Unable to deny Internet Access based on Computer Name in ISA 2006

Unable to deny Internet Access based on Computer Name i... - 8.May2010 9:57:08 AM   
nasser

 

Hi All,
I am unable to stop internet access based on computer names. All denied computers have been added to a group in AD.
I tried to put the computers in the Exception section in Internet Access, but it doesn't work. I also created a deny access rule for these computers, but it did not stop internet access.

Could you please guide me on how to create an Internet Access rule to meet the following requirement:
• Allow internet access for all users except the users and computers in a specific group.
If this requirement cannot be achieved with ISA 2006, can TMG 2010 help?
Post #: 1
RE: Unable to deny Internet Access based on Computer Na... - 24.May2010 1:11:25 PM   
selman

 

Hi Nasser,

Yes, you can achieve these tasks with ISA Server 2006 without any problems.

In Active Directory you can create the group for users that should have internet access. Populate that group with the usernames that should have access to the internet (do not put here users that you do not want to have internet access).

On ISA Server, under firewall policy\toolbox\users, you create a user set and here you call the group of users that you want to allow internet access.

Then you create an access rule where you allow internet traffic from the internal network to the external network, and under users you call the group that you have previously created.
With this you will allow only selected users access to the internet and all the others will be blocked.

Similarly, you can block internet access using computer accounts, even though I do not see the reason why you would use that strategy when the rule above should do the trick.

If you need further assistance, do not hesitate to write.

Cheers,

_____________________________

System Engineer
MCT, MCSA, CCNA, CCNP, CCDA
www.besa-ag.eu

(in reply to nasser)
Post #: 2
RE: Unable to deny Internet Access based on Computer Na... - 25.May2010 1:07:10 AM   
nasser

 

Hi,

Thanks for the reply; I have been waiting for a long time. First, let me tell you my scenario:

Purpose: Blocking internet access from some computers (training computers). Users are using the training computers to access the internet with their credentials where they should not.
A group created in AD called deny group contains computer accounts and user accounts.
Rule created:
Allow > All Users (Built-in Group) > Exception (deny group mentioned above) > First on the list.
Note: the policy applied successfully to the user accounts, but the computer accounts were not affected at all.

The problem is that the computer accounts in the deny group placed in Exception are not affected at all and continue to have access, while the user accounts in the deny group are affected.

I have to block internet access on a per-computer basis, but I read in another thread that this is not possible. Your help is highly appreciated.

(in reply to nasser)
Post #: 3
RE: Unable to deny Internet Access based on Computer Na... - 25.May2010 3:04:19 AM   
selman

 

Hi,

OK then, calling the group with computers that you have created in AD will not work.

You need to create a computer set in the ISA Server firewall rule, and there you should put the FQDN of the computers that you want to block and use the Find button in order to map the computer account to the appropriate address. After you have placed all the computers there, you need to create a rule where you deny traffic from this computer set to the external network, and for the user part leave All Users. Place the rule on top of the firewall rules. This will do the job.

cheers,

Selman

_____________________________

System Engineer
MCT, MCSA, CCNA, CCNP, CCDA
www.besa-ag.eu

(in reply to nasser)
Post #: 4
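
The difference between the two policies discussed in posts #3 and #4, as an added example that is not part of the original thread and is not ISA Server code. It is a simplified model that assumes ordered, first-match rule evaluation, a user condition tested against the authenticated user, and a computer set that matches on source address; all names, addresses and group members are constructed.

```python
from ipaddress import ip_address

# Constructed sample data (hypothetical host names, addresses and accounts).
TRAINING_PCS = {"train01.corp.example": "10.0.5.21",
                "train02.corp.example": "10.0.5.22"}
# AD "deny group" holding both computer accounts and a user account.
DENY_GROUP = {"CORP\\TRAIN01$", "CORP\\TRAIN02$", "CORP\\blocked.user"}

ANY = lambda req: True

def user_not_in(members):
    """User condition 'All Users except <group>': tested against the logged-on user."""
    return lambda req: req["user"] not in members

def source_in(computer_set):
    """Computer-set condition: tested against the request's source address."""
    addrs = {ip_address(a) for a in computer_set.values()}
    return lambda req: ip_address(req["src"]) in addrs

def evaluate(rules, req):
    """Return (action, rule name) of the first rule whose conditions all match."""
    for name, action, src_cond, user_cond in rules:
        if src_cond(req) and user_cond(req):
            return action, name
    return "deny", "Default rule"

# Post #3: one allow rule for All Users with the deny group as an exception.
exception_policy = [("Internet access", "allow", ANY, user_not_in(DENY_GROUP))]

# Post #4: a deny rule keyed on the computer set, placed above the allow rule.
computer_set_policy = [
    ("Block training PCs", "deny", source_in(TRAINING_PCS), ANY),
    ("Internet access", "allow", ANY, user_not_in(DENY_GROUP)),
]

# A permitted user at a training PC: the request carries the user's identity,
# never the computer account TRAIN01$, so group membership of TRAIN01$ is moot.
req_training = {"src": "10.0.5.21", "user": "CORP\\alice"}
req_office = {"src": "10.0.9.40", "user": "CORP\\alice"}
req_blocked_user = {"src": "10.0.9.41", "user": "CORP\\blocked.user"}

if __name__ == "__main__":
    for label, policy in (("exception", exception_policy),
                          ("computer set", computer_set_policy)):
        for req in (req_training, req_office, req_blocked_user):
            print(f"{label:12} {req['src']:10} {req['user']:18} -> {evaluate(policy, req)}")
```
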
RE: Unable to deny Internet Access based on Computer Na... - 30.Dec.2015 8:47:27 AM   
Bahaafarhat

 

Sorry, I did not understand "FQDN name of computers".
Could you please specify the steps for denying computers?

Please, I need to deny some IPs from the internet, and not users.



Note: when choosing users to deny from Active Directory I get the following error:
Windows can not process the object with the name "..." because of the following error
The remote procedure call failed and did not execute

(in reply to selman)
Post #: 5
