Forefront TMG / ISA2006

    My question is a bit left field... however I'm after some advice from people who have extensive experience in ISA2006, or in FF/TMG.

    I'm in an environment where we want to implement caching of internet access, as well as time and bandwidth recording.
    All well and good, squid can do this, so can ISA IIUC.

    However - we have a large number of users who are domain authenticated, and then we have a smaller subset of users who are not domain authenticated, and cannot/will not be domain authenticated.

    We obviously still want to allow them internet access, but still monitor and cache it. Is it possible? Because I probably wouldn't be inclined to spend the time on it at the moment if there's not at least a suggestion it can be done.

    I've hit a number of hurdles with Squid trying to do this.... the boss wants me to go the direction of having two individual instances... one authenticating via AD, one for the non-ad users.
    Rather annoying though from my point of view, especially from a reporting point of view... so if I could do it with Forefront, or ISA, that would be great.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: Forefront TMG / ISA2006

    It could be done with ISA IF you configure all of your clients, AD and non-AD, to use ISA as a web proxy and also all of the non-AD clients would need an AD logon to authenticate to ISA when they open a browser session. Otherwise you can only record activity by IP address and things like that, not by username.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Forefront TMG / ISA2006

      Yeah... see, we don't want to give them AD logons. :/

      Unless I can find a way to make them incredibly restricted logons that can do nothing at all.

      I tried the simple step of creating just a basic user account, but they were still able to enumerate shares once they had logged on to the proxy with that account.


      • #4
        Re: Forefront TMG / ISA2006

        When using authentication, ISA will use AD to authenticate when LDAP is configured or when it is a member of the domain.
        However it's also possible to use the local account database on the ISA server itself.

        You might review this:
        http://blogs.technet.com/isablog/arc...rver-2004.aspx
        http://www.microsoft.com/forefront/e.../features.aspx

        Another option is to use RADIUS authentication when the users are stored in another database.

        Hmmm, I could write some articles about it, but it is quite time-consuming and I currently don't have a lab available.
        Last edited by Dumber; 11th May 2009, 10:19.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Forefront TMG / ISA2006

          Originally posted by tehcamel:
          Yeah... see, we don't want to give them AD logons. :/

          Unless I can find a way to make them incredibly restricted logons that can do nothing at all.

          I tried the simple step of creating just a basic user account, but they were still able to enumerate shares once they had logged on to the proxy with that account.
          You can get around that by creating a group called "Non AD Proxy Users" or something like that and adding it to the Internet Users group so that they can use the proxy, and also using it to deny permissions to the root drives of the servers and propagating the permissions down. It's a bit clunky, but probably easier than implementing a RADIUS server. Depends on how many servers you have really.

          There are probably more elegant ways you can implement this (Scripting or GPO) with a bit of research.
          Last edited by cruachan; 11th May 2009, 21:32. Reason: More info.


          • #6
            Re: Forefront TMG / ISA2006

            I've got the biggest, kludgiest workaround in the history of the whole world... if I explained it, you'd probably crack up.

            I've got it to authenticate against AD for AD users, and also found a way to authenticate against users in the local users and groups on the FFTMG server... so I'm quite happy with that.

            However, Firefox is now throwing up repeated, and I do mean repeated, authentication prompts for the non-domain users... and putting authentication errors in the event logs. I'm quite sure my password is correct though.

            Still, I'm quite happy with what I have so far.


            • #7
              Re: Forefront TMG / ISA2006

              I... so I sorted out the repetitive authentication prompt for the non-AD users by selecting only 'Basic' authentication rather than Integrated.

              (Yes, I know, it's cleartext.)
              Seems to be working, however.
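As an added illustration of the "it's cleartext" caveat in the post above (example code written for this page, not from the thread, from Microsoft or from Mozilla), the script below parses a handful of constructed client-to-proxy requests and classifies the `Proxy-Authorization` scheme each one carries. For Basic it decodes the token as RFC 7617 defines it, base64 of `user:password`, which is exactly why anyone between the browser and the proxy can read the account unless that hop is protected by TLS. The header values, hostnames and account name are all constructed; the Negotiate and NTLM tokens are opaque placeholders that are only classified, never decoded.

```python
"""Audit Proxy-Authorization headers for cleartext (Basic) credentials.

Added example; the sample requests are constructed, not captured from the
thread's environment. Basic (RFC 7617) is base64(user:password), so the
account and password are recoverable by anyone on the client->proxy path.
The audit reports the exposed account but never returns the password.
"""
import base64
import binascii

# Constructed sample of client->proxy requests, one per client, in the form a
# packet capture or proxy debug log would present them.
SAMPLE_REQUESTS = [
    # Basic: constructed credential proxyuser1:Summer2009!
    "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
    "Proxy-Authorization: Basic cHJveHl1c2VyMTpTdW1tZXIyMDA5IQ==\r\n\r\n",
    # Negotiate (Kerberos/NTLM via SSPI): constructed opaque token
    "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
    "Proxy-Authorization: Negotiate YIIBdgYGKwYBBQUCoIIBag==\r\n\r\n",
    # NTLM: constructed opaque token
    "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
    "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n\r\n",
    # No credential at all (first request before the 407 challenge)
    "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n",
]


def parse_headers(raw):
    """Return a dict of lower-cased header names to values for one request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_proxy_auth(raw):
    """Classify the proxy credential one request carries.

    Returns {'scheme': 'none'} when no Proxy-Authorization header is present,
    {'scheme': 'negotiate'|'ntlm'|'other'} for non-Basic schemes, and for
    Basic the recovered 'user' plus 'cleartext_password' (True when a
    non-empty password followed the colon). The password is discarded.
    """
    value = parse_headers(raw).get("proxy-authorization")
    if value is None:
        return {"scheme": "none"}
    parts = value.split(None, 1)
    scheme = parts[0].lower()
    token = parts[1] if len(parts) > 1 else ""
    if scheme != "basic":
        return {"scheme": scheme if scheme in ("negotiate", "ntlm") else "other"}
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "basic", "user": None, "cleartext_password": False,
                "malformed": True}
    user, _, password = decoded.partition(":")
    return {"scheme": "basic", "user": user, "cleartext_password": bool(password)}


def audit(requests):
    """Count schemes across a batch and list accounts exposed via Basic."""
    summary = {"basic": 0, "negotiate": 0, "ntlm": 0, "other": 0, "none": 0}
    exposed_users = []
    for raw in requests:
        result = classify_proxy_auth(raw)
        summary[result["scheme"]] += 1
        if result["scheme"] == "basic" and result.get("user"):
            exposed_users.append(result["user"])
    return summary, exposed_users


if __name__ == "__main__":
    counts, exposed = audit(SAMPLE_REQUESTS)
    print("Schemes seen:", counts)
    print("Accounts whose password crossed the wire in cleartext:", exposed)
```

Run against real capture data, `audit` tells you which clients actually fell back to Basic and therefore which local proxy accounts are worth rotating or moving behind a TLS-protected proxy listener; the Negotiate/NTLM cases are left opaque because their tokens do not carry the password.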


              • #8
                Re: Forefront TMG / ISA2006

                Been going round and round in circles more... but I've found that when the non-AD clients try and authenticate, the Forefront server is filling with security failures for the local usernames and computer names, not the proxy names I've given them... so Firefox was trying to use Integrated.

                I went into the Firefox about:config and changed network.auth.use-sspi to false.
                So now it's not using Integrated for these clients, and is no longer prompting them!

                I'm happy.. :D
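The `about:config` change in the post above is the kind of setting that silently reverts or never reaches a machine, so a defender would want a way to check a profile rather than trust that it was applied. The script below is an added example written for this page (not from the thread or from Mozilla): it parses the `user_pref(...)` lines of a Firefox prefs file and decides whether that profile will answer a proxy's Negotiate/NTLM challenge with the Windows logon identity through SSPI, which is what produced the failed-logon noise for local account and computer names. The two prefs files are constructed. The preference names `network.auth.use-sspi` (from the post), `network.negotiate-auth.allow-proxies` and `network.automatic-ntlm-auth.allow-proxies` are real Firefox preferences; the default values assumed for them when absent are labelled as assumptions in the code.

```python
"""Audit a Firefox prefs file for settings that make a non-domain client try
Windows integrated (SSPI) authentication against a web proxy.

Added example, not from the thread or from Mozilla. Both prefs files are
constructed. DEFAULTS holds assumed shipped defaults for Windows and is used
only when the pref is absent from the file.
"""
import re

DEFAULTS = {
    "network.auth.use-sspi": True,                      # assumed default
    "network.negotiate-auth.allow-proxies": True,       # assumed default
    "network.automatic-ntlm-auth.allow-proxies": True,  # assumed default
}

# Constructed: a profile with only proxy settings, i.e. the state in which the
# thread saw repeated prompts and failed logons for local account names.
PREFS_BEFORE = """\
// constructed sample: no authentication prefs, Windows defaults apply
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example.internal");
user_pref("network.proxy.http_port", 8080);
"""

# Constructed: the same profile after the about:config change from the post.
PREFS_AFTER = PREFS_BEFORE + 'user_pref("network.auth.use-sspi", false);\n'

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict with typed values.

    Values become bool (true/false), str (double-quoted) or int. Comment and
    blank lines are skipped; any other line raises ValueError so a malformed
    file is noticed rather than silently audited.
    """
    prefs = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if not m:
            raise ValueError("unrecognised prefs line: %r" % line)
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def integrated_auth_to_proxy(prefs):
    """Decide whether the profile answers a proxy's Negotiate/NTLM challenge
    through SSPI, i.e. with the Windows logon identity.

    Returns (will_use_sspi, effective) where effective maps each deciding
    pref to the value actually in force, so a report can show the reason.
    """
    effective = {name: prefs.get(name, default) for name, default in DEFAULTS.items()}
    use_sspi = effective["network.auth.use-sspi"]
    challenge_accepted = (effective["network.negotiate-auth.allow-proxies"]
                          or effective["network.automatic-ntlm-auth.allow-proxies"])
    return bool(use_sspi and challenge_accepted), effective


def report(label, text):
    """Print a one-line verdict plus the effective prefs; returns the verdict."""
    will, effective = integrated_auth_to_proxy(parse_prefs(text))
    verdict = ("WILL send the Windows logon identity to the proxy via SSPI" if will
               else "will not use SSPI; the proxy gets prompted or Basic credentials")
    print("%s: %s" % (label, verdict))
    for name, value in sorted(effective.items()):
        print("    %-45s %s" % (name, value))
    return will


if __name__ == "__main__":
    report("before about:config change", PREFS_BEFORE)
    report("after  about:config change", PREFS_AFTER)
```

Pointing `report` at the `user.js` or `prefs.js` of each non-domain client's profile gives a quick compliance check; the same logic also shows the alternative route the thread did not take, which is leaving SSPI on but setting both `allow-proxies` prefs to false so Firefox never offers integrated authentication to the proxy.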