Create ISA rule to allow only connections on port 80 on specific machine

I have to do some tests on one particular machine in my network.  I want to figure out a way to configure an ISA rule to only allow connections through port 80 on that machine.

I have some basic knowledge of ISA but I hardly ever work with it so I'm a little rusty.  Can anybody give me some direction? Thanks.
msomohanoAsked:
pwindellCommented:
What do you actually mean by "only allow connections through port 80 on that machine" ?
0
pwindellCommented:
My point is that we need the "big picture".  We need to know what you really want to do and why.  Normally ISA can only identify a machine by the IP# which does very little good if the machine is using DHCP.
0
msomohanoAuthor Commented:
Well, I can set up the rule on the TO by the computer name.  That much I've done before, to deny the HTTP protocol, for example, to a particular user.  But anyway...

I want to test our Flash player with one specific user, and by doing that it will hopefully fall back successfully to the RTMPT (HTTP tunneling) protocol over port 80 if a direct RTMP connection on port 1935 fails.  For some people using proxies and trying to open a Flash player, the first try fails on 1935, then goes to 80 on the second one.  That's why I need to test this.  I don't know if it makes sense yet.

Is it still too confusing?
0

pwindellCommented:
You cannot use computer names.  You can use IP#s (if not DHCP) or the user name, that is all.
0
msomohanoAuthor Commented:
Look... whatever, assume I'm using IPs, is there a way to go about it? If I set the rule to deny and then on protocol choose "apply to all outbound traffic except selected", and mark HTTP, and on ports pick between 80 and 80... would that work?  If not, is there a way to go about it? Or am I even on the right track?
0
pwindellCommented:
You don't mess with "ports".

Do this:
(I assume you are stopping HTTPS as well)

1. Create a Computer Set
    Name: PCs Denied HTTP-HTTPS
    Add the IP#s, or Range, or Subnet of the affected PC

2. Create a new Access Rule
    Name:  Deny HTTP-HTTPS
    Action: "Deny"
    From: <the computer set you created>
    To: External
    Protocols:  HTTP, HTTPS (along with any other protocol you might choose)
    Users:  "All Users"  (or optionally choose specific users)

This rule must be higher on the Rule List than any other rule that might give them access.

Here are some relevant links.  Both ISA2004 and 2006 work the same way:

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
0
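The recipe above is entered through the ISA management console, so there is nothing to type in; the following Python model is an added example (not code from the thread or from ISA Server) that simulates ISA's top-down, first-match access rule processing so the effect of rule order can be checked against constructed traffic. The computer set and rule names come from the post; the 10.0.0.0/8 Internal network, the 10.0.0.50 test PC, the 203.0.113.10 web server and the RTMP protocol definition are assumptions made up for the demonstration.

```python
"""Model of ISA Server 2004/2006 access rule processing.

ISA walks the rule list from the top and the first rule whose source,
destination and protocol all match decides the connection; if nothing
matches, the implicit Default rule denies it.  Computer sets are matched
by IP address, not by host name.
"""
from dataclasses import dataclass
import ipaddress

# Constructed rule elements (assumptions, not taken from a real ISA array).
COMPUTER_SETS = {
    "PCs Denied HTTP-HTTPS": [ipaddress.ip_network("10.0.0.50/32")],
}
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Protocol definitions as name -> (transport, destination port).
# RTMP is a hypothetical user-defined protocol for the asker's Flash test.
PROTOCOLS = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "RTMP": ("tcp", 1935),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "Allow" or "Deny"
    from_sets: tuple     # computer set names, or ("All",)
    to: str              # "External", "Internal" or "All"
    protocols: tuple     # protocol names, or ("All",)


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    transport: str
    dst_port: int


def network_of(ip):
    """Destination network: anything outside the Internal range is External."""
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL_NETWORK else "External"


def protocol_of(conn):
    """Map transport/port back to the ISA protocol name, or None if undefined."""
    for name, (transport, port) in PROTOCOLS.items():
        if (transport, port) == (conn.transport, conn.dst_port):
            return name
    return None


def in_computer_set(set_name, ip):
    if set_name == "All":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPUTER_SETS[set_name])


def matches(rule, conn):
    src_ok = any(in_computer_set(s, conn.src_ip) for s in rule.from_sets)
    dst_ok = rule.to in ("All", network_of(conn.dst_ip))
    proto_ok = "All" in rule.protocols or protocol_of(conn) in rule.protocols
    return src_ok and dst_ok and proto_ok


def evaluate(rules, conn):
    """First matching rule wins; fall through to the implicit Default rule."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return "Deny", "Default rule"


# The rule from the post, plus a typical broad rule that grants web access.
DENY_HTTP = Rule("Deny HTTP-HTTPS", "Deny", ("PCs Denied HTTP-HTTPS",),
                 "External", ("HTTP", "HTTPS"))
ALLOW_WEB = Rule("Allow Internal to External", "Allow", ("All",),
                 "External", ("All",))

RECOMMENDED_ORDER = [DENY_HTTP, ALLOW_WEB]   # deny sits above the allow
MISORDERED = [ALLOW_WEB, DENY_HTTP]          # deny never gets evaluated

TEST_PC, OTHER_PC, WEB_SERVER = "10.0.0.50", "10.0.0.51", "203.0.113.10"


def http_from(src):
    return Connection(src, WEB_SERVER, "tcp", 80)


def rtmp_from(src):
    return Connection(src, WEB_SERVER, "tcp", 1935)


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_ORDER), ("misordered", MISORDERED)):
        print(label, "test PC HTTP:", evaluate(rules, http_from(TEST_PC)))
        print(label, "other PC HTTP:", evaluate(rules, http_from(OTHER_PC)))
        print(label, "test PC RTMP:", evaluate(rules, rtmp_from(TEST_PC)))
```

With the deny rule on top, HTTP from the test PC is denied while the other PC and the test PC's RTMP traffic still pass the allow rule; with the order swapped, the allow rule matches first and the deny rule never fires, which is the mistake the post warns about.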
pwindellCommented:
EXPERTS,
I need your help.  Please post your closing recommendations within a few days.  If you do not respond, I may need to assume that no correct answer was provided.

I didn't know I had to respond to those.  For any that involve me, just do what you think is fair.  If my reply to the asker seemed reasonable then split points or assign points, even if not the full amount is fine.  If my reply didn't amount to anything worth mentioning then no points is fine.
0