Restricting VPN Users - ISA2004

Hi Guys,

Quick Question:

I have an ISA 2004 server that we use for Proxy, Firewall and VPN.  We use IAS (RADIUS) to authenticate VPN clients, as the ISA is not a member of the Corporate Domain.

It's all pretty straightforward and it works well.

However, our telephone engineers want VPN access to the telephone system, which is on a different subnet.  I have set up a router between the two subnets (corporate and telephone system), added the telephone system subnet into the internal network in the ISA Manager and set up a persistent route on the ISA box pointing to the router for that subnet.  Therefore, providing the VPN client side has set "use VPN gateway" at their side, all is well - VPN users can access the new subnet.

However, is there an easy way to block/restrict a VPN user to a particular server IP - you'll probably realise where I am going with this.  I don't want them to be able to access any open shares or servers on the corporate network. By default they are in the "Domain Users" group.

I could go through the security in AD, but that might be a hassle and take time.

Anyone have theories on how to EASILY achieve this?

Thanks guys.


Mohamed Khairy (Enterprise Solutions Architect) commented:
You can create an access rule that denies this user access to the mentioned servers.
Include User Accounts (in a User Set) in the VPN Access Rule then combine that with an Address Set in the Destination that reflects the ones they should be allowed to reach.  Obviously you need at least 2 User Sets and 1 Address Set,...and 2 Access Rules.

Lastly, don't think that just because these people can reach something at the IP Level on your LAN that this means they have access; it does not.  Security does not begin and end at Layer 3.  They will not have access to Files on your File Server because their accounts have not been granted permission to the Files,...they have no access to the DCs because their accounts are not Domain Admins,..even your own internal users do not have access to the DCs and they are already on the LAN.  They do not have access to anything in your business Applications because they have no accounts on the business applications, nor do they have the business application's Client App (whatever that may be) installed on their machines.  The list can go on,..but you should get the idea.

I'm not saying that you cannot be more specific in what they can get to over the VPN,..go ahead and do it,...I'm just trying to make the "bigger picture" a little more obvious so you have a clearer perspective.   If your LAN's security is done properly then anyone could carry a laptop into your building, plug it into the nearest wall jack, receive a valid IP Config via DHCP, and they would gain,.....Nothing,...other than they could "ping stuff" which doesn't mean anything,...and by comparison these VPN Users are no different than that.

You also need to consider improving your security by making the ISA a Domain Member.   Not having it a Domain Member reduces security, it does not enhance it.  However you cannot simply join it at this point.  You would have to export your Config, or at least a Config containing the Access and Publishing Rules at minimum.  Then uninstall ISA,...join it to the Domain,...reinstall ISA back to the same patch level it was,...import the config back in again.

Debunking the Myth that the ISA Firewall Should Not be a Domain Member

ISA Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know (v1.02)

ISA Firewall Dirty Dozen (FAQ)
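The two-User-Set / one-Address-Set / two-Access-Rule design described above is easy to get wrong by rule order, because ISA 2004 walks its firewall policy top to bottom and the first rule whose user and destination both match decides, with a default deny at the bottom. The script below is an added example (not code from this thread, from Microsoft, or from the ISA product) that models that evaluation so the policy can be checked before it is trusted. All addresses, account names and set names are constructed for illustration; the thread gives none.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumed; the thread names no IPs): the corporate LAN,
# the telephone-system subnet behind the router, and the single host the
# telephone engineers are supposed to reach.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/16")
PHONE_NET = ipaddress.ip_network("10.50.0.0/24")
PHONE_SERVER = ipaddress.ip_network("10.50.0.10/32")

# User Sets, as in ISA Manager: named collections of accounts. Two are needed:
# the engineers, and the wider VPN population (which also contains them).
USER_SETS = {
    "Telephone Engineers": {"tel-eng1", "tel-eng2"},
    "All VPN Users": {"tel-eng1", "tel-eng2", "alice", "bob"},
}

# Address Sets: the one server the engineers may reach, plus the Internal
# network as ISA sees it here (corporate LAN plus the telephone subnet).
ADDRESS_SETS = {
    "Phone System Server": [PHONE_SERVER],
    "Internal": [CORPORATE_NET, PHONE_NET],
}


@dataclass
class AccessRule:
    name: str
    action: str              # "allow" or "deny"
    users: str               # User Set name
    destinations: list[str]  # Address Set names


# Ordered policy: specific rules for the engineers first, broad VPN allow last.
RULES = [
    AccessRule("Engineers to phone server", "allow", "Telephone Engineers", ["Phone System Server"]),
    AccessRule("Engineers blocked elsewhere", "deny", "Telephone Engineers", ["Internal"]),
    AccessRule("VPN clients to Internal", "allow", "All VPN Users", ["Internal"]),
]


def evaluate(rules: list[AccessRule], user: str, dst_ip: str) -> tuple[str, str]:
    """First-match evaluation: return (action, rule name), or the default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if user not in USER_SETS[rule.users]:
            continue
        if any(dst in net for name in rule.destinations for net in ADDRESS_SETS[name]):
            return rule.action, rule.name
    return "deny", "Default rule"


def audit(rules: list[AccessRule], user: str, probes: list[str]) -> dict[str, str]:
    """Map each probe address to the action a given user would get."""
    return {ip: evaluate(rules, user, ip)[0] for ip in probes}


def misordered(rules: list[AccessRule]) -> list[AccessRule]:
    """The common mistake: the broad VPN allow placed above the specific rules."""
    return [rules[2], rules[0], rules[1]]


if __name__ == "__main__":
    probes = ["10.50.0.10", "10.0.1.5", "10.50.0.20", "192.168.1.1"]
    for who in ("tel-eng1", "alice"):
        print(who, audit(RULES, who, probes))
    print("misordered tel-eng1", audit(misordered(RULES), "tel-eng1", probes))
```

Running it shows the engineers reaching only the phone server while ordinary VPN users keep their Internal access; the `misordered` variant shows why the broad allow must sit below the engineer-specific deny, since the engineers are members of both User Sets and the first match wins. As the reply above notes, this only constrains what is reachable at the IP level; share and service permissions in AD still apply on top.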

ianmclachlan (Author) commented:
Hi Guys,

Thanks for your comments.  Sometimes you can't see the wood for the trees; it seems so obvious!!!

Pwindell - I have to slightly disagree with your suggestion that the VPN user has no access to the servers.  As this user is authenticated by RADIUS they have an AD account.  By default, they become part of the "Domain Users" group.  We have a number of shared directories/services/printers etc. that are available to authenticated users - which the VPN user is.  Sensitive areas are controlled by permissions.

I agree with your comments about the security at the IP level, but they are slightly higher up the scale than that.

I note your comments about ISA being a domain controller.  When I set up this server, it was widely recognised that ISA should not be a member of your domain.  That now seems to have changed.  Unfortunately, I have already gone through the pain of getting the weakness in that to work.  So I may as well keep the configuration as is.

I will share the points between the answers.

Thanks again,

When I set up this server, it was widely recognised that ISA should not be a member of your domain.  That now seems to have changed.  Unfortunately, I have already gone through the pain of getting the weakness in that to work.  So I may as well keep the configuration as is.

I understand.  It is easy to get "stuck" with choices that we make.

You said Domain Controller, but I assume you meant Domain Member.  It was never widely recognized that ISA should not be a Domain Member except from Non-MS or Anti-MS sources who were incorrect in their beliefs.  There may have been a small number of people within MS who were not tied to the product and lacked knowledge about the product who may have claimed that,...but they were wrong as well.  ISA has been designed from the beginning to be a Domain Member and leverage AD to a degree that no other product out there can do.  I have been involved with the product and have had a relationship to one degree or another with people from the ISA/TMG Team since the period of ISA2000.

ianmclachlan (Author) commented:

Yes, sorry I meant domain member.

My initial findings had suggested that ISA should not be a domain member - can't remember the exact source.  But I do seem to recall reading this more than once.  

Anyway, as you say, sometimes we have to live by our choices.  It's a good product, I can't complain.  I also have Cisco PIX/ASA, which is a little harder to configure.  But again, a good product.

Finally, thanks for your suggestions, you have been a credit to EE.
