Restricting VPN Users - ISA2004

Hi Guys,

Quick Question:

I have an ISA 2004 server that we use for Proxy, Firewall and VPN.  We use IAS (RADIUS) to authenticate VPN clients as the ISA is not a member of the Corporate Domain.

It's all pretty straightforward and it works well.

However, our telephone engineers want VPN access to the telephone system which is on a different subnet.  I have set up a router between the two subnets (corporate and telephone sys), added the telephone system subnet into the internal network in the ISA Manager and set up a persistent route on the ISA box pointing to the router for that subnet.  Therefore, providing the VPN client side has set "use VPN gateway" at their side then all is well - VPN users can access the new subnet.

However, is there an easy way to block/restrict a VPN user to a particular server IP - you'll probably realise where I am going with this.  I don't want them to be able to access any open shares or servers on the corporate network. By default they are in the "Domain Users" group.

I could go through the security in AD, but that might be a hassle and take time.

Anyone have theories on how to EASILY achieve this?

Thanks guys.

Include User Accounts (in a User Set) in the VPN Access Rule then combine that with an Address Set in the Destination that reflects the ones they should be allowed to reach.  Obviously you need at least 2 User Sets and 1 Address Set,...and 2 Access Rules.

Lastly don't think that just because these people can reach something at the IP Level on your LAN that this means they have access; it does not.  Security does not begin and end at Layer 3.  They will not have access to Files on your File Server because their accounts have not been granted permission to the Files,...they have no access to the DCs because their accounts are not Domain Admins,..even your own internal users do not have access to the DCs and they are already on the LAN.  They do not have access to anything in your business Applications because they have no accounts on the business applications, nor do they have the business application's Client App (whatever that may be) installed on their machines.  The list can go on,..but you should get the idea.

I'm not saying that you can not be more specific in what they can get to over the VPN,..go ahead and do it,...I'm just trying to make the "bigger picture" a little more obvious so you have a more clear perspective.   If your LAN's security is done properly then anyone could carry a laptop into your building, plug it into the nearest wall jack, receive a valid IP Config via DHCP, and they would gain,.....Nothing,...other than they could "ping stuff" which doesn't mean anything,...and by comparison these VPN Users are no different than that.
Mohamed Khairy (Enterprise Solutions Architect) commented:
You can create an access rule that denies this user access to the mentioned servers.

You also need to consider improving your security by making the ISA a Domain Member.   Not having it a Domain Member reduces security, does not enhance it.  However you cannot simply join it at this point.  You would have to export your Config, at least a Config containing the Access and Publishing Rules at minimum.  Then uninstall ISA,...join it to the Domain,...reinstall ISA back to the same patch level it was,...import the config back in again.

Debunking the Myth that the ISA Firewall Should Not be a Domain Member

ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know (v1.02)

ISA Firewall Dirty Dozen (FAQ)

ianmclachlan (Author) commented:
Hi Guys,

Thanks for your comments.  Sometimes you can't see the wood for the trees, it seems so obvious !!!

Pwindell - I have to slightly disagree with your suggestion that the VPN user has no access to the servers.  As this user is authenticated by RADIUS they have an AD account.  By default, they become part of the "Domain Users" group.  We have a number of shared directories/services/printers etc. that are available for authenticated users - which the VPN user is.  Sensitive areas are controlled by permissions.

I agree with your comments about the security at the IP level, but they are slightly higher up the scale than that.

I note your comments about ISA being a domain controller.  When I set up this server, it was widely recognised that ISA should not be a member of your domain.  That now seems to have changed.  Unfortunately, I have already gone through the pain of getting the weakness in that to work.  So I may as well keep the configuration as is.

I will share the points between the answers.

Thanks again,

When I set up this server, it was widely recognised that ISA should not be a member of your domain.  That now seems to have changed.  Unfortunately, I have already gone through the pain of getting the weakness in that to work.  So I may as well keep the configuration as is.

I understand.  It is easy to get "stuck" with choices that we make.

You said Domain Controller, but I assume you meant Domain Member.  It was never widely recognized that ISA should not be a Domain Member except from Non-MS or Anti-MS sources who were incorrect in their beliefs.  There may have been a small amount of people within MS who were not tied to the product and lacked knowledge about the product who may have claimed that,...but they were wrong as well.  ISA has been designed from the beginning to be a Domain Member and leverage AD to a degree that no other product out there can do.  I have been involved with the product and have had a relationship to one degree or another with people from the ISA/TMG Team since the period of ISA 2000.
ianmclachlan (Author) commented:

Yes, sorry I meant domain member.

My initial findings had suggested that ISA should not be a domain member - can't remember the exact source.  But I do seem to recall reading this more than once.  

Anyway, as you say, sometimes we have to live by our choices.  It's a good product, I can't complain.  I also have Cisco PIX/ASA which is a little harder to configure.  But again, a good product.

Finally, thanks for your suggestions, you have been a credit to EE.
