Permit/Deny Internet Access Based on Active Directory Group Membership?

Hi everyone,

Currently we have Microsoft Active Directory Small Business Server, and use Microsoft ISA server for our firewall.  What I like about ISA is the ability to permit or deny internet access based on Active Directory group membership(s).

I would like to replace our ISA server with a stand alone firewall appliance (Cisco ASA, CheckPoint, SonicWall, or Juniper).

Does anyone know if the stand alone firewalls (mentioned above) can permit or deny internet access based on Active Directory group membership?  Or perhaps there is software out there that can act as an intermediary between the stand alone firewall and Active Directory?

Thank you!

Keith Alabaster (Enterprise Architect) Commented:
No offence - but not much point putting ISA Server in your topic areas list as I am hardly likely to recommend anything but ISA Server seeing as that is what I work on all the time :)

You might want to change that TA to Software firewalls rather than ISA or something to give yourself a better spread of responses

oxburger (Author) Commented:
No offense taken, Keith.

I would gladly change the TA if I knew what it was or where to change it at :)

Is there any reason you would not employ an appliance firewall and also keep ISA for Web Proxy/Firewall Client control using AD groups?  This is usually a good combination.  You'll get the appliance benefits and configurability of the firewall while keeping your proxy setup.  Should be less of an impact to your environment as well (changes etc).  Besides that, as a practice we like to separate the inbound and outbound traffic in most cases, and the combination gives you that option.

If you do want to use Juniper/Netscreen or some other firewall you'll need to look at RADIUS (Microsoft IAS) to match rules to a policy defined that way.  This would be a new one for me to set up, but if you want to do it that way I'll see what I can cook up.

Here is an older document from Juniper on the subject (** Note it is old but goes over the process).

I hope you decide to go with the combination as it should yield you far fewer headaches.

Hope that helps

oxburger (Author) Commented:
Apologies that it took so long to post back to this thread.

Thank you CBalderson for your help.  I like the idea of using ISA & a stand alone firewall appliance and I'll probably go with that.

Now my only concern is...what if the ISA server went down?  Your thoughts?

Thanks again!
In our config we use a cluster firewall (that is easy to set up), then for ISA we use a standby server.  In ISA you can specify a server to fail to via the Firewall Client.  For the Web Proxy Client we resolve to the IP of the production ISA server.  If there was a failure on the primary ISA the Firewall Clients will automatically go to the failover (still stand alone ISA), but you would need to modify the DNS record for proxy to address the Web Proxy clients.

Note: If you like this setup, remember that DNS records cache on the client, so if you test you'll need to flush the DNS cache by typing ipconfig /flushdns.  Also, in DNS modify the A record for proxy to have a short TTL (time to live) so if you did have an outage you can make the change and not worry about touching clients.

Hopefully that makes sense.
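The DNS side of the failover described in the comment above (short TTL on the proxy A record, swap the record to the standby ISA server during an outage, flush the client cache when testing) can be scripted. The following is an added example, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module on the DNS server (Windows Server 2012 or later), and the zone name, record name and both IP addresses are placeholders to replace with your own.

```powershell
# Added example (not from the thread): keep the proxy A record's TTL short and
# fail it over to the standby ISA server. Requires the DnsServer module on the
# DNS server. Zone, record name and addresses below are placeholders.
$ZoneName  = 'corp.example'   # placeholder: your AD-integrated forward zone
$ProxyName = 'proxy'          # the A record the Web Proxy clients resolve
$PrimaryIP = '192.0.2.10'     # placeholder: production ISA server
$StandbyIP = '192.0.2.11'     # placeholder: standby ISA server
$MaxTtl    = New-TimeSpan -Minutes 5   # longest cache time you are willing to wait out

function Get-ProxyRecord {
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $ProxyName -RRType A
}

# Report whether the record's TTL is short enough for a quick failover.
function Test-ProxyTtl {
    $rec = Get-ProxyRecord
    if ($rec.TimeToLive -gt $MaxTtl) {
        Write-Warning ("TTL on {0}.{1} is {2}; clients may keep the old address that long." -f
            $ProxyName, $ZoneName, $rec.TimeToLive)
        return $false
    }
    return $true
}

# Lower the TTL ahead of time so that a later record change propagates quickly.
function Set-ProxyTtl {
    $old = Get-ProxyRecord
    $new = $old.Clone()
    $new.TimeToLive = $MaxTtl
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new
}

# Point the proxy name at the standby server; -Revert moves it back to the primary.
function Invoke-ProxyFailover {
    param([switch]$Revert)
    $target = if ($Revert) { $PrimaryIP } else { $StandbyIP }
    $old = Get-ProxyRecord
    $new = $old.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($target)
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new
    Write-Host ("{0}.{1} now resolves to {2} (TTL {3})" -f $ProxyName, $ZoneName, $target, $new.TimeToLive)
}

# On a test workstation, the PowerShell equivalent of 'ipconfig /flushdns':
# Clear-DnsClientCache
```

Run `Test-ProxyTtl` and, if it warns, `Set-ProxyTtl` while everything is healthy; the TTL has to be short before the outage, not during it, because clients that already cached the record keep the old address until it expires. During an outage, `Invoke-ProxyFailover` swaps only the Web Proxy client path; the Firewall Client failover is handled by ISA's own backup-server setting as the comment notes.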