Very new to ISA. I have, however, recently inherited a job that requires me to manage an already set-up ISA 2000 server.
My problem is this: I wish to allow access to my proxy server by IP address or range. Currently they log in by Username / Password.
Under Policy Elements --> Client Address lists I have set up a group with the address range I wish to be allowed xxx.xxx.xxx.0 - xxx.xxx.xxx.255
However, this doesn't seem to resolve my problem, because whenever I disable the login account they can't seem to access the internet at all. Also, the browser (IE) still asks for the Username and Password.
I feel I am probably making a schoolboy error but I can't seem to spot my mistake.
1. Create a client address set that defines the IP address range that you wish to allow access.
2. Create a protocol rule that allows the desired protocols and apply it only to the client address set you just defined (checking the Specific computers button in the wizard).
3. Create a site and content rule that allows access to the desired sites/content and apply it only to the client address set you just defined (checking the Specific computers button in the wizard).
jklick, thanks very much for your help! I have set up ISA as you mentioned.
Then I disabled the User account. Restarted the client PC and tried again to access
Unfortunately it still asks me for a username + password. If I hit OK or Cancel it seems to stall and then crash out after a while.
Also, although our sites are connected to head office through 256 - 512K lines, it seems to take a long time for users to connect. Can this be sped up in any way? Or, more to the point, could we be slowing the link down through some rules / configuration on the current ISA server?
Again thanks for all your help so far, I do appreciate it :)
You may want to ensure that the "Ask unauthenticated users for identification" check box is not checked. You can find this by right-clicking the array and selecting properties and then select the Outgoing Web Requests tab.
I have also seen this slow down performance in some environments.
I've checked the properties of the array and the "Ask unauthenticated users for identification" box is checked on both incoming and outgoing. If I uncheck this box, will that force users to be checked by the IP address?
From what I understood, I thought that ISA would check / pick up the IP address of the client and authenticate them before it asked for the username and password. Which could be where I am going wrong.
Currently I am set up as jklick instructed.
Or do all my problems revolve around a DNS misconfiguration? Can I check this some way?
My workplace is a very mixed up one. We have sites all around the country, some of which are members of the domain and some which are not, mainly due to political reasons. We also look after a number of other sites which we support but don't / can't administrate.
Basically I need to be able to allow everyone access to the Internet through the proxy server.
I thought that if I allowed the Workgroup Sites access by IP address I could very easily administer them that way and so control them. Also, in a lot of the workgroup sites, a lot of people use the same username and password.
In the domain, everyone is authenticated anyway by using the domain account and so I can control them.
The problem I had was that the people in the workgroup sites were having to wait a very long time before they were even asked to authenticate; I thought I could clear this all up by using IP addresses.
What I was hoping to achieve was to authenticate by using IP addresses in the remote sites that were not part of the domain, while those people in the domain would authenticate by their usual domain accounts. That way I could easily enough administer both (I hope).
What I don't want is anybody who plugs into the network to have internet access without having to get permission first.
I hope this clears things up a bit.
Do you think that this is a good way to go about it? Or am I completely going about it the wrong way?
As long as you do not have anonymous users or all users in your rules, unchecking the ask unauthenticated users for authentication should not create a security hole. I would suggest, for the rules that allow all of your domain users out, use the authenticated users group instead of all users or anonymous users. This would make the following true:
1. Anyone on a machine that has rules based on IP address will be allowed/denied that access.
2. Anyone not covered by the IP addresses would have to authenticate based on there being no anonymous rules.

If you require the use of all users or anonymous users, then anyone who "plugs into your network" will fall under those rules.
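
The outcome described in the reply above can be checked against a rule list before it goes live. The following is an added illustration, not code from the thread and not ISA Server's own rule engine: a simplified allow-only model in which the `Rule` type, the `decide` and `open_rules` helpers, and the 192.0.2.0/24 sample range are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: str                 # "client_set", "authenticated_users" or "any_request"
    network: Optional[str] = None   # CIDR range, used only by "client_set" rules

def decide(rules, client_ip, authenticated_user=None):
    """Return (outcome, matching_rule_name) for one request in this simplified model."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.applies_to == "any_request":
            # An all users / anonymous style rule admits anyone who plugs in.
            return ("allow", rule.name)
        if rule.applies_to == "client_set" and ip in ipaddress.ip_network(rule.network):
            return ("allow", rule.name)
        if rule.applies_to == "authenticated_users" and authenticated_user:
            return ("allow", rule.name)
    # No rule matched: if a user-based rule exists, the client must identify itself.
    if authenticated_user is None and any(r.applies_to == "authenticated_users" for r in rules):
        return ("authenticate", None)
    return ("deny", None)

def open_rules(rules):
    """Names of rules that would give access to unidentified machines."""
    return [r.name for r in rules if r.applies_to == "any_request"]

# Constructed sample policy: one workgroup site by address range, domain users by account.
POLICY = [
    Rule("Workgroup sites", "client_set", "192.0.2.0/24"),
    Rule("Domain users", "authenticated_users"),
]
# The same policy with an "everyone" rule added, the case the reply warns about.
LOOSE_POLICY = POLICY + [Rule("Everyone", "any_request")]

if __name__ == "__main__":
    for label, policy in (("policy", POLICY), ("loose policy", LOOSE_POLICY)):
        print(label, "open rules:", open_rules(policy))
        for ip, user in (("192.0.2.17", None), ("198.51.100.9", None),
                         ("198.51.100.9", "DOMAIN\\alice")):
            print("  ", ip, user, "->", decide(policy, ip, user))
```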