Hi All, I am unable to stop internet access based on computer names. All denied computers have been added to a group in AD. I tried to put the computers in the Exception section in Internet Access but it doesn't work. Also I created a deny access rule for these computers but was unsuccessful in stopping internet.
Could you please guide me on how to create an Internet Access rule to meet the following requirement:
• Allow internet access for all users except users and computers available in a specific group.
If this requirement cannot be achieved by ISA 2006, can TMG 2010 help?
Yes, you can achieve these tasks with ISA Server 2006 without any problems.
In Active Directory you can create the group for users that should have internet access. Populate that group with usernames that should have access to internet (do not put here users that you do not want to have internet access).
On ISA Server under firewall policy\toolbox\users you create a user set and here you call the group of users that you want to allow internet access.
Then you create an access rule where you allow internet traffic from the internal network to the external network, and under users you call the group that you have previously created. With this you will allow only selected users access to internet and all the others will be blocked.
Similarly you can block internet access using computer accounts, even though I do not see the reason why you would use that strategy where the rule above should do the trick.
If you need further assistance do not hesitate to write.
Thanks for the reply, I was waiting long back. First let me tell you my scenario:
Purpose: Blocking internet from some computers (Training computers). Users are using training computers to access internet by their credentials where they should not. A group created in AD called deny group contains computer accounts and user accounts. Rule created: Allow > All Users (Built-in Group) > Exception (deny group mentioned above) > First on the list. Note, the policy applied successfully to user accounts but computer accounts are not affected at all.
The problem is that the computer accounts in the deny group placed in Exception are not affected at all and continue to have access, while user accounts in the deny group are affected.
I have to block internet computer-wise but I READ in another thread this is not possible. Your help is highly appreciated.
OK then, calling the group with computers that you have created in AD will not work.
You need to create a computer set in the ISA Server firewall rule, and there you should put the FQDN name of the computers that you want to block and use the Find button in order to map the computer account to the appropriate address. After you have placed all computers there, you need to create a rule where you deny traffic from this computer set to the external network, and for the user part leave all users. Place the rule on top of the firewall rules. This will do the job.
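A simplified model of the two policies discussed in this thread, added here as an illustration and not taken from any poster or from ISA Server itself. It assumes ordered first-match rule evaluation with a default deny, that user exceptions are checked against the authenticated user only, and that a computer set is matched by source address; all names and addresses are constructed.

```python
from ipaddress import ip_address

# Constructed sample data, not taken from the thread.
DENY_GROUP = {"alice", "TRAIN-PC01$"}  # AD group mixing user and computer accounts
TRAINING_PCS = {ip_address("10.0.5.21"), ip_address("10.0.5.22")}  # computer set

ALLOW_EXCEPT_GROUP = {"name": "Allow internet", "action": "allow",
                      "from": None, "except_users": DENY_GROUP}
DENY_TRAINING = {"name": "Block training PCs", "action": "deny",
                 "from": TRAINING_PCS, "except_users": set()}

ORIGINAL_POLICY = [ALLOW_EXCEPT_GROUP]
FIXED_POLICY = [DENY_TRAINING, ALLOW_EXCEPT_GROUP]  # deny rule placed on top


def rule_matches(rule, src_ip, user):
    # "from" is matched on the source address (computer set); None means any source.
    if rule["from"] is not None and src_ip not in rule["from"]:
        return False
    # User exceptions are compared with the authenticated user only; the
    # computer account of the machine never appears in the request.
    return user not in rule["except_users"]


def decide(policy, src, user):
    """Return (action, rule name) of the first matching rule, else default deny."""
    src_ip = ip_address(src)
    for rule in policy:
        if rule_matches(rule, src_ip, user):
            return rule["action"], rule["name"]
    return "deny", "Default rule"


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for src, user in (("10.0.5.21", "bob"), ("10.0.9.9", "bob"), ("10.0.9.9", "alice")):
            print(label, src, user, decide(policy, src, user))
```

In the original policy a permitted user on a training PC is still allowed, because only the user name is compared with the exception group; with the computer-set deny rule on top the same request is denied regardless of who is logged on.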
Sorry, I did not understand FQDN name of computers. Please may you specify the steps of denying computers.
Please, I need to deny some IPs from internet and not users.
Note: when choosing users to deny from Active Directory I have the following error: Windows can not process the object with the name "..." because of the following error: The remote procedure call failed and did not execute