Welcome to ISAserver.org
Computer set by name
Computer set by name - 21.Nov.2006 12:40:58 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
Hi,

I manage a large network of ~450 computers, split into rooms. The computer names are set in a standard such as [Room name]-[computer number]. We recently moved over to using DHCP over static IPs (the network expanded rapidly, and static IPs were becoming a nightmare to manage).

The problem is, the ISA server had computer sets based on the static IPs of computers in different rooms, so there was a set of computers for each room. This allowed us to control internet access for each room independently. Now we have moved to DHCP, the IPs are no longer specific to rooms, so this technique can no longer be used.

Is there any way to get ISA to recognise a computer based on its name, instead of its IP address, or even for DHCP to issue specific IPs based on the computer name? I have looked into user/vendor classes, but I think they can only be used to configure scope options, and not the IP that is assigned.

If anyone could offer any suggestions I would be extremely grateful.

Thanks a lot,
Rob
< Message edited by robgolding63 -- 21.Nov.2006 1:19:42 PM >
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 7:55:47 AM
simonhill
Posts: 21
Joined: 1.Mar.2005
From: UK
Status: offline
Hi,

Off the top of my head I can think of two ways to achieve this (I'm sure there are others):

1. Split your network into VLANs, one per room or group of rooms, and have a different DHCP scope for each VLAN. (Depends how many rooms you have; more than 20 would be tiresome!)
2. Static reservations within DHCP for each PC. (Time consuming to set up, but still easier than manually configuring IPs on PCs; could be scripted to some degree.)

Hope this helps,
Simon.

RE: Computer set by name - 24.Nov.2006 8:22:57 AM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
OK, I think I may go down the reservation route, even though it might take some time to set up. If you can point me in the right direction on any possible ways there are to script this process, that would save me lots of time!!!

Thanks a lot for the reply,
Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 9:33:05 AM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Why don't you just control your machines by authenticating users? Set your machines as web proxy and/or firewall clients.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 10:52:34 AM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
They are authenticating users, all the machines are firewall clients. What are you suggesting?

Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 12:53:02 PM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
They are authenticating users, all the machines are firewall clients

Then great. Create your access rules and authenticate users or groups. Like:

Allow > Protocols > From Internal > To External > Room1_Group

where Room1_Group is an Active Directory group containing all the users from Room # 1.

If you don't want all users in Room 1 to surf everything, then:

Allow > Protocols > From Internal > To Room1_DNSet > Room1_Group

where Room1_DNSet is a Domain Name Set containing all the domain names you want your Room1_Group users to be able to access only, and so on.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 12:56:28 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
Oh I see, problem is the users all move around (it's a school). So the users and rooms aren't really linked at all. Can you authenticate the computer name in ISA, rather than the username? Just a thought.

Thanks for the suggestion,
Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 1:06:18 PM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
What do you want to accomplish? Are you going to have different access groups for different students? Or are all the students going to have the same access rule and the staff are going to have their own access rule?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 1:14:36 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
The rooms are what need to be affected by these rules, not the students. For example, the teachers could turn off internet access to a particular room, because the computers all used to have static IPs. The students can log in to any room, so I need it to apply to the computers, not the user accounts.

I have been looking into DHCP reservations and I think I have a working script that will use a CSV file to insert reservations in bulk.

Thanks for the help,
Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 1:26:42 PM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
If that's the case, then yes, you need to create multiple Computer Sets and define the IP of each machine in a specific room, and then create an access rule for each of these Computer Sets. Ex.:

Allow > Protocols > From Room1_Computer_Set > To External > Users
Allow > Protocols > From Room2_Computer_Set > To External > Users
. . .
Allow > Protocols > From RoomN_Computer_Set > To External > Users
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 1:28:39 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
OK well, we already have the rules in place, the problem is when we moved over to DHCP all the IPs got jumbled up, and, as you can probably imagine, it became a nightmare! I have a temporary global allow rule in place at the moment, just to keep everyone happy!

I'll get testing this script, and I'll try it on just one room of computers first!

Thanks for the help,
Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site

RE: Computer set by name - 24.Nov.2006 1:36:13 PM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
For example, the teachers could turn off internet access to a particular room

How do the teachers do this? They call you and you block a specific rule, right?

I believe there is also a script to populate the Computer Set; I will look for it, and once I find it I will post the script URL so that you can download it. This will make your life easier (for the ISA part).
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 1:39:06 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
There is a 3rd party software that edits the XML config file for ISA, so that rules get enabled or disabled as per the teachers' request. It's not too pretty but it works (I did not set it up, I've just been landed with making sure it works).

Anyway, the computer sets are already populated from before. I'll just export the DHCP leases to a CSV file, sort the records in Excel, edit the IPs to match what they were before (won't take too long in Excel), then use the script to stick 'em all in as reservations! Next time the PCs are restarted, it'll start working. I hope so anyway!

Thanks again,
Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site
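
The bulk-reservation step described in the post above, as an added example that is not part of the thread and is not the script Rob mentions: it validates an edited lease export before turning it into `netsh dhcp server ... add reservedip` commands, because a row with the wrong IP silently places a machine in another room's Computer Set and therefore under another room's access rule. The CSV columns, the per-room address ranges, the server name `\\DHCP01` and the scope `10.0.0.0` are constructed placeholders.

```python
import csv, io, ipaddress, re
# Constructed sample export (not from the thread); names follow [Room name]-[computer number].
LEASES_CSV = """name,mac,ip
LAB1-01,00-11-22-33-44-01,10.0.1.11
LAB2-01,001122334403,10.0.1.13
LAB2-02,00:11:22:33:44:04,10.0.2.12
LAB2-03,00-11-22-33-44-04,10.0.2.13
office-pc,00-11-22-33-44-05,10.0.2.14
"""
# Hypothetical plan: the address range each room's ISA Computer Set covers.
ROOM_RANGES = {"LAB1": ("10.0.1.10", "10.0.1.40"), "LAB2": ("10.0.2.10", "10.0.2.40")}
DHCP_SERVER, SCOPE = r"\\DHCP01", "10.0.0.0"  # placeholders for the real server and scope
NAME_RE = re.compile(r"^([A-Za-z0-9]+)-(\d+)$")

def reject_reason(name, mac, ip_text, room_ranges, seen):  # None means the row is acceptable
    m = NAME_RE.match(name)
    room = m.group(1).upper() if m else None
    if room not in room_ranges:
        return "name does not map to a known room"
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        return "malformed MAC"
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return "malformed IP"
    low, high = map(ipaddress.IPv4Address, room_ranges[room])
    if not low <= ip <= high:  # would land the PC in another room's Computer Set
        return "IP outside the room's Computer Set range"
    if mac in seen or str(ip) in seen:  # two reservations cannot share a MAC or an IP
        return "duplicate MAC or IP"

def build_reservations(csv_text, room_ranges):
    """Return (netsh_commands, rejected_rows) for a lease export."""
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, ip = row["name"].strip(), row["ip"].strip()
        mac = re.sub(r"[-:.]", "", row["mac"]).lower()  # netsh takes 12 hex digits
        reason = reject_reason(name, mac, ip, room_ranges, seen)
        if reason:
            rejected.append((name, reason))
            continue
        seen.update({mac, ip})
        room = name.split("-")[0].upper()  # stored as the reservation comment
        commands.append(f'netsh dhcp server {DHCP_SERVER} scope {SCOPE} '
                        f'add reservedip {ip} {mac} {name} "{room}" BOTH')
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_reservations(LEASES_CSV, ROOM_RANGES)
    print("\n".join(cmds + [f"REJECTED {n}: {why}" for n, why in bad]))
```

Rejected rows are reported rather than written, so the Computer Sets and the reservations stay consistent; review the generated commands before running them on the DHCP server.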

RE: Computer set by name - 24.Nov.2006 1:43:24 PM
elmajdal
Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
There is a 3rd party software that edits the XML config file for ISA, so that rules get enabled or disabled as per the teachers' request. It's not too pretty but it works (i did not set it up, i've just been landed with making sure it works).

This is the website for the scripts: http://www.isascripts.org/

You can use this script to enable or disable any rule:

ISA_Enable-Disable_Rule.vbs
Enable/disable firewall rules from the command line.

And if you ever need to repopulate your Computer Set, on the same website I mentioned above, you can use:

ISA_Fill_Computer_Set_Computers.vbs
Create or update a Computer Set with computer objects obtained from a text file containing hostnames and their IP addresses.

Good luck!
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: Computer set by name - 24.Nov.2006 1:46:27 PM
robgolding63
Posts: 29
Joined: 3.Jun.2006
Status: offline
OK, thanks for all your help, we'll see in a few days whether the reservation plan has worked or not!

Rob
_____________________________
Rob Golding - http://maxms.net - Windows Server/Exchange Resource Site