Extending ISA

Extending ISA - 4.May2008 12:08:59 PM   
fixitchris

 

ITENG:
How about doing a GUI that would disable and enable rules remotely?
For example, I used to work in a school where the teacher needs to enable the rule to be used by his students; once his lecture ends, he needs to disable the rule.
As an ISA admin, I don't wish to give admin access to every teacher, so having a simple stand-alone GUI that would enable or disable rule(s) remotely is a wonderful solution.

< Message edited by fixitchris -- 12.May2008 3:53:55 PM >
Post #: 1
RE: Extending ISA - 4.May2008 12:11:14 PM   
fixitchris

 

Something like this I would recommend creating via a web service.  The reason for this is that the ISA remote console would have to be installed only on the web server.

How should we get around the security issue of what teacher should have control over which rule?

(in reply to fixitchris)
Post #: 2
RE: Extending ISA - 4.May2008 12:20:59 PM   
ITEngineer

 

If you want to develop it as a web interface, then each teacher would have to authenticate first via a logon page, and then, based on the provided credentials, a set of permitted actions would be granted to the teacher.

These permitted actions would be supplied by the ISA admin to each teacher.

(in reply to fixitchris)
Post #: 3
RE: Extending ISA - 4.May2008 12:50:02 PM   
fixitchris

 

This would work; however, now we're getting into developing a database to keep track of teachers, rules and actions.

http://technet.microsoft.com/en-us/magazine/cc462798.aspx
If this is an Active Directory enabled domain, then what we can do is add attributes to each user such as:

syncio-ISA_Array_Permissions
syncio-ISA_Rules_Allowed_To_Admin
syncio-ISA_Rules_Permissions

Array Permissions:
Update configuration
Restart services

Rules Permissions:
Full control
Disable
Enable
Traffic destinations
Modify users

Example:
syncio-ISA_Array_Permissions=U
syncio-ISA_Rules_Allowed_To_Admin=LAB1::LAB2::CLASSROOM1
syncio-ISA_Rules_Permissions=DE::DE::DEU

< Message edited by fixitchris -- 6.May2008 9:44:45 AM >

(in reply to ITEngineer)
Post #: 4
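The attribute scheme proposed in post #4, worked through as a default-deny authorization check. This is an added example, not code from the thread or from the tool it discusses. It assumes each permission letter is the initial of an entry in the post's "Rules Permissions" list (F, D, E, T, U), that the Nth rule name pairs with the Nth permission entry, and that rule names compare case-insensitively; the function and class names are hypothetical.

```python
# Added example: default-deny check over the "::"-delimited attributes from post #4.
# Assumption: letters are the initials of the post's "Rules Permissions" entries.
RULE_ACTIONS = {
    "F": "full control",
    "D": "disable",
    "E": "enable",
    "T": "traffic destinations",
    "U": "modify users",
}


class MalformedPermissions(ValueError):
    """Raised when the two attributes cannot be paired unambiguously."""


def parse_rule_permissions(rules_attr, perms_attr):
    """Pair each rule name with its permission letters, failing closed on bad data."""
    rules = [r.strip() for r in rules_attr.split("::")]
    perms = [p.strip().upper() for p in perms_attr.split("::")]
    if len(rules) != len(perms):
        # A missing entry would silently shift permissions onto the wrong rule.
        raise MalformedPermissions("rule list and permission list differ in length")
    table = {}
    for rule, letters in zip(rules, perms):
        if not rule or not letters:
            raise MalformedPermissions("empty rule name or permission entry")
        unknown = set(letters) - set(RULE_ACTIONS)
        if unknown:
            raise MalformedPermissions("unknown permission letters: %s" % sorted(unknown))
        key = rule.casefold()  # assumption: rule names are case-insensitive
        if key in table:
            raise MalformedPermissions("duplicate rule entry: %s" % rule)
        table[key] = frozenset(letters)
    return table


def is_allowed(rules_attr, perms_attr, rule, action_letter):
    """Return True only if the directory attributes grant action_letter on rule."""
    try:
        table = parse_rule_permissions(rules_attr, perms_attr)
    except MalformedPermissions:
        return False  # malformed directory data grants nothing
    granted = table.get(rule.casefold(), frozenset())
    return "F" in granted or action_letter.upper() in granted
```

Because the two attributes are only linked by position, a length mismatch is treated as a denial rather than padded or truncated.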
RE: Extending ISA - 6.May2008 4:54:23 PM   
ITEngineer

 

You are the expert in this; I know nothing when it comes to programming.

What we would also like to have with ISA Server is a splash screen that reads the terms of use. For example, when the user first opens his IE and tries to browse to any website, he is first redirected to this splash screen, and then once he clicks, for example, the agree button, he is granted the OK to surf to the website he was trying to go to.

Got me?

(in reply to fixitchris)
Post #: 5
RE: Extending ISA - 6.May2008 10:05:54 PM   
fixitchris

 

Regarding the splash screen... do you want it to pop up once when the user goes to google.com and then again when he decides to go to yahoo.com? Or do you want it to pop up only when he first opens IE? If you want it only when he first opens IE, then you can deploy a custom home page with Group Policy in a Windows domain.

The other way, someone would have to write an extension on the TCP/IP stack known as a layered service provider (e.g. Firewall Client), or an ISA filter. I am not a very good C++ programmer.




< Message edited by fixitchris -- 6.May2008 10:13:53 PM >

(in reply to ITEngineer)
Post #: 6
RE: Extending ISA - 7.May2008 4:43:42 PM   
fixitchris

 

Whoever has been following this thread, please make yourself familiar with ADAM:

http://blogs.technet.com/btrst4/archive/2004/07/27/198655.aspx

I will be using an ADAM instance as a database. This way I don't mess with your Active Directory ;)

(in reply to fixitchris)
Post #: 7
RE: Extending ISA - 9.May2008 3:37:02 AM   
elmajdal

 

Hi Chris,

The most important thing is NOT to install this web app on the ISA Server itself.

Make sure to have it installed on another IIS machine and not on the localhost.

We usually do not recommend installing IIS on a firewall.

Thanks.

Great work

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to fixitchris)
Post #: 8
RE: Extending ISA - 9.May2008 12:14:52 PM   
fixitchris

 

Here is the first binary. Please test.

http://

Add this to your IIS server and run http://[IISserver]/[webapp_location]/Default.aspx

Prereqs for your IIS server:
- .NET framework 3.5
- ISA Remote Console installation
- Save room for an ADAM installation and leave ports 50010 and 50011 open



< Message edited by fixitchris -- 12.May2008 3:54:12 PM >

(in reply to elmajdal)
Post #: 9
