Solved

Installing ISA with 1 NIC and restricting each user to a specific set of sites: is it possible?

Posted on 2004-09-18
147 Views
Last Modified: 2010-04-14
I currently have a network of 25 users on a Windows 2000 network.

Currently we connect to the internet over an ADSL line.

I have installed a PIX 501 firewall, the IP of which is the default gateway on all the machines and the server. All the clients, the server and the PIX are connected to the switch. That's how we access it now.

Now I want to make the server IP the default gateway and restrict some users from accessing some sites, and I want to do this with only 1 NIC installed in my server. Is it possible to do this by installing ISA?

I also need my users to connect to a VPN server which is located outside my network; basically my users should be able to connect via PPTP (port 1723) as clients to the VPN server from my network through the internet.

Please advise
Question by:mivbinfotech
6 Comments
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12091298
I forgot to mention that I will be using ISA Server 2000 and not 2004.

Thanks
 
LVL 3

Expert Comment

by:kelo501
ID: 12092289
If you want a fast and simple way to block sites from the network, try this...

If all clients are using DHCP from the server, change the default gateway to the server along with DNS. DNS should already be pointing to the server, but just in case.

Then in DNS go to your domain's forward lookup zone and add a new domain for the web sites you want blocked.

An example would be yahoo.com. By creating this domain on your DNS server, the DNS server becomes the SOA for yahoo and all requests for that domain are resolved by the server. Because the yahoo web site is not in your domain, a failure is returned to the clients.

This can be beaten real easy if they change their machines to static IPs and grab a public DNS server.

Let me know what you think.

I must say that the best way is to add a WWW gateway, be it ISA in a 2 NIC box or a Bluecoat or something that all traffic MUST pass. Another product that is way more than you're looking for but rather cool is SpectorCNE, $500.00 for 10 boxes, but that will do a whole bunch of things for you, so check it out.

kelo501
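The DNS "blackhole" kelo501 describes, scripted as an added example that is not part of the original thread. It uses dnscmd.exe on the Windows DNS server to create an authoritative zone for each blocked domain, and then shows the bypass he warns about. All values are assumptions for illustration: the DNS server name DC1, the internal block-page host 192.168.1.10, the blocked domains yahoo.com and msn.com, and the public resolver 8.8.8.8.

```powershell
# Added example (not from the original post). Assumed names and addresses:
$DnsServer   = 'DC1'            # the Windows DNS server clients already use
$BlockPageIP = '192.168.1.10'   # internal web host that serves a "site blocked" page
$Blocked     = @('yahoo.com', 'msn.com')

foreach ($zone in $Blocked) {
    # Create a primary zone for the domain. Our server is now authoritative (SOA)
    # for it, so clients that ask this server never see the real records.
    dnscmd $DnsServer /ZoneAdd $zone /Primary /file "$zone.dns"

    # Point the apex and www at the block page rather than leaving the zone empty.
    # An empty zone returns NXDOMAIN, which users read as "the internet is broken";
    # a block page tells them they have been sprung.
    dnscmd $DnsServer /RecordAdd $zone '@'   A $BlockPageIP
    dnscmd $DnsServer /RecordAdd $zone 'www' A $BlockPageIP

    # A wildcard catches mail.yahoo.com, uk.yahoo.com, etc. without listing each host.
    dnscmd $DnsServer /RecordAdd $zone '*'   A $BlockPageIP
}

# Verification from a client: the internal resolver now hands back the sinkhole address.
nslookup www.yahoo.com $DnsServer

# The bypass: a client that sets a static IP and asks a public resolver directly
# gets the real answer. DNS-based blocking only holds if outbound port 53 from
# anything other than the DNS server is dropped at the perimeter.
nslookup www.yahoo.com 8.8.8.8
```

The wildcard record is the part most people forget; without it, only the exact hosts listed are sinkholed and any other subdomain of the blocked zone resolves to NXDOMAIN rather than the block page.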
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093295
It is not possible to run ISA on a 1 NIC box.
 
 
LVL 15

Expert Comment

by:harleyjd
ID: 12097631
It is possible to run ISA 2000 in firewall mode on a single NIC box, but you get heaps of errors every time the server tries to access a site ("ISA server could not create a packet filter for IP 123.123.123.123") which just clog up the event logs. This lets you make it the default gateway, but you'll never be able to properly troubleshoot the server again.

It is possible to run ISA Server in caching-only mode on a single NIC, which is supported, and gives you content control for HTTP, but nothing else.

You need to add the blocked sites to a destination set, then add the destination set to a deny protocol rule. www.isaserver.org has some great tutorials on ISA.
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12122036
Please advise how to do user-specific blocking in ISA 2000. I want to block a specific set of users from accessing the sites.

For example:

USER SET 1 --->>> msn.com / yahoo.com / etc. should be blocked

USER SET 2 --->>> msn.com / yahoo.com / etc. should be accessible from within the same network

Please advise anything you can help on this.

Also tell me about VPN as written earlier.

Regards
 
LVL 15

Accepted Solution

by: harleyjd (earned 250 total points)
ID: 12122246
Ok.

Destination sets is what we are after.

In ISA Management, add a destination set to the "Destination Sets" folder under the Policy Elements branch of the tree. Add the required sites to it. Call it something sensible like "restricted sites" or "blocked sites" if it's for all users, or "semi restricted" or "blocked for _usergroup_" if it's just for some.

Once you're done, tootle up to the Access Policy branch, and Site and Content Rules. Add a new rule. Call it something descriptive again, "Usergroup restriction" or whatever, set it to Deny, and add a redirect page if required (always a good idea so that people know they've been sprung). Set Deny access based on destination, choose Specified destination set, and pick the one you created earlier. And finish... That applies to everyone. To loosen the restriction you need to go back into the rule, choose the "Applies to" tab, then set it to "users and groups specified below" and choose the usergroup who should be blocked in the "applies to requests..." field.

One other thing you might consider - block outbound port 80 and 443 requests from every IP address bar the ISA server on the PIX - that will prevent smart alecs from bypassing the ISA server.

That should set you up.

Now, as you're on a single NIC box, you can only run caching mode, so you cannot control anything but HTTP/HTTPS access. So the VPN traffic is going to go out via the router direct.  Given you're running a PIX - you're going to have a hard time getting outbound PPTP connections to work. I don't know pix at all. but I know its troublesome. Pat yourself on the back if you made it work already. :)

If you want ISA server to do port blocking, you MUST install a second NIC, and install ISA in integrated mode. It's the only way.  
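A client-side check for the setup harleyjd describes, added here as an example and not part of the original thread. With single-NIC caching-only ISA, a workstation whose browser simply has no proxy configured goes straight out through the PIX, so the deny rule is only as good as the PIX block on outbound 80/443. This script, run from an ordinary workstation, confirms both halves: that direct TCP connections to the web are refused, and that the same sites fetched through ISA get the expected allow/deny. Assumed values: the ISA server at 192.168.1.5 on port 8080, www.yahoo.com as a blocked site, www.microsoft.com as an allowed one; Test-DirectEgress and Test-ViaProxy are hypothetical helper names.

```powershell
# Added example (not from the original thread). Assumed addresses and names:
$Proxy   = 'http://192.168.1.5:8080'    # ISA Server web proxy listener
$Blocked = 'http://www.yahoo.com/'      # in the "blocked sites" destination set
$Allowed = 'http://www.microsoft.com/'  # not in any deny rule

function Test-DirectEgress {
    # Raw TCP connect that ignores any proxy setting. Once the PIX only permits
    # outbound 80/443 from the ISA box, this should return $false for every host.
    # If the DNS sinkhole approach is also in use, pass a public IP literal here,
    # because a blocked name would resolve to the internal block page.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ViaProxy {
    # Fetch a URL through ISA and return the HTTP status code. A denied request
    # comes back as an error page from the proxy rather than the real site, so
    # anything other than 200 for the blocked URL means the rule is working.
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Proxy $Proxy -UseBasicParsing -TimeoutSec 10
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1   # no HTTP response at all (proxy unreachable, timeout)
    }
}

"Direct TCP 80  to www.yahoo.com  : $(Test-DirectEgress -TargetHost 'www.yahoo.com' -Port 80)  (want False)"
"Direct TCP 443 to www.yahoo.com  : $(Test-DirectEgress -TargetHost 'www.yahoo.com' -Port 443) (want False)"
"Direct TCP 80  to the ISA server : $(Test-DirectEgress -TargetHost '192.168.1.5' -Port 8080) (want True)"
"Via ISA, blocked site            : $(Test-ViaProxy $Blocked)  (want anything but 200)"
"Via ISA, allowed site            : $(Test-ViaProxy $Allowed)  (want 200)"
```

Run it as a user in the restricted group and again as a user in the unrestricted group; the "blocked site" line should differ between the two, which is the quickest way to confirm that the "Applies to" tab on the Site and Content rule is scoped the way you intended rather than to everyone.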

