FW_H_CnfWebAuth

  • Article

To configure authentication methods for Web Proxy clients

  1. In the console tree of ISA Server Management, click Networks.

  2. In the details pane, click the Networks tab, and then select the applicable network.

  3. On the Tasks tab, click Edit Selected Network.

  4. On the Web Proxy tab, click Authentication.

  5. Select the authentication method that may be used to authenticate clients connecting to the selected network.

  6. Select Require all users to authenticate, to force clients from this network to authenticate using one of the selected authentication methods.

  7. If you select RADIUS, Digest, or Basic authentication, click Select Domain and type the name of the domain to use when authenticating clients.

  8. If you select RADIUS authentication, you must enable the system policy's RADIUS configuration group (in the Authentication Services category).

  9. If you select RADIUS authentication, click RADIUS Servers to configure the servers to use for RADIUS authentication.

Note

To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, expand Configuration, and then click Networks.

Important

Requiring all users to authenticate may block traffic to sites, such as Windows Update, that do not support user authentication. To ensure that you do not unintentionally block traffic to such sites, we recommend enforcing user authentication on firewall policy access rules and publishing rules, instead of selecting Require all users to authenticate.
Users who log on to the network with the Basic authentication methods must belong to a specific domain. Usually, the Windows domain that is used for Basic authentication is the local domain in which the Web server is active. A different domain can be specified, if required.
When no domain is explicitly specified, ISA Server uses its own domain.
If you select RADIUS authentication, you cannot select any other authentication method.
If you do not select an authentication method and if the firewall policy includes rules that require users to authenticate, authentication will fail and the request will be denied.
Kerberos authentication depends upon User Datagram Protocol (UDP) packets that are commonly fragmented. If your ISA Server computer or array is in a domain, and you enable the blocking of IP fragments, Kerberos authentication will fail. For example, if the computer uses Kerberos for authentication during user logon, logon will fail. We recommend that you do not enable the blocking of packets containing IP fragments in scenarios where Kerberos authentication is used.