ISA Authentication issue

Discussion in 'General Microsoft Certifications' started by John Neerdael, Feb 12, 2009.

  1. John Neerdael

    John Neerdael Nibble Poster

    Hey guys, here I am again. We have been setting up our domain controllers and the isa firewall for the lab we are building in the classroom.

    There is a thread about the project here: http://certforums.co.uk/forums/thread30990.html

    We managed to open up the needed ports to allow AD authentication from a separate subnet to the domain controllers, but the problem is when I make an access rule for HTTP, for instance, and tell it to allow a certain AD user or group. When I log in with a user that is a member of the group I gave access to, I still won't be able to surf the web. If I change the rule to 'All Authenticated Users' it won't work either; however, when I set the rule to All Users it will work, although this is not wanted.

    Do I need to open up certain ports or something? And is it normal that for AD authentication from other subnets I had to allow the following protocols through an access rule (I really thought it would be simpler, and I didn't find any information online on how to do this): LDAP, LDAP (UDP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), NetBIOS Session, Ping, RPC (all interfaces).

    Any help is appreciated. ISA setup is a lot harder than I expected it to be :(
    WIP: MCTS: 70-640
  2. John Neerdael

    John Neerdael Nibble Poster

    We found out it was as simple as installing Firewall Client on the workstation :) Onwards with ISA again.
    WIP: MCTS: 70-640
  3. Simon-MCT

    Simon-MCT Bit Poster

    I see you found a solution, but to clarify.....

    Yes, you need the Firewall Client as soon as you change any rule from All Users to a more specific group or groups.

    When using ISA as either a Proxy or NAT server, all requests are sent as Anonymous, therefore ISA blocks them, since it has no user account against which to validate the groups it's a member of. It can get confusing because you see an Allow rule blocking traffic!

    As soon as you specify a required group membership, the Firewall Client is one way to submit that username and password, basically.
    Certifications: MCSE:Sec;MCITP; MCTS; MCT; A+,Sec+
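The mechanism Simon describes above, as an added illustration that is not part of the original thread and not ISA Server code: a small Python model of ordered access-rule evaluation. Rules that name "All Users" match regardless of identity; any other user set (a named AD group, or "All Authenticated Users") can only match a request that carries an identity, so an anonymous request from a SecureNAT client falls through to the default deny even though the only rule is an Allow rule. The policy, the group name "WebUsers" and the identities are constructed for the example.

```python
"""Toy model of ISA-style access-rule evaluation (constructed example,
not ISA Server code). Shows why an Allow rule scoped to a user set can
still block traffic when the client supplies no identity."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_USERS = "All Users"
ALL_AUTHENTICATED = "All Authenticated Users"


@dataclass(frozen=True)
class Identity:
    # user is None for anonymous traffic, e.g. a SecureNAT client with no
    # Firewall Client installed, so ISA never learns who sent the packet.
    user: Optional[str]
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: FrozenSet[str]   # e.g. {"HTTP", "HTTPS"}
    user_sets: FrozenSet[str]   # e.g. {"All Users"} or {"WebUsers"}

    def matches(self, protocol: str, ident: Identity) -> bool:
        if protocol not in self.protocols:
            return False
        if ALL_USERS in self.user_sets:
            return True                      # no identity needed
        if ident.user is None:
            return False                     # anonymous: cannot satisfy a named user set
        if ALL_AUTHENTICATED in self.user_sets:
            return True                      # any identity at all will do
        return bool(self.user_sets & ident.groups)


def evaluate(rules: List[AccessRule], protocol: str, ident: Identity) -> Tuple[str, str]:
    """Ordered, first-match-wins evaluation ending in an implicit default deny."""
    for rule in rules:
        if rule.matches(protocol, ident):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy: a single Allow rule for HTTP, scoped to the AD group WebUsers.
POLICY = [
    AccessRule("Allow HTTP for WebUsers", "allow",
               frozenset({"HTTP"}), frozenset({"WebUsers"})),
]

ANONYMOUS = Identity(user=None)                                  # no Firewall Client
MEMBER = Identity(user="LAB\\alice", groups=frozenset({"WebUsers"}))
NON_MEMBER = Identity(user="LAB\\bob", groups=frozenset({"Staff"}))


def anonymous_result() -> Tuple[str, str]:
    """The poster's symptom: the Allow rule exists but the request is denied."""
    return evaluate(POLICY, "HTTP", ANONYMOUS)


def member_result() -> Tuple[str, str]:
    """Same request once the client submits credentials and is in the group."""
    return evaluate(POLICY, "HTTP", MEMBER)


def non_member_result() -> Tuple[str, str]:
    return evaluate(POLICY, "HTTP", NON_MEMBER)


def all_users_result() -> Tuple[str, str]:
    """Widening the rule to All Users makes it match even anonymous traffic."""
    widened = [AccessRule("Allow HTTP for everyone", "allow",
                          frozenset({"HTTP"}), frozenset({ALL_USERS}))]
    return evaluate(widened, "HTTP", ANONYMOUS)


if __name__ == "__main__":
    for label, fn in [("anonymous", anonymous_result), ("member", member_result),
                      ("non-member", non_member_result), ("All Users rule", all_users_result)]:
        print(f"{label:15} -> {fn()}")
```

Installing the Firewall Client on the workstation is what moves the request from the anonymous row to the member row: the identity reaches ISA, and the same rule that was "blocking" now matches. A rule scoped to All Users matches regardless, which is why that change appeared to fix things in the original post.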
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    You do not open up ports on ISA, you create rules which either allow or deny traffic based on set criteria.

    No, it is not normal that you had to allow all those protocols in order for authentication to work. ISA is a firewall and does not control traffic on the LAN; it sits between the LAN and the public WAN, or should :)

    And yes ISA is very complicated, you are probably biting off more than you can chew at this point.
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  5. John Neerdael

    John Neerdael Nibble Poster

    I've been in touch with Tom Decaluwe (MVP Forefront Belgium) concerning my project. He told me that our approach was very secure and is being deployed by him in some production environments. Our ISA is acting as a firewall for both the Internet and our different LAN segments.

    As for the protocols that are required to allow AD authentication:

    WIP: MCTS: 70-640
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    PING? :blink
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010