Solved

Thin Client Users

Posted on 2004-09-21
Last Modified: 2010-04-19
First off, I'll admit that I'm new to ISA server. That said, here's my situation. I have a growing number of users that access the intranet/internet from thin clients and I've been asked to find a way to control who is allowed internet access; all users need intranet access. I've tried the fake proxy in group policy but it's far too restrictive. The other possibility was ISA, and as I mentioned, I'm new. I'd like to set up an ISA server that will allow access to the internet on a per user/group basis. I do not need ISA as a firewall so I'm thinking that the proxy client is what I'm looking for. Can anyone help point me in the right direction?
Question by:Chryyys
10 Comments
 
LVL 15

Accepted Solution

by:
harleyjd earned 500 total points
ID: 12120244
ISA in default mode allows all users all access.

You need to change the rules to provide access to ports/services based on what group they are in.

I'll assume you know how to add a group to ADUC, and add the appropriate users to it.

In ISA server you assign permissions under

Internet Security and Acceleration Server
+Servers and Arrays
 +ISA_SERVER
  +Access Policy
   +Protocol Rules

The server I'm looking at has a default "internet" rule, which allows all users access to the specified services - DNS, HTTP, POP etc. You can start afresh, or mod that one.

To change the rule, just double click it, then go to the "applies to" tab. If this says "any Request" then change it to user and groups specified below, then add the group/groups required.

To wipe and start new, just use the little wizards.

Give it a name, set it to allow, change the "apply this rule to" to "Selected Protocols", then check the desired protocols. Use schedule = always, apply the rule to requests from = your user group/s. By doing it this way you could set a group for web access only for some staff, but a different rule for others, who can maybe access FTP or P2P apps or whatever.

To define a new protocol go down to Policy Elements > Protocol Definitions. That bit is straightforward, so I won't type it all out...

Lots of help at www.isaserver.org.
 
LVL 15

Expert Comment

by:harleyjd
ID: 12120259
Oh, ISA on a Small Business Server by default allows access only to the "Backoffice Internet Users" group!

And lastly - if this is a single NIC server, set up ISA in cache only mode, otherwise it'll be a pain to keep under control - the event logs report errors constantly. You'll only be able to control web access on a single NIC, so I strongly advise a multi-homed setup if it's going to be a real firewall/router.
 
LVL 3

Author Comment

by:Chryyys
ID: 12122630
Here's a little more info on what I have. This is a single NIC machine set up in cache mode; that much I had seen at www.isaserver.org (you're right, that's a very informative site). For my test environment I have a single domain controller, 2 clustered terminal servers and the ISA server. Since I already have a firewall I will not be using ISA for this function; ISA will only be used to control internet access. I will attempt to set up the Protocol Rule and apply it to a specific group. But a question remains: do I need to direct the traffic from the terminal servers to ISA, similar to a proxy setup, in order for this to work?
 
LVL 15

Expert Comment

by:harleyjd
ID: 12122754
OIC.

The clients will need to have the ISA server set in their IE proxy settings - in a Cache only server, that will be server:80 unless you changed it (I always set it back to 8080, the integrated default)

The default gateway will need to remain the router/firewall, as the ISA server cannot control the other access.

I just posted some tips on setting up access control in another thread http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21136017.html#12122036

 
LVL 3

Author Comment

by:Chryyys
ID: 12125873
After reading both of the answers that you posted it would appear that I would be more interested in a Destination Set rather than a Protocol Rule, since this is a single NIC cache only ISA server. Please correct me if I'm wrong. I will build a Destination Set and give it a go and I'll report back shortly. Thanks
 
LVL 3

Author Comment

by:Chryyys
ID: 12126554
Well now I'm just confused. With no destination sets configured, with no protocol rule configured and only the default site and content rule that allows everyone out, I managed to get it working by going to Client Configuration -> Web Browser -> Properties and setting automatic configuration via the routing script. Under the direct access list, putting in the intranet domain names allows me to have access to all the intranet sites. If this does what I would like, can I build a destination set to bypass the script for specific users?
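The browser-side half of what the two comments above describe (IE proxy settings pointing at the ISA Web Proxy listener on 8080, plus a direct-access list of intranet domains) is a proxy auto-configuration script. The PAC script below is an added example, not from the thread or from ISA's own generated routing script; the server name and the intranet domain list are assumptions. It fails closed: any host that is not recognised as intranet is sent to the proxy, with no DIRECT fallback that would let a user bypass the per-group rules.

```javascript
// Added example PAC script: intranet hosts go DIRECT, everything else via ISA.
// Assumed values (not from the thread): the ISA host name and the domain list.
var ISA_PROXY = "PROXY isa-server.example.local:8080"; // 8080 = ISA Web Proxy default
var INTRANET_DOMAINS = ["corp.example.local", "intranet.example.local"]; // constructed sample

// Browsers supply dnsDomainIs()/isPlainHostName() to PAC scripts natively; these
// stand-ins exist so the logic also runs under Node. dnsDomainIs here matches on
// a label boundary, so "notcorp.example.local" is NOT treated as corp.example.local.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// RFC 1918 IPv4 literals typed straight into the address bar also stay on the LAN.
function isPrivateIpLiteral(host) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)[0-9]/.test(host);
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || isPrivateIpLiteral(host)) {
    return "DIRECT"; // single-label names and private IPs are intranet
  }
  for (var i = 0; i < INTRANET_DOMAINS.length; i++) {
    if (dnsDomainIs(host, INTRANET_DOMAINS[i])) {
      return "DIRECT"; // direct-access list: never sent through ISA
    }
  }
  // Everything else must go through ISA, where the group-based rules apply.
  // Deliberately no "; DIRECT" fallback: if the proxy is down, internet access
  // fails rather than silently bypassing the access control.
  return ISA_PROXY;
}
```

Note that a PAC script is only advisory: a user who can edit their browser settings can drop it, so the real enforcement is the site and content rule applied to the group on the ISA server, and the router/firewall should only permit outbound web traffic from the ISA server itself.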
 
LVL 15

Expert Comment

by:harleyjd
ID: 12128547
Hah. You've lost me now!

In summary of what I said - you set a Destination set, then apply it through a site and protocol rule. You can't use the protocol filters, which are applied in a similar manner, as they are for integrated/multihomed servers only.

So right now everyone has access, right?

Now you need to block sites, using the above method, but adding banned users into a group, and applying the site rule to said group. That should block the group, but not anyone else.

 
LVL 3

Author Comment

by:Chryyys
ID: 12153024
First off, thanks for your help, I really feel as if I'm making progress. OK, here's where I'm at. I have no Destination Sets nor any Site and Protocol rules in place. I've turned off HTTP caching because I don't want the cache to populate. And under the Client Configuration I only have the Web Browser option, where I configured Direct Access to include all the intranet domains. Then I use the routing script to configure the browser for individual users. It allows access to all intranet sites but no internet sites.

Along those same lines, if I want to use the destination sets and site and protocol rules, am I required to install the firewall client?
 
LVL 15

Expert Comment

by:harleyjd
ID: 12153086
No, don't install the firewall client.

You must have at least one destination set for external access; without it no one will go anywhere. It can be as simple as "any request" and applies to your external users group, or you can mix and match if some users get more sites etc.

The Firewall Client is only used to provide a socks (I think) proxy service. Without it, on a dual NIC ISA server I wouldn't install it, as you rarely need it these days. ISA server functions as a secure NAT server out of the box.
 
LVL 3

Author Comment

by:Chryyys
ID: 12172240
OK, thanks again for the help. I believe that I have enough to go on. I just need to work out the rules for my environment.