Solved

Installing ISA With 1 NIC And restricting each user to a specific set of sites is it Possible

Posted on 2004-09-18
Last Modified: 2010-04-14
I currently have a network of 25 users on a Windows 2000 network.

The way we connect to the internet currently: we use an ADSL line to connect.

I have installed the PIX 501 firewall, the IP of which is the default gateway on all the machines and the server, and all the clients, the server and the PIX are connected to the switch. That's how we access it now.

Now I want to make the server IP the default gateway and restrict some users from accessing some sites, and I want to do this with only 1 NIC installed in my server. Is it possible to do this by installing ISA?

I also need my users to connect to a VPN server which is located outside my network; basically my users should be able to PPTP / 1723 as clients to the VPN server from my network through the internet.

Please advise.
Question by:mivbinfotech
6 Comments
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12091298
I forgot to mention that I will be using ISA Server 2000 and not 2004.

thanx
0
 
LVL 3

Expert Comment

by:kelo501
ID: 12092289
If you want a fast and simple way to block sites from the network try this...

If all clients are using DHCP from the server, change the default gateway to the server along with DNS. DNS should already be pointing to the server, but just in case.

Then in DNS go to your domains forward lookup zone and add a new domain for the web sites you want blocked.

An example would be yahoo.com. By creating this domain on your DNS server, the DNS server becomes the SOA for yahoo and all requests for that domain are resolved by the server. Because the yahoo web site is not in your domain, a failure is returned to the clients.

This can be beaten really easily if they change their machine to a static IP and grab a public DNS server.

Let me know what you think.

I must say that the best way is to add a WWW gateway, be it ISA in a 2 NIC box or a Bluecoat or something that all traffic MUST pass. Another product that is way more than you're looking for but rather cool is SpectorCNE, $500.00 for 10 boxes, but that will do a whole bunch of things for you, so check it out.

kelo501
0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093295
It is not possible to run ISA on a 1 NIC box.
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12097631
It is possible to run ISA 2000 in firewall mode on a single NIC box, but you get heaps of errors every time the server tries to access a site ("ISA server could not create a packet filter for IP 123.123.123.123") which just clog up the event logs. This lets you make it the default gateway, but you'll never be able to properly troubleshoot the server again.

It is possible to run ISA server in Caching only mode on a single NIC, which is supported, and gives you content control for http, but nothing else.

You need to add the blocked sites to a destination set, then add the destination set to a deny protocol rule. www.isaserver.org has some great tutorials on ISA.
0
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12122036
Please advise how to do user-specific blocking in ISA 2000; I want to block a specific set of users from accessing the sites.

for example

USER SET 1 --- >>> msn.com / yahoo.com / etc.  should be blocked

USER SET 2 --->>> msn.com / yahoo.com / should be accessible from within the same network

Please advise anything you can help with on this.

Also tell me about VPN as written earlier.

Regards
0
 
LVL 15

Accepted Solution

by:harleyjd (earned 250 total points)
ID: 12122246
Ok.

Destination sets are what we are after.

In ISA management, add a destination set to the "Destination Sets" folder under the Policy Elements branch of the tree. Add the required sites to it. Call it something sensible like "restricted sites" / "blocked sites" if it's for all users, or "semi restricted" / "blocked for _usergroup_" if it's just for some.

Once you're done, tootle up to the Access Policy branch, and Site and Content rules. Add a new rule. Call it something descriptive again, "Usergroup restriction" or whatever, set it to Deny, add a redirect page if required - always a good idea so that people know they've been sprung. Set Deny access based on destination, choose Specified destination set, pick the one you created earlier. And finish... That applies to everyone. To loosen the restriction you need to go back into the rule, choose the "Applies to" tab, then set it to "users and groups specified below" and choose the usergroup who should be blocked in the "applies to requests..." field.

One other thing you might consider - block outbound port 80 and 443 requests from every IP address bar the ISA server on the PIX - that will prevent smart alecs from bypassing the ISA server.

That should set you up.

Now, as you're on a single NIC box, you can only run caching mode, so you cannot control anything but HTTP/HTTPS access. So the VPN traffic is going to go out via the router directly. Given you're running a PIX, you're going to have a hard time getting outbound PPTP connections to work. I don't know PIX at all, but I know it's troublesome. Pat yourself on the back if you made it work already. :)

If you want ISA server to do port blocking, you MUST install a second NIC, and install ISA in integrated mode. It's the only way.  
0
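One way to implement the PIX-side restriction harleyjd recommends (block outbound 80/443 from every inside address except the ISA server, while still letting PPTP out to the external VPN server). This is an added example, not configuration from the thread; it assumes PIX 6.x access-list syntax, an ISA server at 192.168.1.5, an inside interface named "inside", and a placeholder VPN server address of 203.0.113.10. Lines starting with "!" are comments for the reader.

```cisco
! Added example (not from the thread). Assumptions: PIX 6.x syntax,
! ISA server = 192.168.1.5, inside interface = "inside",
! external VPN server = 203.0.113.10 (placeholder).

! Only the ISA server may open outbound HTTP/HTTPS; browsers must use the proxy.
access-list inside_out permit tcp host 192.168.1.5 any eq www
access-list inside_out permit tcp host 192.168.1.5 any eq https

! Deny direct web access from every other inside host and log the attempt, so
! anyone who switches to a static IP / public DNS to dodge the proxy shows up
! in syslog. (The "log" keyword on access-list entries needs PIX 6.3 or later.)
access-list inside_out deny tcp any any eq www log
access-list inside_out deny tcp any any eq https log

! Outbound PPTP to the external VPN server needs TCP 1723 plus GRE (protocol 47).
access-list inside_out permit tcp any host 203.0.113.10 eq 1723
access-list inside_out permit gre any host 203.0.113.10

! Everything else (DNS, mail, etc.) still passes; tighten further as needed.
access-list inside_out permit ip any any

! Apply the list to traffic entering the PIX from the inside network.
access-group inside_out in interface inside
```

The deny-with-log entries give you the detection side of the same control: a burst of logged denies from one inside address is a client that has bypassed the proxy settings.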
