29th February 2008, 11:45 AM #1
ISA 2006 : Restricting Groups is affecting everyone
I'm having some problems with an ISA 2006 setup. The ISA server is set up as a gateway and is working fine; however, I would now like to start restricting sites to specific people/places.
Currently the rule is:
PROTOCOLS: All Outbound Traffic
FROM: ALL Protected Networks
CONDITION: All Users
I have created a URL Set of blocked sites, and created a User Set which includes the Pupils group on the Active Directory.
Now if I set up a rule to block the URL set to the Pupils User set, it blocks the URL Set to everybody, pupil or not.
2nd Problem, How can I now go about only allowing internet access to Authenticated Users? Do I have to install the Firewall Client on every machine?
3rd Problem, Is it possible to create Computer Sets (for each of our labs) if we use a DHCP server, or must the IPs be static?
4th Problem/Question, what is the best way to track who's been to what website, or what websites are currently being visited by who and from where?
Thanks guys, sorry it's so much!
29th February 2008, 11:48 AM #2
To stop it blocking All Users, you need to remove All Users from the condition, and set that to the group you made that's got the kids in it. Add a new User Set in ISA that corresponds to the AD group you just made, then apply the rule to that new set.
Thanks to Ryan from:
Nick_Parker (29th February 2008)
29th February 2008, 01:05 PM #3
Turn off your default allow-all rule and create separate Allow rules for the groups/computers/protocols who need access. If you leave this default rule on what's the use of a firewall since you're allowing everyone access to everything?
Put your rules in this order (top down):
1. Global deny rules (deny access to all users)
2. Global allow rules (allow specific access to all users)
3. Rules for specific computers
4. Rules for specific users, URLs & MIME types
5. Other allow rules
6. Default deny rule (must be at bottom - blocks everything else)
Remember that Deny rules take precedence over Allow rules, i.e. if you Deny access for any user you cannot then Allow them access while the deny rule is switched on.
If you use Windows Updates you'll need an allow rule at the top of the list for all Windows Update sites (http & https). You'll also need to install the firewall client on your PCs or WU won't work (neither will a lot of things) but you can easily roll it out with Group Policies anyway.
IP groups are going to give you problems if you use dynamic IPs since ISA uses IPs to identify computers, not their names.
Thanks to timzim from:
Nick_Parker (29th February 2008)
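A simplified model of the top-down rule ordering described in the post above, added here as an illustration; it is not part of the original thread and not ISA's own code. It assumes the first rule matching both user and URL decides the request, and the rule names, group names and hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    users: str                   # a User Set name, or ALL_USERS
    urls: Optional[frozenset]    # a URL Set, or None for any destination

def evaluate(rules, user_groups, host):
    """Walk the list top-down; the first rule matching user and URL decides."""
    for rule in rules:
        if rule.urls is not None and host not in rule.urls:
            continue
        if rule.users != ALL_USERS and rule.users not in user_groups:
            continue
        return rule.action, rule.name
    return "deny", "Default deny"   # bottom of the list blocks everything else

# Constructed sample data: hostnames and group names are placeholders.
BLOCKED = frozenset({"games.example"})
UPDATES = frozenset({"update.example"})

# Order from the post: update allow rule on top, specific deny, then allows.
ORDERED = [
    Rule("Allow Windows Update", "allow", ALL_USERS, UPDATES),
    Rule("Deny blocked sites to Pupils", "deny", "Pupils", BLOCKED),
    Rule("Allow Staff", "allow", "Staff", None),
    Rule("Allow Pupils", "allow", "Pupils", None),
]

# Counter-example: an allow-all rule placed above the Pupils deny shadows it.
MISORDERED = [
    Rule("Allow all outbound", "allow", ALL_USERS, None),
    Rule("Deny blocked sites to Pupils", "deny", "Pupils", BLOCKED),
]

if __name__ == "__main__":
    for label, policy in (("ordered", ORDERED), ("misordered", MISORDERED)):
        for groups in ({"Pupils"}, {"Staff"}, set()):
            print(label, sorted(groups), evaluate(policy, groups, "games.example"))
```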
29th February 2008, 04:53 PM #4
I tried that, but even though the rule is set to only apply to the Pupils user set, it's still blocking the site to everybody.
Originally Posted by Ryan
29th February 2008, 04:54 PM #5
Wow, ok, going to give that a try and see what happens, thanks!
Originally Posted by timzim
11th March 2008, 02:40 PM #6
I would just like to say a big thanks to everybody for all your help, everything is working perfectly.