Extending ISA (Full Version)






fixitchris -> Extending ISA (4.May2008 12:08:59 PM)

ITENG:
How about doing a GUI that would disable and enable rules remotely?
For example, I used to work in a school where the teacher needs to enable the rule to be used by his students; once his lecture ends, he needs to disable the rule.
As an ISA admin, I don't wish to give admin access to every teacher, so a simple stand-alone GUI that would enable/disable rule(s) remotely is a wonderful solution.




fixitchris -> RE: Extending ISA (4.May2008 12:11:14 PM)

Something like this I would recommend creating via a web service.  The reason for this is that the ISA remote console would have to be installed only on the web server.

How should we get around the security issue of what teacher should have control over which rule?




ITEngineer -> RE: Extending ISA (4.May2008 12:20:59 PM)

If you want to develop it as a web interface, then each teacher would have to authenticate first via a logon page, and then, based on the provided credentials, a set of permitted actions would be granted to the teacher.

These permitted actions would be supplied by the ISA admin to each teacher.




fixitchris -> RE: Extending ISA (4.May2008 12:50:02 PM)

This would work, however now we're getting into developing a database to keep track of teachers, rules and actions.

http://technet.microsoft.com/en-us/magazine/cc462798.aspx
If this is an Active Directory enabled domain, then what we can do is add attributes to each user such as:

syncio-ISA_Array_Permissions
syncio-ISA_Rules_Allowed_To_Admin
syncio-ISA_Rules_Permissions

Array Permissions:
Update configuration
Restart services

Rules Permissions:
Full control
Disable
Enable
Traffic destinations
Modify users


Example:
syncio-ISA_Array_Permissions=U
syncio-ISA_Rules_Allowed_To_Admin=LAB1::LAB2::CLASSROOM1
syncio-ISA_Rules_Permissions=DE::DE::DEU
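
The attribute scheme in the post above pairs two `::`-separated lists by position, so a service reading them has to refuse any mismatch instead of guessing. The following is an added example, not part of the original post or the poster's tool; the letter-to-action mapping (F, D, E, T, U) and all function names are assumptions inferred from the permission lists above.

```python
# Letter meanings are assumptions inferred from the post's permission lists.
RULE_ACTIONS = {"F": "full_control", "D": "disable", "E": "enable",
                "T": "traffic_destinations", "U": "modify_users"}
SEP = "::"


class PolicyError(ValueError):
    """Raised when a user's attribute values cannot be trusted as a policy."""


def parse_rule_grants(rules_attr, perms_attr):
    """Pair each rule name with its permission letters, by position.

    Any malformed input raises PolicyError so the caller can deny by default.
    """
    rules = [r.strip() for r in rules_attr.split(SEP)]
    perms = [p.strip().upper() for p in perms_attr.split(SEP)]
    if len(rules) != len(perms):
        raise PolicyError("rule list and permission list differ in length")
    grants = {}
    for rule, letters in zip(rules, perms):
        if not rule or not letters:
            raise PolicyError("empty rule name or permission entry")
        if rule in grants:
            raise PolicyError(f"rule listed twice: {rule}")
        unknown = set(letters) - set(RULE_ACTIONS)
        if unknown:
            raise PolicyError(f"unknown permission letters: {sorted(unknown)}")
        grants[rule] = {RULE_ACTIONS[c] for c in letters}
    return grants


def is_allowed(rules_attr, perms_attr, rule, action):
    """True only if the attributes parse cleanly and grant `action` on `rule`."""
    if action not in RULE_ACTIONS.values():
        return False  # never authorize an action the scheme does not define
    try:
        grants = parse_rule_grants(rules_attr, perms_attr)
    except PolicyError:
        return False  # fail closed on any inconsistency
    allowed = grants.get(rule, set())  # exact rule-name match only
    return action in allowed or "full_control" in allowed


if __name__ == "__main__":
    rules, perms = "LAB1::LAB2::CLASSROOM1", "DE::DE::DEU"  # from the post
    for rule, action in [("LAB1", "enable"), ("LAB1", "modify_users"),
                         ("CLASSROOM1", "modify_users"), ("LAB3", "enable")]:
        print(rule, action, is_allowed(rules, perms, rule, action))
```

The check belongs on the server side of the web service, evaluated on every enable/disable request, since the logon page only establishes who the teacher is.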




ITEngineer -> RE: Extending ISA (6.May2008 4:54:23 PM)

You are the expert in this [8D], I know nothing when it comes to programming [:)]

What we would also like to have with ISA Server is a splash screen that presents the terms of use: for example, when the user first opens his IE and tries to browse to any website, he is first redirected to this splash screen, and once he clicks, for example, the Agree button, he is granted the OK to surf to the website he was trying to go to.

Got me?




fixitchris -> RE: Extending ISA (6.May2008 10:05:54 PM)

Regarding the splash screen... you want it to pop up once when the user goes to google.com and then again when he decides to go to yahoo.com??? Or do you want it to pop up only when he first opens IE? If you want it only when he first opens IE, then you can deploy a custom home page with Group Policy in a Windows domain.

The other way, someone would have to write an extension on the TCP/IP stack known as a layered service provider (e.g. Firewall Client), or an ISA filter. I am not a very good C++ programmer.






fixitchris -> RE: Extending ISA (7.May2008 4:43:42 PM)

Whoever has been following this thread, please make yourself familiar with ADAM:

http://blogs.technet.com/btrst4/archive/2004/07/27/198655.aspx

I will be using an ADAM instance as a database. This way I don't mess with your Active Directory ;)




elmajdal -> RE: Extending ISA (9.May2008 3:37:02 AM)

Hi Chris,

The most important thing is NOT to install this web app on the ISA Server itself.

Make sure to have it installed on another IIS machine and not on the localhost.

As we usually do not recommend installing IIS on a firewall.

Thanks.

Great work [:D]




fixitchris -> RE: Extending ISA (9.May2008 12:14:52 PM)

Here is the first binary. Please test.

http://

Add this to your IIS server and run http://[IISserver]/[webapp_location]/Default.aspx

Prereqs for your IIS server:
- .NET framework 3.5
- ISA Remote Console installation
- Save room for an ADAM installation and leave ports 50010 and 50011 open

[image]http://sync-io.net/Public/ISA_RulesAdmin1.JPG[/image]



