ISA 2000 Access Policy

ISA 2000 Access Policy - 29.Jan.2008 3:58:45 PM   
devlin7

 

Posts: 3
Joined: 19.Oct.2004
Status: offline
Hi,

We have been running ISA 2000 for 4 or 5 years now. It is currently running on a Windows 2003 R2 machine which happens to be one of the "domain controllers".
We have just implemented some software which tracks and charges printing and internet usage. The internet usage is handled quite simply. If the users have money they are members of an internet users group. When their funds run out, they are removed from this group. In ISA 2000, I have an access policy that allows users out if they are members of this group. This all seems to work except for the fact that ISA doesn't seem to refresh or look at members of the group any other time other than startup. If a user has money when ISA starts they can access the net and if they don't they can't. When the user runs out of funds they are removed from the group but ISA 2000 doesn't seem to recognise this, also if they have no funds when ISA 2000 starts they can't surf, even if they top up their account.

The software provider suggested using a local group but ISA 2000 doesn't seem to recognise local groups. Is there any way I can schedule regular refreshes of the access policy?

< Message edited by devlin7 -- 29.Jan.2008 4:00:15 PM >
Post #: 1
RE: ISA 2000 Access Policy - 6.Feb.2008 12:04:19 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Hmmn.. interesting. Guess this is for a school/education type environment?

Sure, on the O/S you can create a domain local group (either security or distribution) as well as Global groups but ISA 2000 seems to only see the 'global' groups for application of 'applies to'. I'd never encountered this as I've always used global groups (or legacy NT4 global groups).
The old saying was AGLP meaning Accounts go into Global groups, which can go into Local groups, which are used for the applying of Permissions. But the ISA can't use local groups for the permissions aspect.

Past experience has indicated that changing a user's permissions in the domain/AD really only takes effect at login with the exception of account disabled or must change password which can lead to 'instant' removal of access.

Is it important this can happen 'at any time' during the day or is at login sufficient?
I can't see a way to do this 'on the fly' during the day without a logout/login.
Check out this article which is somewhat related to the reasoning behind this. Just apply the 'folder permissions' to 'internet permissions'  - http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_22748237.html
Even if you're not an Experts Exchange member, you can still view responses down below the 'Exchange Zones' table. Take note of the reference to changing Kerberos keys, which are applied at login. They do talk about 15 minute intervals so maybe it will work "after a while" adding/removing a user from the group.

Hope this is of some help.


_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to devlin7)
Post #: 2
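
The behaviour discussed in the first two posts, as an added example that is not part of the original thread and is not ISA Server code: a simplified model in which group membership is copied into the session once at logon, so a later change in the directory is not seen until the user logs on again. The group name `InternetUsers`, the account names and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for the domain: group name -> set of member accounts."""
    groups: dict = field(default_factory=dict)

    def add(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def remove(self, group, user):
        self.groups.get(group, set()).discard(user)

    def groups_of(self, user):
        return frozenset(g for g, m in self.groups.items() if user in m)


@dataclass(frozen=True)
class Session:
    """A logon session: the group list is a snapshot taken at logon."""
    user: str
    groups: frozenset


def logon(directory, user):
    return Session(user, directory.groups_of(user))


def allowed(session, required_group):
    # The decision uses the snapshot in the session, not the live directory.
    return required_group in session.groups


def stale_sessions(directory, sessions, required_group):
    """Users whose cached decision disagrees with the directory right now."""
    return [s.user for s in sessions
            if allowed(s, required_group)
            != (required_group in directory.groups_of(s.user))]


def demo():
    d = Directory()
    d.add("InternetUsers", "alice")              # alice has funds at logon
    alice, bob = logon(d, "alice"), logon(d, "bob")
    d.remove("InternetUsers", "alice")           # funds run out mid-session
    d.add("InternetUsers", "bob")                # bob tops up mid-session
    before = (allowed(alice, "InternetUsers"), allowed(bob, "InternetUsers"))
    stale = stale_sessions(d, [alice, bob], "InternetUsers")
    alice, bob = logon(d, "alice"), logon(d, "bob")   # fresh logon, new snapshot
    after = (allowed(alice, "InternetUsers"), allowed(bob, "InternetUsers"))
    return before, stale, after
```

`stale_sessions` is the check an administrator would want in practice: it lists the accounts whose current access no longer matches the group membership that the billing software has set.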
RE: ISA 2000 Access Policy - 18.Mar.2008 11:01:48 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
I don't think it is quite related to the question in the starting post, but I wanted to ask it here if possible.

e.g. I have 100 users & want to separate them into Internet & Email users.

Is it possible to make 2-3 policies & allow them in sets of IPs to use Internet & email & another to use just email sending/receiving only?

I have a policy to allow all for everything & another for internet & email. It works.

Now I want to make another policy to allow some IPs email sending/receiving only.

Is it possible?

I tried with user IPs [e.g. 5-10 & 100-150 email only] but it didn't work.

Any smarter way to create a rule or access policy in ISA 2000?






(in reply to AHIT)
Post #: 3
RE: ISA 2000 Access Policy - 19.Mar.2008 7:01:25 PM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
First up, what sort of clients are these machines?
ie: WebProxy, SecureNAT, firewall client.

If webproxy you can control their destination within the browser.
If Firewall clients you can control what apps (as far as what protocols) are used and who can use them.
If they're SecureNAT, you can do bugger all because you can't identify the userID nor can packet filter rules be applied to internal IPs.



(in reply to Budmaas)
Post #: 4
RE: ISA 2000 Access Policy - 20.Mar.2008 6:56:14 AM   
Budmaas

 

Posts: 48
Joined: 7.Oct.2007
Status: offline
quote:

ORIGINAL: AHIT

First up, what sort of clients are these machines?
ie: WebProxy, SecureNAT, firewall client.

If webproxy you can control their destination within the browser.

If Firewall clients you can control what apps (as far as what protocols) are used and who can use them.
If they're SecureNAT, you can do bugger all because you can't identify the userID nor can packet filter rules be applied to internal IPs.



I was thinking to try the CONTENT ADVISOR option that is in Internet Explorer but in this case, what if a user is using Firebox browser?

another
ISA 2000 gives some limited facility to make policies for groupwise application use or protocol & destination IP set.

This works but ISA 2000 is not good enough.

Planning for upgrade to Win 2003 server & ISA 2006. By this I can use web monitor for more reporting & to monitor a user's activity.
What is your take?

what

(in reply to AHIT)
Post #: 5
RE: ISA 2000 Access Policy - 25.Mar.2008 12:06:59 AM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
If starting out now then definitely worth looking at using ISA2006 (or even upgrading to that version if using ISA2000 or 2004)

These articles may be of benefit:
http://www.isaserver.org/tutorials/Preventing_SecureNAT_and_Firewall_Clients_from_Bypassing_the_Web_Proxy_Service_andHow_to_Give_Yourself_a_Headache_with_the_HT.html
http://www.isaserver.org/tutorials/Configuring-WPAD-Support-ISA-Firewall-Web-Proxy-Firewall-Clients.html
http://support.microsoft.com/kb/838122 - How to deploy the ISA Server 2004 Firewall Client program


(in reply to Budmaas)
Post #: 6
