Solved

isa server configuration problems

Posted on 2004-04-09
262 Views
Last Modified: 2013-11-16
hi all
our isa server setup is

1- I created 3 groups, i.e. admin, faculty, student, on ADS, and added users to their respective groups.

2- then I created a site and content rule and a protocol rule on the isa server.
i.e. For  i.   Admin group = all protocols are allowed
          ii.  Faculty group = all protocols are allowed except msn
          iii. student group = only http and https protocols are allowed

students use the internet only in the library (3 computers in the library), which have the following ip addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3

and the lab pc ip configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

because I want users (students) not to access the internet on lab pcs,
I created a "deny internet access" protocol rule in which I added the above ip addresses, i.e.
10.0.1.1-10.0.1.14
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

I want the others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere including lab pcs. (but due to the deny ip address rule, they cannot access the internet on lab pcs).


how can I configure this:

1- students can access the internet only in the library. (ip addresses are 10.0.9.1-10.0.9.3).
2- faculty members and admin persons can use the internet everywhere including lab pcs.
sometimes I need to allow
3- students to use internet access on lab pcs for a limited time period.

How can I configure all these.

thanks
0
Comment
Question by:Futuremind2
12 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10795259
Is there any reason that you just use groups and users to restrict access to the net?

That way when a member of staff logs on they will have access, rather than tying it down to fixed IP addresses. The student accounts/library logons will have no Internet access wherever they log on then.

Have a look at the guide below and see if that will do what you want:
http://www.isaserver.org/tutorials/Using_ISA_Content_Groups_to_Restrict_the_Use_of_Non_Business_Related_Traffic.html
0
 

Author Comment

by:Futuremind2
ID: 10795770
thanks all for replying,
But the problem is not solved.. please give the solution in detail.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10795862
You already have your users in groups in Active Directory, split into the three groups you've already defined.

You create three separate Protocol Rules, one for each group, in ISA.

This link walks you through how to create a protocol rule:
http://www.windowsecurity.com/articles/Protocol_Rules_Block_Access_Sites.html

Now comes the more complex part: allowing access to the internet in the library.

Create a destination set with the library machines' IP address range, set it to allow HTTP access and apply that to the student group.

Answer to question 3: you can't do it without aid from a third party tool. The connection would remain open until you closed it manually.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10795996
Here it is.

Create a protocol rule for HTTP and HTTPS traffic, and give all your users rights to this protocol rule.

Then, create the following access rules..

For the students' PCs

Allow the students' PCs (IP addresses) access to the internet (everyone can use the internet on these PCs).

For the lab.

Allow all lab users to access the internet (by user group) on all PCs. They can then access the internet at all PCs..

For the access of the students on the lab PCs.

Allow the lab PCs (IP addresses) access to the internet at a specified time.

You can create a time schedule in the policies options.

I think this should do the trick.

The only problem there is, is that ISA doesn't work like a normal rulebase. You cannot tell ISA which rule to use first..

If you have any question (or if I put it down too difficult), just post and we will help you...
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10796000
Sorry, didn't read the part about the protocol rules. You can also just let them stand there, shouldn't be a problem...
0
 

Author Comment

by:Futuremind2
ID: 10796516
I do not understand this:
Allow the lab PCs (IP addresses) access to the internet at a specified time.
You can create a time schedule in the policies options.
None of these solutions work for me......
I again ask my question in detail....


1- I created 3 groups, i.e. admin, faculty, student, on ADS, and added users to their respective groups.

2- then I created a site and content rule and a protocol rule on the isa server.
i.e.

PROTOCOL RULE

 For      i.   Admin group = all protocols are allowed
           ii.  Faculty group = all protocols are allowed except msn
           iii. student group = only http and https protocols are allowed

and SITE AND CONTENT RULE IS

For      i.   Admin group =   I created DESTINATION ALLOW FOR ADMIN; in the destination tab I chose all,
                              in action I chose allow, and in the applies to tab I chose the admin group

           ii.  faculty group = I created DESTINATION ALLOW FOR faculty; in the destination tab I chose all,
                              in action I chose allow, and in the applies to tab I chose the faculty group

           iii. student group = I created DESTINATION ALLOW FOR student; in the destination tab I chose all,
                              in action I chose allow, and in the applies to tab I chose the student group


students use the internet only in the library (3 computers in the library), which have the following ip addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3 respectively

and the lab pc ip configuration is:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

also the backoffice pc configuration is
10.0.0.1-10.0.0.50 (ip addresses used in the backoffice)
the backoffice users are in the Admin group and the Faculty group.

because I want users (students) not to access the internet on lab pcs,

I created a "deny internet access" protocol rule in which I added the above ip addresses, i.e.
10.0.1.1-10.0.1.14
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

I want the others, i.e. faculty members and admin persons, to be able to use the internet facility everywhere including lab pcs. (but due to the deny ip address rule, they cannot access the internet on lab pcs).


how can I configure this:

1- students can access the internet only in the library. (ip addresses are 10.0.9.1-10.0.9.3).
2- faculty members and admin persons can use the internet everywhere including lab pcs.
Sometimes I need to allow
3- students to use internet access on lab pcs (for a limited time period.)

currently if I need to allow internet on a lab pc..... I go to the "deny internet for lab pcs" protocol rule
and add the pc ip (which needs internet access) in the exception tab under client address set,
and then delete this ip from the exception when the internet work is completed.

How can I configure all these.

thanks



0
 
LVL 20

Expert Comment

by:What90
ID: 10796824
Apologies, totally misread your question.

The problem you have is that the Deny rule will always beat the Allow rule. So I'd suggest you flip the rules.

Ditch the IP address rules for the labs, as they will block everything and everyone.

PROTOCOL RULE

 For      i.   Admin group = all protocols are allowed
           ii.  Faculty group = all protocols are allowed except msn
           iii. student group = only http and https protocols are allowed, but time is set to (none: 0 hours)

students use the internet only in the library (3 computers in the library), which have the following IP addresses: 10.0.9.1, 10.0.9.2 and 10.0.9.3

Create an allow-all SITE AND CONTENT rule for these IP addresses of the library machines for All Hours.
When the students come to these machines the site rule should "win" and allow them access.


As I've already mentioned, your 3rd question is a big problem. You can't do it automatically without aid from a third party tool.
What you can do is change the student rule time to allow access for that time period. However, the connections to the Internet for the lab machines would remain open until you closed them manually.
0
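As an added illustration of the rule interaction What90 and rhandels describe (example code written for this page, not part of the thread and not ISA Server code), the Python below models the assumed ISA Server 2000 evaluation: a request passes only when a protocol rule and a site and content rule both allow it and no deny rule matches, deny takes precedence, and rules are an unordered set with no first-match. It replays the asker's rule set, which shows why the IP-based deny blocks faculty and admin on the lab PCs, against a revised set that drops the deny, scopes the students' site and content rule to the library addresses rather than to the group, and adds a scheduled site and content rule on the lab addresses for the time-limited case. The addresses and the per-group protocol rules come from the question; the evaluation model, the `PROTOCOLS` set used to express "all except msn", the `LAB_HOURS` schedule and the `CASES` requests are constructed assumptions.

```python
"""Toy model of ISA Server 2000 access-policy evaluation (added example, not from the thread).

Assumed ISA 2000 semantics: a request is allowed only when at least one protocol rule
allows it AND at least one site and content rule allows it, and no deny rule matches.
Deny always wins, and rules are a set, not an ordered list (no first-match).
A rule is scoped either to users/groups or to a client address set (IP ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Request:
    client_ip: str   # address of the PC the user sits at
    group: str       # AD group: "admin", "faculty" or "student"
    protocol: str    # "http", "https", "msn", ...
    hour: int        # hour of day, 0-23


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    kind: str                              # "protocol" or "site" (site and content rule)
    protocols: Optional[frozenset] = None  # None = all protocols; site rules leave this None
    groups: Optional[frozenset] = None     # applies to these AD groups ...
    clients: tuple = ()                    # ... or to these (first, last) IP ranges
    hours: Optional[range] = None          # schedule; None = always, range(0) = never

    def matches(self, r: Request) -> bool:
        if self.protocols is not None and r.protocol not in self.protocols:
            return False
        if self.groups is not None and r.group not in self.groups:
            return False
        if self.clients:
            ip = IPv4Address(r.client_ip)
            if not any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in self.clients):
                return False
        if self.hours is not None and r.hour not in self.hours:
            return False
        return True


def evaluate(rules, r: Request) -> bool:
    """True if ISA would pass the request under the assumed semantics."""
    hits = [rule for rule in rules if rule.matches(r)]
    if any(rule.action == "deny" for rule in hits):
        return False                                  # a matching deny beats every allow
    allowed_kinds = {rule.kind for rule in hits if rule.action == "allow"}
    return {"protocol", "site"} <= allowed_kinds      # both rule types must allow


# Addresses from the thread; PROTOCOLS is a constructed subset used to express "all except msn"
LIBRARY = (("10.0.9.1", "10.0.9.3"),)
LABS = (("10.0.1.1", "10.0.1.14"), ("10.0.2.1", "10.0.2.14"),
        ("10.0.3.1", "10.0.3.14"), ("10.0.4.1", "10.0.4.14"))
PROTOCOLS = frozenset({"http", "https", "ftp", "msn"})
WEB = frozenset({"http", "https"})
ADMIN, FACULTY, STUDENT = (frozenset({g}) for g in ("admin", "faculty", "student"))

PROTOCOL_RULES = [
    Rule("admin all protocols", "allow", "protocol", groups=ADMIN),
    Rule("faculty all except msn", "allow", "protocol", groups=FACULTY, protocols=PROTOCOLS - {"msn"}),
    Rule("student http/https", "allow", "protocol", groups=STUDENT, protocols=WEB),
]

# The asker's set: per-group "allow all destinations" site rules plus an IP-based deny for the labs
ORIGINAL = PROTOCOL_RULES + [
    Rule("deny internet for lab pcs", "deny", "protocol", clients=LABS),
    Rule("destination allow for admin", "allow", "site", groups=ADMIN),
    Rule("destination allow for faculty", "allow", "site", groups=FACULTY),
    Rule("destination allow for student", "allow", "site", groups=STUDENT),
]

# Revised set: no deny rule; students get a site rule scoped to the library PCs instead of
# to their group, and a scheduled site rule on the lab PCs covers the "limited time" case.
LAB_HOURS = range(14, 16)   # constructed schedule: 14:00-15:59
REVISED = PROTOCOL_RULES + [
    Rule("destination allow for admin", "allow", "site", groups=ADMIN),
    Rule("destination allow for faculty", "allow", "site", groups=FACULTY),
    Rule("library pcs allow all", "allow", "site", clients=LIBRARY),
    Rule("lab pcs allow during lab hours", "allow", "site", clients=LABS, hours=LAB_HOURS),
]

# Constructed test requests covering the three requirements in the question
CASES = {
    "faculty web on lab pc": Request("10.0.1.5", "faculty", "http", 9),
    "student web in library": Request("10.0.9.2", "student", "https", 9),
    "student web on lab pc, outside lab hours": Request("10.0.1.5", "student", "http", 9),
    "student web on lab pc, during lab hours": Request("10.0.1.5", "student", "http", 15),
    "student msn in library": Request("10.0.9.2", "student", "msn", 9),
    "faculty msn in back office": Request("10.0.0.7", "faculty", "msn", 9),
    "student web in back office": Request("10.0.0.7", "student", "http", 9),
}


def decisions(rules) -> dict:
    """Map each constructed case to the allow/deny decision under the given rule set."""
    return {label: evaluate(rules, req) for label, req in CASES.items()}


if __name__ == "__main__":
    orig, rev = decisions(ORIGINAL), decisions(REVISED)
    for label in CASES:
        print(f"{label:42} original={'allow' if orig[label] else 'deny':5}  "
              f"revised={'allow' if rev[label] else 'deny'}")
```

Running the block prints one line per case; under `ORIGINAL` the faculty request from a lab address is denied by the IP rule while a student at a back-office address is allowed, and under `REVISED` every case lands where the question wants it. The model decides each request on its own: as What90 notes, a schedule governs new requests and does not close connections that are already open, so what happens to a session established during lab hours is outside what this model shows.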
 

Author Comment

by:Futuremind2
ID: 10801374
thanks What90, but the problem is still not solved......
0
 
LVL 20

Expert Comment

by:What90
ID: 10803008
Futuremind2 -

I was talking to a friend at a Uni campus and they commented on the public access PCs for web access. Thought this might be of interest.

Their setup is that machines in public areas have been made into kiosk terminals.
This stops the students and other problematic individuals pulling down tools and logging users' details via keyloggers and other script kiddie tools, plus cluttering the machine with profiles.

As the machines have been put into full lock down mode, 90% of their support calls have dropped from those areas and 30% of user complaints about other students abusing the logon/password system have too.

I'd suggest that you make the Library machines pure kiosk boxes and remove HTTP/S from the students' protocol group or leave it at 0 hours.
Here's some food for thought:
http://support.microsoft.com/?kbid=154780
http://www.kiosks.org/kioskmode.htm
0
 

Author Comment

by:Futuremind2
ID: 10850586
hmmmm... none of these solutions... solve my problems :(


please tell the expert's solution for this scenario...


thanks
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12803037
PAQed with points refunded (250)

modulo
Community Support Moderator
0
