Solved

isa server configuration problems

Posted on 2004-04-09
Last Modified: 2013-11-16
Hi all,
Our ISA Server setup is:

1- I created 3 groups, i.e. admin, faculty, student, on ADS, and added users to their respective groups.

2- Then I created a site and content rule and a protocol rule on the ISA server,
i.e. for  i.   Admin group = all protocols are allowed
          ii.  Faculty group = all protocols are allowed except MSN
          iii. Student group = only HTTP and HTTPS protocols are allowed

Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3.

And the lab PCs' IP configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

Because I want users (students) not to access the internet on lab PCs,
I created a "deny internet access" protocol rule in which I added the above IP addresses, i.e.
10.0.1.1-10.0.1.14
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

My question or my problem is:

I want others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere including lab PCs (but due to the deny IP address rule, they cannot access the internet on lab PCs).


How can I configure this:

1- Students can access the internet only in the library (IP addresses are 10.0.9.1-10.0.9.3).
2- Faculty members and admin persons can use the internet everywhere including lab PCs.
Sometimes I need to allow:
3- Students to use internet access on lab PCs for a limited time period.

How can I configure all these?

Thanks
Question by:Futuremind2
LVL 20

Expert Comment

by:What90
ID: 10795259
Is there any reason that you just use groups and users to restrict access to the net?

That way when a member of staff logs on they will have access, rather than tying it down to fixed IP addresses. The student accounts/library log-ons will have no Internet access wherever they log on then.

Have a look at the guide below and see if that will do what you want:
http://www.isaserver.org/tutorials/Using_ISA_Content_Groups_to_Restrict_the_Use_of_Non_Business_Related_Traffic.html

Author Comment

by:Futuremind2
ID: 10795770
Thanks all for replying,
but the problem is not solved. Please give the solution in detail.

thanks
LVL 20

Expert Comment

by:What90
ID: 10795862
You already have your users in groups in Active Directory, which are split into the three groups you've already defined.

You create three separate Protocol Rules, one for each group, in ISA.

This link walks you through how to create a protocol rule:
http://www.windowsecurity.com/articles/Protocol_Rules_Block_Access_Sites.html

Now comes the more complex part to allow access to the internet in the library.

Create a destination set with the library machines ip address range and set it to allow HTTP access and apply that to the student group.

Answer to question 3: you can't do it without aid from a third party tool. The connection would remain open until you closed it manually.
LVL 23

Expert Comment

by:rhandels
ID: 10795996
Here it is.

Create a protocol rule for HTTP and HTTPS traffic, give all your users rights to this protocol rule.

Then, create the following access rules:

For the students' PCs:

Allow students' PCs (IP addresses) access to the internet (everyone can use the internet on these PCs).

For the lab:

Allow all lab users to access the internet (by user group) on all PCs. They can then access the internet at all PCs.

For the access of the students on the lab PCs:

Allow the lab PCs (IP addresses) access to the internet at a specified time.

You can create a time schedule in the policy options.

I think this should do the trick.

The only problem there is, is that ISA doesn't work like a normal rulebase. You cannot tell ISA which rule to use first.

If you have any questions (or if I put it down too difficult), just post and we will help you...
LVL 23

Expert Comment

by:rhandels
ID: 10796000
Sorry, didn't read the part about the protocol rules. You can also just let them stand there; shouldn't be a problem...

Author Comment

by:Futuremind2
ID: 10796516
I do not understand this:
"Allow the lab PCs (IP addresses) access to the internet at a specified time.
You can create a time schedule in the policy options."
None of these solutions work for me...
I again ask my question in detail...


1- I created 3 groups, i.e. admin, faculty, student, on ADS, and added users to their respective groups.

2- Then I created a site and content rule and a protocol rule on the ISA server,
i.e.

PROTOCOL RULE

For      i.   Admin group = all protocols are allowed
         ii.  Faculty group = all protocols are allowed except MSN
         iii. Student group = only HTTP and HTTPS protocols are allowed

and the SITE AND CONTENT RULE is

For      i.   Admin group =   I created DESTINATION ALLOW FOR ADMIN; in the destination tab I chose all,
                              in action I chose allow, and in the applies-to tab I chose the admin group

         ii.  Faculty group = I created DESTINATION ALLOW FOR faculty; in the destination tab I chose all,
                              in action I chose allow, and in the applies-to tab I chose the faculty group

         iii. Student group = I created DESTINATION ALLOW FOR student; in the destination tab I chose all,
                              in action I chose allow, and in the applies-to tab I chose the student group


Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3 respectively.

And the lab PCs' IP configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

Also the back office PC configuration is
10.0.0.1-10.0.0.50 (IP addresses used in the back office).
The back office users are in the Admin group and the Faculty group.

Because I want users (students) not to access the internet on lab PCs,

I created a "deny internet access" protocol rule in which I added the above IP addresses, i.e.
10.0.1.1-10.0.1.14
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

My question or my problem is:

I want others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere including lab PCs (but due to the deny IP address rule, they cannot access the internet on lab PCs).


How can I configure this:

1- Students can access the internet only in the library (IP addresses are 10.0.9.1-10.0.9.3).
2- Faculty members and admin persons can use the internet everywhere including lab PCs.
Sometimes I need to allow:
3- Students to use internet access on lab PCs (for a limited time period).

Currently, if I need to allow the internet on a lab PC, I go to the "deny internet for lab PCs" protocol rule
and add the PC's IP (which needs to be allowed internet access) in the exception tab under client address set,
and then delete this IP from the exception when the internet work is completed.

How can I configure all these?

Thanks
LVL 20

Expert Comment

by:What90
ID: 10796824
Apologies, totally misread your question.

The problem you have is the Deny rule will always beat the Allow rule. So I'd suggest you flip the rules.

Ditch the IP address rules for the labs as they will block everything and everyone.

PROTOCOL RULE

For      i.   Admin group = all protocols are allowed
         ii.  Faculty group = all protocols are allowed except MSN
         iii. Student group = only HTTP and HTTPS protocols are allowed, but time is set to none (0 hours)

Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3.

Create an allow-all SITE AND CONTENT rule for these IP addresses of the library machines for All Hours.
When the students come to these machines the site rule should "win" and allow them access.


As I've already mentioned your 3rd question is a big problem. You can't do it without aid from a third party tool automatically.
What you can do is change the student rule time to allow access for that time period. However, the connections to the Internet for the lab machines would remain open until you closed it manually.
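To make the rule interaction discussed above concrete, here is an added Python model (not from the thread, and not ISA Server's own code) of the evaluation the comments describe: rules are unordered, a matching deny always wins, and a request needs both an allowing protocol rule and an allowing site and content rule. The groups and address ranges are the ones the asker posted; the rule names, the helper API and the 14:00-16:00 lab window are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (first, last) address range."""
    a = ip_address(ip)
    return any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in ranges)

@dataclass
class Rule:
    name: str
    kind: str                 # "protocol" or "site" (site and content rule)
    action: str               # "allow" or "deny"
    protocols: set = None     # None = all protocols
    groups: set = None        # applies-to: users and groups (None = any)
    client_ips: list = None   # applies-to: client address set (None = any)
    hours: range = range(24)  # schedule: hours of the day the rule is active

    def matches(self, group, src_ip, protocol, hour):
        return ((self.protocols is None or protocol in self.protocols)
                and hour in self.hours
                and (self.groups is None or group in self.groups)
                and (self.client_ips is None or in_ranges(src_ip, self.client_ips)))

def evaluate(rules, group, src_ip, protocol, hour=10):
    """Unordered: any matching deny wins; else need a protocol AND a site allow."""
    hits = [r for r in rules if r.matches(group, src_ip, protocol, hour)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    kinds = {r.kind for r in hits}
    return "allow" if {"protocol", "site"} <= kinds else "deny"

LAB = [("10.0.1.1", "10.0.1.14"), ("10.0.2.1", "10.0.2.14"),
       ("10.0.3.1", "10.0.3.14"), ("10.0.4.1", "10.0.4.14")]
LIBRARY = [("10.0.9.1", "10.0.9.3")]
WEB = {"http", "https"}
# The asker's rule set: per-group allows plus a deny keyed on the lab addresses.
CURRENT = [
    Rule("admin protocols", "protocol", "allow", groups={"admin"}),
    Rule("faculty protocols", "protocol", "allow", groups={"faculty"}),  # MSN exception not modelled
    Rule("student protocols", "protocol", "allow", WEB, groups={"student"}),
    Rule("allow for admin", "site", "allow", groups={"admin"}),
    Rule("allow for faculty", "site", "allow", groups={"faculty"}),
    Rule("allow for student", "site", "allow", groups={"student"}),
    Rule("deny internet for lab pcs", "protocol", "deny", client_ips=LAB),
]
# Revised set (assumption): no deny rule; the only site rule students can match is
# scoped to the library address set, plus a scheduled lab window (constructed 14:00-16:00).
REVISED = CURRENT[:5] + [
    Rule("allow from library", "site", "allow", client_ips=LIBRARY),
    Rule("lab window", "site", "allow", client_ips=LAB, hours=range(14, 16)),
]
```

With CURRENT, a faculty member on a lab PC is denied because the IP-keyed deny matches regardless of group; with REVISED the same request is allowed, students are allowed only from the library addresses or inside the lab window, and nothing has to be edited by hand when the window opens or closes.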

Author Comment

by:Futuremind2
ID: 10801374
Thanks What90, but still the problem is not solved...
LVL 20

Expert Comment

by:What90
ID: 10803008
Futuremind2 -

I was talking to a friend at a uni campus and they commented on the public access PCs for web access. Thought this might be of interest.

Their setup is that machines in public areas have been made into kiosk terminals.
This stops the students and other problematic individuals pulling down tools and logging users' details via keyloggers and other script kiddie tools, plus cluttering the machine with profiles.

As the machines have been put into full lock-down mode, 90% of their support calls have dropped from those areas and 30% of user complaints about other students abusing the logon/password system have too.

I'd suggest that you make the library machines pure kiosk boxes and remove HTTP/S from the students' protocol group or leave it at 0 hours.
Here's some food for thought:
http://support.microsoft.com/?kbid=154780
http://www.kiosks.org/kioskmode.htm

Author Comment

by:Futuremind2
ID: 10850586
Hmmmm... none of these solutions solve my problems :(


Please tell the expert's solution for this scenario...


thanks

Accepted Solution

by:
modulo earned 0 total points
ID: 12803037
PAQed with points refunded (250)

modulo
Community Support Moderator