Welcome to ISAserver.org

Wireless DMZ

Wireless DMZ - 19.Jan.2007 2:55:08 AM   
rabjac

 

Posts: 17
Joined: 10.Jan.2006
Status: offline
I've finally got my home ISA wireless DMZ operational (yipppeeeee!!). What I've got is a very relaxed Internet connection (can access all sites from the wireless DMZ). Files can be stored / printed etc. from my DC using a VPN connection from the wireless DMZ.

What I want to be able to do is block sites that my kids can get to when using the Internet connection. Is this possible with the set-up I've got (I have been following Tom's book for a wireless DMZ set-up)? I have a mixture of wireless XP laptops (Home and Pro versions).
Post #: 1
RE: Wireless DMZ - 19.Jan.2007 4:34:15 AM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Sure,

Check this: Using ISA 2004 Firewall Domain Name Sets to Control Internet Access

Start populating the domain name set with the sites you need to block; also block these 3rd Party Proxy Sites (7KB / 662 Domains & URLs) so that your kids do not bypass your blocked sites using anonymous proxies.

The whole list is here: http://isaserver.bm/destination_sets.html

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to rabjac)
Post #: 2
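
Added example (not part of the thread and not ISA's own tooling): a Python helper that cleans a hand-collected block list into entries for a domain name set and checks which requested hosts it would cover. It assumes a set entry is either an exact FQDN or a `*.` wildcard that covers subdomains only; the function names and the sample list are constructed for illustration.

```python
from urllib.parse import urlsplit

def to_host(entry):
    """Reduce a URL or bare name to a lowercase host name, or None if unusable."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "//" not in entry:            # urlsplit needs "//" to find the host part
        entry = "//" + entry
    try:
        host = urlsplit(entry).hostname
    except ValueError:               # malformed bracketed address
        return None
    if not host:
        return None
    host = host.rstrip(".")
    if host.startswith("*."):        # already a wildcard: keep the base name
        host = host[2:]
    # Skip IP literals and single labels: the set is for DNS names
    if "." not in host or ":" in host or host.replace(".", "").isdigit():
        return None
    return host

def build_domain_name_set(raw_entries):
    """Return sorted, de-duplicated entries: each name plus its *. wildcard."""
    entries = set()
    for raw in raw_entries:
        host = to_host(raw)
        if host:
            entries.update((host, "*." + host))
    return sorted(entries)

def matches(requested_host, name_set):
    """Assumed matching model: exact name, or *.suffix covering a subdomain."""
    host = requested_host.lower().rstrip(".")
    for entry in name_set:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):   # entry[1:] is ".example.org"
                return True
        elif host == entry:
            return True
    return False

# Constructed sample input: mixed URLs, bare names, a comment and an IP
SAMPLE = ["http://Proxy.Example.NET/index.php", "www.example.com",
          "example.org.", "*.example.org", "# comment", "192.0.2.10", ""]

if __name__ == "__main__":
    for line in build_domain_name_set(SAMPLE):
        print(line)
```

Adding both the bare name and its wildcard matters under the stated assumption: a `*.example.org` entry alone would not cover `example.org` itself.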
RE: Wireless DMZ - 19.Jan.2007 7:59:40 AM   
rabjac

 

Posts: 17
Joined: 10.Jan.2006
Status: offline
Hi elmajdal,

Thanks for the reply. I've had a quick scan through Tom's article. In general terms the article is based on user/group authentication (unless I've got my Friday afternoon hat on and am reading it incorrectly!).

At this moment, I've only got anonymous Internet access (no authentication) from the wireless DMZ. Does this mean that I need to somehow make the users from the wireless DMZ trusted? If so, how do I go about doing this?

(in reply to elmajdal)
Post #: 3
RE: Wireless DMZ - 19.Jan.2007 10:08:26 AM   
Boedus

 

Posts: 146
Joined: 8.Sep.2006
Status: offline
If your kids are using a different PC than you, you could import that ruleset DB for the kids' PC only.
Or you could set up an HTTP access rule with about 20-30 websites only for the specific kids' PC.

Iserver.bm is a pretty nice initiative, but there are over 80 million porn websites, so the list is far from finished :-) But it is free and provides an extra filtering layer to ISA, so it is not bad at all.

< Message edited by Boedus -- 19.Jan.2007 10:10:35 AM >


_____________________________

WWW.ITCREME.COM - Online I.T. community
---------------------------------------------------------------------
As Jim Harrison use to say: "If we can't fix it, it ain't broken".

(in reply to rabjac)
Post #: 4
RE: Wireless DMZ - 19.Jan.2007 10:27:55 AM   
mrupright

 

Posts: 68
Joined: 18.Oct.2004
Status: offline
Hi rabjac,

If you have an extra PC lying around, you might want to also check out www.censornet.com; it is the best open-source content filter available and isn't very difficult to set up.

HTH

Mark

(in reply to Boedus)
Post #: 5
RE: Wireless DMZ - 19.Jan.2007 11:00:34 AM   
Guest
Hi Robert,
You are reading correctly.
From what I see, you need authenticated access in order to differentiate between users. For example, you might like to access some sites that your kids should not.
With your current setup you can't do that.
There might be a tweak. The only problem: it has some security issues, but with the use you are giving your network this might not be a problem.
To get that tweak working, first you need to enable the web proxy on that DMZ network, because you must have a mechanism to authenticate users. This is the simplest one. Without such a mechanism it is impossible to differentiate between users.
Then just put the IP address of ISA's DMZ interface and the port 8080 (default) in their browsers.
The tweak is to create some local accounts on ISA which match the user names and passwords that your kids are using.
In this way the computers on the DMZ don't need to be domain members to authenticate.
After that you can play with the domain name sets suggested by Tarek and add your name to the exception list.
By the way: I recommend you use encryption on your wireless network.
Have fun!

< Message edited by adrian_dimcev -- 19.Jan.2007 11:09:44 AM >

(in reply to mrupright)
  Post #: 6
RE: Wireless DMZ - 19.Jan.2007 12:43:04 PM   
elmajdal

 

Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Hi elmajdal,

Thanks for the reply. I've had a quick scan through Tom's article. In general terms the article is based on user/group authentication (unless I've got my Friday afternoon hat on and reading it incorrectly!).

At this moment, I've only got anonymous Internet access (no authentication) from the wireless DMZ. Does this mean that I need to somehow make the users from the wireless DMZ trusted? If so how do I go about doing this?


It's up to you: either you need authentication or you don't.

If you don't need it, just create your rule with the condition: ALL USERS (= anonymous)

You might be interested in this article: Configuring an Untrusted Wireless DMZ on the ISA Firewall

On the other hand, if you do need authentication, then follow Adrian's steps.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to rabjac)
Post #: 7
