Microsoft Internet Security and Acceleration Server 2000

Rules and Authentication

When a Firewall client requests content which is not Hypertext Transfer Protocol (HTTP), ISA Server determines if any rules have been configured to apply to specific users or groups. If so, then ISA Server requires that the client authenticate itself, so that ISA Server can determine if the rule applies to the client requesting the object.

When a Web proxy or Firewall client requests HTTP content, ISA Server checks the rules to determine if a specific rule allows anonymous users access (either because it applies to all users, or it applies to a client address set that includes the IP address of the client). If so, then the request is allowed. Otherwise, if no rule has been configured to allow anonymous users access, ISA Server requires that the client authenticate itself, to determine if a rule applies to the specific, authenticated user.

In other words, when a client requests HTTP content, authentication information is not passed to ISA Server unless ISA Server requires it. This happens when the Web proxy service must identify the user in order to allow the request.

You can configure ISA Server to always require authentication for Web requests by using the FPCWebRequestConfiguration.AlwaysAuthenticate property.

For Firewall clients, HTTP requests are passed to the HTTP redirector filter, if the filter is enabled and configured. In this case, the Firewall client's authentication information is not passed to the Web proxy service, and ISA Server treats the request as if it came from an unauthenticated user. If ISA Server cannot allow the request from an unauthenticated user, the request is denied, because ISA Server will not ask for authentication.

Authentication Example

Suppose you configure ISA Server with the following rules:

  1. A protocol rule that allows everyone to use all protocols.
  2. A site and content rule that allows everyone access to all sites.
  3. A site and content rule that denies access to user John.

The first two rules allow all requests from anonymous users. The third rule is enforced (that is, John's request is denied) only if ISA Server requires John to authenticate himself. For example, consider the following scenarios:

To enforce the third rule for all Web requests, configure the array option to ask unauthenticated users for identification. John's request will be denied in all the scenarios previously listed.
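As an added illustration that is not part of the original documentation, the following Python models the decision flow described above (anonymous rule check, the AlwaysAuthenticate option, the HTTP redirector case, and user-specific rules for non-HTTP requests) and applies it to the three-rule John example. The rule semantics used here (deny rules win, no matching rule means deny) and the rule representation are simplifying assumptions, not ISA Server's actual rule engine.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    users: Optional[frozenset] = None    # None: the rule applies to everyone
    client_ips: frozenset = frozenset()  # client address set the rule covers

def anonymous_match(rule, client_ip):
    # No identity is needed when the rule covers everyone or the client's address.
    return rule.users is None or client_ip in rule.client_ips

def user_match(rule, user, client_ip):
    return anonymous_match(rule, client_ip) or user in rule.users

def outcome(matching):
    """Assumed semantics: deny rules win; with no matching rule the request is denied."""
    if any(r.action == "deny" for r in matching):
        return "denied"
    return "allowed" if matching else "denied"

def evaluate(rules, user, client_ip, is_http=True,
             always_authenticate=False, via_http_redirector=False):
    """Return (decision, authenticated) for one client request.
    `user` is the identity the client would present if ISA Server asked for it."""
    anon = [r for r in rules if anonymous_match(r, client_ip)]
    if is_http:
        # Web proxy / Firewall client HTTP: an anonymous allow rule settles it,
        # unless AlwaysAuthenticate forces identification of every Web request.
        if not always_authenticate and any(r.action == "allow" for r in anon):
            return outcome(anon), False
    elif not any(r.users is not None for r in rules):
        # Non-HTTP with no user- or group-specific rules: nobody is asked to log on.
        return outcome(anon), False
    # Authentication is required to see whether a user-specific rule applies.
    if via_http_redirector:
        # Firewall client HTTP handed to the HTTP redirector: credentials are not
        # passed to the Web proxy service, and ISA Server will not ask for them.
        return "denied", False
    return outcome([r for r in rules if user_match(r, user, client_ip)]), True

# Constructed rule set from the example above: two "everyone" allow rules
# and a site and content rule that denies user John.
EXAMPLE_RULES = (Rule("allow"), Rule("allow"), Rule("deny", frozenset({"john"})))
```

With the default settings John's HTTP request is allowed anonymously and rule 3 never fires; with always_authenticate=True it is denied, and a Firewall client request through the HTTP redirector is denied outright because no credentials can be requested.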