1st December 2009, 10:56 AM #1
One ISA Server - Two Connections
Wondering if anybody can help - we are in the process of building a new ISA server in the form of Windows Server 2008 Enterprise R2 with Forefront TMG Enterprise (ISA 2010) installed on it.
We now have our filtered connection from SWGFL and our own unfiltered ADSL connection.
Basically we want to create a group "allaccess" for the head / deputy / network manager / network technicians - which would send all of their web requests out on the unfiltered connection, whilst all other users would use the SWGFL filtered connection.
We have 3 NICs in the ISA Box -
One is on our internal network,
One goes to the modem router for our ADSL connection
and One goes into the Cisco box for our SWGFL connection
Does anyone know how to do this?
Thanks in advance, ECT
1st December 2009, 12:18 PM #2
I'm not hugely familiar with ISA 2010 - however I do know that I tried the same thing back with 2006 and there was no way I could actually get it to work reliably.
However - you could try turning on the proxy services for the internal network and the DSL network objects, point the people you want at one proxy and the others - at the other.
Combine those with using Integrated Authentication and some access rules and you should be all set.
Just remember to put your most restrictive groups at the top.
So if you have a group called 'IT Staff' - but it grants them the ability to use all traffic ports etc... then put that BEFORE any restrictive rules - so ISA doesn't mistakenly restrict someone who doesn't need it.
Another example may be this:
1 - 'AllAccess' - Allow ALL Traffic - Only usergroups 'IT Staff' (etc)
2 - 'Locked' - Allow only HTTP/HTTPS Traffic - Only usergroups 'Students' (etc)
ISA will take the first rule that matches, so if you had a student also part of an IT group - they would get the first rule - but that's highly unlikely and in this scenario you'd want certain users to have more privilege than others.
Actually - rethinking it - not sure how you'd do it with 3 NICs as all users would be going via the 'internal' network.
TMG may have some nice enhancements in it to handle this specifically but I doubt it - could you not enable routing (as in add a network rule for 'route') and then enable proxy on the 2 separate LANs (not internal) and then add the appropriate route statements?
I mean it all sounds feasible - can you give some more details on what exactly you'd like and what exactly you currently have set up? Are you in the position to be able to add extra ISA boxes or reconfigure the one you have?
Hope this helps - somehow
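The first-match behaviour described in the post above, as an added example that is not part of the original thread and is not ISA/TMG code: a simplified Python model of ordered allow rules, plus an audit that lists users whose group memberships match more than one rule. The rule names, groups and protocols are the ones in the post; the user names and memberships are constructed.

```python
# Added example: simplified model of ordered, first-match allow rules.
# Not ISA/TMG code. Rule names and groups follow the post; users are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset     # user groups the rule applies to
    protocols: frozenset  # allowed protocols; "*" stands for all traffic


RULES = [
    Rule("AllAccess", frozenset({"IT Staff"}), frozenset({"*"})),
    Rule("Locked", frozenset({"Students"}), frozenset({"HTTP", "HTTPS"})),
]

# Constructed sample directory: user -> group memberships.
USERS = {
    "netmgr": {"IT Staff"},
    "pupil01": {"Students"},
    "pupil02": {"Students", "IT Staff"},  # overlapping membership
    "visitor": set(),
}


def matches(rule, groups, protocol):
    """A rule matches only if both the user set and the protocol match."""
    in_group = bool(rule.groups & groups)
    proto_ok = "*" in rule.protocols or protocol in rule.protocols
    return in_group and proto_ok


def evaluate(rules, groups, protocol):
    """Return the name of the first matching allow rule, or None (default deny)."""
    for rule in rules:
        if matches(rule, groups, protocol):
            return rule.name
    return None


def overlapping_users(rules, users):
    """Users whose groups hit more than one rule, so rule order decides their access."""
    report = {}
    for user, groups in users.items():
        hit = [r.name for r in rules if r.groups & groups]
        if len(hit) > 1:
            report[user] = hit
    return report
```

Running `overlapping_users` against a real group export before publishing a rule set shows which accounts would pick up the broader rule through a second membership.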
1st December 2009, 12:39 PM #3
At present we have one single box with 2 connections - one goes back onto our core switch and one goes to the Cisco for the SWGFL connection - the ADSL connection is a new thing that we now have and want to start making use of.
We have one spare box that we are building the new Forefront TMG on, which is identical hardware wise to the old box.
What I can't seem to do, is get it to use the ADSL if you're a member of the "AllAccess" group and get it to use the SWGFL connection if you are anyone else - it appears to let you either load balance, have a redundant connection, or just use one. I can't for the life of me work out how to do it!
The problem with either of the above methods is it would mean that the pupils could go anywhere as all of the filtering is applied at SWGFL level.
1st December 2009, 12:58 PM #4
I'm not sure you CAN do what you want with a single ISA.
We have a similar arrangement where I work - 2 connections but we had to have 2 ISAs to do the job.
Assuming you have a network that can control proxy settings in IE/FF or whatever other browser you may use - having 2 ISAs may well be the quickest and simplest way.
Have 1 ISA that handles the bulk of the internet traffic - so it has 2 NICs, 1 for internal (the network) and 1 for the SWGFL connection.
Set up a proxy on that ISA and then enforce the proxy for all users who MUST go through SWGFL.
However - if you are using SWGFL, are you aware of a feature called 'staff proxy' - it does allow unfiltered internet access via SWGFL. You can't access it unless it's set up via your RM Safetynet page AND you have to give staff individual logins for the service.
It may well be a more efficient route - perhaps put a smaller ISA on the DSL line and use it for an emergency backup line instead?
You may not be using RM Safetynet but if you are SWGFL I'd imagine you would be - have a look into the 'staff proxy' option in SWGFL - it may well satisfy your requirements meaning you only need 1 proxy.
We use our DSL line as a backup line in case any mission-critical stuff HAS to work via the net or if SWGFL's restrictions (not filtering) stop any mission-critical processes working correctly (such as accurate network time, some finance tools we use...).
1st December 2009, 01:04 PM #5
Thanks for the reply again...
I am aware of the staff proxy and we do use it, however it's not 100% reliable and still filters some requests. Part of the problem is we use caching - so once a site has been seen as filtered, when you call it, the cache will show the filtered page despite being logged in on the staff proxy and on the unfiltered connection. We've looked at other ways of doing it, and feel that the ADSL connection for selected users and the filtered connection for everyone else would be the only way to get by.
I've seen other examples where people have managed to get this working although I am unable to find examples of the configuration that they used to achieve it.