Welcome to ISAserver.org
Integration with active directory
Integration with active directory - 7.Aug.2008 7:56:06 PM
|
|
|
sqlcoder
Posts: 7
Joined: 7.Aug.2008
Status: offline
|
I have searched the forums and Google but see no clear answer to how ISA 2006 integrates with AD. I just installed the ISA and joined it to my domain. I tried to define a firewall rule to be applied to an AD users group but it seems to have no effect. Any idea how to make ISA Server authenticate against the AD infrastructure? Thanks in advance.
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 7:56:19 AM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, did you install ISA and then join the machine to the domain? It's better to remove ISA and first join the computer to the domain, then install ISA Server. This way, when you're installing ISA, it will enable the appropriate system rules to communicate with your DC. Regards, Paulo Oliveira.
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 1:42:14 PM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, how's your ISA's NIC configured? Is your internal DNS forwarding the requests? Regards, Paulo Oliveira.
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 2:59:08 PM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, remove the DNS of your External NIC. It must not contain any DNS on it! Regards, Paulo Oliveira.
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 3:13:05 PM
|
|
|
sqlcoder
Posts: 7
Joined: 7.Aug.2008
Status: offline
|
Hi, thanks, that seems to enable web access for the client, but it still gets anonymous as the client user name. Any idea how to track the user to the currently logged-on Windows user? NOTE: I think I ran too fast to write the response; the FW does not work if I remove the all users group. Thanks
< Message edited by sqlcoder -- 8.Aug.2008 3:17:25 PM >
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 4:10:35 PM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, what do you mean by "...the FW does not work if I remove the all users group."? What type of client are you using? Regards, Paulo Oliveira.
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 4:54:32 PM
|
|
|
sqlcoder
Posts: 7
Joined: 7.Aug.2008
Status: offline
|
Hi, by FW I mean the firewall policy. If I just leave the AD web users group, as detailed in the pict, the client does not access the internet; if I add the all users group, then the client can connect to the internet. The client is a Windows XP machine joined to the domain and the browsers are Internet Explorer 6 and Firefox 3.
< Message edited by sqlcoder -- 8.Aug.2008 5:08:20 PM >
|
|
|
|
RE: Integration with active directory - 8.Aug.2008 5:42:10 PM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, sorry if I was not specific, but when I said clients, I meant SecureNAT, web proxy and Firewall clients. I think you're using SecureNAT clients, since only all users can access the internet. Please configure your browser to point to ISA's internal NIC on port 8080 (internal_ISAIP:8080). Note: All users means authenticated and unauthenticated users (anonymous). Only web proxy and FW clients can authenticate. Regards, Paulo Oliveira.
|
|
|
|
RE: Integration with active directory - 9.Aug.2008 10:30:27 AM
|
|
|
sqlcoder
Posts: 7
Joined: 7.Aug.2008
Status: offline
|
Hi Paulo, thanks for all the help and your patience with me. The need I have is this: there are a few users that need internet access, and among those few there is a segment that also uses chat and other stuff (the "executives"), so I need to limit the access to 3 main groups:
1. Executives (full internet access)
2. Professionals (limited and time-based internet access, no chat)
3. Users (zero access to internet).
Also I need to report how the named users are using the internet, time and sites they browse and so on. If ISA can handle this and you can help point me in the right direction; I might be doing something wrong. You said a FW client: do I have to install other software on client machines? Thanks in advance.
|
|
|
|
RE: Integration with active directory - 11.Aug.2008 8:25:23 AM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, there are three types of ISA clients:
SecureNAT: have the ISA's internal IP address configured as their GW. Can't authenticate with ISA.
Webproxy: have the ISA's internal IP address configured in their browser. Can authenticate with ISA.
Firewall: must install a client sw located on ISA's installation CD (<cd-rom>:\FPC\setup.exe). Can authenticate with ISA.
As you are an ISA newbie and want to use the great authentication feature, I recommend using webproxy clients. To do that you must configure your clients' browser (i.e. Internet Explorer) to point to ISA's internal NIC (i.e. 192.168.2.1:8080). More info about ISA clients you can find here:
A different look at the ISA Clients
Internal Client Concepts in ISA Server 2006
Regards, Paulo Oliveira.
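The reporting need raised in this thread (named users rather than "anonymous"), as an added example that is not part of any post and not ISA's own tooling: a parser for a proxy log in W3C extended format that totals traffic per authenticated user and lists client IPs that never authenticate, which is how SecureNAT clients appear. The sample log, its field selection and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the thread) in W3C extended layout: tab-separated
# records under a "#Fields:" directive. The field subset is an assumption; the
# parser uses whatever names the directive lists.
SAMPLE_LOG = "\n".join([
    "#Date: 2008-08-08 15:00:00",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tsc-bytes",
    "192.168.2.10\tanonymous\t2008-08-08\t15:01:10\texample.com\t5120",
    "192.168.2.10\tanonymous\t2008-08-08\t15:01:12\texample.net\t900",
    "192.168.2.11\tanonymous\t2008-08-08\t15:02:00\texample.org\t0",
    "192.168.2.11\tCORP\\alice\t2008-08-08\t15:02:01\texample.org\t2048",
    "192.168.2.11\tCORP\\alice\t2008-08-08\t15:03:30\texample.com\t1024",
    "192.168.2.12\tCORP\\bob\t2008-08-08\t15:04:00\texample.org\t300",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def usage_report(records):
    """Return (per-user stats, client IPs that only ever appear as anonymous)."""
    users = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    seen_auth, seen_anon = set(), set()
    for r in records:
        name = r["cs-username"].lower()
        if name in ("anonymous", "-", ""):
            # An authenticating browser's first request is also unauthenticated
            # until the proxy challenges it, so one anonymous hit proves nothing.
            seen_anon.add(r["c-ip"])
            continue
        seen_auth.add(r["c-ip"])
        stats = users[name]
        stats["requests"] += 1
        stats["bytes"] += int(r["sc-bytes"]) if r["sc-bytes"].isdigit() else 0
        stats["hosts"].add(r["r-host"])
    return dict(users), seen_anon - seen_auth

if __name__ == "__main__":
    per_user, never_authenticated = usage_report(parse_w3c(SAMPLE_LOG))
    for name, stats in sorted(per_user.items()):
        print(name, stats["requests"], stats["bytes"], sorted(stats["hosts"]))
    print("never authenticated:", sorted(never_authenticated))
```

Clients listed as never authenticated are the ones to move to web proxy or Firewall client configuration before restricting a rule to an AD group.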
|
|
|
|
RE: Integration with active directory - 21.Aug.2008 7:16:42 PM
|
|
|
sqlcoder
Posts: 7
Joined: 7.Aug.2008
Status: offline
|
Can the client be Mozilla Firefox?
|
|
|
|
RE: Integration with active directory - 22.Aug.2008 2:29:19 PM
|
|
|
paulo.oliveira
Posts: 792
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
|
Hi, Yes! Regards, Paulo Oliveira.
|
|
|
|