Welcome to ISAserver.org

Access by IP address

Access by IP address - 2.May2006 5:44:46 PM   
AdrianOC

 

Posts: 28
Joined: 27.Apr.2006
Status: offline
Hi all,

Very new to ISA; I have, however, recently inherited a job that requires me to manage an already set-up ISA 2000 server.

My problem is this,
I wish to allow access to my proxy server by IP address or range.
Currently they log in by Username / Password.

Under Policy Elements --> Client Address lists 
I have set up a group with the address range I wish to be allowed xxx.xxx.xxx.0 - xxx.xxx.xxx.255

However, this doesn't seem to resolve my problem, because whenever I disable the login account they can't seem to access the internet at all. Also the browser (IE) still asks for the username and password.

I feel I am probably making a schoolboy error but I can't seem to spot my mistake.

Any help / Pointers would be much appreciated.

Kind Regards
Post #: 1
RE: Access by IP address - 2.May2006 7:42:56 PM   
jklick

 

Posts: 36
Joined: 25.May2005
Status: offline
Follow these steps:

1. Create a client address set that defines the IP address range that you wish to allow access.
2. Create a protocol rule that allows the desired protocols and apply it only to the client address set you just defined (checking the Specific computers button in the wizard).
3. Create a site and content rule that allows access to the desired sites/content and apply it only to the client address set you just defined (checking the Specific computers button in the wizard).

(in reply to AdrianOC)
Post #: 2
RE: Access by IP address - 3.May2006 10:51:00 AM   
AdrianOC

 

Posts: 28
Joined: 27.Apr.2006
Status: offline
jklick, thanks very much for your help! I have set up ISA as you mentioned.

Then I disabled the user account, restarted the client PC and tried again to access.

Unfortunately it still asks me for a username + password. If I hit OK or Cancel it seems to stall and then crash out after a while.

Also, although our sites are connected to head office through 256 - 512K lines, it seems to take a long time for users to connect.
Can this be speeded up in any way? Or, more to the point, could we be slowing the link down through some rules / configuration on the current ISA server?

Again thanks for all your help so far, I do appreciate it :)


(in reply to jklick)
Post #: 3
RE: Access by IP address - 3.May2006 2:58:06 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
If I had to guess (and I must since you provided no details), I would say your DNS is not set up correctly.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to AdrianOC)
Post #: 4
RE: Access by IP address - 3.May2006 3:41:17 PM   
ITSEC

 

Posts: 8
Joined: 2.May2006
Status: offline
In addition to DNS....

You may want to ensure that the "Ask unauthenticated users for identification" check box is not checked.  You can find this by right-clicking the array and selecting properties and then select the Outgoing Web Requests tab.

I have also seen this slow down performance in some environments.

(in reply to LLigetfa)
Post #: 5
RE: Access by IP address - 4.May2006 11:07:42 AM   
AdrianOC

 

Posts: 28
Joined: 27.Apr.2006
Status: offline
LLigetfa, ITSEC, thanks for your help.

I've checked the properties of the array and the "Ask unauthenticated users for identification" box is checked on both incoming and outgoing. If I uncheck this box will that force users to be checked by the IP address?

From what I understood, I thought that ISA would check / pick up the IP address of the client and authenticate them before it asked for the username and password. Which could be where I am going wrong.

Currently I am set up as jklick instructed.

Or do all my problems revolve around a DNS misconfiguration? Can I check this some way?

Sorry, I'm just a little lost.

(in reply to ITSEC)
Post #: 6
RE: Access by IP address - 8.May2006 5:17:37 PM   
AdrianOC

 

Posts: 28
Joined: 27.Apr.2006
Status: offline
OK, I've just unticked the "Ask unauthenticated users for identification" box on both incoming and outgoing.

This seems to have solved the problem I had; people are connecting now through IP address.

But does this not create a huge security hole? Because now anyone who comes into our office and connects to the network will automatically be able to connect to the net.

Can this be addressed in any way?

< Message edited by AdrianOC -- 8.May2006 5:22:16 PM >

(in reply to AdrianOC)
Post #: 7
RE: Access by IP address - 8.May2006 5:39:05 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
OK, I'm confused.  First you said:
quote:

My problem is this,
I wish to allow access to my proxy server by IP address or range.
Currently they log in by Username / Password

What do you want, by IP, by name, either or both?
If you want both, remove "All users".
If you want either, you will need multiple rules with the anonymous rules above the authenticating rules.

(in reply to AdrianOC)
Post #: 8
RE: Access by IP address - 8.May2006 6:08:26 PM   
AdrianOC

 

Posts: 28
Joined: 27.Apr.2006
Status: offline
Hi LLigetfa,

My workplace is a very mixed up one. We have sites all around the country, some of which are members of the domain and some which are not, mainly due to political reasons. We also look after a number of other sites which we support but don't / can't administrate.

Basically I need to be able to allow everyone access to the Internet through the proxy server.

I thought that if I allowed the workgroup sites access by IP address I could very easily administer them that way and so control them.
Also, in a lot of the workgroup sites, a lot of people use the same username and password.

In the domain, everyone is authenticated anyway by using the domain account and so I can control them.

The problem I had was that the people in the workgroup sites were having to wait a very long time before they were even asked to authenticate. I thought I could clear this all up by using IP addresses.

What I was hoping to achieve was to authenticate by using IP addresses in the remote sites that were not part of the domain,
while those people in the domain would authenticate by their usual domain accounts.
That way I could easily enough administer both (I hope).

What I don't want is anybody who plugs into the network to have internet access without having to get permission first.

I hope this clears things up a bit.

Do you think that this is a good way to go about it? Or am I completely going about it the wrong way?


(in reply to LLigetfa)
Post #: 9
RE: Access by IP address - 8.May2006 6:59:52 PM   
ITSEC

 

Posts: 8
Joined: 2.May2006
Status: offline
As long as you do not have anonymous users or all users in your rules, unchecking the "Ask unauthenticated users for identification" box should not create a security hole. I would suggest, for the rules that allow all of your domain users out, that you use the authenticated users group instead of all users or anonymous users. This would make the following true:

1. Anyone on a machine that has rules based on IP address will be allowed/denied that access.
2. Anyone not covered by the IP addresses would have to authenticate, based on there being no anonymous rules.

If you require the use of all users or anonymous users, then anyone who "plugs into your network" will fall under those rules.

(in reply to AdrianOC)
Post #: 10
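
Added example, not part of the thread and not ISA Server's own rule engine: a simplified Python model of the rule logic described in post #10, showing which clients get out without credentials and which rules widen that beyond the approved ranges. The three rule categories, the rule names and the 192.0.2.0/24 documentation range are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of the rule logic discussed in the thread, not ISA Server's engine.
ANY_REQUEST, AUTHENTICATED, ADDRESS_SET = "any request", "authenticated users", "client address set"

@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: str
    networks: tuple = ()  # CIDR strings, used only by ADDRESS_SET rules

def decide(rules, client_ip, authenticated):
    """Return the name of the first allow rule that matches the client, else None."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.applies_to == ANY_REQUEST:
            return rule.name
        if rule.applies_to == AUTHENTICATED and authenticated:
            return rule.name
        if rule.applies_to == ADDRESS_SET and any(
                ip in ipaddress.ip_network(n) for n in rule.networks):
            return rule.name
    return None

def unauthenticated_exposure(rules, approved):
    """Names of rules that admit clients without credentials from outside `approved`."""
    allowed = [ipaddress.ip_network(n) for n in approved]
    flagged = []
    for rule in rules:
        nets = [ipaddress.ip_network(n) for n in rule.networks]
        too_wide = any(not any(n.subnet_of(a) for a in allowed) for n in nets)
        if rule.applies_to == ANY_REQUEST or (rule.applies_to == ADDRESS_SET and too_wide):
            flagged.append(rule.name)
    return flagged

# Constructed sample data: documentation address ranges, hypothetical rule names.
APPROVED = ("192.0.2.0/24",)
HARDENED = (Rule("workgroup sites by IP", ADDRESS_SET, ("192.0.2.0/24",)),
            Rule("domain users", AUTHENTICATED))
WEAK = HARDENED + (Rule("everyone", ANY_REQUEST),)

if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, decide(rules, "198.51.100.7", False),
              unauthenticated_exposure(rules, APPROVED))
```

In the model, any client whose address falls inside an address-set rule is allowed without credentials, so the set should cover only the ranges meant to have that access.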
