I work at a school. We are using ISA2006 as firewall/proxy, and so far everything has been running smoothly. I have applied all the access rules that are necessary for providing access to the internet and applications needed, including all the rules that will stop the students from gaming every minute of their school session. Every now and then they have exams, and I have created a rule that will only let them access file shares and home dirs that they are allowed to use. Internet is usually blocked for students who are taking their exams.
So far I have not experienced any problems, until today. Recently, I have allowed private laptops in my network, allowing them to access the internet and also file shares (as long as they provide their credentials). But it seems that when I activate the "block internet-access for all the exam-students"-rule, it also denies the private laptops (who are of course not authenticated as they are not logged in to any domain). Logs show that they are denied by the very same rule as the one blocking exam-students.
Does anybody know why this is happening?
The blocking rule has the following format: Deny all outbound traffic from Internal to External, rule applies to ExamGroup (retrieved from AD)
Everything works ok, until this rule is applied.
< Message edited by sjbnil -- 16.Apr.2007 1:12:40 PM >
I have an update on this issue, hopefully someone might understand what the solution is this time.
All the firewall rules I have applied are about granting access for several applications running on different ports, with condition All Users, and the only "Deny" rules I inserted are for limiting access to specific sites, for All Users. All in all, the rules are valid for All Users.
Then, I apply another rule that is supposed to block internet access for one specific Active Directory-user. It also applies to all non-domain computers, for some reason.
I tried the following: I took one of my domain computers and deleted its membership in Active Directory. Installed the Firewall Client, which could not detect the ISA server. Entered the ISA IP in the HOSTS file of the now non-domain computer, entered the manual configuration in FWC, and it detected the ISA server fine. Opened Internet Explorer, and everything worked.
Then I tried a fresh installation of Windows XP on the same computer, and did not make it a domain-member. Tried the same procedure that worked the last time. The ISA was detected, and the system-tray icon said that everything was ok. Then I tried opening IE, and the connection to the ISA-server dropped. When moving the mouse over the system-tray icon, it says the following: "Could not authenticate to ISA server".
I'm thinking: of course, that's why. Before I inserted the blocking rule, all traffic was allowed, except for some pages that also applied to everyone. Non-domain computers applied all those rules along with domain members, but when inserting a rule that will block all traffic for only one AD user, the non-domain computers need to authenticate themselves so that they will NOT pick up the rule.
So, I cooked everything down to this: I need to let non-domain computers identify themselves to ISA somehow. Anybody got a good idea? I tried to implement BASIC authentication to the internal network, but that did not work.
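The ordering effect described in this thread, as an added illustration that is not part of the original post and not ISA's own code: a simplified first-match model of an ordered access policy, where a rule scoped to a specific user set can only be matched against an authenticated identity, so an anonymous client that reaches such a rule is refused by that rule rather than falling through to the later "All Users" allow. The rule names, group name and the policy layout are constructed for the example.

```python
from dataclasses import dataclass

ALL_USERS = "All Users"   # rule applies to everyone, no identity needed


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    user_set: str     # ALL_USERS, or a group name that must be verified


@dataclass(frozen=True)
class Client:
    authenticated: bool
    groups: frozenset = frozenset()   # group memberships, if authenticated


def evaluate(policy, client):
    """Walk the ordered policy; the first rule that applies decides.

    Simplified model (assumption, not ISA's exact algorithm): a rule whose
    user set is not ALL_USERS needs an identity to compare against, so an
    unauthenticated client hitting it is denied *by that rule*, which is the
    symptom seen in the thread's logs.
    """
    for rule in policy:
        if rule.user_set == ALL_USERS:
            return rule.action, rule.name
        if not client.authenticated:
            return "deny", rule.name   # cannot prove non-membership
        if rule.user_set in client.groups:
            return rule.action, rule.name
    return "deny", "default rule"      # implicit deny at the end


# Constructed policy: the exam deny sits above the general web allow, as it
# must for it to take effect for exam students at all.
POLICY_BEFORE = [Rule("allow web", "allow", ALL_USERS)]
POLICY_DURING_EXAM = [Rule("block exam students", "deny", "ExamGroup"),
                      Rule("allow web", "allow", ALL_USERS)]

PRIVATE_LAPTOP = Client(authenticated=False)
EXAM_STUDENT = Client(True, frozenset({"ExamGroup"}))
OTHER_STUDENT = Client(True, frozenset({"Students"}))
```

Comparing `evaluate(POLICY_BEFORE, PRIVATE_LAPTOP)` with `evaluate(POLICY_DURING_EXAM, PRIVATE_LAPTOP)` shows the anonymous laptop switching from allowed to denied by the exam rule, while the authenticated non-exam student still reaches the allow.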