Re: Create rule in ISA 2004



Colin wrote:

Hi all,

One of my clients needs to allow a finance software package installed on 1
PC to retrieve updates from the vendor's website. They (the vendor) have
informed me that this is a common problem and I need to allow
un-authenticated access to their website through ISA (installed on my
client's SBS Prem box, 2 NICs). How do I create a rule to allow this? Many
thanks.

Whether their comment is accurate or not depends on a number of factors:

a) is their application proxy-aware, and
b) if so, does it support passing credentials, and
c) do you have the Firewall Client installed on this workstation

CASE 1:
If the answer to (a) is no, then you need (c) to be yes in order for the application to be able to make authenticated requests through ISA (the FWC handles the authentication on behalf of the application).

CASE 2:
If the answer to (a) is yes, then (b) needs to be yes as well for the application to use ISA directly. Note that you may need to configure ISA to allow Basic Authentication in this scenario.

CASE 3:
If the answers to (a) and (b) are yes and no respectively, the application should be treated as non-proxy-aware, configured with *no* proxy information and handled as case 1.

If you can't fit any of the above cases, then yes, you may need to configure ISA to allow anonymous access:

(assuming ISA2004)

New Access Rule:
"Vendor X Updates" NEXT
Allow NEXT
Selected Protocols, Add HTTP, NEXT
Internal (or define a new Computer or Computer Set and include the relevant PC(s)), NEXT
"Vendor X Update Site" (defining a new URL set, with <base URL>/* as per vendor guidance), NEXT
All Users, NEXT
FINISH

Make sure this new rule is (just) above the SBS Internet Access rule, and click the big APPLY.

This rule grants anonymous HTTP access to _just_ the vendor's website, thus minimising the risk potential.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
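
An added example, not part of the post above and not ISA's own code: a simplified Python model of ordered, first-match rule evaluation, showing why the anonymous vendor rule has to sit above the SBS Internet Access rule and what it still leaves closed. It assumes that a rule which matches on source and destination but requires an authenticated user denies an anonymous request instead of falling through to later rules; the host names and IP addresses are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Rule:
    name: str
    action: str         # "allow" or "deny"
    sources: set        # client IPs the rule applies to, or {"*"} for any
    url_patterns: list  # URL set entries such as "host/*"
    users: str          # "all" (anonymous accepted) or "authenticated"

def evaluate(rules, src_ip, url, authenticated):
    """Return (decision, rule name) for one request; rules are tried top down."""
    for r in rules:
        if "*" not in r.sources and src_ip not in r.sources:
            continue
        if not any(fnmatch(url, p) for p in r.url_patterns):
            continue
        # Source and destination match. Modelling assumption: if the rule needs
        # a user identity the client cannot supply, evaluation stops here.
        if r.users == "authenticated" and not authenticated:
            return ("deny-auth-required", r.name)
        return (r.action, r.name)
    return ("deny", "Default rule")

# Constructed sample values (not from the post).
FINANCE_PC = "192.168.16.50"
OTHER_PC = "192.168.16.51"
VENDOR_URL = "updates.vendor.example/patches/latest.cab"

VENDOR = Rule("Vendor X Updates", "allow", {FINANCE_PC},
              ["updates.vendor.example/*"], "all")
SBS = Rule("SBS Internet Access Rule", "allow", {"*"}, ["*"], "authenticated")

if __name__ == "__main__":
    cases = [
        ("vendor rule above", [VENDOR, SBS], FINANCE_PC, VENDOR_URL),
        ("vendor rule below", [SBS, VENDOR], FINANCE_PC, VENDOR_URL),
        ("other site",        [VENDOR, SBS], FINANCE_PC, "www.example.org/"),
        ("other workstation", [VENDOR, SBS], OTHER_PC, VENDOR_URL),
    ]
    for label, rules, ip, url in cases:
        # Every request here is anonymous, as the update client's would be.
        print(f"{label:18} -> {evaluate(rules, ip, url, authenticated=False)}")
```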