I have two ISA 2004 servers Enterprise Edition on my LAN.
All my users can access the internet through ISA1 or ISA2, as they wish, by changing the name of the ISA server in the firewall client, BUT!!!
I have 2 users: one has WinXP Home Edition and another has WinXP Professional Edition, but the WinXP Professional Edition machine is not a part of my domain. Both are accessing the internet from ISA1 but not from ISA2. When I put the name of ISA2 in the firewall and click on Test, it gives an error: unable to resolve. I have even added host entries for both (WinXP Home and Pro) users in my local DNS.
Sir, in short, I mean to say that my domain members are easily using the internet from ISA Server 2004 (EE), but if any user comes from outside with a laptop or a computer which is not part of the domain and wants to use the internet from ISA Server 2004 (EE), those PCs or laptops are not able to resolve the array name when they click on TEST SERVER from the firewall client.
How to resolve the array name from the firewall client on PCs that are not members of the domain?
RE: client are not able to browse and even not resolve - 9.Jan.2007 6:34:20 AM
Hi Z, no, not with ISACertTOOL.exe. It is for ISA array members. What exactly do you want to authenticate? HTTP traffic? Very simple: configure the clients to use ISA as a proxy and they will be prompted to enter their credentials, and after that they can surf the web (if they are using Linux or another OS, check basic authentication too). If the user name and password of those clients match a local user name and password on ISA, they will not be prompted; they can access the Internet directly with no problem. If they are not domain members, they are not trusted, so they should be on a different network, implicitly in a different security/trust zone.
RE: client are not able to browse and even not resolve - 9.Jan.2007 7:58:35 AM
No chance with that. The only way to do it is with FWC in place. You will have to decide if those computers can be members of the domain or not. If not, your control over them is at a low level. This means a lot of things. You can put them on a separate network since they are not domain members and just give them access to what they strictly need. A workaround is possible playing with security zones, but without such granular control over them as described by you above.