I got stumped in configuring Microsoft ISA 2004 in order for it to be able to completely replace our Squid server. The configurations that I need to work with ISA are as follows:
- Proxy client users need to authenticate their session with ISA before they can start browsing (I got it to work through RADIUS, by giving the checkmark on "require authentication" on the ISA proxy configuration. Forcing authentication apparently requires everybody to authenticate, while not giving the checkmark lets anybody access the Internet)
- Certain hosts/IPs from the Internal network can browse the Internet without authenticating with ISA at all. (We have some servers that need to be able to go to the Internet to obtain their updates from several vendors without being asked for a username or password at all. This configuration currently does not work because I have to give a checkmark on "require authentication" in order to make (1) work.)
- Certain hosts and users can browse a limited number of sites on the Internet without authenticating with ISA at all. (We have a service that is outsourced to a third party, and everybody, no matter whether they have an account in the AD or not, must be able to go to this website, and not to any other website unless they authenticate themselves.)
- Able to restrict some websites for certain users, and allow other users to be able to browse freely.
Now my question is: can I accomplish the goals above with ISA 2004? It seems to me that with ISA server (for authentication), it's either everybody must authenticate, or everybody does not need to authenticate at all.
1. Authentication and access are controlled by Access Rules, not the "ask unauthed users to auth" checkbox. You should never enable that checkbox because of other problems it brings to the fore.
2. If the ISA firewall is in the path, and you have configured Access Rules requiring authentication, then no one will ever bypass the ISA firewall to access the Internet.
3. Access rules control what users can access what sites and at what times. You can also configure access per IP address and not require authentication, or you can allow unauthenticated connections to specific sites as well. The ISA firewall is very powerful in giving you extremely granular access control.
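The four requirements in the question, expressed as one ordered rule list, in an added example that is not part of the original thread and is not ISA configuration or ISA's API. It is a simplified Python model that assumes ordered, first-match rule evaluation; the rule names, addresses, site names and user names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    sources: Optional[list]     # source networks; None = any internal client
    sites: Optional[set]        # destination hosts; None = any site
    users: Optional[set]        # None = all users, no authentication needed

def evaluate(rules, src_ip, site, user=None):
    """Return (decision, rule name) for one web request; first match wins."""
    for r in rules:
        if r.sources is not None and not any(
                ip_address(src_ip) in ip_network(n) for n in r.sources):
            continue
        if r.sites is not None and site not in r.sites:
            continue
        if r.users is not None:
            if user is None:
                # Rule needs an identity: the proxy must ask for credentials.
                return ("auth_required", r.name)
            if user not in r.users:
                continue
        return (r.action, r.name)
    return ("deny", "default-deny")

# Constructed sample policy: all addresses, hosts and user names are made up.
DOMAIN_USERS = {"alice", "bob"}
POLICY = [
    Rule("update-servers", "allow", ["10.0.0.10/32", "10.0.0.11/32"], None, None),
    Rule("partner-site", "allow", None, {"partner.example"}, None),
    Rule("restricted-users", "deny", None, {"games.example"}, {"alice"}),
    Rule("domain-users", "allow", None, None, DOMAIN_USERS),
]

if __name__ == "__main__":
    for req in [("10.0.0.10", "updates.vendor.example", None),
                ("10.0.1.50", "partner.example", None),
                ("10.0.1.50", "news.example", None),
                ("10.0.1.50", "games.example", "alice"),
                ("10.0.1.50", "games.example", "bob")]:
        print(req, "->", evaluate(POLICY, *req))
```

In this model the two anonymous rules sit above the user-based ones, so the update servers and the outsourced site are matched before any rule that would ask for credentials.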