The ISA Firewall Returns Authenticated Content to Authenticated Users -- Fixed
I’ve seen a number of reports over the last two years regarding the ISA firewall serving authenticated content from its cache to users who were not the ones initially authorized to receive that content. For example, suppose a user visits a Web mail site, authenticates, and then retrieves his email. The user logs off, and then another user on a different computer logs on to the same email site. There is a possibility that the other user will gain access to the previous user’s email information, because that information is stored in the ISA firewall’s Web cache and the ISA firewall does not require authentication to access cached content.
You should note that this is not the default behavior of the ISA firewall. The figure below shows the relevant configuration of the Default Cache Rule, which is always the last cache rule to be evaluated by the ISA firewall. Notice that the checkbox at the bottom of the dialog box, "Content requiring user authentication for retrieval", is not enabled. The ISA firewall admin would have to create a Cache Rule that enables caching of authenticated content for the destination Web site before the ISA firewall would serve that content from cache to another user.
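To make the rule evaluation concrete, here is an added example (a constructed Python model, not ISA Server code) of how cache rules decide whether credentialed content gets stored, and what a second user then sees; the rule names, hostnames and bodies are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of ISA cache-rule evaluation (assumption: simplified, not
# ISA's own implementation). Rules are checked in order; the Default Cache
# Rule always comes last and has the authenticated-content checkbox off.

@dataclass
class CacheRule:
    name: str
    destinations: Optional[Set[str]]  # None = all destinations (Default Cache Rule)
    cache_authenticated: bool         # "Content requiring user authentication for retrieval"

DEFAULT_CACHE_RULE = CacheRule("Default Cache Rule", None, cache_authenticated=False)

def matching_rule(rules: List[CacheRule], host: str) -> CacheRule:
    """Return the first rule covering host; the Default Cache Rule catches the rest."""
    for rule in list(rules) + [DEFAULT_CACHE_RULE]:
        if rule.destinations is None or host in rule.destinations:
            return rule
    return DEFAULT_CACHE_RULE

class WebCache:
    """Cache store. Anything stored here is served without re-authentication,
    which is the behaviour the post describes."""
    def __init__(self, rules: List[CacheRule]):
        self.rules = list(rules)
        self.store: Dict[Tuple[str, str], str] = {}

    def on_response(self, host: str, path: str, body: str, request_had_credentials: bool) -> bool:
        # Content fetched with credentials is cached only if the matching rule allows it.
        if request_had_credentials and not matching_rule(self.rules, host).cache_authenticated:
            return False
        self.store[(host, path)] = body
        return True

    def lookup(self, host: str, path: str) -> Optional[str]:
        return self.store.get((host, path))

def replay_scenario(rules: List[CacheRule]) -> Optional[str]:
    """User A reads webmail with credentials; user B then requests the same URL.
    Returns what B gets from cache (None = cache miss, request goes to origin)."""
    cache = WebCache(rules)
    cache.on_response("mail.example.com", "/inbox", "A's inbox", request_had_credentials=True)
    return cache.lookup("mail.example.com", "/inbox")

if __name__ == "__main__":
    print("default rules only:", replay_scenario([]))
    risky = CacheRule("Cache webmail", {"mail.example.com"}, cache_authenticated=True)
    print("authenticated caching enabled:", replay_scenario([risky]))
```

With only the Default Cache Rule the second user gets a cache miss; once an admin rule enables authenticated caching for the mail site, the first user's inbox is served from cache.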
Nevertheless, this has been an issue in the past, and apparently enough of one that Microsoft has fixed the problem. For more details on the problem and the fix, see the KB article "Users who do not have the appropriate permissions can receive restricted content from ISA Server 2004" at http://support.microsoft.com/kb/894679/en-us
Thomas W Shinder, M.D.
MVP -- ISA Firewalls