Solved

isa server configuration problems

Posted on 2004-04-09
12
Medium Priority
270 Views
Last Modified: 2013-11-16
Hi all,
Our ISA Server setup is:

1- I created 3 groups, i.e. admin, faculty and student, on ADS, and added users to their respective groups.

2- Then I created a site and content rule and a protocol rule on the ISA server, i.e. for:
           i.  Admin group = all protocols are allowed
           ii.  Faculty group = all protocols are allowed except MSN
           iii. Student group = only HTTP and HTTPS protocols are allowed

Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3

and the lab PCs' IP configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

Because I want users (students) not to access the internet on lab PCs,
I created a "deny internet access" protocol rule in which I added the above IP addresses, i.e.
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

My question, or my problem, is:

I want others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere, including lab PCs (but due to the deny IP address rule, they cannot access the internet on lab PCs).

How can I configure this:

1- Students can access the internet only in the library (IP addresses are 10.0.9.1-10.0.9.3).
2- Faculty members and admin persons can use the internet everywhere, including lab PCs.
Sometimes I need to allow:
3- Students to use internet access on lab PCs for a limited time period.

How can I configure all these?

thanks
0
Comment
Question by:Futuremind2
12 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10795259
Is there any reason that you don't just use groups and users to restrict access to the net?

That way, when a member of staff logs on they will have access, rather than tying it down to fixed IP addresses. The student accounts/library logons will have no Internet access wherever they log on.

Have a look at the guide below and see if that will do what you want:
http://www.isaserver.org/tutorials/Using_ISA_Content_Groups_to_Restrict_the_Use_of_Non_Business_Related_Traffic.html
0
 

Author Comment

by:Futuremind2
ID: 10795770
Thanks all for replying,
but the problem is not solved. Please give the solution in detail.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10795862
You already have your users in groups in Active Directory, split into the three groups you've already defined.

You create three separate Protocol Rules, one for each group, in ISA.

This link walks you through how to create a protocol rule:
http://www.windowsecurity.com/articles/Protocol_Rules_Block_Access_Sites.html

Now comes the more complex part: allowing access to the internet in the library.

Create a destination set with the library machines' IP address range, set it to allow HTTP access, and apply that to the student group.

As for question 3, you can't do it without the aid of a third-party tool. The connection would remain open until you closed it manually.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10795996
Here it is.

Create a protocol rule for HTTP and HTTPS traffic, and give all your users rights to this protocol rule.

Then, create the following access rules.

For the students' PCs:

Allow the students' PCs (IP addresses) access to the internet (everyone can use the internet on these PCs).

For the lab:

Allow all lab users to access the internet (by user group) on all PCs. They can then access the internet on all PCs.

For the access of the students on the lab PCs:

Allow the lab PCs (IP addresses) access to the internet at a specified time.

You can create a time schedule in the policy options.

I think this should do the trick.

The only problem there is, is that ISA doesn't work like a normal rulebase. You cannot tell ISA which rule to use first.

If you have any question (or if I put it down too difficult), just post and we will help you...
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10796000
Sorry, didn't read the part about the protocol rules. You can also just let them stand there; shouldn't be a problem...
0
 

Author Comment

by:Futuremind2
ID: 10796516
I do not understand this:
"Allow the lab PCs (IP addresses) access to the internet at a specified time.
You can create a time schedule in the policy options."
None of these solutions work for me......
I ask my question again in detail....


1- I created 3 groups, i.e. admin, faculty and student, on ADS, and added users to their respective groups.

2- Then I created a site and content rule and a protocol rule on the ISA server, i.e.

PROTOCOL RULE

 For      i.  Admin group = all protocols are allowed
           ii.  Faculty group = all protocols are allowed except MSN
           iii. Student group = only HTTP and HTTPS protocols are allowed

and the SITE AND CONTENT RULE is

For      i.   Admin group = I created DESTINATION ALLOW FOR ADMIN; in the destination tab I chose all,
                in the action tab I chose allow, and in the applies-to tab I chose the admin group

           ii.  Faculty group = I created DESTINATION ALLOW FOR faculty; in the destination tab I chose all,
                in the action tab I chose allow, and in the applies-to tab I chose the faculty group

           iii. Student group = I created DESTINATION ALLOW FOR student; in the destination tab I chose all,
                in the action tab I chose allow, and in the applies-to tab I chose the student group


Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3 respectively

and the lab PCs' IP configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

Also, the back office PC configuration is
10.0.0.1-10.0.0.50 (IP addresses used in the back office);
the back office users are the Admin group and the Faculty group.

Because I want users (students) not to access the internet on lab PCs,

I created a "deny internet access" protocol rule in which I added the above IP addresses, i.e.
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

My question, or my problem, is:

I want others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere, including lab PCs (but due to the deny IP address rule, they cannot access the internet on lab PCs).


How can I configure this:

1- Students can access the internet only in the library (IP addresses are 10.0.9.1-10.0.9.3).
2- Faculty members and admin persons can use the internet everywhere, including lab PCs.
Sometimes I need to allow:
3- Students to use internet access on lab PCs (for a limited time period).

Currently, if I need to allow internet on a lab PC, I go to the "deny internet for lab PCs" protocol rule
and add the PC's IP (which needs to be allowed internet access) in the exception tab under the client address set,
and then delete this IP from the exception when the internet work is completed.

How can I configure all these?

Thanks



0
 
LVL 20

Expert Comment

by:What90
ID: 10796824
Apologies, I totally misread your question.

The problem you have is that the Deny rule will always beat the Allow rule. So I'd suggest you flip the rules.

Ditch the IP address rules for the labs, as they will block everything and everyone.

PROTOCOL RULE

 For      i.  Admin group = all protocols are allowed
           ii.  Faculty group = all protocols are allowed except MSN
           iii. Student group = only HTTP and HTTPS protocols are allowed, but the time is set to none (0 hours)

Students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3

Create an allow-all SITE AND CONTENT rule for these IP addresses of the library machines for All Hours.
When the students come to these machines the site rule should "win" and allow them access.


As I've already mentioned, your 3rd question is a big problem. You can't do it automatically without the aid of a third-party tool.
What you can do is change the student rule time to allow access for that time period. However, the connections to the Internet for the lab machines would remain open until you closed them manually.
0
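The two pieces of advice above (rhandels: one HTTP/HTTPS protocol rule plus separate allow rules for library IPs, staff groups and a scheduled lab window; What90: a deny rule always beats an allow rule) can be checked against a small policy simulator. The code below is an added example, not part of this thread or of ISA Server itself. It models the documented ISA Server 2000 combination logic as an assumption (deny rules are evaluated first, and a request passes only if some protocol rule AND some site and content rule allow it); the rule names, the 14:00-16:00 lab window and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed model of ISA Server 2000 rule combination (an assumption for this
# example, not ISA's real policy engine): deny wins over allow, and a request
# needs an allowing protocol rule AND an allowing site and content rule.

@dataclass
class Rule:
    name: str
    kind: str                         # "protocol" or "site" (site and content rule)
    action: str                       # "allow" or "deny"
    protocols: frozenset = frozenset({"*"})   # "*" = any protocol
    client_ranges: tuple = ()         # ((first_ip, last_ip), ...); empty = any client
    groups: frozenset = frozenset()   # AD groups the rule applies to; empty = any user
    hours: Optional[range] = None     # schedule as hours of the day; None = all hours

    def matches(self, req: dict) -> bool:
        """True when the rule applies to this request (IP, group, protocol, hour)."""
        if "*" not in self.protocols and req["protocol"] not in self.protocols:
            return False
        if self.client_ranges and not any(
                ip_address(lo) <= ip_address(req["ip"]) <= ip_address(hi)
                for lo, hi in self.client_ranges):
            return False
        if self.groups and req["group"] not in self.groups:
            return False
        if self.hours is not None and req["hour"] not in self.hours:
            return False
        return True


def evaluate(rules: list, req: dict) -> str:
    """Return "allow" or "deny" for a request under the modelled semantics."""
    proto = [r for r in rules if r.kind == "protocol" and r.matches(req)]
    site = [r for r in rules if r.kind == "site" and r.matches(req)]
    # A matching deny rule of either type always wins (What90's point).
    if any(r.action == "deny" for r in proto + site):
        return "deny"
    # Otherwise both rule types must contribute an allow.
    if any(r.action == "allow" for r in proto) and any(r.action == "allow" for r in site):
        return "allow"
    return "deny"


# Address ranges taken from the question.
LAB_RANGES = (("10.0.1.1", "10.0.1.14"), ("10.0.2.1", "10.0.2.14"),
              ("10.0.3.1", "10.0.3.14"), ("10.0.4.1", "10.0.4.14"))
LIBRARY_RANGES = (("10.0.9.1", "10.0.9.3"),)
WEB = frozenset({"http", "https"})
NO_MSN = frozenset({"http", "https", "ftp", "smtp", "pop3"})   # "all except MSN", constructed list
STAFF = frozenset({"admin", "faculty"})


def group_protocol_rules() -> list:
    """The per-group protocol rules the asker already has (no IP-based deny)."""
    return [
        Rule("admin all protocols", "protocol", "allow", groups=frozenset({"admin"})),
        Rule("faculty all but msn", "protocol", "allow", protocols=NO_MSN, groups=frozenset({"faculty"})),
        Rule("student http/https", "protocol", "allow", protocols=WEB, groups=frozenset({"student"})),
    ]


def original_policy() -> list:
    """The asker's policy: group protocol rules + a deny-by-lab-IP protocol rule."""
    return group_protocol_rules() + [
        Rule("deny lab pcs", "protocol", "deny", client_ranges=LAB_RANGES),
        Rule("site allow everyone", "site", "allow"),
    ]


def proposed_policy(lab_window: range = range(14, 16)) -> list:
    """Policy following the thread's advice: no IP deny; allow by place, group and schedule."""
    return group_protocol_rules() + [
        Rule("site allow library pcs", "site", "allow", client_ranges=LIBRARY_RANGES),
        Rule("site allow staff anywhere", "site", "allow", groups=STAFF),
        Rule("site allow lab pcs on schedule", "site", "allow",
             client_ranges=LAB_RANGES, hours=lab_window),
    ]


def request(group: str, ip: str, protocol: str = "http", hour: int = 10) -> dict:
    return {"group": group, "ip": ip, "protocol": protocol, "hour": hour}


if __name__ == "__main__":
    for label, policy in (("original", original_policy()), ("proposed", proposed_policy())):
        for req in (request("faculty", "10.0.2.5"), request("student", "10.0.9.2"),
                    request("student", "10.0.2.5"), request("student", "10.0.2.5", hour=15)):
            print(label, req, "->", evaluate(policy, req))
```

Under the original policy the faculty request from 10.0.2.5 is denied because the lab deny rule matches regardless of who is logged on; under the proposed policy the same request is allowed, students in the library are allowed, and students in a lab are allowed only inside the scheduled window and only for HTTP/HTTPS. One caveat the model does not show: the group-based rules only take effect when ISA can identify the user, which means the lab and back office clients must authenticate (Firewall Client, or Web Proxy clients with authentication enabled); anonymous requests are matched by client address only.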
 

Author Comment

by:Futuremind2
ID: 10801374
Thanks What90, but the problem is still not solved......
0
 
LVL 20

Expert Comment

by:What90
ID: 10803008
Futuremind2 -

I was talking to a friend at a uni campus and they commented on the public access PCs for web access. Thought this might be of interest.

Their setup is that machines in public areas have been made into kiosk terminals.
This stops the students and other problematic individuals pulling down tools and logging users' details via keyloggers and other script-kiddie tools, plus cluttering the machine with profiles.

As the machines have been put into full lockdown mode, 90% of their support calls have dropped from those areas, and 30% of user complaints about other students abusing the logon/password system have too.

I'd suggest that you make the library machines pure kiosk boxes and remove HTTP/S from the students' protocol group, or leave it at 0 hours.
Here's some food for thought:
http://support.microsoft.com/?kbid=154780
http://www.kiosks.org/kioskmode.htm
0
 

Author Comment

by:Futuremind2
ID: 10850586
Hmmmm... none of these solutions solve my problems :(


Please tell the expert's solution for this scenario...


thanks
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12803037
PAQed with points refunded (250)

modulo
Community Support Moderator
0
