29th February 2008, 11:45 AM #1 ISA 2006 : Restricting Groups is affecting everyone
Hi guys,
I'm having some problems with an ISA 2006 setup. The ISA server is set up as a gateway and is working fine; however, I would now like to start restricting sites to specific people/places.
Currently the rule is:
ALLOW
PROTOCOLS: All Outbound Traffic
FROM: ALL Protected Networks
TO: External
CONDITION: All Users
I have created a URL Set of blocked sites, and created a User Set which includes the Pupils group on the Active Directory.
Now if I set up a rule to block the URL set to the Pupils User set, it blocks the URL Set to everybody, pupil or not.
2nd Problem, How can I now go about only allowing internet access to Authenticated Users? Do I have to install the Firewall Client on every machine?
3rd Problem, Is it possible to create Computer Sets (for each of our labs) if we use a DHCP server, or must the IPs be static?
4th Problem/Question, what is the best way to track who's been to what website, or what websites are currently being visited by who and from where?
Thanks guys, sorry it's so much!
-
29th February 2008, 11:48 AM #2 Main problem:
To stop it blocking All Users, you need to remove All Users from the condition, and set that to the group you made that's got the kids in it. Add a new User Set in ISA that corresponds to the AD group you just made, then apply the rule to that new set.
-
Thanks to Ryan from:
Nick_Parker (29th February 2008)
-
29th February 2008, 01:05 PM #3 Turn off your default allow-all rule and create separate Allow rules for the groups/computers/protocols who need access. If you leave this default rule on what's the use of a firewall since you're allowing everyone access to everything?
Put your rules in this order (top down):
1. Global deny rules (deny access to all users)
2. Global allow rules (allow specific access to all users)
3. Rules for specific computers
4. Rules for specific users, URLs & MIME types
5. Other allow rules
6. Default deny rule (must be at bottom - blocks everything else)
Remember that Deny rules take precedence over Allow rules, i.e. if you Deny access for any user you cannot then Allow them access while the deny rule is switched on.
If you use Windows Updates you'll need an allow rule at the top of the list for all Windows Update sites (http & https). You'll also need to install the firewall client on your PCs or WU won't work (neither will a lot of things) but you can easily roll it out with Group Policies anyway.
IP groups are going to give you problems if you use dynamic IPs since ISA uses IPs to identify computers, not their names.
-
Thanks to timzim from:
Nick_Parker (29th February 2008)
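Added example, not part of the thread or of ISA itself: a small Python model of the top-down rule order described in post #3, with an audit for the allow-all rule and for rules that can never be reached. It assumes the first matching rule decides and that an unmatched request falls through to a default deny; the rule names, user sets and hostnames are constructed.

```python
from dataclasses import dataclass

ALL_USERS = "All Users"

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    users: str                     # a user set name, or ALL_USERS
    urls: frozenset = frozenset()  # empty means any destination

    def matches(self, user_sets, host):
        user_ok = self.users == ALL_USERS or self.users in user_sets
        return user_ok and (not self.urls or host in self.urls)

def evaluate(rules, user_sets, host):
    """Return (action, rule name) of the first matching rule, top down."""
    for rule in rules:
        if rule.matches(user_sets, host):
            return rule.action, rule.name
    return "deny", "Default rule"  # assumed default deny at the bottom

def audit(rules):
    """Flag the ordering problems the post above warns about."""
    findings = []
    for i, rule in enumerate(rules):
        catch_all = rule.users == ALL_USERS and not rule.urls
        if catch_all and rule.action == "allow":
            findings.append(f"'{rule.name}' allows everyone everywhere")
        if catch_all and i < len(rules) - 1:
            shadowed = ", ".join(r.name for r in rules[i + 1:])
            findings.append(f"'{rule.name}' shadows: {shadowed}")
    return findings

# Constructed sample policy (hypothetical names and hosts).
BLOCKED = frozenset({"games.example", "chat.example"})
block_pupils = Rule("Block pupils", "deny", "Pupils", BLOCKED)
allow_pupils = Rule("Pupil web access", "allow", "Pupils")
allow_staff = Rule("Staff web access", "allow", "Staff")
allow_all = Rule("Allow all outbound", "allow", ALL_USERS)

good_order = [block_pupils, allow_pupils, allow_staff]
bad_order = [allow_all, block_pupils]  # the deny rule is never reached

if __name__ == "__main__":
    print(evaluate(good_order, {"Pupils"}, "games.example"))
    print(evaluate(bad_order, {"Pupils"}, "games.example"))
    print(audit(bad_order))
```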
-
29th February 2008, 04:53 PM #4 
Originally Posted by Ryan:
Main problem:
To stop it blocking All Users, you need to remove All Users from the condition, and set that to the group you made that's got the kids in it. Add a new User Set in ISA that corresponds to the AD group you just made, then apply the rule to that new set.

I tried that, but even though the rule is set to only apply to the Pupils user set, it's still blocking the site to everybody.
-
-
29th February 2008, 04:54 PM #5 
Originally Posted by timzim:
Turn off your default allow-all rule and create separate Allow rules for the groups/computers/protocols who need access. If you leave this default rule on what's the use of a firewall since you're allowing everyone access to everything?
Put your rules in this order (top down):
1. Global deny rules (deny access to all users)
2. Global allow rules (allow specific access to all users)
3. Rules for specific computers
4. Rules for specific users, URLs & MIME types
5. Other allow rules
6. Default deny rule (must be at bottom - blocks everything else)
Remember that Deny rules take precedence over Allow rules, i.e. if you Deny access for any user you cannot then Allow them access while the deny rule is switched on.
If you use Windows Updates you'll need an allow rule at the top of the list for all Windows Update sites (http & https). You'll also need to install the firewall client on your PCs or WU won't work (neither will a lot of things) but you can easily roll it out with Group Policies anyway.
IP groups are going to give you problems if you use dynamic IPs since ISA uses IPs to identify computers, not their names.

Wow, ok, going to give that a try and see what happens, thanks!
-
-
11th March 2008, 02:40 PM #6 I would just like to say a big thanks to everybody for all your help, everything is working perfectly.