While we're on the subject of security, would you advise disabling all of the system policies and configuring rules yourself, or do you never bother doing that? Also, I'm a little confused with my ISA config as users seem to be able to do a lot of things that I haven't actually set rules for. For example, people can PING I believe, and use remote desktop, and NetBIOS seems to work. I'll probably have to check through the system rules again, but I didn't notice any to say allow RDP for the internal network.
TOM: No need to disable all the System Policy Rules, and you really don't want to do that. Instead, check each one carefully and make sure it's appropriate for your Network. If not, make a change or disable it.
Another quick question: does the internal network have full access to the internal network by default? I was under the impression that nothing had access unless you specified it, apart from the system policies.
TOM: Internal to Internal communications are not handled by the ISA Firewall, so the ISA Firewall is never involved.
Last question (I think): I have two groups of users, group a & group b, and I would like group a to have full access to the internet all the time, while group b can only use the internet at scheduled times and are not allowed to download anything. Do you have any articles showing me how to do this? I know this is probably a piece of cake, but when I tried implementing it, it started prompting the other group to authenticate, which isn't what I was expecting.
TOM: Create two rules, one for the group that always has access, and one for the group that has limited access. There is no such thing as a "download" protocol, so you will need to configure the protocols and other characteristics of the protocols to stop downloads for the specific protocol. Easy? No. That's why Websense is a rich company :)
Any advice or help would be great.
Ok, last last question :-) Do you know if ISA can block by MAC address, or set up rules via MAC address?
TOM: No, MAC address control is of no use, as most ISA Firewall enterprise deployments have the internal interface on a stub segment, and remote segment MAC addresses are invalid on the stub.
Thomas W Shinder, M.D.