biff_johnston asked:

ISA 2006 - How to use AD OUs as Computer Sets or Network Entity

Hi All,

I am trying to set up a firewall policy on my new ISA 2006 Standard Edition server (single NIC configuration acting as a proxy) that allows web access based on a computer object's membership in an AD OU.

So far, all I've been able to see is that I can apply the firewall policy based on IP address or address range, or based on AD Usernames.  However, neither one of these will work for my particular requirement.

It appears that ISA 'speaks' AD, at least to the degree that it can recognize usernames, so I am assuming there is a way to get it to recognize other AD objects as well.

Any help would be greatly appreciated!

Ted
Microsoft Forefront ISA Server

jonhicks

Unfortunately you can't.

You can have:

A network (computers connected to a network interface)
A network set
A single computer (by IP)
A group of computers
Address range (e.g. 192.168.1.10 - 192.168.1.20)
Subnet
URL Set
Domain name set
Web listener
ASKER
biff_johnston

And that 'A group of computers' is by IP range only, Yes?
Keith Alabaster

ISA cannot pick up by OU directly, as the OU is simply a container, but it CAN by AD security group.
As you say, you need to make sure that the ISA has access to the AD servers.
When you create your access rules you will see that the default authentication is set to All Users - you can remove this and choose Add, and then select the authenticator to use instead, i.e. the AD group.

keith
ISA MVP
Keith Alabaster

Yes - by IP only. ISA operates from layer 3 to layer 7.

Keith
jonhicks

Yes, the computer group is a group of single computers, defined by IP. It's all by IP or range of IP unfortunately.

It would be quite difficult for it to be able to convert a computer account into an IP address to filter by, so I can see why they don't do it.

If you use the agent, you can create rules based on users... which looks up AD... which is what Keith is getting at.
Keith Alabaster

No offence but you do not need to use the ISA firewall client to use AD - just web proxy. Web proxy does not collect the username etc though if you use the All Users authentication type.

You can group a set of machines by mac address also by cheating a little. A number of people have asked for this before and I suggested that they use dhcp reservations. Effectively you are still grouping by IP address but you don't need to mess about with static addressing and can be assured that the machine will always get the same ip address.
jonhicks

Does the Web proxy only collect user details from IE though and not non-MS clients? I'm probably thinking of integrated windows authentication.

Regardless, you can't filter based on computer AD account. We've also gone for the DHCP approach and find it works well... so long as you can cope with the admin side.
Keith Alabaster

In a sense, yes - because IE and other associated browsers have the capability to pass credentials within the packets, as long as you have used an AD group or authenticated users as the authentication type, it will collect the username. Application clients such as ftp, dns, pop, smtp etc. would fail though because they do NOT have the ability to pass the credentials - those would need the ISA fwc, which would do it on their behalf.

If you think of the way that ISA handles queries, all traffic arrives at the ISA as anonymous and just has the ip address of the source machine. If the authenticator is set to All Users and the traffic passes, ISA will log that entry with the ip address and job done. If it is set to authenticated users or an AD group, then ISA would deny the first packets and send back a request to the source client asking for the credentials of the requestor. Web browsers can respond with the username - ISA checks the username against AD - and then either allows/denies - and logs with the username it received. If the request had come from an ftp client (for example), the request from ISA would just sit there as the FTP client would not be able to respond - and eventually it would time out. The ISA firewall client, when it is installed, intercepts this request from ISA and passes the credentials of the logged in user back to ISA on the ftp client's behalf. ISA then allows/denies the request based on AD and logs the event with the username.

In the Users section (where you set the authentication) you will see that you can click Add - New and then assign access to a single windows user, a group, whatever and can select from the domain or from just the ISA server local accounts. It is your call.

ASKER
biff_johnston

Thanks for the thoughts so far...

So I understand all FW rule logic is IP based, unless an AD User or Group object other than 'All Users' is specified and the client is a web browser.  Good so far.

So what I want to do is create two rules and have them apply to two AD groups.  The first rule allows access to URL Set 1 to Group1, and the second rule allows access to URL Set 2 to Group2.  I'm hitting a bit of a wall on this because it seems to me that the rules would end up denying each other, and so only the rule that is first on the list would work.  In other words, a request that would otherwise be allowed by Rule 2 would be denied by Rule 1 if that is the order of processing.

Am I correct here?  And if so, is there a way to get around this?
ASKER CERTIFIED SOLUTION
jonhicks

Keith Alabaster

Nope - you're not - fortunately :)

In ISA2004/2006, the rules changed and started following the traditional approach of top-down in rule application.

Imagine this:

Rule1 - allow: http/https: from INTERNAL to URL_SET1: users: AD_group1 - applies ONLY to AD_group1
Rule2 - allow: http/https: from INTERNAL to URL_SET2: users: AD_group2 - applies ONLY to AD_group2
Rule3 - deny: http/https: from INTERNAL to EXTERNAL: users: AD_group1 AND AD_group2 - creates a block for the two groups
Rule4 - allow: http/https: from INTERNAL to EXTERNAL: users: All Users - allows all other users full access
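An added illustration (not from the thread, and not ISA's own code): a small simulator of ISA 2006's top-down, first-match rule evaluation over the four rules above, showing why Rule1 and Rule2 never "deny each other" and why Rule3 is needed before the catch-all Rule4. The URL set contents, host names and user/group names are constructed placeholders.

```python
"""Simulate ISA 2004/2006 top-down, first-match access rule evaluation.

Models the four rules from the post: two per-group allows, a deny that
catches both groups, and an All Users allow. ISA's built-in Default rule
(deny everything not matched) is modelled as the fallback.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed URL Set contents (hypothetical). None means any destination,
# standing in for the External network in "from INTERNAL to EXTERNAL".
URL_SETS = {
    "URL_SET1": {"intranet.example.com", "hr.example.com"},
    "URL_SET2": {"vendor.example.com"},
    "EXTERNAL": None,
}
ALL_USERS = None  # like ISA's "All Users": any requestor matches


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    dest: str                          # key into URL_SETS
    groups: Optional[FrozenSet[str]]   # None = All Users


RULES = [
    Rule("Rule1", "allow", "URL_SET1", frozenset({"AD_group1"})),
    Rule("Rule2", "allow", "URL_SET2", frozenset({"AD_group2"})),
    Rule("Rule3", "deny",  "EXTERNAL", frozenset({"AD_group1", "AD_group2"})),
    Rule("Rule4", "allow", "EXTERNAL", ALL_USERS),
]


def rule_matches(rule: Rule, host: str, user_groups: set) -> bool:
    """A rule only applies if BOTH its destination and its user set match;
    a non-matching rule is skipped, it does not deny."""
    dest = URL_SETS[rule.dest]
    if dest is not None and host not in dest:
        return False
    if rule.groups is not None and not (rule.groups & user_groups):
        return False
    return True


def evaluate(host: str, user_groups, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top-down."""
    for rule in rules:
        if rule_matches(rule, host, set(user_groups)):
            return rule.action, rule.name
    return "deny", "Default rule"
```

Dropping Rule3 from the list shows the trap: a group1 user asking for a URL_SET2 host would fall through to Rule4 and be allowed.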


ASKER
biff_johnston

Works just as you said, Jonhicks.  Thanks!  Hopefully ISA will someday be able to work with AD OUs, but until then, this will work.
Keith Alabaster

Oh well, sorry you didn't find any of my input helpful.

Keith
ISA MVP