Re: Newbie asking for advice/help with ISA 2004
- From: "Daphna Porath [MSFT]" <daphnap@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 8 Jun 2006 12:41:55 +0300
Hi again,
Can you send details of the access rule you've created, and how you restrict
users' access?
I tried using Firefox in my lab and it worked fine for me (Firefox version
1.0.7).
Thanks,
Daphna
--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only. This posting is provided "AS IS" with no warranties, and
confers no rights.
"Andy Abplanalp" <freshtech@xxxxxxxxx> wrote in message
news:1149686035.171087.80980@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Daphna,
Thanks for the reply. I had already done what you suggested using a
test account and it works great for IE, but Firefox will still allow
access to everything. Is there a way to use my current setup with
Firefox? I have set proxy settings in Firefox, but it makes no
difference. Firefox is the browser of choice (by management here) and
changing it will require a lot of politicking on my part. Can I
control access to the Internet using Firefox and my current setup, or
will all of the clients have to be SecureNAT for that to happen? And
if they are all SecureNAT clients, can I set up certain users to have
all access?
Thanks,
Andy
Daphna Porath [MSFT] wrote:
Hi Andy,
Am I correct assuming you wish your clients to be able to browse the
internet and you wish to be able to restrict internet access according to AD
users?
In that case I would create an access rule allowing the protocols you use to
access the internet (HTTP\HTTPS etc...), from the "Internal" network to the
"External".
If you wish ISA to restrict users' access to the internet and you don't wish
to use the firewall client, your clients have to be "web proxy clients"
(configured through IE\other web browser settings).
I hope this helps,
Daphna Porath
--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only. This posting is provided "AS IS" with no warranties, and
confers no rights.
"Andy Abplanalp" <freshtech@xxxxxxxxx> wrote in message
news:1149126549.047712.203820@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi everyone,
I work for a non-profit with about 75 2K/XP clients on a simple Server
2003 domain network. Our subnet is 192.168.168.x. I have read some of
Tom Shinder's Configuring ISA 2004 book which has wonderful
descriptions in it, but I need a better step-by-step plan than the one
I have stumbled through so far. The installation (with SP2) seems to
go fine, but that's where it ends for me and it seems to get more
convoluted as I dig deeper into it. All we really want to do with ISA
is to use XML blacklists that I have saved to block content (or not
block content based on AD users/groups) and to log users' Internet
activity to an Access or SQL database. Caching would be nice, too.
The DSL gateway/router address is currently 192.168.168.1. From what I
have read, I should change the DSL router to a different subnet (say
192.168.1.1) and assign the "external" NIC to that subnet
(192.168.1.10) and then assign the "internal" NIC to our current
192.168.168.x subnet to make for better security. I would then change
the DHCP scope to include the "internal" NIC's IP address to serve the
clients as their default gateway. At this point all of the clients
will be SecureNAT clients, correct? This all seems pretty
straightforward, I'm sure, but after this is done things don't seem to
be working intuitively or with consistency. Just for testing purposes
after the initial settings have locked everything down, I open up all
protocols with source and destination settings of "Anywhere".
Sometimes I will be able to do whatever I want and other times I can't
even log a client into the domain while getting a "domain not
available" error. Sometimes things work OK and when I do something
else and come back 30 minutes later, I can't access the Internet from a
client or even the ISA machine. The default system policy looks to me
like it should leave AD and other "normal" network operations alone and
let me do what I need to with HTTP/HTTPS, but I'm ready to tear my hair
out at this point. I know it sounds weird and it's obviously something
I'm doing, but there's got to be an easy way to configure this setup.
Before installing ISA, I was able to successfully use RRAS to route
traffic normally between subnets without incident and with consistency.
So, some of my questions include: Is SecureNAT going to let me
allow/deny content through AD groups, or should I take another
approach? Do I really need the firewall client installed? Shouldn't
the WebProxy client be enough?
Hopefully I made enough sense for someone to offer up some
suggestions/opinions/advice. Thanks for reading.
Andy Abplanalp
I/S Specialist
Penfield Children's Center