
Welcome to ISAserver.org


Help with AD Groups in Rules

Help with AD Groups in Rules - 16.Sep.2004 4:00:00 PM   
Gabe2434

 

Posts: 2
Joined: 16.Sep.2004
From: London
Status: offline
Hi All,

We've recently set up a WIN2K3 server with ISA 2004.

We are using ISA as a single adapter. Now the problems we have encountered are through setting up a simple rule to allow certain users to use MSN messenger, over Port 1863.

If I add new single users from the domain - the rule works correctly, and they can use MSN messenger. If they are not in there, they are blocked.

If I add one of my preset AD groups for MSN messenger usage, they can connect.

If I remove a user from this group in AD, and then try and connect, the user still can!

EVEN IF the user is not in this group, and any other group is added (i.e. a test group) the user can still connect!

I have made sure that the rule is above any authorised user rule.

So why is ISA2004 not picking up the AD groups correctly??? It works completely fine with just single users...

Anyone have any ideas?

Cheers!

Gabe
Post #: 1
RE: Help with AD Groups in Rules - 17.Sep.2004 4:55:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Gabe,

1. Install a second adapter

2. Make sure that each adapter is on a different network ID and network segment

3. Create an access rule that allows the required protocol

HTH,
Tom

(in reply to Gabe2434)
Post #: 2
RE: Help with AD Groups in Rules - 21.Sep.2004 1:24:00 PM   
Gabe2434

 

Posts: 2
Joined: 16.Sep.2004
From: London
Status: offline
Thanks for the reply

We are currently only using ISA 2004 as our web proxy, it is not our default gateway.

AD Groups added into access policies do not work at all. Yet single users from the AD tree do.

Is there anything to try?

I have set up a Verifier from ISA 2004, and it can see and register my AD server OK.

thanks

(in reply to Gabe2434)
Post #: 3
RE: Help with AD Groups in Rules - 3.Oct.2005 9:13:00 AM   
abruggeman

 

Posts: 10
Joined: 29.Jun.2005
From: Leiden, The Netherlands
Status: offline
Hi all,

I searched around in the forum and the description in this thread was most similar to the problem that I have.
Our ISA 2004 enterprise edition has 3 interfaces and is part of our domain. I use AD user groups for control, so I add the AD user group to an ISA user group and add this to my access rule. When creating the rule, it works (most of the time).
But when I add or remove a member to/from the AD group, it is not picked up by the ISA: Added members cannot connect (denied by the default rule), and removed members can still connect (allowed by the access rule where this user group is in). Only when I add the users directly in the ISA user group (not in the AD group) it works.
It looks like the ISA is not checking changes in the AD groups when authenticating.

Can anyone help?
Thanks,
Albert Bruggeman

(in reply to Gabe2434)
Post #: 4
