Solved

ISA Server 2000 Allowing Secure NAT clients all access while Proxy clients have limited access?

Posted on 2004-11-01
Last Modified: 2013-11-16
Is it possible to allow Secure NAT clients unrestricted access to the internet while restricting "proxy" clients to only certain sites?
I read and followed many articles from ISA Server.ORG but I am having trouble. It seems I can get either one or the other to work.
If the content rules are running for certain groups or users, then my Secure NAT clients are denied access altogether. If I give all access to "all client sets" then the Content rules for the Proxy users no longer work. Due to the fact I have users who travel constantly between company locations and customer sites, I cannot assign all my users to use the "proxy". Nor can I use content rules via client address sets. I have a terminal server and I will need to restrict access to individual users of that device. I have certain users who are always in house, and are abusing internet access, thus the need for the restriction.
Question by:bryandillon

    Accepted Solution

    by:
    Why not just set up multiple site/content rules and apply them to the user groups in need of the different levels of access?

    If you're sure you want to handle secure NAT clients differently, then you'll need to look at ISA's Extensions>Application Filters>HTTP Redirector.
    The redirector forces all secure NAT and firewall client use to go through the web proxy service.
    If you click on the options tab of its properties you can choose the "Send to requested web server".
    Stop and start webproxy and firewall services from the Monitoring>Services section.

    Give it a shot. You can also check the box to NOT enable the filter.

    You need to read up on the pros/cons of altering and disabling this filter.

    Hope it helps.

    Author Comment

    by:bryandillon
    Thanks for the info, I will check it out shortly.
    I'd like nothing more than to be able to completely control each user or group using proxy or firewall, but my main problem is I have executives from our corporate office who come to my location (a different domain) and hook up to access their network over the WAN and use "My internet" for browsing. It would be unacceptable to them to have to set their browsers up to use a "proxy" every time they visit. Thus the need for secure NAT. I read the chapter on content filtering in the "configuring ISA 2000" book by Tom Shinder. He states that I would have to turn off the HTTP redirector for secure NAT clients to be able to access sites. Is this what you are referring to? Please forgive my ignorance, I have been using ISA for 3 years, but it has always worked out of the box for me (using secure NAT) but now that I have to implement Content Rules, it is getting a bit difficult and I have found some of the tech manuals kind of hard to interpret.

    Expert Comment

    by:TannerMan
    Yes, that is what Tom is referring to.
    However, if the visiting corporate big wig is using a machine from a different domain/IP, are you physically setting their default gateway to your ISA server's internal IP every time they visit? If not, and you're doing it via DHCP, then all your clients are secure NATs and will be given wide open access once you turn off that redirector.

    Just want to make sure I understand everything. If you're setting gateways manually, it's just as easy, if not more so, to have the corp user change their IE proxy IP/port.

    Author Comment

    by:bryandillon
    We use DHCP to assign the gateway. They bring in their own laptops from the corporate office & they do not use any type of proxy there, just secure NAT through a Cisco PIX. So if I do this, will it disable all proxy services? What will happen to the firewall clients I currently have (only a few)? I know when you install the client it automatically sets the browser to use the proxy server. Will I need to go into each of these and remove that setting or will it function transparently to the user? I tried to talk the big wigs into investing in Websense, but they don't want to spend the money; they said they had total faith that I could get it working with what I have. What can you say when you're told that! :-)

    Expert Comment

    by:TannerMan
    Ok, here is the thing.
    If every machine on your network is assigned the default gateway of your ISA server....AND....you turn off that redirector filter.......everyone goes anywhere they want to go. Doesn't matter if they are web proxy clients or firewall clients,,,,,,they are all secure nat clients with redirector NOT directing them through the web proxy service.......WIDE OPEN access.

    If you explain to these corp users the magnitude of setting them up so that they can auto access the web when on your network opens up free http access to all users......they'll support you on editing their machines upon each visit.

    Just remember, when you turn off that redirector ANY firewall client or secure nat client will have full access. ONLY users that have ONLY IE proxy settings will be restricted.

    Author Comment

    by:bryandillon
    Thanks TannerMan,
    I completely understand now! Shame it wasn't written as well in the manuals. I turned off the redirector and the results are as expected. I can control the Proxy users, but not the NAT; they can do whatever they want. But now that I know what I know, I may have to rethink the whole thing. I can't have everyone doing anything. Your suggestions make perfect sense. Thanks a million for the help!

    Expert Comment

    by:TannerMan
    You're very welcome.
    AND, DON'T feel bad. I have been using ISA for 3 years with over 8 installations under my belt and I have to review this every time. It is confusing, to say the least.
    Glad it helped and I wish you luck keeping those corp folks happy..hahahahhaha