Solved

isa server configuration problems

Posted on 2004-04-09
12
263 Views
Last Modified: 2013-11-16
hi all
 our isa server setup is

1-   i created 3 groups i.e admin,faculty,student on ADS , and add users to their respective groups.

2- then i create site and content rule and protocol rule on isa server.
i.e For  i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow

student are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3

and in Lab's pc ip configuration are:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

bco'z i want users (students) not access internet on lab pc,
i create a deny internt access protocol rule in which i add the above ip address ie
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

i want others i.e faculty members and admin persons can use internet facility in everywhere including lab pc's. (but  due to deny ip address rule , they can not access internet on lanb pc).


how can i configure this:

1- students can access internet only on library . (ipaddress are 10.0.9.1-10.0.9.3).
2-faculty members and admin persons can use internt every where including labs pc.
in some times i need to allow
3-  student use internet access on lab pcs for limited time period.

How can i configure all these.

thanks
0
Comment
Question by:Futuremind2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +1
12 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10795259
Is there any reason that you just use groups and users to restrict access to the net?

That way when a member of staff logs on they will have access, rather than tying it down to fixed ip addresses. The student accounts/library log ons will have no Internet access where ever the log on then.

Have a look at the guide below and see if that will do what you want:
http://www.isaserver.org/tutorials/Using_ISA_Content_Groups_to_Restrict_the_Use_of_Non_Business_Related_Traffic.html
0
 

Author Comment

by:Futuremind2
ID: 10795770
thanks all for replying ,
But problem not solved ..  please give solution in details.

thanks
0
 
LVL 20

Expert Comment

by:What90
ID: 10795862
You all ready have your users in Groups in Active Directory which are split in to the three groups you've already defined.

You create three separate Protocol Rules for each group in ISA

This link walks you through how to create a protocol rule:
http://www.windowsecurity.com/articles/Protocol_Rules_Block_Access_Sites.html

Now comes the more complex part to allow access to the internet in the library.

Create a destination set with the library machines ip address range and set it to allow HTTP access and apply that to the student group.

Answer to question 3 you can't do it without aid from a thrid party tool. The connection would remain open until you closed it manually.
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 23

Expert Comment

by:rhandels
ID: 10795996
Here it is.

Create a protocol rule for HTTP and HTTPS traffic, give all you're users rights to this protocol rule.

Then, create the following access rules..

For the students pc's

Allow students's pc (ip addresses) access to the internet (everyone can internet on these pc's).

For the lab.

Allow all lab users to access internet (by user group) on all pc's. They can then access internet at all pc's..

For the access of the students on the lab pc's.

Allow the lab pc's (ip adresses) access to the internet on a specified time.

You can create a time schedule at the policies options.

I think this should do the trick.

The only problem there is, is that ISA doesn't work like a normal rulebase. You cannot tell to ISA which rule to use first..

If you have any question (or if it put down to diffucult), just post and we will help you...
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10796000
Sorry didn''t read the part about the protocol rules. You can also just let them stand there, should't be a problem...
0
 

Author Comment

by:Futuremind2
ID: 10796516
I not understand this::::::::::::
Allow the lab pc's (ip adresses) access to the internet on a specified time.
You can create a time schedule at the policies options. : : : :  : : : : :
None of theses solutions work for me......
i agian ask my question in detail....


1-   i created 3 groups i.e admin,faculty,student on ADS , and add users to their respective groups.

2- then i create site and content rule and protocol rule on isa server.
i.e  

PROTOCOL RULE

 For      i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow

and SITE AND CONTENT RULE IS
     
For      i. Admin group=     I created DESTINATION ALLOW FOR ADMIN , in destination tab  i choose all
                                       in action--i choose allow and in applies to tab i choose admin group

           ii. faculty group=     I created DESTINATION ALLOW FOR faculty , in destination tab  i choose all
                                        in action--i choose allow and in applies to tab i choose faculty group

           iii. student group=    I created DESTINATION ALLOW FOR student , in destination tab  i choose all
                                        in action--i choose allow and in applies to tab i choose student  group


students are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3 repectively

and in Lab's pc ip configuration are:
10.0.1.1-10.0.1.14 for lab1
10.0.2.1-10.0.2.14 for lab2
10.0.3.1-10.0.3.14 for lab3
10.0.4.1-10.0.4.14 for lab4

also the backoffice pc configuration is
10.0.0.1-10.0.0.50 (ip addresses use in backoffice)
the backoffice users are Admin Group and FAculty group.

bco'z i want users (students) not access internet on lab pc,

i create a deny internt access protocol rule in which i add the above ip address ie
10.0.1.1-10.0.1.14  
10.0.2.1-10.0.2.14
10.0.3.1-10.0.3.14
10.0.4.1-10.0.4.14
on it.

my question or my problem is:

i want others i.e faculty members and admin persons can use internet facility in everywhere including lab pc's. (but  due to deny ip address rule , they can not access internet on lanb pc).


how can i configure this:

1- students can access internet only on library . (ipaddress are 10.0.9.1-10.0.9.3).
2-faculty members and admin persons can use internt every where including labs pc.
In some times i need to allow
3-  student use internet access on lab pcs (for limited time period.)

currently if i need to allow internet on lab pc..... i go to deny internet internet for lab pc's protocol rule.
and add pc ip (which need to allow internet access)  in exception tab under client address set.
and then delete this ip from exception when internet work is completed.

How can i configure all these.

thanks



0
 
LVL 20

Expert Comment

by:What90
ID: 10796824
Appologies, totally mis-read you question.

The problem you have is the Deny rule wiil always beat the Allow rule. So I'd suggest you flip the rules.

Ditched the ip address rules for the labs as the will block everything and everyone.

PROTOCOL RULE

 For      i.  Admin group=all protocols are allow
           ii.  Faculty group=all protocols are allow except msn
           iii. student group=only http and https protocol are allow but time is set to (none 0 hours)

student are use internet only on library ( 3 computers in library) which have following ip addresses.. 10.0.9.1,10.0.9.2 and 10.0.9.3

Create any allow all SITE AND CONTENT Rule for these IP addresses of the library machines for All Hours.
When the students come to these machine the site rule should "win" and allow them access.


As I've already mentioned your 3rd question is a big problem. You can't do it without aid from a third party tool automatically.
What you can do is change the student rule time to allow access for that time period. However, the connections to the Internet for the lab machines would remain open until you closed it manually.
0
 

Author Comment

by:Futuremind2
ID: 10801374
thank what90, but still problem not solved......
0
 
LVL 20

Expert Comment

by:What90
ID: 10803008
Futuremind2 -

I was talking to a friend at a Uni campus and they commented on the public access pc's for web access. Though this might be of interest.

Their setup is that machines in public areas have been made in to kiosk terminals.
This stops the students and other problematic indivuals pulling down tools and logging users details via keyloggers and other kiddie script tools, plus cluttering the machine with profiles.

As the machines have been put in to full lock down mode, 90% of their supoort calls have dropped from those areas and 30% of user complaints about other students using abusing the logon/password system have too.

I'd suggest that you'd make the Library machine pure kiosk boxes and remove HTTP/S from the students protocol group or leave it at 0 hours.
Here's some food for though:
http://support.microsoft.com/?kbid=154780
http://www.kiosks.org/kioskmode.htm
0
 

Author Comment

by:Futuremind2
ID: 10850586
hmmmm... none of these solution... solve my problems :(


please tell the expert's solution for this sceniro...


thanks
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12803037
PAQed with points refunded (250)

modulo
Community Support Moderator
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question