4 Replies Latest reply on May 19, 2010 4:01 AM by RayP

    WebWasher with ISA 2006





      I am having a few difficulties getting WebWasher to workwith ISA Server 2006.


      Here is my setup:

      • ISA server with x3 NICs (Internal, External & Perimeter/DMZnetworks).
      • All PC's/devices point to Internal as default gateway. (We also use Firewall Client to point to ISA Internal)
      • WebWasher is on the Perimeter/DMZ Network.



      What I have done:

      I have created firewall policy rules which allow WW to talkto Internal & External network. (all seems fine, WW can access internet)

      I have configured the proxy chaining plug & web chainingrule to forward to the WebWasher appliance.


      The issue:

      ISA Server does not appear to be passing WebWasher the X-Authenticated-User& X-Authenticated-Groups headers resulting in end users receiving a WebWasher notauthenticated error message.

      Support have confirmed via tcpdumps this information is not being passed.



      Any ideas would be gratefully received on how to make ISA pass this information.



      Message was edited by: king-ed on 17/05/10 12:29:38 CDT



      Message was edited by: king-ed on 17/05/10 12:30:11 CDT
        • 1. Re: WebWasher with ISA 2006

          Hi king-ed,


          usually the X-Authenticated-User and X-Authenticated-Groups header should be forwarded from the ISA server to Webwasher. As far as I know the process needs to be restarted after you have installed the Plugin. Have you done so?


          Also, is there a valid license added to the Plugin?


          Additionally, can you verify that the ISA Server actually performs authentication? If Users are able to access ISA without Authentication, the Headers won't be there.


          Please have a look.




          • 2. Re: WebWasher with ISA 2006

            Hi Andre,


            When installing the proxy chaining plugin you are required the stop and start the Microsoft Firewall service - I assume this is enough?


            The plugin is correctly licensed.


            I know that ISA preforms authentication because if I generate a report from within the ISA Management Console I can see that usernames are present(with domain name).


            I do currently have SmartFilter installed on the ISA Server - when I attempt to enable WebWasher I am disabling the SmartFilter addins first. (I don't want to uninstall SmartFilter until I know that WebWasher works 100%).



            • 3. Re: WebWasher with ISA 2006



              yes, restarting the ISA service should be enough. Well it seems you have done all the steps required. Have you already verified that the Header is NOT sent to Webwasher, or is the Header probably sent but Webwasher fails to map on it?


              You may generate an ICAP Trace or packet capture between ISA and Webwasher and give it a try (activate the Chaining Plugin of course). We can then have another look.




              • 4. Re: WebWasher with ISA 2006



                What settings did you use within Web Mapping.

                You must use Map from: Username, Map via: Map directly, Using these rules: User-Direct-1


                Within [Edit rules and options] you must use:

                Extract user information from: user defined request header

                User defined meta or request header: X-Authenticated-User