ISA Server 2000 Allowing Secure NAT clients all access while Proxy clients have limited access?

Is it possible to allow Secure NAT clients unrestricted access to the internet while restricting "proxy" clients to only certain sites?
I read and followed many articles from ISA Server.ORG but I am having trouble. It seems I can get either one or the other to work.
If the content rules are running for certain groups or users, then my Secure NAT clients are denied access altogether. If I give all access to "all client sets" then the Content rules for the Proxy users no longer work. Due to the fact I have users who travel constantly between company locations and customer sites, I cannot assign all my users to use the "proxy". Nor can I use content rules via client address sets. I have a terminal server and I will need to restrict access to individual users of that device. I have certain users who are always in house, and are abusing internet access, thus the need for the restriction.

Why not just set up multiple site/content rules and apply them to the user groups in need of the different levels of access?

If you're sure you want to handle secure NAT clients differently then you'll need to look at ISA's Extensions>Application Filters>HTTP Redirector.
The redirector forces all secureNat and firewall client use to go through the web proxy service.
If you click on the options tab of its properties you can choose the "Send to requested web server".
Stop and start webproxy and firewall services from the Monitoring>Services section.

Give it a shot. You can also check the box to NOT enable the filter.

You need to read up on the pros/cons of altering and disabling this filter.

Hope it helps.

bryandillon (Author) commented:
Thanks for the info, I will check it out shortly.
I'd like nothing more than to be able to completely control each user or group using proxy or firewall, but my main problem is I have executives from our corporate office who come to my location (a different domain) and hook up to access their network over the WAN and use "My internet" for browsing. It would be unacceptable to them to have to set their browsers up to use a "proxy" every time they visit. Thus the need for secure NAT. I read the chapter on content filtering in the "configuring ISA 2000" book by Tom Shinder. He states that I would have to turn off the HTTP redirector for secure NAT clients to be able to access sites. Is this what you are referring to? Please forgive my ignorance, I have been using ISA for 3 years, but it has always worked out of the box for me (using secure NAT) but now that I have to implement Content Rules, it is getting a bit difficult and I have found some of the tech manuals kind of hard to interpret.

Yes, that is what Tom is referring to.
However, if the visiting corporate big wig is using a machine from a different domain/IP, are you physically setting their default gateway to your ISA server's internal IP every time they visit? If not, and you're doing it via DHCP, then all your clients are secure NATs and will be given wide open access once you turn off that redirector.

Just want to make sure I understand everything. If you're setting gateways manually, it's just as easy, if not more so, to have the corp user change their IE proxy IP/port.

bryandillon (Author) commented:
We use DHCP to assign the gateway. They bring in their own laptops from the corporate office and they do not use any type of proxy there, just secure NAT through a Cisco PIX. So if I do this, will it disable all proxy services? What will happen to the firewall clients I currently have (only a few)? I know when you install the client it automatically sets the browser to use the proxy server. Will I need to go into each of these and remove that setting or will it function transparently to the user? I tried to talk the big wigs into investing in Websense, but they don't want to spend the money, they said they had total faith that I could get it working with what I have. What can you say when you're told that! :-)

Ok, here is the thing.
If every machine on your network is assigned the default gateway of your ISA turn off that redirector filter... everyone goes anywhere they want to go. Doesn't matter if they are web proxy clients or firewall clients... they are all secure NAT clients with redirector NOT directing them through the web proxy service... WIDE OPEN access.

If you explain to these corp users the magnitude of setting them up so that they can auto access the web when on your network opens up free HTTP access to all users... they'll support you on editing their machines upon each visit.

Just remember, when you turn off that redirector ANY firewall client or secure nat client will have full access. ONLY users that have ONLY IE proxy settings will be restricted.
bryandillon (Author) commented:
Thanks TannerMan,
I completely understand now! Shame it wasn't written as well in the manuals. I turned off the redirector and the results are as expected. I can control the Proxy users, but not the NAT; they can do whatever they want. But now that I know what I know, I may have to rethink the whole thing. I can't have everyone doing anything. Your suggestions make perfect sense. Thanks a million for the help!

You're very welcome.
AND, DON'T feel bad. I have been using ISA for 3 years with over 8 installations under my belt and I have to review this every time. It is confusing, to say the least.
Glad it helped and I wish you luck keeping those corp folks happy..hahahahhaha