Solved

isa server configuration problems

Posted on 2004-04-09
12
258 Views
Last Modified: 2013-11-16
hi all
 our isa server setup is

1-   i created 3 groups i.e admin,faculty,student on ADS , and add users to their respective groups.

2- then i create site and content rule and protocol rule on isa server.
i.e For  i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow

student are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3

and in Lab's pc ip configuration are:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

bco'z i want users (students) not access internet on lab pc,
i create a deny internt access protocol rule in which i add the above ip address ie
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

i want others i.e faculty members and admin persons can use internet facility in everywhere including lab pc's. (but  due to deny ip address rule , they can not access internet on lanb pc).


how can i configure this:

1- students can access internet only on library . (ipaddress are 10.0.9.1-10.0.9.3).
2-faculty members and admin persons can use internt every where including labs pc.
in some times i need to allow
3-  student use internet access on lab pcs for limited time period.

How can i configure all these.

thanks
0
Comment
Question by:Futuremind2
  • 4
  • 4
  • 2
  • +1
12 Comments
 
LVL 20

Expert Comment

by:What90
Comment Utility
Is there any reason that you just use groups and users to restrict access to the net?

That way when a member of staff logs on they will have access, rather than tying it down to fixed ip addresses. The student accounts/library log ons will have no Internet access where ever the log on then.

Have a look at the guide below and see if that will do what you want:
http://www.isaserver.org/tutorials/Using_ISA_Content_Groups_to_Restrict_the_Use_of_Non_Business_Related_Traffic.html
0
 

Author Comment

by:Futuremind2
Comment Utility
thanks all for replying ,
But problem not solved ..  please give solution in details.

thanks
0
 
LVL 20

Expert Comment

by:What90
Comment Utility
You all ready have your users in Groups in Active Directory which are split in to the three groups you've already defined.

You create three separate Protocol Rules for each group in ISA

This link walks you through how to create a protocol rule:
http://www.windowsecurity.com/articles/Protocol_Rules_Block_Access_Sites.html

Now comes the more complex part to allow access to the internet in the library.

Create a destination set with the library machines ip address range and set it to allow HTTP access and apply that to the student group.

Answer to question 3 you can't do it without aid from a thrid party tool. The connection would remain open until you closed it manually.
0
 
LVL 23

Expert Comment

by:rhandels
Comment Utility
Here it is.

Create a protocol rule for HTTP and HTTPS traffic, give all you're users rights to this protocol rule.

Then, create the following access rules..

For the students pc's

Allow students's pc (ip addresses) access to the internet (everyone can internet on these pc's).

For the lab.

Allow all lab users to access internet (by user group) on all pc's. They can then access internet at all pc's..

For the access of the students on the lab pc's.

Allow the lab pc's (ip adresses) access to the internet on a specified time.

You can create a time schedule at the policies options.

I think this should do the trick.

The only problem there is, is that ISA doesn't work like a normal rulebase. You cannot tell to ISA which rule to use first..

If you have any question (or if it put down to diffucult), just post and we will help you...
0
 
LVL 23

Expert Comment

by:rhandels
Comment Utility
Sorry didn''t read the part about the protocol rules. You can also just let them stand there, should't be a problem...
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:Futuremind2
Comment Utility
I not understand this::::::::::::
Allow the lab pc's (ip adresses) access to the internet on a specified time.
You can create a time schedule at the policies options. : : : :  : : : : :
None of theses solutions work for me......
i agian ask my question in detail....


1-   i created 3 groups i.e admin,faculty,student on ADS , and add users to their respective groups.

2- then i create site and content rule and protocol rule on isa server.
i.e  

PROTOCOL RULE

 For      i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow

and SITE AND CONTENT RULE IS
     
For      i. Admin group=     I created DESTINATION ALLOW FOR ADMIN , in destination tab  i choose all
                                       in action--i choose allow and in applies to tab i choose admin group

           ii. faculty group=     I created DESTINATION ALLOW FOR faculty , in destination tab  i choose all
                                        in action--i choose allow and in applies to tab i choose faculty group

           iii. student group=    I created DESTINATION ALLOW FOR student , in destination tab  i choose all
                                        in action--i choose allow and in applies to tab i choose student  group


students are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3 repectively

and in Lab's pc ip configuration are:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

also the backoffice pc configuration is
10.0.0.1-10.0.0.50 (ip addresses use in backoffice)
the backoffice users are Admin Group and FAculty group.

bco'z i want users (students) not access internet on lab pc,

i create a deny internt access protocol rule in which i add the above ip address ie
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

i want others i.e faculty members and admin persons can use internet facility in everywhere including lab pc's. (but  due to deny ip address rule , they can not access internet on lanb pc).


how can i configure this:

1- students can access internet only on library . (ipaddress are 10.0.9.1-10.0.9.3).
2-faculty members and admin persons can use internt every where including labs pc.
In some times i need to allow
3-  student use internet access on lab pcs (for limited time period.)

currently if i need to allow internet on lab pc..... i go to deny internet internet for lab pc's protocol rule.
and add pc ip (which need to allow internet access)  in exception tab under client address set.
and then delete this ip from exception when internet work is completed.

How can i configure all these.

thanks



0
 
LVL 20

Expert Comment

by:What90
Comment Utility
Appologies, totally mis-read you question.

The problem you have is the Deny rule wiil always beat the Allow rule. So I'd suggest you flip the rules.

Ditched the ip address rules for the labs as the will block everything and everyone.

PROTOCOL RULE

 For      i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow but time is set to (none 0 hours)

student are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3

Create any allow all SITE AND CONTENT Rule for these IP addresses of the library machines for All Hours.
When the students come to these machine the site rule should "win" and allow them access.


As I've already mentioned your 3rd question is a big problem. You can't do it without aid from a third party tool automatically.
What you can do is change the student rule time to allow access for that time period. However, the connections to the Internet for the lab machines would remain open until you closed it manually.
0
 

Author Comment

by:Futuremind2
Comment Utility
thank what90, but still problem not solved......
0
 
LVL 20

Expert Comment

by:What90
Comment Utility
Futuremind2 -

I was talking to a friend at a Uni campus and they commented on the public access pc's for web access. Though this might be of interest.

Their setup is that machines in public areas have been made in to kiosk terminals.
This stops the students and other problematic indivuals pulling down tools and logging users details via keyloggers and other kiddie script tools, plus cluttering the machine with profiles.

As the machines have been put in to full lock down mode, 90% of their supoort calls have dropped from those areas and 30% of user complaints about other students using abusing the logon/password system have too.

I'd suggest that you'd make the Library machine pure kiosk boxes and remove HTTP/S from the students protocol group or leave it at 0 hours.
Here's some food for though:
http://support.microsoft.com/?kbid=154780
http://www.kiosks.org/kioskmode.htm
0
 

Author Comment

by:Futuremind2
Comment Utility
hmmmm... none of these solution... solve my problems :(


please tell the expert's solution for this sceniro...


thanks
0
 

Accepted Solution

by:
modulo earned 0 total points
Comment Utility
PAQed with points refunded (250)

modulo
Community Support Moderator
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now