Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


ISA Server 2000 Allowing Secure NAT clients all access while Proxy clients have limited access?

Posted on 2004-11-01
Medium Priority
Last Modified: 2013-11-16
Is it posible to allow Secure NAT clients unrisitricted access to the internet while restricting "proxy" clients to only certian sites?
I read an followed many articles from ISA Server.ORG but I am having trouble. It seems I can get either one or the other to work.
If the content rules are running for certain groups or users, then My Secure NAT clients are denied access all together. If I give all access to "all client sets" then the Content rules for the Proxy users no longer work. Due to the fact I have users whom travel constantly between company locations and customer sites, I can not assign all my users to use the "proxy".  Nor can I use content rules via client address sets. I have a terminal server and I will need to restrict access to individual users of that device. I have certain users whom are always in house, and are abusing internet access, thus the need for the resrticition.
Question by:bryandillon
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3

Accepted Solution

TannerMan earned 1000 total points
ID: 12468269
Why not just setup multiple site/content rules and apply to the user groups in need of the different levels of access.

If your sure you want to handle secure nat clients differently then you'll need to look at ISA's Extensions>Application Filters>HTTP Redirector
The redirector forces all secureNat and firewall client use to go through the web proxy service.
If you click on the options tab of it's properties you can choose the "Send to requested web server".
Stop and start webproxy and firewall services from the Monitoring>Services section.

Give it a shot. you can also check the box to NOT enable the filter.

You need to read up on the pros/cons of altering and disabling this filter.

Hope it helps.

Author Comment

ID: 12472857
Thanks for the info I will check it out shortly,
I'd like nothing more than to be able to completely control each user or group using proxy or firewall, but my main problem is I have executives from our corporate office who come to my location (a different domain) and hook up to access their network over the WAN and use "My internet" for browsing. It would be unacceptable to them to have to set their browsers up to use a "proxy" every time they visit. Thus the need for secure NAT. I read the chapter on content filtering in the "configuring ISA 2000" book by Tom Shinder. He states that I would have to turn off the http redirector for secure NAT clients to be able to access sites. Is this what you are referring to? Please forgive my ignorance, I have been using ISA for 3 years, but it has always worked out of the box for me (using secure NAT) but now that I have to implement Content Rules, it is getting a bit difficult and I have found some of the tech manuals kind of hard to interpret

Expert Comment

ID: 12473136
Yes, that is what Tom is referring to.
However, if the visiting corporate big wig is using a machine from a different domain/ip, are you physically setting their default gateway to your ISA server's internal IP every time the visit? If not, and your dong via DHCP, then all your clients are secure nat's and will be given wide open access once you turn off that redirector.

Just want to make sure I understand everything. If your setting gateways manually it just as easy, if not more so, to have the corp user change their IE proxy IP/port.
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.


Author Comment

ID: 12473316
We use DHCP to assign the gateway. They bring in their own laptops from the corporate office & they do not use any type of proxy there just secure NAT through a Cisco PIX. So if I do this, will it disable all proxy services? What will happen to the firewall clients I currently have (only a few) I know when you install the client it automatically sets the browser to use the proxy server. Will I need to go into each of these and remove that setting or will it function transparently to the user? I tried to talk the big wigs in investing in Websense, but they don't want to spend the money, they said they had total faith that I could get it working with what I have.  What can you say when your told that! :-)

Expert Comment

ID: 12473435
Ok, here is the thing.
If every machine on your network is assigned the default gateway of your ISA server....AND....you turn off that redirector filter.......everyone goes anywhere they want to go. Doesn't matter if they are web proxy clients or firewall clients,,,,,,they are all secure nat clients with redirector NOT directing them through the web proxy service.......WIDE OPEN access.

If you explain to these corp users the magnitude of setting them up so that they can auto access the web when on your network opens up free http access to all users......they'll support you on editing their machines upon each visit.

Just remember, when you turn off that redirector ANY firewall client or secure nat client will have full access. ONLY users that have ONLY IE proxy settings will be restricted.

Author Comment

ID: 12473518
Thanks TannerMan,
I completely understand now! Shame it wasn't written as well in the manuals. I tunred off the redirector and the results are as expected. I can contol the Proxy users, but not the NAT they can do what ever they want. But now that I know what I know, I may have to rethink the whole thing. I cant have everyone doing anything. Your sugestions make perfect sense. Thanks a million for the help!

Expert Comment

ID: 12473557
Your very welcome.
AND, DON"T feel bad. I have been using ISA for 3 years with over 8 installations under my belt and I have to review this everytime. It is confusing, to say the least.
Glad it hellped and I wish you luck keeping those corp folks happy..hahahahhaha

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question