ISA Authentication issue

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey guys, here I am again. We have been setting up our domain controllers and the isa firewall for the lab we are building in the classroom.

There is a thread about the project here: http://certforums.co.uk/forums/thread30990.html

We managed to open up the needed ports to allow for AD authentication from a seperate subnet to the domain controllers but the problem is when I make a access rule for http for instance and I tell it to allow a certain ad user or group. When I login with a user that is a member of the group I gave access I still wont be able to surf the web. If I change the rule to 'All Authenticated Users' it neither will work, however when I set the rule to All Users it will work. although this is not wanted.

Do I need to open up certain ports or something? And is it normal that for AD authentication from other subnets that I had to open up the following protocols through a access rule (I really thought it would be more simple and I didnt found any information online how to do this): LDAP, LDAP (UDP), Kerberos-sec (UDP) Microsoft CIFS (TCP), Netbios Session, Ping, RPC (all interfaces).

Any help is appreciated. ISA setup is alot harder then I expected it to be

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

We found out it was as simple as installing Firewall Client on the workstation Onwards with ISA again.

 

I see you found a solution, but to clarify.....

Yes, you need the Firewall Client as soon as you change any rule from All Users to a more specific group or groups.

When using ISA as either a Proxy or NAT server, all requests are sent as Anonymous, therefore ISA blocks them since it had no user account to validate the groups it's a member of. It can get confusing because you see an Allow rule blocking traffic!

As soon as you specify a group membership required, the Firewall Client is one way to submit that Username & Password, basically.

 

You do not open up ports on ISA, you create rules which either allow or deny traffic based on set criteria.

No it is not normal that you had to allow all those protocols in order for authentication to work. ISA is a firewall and does not control traffic on the LAN, it is between the LAN and the public WAN or should be

And yes ISA is very complicated, you are probably biting off more than you can chew at this point.

 

I've been in touch with Tom Decaluwe (MVP Forefront Belgium) concerning my project. He told me that our approach was very secure and is being deployed by him in some production environments. Our ISA is acting as a firewall for both the Internet and our different LAN segments.

As for the protocols that are required to allow AD authentication: