Solved

Installing ISA with 1 NIC and restricting each user to a specific set of sites: is it possible?

Posted on 2004-09-18
143 Views
Last Modified: 2010-04-14
I currently have a network of 25 users on a Windows 2000 network.

The way we currently connect to the internet is via an ADSL line.

I have installed a PIX 501 firewall, whose IP is the default gateway on all the machines and the server. All the clients, the server and the PIX are connected to the switch. That's how we access it now.

Now I want to make the server IP the default gateway and restrict some users from accessing some sites, and I want to do this with only 1 NIC installed in my server. Is it possible to do this by installing ISA?

I also need my users to connect to a VPN server which is located outside my network; basically my users should be able to connect via PPTP / 1723 as clients to the VPN server from my network through the internet.

Please advise
0
Question by:mivbinfotech
6 Comments
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12091298
I forgot to mention that I will be using ISA Server 2000 and not 2004.

Thanks
0
 
LVL 3

Expert Comment

by:kelo501
ID: 12092289
If you want a fast and simple way to block sites from the network, try this...

If all clients are using DHCP from the server, change the default gateway to the server along with DNS. DNS should already be pointing to the server, but just in case.

Then in DNS go to your domain's forward lookup zone and add a new domain for the web sites you want blocked.

An example would be yahoo.com. By creating this domain on your DNS server, the DNS server becomes the SOA for yahoo and all requests for that domain are resolved by the server. Because the yahoo web site is not in your domain, a failure is returned to the clients.

This can be beaten real easy if they change their machine to a static IP and grab a public DNS server.

Let me know what you think.

I must say that the best way is to add a WWW gateway, be it ISA in a 2 NIC box or a Bluecoat or something that all traffic MUST pass through. Another product that is way more than you're looking for, but rather cool, is SpectorCNE: $500.00 for 10 boxes, but that will do a whole bunch of things for you, so check it out.

kelo501
0
 
LVL 12

Expert Comment

by:ColinRoyds
ID: 12093295
It is not possible to run ISA on a 1 NIC box.
 
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12097631
It is possible to run ISA 2000 in firewall mode on a single NIC box, but you get heaps of errors every time the server tries to access a site ("ISA server could not create a packet filter for IP 123.123.123.123"), which just clog up the event logs. This lets you make it the default gateway, but you'll never be able to properly troubleshoot the server again.

It is possible to run ISA Server in caching-only mode on a single NIC, which is supported, and gives you content control for HTTP, but nothing else.

You need to add the blocked sites to a destination set, then add the destination set to a deny protocol rule. www.isaserver.org has some great tutorials on ISA.
0
 
LVL 2

Author Comment

by:mivbinfotech
ID: 12122036
Please advise how to do user-specific blocking in ISA 2000; I want to block a specific set of users from accessing the sites.

For example:

USER SET 1 --->>> msn.com / yahoo.com / etc. should be blocked

USER SET 2 --->>> msn.com / yahoo.com should be accessible from within the same network

Please advise anything you can help on this

Also tell me about VPN as written earlier.

Regards
0
 
LVL 15

Accepted Solution

by: harleyjd (earned 250 total points)
ID: 12122246
Ok.

Destination sets are what we are after.

In ISA management, add a destination set to the "Destination Sets" folder under the Policy Elements branch of the tree. Add the required sites to it. Call it something sensible like "restricted sites" / "blocked sites" if it's for all users, or "semi restricted" / "blocked for _usergroup_" if it's just for some.

Once you're done, tootle up to the Access Policy branch, and Site and Content rules. Add a new rule. Call it something descriptive again, "Usergroup restriction" or whatever, set it to Deny, and add a redirect page if required (always a good idea so that people know they've been sprung). Set Deny access based on destination, choose Specified destination set, and pick the one you created earlier. And finish... That applies to everyone. To loosen the restriction you need to go back into the rule, choose the "Applies to" tab, then set it to "users and groups specified below" and choose the usergroup who should be blocked in the "applies to requests..." field.

One other thing you might consider: block outbound port 80 and 443 requests from every IP address bar the ISA server on the PIX. That will prevent smart alecs from bypassing the ISA server.

That should set you up.

Now, as you're on a single NIC box, you can only run caching mode, so you cannot control anything but HTTP/HTTPS access. So the VPN traffic is going to go out via the router direct. Given you're running a PIX, you're going to have a hard time getting outbound PPTP connections to work. I don't know PIX at all, but I know it's troublesome. Pat yourself on the back if you made it work already. :)

If you want ISA Server to do port blocking, you MUST install a second NIC and install ISA in integrated mode. It's the only way.

0
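The two bypass caveats raised in this thread (kelo501's note that a client with a static IP and a public DNS server sidesteps the DNS-zone trick, and harleyjd's advice to permit outbound 80/443 on the PIX only from the ISA host) can be checked against connection logs. The following is an added example, not code from the thread or from ISA; the LAN range, the ISA/DNS server address and the log lines are constructed placeholders in a simplified format.

```python
"""Egress-bypass check over constructed outbound connection records.

Flags LAN hosts other than the ISA server talking directly to web ports,
and LAN hosts other than the internal DNS server talking to port 53
(i.e. a client that switched to a public resolver).
"""
import ipaddress
import re

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
ISA_HOST = ipaddress.ip_address("192.168.1.2")       # assumed ISA server
DNS_HOST = ipaddress.ip_address("192.168.1.2")       # assumed internal DNS (same box here)
WEB_PORTS = {80, 443}

# Constructed record format: "<src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
RECORD_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\w+)")


def classify(line):
    """Return 'web-bypass', 'dns-bypass' or None for one record."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    src, _, dst, dport, proto = m.groups()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    if src not in INSIDE_NET or dst in INSIDE_NET:
        return None  # not an outbound connection from the LAN
    if proto == "tcp" and dport in WEB_PORTS and src != ISA_HOST:
        return "web-bypass"  # web traffic that did not pass through ISA
    if dport == 53 and src != DNS_HOST:
        return "dns-bypass"  # client resolving against an outside DNS server
    return None  # e.g. PPTP/1723, which the thread expects to go out direct


def find_bypasses(lines):
    """Return (record, verdict) pairs for every flagged record."""
    return [(ln, v) for ln in lines if (v := classify(ln))]


# Constructed sample records (placeholders, not real traffic).
SAMPLE = [
    "192.168.1.2:3001 -> 203.0.113.10:80 tcp",      # ISA fetching a page: fine
    "192.168.1.50:3002 -> 192.168.1.2:8080 tcp",    # client to ISA proxy: fine
    "192.168.1.77:3003 -> 203.0.113.10:443 tcp",    # client straight to the web: flag
    "192.168.1.77:3004 -> 8.8.8.8:53 udp",          # client using a public resolver: flag
    "192.168.1.50:3005 -> 198.51.100.7:1723 tcp",   # outbound PPTP to the VPN server: fine
    "192.168.1.2:3006 -> 198.51.100.53:53 udp",     # internal DNS forwarding: fine
]

if __name__ == "__main__":
    for record, verdict in find_bypasses(SAMPLE):
        print(f"{verdict:<11} {record}")
```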
