We are using ISA 2004, we need it setup so usernames are resolved (for websense). So we cannot turn off authorisation but how can we grant access to the internet for unauthorised users please?
Your help is appreciated
The problem that you will have is that you cannot set a rule up to allow web traffic to external for all users as this will not authenticate.
I have full auth through my ISA, but I had a problem when my antivirus wanted to update without auth, so I created this rule:
Allow outbound traffic (whatever traffic you want)
from internal
to domain name set
Then I created a domain name set for my antivirus update site and other sites like Microsoft Update.
Hope this helps,
Regards
Hi Guys,
For antivirus and servers you want to create rules specifically for this but then create computer set rules with all the static IPs of all servers and use this computer set in the "From" section so it only allows those servers access to the internet. This will make it easier on allowing all users as there are programs on servers that are not proxy aware and so need the all users rule.
This is how we got it setup.
HTH,
Ash.
But how can I configure ISA so users who are not unauthenticated can still get onto the net?
Thanks
Create a new rule
Allow - https and http
From Internal
To external
for All Auth users
This will only allow for authed users
I would also recommend using the ISA Firewall Client on all workstations if you are forcing auth.
HTH
No, we have it working fine, but unauthenticated just as guest laptops etc. I want them to have access to the internet. But we cannot turn off unauthentication.
Basically any unauthenticated need access to the internet.
I can only think of two ways to get around this problem:
The first would be to give them statics/reservations, then create the rule designed on their IPs, but this would only work if the laptops were controlled by your institute.
The second would be to create an "internet" user account, so when they browse and it prompts for a username and password you could give them the "internet" user account and base the rule on that one user.
HTH
Depending on volume of access needed you might want to make a group which has access and put auto-created users in that. You would then just hand out the individual user details to the person so that they could get proxy access and delete the user at the end of the session (or just delete/re-create at the end of each day).
You would probably want to "deny logon locally" to those users so they couldn't make use of other network facilities.
But I can't do that to guest laptops. Literally it needs just to be simply plug in and go.
If it's plug in and go then you need to create VLANs on your network, and users who are guests can go on that VLAN and will have access to the net (providing you created rules). This will make it easier to create rules on ISA, as you just create another internal network and make all the VLAN's clients' default gateway the IP address of the ISA server.
Ash.
We don't have the switches for that. Plus my NM won't go for it.
All I need to know is how to grant access to the internet to users that have not been unauthenticated against AD.
You could try a second firewall rule for Internet access. You will have one already to allow authenticated users; place one for 'all users' directly beneath it.
There is a flaw in your plan though, any infractions caused by 'guests' will not be logged properly. I think that there is a way of forcing the authentication dialogue - I assume that your 'guests' are students with their own machines so they will have a login.
If the guests are not students/staff, you would need the user to sign an AUP anyway to make sure that they agree to behave!
I thought that, but it's configured under Configuration > Networks. Surely there must be a way to do this?
Anyone Please?
I do not think that it is possible still. I would just find an old workstation that is going to be binned and run Smoothwall alongside your existing ISA and point the unauthenticated clients at the Smoothwall; it is free and will run on most hardware.
Set this box up to allow internet access only; it shouldn't take you more than an hour to set this up.
HTH