This is a bit confusing to explain so please bear with me...
We have an ISA 2000 server in our organization that filters internet access for our users. We only allow a certain domain security group to access the internet. When an authorized internet user opens their browser, the ISA will authenticate the user through their local domain account. This has been the practice for many years and hasn't been a problem until now. Our users now need to access a CRM and SharePoint site from our corporate office (which requires us to use a separate domain account since we are not on their domain). When they access the CRM or SharePoint site, they are challenged with Windows authentication (using our corporate domain account, not the local domain account). The browser prompts the user with multiple Windows logon boxes as they enter their corporate domain account. It slowly loads each section of the site after they enter their credentials to access the CRM/SharePoint site, but ultimately fails with unauthorized access.
I believe that the issue is the differing domain accounts they are using to authenticate between two different domains. One, they are authenticated in our domain to access the internet. Two, they are using a different domain account to access the CRM/SharePoint site. When the user opens the CRM/SharePoint site, I believe the two domains are conflicting with each other (one is trying to authenticate internet access in the local domain and the other is trying to authenticate CRM/SharePoint access in the corporate domain). To get it to work, I set up a protocol policy (HTTP) and applied it to "any request" instead of specifying certain user groups. This solved the issue and users are able to access the CRM/SharePoint site using their other domain credentials (not the domain credentials they are using to log into the network). However, we can't allow this policy because we can't allow everyone access to the internet.
Does anyone know more about ISA 2000 and how to configure it so we can allow only the authorized users to access the CRM/SharePoint site without opening the internet to everyone else? I've tried applying the policy to only the internet group and not applying it to everyone else, but it still doesn't work. Any ideas or thoughts? Thank you for any help!