Solved

Thin Client Users

Posted on 2004-09-21
Last Modified: 2010-04-19
First off, I'll admit that I'm new to ISA server. That said, here's my situation. I have a growing number of users that access the intranet/internet from thin clients, and I've been asked to find a way to control who is allowed internet access; all users need intranet access. I've tried the fake proxy in group policy but it's far too restrictive. The other possibility was ISA; as I mentioned, I'm new. I'd like to set up an ISA server that will allow access to the internet on a per user/group basis. I do not need ISA as a firewall, so I'm thinking that the proxy client is what I'm looking for. Can anyone help point me in the right direction?
0
Comment
Question by:Chryyys
10 Comments
 
LVL 15

Accepted Solution

by:
harleyjd earned 1500 total points
ID: 12120244
ISA in default mode allows all users all access.

You need to change the rules to provide access to ports/services based on what group they are in.

I'll assume you know how to add a group to ADUC, and add the appropriate users to it.

In ISA server you assign permissions under

Internet Security and Acceleration Server
+Servers and Arrays
 +ISA_SERVER
  +Access Policy
    +Protocol Rules

The server I'm looking at has a default "internet" rule, which allows all users access to the specified services - DNS, HTTP, POP etc. You can start afresh, or mod that one.

To change the rule, just double click it, then go to the "applies to" tab. If this says "any Request" then change it to user and groups specified below, then add the group/groups required.

To wipe and start new, just use the little wizards.

Give it a name, set it to allow, change the "apply this rule to" to "Selected Protocols", then check the desired protocols. Use schedule = always, apply the rule to requests from = your user group/s. By doing it this way you could set a group for web access only for some staff, but a different rule for others, who can maybe access FTP or P2P apps or whatever.

To define a new protocol go down to Policy Elements > Protocol Definitions. That bit is straightforward, so I won't type it all out...

lots of help at www.isaserver.org.

0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12120259
Oh, ISA on a Small Business Server by default allows access only to the "Backoffice Internet Users" group!

And lastly - if this is a single-NIC server, set up ISA in cache-only mode, otherwise it'll be a pain to keep under control - the event logs report errors constantly. You'll only be able to control web access on a single NIC, so I strongly advise a multi-homed setup if it's going to be a real firewall/router.

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12122630
Here's a little more info on what I have.  This is a single-NIC machine set up in cache mode; that much I had seen at www.isaserver.org (you're right, that's a very informative site).  For my test environment I have a single domain controller, 2 clustered terminal servers and the ISA server.  Since I already have a firewall I will not be using ISA for this function; ISA will only be used to control internet access.  I will attempt to set up the Protocol Rule and apply it to a specific group.  But a question remains: do I need to direct the traffic from the terminal servers to ISA, similar to a proxy setup, in order for this to work?
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12122754
OIC.

The clients will need to have the ISA server set in their IE proxy settings - in a Cache only server, that will be server:80 unless you changed it (I always set it back to 8080, the integrated default)

The default gateway will need to remain the router/firewall, as the ISA server cannot control the other access.

I just posted some tips on setting up access control in another thread http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21136017.html#12122036

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12125873
After reading both of the answers that you posted, it would appear that I would be more interested in a Destination Set rather than a Protocol Rule, since this is a single-NIC cache-only ISA server.  Please correct me if I'm wrong.  I will build a Destination Set and give it a go, and I'll report back shortly.  Thanks
0
 
LVL 3

Author Comment

by:Chryyys
ID: 12126554
Well now I'm just confused.  With no destination sets configured, with no protocol rule configured and only the default site and content rule that allows everyone out, I managed to get it working by going to Client Configuration -> Web Browser -> Properties and setting automatic configuration via the routing script.  Under the direct access list, putting in the intranet domain names allows me to have access to all the intranet sites.  If this does what I would like, can I build a destination set to bypass the script for specific users?
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12128547
Hah. You've lost me now!

In summary of what I said - you set a Destination set, then apply it through a site and protocol rule. You can't use the protocol filters, which are applied in a similar manner, as they are for integrated/multihomed servers only.

So right now everyone has access, right?

Now you need to block sites, using the above method, but adding banned users into a group, and applying the site rule to said group. That should block the group, but not anyone else.

0
 
LVL 3

Author Comment

by:Chryyys
ID: 12153024
First off, thanks for your help, I really feel as if I'm making progress.  OK, here's where I'm at.  I have no Destination Sets nor any Site and Protocol rules in place.  I've turned off HTTP caching because I don't want the cache to populate.  And under the Client Configuration I only have the Web Browser option, where I configured Direct Access to include all the intranet domains.  Then I use the routing script to configure the browser for individual users.  It allows access to all intranet sites but no internet sites.

Along those same lines, if I want to use the destination sets and sites and protocol rules, am I required to install the firewall client?  
0
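The "routing script" and Direct Access list discussed in the two posts above are ISA's proxy auto-configuration (PAC) script: the browser evaluates FindProxyForURL for each request, sends intranet names straight to the server and everything else to the ISA proxy, where the Site and Content / Protocol rules decide per user or group. The following is an added example of that logic, written by the editor and not taken from the thread or from ISA's own generated script. The proxy host isa.example.local, the 8080 port (the "integrated default" harleyjd mentions), the intranet domains and the private ranges are placeholders; the helper functions isPlainHostName, dnsDomainIs and isInNet are normally supplied by the browser's PAC engine and are re-implemented here only so the script can be tested offline.

```javascript
// Added example of an ISA-style proxy auto-configuration (PAC) script.
// Written in ES5 style so that older PAC engines such as IE's JScript can run it.
// All host names, domains and networks below are constructed placeholders.
var ISA_PROXY = "PROXY isa.example.local:8080"; // assumed ISA host; 8080 is the default harleyjd refers to
var DIRECT = "DIRECT";

// Direct Access list: intranet domains and networks that must bypass the proxy.
var DIRECT_ACCESS_DOMAINS = [".corp.example.local", ".intranet.example.local"];
var DIRECT_ACCESS_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// --- Stand-ins for helpers a real PAC engine provides (test-only) ---
function isPlainHostName(host) {
  // An unqualified name such as "fileserver" contains no dot.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (case-insensitive).
  if (host.length < domain.length) return false;
  return host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function ipToInt(ip) {
  // Dotted-quad string to unsigned 32-bit integer.
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < parts.length; i++) {
    n = (n << 8) + Number(parts[i]);
  }
  return n >>> 0;
}

function isInNet(host, net, mask) {
  // A real PAC engine resolves names first; this stand-in only accepts literal IPv4 addresses.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// --- The actual PAC entry point the browser calls ---
function FindProxyForURL(url, host) {
  // Unqualified names are intranet by definition.
  if (isPlainHostName(host)) return DIRECT;

  // Names on the Direct Access list never touch the proxy.
  for (var i = 0; i < DIRECT_ACCESS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_ACCESS_DOMAINS[i])) return DIRECT;
  }

  // Literal private addresses likewise go direct.
  for (var j = 0; j < DIRECT_ACCESS_NETS.length; j++) {
    if (isInNet(host, DIRECT_ACCESS_NETS[j][0], DIRECT_ACCESS_NETS[j][1])) return DIRECT;
  }

  // Everything else is sent to ISA, whose per-user/group rules allow or deny it.
  // Deliberately no "; DIRECT" fallback: that would let the browser bypass ISA
  // whenever the proxy is unreachable.
  return ISA_PROXY;
}
```

Two points follow from the thread rather than from the script itself. First, the PAC only steers the browser; the enforcement is the group rule on the ISA server, so a user who ignores the script and has a working default gateway (which, as harleyjd notes, has to stay the router/firewall on a single-NIC cache-only box) is not blocked by anything here. Second, keeping the proxy directive free of a DIRECT fallback matters for the same reason: the one control the setup has is that internet-bound requests arrive at ISA at all.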
 
LVL 15

Expert Comment

by:harleyjd
ID: 12153086
No, don't install the firewall client.

You must have at least one destination set for external access; without it no one will go anywhere. It can be as simple as "any request" and apply to your external users group, or you can mix and match if some users get more sites etc.

The Firewall Client is only used to provide a socks (I think) proxy service. Without it, on a dual-NIC ISA server I wouldn't install it, as you rarely need it these days. ISA server functions as a secure NAT server out of the box.
0
 
LVL 3

Author Comment

by:Chryyys
ID: 12172240
Ok thanks again for the help.  I believe that I have enough to go on.  I just need to work out the rules for my environment.
0
