The computers in my office come in two different configurations:
Those that have joined the company domain
Those that have not joined the company domain
I would like to apply user filtering for Internet access and block certain applications, like "Skype". To do this,
I removed the gateway setting on all the clients.
Installed the Microsoft Firewall Client on all the clients.
Now I'm facing some problems:
The clients that have joined the company domain do not have any problem at all.
The clients that have not joined the company domain cannot access the Internet, as they are not authenticated.
I set ReturnAuthRequiredIfAuthUserDenied to TRUE, but no login dialog box is displayed for the clients that have not joined the domain.
I tried solving this problem by setting the Web Proxy to require all users to authenticate. Now the auto-discovery of the ISA Server by the Microsoft Firewall Client fails to detect the ISA Server, and I need to set the ISA Server manually on all the clients. Checking the log, I found the following:
Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code Cache Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL Error Information HTTP Status Code
0.0.0.0 No Proxy CRUX wpad.ppdg.no-ip.org TCP - - - - - - 0 1 2651 67 0x0 Web Proxy Filter 11/01/2006 12:39:54 192.168.1.2 80 http Denied Connection 192.168.1.100 anonymous GET http://wpad.ppdg.no-ip.org/wspad.dat 0x0 12229 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
To make things worse, even an authenticated user (who has logged into the domain) must authenticate again.
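The log line above shows why autodiscovery breaks: the Firewall Client fetches wspad.dat anonymously, and a Web listener that requires authentication for every request answers that fetch with 407 instead of the script. The following probe reproduces that check. It is an added example, not code from the thread or from ISA Server; it runs a small local HTTP server that stands in for the ISA Web listener (once configured to demand authentication, once not), and the hostnames, the PAC body and the responses are constructed for the example. Against a real ISA Server you would point probe_wpad at the wpad host and port 80.

```python
"""Probe whether the WPAD/WSPAD script can be fetched without credentials.

Added example (not from the forum thread). Firewall Client autodiscovery
downloads wspad.dat anonymously, so a Web listener that demands
authentication for every request returns 407 and autodiscovery fails.
The FakeListener below is a constructed stand-in for the ISA Server Web
listener; it is not ISA code.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed PAC body for the example; a real wspad.dat is generated by ISA.
PAC_BODY = b'function FindProxyForURL(url, host) { return "PROXY 192.168.1.2:8080"; }'


class FakeListener(BaseHTTPRequestHandler):
    """Minimal stand-in for the ISA Web listener (constructed for this example)."""
    require_auth = False  # overridden per instance by start_listener()

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            # What the listener does when "require all users to authenticate" is on
            self.send_response(407, "Proxy Authentication Required")
            self.send_header("Proxy-Authenticate", "Negotiate")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/x-ns-proxy-autoconfig")
        self.send_header("Content-Length", str(len(PAC_BODY)))
        self.end_headers()
        self.wfile.write(PAC_BODY)

    def log_message(self, *args):
        pass  # keep the console quiet


def start_listener(require_auth):
    """Start a fake listener on an ephemeral port; return (server, port)."""
    handler = type("Listener", (FakeListener,), {"require_auth": require_auth})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_wpad(host, port, path="/wspad.dat", timeout=5):
    """Fetch the autodiscovery script anonymously, as Firewall Client does.

    Returns a dict with the HTTP status, a one-line verdict and the script
    body (only when the fetch succeeded).
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "wpad-probe"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status == 407:
        verdict = "listener demands authentication: autodiscovery will fail"
    elif resp.status == 200 and b"FindProxyForURL" in body:
        verdict = "anonymous fetch OK: autodiscovery can work"
    else:
        verdict = "unexpected response %d" % resp.status
    return {
        "status": resp.status,
        "verdict": verdict,
        "script": body.decode("latin-1") if resp.status == 200 else None,
    }


if __name__ == "__main__":
    for require_auth in (True, False):
        srv, port = start_listener(require_auth)
        result = probe_wpad("127.0.0.1", port)
        print("require_auth=%s -> %s" % (require_auth, result["verdict"]))
        srv.shutdown()
        srv.server_close()
```

The probe sends no Authorization header on purpose: that is exactly what the Firewall Client's autodiscovery request looks like, and it is the request the listener must let through anonymously if the "require all users to authenticate" setting is to coexist with autodiscovery.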
The "require all users to authenticate" checkbox and the ReturnAuthRequiredIfAuthUserDenied setting don't help with firewall clients, only web proxy clients.
It seems to me that you have two choices:
1. For the computers not on your domain, make them Secure NAT clients by making their default gateway the address of the ISA Server's internal NIC. This would give you the control you want over what the computers access, but you would not be able to use rules that are based on who is signed in.
2. Stick with Firewall Client but join the computers either to your domain or to a trusted domain. You really need to get users authenticated upon login to an authority recognized by the ISA Server if you want Firewall Client to work.
I've found that not all the ReturnAuthRequiredIfAuthUserDenied scripts found here work well (they didn't work for me). If you look here http://forums.isaserver.org/m_250038300/tm.htm you will find an advanced version that does work (it did for me).