Welcome to ISAserver.org

Blocking Internet Access?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> Access Policies >> Blocking Internet Access?

Page: [1]

Message

<< Older Topic Newer Topic >>

Blocking Internet Access? - 11.Oct.2006 12:54:43 PM

dkraut

Posts: 3
Joined: 11.Oct.2006
From: Atlanta, GA
Status: offline

This has got to be easy to do but I'm not finding straight forward info on how to accomplish. We want to use ISA 2006 to block all users from accessing the Internet by default, while allowing a specified group full access to the Internet. The ISA server will sit on the Internal net in front of a Netscreen 25 so we do not need firewall functionality, only the ability to filter who can access the Internet.
All clients are Windows XP.

Thoughts? Thanks!

Post #: 1

Featured Links*

RE: Blocking Internet Access? - 11.Oct.2006 3:26:57 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi dkraut,

if you don't use the ISA server as a full blown firewall and therefore don't force all the traffic through the ISA box, how would you think that ISA can control that traffic?

Therefore, use ISA as a full blown firewall and what you wan't to accomplish is easily done.

HTH,
Stefaan

(in reply to dkraut)

Post #: 2

RE: Blocking Internet Access? - 11.Oct.2006 4:08:47 PM

dkraut

Posts: 3
Joined: 11.Oct.2006
From: Atlanta, GA
Status: offline

Hi Stefaan,

Semantics I suppose... To clarify, all traffic will flow from the internal network through the Internal interface and out the external interface of our ISA server. The ISA external interface will then default to our Netscreen and then out to the Internet.

I just meant that I was not concerned about the firewall capabilities of ISA and only want to limit who can access the Internet via HTTP / HTTPS. Is this easily done?

Cheers!

(in reply to spouseele)

Post #: 3

RE: Blocking Internet Access? - 11.Oct.2006 4:25:13 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi dkraut,

if you force all traffic to flow through the ISA server, than you have no other choice than using ISA as a full blown firewall. That means ISA has to handle also all none HTTP/HTTPS traffic, if you like it or not!

BTW --- remember that both NICs bust be on different Network IDs (subnets).

HTH,
Stefaan

(in reply to dkraut)

Post #: 4

RE: Blocking Internet Access? - 19.Oct.2006 1:37:26 PM

CSDAdmin

Posts: 19
Joined: 19.Oct.2006
Status: offline

Would a domain policy forcing all IE clients to ISA, having that traffic leave on another port, and blocking 80 out on firewall work for you?

(in reply to spouseele)

Post #: 5

RE: Blocking Internet Access? - 24.Oct.2006 11:02:00 AM

itadmin

Posts: 30
Joined: 21.Jul.2006
Status: offline

Will the ISA be seen as the gateway to these clients? If the clients are going through ISA as their gateway, you could just use a coupe of rules. The default rule on ISA drops all traffic. Just create a rule that allows certain AD groups to get out to the internet. You can then create specific allow lists for those groups based on need.

If all traffic isn't forced through the ISA and they have another way out, this may not work.

(in reply to CSDAdmin)

Post #: 6