RE: ISA 2004 and w2k3 server GPOs
- From: Shijaz <Shijaz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 23 Sep 2006 12:14:01 -0700
You really don't need the ISA client installed on the desktops unless you're
allowing them to use POP3 etc.
For more details on which ISA client to use, see:
* ISA 2004 Clients FAQ
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-clients.mspx
You can simply use Group Policies to set the proxy in IE automatically. Or,
you could create a WPAD DHCP Scope Option if you want to send the proxy
settings via DHCP (if you use DHCP in your network).
--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver
"James Scarlett" wrote:
Thanks for that advice. Will this modify the ISA client behaviour through the
AD group as well?
Many thanks
"Shijaz" wrote:
Create an access rule to allow access only to "teachers" AD group on the
staff ISA server. This will prevent internet access to all users that are not
part of "teachers" group in AD. (Students are not allowed).
On the Students ISA server, create an access rule to allow students only if
you like. Or you can simply allow all users to access internet thru the
students ISA server.
This will prevent the students from accessing the net using the teachers
server (unless of course, if the little rascals manage to steal one of the
teachers' user account passwords ;) )
To create a user-based rule in ISA:
First create a User Set in ISA. (Toolbox on the right side-->Network
Objects--> New--> User set). In the New User Set window, select Windows users
and groups and select the AD group containing the staff user accounts.
Then create an access rule such as:
Allow
All Outbound Access
From: Internal
To: External
Users: <select the user set containing the teachers AD group>
Thank you for using the Microsoft Newsgroups. Hope this was helpful!
--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver
"James Scarlett" wrote:
Thanks for your reply. Yes two different ISA servers as the ISP providing the
student filter uses an upstream server for the filtering whilst the staff
need open access so I am stuck with using two gateways. Both ISA servers are
running ISA 2004 on a w2k3 OS. I need to find a way, if it's possible, to
configure some method of a user based rule to point the appropriate user
groups to the appropriate gateway. Both staff and students are on roaming
profiles. It works just fine using GPOs without the firewall client installed
but the school want the tracking capabilities that the client offers or some
other way of tracking users' activity on the internet. Is there a package or
method that can be installed on the ISA servers without the need for the FW
client for example?
Any help appreciated
James
"Shijaz" wrote:
Configuring gateways through GPO is not a good approach. By 2 'gateways', do
you mean two different ISA servers for the students and the staff?
Since you've posted in an ISA newsgroup, I assume the gateways are running
ISA.
You can always use a single ISA server with user-based rules to achieve
this. Create an AD security group containing all staff user accounts and
create an access rule to allow full access. Any user not in this group will
be given limited access via another access rule on ISA.
Using a single gateway helps you reduce network complexity, centralized
security, better logging convenience, and saves you on ISA licenses and
hardware.
--
Shijaz Abdulla
MCSE:Security, CCNA
www.shijaz.com/isaserver
"James Scarlett" wrote:
We have a situation in a school network with two gateways, one for students
using an external website filter and the other open to the world for the
staff.
We use GPOs to direct students and staff to the appropriate gateway and ISA
client to provide tracking.
The problem is that the ISA client seems to override the GPO settings so
there is a danger of the students gaining access through the unfiltered staff
gateway. Is there any way of configuring either ISA, the client or the GPOs
to prevent this hazard?
Thanks in advance
James