Solved

Thin Client Users

Posted on 2004-09-21
278 Views
Last Modified: 2010-04-19
First off, I'll admit that I'm new to ISA server. That said, here's my situation. I have a growing number of users that access the intranet/internet from thin clients and I've been asked to find a way to control who is allowed internet access; all users need intranet access. I've tried the fake proxy in group policy but it's far too restrictive. The other possibility was ISA; as I mentioned, I'm new. I'd like to set up an ISA server that will allow access to the internet on a per user/group basis. I do not need ISA as a firewall so I'm thinking that the proxy client is what I'm looking for. Can anyone help point me in the right direction?
Question by:Chryyys
10 Comments
 
LVL 15

Accepted Solution

by:
harleyjd earned 500 total points
ID: 12120244
ISA in default mode allows all users all access.

You need to change the rules to provide access to ports/services based on what group they are in.

I'll assume you know how to add a group to ADUC, and add the appropriate users to it.

In ISA server you assign permissions under

Internet Security and Acceleration Server
+Servers and Arrays
 +ISA_SERVER
  +Access Policy
    +Protocol Rules

The server I'm looking at has a default "internet" rule, which allows all users access to the specified services - DNS, HTTP, POP etc. You can start afresh, or mod that one.

To change the rule, just double click it, then go to the "applies to" tab. If this says "any Request" then change it to user and groups specified below, then add the group/groups required.

To wipe and start new, just use the little wizards.

Give it a name, set it to allow, change the "apply this rule to" to "Selected Protocols", then check the desired protocols. Use schedule = always, apply the rule to requests from = your user group/s. By doing it this way you could set a group for web access only for some staff, but a different rule for others, who can maybe access FTP or P2P apps or whatever.

To define a new protocol go down to Policy Elements > Protocol Definitions. That bit is straightforward, so I won't type it all out...

lots of help at www.isaserver.org.

0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12120259
Oh, ISA on a Small Business Server by default allows access only to the "Backoffice Internet Users" group!

And lastly - if this is a single NIC server, set up ISA in cache only mode, otherwise it'll be a pain to keep under control - the event logs report errors constantly. You'll only be able to control web access on a single NIC, so I strongly advise a multi homed setup if it's going to be a real firewall/router.

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12122630
Here's a little more info on what I have. This is a single NIC machine set up in cache mode; that much I had seen at www.isaserver.org (you're right, that's a very informative site). For my test environment I have a single domain controller, 2 clustered terminal servers and the ISA server. Since I already have a firewall I will not be using ISA for this function; ISA will only be used to control internet access. I will attempt to set up the Protocol Rule and apply it to a specific group. But a question remains: do I need to direct the traffic from the terminal servers to ISA, similar to a proxy setup, in order for this to work?
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12122754
OIC.

The clients will need to have the ISA server set in their IE proxy settings - in a Cache only server, that will be server:80 unless you changed it (I always set it back to 8080, the integrated default)

The default gateway will need to remain the router/firewall, as the ISA server cannot control the other access.

I just posted some tips on setting up access control in another thread http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21136017.html#12122036

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12125873
After reading both of the answers that you posted it would appear that I would be more interested in a Destination Set rather than a Protocol Rule, since this is a single NIC, cache-only ISA server. Please correct me if I'm wrong. I will build a Destination Set and give it a go and I'll report back shortly. Thanks
0
 
LVL 3

Author Comment

by:Chryyys
ID: 12126554
Well now I'm just confused. With no destination sets configured, with no protocol rule configured and only the default site and content rule that allows everyone out, I managed to get it working by going to Client Configuration -> Web Browser -> Properties and setting automatic configuration via the routing script. Under the direct access list, putting in the intranet domain names allows me to have access to all the intranet sites. If this does what I would like, can I build a destination set to bypass the script for specific users?
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12128547
Hah. You've lost me now!

In summary of what I said - you set a Destination set, then apply it through a site and protocol rule. You can't use the protocol filters, which are applied in a similar manner, as they are for integrated/multihomed servers only.

So right now everyone has access, right?

Now you need to block sites, using the above method, but adding banned users into a group, and applying the site rule to said group. That should block the group, but not anyone else.

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12153024
First off, thanks for your help, I really feel as if I'm making progress. OK, here's where I'm at. I have no Destination Sets nor any Site and Protocol rules in place. I've turned off HTTP caching because I don't want the cache to populate. And under the Client Configuration I only have the Web Browser option, where I configured Direct Access to include all the intranet domains. Then I use the routing script to configure the browser for individual users. It allows access to all intranet sites but no internet sites.

Along those same lines, if I want to use the destination sets and sites and protocol rules, am I required to install the firewall client?  
0
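The browser-side routing the last two posts describe (intranet domain names on the direct access list, everything else sent to the cache-mode ISA server on port 8080) is what the automatic configuration "routing script" hands the browser. Below is that logic written out as a proxy auto-configuration (PAC) script. This is an added example, not a script from the original thread or from ISA Server; the proxy hostname isa01.corp.example, the port 8080 and the intranet domain list are assumptions, and the domain and address helpers are hand-rolled so the same file also runs outside a browser under Node.js (a real PAC file can use the engine's built-in dnsDomainIs, isPlainHostName and isInNet helpers instead).

```javascript
// Proxy auto-configuration (PAC) script for the thin-client browsers.
// Assumed values, not from the thread: the cache-mode ISA server listens on
// isa01.corp.example:8080, and the intranet lives under these domains.
var ISA_PROXY = "PROXY isa01.corp.example:8080";
var INTRANET_DOMAINS = ["corp.example", "intranet.example"];

// True for plain hostnames (no dots) and for hosts inside an intranet domain.
// The suffix check includes the leading dot, so "evilcorp.example" does not
// match the domain "corp.example".
function isIntranetHost(host) {
  host = String(host).toLowerCase();
  if (host.indexOf(".") === -1) {
    return true;
  }
  for (var i = 0; i < INTRANET_DOMAINS.length; i++) {
    var domain = INTRANET_DOMAINS[i].toLowerCase();
    if (host === domain) {
      return true;
    }
    var suffix = "." + domain;
    if (host.length > suffix.length && host.slice(-suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

// True for RFC 1918 and loopback IPv4 literals, which are intranet addresses
// the ISA server should never be asked to fetch.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) {
    return false;
  }
  var a = Number(m[1]);
  var b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point the PAC engine calls once per request.
function FindProxyForURL(url, host) {
  if (isIntranetHost(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: if ISA refuses the request or is
  // down, the request must fail rather than slip past the access control.
  return ISA_PROXY;
}
```

Two points worth keeping in mind with this setup. The script only decides where a request goes; the per-user and per-group decision is still made by ISA when it authenticates the request against the site and content rule, which is why a destination set applied to a user group is needed for the script to be anything more than a route. And because the script runs on the client, a user who can edit the browser's connection settings can simply remove it, so the perimeter firewall should let only the ISA server out on the web ports; otherwise "DIRECT" (or a fallback after the proxy entry) becomes an unmonitored path to the internet.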
 
LVL 15

Expert Comment

by:harleyjd
ID: 12153086
No, don't install the firewall client.

You must have at least one destination set for external access; without it no one will go anywhere. It can be as simple as "any request" and applies to your external users group, or you can mix and match if some users get more sites etc.

The Firewall Client is only used to provide a socks (I think) proxy service. Even on a dual NIC ISA server I wouldn't install it, as you rarely need it these days. ISA server functions as a secure NAT server out of the box.
0
 
LVL 3

Author Comment

by:Chryyys
ID: 12172240
Ok thanks again for the help.  I believe that I have enough to go on.  I just need to work out the rules for my environment.
0