RE: ISA 2004 - Anonymous Connection
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Tue, 13 Feb 2007 10:04:05 GMT
Hello Luiz,

Thank you for your kind update.

By default in ISA 2004 with SBS, after you run the CEICW, the ISA will
allow only domain user accounts to access the Internet. If the computer is
not logged on with a domain account, the ISA will drop the connection from
this computer to the Internet and will not prompt the user to input
credentials. However, you can open the function so that when a computer
that is not logged on to the domain wants to access the Internet, the ISA
prompts the user to input credentials. Then, if a guest puts his laptop in
my network and wants to use the Internet, he will be asked for credentials.

To open the function, you have to run a VB script on the ISA 2004 server:

1. You can copy the script from the following link:
   http://msdn2.microsoft.com/en-us/library/ms826234.aspx
2. Save the script on the ISA server as a script.vbs file
3. Run the command in a command prompt:
   Cscript script.vbs True

Note: if you want to close this function, please run the command
   Cscript script.vbs False

For ISA Firewall client and Web proxy client:

1. Understanding the ISA 2004 Firewall Client

The Firewall client software is an optional client piece that can be
installed on any supported Windows operating system to provide enhanced
security and accessibility. The Firewall client software provides the
following enhancements to Windows clients:

- Allows strong user/group-based authentication for all Winsock
  applications using the TCP and UDP protocols
- Allows user and application information to be recorded in the ISA 2004
  firewall's log files
- Provides enhanced support for network applications, including complex
  protocols that require secondary connections
- Provides 'proxy' DNS support for Firewall client machines
- Allows you to publish servers requiring complex protocols without the
  aid of an application filter
- The network routing infrastructure is transparent to the Firewall client

ISA 2004 Web Proxy Client

The Web Proxy client is any computer that has its browser configured to use
the ISA 2004 firewall as its Web Proxy server. You do not need to add any
new software to make a machine a Web Proxy client. The only requirement is
that you configure the browser on the client machine to use the ISA 2004
firewall as its Web Proxy. The Web browser isn't the only application that
can be configured as a Web Proxy client. Other applications, such as
instant messengers and e-mail clients can also be configured as Web Proxy
clients.

2. Advantages of the Web Proxy client configuration include:

- Improved performance for the Firewall and SecureNAT client configuration
  for Web access
- Ability to use the autoconfiguration script to bypass sites Direct Access
- Allows you to provide Web access (HTTP/HTTPS/FTP download) without
  enabling access to other protocols.
- Allows you to enforce user/group-based access controls over Web access.
- Supports RADIUS authentication for outbound Web Proxy client requests
- Allows you to limit the number of outbound Web Proxy client connections.
- Supports Web Proxy chaining, which can further speed up Internet access

Hope the info above helps.
Thanks and have a nice day.
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: =?Utf-8?B?THVpeg==?= <Luiz@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: ISA 2004 - Anonymous Connection
| Date: Mon, 12 Feb 2007 03:03:01 -0800
|
| Hi Terence,
|
| thank you for the time spent to verify the ISA logs.
| So, if a guest puts his laptop in my network and wants to use the
| Internet, he will be asked for credentials?
| One other question: what is the difference between using ISA Client
| Firewall and not using it?
|
| Thank you again, Terence.
|
|
| Best Regards.
|
| Luiz
|
|
| "Terence Liu [MSFT]" wrote:
|
| > Hello Luiz,
| >
| > Thank you for your kind update.
| >
| > Based on my knowledge, after you run the CEICW, if you enable "Require
| > all users to authenticate", the clients have to provide authentication
| > to the ISA server when they want to access the Internet. However, that
| > does not mean every client has to input a username and password every
| > time they access the Internet. IE will provide the current logon user
| > credentials to ISA automatically. So if the client is logged on to the
| > SBS domain, the user can access the Internet with no need to input
| > credentials. Meanwhile, the ISA will write into the log file as the
| > domain user account, not anonymous. If you do not log on to the domain
| > on the clients, you have to input credentials when you access the
| > Internet.
| >
| > If you have any concerns, please feel free to let me know. I am glad to
| > be of assistance. :-)
| >
| > Thanks and have a nice day.
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| > --------------------
| > | From: =?Utf-8?B?THVpeg==?= <Luiz@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: RE: ISA 2004 - Anonymous Connection
| > | Date: Fri, 9 Feb 2007 11:16:00 -0800
| > |
| > | Hi Terence,
| > |
| > | thank you for your help.
| > | I did send you an email with the ISA log to verify.
| > | One question: if I enable "Require all users to authenticate", will
| > | all users have to put in their credentials?
| > |
| > | Thanks again.
| > |
| > | Best Regards.
| > |
| > |
| > | "Terence Liu [MSFT]" wrote:
| > |
| > | > Hello Luiz,
| > | >
| > | > Thank you for posting here.
| > | >
| > | > According to your description, I understand that you want to know
| > | > why your ISA logs show anonymous connections. If I have
| > | > misunderstood the problem, please don't hesitate to let me know.
| > | >
| > | > Based on my research, the ISA firewall client will always send
| > | > authentication to the ISA server, but the web proxy may not send
| > | > authentication to ISA, so the anonymous connection mostly refers to
| > | > client web proxy (http, https, ftp etc) access.
| > | >
| > | > I suggest we try the following steps to see if we can resolve this
| > | > issue:
| > | >
| > | > 1. I suggest we rerun the CEICW to make sure your SBS 2003 server
| > | > has the right network configuration. Go through the following KB and
| > | > rerun the CEICW carefully.
| > | >
| > | > How to configure Internet access in Windows Small Business Server
| > | > 2003
| > | > http://support.microsoft.com/kb/825763/en-us
| > | >
| > | > 2. Please ensure that all clients log on via domain accounts. Only
| > | > the domain account can provide authentication to the ISA server.
| > | >
| > | > 3. Set request authentication for web proxy
| > | >
| > | > a. Open ISA 2004 console
| > | >
| > | > b. Extend Configuration -> Networks
| > | >
| > | > c. Click Networks tab in middle pane, double click Internal
| > | >
| > | > d. Click Web Proxy tab, click Authentication button
| > | >
| > | > e. Tick Require all users to authenticate
| > | >
| > | > f. Click OK twice, click Apply button
| > | >
| > | > If the issue persists, please kindly help me collect some
| > | > information for further investigation:
| > | >
| > | > 1. Please help to gather the ISA Info:
| > | >
| > | > 1) Download the file from the following URL:
| > | >
| > | > http://www.isatools.org/tools/isainfo.zip
| > | >
| > | > 2) Extract all files to a folder on the ISA server.
| > | >
| > | > 3) Double click Isainfo.js. This will generate 2 files,
| > | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml,
| > | > in the current folder.
| > | >
| > | > 4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
| > | >
| > | > 2. Please also help to gather the ISA logs:
| > | >
| > | > 1) Schedule a down time.
| > | >
| > | > 2) Open ISA 2004 management console.
| > | >
| > | > 3) Expand the server node and highlight 'Monitoring'.
| > | >
| > | > 4) In the right pane, switch to the 'Logging' tab, make sure the
| > | > 'Task Pane' is shown there.
| > | >
| > | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under
| > | > 'Logging Tasks', and then switch the 'log storage format' from 'MSDE
| > | > database' (default) to 'File'.
| > | >
| > | > 6) Switch to the 'Fields' tab, click 'Select All', and then click
| > | > OK.
| > | >
| > | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
| > | > 'Logging Tasks', and then switch the 'log storage format' from 'MSDE
| > | > database' (default) to 'File'.
| > | >
| > | > 8) Switch to the 'Fields' tab, click 'Select All', and then click
| > | > OK.
| > | >
| > | > 9) Click 'Apply' to save changes and update the configuration.
| > | >
| > | > 10) Temporarily disable the Firewall service. To do that, please
| > | > click Monitoring | Services tab, and then right click 'Microsoft
| > | > Firewall' to choose 'Stop'.
| > | >
| > | > 11) Clear the current existing W3C logs. To do that, go to the log
| > | > saving directory and clean any existing .W3C logs. By default, the
| > | > logs will be saved to 'C:\Program Files\Microsoft ISA
| > | > Server\ISALogs'. (Some MDF may not be able to be deleted, that's
| > | > normal.) You may back them up first and then delete them.
| > | >
| > | > 12) Go back to the ISA 2004 management console, and then Start the
| > | > stopped 'Microsoft Firewall' service.
| > | >
| > | > 13) Reproduce the problem, stop the service, and then gather the
| > | > resulting W3C files to me for analysis.
| > | >
| > | > 14) Please also let me know the IP address of the testing clients so
| > | > that I can filter the data.
| > | >
| > | > Hope these steps will give you some help.
| > | >
| > | > Thanks and have a nice day!
| > | >
| > | > Best regards,
| > | >
| > | > Terence Liu(MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | > --------------------
| > | > | From: =?Utf-8?B?THVpeg==?= <Luiz@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | > | Subject: ISA 2004 - Anonymous Connection
| > | > | Date: Thu, 8 Feb 2007 03:49:01 -0800
| > | > |
| > | > | Hi,
| > | > |
| > | > | I have deployed ISA 2004 client to all workstations.
| > | > | When I review the ISA logs I noticed that anonymous connections
| > | > | appear. What does it mean?
| > | > |
| > | > | Thanks.
| > | > |
| > | > | Luiz
| > | > |
| > | >
| > | >
| > |
| >
| >
|
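
The log review described in this thread (filtering the W3C Web Proxy log by test-client IP and checking which requests appear as anonymous), as an added example that is not part of the original posts. It assumes tab-separated W3C files whose #Fields header names the columns c-ip and cs-username, and that unauthenticated requests carry the user name "anonymous"; the sample lines are constructed.

```python
# Constructed sample in W3C extended log format (tab-separated).
# Assumption: columns are named c-ip and cs-username, and unauthenticated
# requests are logged with the user name "anonymous".
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Security and Acceleration Server 2004",
    "#Version: 2.0",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri",
    "192.168.16.21\tanonymous\t2007-02-12\t10:01:02\thttp://example.com/",
    "192.168.16.21\tCONTOSO\\alice\t2007-02-12\t10:01:02\thttp://example.com/",
    "192.168.16.50\tanonymous\t2007-02-12\t10:03:10\thttp://example.org/",
    "192.168.16.50\tanonymous\t2007-02-12\t10:03:11\thttp://example.org/",
    "192.168.16.22\tCONTOSO\\bob\t2007-02-12\t10:04:00\thttp://example.net/",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields is None:
            raise ValueError("data line before #Fields directive")
        else:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize(text, client_ips=None):
    """Per client IP, count anonymous and authenticated requests."""
    stats = {}
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        if client_ips and ip not in client_ips:
            continue  # keep only the test clients being investigated
        entry = stats.setdefault(
            ip, {"anonymous": 0, "authenticated": 0, "users": set()})
        user = rec["cs-username"].strip()
        if user.lower() in ("anonymous", "-", ""):
            entry["anonymous"] += 1
        else:
            entry["authenticated"] += 1
            entry["users"].add(user)
    return stats

def never_authenticated(stats):
    """Clients that only ever appear as anonymous (e.g. a non-domain laptop)."""
    return sorted(ip for ip, e in stats.items() if e["authenticated"] == 0)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        print(ip, e["anonymous"], e["authenticated"], sorted(e["users"]))
    print("never authenticated:", never_authenticated(result))
```

A client that shows both anonymous and named entries did authenticate; a client that shows only anonymous entries never presented credentials to the proxy.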