ISA 2000: Handling Apps That Don’t Like Proxy Authentication

Quite often, we’re faced with a situation where an application has its own Web Proxy client mechanism, and that mechanism has various issues, like:


  • It doesn’t support NTLM authentication, and only NTLM is enabled on the ISA Server
  • It doesn’t support more than one Proxy-Authenticate header
  • It doesn’t support proxy authentication at all (a 407 response kills it)

There are a few methods that can be used to work around the issues above which I’ll go through, starting with…

 

Avoiding The Whole Issue With The Firewall Client


Configure a given application to not use a proxy at all, and use the Firewall Client. This generally works best on client machines, and where the port involved isn’t a standard HTTP port (for example, Java applets that connect to ports other than 80).

 

The problem with the Firewall Client approach (and it may not be a problem for you) is that by default, the ISA HTTP Redirector Filter intercepts firewall client requests, forwards them to the Web Proxy service, but doesn’t supply any credentials when doing so. Best-case, your application gets unauthenticated web access. Worst-case, your app fails because of your Site and Content ruleset.

 

Disabling the HTTP Redirector Filter (it’s an Application Filter) means that Firewall and SecureNAT clients can connect directly to the target server if the rules permit it – Firewall clients will be able to authenticate transparently, without the application being challenged or otherwise bothered.

 

If the HTTP Redirector filter is disabled, you lose transparent caching of web requests, but most will be configured to use the Web Proxy anyway, right? You’ll also need to look in the FWSEXT (Firewall service) logs, rather than the WEBEXT (Web Proxy service) logs to see the client traffic.

 

This is mainly useful for client applications, but can be applied to servers if really necessary.

 

 

Applications That Speak Only Basic Authentication

 

If you’re having authentication problems with an application that supports the use of a proxy server, chances are it fits into this category.

 

ISA 2000 comes configured out-of-the-box to offer only NTLM authentication to Web Proxy clients, which means that this type of application won’t be able to traverse the proxy.

 

Enabling Basic authentication is simple – just enable it in the properties of the Outgoing Web Requests listener.

 

Now, this means that the credentials used by the application are being sent in near-to-plaintext over the network, which is usually undesirable.

 

If you’re in this category, you might want to consider using the Firewall client if it’s a client application, or (more useful for server applications) creating an IPSec policy that encrypts communications between the application and the proxy; something like “TCP traffic destined for port 8080 on <ISA Server internal IP> from <application server>”, applied to both the ISA Server and the Application Server.

 

 

Applications That Don’t Support Multiple Proxy-Authenticate Headers

 

Rarer – IIRC, older versions of the Sun JVM used to do this before they spoke NTLM.

 

This is more or less the same as the suggestion for the Basic set above, except that it’s mandatory to add another internal IP address and listener for these applications, because having more than one authentication option ticked breaks the application.

 

So, you create a new IP for the internal interface, enable only Basic authentication for this IP address in Outgoing Web Requests, and configure only this client application to use the new IP address (give it a different CNAME, like BASICPROXY, perhaps…).

 

 

Applications That Don’t Understand Proxy Authentication

(AKA how to turn off authentication for certain sites but retain authentication for others).

 

ISA uses what I call the “law of least effort”, which translates to applications finding the laziest possible path through the ISA Server’s rule set.

 

If you have an application that just can’t handle proxy authentication, you can configure your proxy rules to allow anybody going to that destination to do so anonymously.

 

To do this, there are a couple of prerequisites:


  • Your Outgoing Web Listener must be configured not to ask users for authentication. If authentication is required, make it part of the Site and Content rules that apply to clients.
  • The applicable Protocol Rule must allow All Requests or use a Client Address Set, but not use user-based authentication.

To look at a simple example, here’s how you’d configure unauthenticated access to www.BarryIsGood.dom (in a destination set called “Unauthenticated Sites”) while requiring authentication for all other sites:

 

Site and Content Rules:
Allow <Domain Users> <Anywhere> Anytime
Allow <Anyone> <Destination Set: Unauthenticated Sites> Anytime

 

Protocol Rules:
Allow <Anyone> <HTTP> Anytime

 

And that’s it. Destination sets can be locked down to the point where only a certain part of a path can be accessed, so if you know the specific URL being accessed at the target site, you can restrict it using the Dest Set.

 

Web Proxy clients always try to get to sites anonymously, making a simple GET request for the target site. ISA then checks to see if a user is allowed to get there anonymously, and if so, stops processing rules and executes the request.

 

Using the rules above, if someone were to type in “www.barryisgood.dom”, the rule processing would look like this:

 

Client Request: GET www.barryisgood.dom /

ISA processing: Is <anyone> allowed to use HTTP? Yes
ISA processing: Is <anyone> allowed to get to www.barryisgood.dom? Yes

ISA Response to client: 200 page contents from barryisgood.dom .

 

If the same person were to type in “www.authenticateddomain.dom” (which isn’t part of the Unauthenticated Sites destination set):

 

Client Request: GET www.authenticateddomain.dom /

ISA processing: Is <anyone> allowed to use HTTP? Yes
ISA processing: Is <anyone> allowed to get to www.authenticateddomain.dom? Not without authenticating.

ISA Response to client: 407 Proxy Authentication Required

 

If the “Ask users for authentication” tickbox had been enabled, the 407 would have immediately followed the client request, which would break the scenario for someone getting to barryisgood.dom without needing to supply credentials.
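The rule walk-through above, as an added example that is not part of the original post: a small Python model of the order in which the listener tickbox, the Protocol Rules and the Site and Content Rules are consulted for an application’s anonymous first request. Class and function names are my own, the “denied” label stands in for whatever error ISA actually returns to an authenticated-but-unpermitted client, and the path-restricted destination set used in the tests is constructed to illustrate the Dest Set point.

```python
"""Toy model of the ISA 2000 Web Proxy rule processing described above (an added
illustration, not ISA code). It replays the order the post describes: the listener's
"Ask users for authentication" flag, then the Protocol Rules, then the Site and Content
Rules, where the first Allow that fits ends processing ("law of least effort")."""
from dataclasses import dataclass
from typing import Optional

ANYONE, DOMAIN_USERS, ANYWHERE = "<Anyone>", "<Domain Users>", "<Anywhere>"
# "denied" is this model's label; ISA's real denial response is not modelled.
OK, CHALLENGE, DENIED = "200 OK", "407 Proxy Authentication Required", "denied"


@dataclass
class Request:
    host: str
    path: str = "/"
    user: Optional[str] = None          # None: the anonymous first attempt
    groups: frozenset = frozenset()     # known only once authenticated


@dataclass
class DestinationSet:
    name: str
    domains: frozenset
    path_prefix: str = "/"              # a Dest Set can be narrowed to a URL path

    def matches(self, req: Request) -> bool:
        return req.host.lower() in self.domains and req.path.startswith(self.path_prefix)


def _who_allows(who: str, req: Request) -> Optional[bool]:
    """True/False once decidable; None when only authenticating could decide it."""
    if who == ANYONE:
        return True
    if req.user is None:
        return None                     # a user-based rule cannot match anonymously
    return who in req.groups


@dataclass
class IsaPolicy:
    ask_users_for_authentication: bool  # Outgoing Web Requests listener tickbox
    protocol_rules: list                # (who, protocol) tuples
    site_rules: list                    # (who, ANYWHERE or DestinationSet) tuples

    def evaluate(self, req: Request, protocol: str = "HTTP") -> str:
        # Listener-level authentication challenges before any rule is read,
        # which is exactly what breaks the anonymous-site workaround.
        if self.ask_users_for_authentication and req.user is None:
            return CHALLENGE
        # Protocol Rules: an <Anyone> rule lets the anonymous attempt through; a
        # user-based rule can only be satisfied after a challenge (prerequisite 2).
        verdicts = [_who_allows(w, req) for w, p in self.protocol_rules if p == protocol]
        if True not in verdicts:
            return CHALLENGE if None in verdicts else DENIED
        # Site and Content Rules: the first Allow that fits ends processing.
        for who, where in self.site_rules:
            if (where == ANYWHERE or where.matches(req)) and _who_allows(who, req):
                return OK
        return CHALLENGE if req.user is None else DENIED


# The post's ruleset: Domain Users anywhere, anyone to the Unauthenticated Sites set.
UNAUTHENTICATED_SITES = DestinationSet("Unauthenticated Sites", frozenset({"www.barryisgood.dom"}))
POLICY = IsaPolicy(False, [(ANYONE, "HTTP")],
                   [(DOMAIN_USERS, ANYWHERE), (ANYONE, UNAUTHENTICATED_SITES)])


def first_request(host: str, path: str = "/", ask: bool = False) -> str:
    """Status for an application's anonymous GET, with the listener tickbox on or off."""
    return IsaPolicy(ask, POLICY.protocol_rules, POLICY.site_rules).evaluate(Request(host, path))


def authenticated_request(host: str, user: str, groups: frozenset) -> str:
    """Status once the client has answered the 407 with domain credentials."""
    return POLICY.evaluate(Request(host, "/", user, groups))
```

Flipping `ask=True` reproduces the broken case from the last paragraph: the anonymous request to barryisgood.dom is challenged before the anonymous Site and Content rule is ever reached.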

 

It’s a solution I’ve used for a few similar issues in the past, and it seems to work pretty well…

 

Comments? Questions? Leave them below…

An MSN Messenger Update…

Which thoughtfully reset my painstakingly reconfigured emotional-blackmail-free Messenger sound scheme.


Still, at least I’ve a simple solution these days.

 

I upgraded while Novaworld (appeared to be/was) down for the last few minutes, while waiting to play Joint Operations again. It’s a lot of fun, don’t be put off by the website. Fingers crossed for a standalone dedicated server…

ISA 2000: Script for Bigpond Cable Heartbeat

If you’re not on the Australian Telstra Bigpond Cable network, you don’t need this.

 

Update: Since 2007 (or maybe before; I lost track), Bigpond moved away from their heartbeat, instead using cable modem authentication. So, no need for this any more. W00p! 🙂

 

This is a script I wrote a long while back that enables packet filters corresponding to the Bigpond Heartbeat ports on your ISA Server (2000).

 

It’s specifically for the scenario in which ISA is directly connected to Bigpond Cable, and has Packet Filtering enabled, and is the computer running the login client. If you have a cable router in front of ISA doing the login stuff, you don’t need to use this. It’s only for directly-connected ISAs.

 

It creates two packet filters – one for 5050 TCP outbound for the sign-in, one for UDP 5050 Receive then Send for the Heartbeat challenge/response.

 

By default, it allows inbound 5050 UDP to the ISA Server from all IP addresses, but when you know the IP address of your login server, you can modify the script – or if you’re not comfortable with scripting, just modify the packet filter it creates via the MMC directly – to only allow the heartbeat from the IP of the login-server, sm-server or dce-server (ping to find the IP address), depending on your state.

 

It also creates a new SSL tunnel port, enabling TCP port 8443 to be used by Web Proxy clients for outbound SSL.

 

Download here: BPAISA2K.zip – usual caveat applies: all care taken, but no responsibility accepted.

More Fiddling: Emotion-Free (quiet!) MSN Messenger Sound Scheme

After migrating to a new user profile (easiest way to make a clean start and work out what I actually need on my desktop), I remembered one of my pet annoyances: MSN Messenger (and/or Windows Messenger) sounds like an ice cream van when it’s installed. Contacts happily bling online, messages make optimistic bleeps for attention, and alerts are announced with as much fanfare as a visiting head of state.

 

I’m an easily excitable person. All these emotionally weighted blings, bloops and bops fail to contribute to a calm working environment. They demand attention. They make me want to stop whatever I’m doing, imbuing me with an inescapable urge to gaze at (or sometimes mousefondle) my contact list – that, or throw a chair through the nearest window, depending on the caffeine situation. It pressures me.

 

So, early on my new-user-profile checklist is now the “fix the cute Messenger sounds” step. To assist with this step, I dumped out the settings from my registry for my current Messenger sound scheme, which uses the standard Windows XP sound set to create a more manageable, clinical set of sounds. For example: Windows XP Menu Command.wav is an emotionless subtle click, which I use as the new message notification. Windows XP Balloon is a robust – but cool – pop that announces a new contact’s presence. All nice and commitment free.

 

You’re welcome to grab them with the usual if-they-wipe-your-hard-drive-you-agree-not-to-sue-me caveats:

 



The Zip file contains two REG files, one for MSN Messenger, one for Windows Messenger, just double-click whichever one, click OK and you’re done. You’re welcome to right-click->Edit the files to see exactly what they do first, which is always good practice with .REG files.

 

Both adjust current settings for the current user – saving your existing sound scheme in Control Panel -> Sounds before applying these is recommended (though probably unnecessary). Update(2): Seems MSN Messenger gets annoyed if the sounds are changed without the labels being changed as well. This set Really Should Stick this time. Apologies for any inconvenience.

 

4 April 2005 – my host suffered a disk problem, and corrupted the zip file (and other bits and pieces on this site). Should be back to normal in a few days.

Pointless Fiddling: XML Deserialization vs DataSets

I was tinkering with one of my pet .Net 1.1 applications this evening (“They’re my friends. I make them. I make my friends!“) – I figured I’d try to get the hang of XML Serialization by trying to deserialize a SQL Reporting Services report. The reports are very useful for amateur dabblers like me, as they have an Export to XML option that can be invoked through the web interface, or directly from a URL. If there’s useful information in a report, it needn’t be an island…

 

The deserialization process was a bit more fiddly than I expected, but still laughably simple compared to brute-forcing it yourself.

 

Dare kindly pointed the XmlSerializer out to me when I suggested on an internal DL that I’d really like a simple API that you could, say, throw a schema at, and get back “real” objects. Naturally, it existed, I just hadn’t stumbled across it. In the end, the example I ended up working from was the Longhorn Communications History RSS sample. Using the techniques in rssparser.cs, I had a working object hierarchy within an hour, which would deserialize directly from the Reporting Services XML.

 

I had problems early on, basically because I’m someone that tends to learn by doing and not reading the documentation, but solved them by going backwards, and serializing the object I thought I was wanting to XML, then comparing that XML with my desired input. As it turned out, I was missing the default XML namespace argument from the serializer (the whole document appeared to belong to the same namespace, so I assumed (wrongly) that not specifying it would do the job…), but as far as I can tell, it’s just a string.

 

I’ll say at this point that I’m not a fan of the XML error messages that are reported when something goes wrong. “Error in document (number, number)” isn’t exactly a clear problem statement. Sure, I got the right general idea and worked through to a working model, but I was sorely tempted to abandon it.

 

Then, I remembered that I wasn’t really using objects as such within the application (so chalk deserialization up to a learning experience), but mostly DataSets and DataViews for sorting. On a whim, I tried pointing the DataSet.ReadXml method at the Reporting Services output, and got a set of tables back, which were immediately usable within the application (only a little column name hacking required – I didn’t bother to abstract the data model for my teeny app – next time, I will, I promise…). I was impressed.

 

I was also fiddling with owner-drawn menus based on Dino Esposito’s excellent article, and ended up porting his VB control to C#, to get a better understanding of how it worked – I modified it to use an ImageList as the image source, rather than files distributed along with the application, which I might cover another time…

IRL: I was an Angry Young Man, once…


 

I normally don’t comment on Scoble’s posts – I just sponge from them – but this one really struck a chord, and it’s about time for a personal-ish blog (My content-to-personality quota feels about right). Try as I might, I just couldn’t stick to a topic, so it’s an autobiographical rambler. Sorry.

 

Darren (at 12+) sounds a lot like me at 17. I’d describe myself as an Angry Young Man at the time. Around then, I was busy dissing DOS and Windows 3.11, and M$ (pronounced ’em ta-ching’) was the Evil Empire. When Windows 95 was released, I actually went out and bought OS/2 Warp Connect 3.0, blue spine edition, so that I’d have A Better DOS than DOS, and A Better Windows than Windows. NT was still 3.5(1?) at the time, and I wasn’t really keen on the Win3x interface any more.

 

Why was Microsoft evil? I don’t really recall any more – most of my information came from the trade mags of the time, which I seem to recall were running stories like “UNIX is in your future – but which UNIX?”. The trade mags weren’t fans of Windows. They weren’t fans of DOS. They weren’t fans of Microsoft. They wrote, well – basically, what they thought. Often, there was a grudging “they’re rich, but…” at the start of any given positive article. Which was cool. And I absorbed it. I formed opinions about Chicago without ever actually having used it… Because I was an expert in my social circles, my opinion carried some weight, at least among my friends, and my opinion was their opinion. “Win95? Sure, you could, but it’ll be full of bugs. Tried OS/2?”

 

Before continuing, one thing I will say – once you got it installed*, the multitasking on OS/2 was amazing. Being able to format a floppy whilst playing the DOS version of Descent in a window without any appreciable slowdown just blew me away. But there were compatibility issues, and in the end, I found my OS2/Win environment crashed more often than my good ol’ DOS and 3.11 setup. So, reluctantly (cos I’d gone HPFS, plus I loved being able to give any folder a bitmap background), I went back to my productivity environment. After experimenting with several Fixpacks. Another story.

 

What changed my path? At the end of 1995, I needed a holiday job. I knew how to hand-tune Config.sys, Autoexec.bat, the DOS=HIGH stuff that so many games had taught me about, I knew not to run Memmaker, and had just figured out that my Windows networking experiments had gone so horribly wrong because terminators were required for BNC during the interview, so the outsourced partner hired me, and sent me on Windows 95 training.

 

Pretty early on, I realized I’d made a horrible error in judgement on Windows 95. It wasn’t as buggy as They Said. It didn’t try to spy for pirate software and report it back to Bill Gates as They Said. Formatting a floppy ground the rest of the system to a near-halt, but now I could at least have a stab at explaining why! Win95 was a reasonably good solution to a horrifically complex problem (compatible with the old, performant with the new). As my understanding deepened, I grew more embarrassed about my ignorant earlier posturing, and tried to help those folk in my circle of influence be successful with their PCs, and did (I think) a fairly good job of it.

 

Flash forward to today – I now work for Microsoft proper, not a partner. I’m a reasonably balanced advocate of our technology, our philosophy (when there is a collective consensus, at least – mine when there’s not), and a strong proponent of our Values. I’m not what I’d call a zealot, but I’ll usually assign benefit of the doubt to Microsoft in a cointoss. My viewpoint on our (and other) technologies is now mostly based on observation and on experience, not on what an expert  with their own agenda writes. And if there’s an overarching goal here that’s visible on the inside, it’s continuous improvement. The culture is about constantly raising every bar we can define.

 

To sum up: Get with the learning. It promotes understanding, which in turn promotes either happiness, or better arguments. And never, ever trust an expert.

 

Sigh. I’m so old, suddenly. “And this is your father at the side of the house, but you can see the front of the house. This is the front of the house, but you can see the side of the house with your father there…”

New Australian Support Offering: Professional Support Advantage

If you’re someone that uses the pay-per-incident Professional Support in Australia (13 16 30), then you may be interested in Professional Support Advantage, a new support offering that we’re piloting at the moment, accepting signups until mid-October.

 

What’s the Advantage? Once your PSA contract is set up, you can log support calls 24×7, and billing is invoiced – no credit card required when you call. Just to let you know up front: there’s an annual administration fee, and calls worked after hours are more expensive.

 

[Updated links 18/07/2004]

If you’re interested, you can read the overview here: Microsoft Professional Support Advantage.

A list of all Support Services currently available in Australia is here.

NLB Will Actually Converge On A Crossover Cable

…It’s just that it’s of no use to anyone outside the cluster – and I can’t think of a way of making anything useful happen using a crossover cable within an NLB cluster, so if anyone’s got a good usage scenario for Wibbles with a crossover cable, please leave a comment!

 

In the course of a support issue I was working on, the possibility of testing NLB (aka WLBS =”Wibbles“) convergence with a crossover cable came up. I couldn’t think of a good reason that it wouldn’t work, but the title of the following article made me look at it again:

 

242248 Using crossover cable causes load balancing not to work
http://support.microsoft.com/?id=242248

 

The title seems pretty straightforward, but it seemed to contradict what we know about Wibbles from NLBTech2 – which is that as long as there’s a common broadcast plane for the heartbeat traffic to work across, convergence should work.

 

When you take a closer look at the contents of the article, the actual meaning becomes clearer:

 

other devices on the same subnet may not be able to ping the cluster IP address, or may not be able to gain access to TCP services configured for load balancing.
CAUSE
This behavior can occur if the cluster nodes are connected by using a crossover cable between the cluster adapters.
RESOLUTION
Remove the crossover cable and attach the cluster adapters to the same network as the dedicated adapters.

 

So what the article is actually saying is that if the clients aren’t connecting to the NLB adapters directly, they can’t connect. Which is cool, it’s what we expect!

 

For those focused on troubleshooting this type of thing, and who like resolutions, in the case I was working on the Gigabit Ethernet adapters weren’t converging when in Multicast mode, even with a crossover cable, though Unicast was working fine. A driver upgrade solved the problem.

 

If you’re ever troubleshooting an NLB/WLBS convergence problem, a good “master” article to start with is this one:
812870 Network Load Balancing Cluster Node Does Not Successfully Converge
http://support.microsoft.com/?id=812870

TS Licensing in 90 Words Or Less

Various aspects of TS Licensing are often misunderstood, so I set myself the goal of explaining it relatively clearly in under 90 words.
I cheated by using a picture, which is reputedly worth a thousand words, though I think that mainly applies to people with, what’s the word, skill.
[Picture: TSLicensing90Words]
Words From The Picture Retyped:
Clients connect directly to the Terminal Server using RDP.
The Terminal Server validates the client license, and talks to the TS Licensing Server (LS) if necessary:
  • to obtain a Temporary License token for an unlicensed client
  • to upgrade Temporary License tokens to Permanent
  • to renew Permanent License token within 7 days of expiry
Clients never connect to the LS directly.
The TS discovers the License Server automatically if the LS is a Domain Controller. If not, use DefaultLicenseServer value (Windows 2000) or LicenseServers subkeys (Windows Server 2003).
Enterprise LSs span domains within a site.
Domain LSs span sites within a domain.
Picture FAQ:
Yes, the user on the right is probably up to no good, but I can’t prove anything.
Windows Server 2003:
301932 Terminal Services Licensing Service Discovery
http://support.microsoft.com/?id=301932

Notes: You can specify a list of license servers by creating a subkey of LicenseServers for each LS you want to query.
Windows 2000:
239107 Establishing Preferred Windows 2000 Terminal Services License Server
http://support.microsoft.com/?id=239107
Notes: You can only specify a single default license server, via a single REG_SZ registry value called DefaultLicenseServer.
Some history on TS Licensing Enhancements (short version: for Windows 2000, get SP3 or later, and put it on both the TSs and LS).
287687 Terminal Services Licensing Enhancements
http://support.microsoft.com/?id=287687
And the Terminal Services Licensing White Papers (if you want to know how it all works in detail, start here – there’s tons of excellent information).
If you liked this, you might also like How TSWeb Works.

Blog Facelift: The Joy Of Filters (aka Getting IE Filters to Work)

I admit it (as if it wasn’t already obvious) – I dropped out of Graphic Design at Uni. The sad truth is that I’m a much better design critic than creator. /me shrugs, I’m from the Scoble school of blog design – it’s all about the content!

 

Still, a friend of mine (who might well bear my children for a link to Buy Presents For Darryn, mwuhaha) was angry at me for IE Filters the other night.

 

Being something of a back-end guy (I like the data access bits and the networky stuff, but the CSS stuff is something somebody else is much better off doing), I hadn’t a clue what he was on about, and commiserated without really committing to anything.

 

Overnight, I decided that my blog lacked a certain aesthetic appeal, so I started renovating the stylesheets, and discovered Filters. And boy, are they ever cool. And I’m told they gracefully “just don’t work” in other browsers. Can’t beat that for an optional feature!

 

There’s one key frustration I wanted to share, which comes from Tristan Not Reading The Docs Properly, and that’s that if you just add a filter:blah to a random object in your style sheet, it may not work at all – so I’ll paste the relevant bit in below:

 

The object that the filter is applied to must have layout before the filter effect will display. You can give the object layout by setting the height or width property, setting the position property to absolute, setting the writingMode property to tb-rl, or setting the contentEditable property to true.

 


So, just add a “width:100%;” (or whatever else), and you’re done.

 

Now where did I leave those blink tags? I need to draw more attention to the titles…