
Installing ISA with 1 NIC and restricting each user to a specific set of sites: is it possible?

I currently have a network of 25 users on a Windows 2000 network.

The way we currently connect to the internet is over an ADSL line.

I have installed the PIX 501 firewall, the IP of which is the default gateway on all the machines and the server, and all the clients, the server and the PIX are connected to the switch. That's how we access it now.

Now I want to make the server IP the default gateway and restrict some users from accessing some sites, and I want to do this with only 1 NIC installed in my server. Is it possible to do this by installing ISA?

I also need my users to connect to a VPN server which is located outside my network; basically my users should be able to connect over PPTP / 1723 as clients to the VPN server from my network through the internet.

Please advise
mivbinfotechAuthor Commented:
I forgot to mention that I will be using ISA Server 2000 and not 2004.

If you want a fast and simple way to block sites from the network try this...

If all clients are using DHCP from the server, change the default gateway to the server along with DNS. DNS should already be pointing to the server, but just in case.

Then in DNS go to your domain's forward lookup zone and add a new domain for the web sites you want blocked.

An example would be yahoo.com. By creating this domain on your DNS server, the DNS server becomes the SOA for yahoo and all requests for that domain are resolved by the server. Because the yahoo web site is not in your domain, a failure is returned to the clients.

This can be beaten really easily if they change their machines to static IPs and grab a public DNS server.

Let me know what you think.

I must say that the best way is to add a WWW gateway, be it ISA in a 2 NIC box or a Bluecoat or something that all traffic MUST pass through. Another product that is way more than you're looking for but rather cool is SpectorCNE: $500.00 for 10 boxes, but that will do a whole bunch of things for you, so check it out.

It is not possible to run ISA on a 1 NIC box.
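The weakness the answer above points out (a client switching to a static IP and a public resolver walks straight past the DNS sinkhole) is easy to spot on the firewall, because such a client starts talking UDP/53 to the internet directly instead of via the internal DNS server. The following is an added example, not code from the thread: it scans PIX-style "Built ... UDP connection" syslog lines and reports inside hosts, other than the DNS server itself, that send DNS queries straight out. The log lines are constructed for the example and the message layout is approximated from the PIX 6.x format, so treat the regex as an assumption to adjust against your own logs.

```python
import re
from collections import Counter

# PIX 6.x "Built ... UDP connection" message, as approximated for this example
# (assumption: check the exact wording against your own syslog output).
CONN_RE = re.compile(
    r"Built (?P<direction>outbound|inbound) UDP connection \d+ for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)


def find_dns_bypass(lines, internal_dns, inside_if="inside"):
    """Return a Counter keyed by (client_ip, external_resolver) for inside hosts
    that send DNS (UDP/53) to the internet directly.  Connections opened by the
    internal DNS server itself are expected (it forwards queries) and skipped."""
    internal_dns = set(internal_dns)
    hits = Counter()
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        # Work out which end of the connection is the inside host.
        if m["if1"] == inside_if:
            client, remote, rport = m["ip1"], m["ip2"], m["port2"]
        elif m["if2"] == inside_if:
            client, remote, rport = m["ip2"], m["ip1"], m["port1"]
        else:
            continue
        if rport != "53" or client in internal_dns:
            continue
        hits[(client, remote)] += 1
    return hits


def report(hits):
    """Sorted, human-readable summary lines for the findings."""
    return [f"{client} -> {resolver}:53 ({n} queries)"
            for (client, resolver), n in sorted(hits.items())]


# Constructed sample log: 192.168.1.2 is the internal DNS server (allowed to
# forward), 192.168.1.23 is a client that has pointed itself at a public resolver.
SAMPLE_LOG = [
    "%PIX-6-302015: Built outbound UDP connection 101 for outside:203.0.113.53/53 "
    "(203.0.113.53/53) to inside:192.168.1.2/1027 (192.168.1.2/1027)",
    "%PIX-6-302015: Built outbound UDP connection 102 for outside:198.51.100.1/53 "
    "(198.51.100.1/53) to inside:192.168.1.23/1034 (192.168.1.23/1034)",
    "%PIX-6-302013: Built outbound TCP connection 103 for outside:203.0.113.10/80 "
    "(203.0.113.10/80) to inside:192.168.1.40/1050 (192.168.1.40/1050)",
    "%PIX-6-302015: Built outbound UDP connection 104 for outside:198.51.100.1/53 "
    "(198.51.100.1/53) to inside:192.168.1.23/1035 (192.168.1.23/1035)",
]

if __name__ == "__main__":
    for line in report(find_dns_bypass(SAMPLE_LOG, internal_dns={"192.168.1.2"})):
        print(line)
```

A client that shows up here has either been given a public resolver by hand or is not taking the DHCP settings at all; the same scan with the port changed to 80 and 443 and the ISA server in place of the DNS server tells you which hosts are browsing around the proxy.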

It is possible to run ISA 2000 in firewall mode on a single NIC box, but you get heaps of errors every time the server tries to access a site ("ISA server could not create a packet filter for IP"), which just clog up the event logs. This lets you make it the default gateway, but you'll never be able to properly troubleshoot the server again.

It is possible to run ISA Server in caching-only mode on a single NIC, which is supported, and gives you content control for HTTP, but nothing else.

You need to add the blocked sites to a destination set, then add the destination set to a deny protocol rule. www.isaserver.org has some great tutorials on ISA.
mivbinfotechAuthor Commented:
Please advise how to do user-specific blocking in ISA 2000. I want to block a specific set of users from accessing the sites.

For example:

USER SET 1 --- >>> msn.com / yahoo.com / etc.  should be blocked

USER SET 2 --->>> msn.com / yahoo.com / should be accessible from within the same network

Please advise anything you can help with on this.

Also tell me about VPN as written earlier.


Destination sets are what we are after.

In ISA management add a destination set to the "Destination Sets" folder under the Policy Elements branch of the tree. Add the required sites to it. Call it something sensible like "restricted sites" or "blocked sites" if it's for all users, or "semi restricted" or "blocked for _usergroup_" if it's just for some.

Once you're done, tootle up to the Access Policy branch, and Site and Content rules. Add a new rule. Call it something descriptive again, "Usergroup restriction" or whatever, set it to Deny, add a redirect page if required - always a good idea so that people know they've been sprung. Set Deny access based on destination, choose Specified destination set, pick the one you created earlier. And finish... That applies to everyone. To loosen the restriction you need to go back into the rule, choose the "Applies to" tab, then set it to "users and groups specified below" and choose the usergroup who should be blocked in the "applies to requests..." field.

One other thing you might consider - block outbound port 80 and 443 requests from every IP address bar the ISA server on the PIX - that will prevent smart alecs from bypassing the ISA server.

That should set you up.

Now, as you're on a single NIC box, you can only run caching mode, so you cannot control anything but HTTP/HTTPS access. So the VPN traffic is going to go out via the router directly. Given you're running a PIX, you're going to have a hard time getting outbound PPTP connections to work. I don't know PIX at all, but I know it's troublesome. Pat yourself on the back if you made it work already. :)

If you want ISA Server to do port blocking, you MUST install a second NIC and install ISA in integrated mode. It's the only way.
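To make the interaction between the destination set, the deny rule and its "Applies to" group concrete, here is an added example (not ISA code and not from the thread) that models how the site and content rules described above are evaluated for a request. The set and rule names mirror the answer, the group name "Restricted Users" and the redirect URL are assumptions, and the default "Allow rule" stands in for the allow-everything rule ISA 2000 ships with; the ordering modelled, deny rules before allow rules and deny when no allow rule matches, is ISA's documented behaviour.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class DestinationSet:
    """A named set of domain patterns: "yahoo.com" matches that host exactly,
    "*.yahoo.com" matches any host underneath it."""
    name: str
    patterns: Tuple[str, ...]

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for pat in self.patterns:
            pat = pat.lower()
            if pat.startswith("*."):
                if host.endswith(pat[1:]):      # "*.yahoo.com" -> ".yahoo.com"
                    return True
            elif host == pat:
                return True
        return False


@dataclass
class SiteAndContentRule:
    name: str
    action: str                                # "deny" or "allow"
    destinations: Optional[DestinationSet]     # None = all destinations
    groups: Optional[FrozenSet[str]]           # None = "Any request" (everyone)
    redirect: Optional[str] = None             # page shown to a denied user

    def applies(self, user_groups: FrozenSet[str], host: str) -> bool:
        if self.groups is not None and not (self.groups & user_groups):
            return False
        if self.destinations is not None and not self.destinations.matches(host):
            return False
        return True


def evaluate(rules: List[SiteAndContentRule], user_groups: Iterable[str],
             host: str) -> Tuple[str, str]:
    """Decide a request the way ISA orders its rules: every deny rule is
    checked first, then allow rules; with no matching allow rule the request
    is denied.  Returns (decision, name of the rule that decided it)."""
    user_groups = frozenset(user_groups)
    for rule in rules:
        if rule.action == "deny" and rule.applies(user_groups, host):
            return ("deny", rule.name)
    for rule in rules:
        if rule.action == "allow" and rule.applies(user_groups, host):
            return ("allow", rule.name)
    return ("deny", "no matching allow rule")


# Policy from the answer: one destination set, one deny rule scoped to a group
# (group name and redirect URL are hypothetical), plus the default allow rule.
BLOCKED = DestinationSet("blocked for Restricted Users",
                         ("msn.com", "*.msn.com", "yahoo.com", "*.yahoo.com"))

RULES = [
    SiteAndContentRule("Usergroup restriction", "deny", BLOCKED,
                       frozenset({"Restricted Users"}),
                       redirect="http://intranet/blocked.html"),
    SiteAndContentRule("Allow rule", "allow", None, None),   # ISA 2000 default
]

if __name__ == "__main__":
    requests = [
        ({"Domain Users", "Restricted Users"}, "www.yahoo.com"),   # user set 1
        ({"Domain Users"}, "www.yahoo.com"),                       # user set 2
        ({"Domain Users", "Restricted Users"}, "www.microsoft.com"),
    ]
    for groups, host in requests:
        print(sorted(groups), host, "->", evaluate(RULES, groups, host))
```

The model shows why the "Applies to" tab matters: with the rule left at "Any request" the deny hits user set 2 as well, and a user who is a member of both groups is still blocked, because membership in the restricted group is enough for the deny rule to apply. It also shows the limit noted in the thread: the rule only sees the host name of an HTTP request, so anything that never reaches the proxy is never evaluated.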
