Re: FWC and Stamps.com on ISA2004


From: A.Klimkin (aklimkin)
Date: 10/11/04


Date: Mon, 11 Oct 2004 09:41:27 +0400

OK. I believe your issue is connected with the ISA HTTP redirector filter.
Depending on this application filter's configuration, HTTP requests from
firewall clients (as well as SNAT clients) are:
1. Passed to web proxy service.
2. Routed directly to the internet.
3. Rejected.
The first option is the default filter configuration. This allows firewall
clients to enjoy the web proxy filtering and caching features. But therein
lies a problem: the HTTP redirector is unable to pass user credentials to
the web proxy service, e.g. the request is passed as anonymous, even if the
client was previously authenticated against the firewall service. So if your
effective ISA policy requires user authentication, all firewall clients' web
requests are denied.
You should reconfigure the HTTP redirector to route web requests from
firewall clients directly to the internet. In this case HTTP requests from
the application will bypass the web proxy service and will not be cached or
filtered, but you'll get fully authenticated entries in your logs (sure, in
the firewall, not web proxy, logs).

Regards,
Andrew

"Matt" <anonymous@discussions.microsoft.com> wrote in message
news:3a9c01c4af24$a5cee660$a601280a@phx.gbl...
> I just figured it out after reviewing the log. If I add
> the "All Users" default group available for selection in
> ISA for that policy, it worked. The "All Users" group
> handles the un-authenticated access through ISA for a
> policy, which was my problem here.
>
> Now, should I configure a second policy just to handle
> that situation with this application, so that I do not
> have to lose the ability to control access rights via
> Firewall Client with policies? How do you usually handle
> those circumstances?
>
> Thanks,
>
> Matt
> >-----Original Message-----
> >The ISA Log points to the policy I have set up for
> >Firewall Clients (which allows HTTP, HTTPS, FTP, and MMS)
> >from a range of IP addresses, to External and the rule
> >applies to an AD Global Group.
> >
> >The error the log states is 0x800 and was recorded from
> >the Web Proxy Filter, the connection was denied (source -
> >Internal/Destination - External) and the HTTP method was
> >a "GET" to a URL. It also shows the client username
> >was "Anonymous".
> >
> >What else can I provide you with to help troubleshoot
> >this?
> >
> >Thanks,
> >
> >Matt
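
A log check for the symptom discussed in this thread, added as an example that is not part of the original posts: it flags client IPs that show authenticated firewall-service entries but whose web proxy requests are denied as Anonymous. The CSV layout, column names and sample rows are constructed assumptions, not ISA's actual log format.

```python
import csv
from collections import defaultdict

# Constructed sample rows (not real ISA output). The column names are
# assumptions for this example; map them to the fields your export contains.
SAMPLE_LOG = """\
client_ip,username,service,action,method,url
10.0.0.21,CORP\\matt,Firewall,Allowed,,
10.0.0.21,Anonymous,Web Proxy Filter,Denied,GET,http://app.example.test/update
10.0.0.21,Anonymous,Web Proxy Filter,Denied,GET,http://app.example.test/login
10.0.0.35,Anonymous,Web Proxy Filter,Denied,GET,http://www.example.test/
10.0.0.40,CORP\\anna,Web Proxy Filter,Allowed,GET,http://www.example.test/
"""


def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(text.splitlines()))


def find_redirected_anonymous(rows):
    """Return {client_ip: [denied URLs]} for clients that authenticate to the
    firewall service yet reach the web proxy as Anonymous and are denied."""
    authenticated = set()          # IPs seen with a real user name on the firewall service
    denied = defaultdict(list)     # IP -> URLs denied to "Anonymous" by the web proxy
    for row in rows:
        user = row["username"].strip().lower()
        if row["service"] == "Firewall" and user not in ("", "anonymous"):
            authenticated.add(row["client_ip"])
        elif (row["service"] == "Web Proxy Filter"
              and row["action"] == "Denied" and user == "anonymous"):
            denied[row["client_ip"]].append(row["url"])
    # Only IPs present in both sets match the redirector symptom; an IP that is
    # anonymous everywhere is simply an unauthenticated client.
    return {ip: urls for ip, urls in denied.items() if ip in authenticated}


if __name__ == "__main__":
    for ip, urls in find_redirected_anonymous(load(SAMPLE_LOG)).items():
        print(f"{ip}: {len(urls)} anonymous web proxy denials despite firewall auth")
```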


