28th February 2008, 12:31 PM #1
ISA Server 2004, Granting Users access to the internet when unauthenticated.
We are using ISA 2004, we need it set up so usernames are resolved (for Websense). So we cannot turn off authorisation, but how can we grant access to the internet for unauthorised users please?
Your help is appreciated
28th February 2008, 02:53 PM #2
The problem that you will have is that you cannot set a rule up to allow web traffic to external for all users as this will not authenticate.
I have full auth through my ISA but I had a problem when my antivirus wanted to update without auth, I created this rule:
Allow outbound traffic (whatever traffic you want)
to domain name set
then created domain name set to my antivirus update site and other sites like Microsoft Update.
Hope this helps,
28th February 2008, 03:00 PM #3
For antivirus and servers you want to create rules specifically for this but then create computer set rules with all the static IPs of all servers and use this computer set in the "From" section so it only allows those servers access to the internet. This will make it easier on allowing all users as there are programs on servers that are not proxy aware and so need the all users rule.
This is how we got it set up.
28th February 2008, 03:15 PM #4
But how can I configure ISA so users who are not unauthenticated can still get onto the net?
28th February 2008, 03:24 PM #5
Create a new rule
Allow - https and http
for All Auth users
This will only allow for authed users
I would also recommend using the ISA Firewall Client on all workstations if you are forcing auth.
28th February 2008, 03:38 PM #6
No, we have it working fine, but unauthenticated, such as guest laptops etc., I want them to have access to the internet. But we cannot turn off unauthentication.
Basically any unauthenticated need access to the internet.
28th February 2008, 03:46 PM #7
I can only think of two ways to get around this problem,
The first would be to give them statics/reservations then create the rule designed on their IPs, but this would only work if the laptops were controlled by your institute.
The second would be to create an "internet" user account so when they browse and it prompts for username and password you could give them the "internet" user account and base the rule on that one user.
28th February 2008, 05:17 PM #8
Depending on volume of access needed you might want to make a group which has access and put auto-created users in that. You would then just hand out the individual user details to the person so that they could get proxy access and delete the user at the end of the session (or just delete/re-create at the end of each day).
Originally Posted by maf_001
You would probably want to "deny logon locally" to those users so they couldn't make use of other network facilities.
28th February 2008, 05:57 PM #9
But I can't do that to guest laptops. Literally it needs just to be simply plug in and go.
28th February 2008, 06:05 PM #10
If it's plug in and go then you need to create VLANs on your network, and users who are guests can go on that VLAN and will have access to the net (providing you created rules). This will make it easier to create rules on ISA, as you just create another internal network and make all the VLAN's clients' default gateway the IP address of the ISA server.
28th February 2008, 06:28 PM #11
We don't have the switches for that. Plus my NM won't go for it.
All I need to know is how to grant access to the internet to users that have not been unauthenticated against AD.
28th February 2008, 07:21 PM #12
You could try a second firewall rule for Internet access. You will have one already to allow authenticated users, place one for 'all users' directly beneath it.
There is a flaw in your plan though, any infractions caused by 'guests' will not be logged properly. I think that there is a way of forcing the authentication dialogue - I assume that your 'guests' are students with their own machines so they will have a login.
If the guests are not students/staff, you would need the user to sign an AUP anyway to make sure that they agree to behave!
28th February 2008, 07:36 PM #13
I thought that, but it's configured under Configuration > Networks. Surely there must be a way to do this?
Last edited by FN-GM; 28th February 2008 at 09:30 PM.
29th February 2008, 12:58 PM #14
29th February 2008, 01:21 PM #15
I do not think that it is possible still. I would just find an old workstation that is going to be binned and run Smoothwall alongside your existing ISA and point the unauthenticated clients at the Smoothwall; it is free and will run on most hardware.
Set this box up to allow internet access only, shouldn't take you more than an hour to set this up.