RE: ISA 2004 and w2k3 server GPOs



Thanks for that advice. Will this modify the ISA client behaviour through the
AD group as well?

Many thanks

"Shijaz" wrote:

Create an access rule to allow access only to "teachers" AD group on the
staff ISA server. This will prevent internet access to all users that are not
part of "teachers" group in AD. (Students are not allowed).

On the Students ISA server, create an access rule to allow students only if
you like. Or you can simply allow all users to access internet through the
students ISA server.

This will prevent the students from accessing the net using the teachers
server (unless of course, if the little rascals manage to steal one of the
teachers' user account passwords ;) )

To create a user-based rule in ISA:

First create a User Set in ISA. (Toolbox on the right side --> Network
Objects --> New --> User set). In the New User Set window, select Windows users
and groups and select the AD group containing the staff user accounts.

Then create an access rule such as:

Allow
All Outbound Access
From: Internal
To: External
Users: <select the user set containing the teachers AD group>

Thank you for using the Microsoft Newsgroups. Hope this was helpful!

--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver


"James Scarlett" wrote:

Thanks for your reply. Yes two different ISA servers as the ISP providing the
student filter uses an upstream server for the filtering whilst the staff
need open access so I am stuck with using two gateways. Both ISA servers are
running ISA 2004 on a w2k3 OS. I need to find a way, if it's possible, to
configure some method of a user based rule to point the appropriate user
groups to the appropriate gateway. Both staff and students are on roaming
profiles. It works just fine using GPOs without the firewall client installed
but the school want the tracking capabilities that the client offers or some
other way of tracking users' activity on the internet. Is there a package or
method that can be installed on the ISA servers without the need for the FW
client for example?

Any help appreciated

James

"Shijaz" wrote:

Configuring gateways through GPO is not a good approach. By 2 'gateways', do
you mean two different ISA servers for the students and the staff?

Since you've posted in an ISA newsgroup, I assume the gateways are running
ISA.

You can always use a single ISA server with user-based rules to achieve
this. Create an AD security group containing all staff user accounts and
create an access rule to allow full access. Any user not in this group will
be given limited access via another access rule on ISA.

Using a single gateway helps you reduce network complexity, centralize
security, get better logging convenience, and save on ISA licenses and
hardware.

--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver


"James Scarlett" wrote:

We have a situation in a school network with two gateways, one for students
using an external website filter and the other open to the world for the
staff.

We use GPOs to direct students and staff to the appropriate gateway and ISA
client to provide tracking.

The problem is that the ISA client seems to override the GPO settings so
there is a danger of the students gaining access through the unfiltered staff
gateway. Is there any way of configuring either ISA, the client or the GPOs
to prevent this hazard?

Thanks in advance

James