Welcome to ISAserver.org
SecureNat - restricting access with destination set
SecureNat - restricting access with destination set - 3.Mar.2005 1:39:00 AM
wewa
Posts: 5
Joined: 22.Nov.2003
Status: offline
I'm having a problem with trying to restrict SecureNAT clients and authentication. Isuzu has changed their web access to a new portal (dealers.isuzu.com). To log on to it you must enter a username, password and a domain. I have experimented with this enough to know only the username and password are required; you can leave the domain blank. If I configure the SecureNAT for no restrictions to any web site and limited protocols, it works fine. But if you try to restrict the SecureNAT client with a destination set, by using a site and content rule with a selected destination set, the Isuzu will fail when you try to log on. The destination set contains about 500+ web sites. It will also fail if I select all destinations except the following set. I do not use any user names/groups; all client sets are IP only. I have tried everything I can find at isaserver.org, even setting up a DNS server. Setting the HTTP redirector to send directly to web server. All combinations of firewall, proxy, SecureNAT client. Giving the SecureNAT client full access to all web sites is OK for the in-house administrators but not the users.
I'm open for any suggestions and even considering getting ISA Server 2004 if I can clear this problem with it.
julio
RE: SecureNat - restricting access with destination set - 13.Mar.2005 3:31:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi julio,
what happens if you configure your clients as Web Proxy clients?
HTH, Stefaan
RE: SecureNat - restricting access with destination set - 24.Mar.2005 9:19:00 PM
wewa
Posts: 5
Joined: 22.Nov.2003
Status: offline
This document contains the known configuration to make Isuzu Portal (dealers.isuzu.com) work when using Microsoft ISA Server 2000.
Problem: When you browse to dealers.isuzu.com an authentication screen appears with user name, password and domain. You type in the user name and password and the authentication fails and the screen returns with the user name and no password. Note: the domain can be left blank.
My computer has Windows 2000 Server and Microsoft ISA Server 2000 installed in firewall mode only. All service packs and patches.
ISA Server settings: The HTTP redirector filter must be set to (send to requested web server).
If the user is configured for full access to the internet with no restriction to any web site and limited protocols, then set the client to SecureNAT. Isuzu will work just fine with this configuration. No proxy settings in Internet Explorer, no firewall client, no exception in IE proxy advanced. A SecureNAT is a client with the default gateway set to the IP address of the ISA server. However, I have found web sites other than Isuzu need to have web proxy client configured also. So the configuration I use is SecureNAT client and web proxy client and dealers.isuzu.com in the exceptions list, for all users that have full access to the internet.
If the user is configured with a destination set that allows access only to certain web sites and limited protocols, or has access to all web sites except the following destination set and limited protocols, then configure the user as a web proxy client and install the firewall client software. You must place the web site (dealers.isuzu.com) into the exceptions list inside the Internet Explorer proxy advanced settings. Isuzu will work just fine with this configuration. However, I have found web sites other than Isuzu need the SecureNAT configured also. So the configuration I use is SecureNAT client, web proxy client, firewall client and dealers.isuzu.com in the exceptions list, for all users that have limited access to the internet. Note that when you install the firewall software any exceptions inside IE will be erased. So you will have to add the site dealers.isuzu.com back into the IE proxy advanced setting.
Other ISA server configuration notes:
Client Address Sets - No users/groups are defined, all are IP address for each computer
Client configuration - web browser - direct access has no effect on this problem.
Outgoing web request - TCP port 8080 or port 80 has no effect on this problem.
Outgoing web request - ask unauthenticated users for identification has no effect on this problem.
Operating systems used on test machines were Windows 98, 2000 Pro, and XP Pro.
julio [ March 24, 2005, 09:22 PM: Message edited by: julio ]
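The exceptions-list step described in the post above, as an added example that is not part of the original thread: a simplified JavaScript model of the Internet Explorer proxy exceptions list, used to check whether dealers.isuzu.com still bypasses the Web Proxy after the list has been erased and to put it back idempotently. The function names and sample list values are constructed; the model assumes semicolon-separated entries, `*` wildcards and the `<local>` entry, and ignores scheme and port qualifiers.

```javascript
// Added example: simplified model of the IE proxy exceptions ("bypass") list.
// Assumptions: entries are separated by ';', '*' is a wildcard, and the
// special entry <local> matches host names that contain no dot.

function parseBypassList(raw) {
  return (raw || "")
    .split(";")
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0);
}

function entryMatches(entry, host) {
  if (entry === "<local>") return !host.includes(".");
  // Escape regex metacharacters (so '.' is literal), then map '*' to '.*'.
  const pattern = entry
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + pattern + "$").test(host);
}

// "DIRECT": the browser bypasses the Web Proxy for this host.
// "PROXY":  the request is sent to the configured Web Proxy.
function routeFor(host, rawList) {
  const h = host.toLowerCase();
  return parseBypassList(rawList).some((e) => entryMatches(e, h))
    ? "DIRECT"
    : "PROXY";
}

// Put a host back into the list only if no existing entry already covers it.
function ensureException(rawList, host) {
  const entries = parseBypassList(rawList);
  if (routeFor(host, rawList) !== "DIRECT") entries.push(host.toLowerCase());
  return entries.join(";");
}

// Constructed sample values, not read from a real machine.
const erasedList = ""; // exceptions wiped by the firewall client install
const repairedList = ensureException(erasedList, "dealers.isuzu.com");
console.log(routeFor("dealers.isuzu.com", erasedList));   // PROXY
console.log(routeFor("dealers.isuzu.com", repairedList)); // DIRECT
```

On a real client the list being modelled is the one shown under the IE proxy advanced settings; comparing it before and after the firewall client install shows whether the exception needs to be re-added.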