
Welcome to ISAserver.org


Integration with active directory

Integration with active directory - 7.Aug.2008 7:56:06 PM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
I have searched the forums and Google but see no clear answer on how ISA 2006 integrates with AD. I just installed ISA and joined it to my domain. I tried to define a firewall rule to be applied to an AD users group, but it seems to have no effect.

Any idea how to make ISA Server authenticate against the AD infrastructure?

Thanks in advance
Post #: 1
RE: Integration with active directory - 8.Aug.2008 7:56:19 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Did you install ISA and then join the machine to the domain?
It's better to remove ISA, first join the computer to the domain, and then install ISA Server, because this way, when you're installing ISA, it will enable the appropriate system rules to communicate with your DC.

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 2
RE: Integration with active directory - 8.Aug.2008 11:56:21 AM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Hi Paulo,

I installed the server, then joined it to the domain, and then installed ISA Server. I created a group in AD called webacces and put some users there to test. On ISA I created a FW rule for web browsing and set it to that group.

With this rule applied, the users inside the group cannot access the Internet.
[img=http://img227.imageshack.us/img227/1508/fwrulesq3.th.jpg]

Here is the group definition that points to the webacces group in the domain.
[img=http://img141.imageshack.us/img141/8695/groupdefek8.th.jpg]

I have to put all users in the FW rule, and that way it does work, but for all users, and I need to allow access just to certain users.

(in reply to paulo.oliveira)
Post #: 3
RE: Integration with active directory - 8.Aug.2008 1:42:14 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

How is your ISA's NIC configured? Is your internal DNS forwarding the requests?

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 4
RE: Integration with active directory - 8.Aug.2008 2:19:12 PM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Hi,

Here is how the NICs are configured on the ISA server:

[img=http://img228.imageshack.us/img228/4940/nicswq6.th.jpg]

(in reply to paulo.oliveira)
Post #: 5
RE: Integration with active directory - 8.Aug.2008 2:59:08 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Remove the DNS from your external NIC. It must not contain any DNS on it!

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 6
RE: Integration with active directory - 8.Aug.2008 3:13:05 PM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Hi,

Thanks, that seems to enable web access for the client, but it still shows anonymous as the client user name. Any idea how to track the user as the currently logged-on Windows user?

NOTE: I think I ran too fast to write the response; the FW does not work if I remove the all users group.


Thanks

< Message edited by sqlcoder -- 8.Aug.2008 3:17:25 PM >

(in reply to paulo.oliveira)
Post #: 7
RE: Integration with active directory - 8.Aug.2008 4:10:35 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

What do you mean by "...the FW does not work if I remove the all users group."?
What type of client are you using?

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 8
RE: Integration with active directory - 8.Aug.2008 4:54:32 PM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Hi,

By FW I mean the firewall policy. If I leave just the AD web users group, as detailed in the picture, the client does not access the Internet; if I add the all users group, then the client can connect to the Internet.

The client is a Windows XP machine joined to the domain, and the browsers are Internet Explorer 6 and Firefox 3.

< Message edited by sqlcoder -- 8.Aug.2008 5:08:20 PM >

(in reply to paulo.oliveira)
Post #: 9
RE: Integration with active directory - 8.Aug.2008 5:42:10 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Sorry if I was not specific, but when I said clients, I meant SecureNAT, Web Proxy, and Firewall clients.

I think you're using SecureNAT clients, since only All Users can access the Internet. Please configure your browser to point to ISA's internal NIC on port 8080 (internal_ISAIP:8080).

Note: All Users means authenticated and unauthenticated (anonymous) users. Only Web Proxy and Firewall clients can authenticate.

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 10
RE: Integration with active directory - 9.Aug.2008 10:30:27 AM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Hi Paulo, thanks for all the help and your patience with me.

The need I have is this: there are a few users that need Internet access, and among those few there is a segment that also uses chat and other stuff (the "executives"), so I need to limit access to 3 main groups:
1. Executives (full internet access)
2. Professionals (limited and time based internet access, no chat)
3. Users (zero access to internet).

Also I need to report how the named users are using the Internet: time, the sites they browse, and so on.

If ISA can handle this, can you help point me in the right direction? I might be doing something wrong. You said a FW client: do I have to install other software on the client machines?

Thanks in advance.

(in reply to paulo.oliveira)
Post #: 11
RE: Integration with active directory - 11.Aug.2008 8:25:23 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

There are three types of ISA clients:
SecureNAT: have the ISA's internal IP address configured as their GW. Can't authenticate with ISA.
Web Proxy: have the ISA's internal IP address configured in their browser. Can authenticate with ISA.
Firewall: must install client software located on ISA's installation CD (<cd-rom>:\FPC\setup.exe). Can authenticate with ISA.

As you are an ISA newbie and want to use the great authentication feature, I recommend using Web Proxy clients. To do that you must configure your clients' browser (i.e. Internet Explorer) to point to ISA's internal NIC (i.e. 192.168.2.1:8080).

More info about ISA clients you can find here:
A different look at the ISA Clients
Internal Client Concepts in ISA Server 2006

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 12
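An added example, not part of the original thread and not ISA code: a simplified Python model of the matching described above, showing why a rule scoped to an AD group never applies to a SecureNAT client while a rule scoped to All Users does. The group names come from post #11; the user names, the rule names, the 12:00-14:00 schedule and the first-match evaluation are assumptions, and protocol restrictions such as "no chat" are not modelled.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

ALL_USERS = "All Users"  # per the thread: authenticated and anonymous users
# Per the thread: only Web Proxy and Firewall clients can authenticate.
CAN_AUTHENTICATE = {"securenat": False, "webproxy": True, "firewall": True}

@dataclass
class Rule:
    name: str
    user_set: str                              # ALL_USERS or an AD group name
    hours: Optional[Tuple[time, time]] = None  # schedule; None means always

@dataclass
class Request:
    client_type: str  # "securenat", "webproxy" or "firewall"
    user: str         # Windows logon name of the person at the keyboard
    at: time

# Constructed sample data: group membership and an ordered allow policy.
GROUPS = {"Executives": {"alice"}, "Professionals": {"bob"}, "Users": {"carol"}}
POLICY = [
    Rule("Executives web", "Executives"),
    Rule("Professionals web", "Professionals", (time(12, 0), time(14, 0))),
]

def evaluate(rules, groups, req):
    """Return (action, matching rule name); anything unmatched is denied."""
    # A SecureNAT client presents no credentials, so the firewall only
    # ever sees it as anonymous, whoever is logged on to the workstation.
    identity = req.user if CAN_AUTHENTICATE[req.client_type] else None
    for rule in rules:  # ordered, first match wins
        if rule.hours and not (rule.hours[0] <= req.at < rule.hours[1]):
            continue
        if rule.user_set == ALL_USERS:
            return ("allow", rule.name)  # matches anonymous traffic too
        if identity and identity in groups.get(rule.user_set, set()):
            return ("allow", rule.name)
    return ("deny", "Default rule")

if __name__ == "__main__":
    for client in ("securenat", "webproxy", "firewall"):
        print(client, evaluate(POLICY, GROUPS, Request(client, "alice", time(10, 0))))
```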
RE: Integration with active directory - 21.Aug.2008 7:16:42 PM   
sqlcoder

 

Posts: 7
Joined: 7.Aug.2008
Status: offline
Can the client be Mozilla Firefox?

(in reply to paulo.oliveira)
Post #: 13
RE: Integration with active directory - 22.Aug.2008 2:29:19 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Yes!

Regards,
Paulo Oliveira.

(in reply to sqlcoder)
Post #: 14
