Is it possible in ISA 2004 to get an authentication box to pop up when attempting to access the internet. The senario is we have a couple of POS computers that we don't want casual staff accessing the internet on. However when senior staff are sometimes working from these computers we would like them to be able to enter a username and password into a pop up box in Internet Explorer and be given access to the internet. I have noticed that the authentication appears to be integrated with the login account, is it possible to get around this??
From: New Jersey
Create a rule specific to the POS computers. Instead of your access rule being "authenticated users", create an AD group called Internet Users, add the users permitted to access the Internet from the POS systems to that group. Those users can then authenticate when needed, or have transparent access if they log on with their credentials. Other users will not be able to access the Internet from those systems at all.
I have created the specific firewall rule with only allows AD group "Internet Users" access to protocols HTTP & HTTPS. This is blocking web traffic for the login which is used on the Point Of Sale computers. However there appears to be no way of providing a different username to the proxy server without logging off the user and logging on as a different user. This isn't practical as the generic login is required for the role the computer is performing. Is there a way to get the proxy server to prompt for a username and password when the user opens internet explorer and tries to browse external web content?
This will produce an authentication prompt when users are denied access and allow an alternate user to be defined...
However, if the POS runs under the same context as the user, I cannot see how you will be able to differentiate access rules between them??? Can you not run the POS application under a speciifc user/service account to allow you to differentiate between the POS system and the actual user logged on?
Another option is to restrict access to a specific destination set that is required for the POS system - this will allow the POS to work, but restrict access to other web sites when they share the same user ID. If the user then tries to browse to other website they will be denied and the above change should produce an authentication prompt. So in theory you will have two rules as follows:
Rule 1: Allow web access for the POS system and limit to certain destinations - this will also be applied to the logged on user if using a shared account Rule 2: Allow web access to all other websites for senior users by using a specific group
< Message edited by Jason Jones -- 27.Mar.2008 7:21:57 AM >