Welcome to ISAserver.org

Client Connection to ISA

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> Firewall Client >> Client Connection to ISA

Page: [1]

Message

<< Older Topic Newer Topic >>

Client Connection to ISA - 6.Dec.2007 4:15:28 PM

seantk421

Posts: 8
Joined: 6.Dec.2007
Status: offline

Hi everyone,

I need some help. I recently set up a isa server on my domain which has an http proxy for other computers on my domain who point there browser to the isa server. However, I am looking for a way to have each user install the firewall client on there computer and only make it so that the ones who have installed the firewall client can get through the proxy and onto the internet. Is this possible?

Thanks for any help.

Post #: 1

Featured Links*

RE: Client Connection to ISA - 7.Dec.2007 3:36:04 AM

elmajdal

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Sure.

Require authentication on your outbound rules.

Then any users that is not included in the rule, will not be authentication , hence will not be allowed to get outbound access.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to seantk421)

Post #: 2

RE: Client Connection to ISA - 7.Dec.2007 8:05:43 AM

seantk421

Posts: 8
Joined: 6.Dec.2007
Status: offline

Thanks for the help. Quick question though, I already tried setting the proxy settings to only allow authenticated users, but that seems to allow most everybody. Is it possible that I am not setting this correctly, right now I have set up two policies telling the firewall to allow http and https access to authenticated users. Is there another way to set up authenticated users as only those with the firewall client installed?

Thanks!

(in reply to elmajdal)

Post #: 3

RE: Client Connection to ISA - 7.Dec.2007 9:02:51 AM

elmajdal

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Why not then authenticate users/ groups from Active Directory.

If you do not wish to authenticate everyone, then do not use the all authenticated users, instead replace it with users from AD

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to seantk421)

Post #: 4

RE: Client Connection to ISA - 7.Dec.2007 9:09:02 AM

seantk421

Posts: 8
Joined: 6.Dec.2007
Status: offline

So then will the windows firewall client just send the credentials to the isa server allowing them to connect through the isaserver. Also, will i still need to point each persons browser to the isa server or will the firewall client take care of this. As you can tell im new at this so thanks for all the help.

(in reply to elmajdal)

Post #: 5

RE: Client Connection to ISA - 7.Dec.2007 11:07:45 AM

elmajdal

Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Yes the Firewall Client will take care of setting up the proxy.

and Yes you can deploy the Firewall Client to your your machines, but only those users who you specify in your outbound rules will be able to have internet access.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to seantk421)

Post #: 6

RE: Client Connection to ISA - 7.Dec.2007 2:10:52 PM

seantk421

Posts: 8
Joined: 6.Dec.2007
Status: offline

but there is no way to set it up to allow just the computers running the firewall client to be allowed through the proxy?

(in reply to elmajdal)

Post #: 7

RE: Client Connection to ISA - 19.Dec.2007 9:59:37 AM

abqtech

Posts: 216
Joined: 9.Mar.2004
Status: offline

You can force user authentication, as already mentioned, or if you know the IP address of computers that have the firewall client you could create a rule in ISA that includes those IP Addresses access to http and https and control it that way.

(in reply to seantk421)

Post #: 8

RE: Client Connection to ISA - 19.Dec.2007 12:35:21 PM

Jason Jones

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

quote:

ORIGINAL: seantk421

Hi everyone,

I need some help. I recently set up a isa server on my domain which has an http proxy for other computers on my domain who point there browser to the isa server. However, I am looking for a way to have each user install the firewall client on there computer and only make it so that the ones who have installed the firewall client can get through the proxy and onto the internet. Is this possible?

Thanks for any help.

The firewall client is primarily meant for non-web access to the Internet. In order to access web protocols you would normally use the web proxy client (e.g. configure IE to use a proxy).

From what I understand, you want to block web proxy clients but allow firewall clients - is this correct?

Why not just use authenticed rules with a specific group (as stated) as only define a small number of users (who are allowed to access the internet) for this rule? This way you do not even need the firewall client unless people need access to non-web protocols.

The only possible answer I can think of it to create new protocols using ports 80 and 443 and make sure they are not bound to the web proxy filter - this way ISA should treat these protocols as non-web protocols and allow you to define them in rules which will only apply to firewall clients...I think....

I have used this methid before to access external Citrix servers which use CitrixICA over port 80 and hence ISA sees it an invalid use of HTTP.

Does this help or have we all missed something?

Cheers

JJ

< Message edited by Jason Jones -- 19.Dec.2007 12:44:39 PM >

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to seantk421)

Post #: 9