Thin Client Users

First off, I'll admit that I'm new to ISA server. That said, here's my situation. I have a growing number of users that access the intranet/internet from thin clients, and I've been asked to find a way to control who is allowed internet access; all users need intranet access. I've tried the fake proxy in group policy, but it's far too restrictive. The other possibility was ISA, but as I mentioned, I'm new. I'd like to set up an ISA server that will allow access to the internet on a per-user/group basis. I do not need ISA as a firewall, so I'm thinking that the proxy client is what I'm looking for. Can anyone help point me in the right direction?

harleyjd Commented:
ISA in default mode allows all users all access.

You need to change the rules to provide access to ports/services based on what group they are in.

I'll assume you know how to add a group to ADUC, and add the appropriate users to it.

In ISA server you assign permissions under

Internet Security and Acceleration Server
+Servers and Arrays
  +Access Policy
    +Protocol Rules

The server I'm looking at has a default "internet" rule, which allows all users access to the specified services - DNS, HTTP, POP etc. You can start afresh, or mod that one.

To change the rule, just double click it, then go to the "applies to" tab. If this says "any Request" then change it to user and groups specified below, then add the group/groups required.

To wipe and start new, just use the little wizards.

Give it a name, set it to allow, change the "apply this rule to" to "Selected Protocols", then check the desired protocols. Use schedule = always, apply the rule to requests from = your user group/s. By doing it this way you could set a group for web access only for some staff, but a different rule for others, who can maybe access FTP or P2P apps or whatever.

To define a new protocol go down to Policy Elements > Protocol Definitions. That bit is straightforward, so I won't type it all out...

lots of help at

Oh, ISA on a Small Business Server by default allows access only to the "Backoffice Internet Users" group!

And lastly - if this is a single NIC server, set up ISA in cache only mode, otherwise it'll be a pain to keep under control - the event logs report errors constantly. You'll only be able to control web access on a single NIC, so I strongly advise a multi-homed setup if it's going to be a real firewall/router.

Chryyys (Author) Commented:
Here's a little more info on what I have. This is a single NIC machine set up in cache mode, that much I had seen as (you're right, that is a very informative site). For my test environment I have a single domain controller, 2 clustered terminal servers and the ISA server. Since I already have a firewall I will not be using ISA for this function; ISA will only be used to control internet access. I will attempt to set up the Protocol Rule and apply it to a specific group. But a question remains: do I need to direct the traffic from the terminal servers to ISA, similar to a proxy setup, in order for this to work?

The clients will need to have the ISA server set in their IE proxy settings - in a Cache only server, that will be server:80 unless you changed it (I always set it back to 8080, the integrated default)

The default gateway will need to remain the router/firewall, as the ISA server cannot control the other access.

I just posted some tips on setting up access control in another thread

Chryyys (Author) Commented:
After reading both of the answers that you posted, it would appear that I would be more interested in a Destination Set rather than a Protocol Rule, since this is a single NIC cache only ISA server. Please correct me if I'm wrong. I will build a Destination Set and give it a go, and I'll report back shortly. Thanks
Chryyys (Author) Commented:
Well, now I'm just confused. With no destination sets configured, with no protocol rule configured and only the default site and content rule that allows everyone out, I managed to get it working by going to Client Configuration -> Web Browser -> Properties and setting automatic configuration via the routing script. Under the direct access list, putting in the intranet domain names allows me to have access to all the intranet sites. If this does what I would like, can I build a destination set to bypass the script for specific users?
Hah. You've lost me now!

In summary of what I said - you set a Destination set, then apply it through a site and protocol rule. You can't use the protocol filters, which are applied in a similar manner, as they are for integrated/multihomed servers only.

So right now everyone has access, right?

Now you need to block sites, using the above method, but adding banned users into a group, and applying the site rule to said group. That should block the group, but not anyone else.

Chryyys (Author) Commented:
First off, thanks for your help, I really feel as if I'm making progress. OK, here's where I'm at. I have no Destination Sets nor any Site and Protocol rules in place. I've turned off HTTP caching because I don't want the cache to populate. And under the Client Configuration I only have the Web Browser option, where I configured Direct Access to include all the intranet domains. Then I use the routing script to configure the browser for individual users. It allows access to all intranet sites but no internet sites.

Along those same lines, if I want to use the destination sets and sites and protocol rules, am I required to install the firewall client?  
No, don't install the firewall client.

You must have at least one destination set for external access; without it no one will go anywhere. It can be as simple as "any request" and applies to your external users group, or you can mix and match if some users get more sites etc.

The Firewall Client is only used to provide a SOCKS (I think) proxy service. Even on a dual NIC ISA server I wouldn't install it, as you rarely need it these days. ISA server functions as a secure NAT server out of the box.
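The "routing script" discussed above is a proxy auto-configuration (PAC) script: the browser calls FindProxyForURL for each request, gets "DIRECT" for hosts on the Direct Access list and the ISA proxy for everything else. The script below is an added illustration of what such a script does, not the one ISA generates; the proxy name isa01.corp.example:8080 and the intranet domains are assumed, and the PAC helper functions are re-implemented so it also runs under Node.

```javascript
// Added example (not from the thread): a PAC script of the kind ISA's
// Web Browser client configuration hands to the browser. Intranet hosts
// on the Direct Access list go DIRECT; everything else is sent to the
// cache-only ISA server, where the group-based site rules are enforced.

const ISA_PROXY = "PROXY isa01.corp.example:8080"; // assumed server name
const DIRECT_ACCESS_DOMAINS = [".corp.example", ".intranet.local"]; // assumed

// Stand-ins for the helpers browsers provide to PAC scripts, so the
// script can be exercised outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1; // e.g. "portal", a single-label name
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const suffix = domain.startsWith(".") ? domain.toLowerCase() : "." + domain.toLowerCase();
  return h === suffix.slice(1) || h.endsWith(suffix);
}

function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Direct Access: intranet names and private addresses bypass the proxy.
  if (isPlainHostName(host) || isPrivateIPv4(host)) return "DIRECT";
  for (const d of DIRECT_ACCESS_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  // Everything else goes via ISA. No "; DIRECT" fallback is appended:
  // as noted above the default gateway stays the router/firewall, so a
  // DIRECT fallback would let the browser skip the ISA rules entirely.
  return ISA_PROXY;
}
```

The script only steers the browser; the actual allow/deny decision per user group is made by the destination set and site rules on the ISA server, and the perimeter firewall should only permit outbound web traffic from the ISA server itself.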
Chryyys (Author) Commented:
Ok thanks again for the help.  I believe that I have enough to go on.  I just need to work out the rules for my environment.