  1. #1
    Nick_Parker

    ISA 2006 : Restricting Groups is affecting everyone

    Hi guys,

    I'm having some problems with an ISA 2006 setup. The ISA server is set up as a gateway and is working fine; however, I would now like to start restricting sites to specific people/places.

    Currently the rule is:

    ALLOW
    PROTOCOLS: All Outbound Traffic
    FROM: ALL Protected Networks
    TO: External
    CONDITION: All Users

    I have created a URL Set of blocked sites, and created a User Set which includes the Pupils group on the Active Directory.

    Now if I set up a rule to block the URL Set to the Pupils User Set, it blocks the URL Set to everybody, pupil or not.

    2nd Problem, How can I now go about only allowing internet access to Authenticated Users? Do I have to install the Firewall Client on every machine?

    3rd Problem, Is it possible to create Computer Sets (for each of our labs) if we use a DHCP server, or must the IPs be static?

    4th Problem/Question, what is the best way to track who's been to what website, or what websites are currently being visited by who and from where?

    Thanks guys, sorry it's so much!

  2. #2
    Ryan
    Main problem:

    To stop it blocking All Users, you need to remove All Users from the condition, and set that to the group you made that's got the kids in it. Add a new User Set in ISA that corresponds to the AD group you just made, then apply the rule to that new set.

  3. Thanks to Ryan from:

    Nick_Parker (29th February 2008)

  4. #3

    timzim
    Turn off your default allow-all rule and create separate Allow rules for the groups/computers/protocols who need access. If you leave this default rule on what's the use of a firewall since you're allowing everyone access to everything?

    Put your rules in this order (top down):

    1. Global deny rules (deny access to all users)
    2. Global allow rules (allow specific access to all users)
    3. Rules for specific computers
    4. Rules for specific users, URLs & MIME types
    5. Other allow rules
    6. Default deny rule (must be at bottom - blocks everything else)

    Remember that Deny rules take precedence over Allow rules, i.e. if you Deny access for any user you cannot then Allow them access while the deny rule is switched on.

    If you use Windows Updates you'll need an allow rule at the top of the list for all Windows Update sites (http & https). You'll also need to install the firewall client on your PCs or WU won't work (neither will a lot of things) but you can easily roll it out with Group Policies anyway.

    IP groups are going to give you problems if you use dynamic IPs since ISA uses IPs to identify computers, not their names.

  5. Thanks to timzim from:

    Nick_Parker (29th February 2008)
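
An added example, not part of the thread or of ISA itself: a simplified Python model of top-down rule evaluation, assuming the first matching rule decides and every user is already authenticated. The rule names, the `Staff` group and the `.example` hosts are constructed; it shows the Pupils deny rule taking effect only when it sits above the allow-all rule, and flags rules hidden by an earlier one.

```python
from dataclasses import dataclass

ALL_USERS = "All Users"
EXTERNAL = "External"
# Constructed sample URL set (hypothetical hosts).
URL_SETS = {"Blocked Sites": {"games.example", "chat.example"}}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "Allow" or "Deny"
    users: str    # a user set name, or ALL_USERS
    to: str       # a URL set name, or EXTERNAL

def matches(rule, groups, host):
    """True when the user's groups and the requested host both fit the rule."""
    user_ok = rule.users == ALL_USERS or rule.users in groups
    dest_ok = rule.to == EXTERNAL or host in URL_SETS.get(rule.to, set())
    return user_ok and dest_ok

def evaluate(rules, groups, host):
    """Return (action, rule name) of the first matching rule, top down."""
    for rule in rules:
        if matches(rule, groups, host):
            return rule.action, rule.name
    return "Deny", "Default rule"   # nothing matched: default deny at the bottom

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule already
    covers every user and every destination they apply to."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers_users = earlier.users in (ALL_USERS, rule.users)
            covers_dest = earlier.to in (EXTERNAL, rule.to)
            if covers_users and covers_dest:
                hidden.append(rule.name)
                break
    return hidden

block_pupils = Rule("Block Pupils", "Deny", "Pupils", "Blocked Sites")
allow_all = Rule("Allow Outbound", "Allow", ALL_USERS, EXTERNAL)

GOOD_ORDER = [block_pupils, allow_all]   # group deny sits above the allow-all
BAD_ORDER = [allow_all, block_pupils]    # allow-all matches first, deny never fires
```

Running `shadowed()` over an exported rule list before changing the policy is a quick way to spot deny rules that the current order makes unreachable.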

  6. #4
    Nick_Parker

    Quote, originally posted by Ryan:

        Main problem:

        To stop it blocking All Users, you need to remove All Users from the condition, and set that to the group you made that's got the kids in it. Add a new User Set in ISA that corresponds to the AD group you just made, then apply the rule to that new set.

    I tried that, but even though the rule is set to only apply to the Pupils user set, it's still blocking the site to everybody.

  7. #5
    Nick_Parker

    Quote, originally posted by timzim:

        Turn off your default allow-all rule and create separate Allow rules for the groups/computers/protocols who need access. If you leave this default rule on what's the use of a firewall since you're allowing everyone access to everything?

        Put your rules in this order (top down):

        1. Global deny rules (deny access to all users)
        2. Global allow rules (allow specific access to all users)
        3. Rules for specific computers
        4. Rules for specific users, URLs & MIME types
        5. Other allow rules
        6. Default deny rule (must be at bottom - blocks everything else)

        Remember that Deny rules take precedence over Allow rules, i.e. if you Deny access for any user you cannot then Allow them access while the deny rule is switched on.

        If you use Windows Updates you'll need an allow rule at the top of the list for all Windows Update sites (http & https). You'll also need to install the firewall client on your PCs or WU won't work (neither will a lot of things) but you can easily roll it out with Group Policies anyway.

        IP groups are going to give you problems if you use dynamic IPs since ISA uses IPs to identify computers, not their names.

    Wow, ok, going to give that a try and see what happens, thanks!

  8. #6
    Nick_Parker
    I would just like to say a big thanks to everybody for all your help, everything is working perfectly
