Avatar of biff_johnston
ISA 2006 - How to use AD OU's as Computer Sets or Network Entity

Hi All,

I am trying to set up a firewall policy on my new ISA 2006 Standard Edition server (single NIC configuration acting as a proxy) that allows web access based on a computer object's membership in an AD OU.

So far, all I've been able to see is that I can apply the firewall policy based on IP address or address range, or based on AD Usernames.  However, neither one of these will work for my particular requirement.

It appears that ISA 'speaks' AD, at least to the degree that it can recognize usernames, so I am assuming there is a way to get it to recognize other AD objects as well.

Any help would be greatly appreciated!

Avatar of jonhicks

Unfortunately you can't.

You can have:

A network (computers connected to a network interface)
A network set
A single computer (by IP)
A group of computers
Address range (e.g. -
Domain name set
Web listener
Avatar of biff_johnston
And that 'A group of computers' is by IP range only, Yes?
Avatar of Keith Alabaster
ISA cannot pick up by OU directly, as the OU is simply a container, but CAN by AD security group.
As you say, you need to make sure that the ISA has access to the AD servers.
When you create your access rules you will see that the default authentication is set to All Users - you can remove this and choose Add and then select the authenticator to use instead, i.e. the AD group.

Yes - by IP only. ISA operates from layer 3 to layer 7.

Yes, the computer group is a group of single computers, defined by IP. It's all by IP or range of IP unfortunately.

It would be quite difficult for it to be able to convert a computer account into an IP address to filter by, so I can see why they don't do it.

If you use the agent, you can create rules based on users... which looks up AD... which is what Keith is getting at.
No offence but you do not need to use the ISA firewall client to use AD - just web proxy. Web proxy does not collect the username etc though if you use the All Users authentication type.

You can group a set of machines by MAC address also by cheating a little. A number of people have asked for this before and I suggested that they use DHCP reservations. Effectively you are still grouping by IP address but you don't need to mess about with static addressing and can be assured that the machine will always get the same IP address.
Does the Web proxy only collect user details from IE though and not non-MS clients? I'm probably thinking of integrated Windows authentication.

Regardless, you can't filter based on computer AD account. We've also gone for the DHCP approach and find it works well... so long as you can cope with the admin side.
In a sense, yes - because IE and other associated browsers have the capability to pass credentials within the packets, as long as you have used an AD group or authenticated users as the authentication type, it will collect the username. Application clients such as FTP, DNS, POP, SMTP etc. would fail though because they do NOT have the ability to pass the credentials - those would need the ISA FWC, which would do it on their behalf.

If you think of the way that ISA handles queries, all traffic arrives at the ISA as anonymous and just has the IP address of the source machine. If the authenticator is set to All Users, the traffic passes, ISA will log that entry with the IP address and job done. If it is set to authenticated users or an AD group, then ISA would deny the first packets and send back a request to the source client asking for the credentials of the requestor. Web browsers can respond with the username - ISA checks the username against AD - and then either allows/denies - and logs with the username it received. If the request had come from an FTP client (for example), the request from ISA would just sit there as the FTP client would not be able to respond - and eventually it would time out. The ISA firewall client, when it is installed, intercepts this request from ISA and passes the credentials of the logged-in user back to ISA on the FTP client's behalf. ISA then allows/denies the request based on AD and logs the event with the username.

In the Users section (where you set the authentication) you will see that you can click Add - New and then assign access to a single Windows user, a group, whatever, and can select from the domain or from just the ISA server local accounts. It is your call.

Thanks for the thoughts so far...

So I understand all FW rule logic is IP based, unless an AD User or Group object other than 'All Users' is specified and the client is a web browser.  Good so far.

So what I want to do is create two rules and have them apply to two AD groups.  The first rule allows access to URL Set 1 to Group1, and the second rule allows access to URL Set 2 to Group2.  I'm hitting a bit of a wall on this because it seems to me that the rules would end up denying each other, and so only the rule that is first on the list would work.  In other words, a request that would otherwise be allowed by Rule 2 would be denied by Rule 1 if that is the order of processing.

Am I correct here?  And if so, is there a way to get around this?
Avatar of jonhicks

Nope - you're not - fortunately :)

In ISA2004/2006, the rules changed and started following the traditional approach of top-down in rule application.

Imagine this:

Rule1 - allow: http/https; from INTERNAL to URL_SET1; users: AD_group1 - Applies ONLY to AD_group1
Rule2 - allow: http/https; from INTERNAL to URL_SET2; users: AD_group2 - Applies ONLY to AD_group2
Rule3 - deny: http/https; from INTERNAL to EXTERNAL; users: AD_group1 AND AD_group2 - Creates a block for the two groups
Rule4 - allow: http/https; from INTERNAL to EXTERNAL; users: All Users - Allows all other users full access

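As an added illustration (not code from this thread or from ISA itself), a small first-match evaluator over the four rules above, with constructed URL sets and group names, shows why Rule1 does not shadow Rule2: a request only matches a rule when both its destination and its user condition match, so an AD_group2 request simply falls through Rule1 and is decided by Rule2.

```python
# Added illustration of top-down, first-match rule evaluation as described in the
# thread; not ISA code. URL set contents and group names are constructed samples.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

ALL_USERS = "All Users"                  # ISA's default user set: matches any requester
URL_SET1 = {"intranet.example", "wiki.example"}   # constructed sample URL sets
URL_SET2 = {"supplier.example"}


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    destinations: Optional[set]          # None = EXTERNAL (any destination)
    users: Union[set, str]               # ALL_USERS, or a set of AD group names


# The ordered policy from the post, top to bottom.
POLICY = [
    Rule("Rule1", "allow", URL_SET1, {"AD_group1"}),
    Rule("Rule2", "allow", URL_SET2, {"AD_group2"}),
    Rule("Rule3", "deny",  None,     {"AD_group1", "AD_group2"}),
    Rule("Rule4", "allow", None,     ALL_USERS),
]


def evaluate(policy: list[Rule], host: str, groups: set) -> tuple[str, str]:
    """Return (action, rule_name) for the first rule whose destination AND user
    condition both match. `groups` is the requester's AD group membership; an
    empty set models a user who is in neither group."""
    for rule in policy:
        dest_ok = rule.destinations is None or host in rule.destinations
        user_ok = rule.users == ALL_USERS or bool(rule.users & groups)
        if dest_ok and user_ok:
            return rule.action, rule.name
    return "deny", "Default rule"        # ISA's implicit final deny


if __name__ == "__main__":
    # A Group2 user reaching URL_SET2 is NOT denied by Rule1; Rule1 does not match.
    print(evaluate(POLICY, "supplier.example", {"AD_group2"}))   # allow by Rule2
    # A Group1 user trying URL_SET2 is stopped by the Rule3 block.
    print(evaluate(POLICY, "supplier.example", {"AD_group1"}))   # deny by Rule3
    # Someone in neither group keeps full access via Rule4.
    print(evaluate(POLICY, "news.example", set()))               # allow by Rule4
```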
Works just as you said, Jonhicks.  Thanks!  Hopefully ISA will someday be able to work with AD OU's, but until then, this will work.
Oh well, sorry you didn't find any of my input helpful.