Microsoft KB Archive/262366



The Enterprise or Array Policies Restricting Internet Access Do Not Seem to Work

Article ID: 262366

Article Last Modified on 1/15/2006



APPLIES TO

  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition



This article was previously published under Q262366

SUMMARY

Internet Security and Acceleration (ISA) Server processes any rules that deny access before processing rules that enable access in the Access policy. However, you may observe that if you create a Site and Content rule in the applicable Access policy (Array policy or Enterprise policy) that applies to a specific user identification (for example, User A or Group A), that user or group is still able to access the denied site or sites.

This behavior can occur if you also have a Site and Content rule in the applicable Access policy (Array policy or Enterprise Policy) that applies to "All Destinations" and applies to "Any Request".

MORE INFORMATION

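This behavior is expected because standard Hypertext Transfer Protocol (HTTP) always attempts anonymous access first. The anonymous request matches the rule that applies to "All Destinations" and "Any Request", and the rule that denies a specific user or group cannot apply because the request carries no user identification.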

This problem can be corrected by forcing all HTTP proxy users to authenticate with the ISA Server.

By default, ISA Server does not authenticate outbound Web requests, which means that a user can anonymously access the Web if the rules are configured as previously discussed.

To force users to authenticate with the Web Proxy service, use either of the following methods:

  • Create all Site and Content rules so that they do not apply to all destinations and any user. You can select specific destinations and enable access to any user, or to all destinations and a specific user or group.

    -or-

  • In ISA Management, right-click the Server/Array node, and then click Properties. On the Outgoing Web requests tab, click the Ask unauthenticated users for authentication option.

Both of the preceding changes make ISA Server require a Web proxy user to provide a user identification before the user can access any Web resource.

NOTE: By default, all Web requests that pass through ISA Server also pass through the Web Proxy service. Clients that are configured only for secure Network Address Translation (S-NAT), with browsers that are not configured to use the Web Proxy service, are unable to access any Web site. This occurs because those clients use ISA Server strictly as a NAT device, so there is no mechanism for them to provide any credentials. Either configure the browsers on those clients to use the Web Proxy service on ISA Server, or create Site and Content rules for those users based on client sets.
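The following Python sketch is an added illustration, not ISA Server code or configuration. It is a simplified model of the rule evaluation described above, showing why the user-specific deny rule is bypassed and how each of the two methods, and the S-NAT case in the note, changes the outcome. All rule, host, and user names are constructed, and the challenge step (HTTP 407 when no rule matches anonymously) is an assumption of the model.

```python
from dataclasses import dataclass

ANY = "*"  # constructed wildcard: "All Destinations" / "Any Request"

@dataclass(frozen=True)
class Rule:
    action: str       # "deny" or "allow"
    destination: str  # host name, or ANY
    applies_to: str   # user name, or ANY

def matches(rule, host, user):
    if rule.destination not in (ANY, host):
        return False
    # A user-specific rule cannot match a request that carries no identity.
    return rule.applies_to == ANY or (user is not None and rule.applies_to == user)

def decide(rules, host, user):
    # Deny rules are processed before allow rules, as the article states.
    for action in ("deny", "allow"):
        if any(r.action == action and matches(r, host, user) for r in rules):
            return action
    return None  # nothing matched for this identity

def request(rules, host, real_user, ask_unauthenticated=False):
    """Model one request: anonymous first, identity only after a challenge.
    real_user=None models a SecureNAT-only client that cannot answer one."""
    if not ask_unauthenticated:
        verdict = decide(rules, host, None)
        if verdict is not None:
            return verdict, "anonymous"
    # Assumption: the proxy now challenges (HTTP 407) and the browser retries.
    if real_user is None:
        return "deny", "no credentials"
    return decide(rules, host, real_user) or "deny", real_user

# Constructed policies; host and user names are placeholders.
PROBLEM = [Rule("deny", "blocked.example", "userA"), Rule("allow", ANY, ANY)]
METHOD_1 = [Rule("deny", "blocked.example", "userA"),
            Rule("allow", ANY, "userA"), Rule("allow", ANY, "userB")]

if __name__ == "__main__":
    print(request(PROBLEM, "blocked.example", "userA"))
    print(request(METHOD_1, "blocked.example", "userA"))
    print(request(PROBLEM, "blocked.example", "userA", ask_unauthenticated=True))
    print(request(PROBLEM, "www.example", None, ask_unauthenticated=True))
```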

For specific steps on how to create Site and Content rules or how to modify settings, refer to the Help file.

Keywords: kbinfo kbenv kbnetwork KB262366