Posts: 5
Joined: 1.Dec.2002
From: amman, jordan
Status: offline
Heya, I am having a headache. I tried the articles and I looked in the forums, but I found nothing. My problem is as follows: my ISA server is a domain controller in a domain. I have domain computers, plus 4 computers that are in a workgroup, but on the same physical network. Each one of these PCs has the firewall client installed. My ISA config is as follows:

1. Integrated authentication - plus "ask unauthenticated users for ..." checked.
2. Access policies that allow everyone to do basically everything (heh, talking about security).

My 4 workgroup clients run firewall applications as usual; everything's alright. Now I have to deny some users inside the domain from using some protocols, so I create a protocol rule denying that based on domain user accounts. Everything's fine, except that now my 4 firewall-clients-in-the-workgroup are being asked for authentication. Since they are out of the domain, I get that "authentication failed" firewall client icon thing. Those 4 firewall-clients-in-the-workgroup are supposed to be allowed to run anything. I think I fully understand what's happening, so I thought that I could do the SMB "trick" (creating domain accounts for my local users - not joining the machines to the domain - so that when my users on the 4 firewall clients try to get to ISA, they pass their username/password to the server, and the server can then find them in AD). Problem: the SMB "trick" doesn't work.
Now my question is: how can I fix it? Suppose I have a domain (D1) with an ISA server in it, and firewall clients in another domain (D45), not in the same forest, no trust relationship. How can I make users of D45 authenticate themselves to the ISA server in D1?
Thanks a lot in advance, and sorry for taking too much space.
eyas
Posts: 20
Joined: 1.May2003
From: New York
Status: offline
There are several things going on here. I would first suggest taking ISA Server off of your DC and putting it on another server. ISA on a DC is not a great choice for several reasons, security definitely being at the top of the list. If security isn't a concern (which it doesn't really sound like it is here), then the next question to ask is why have machines in another workgroup, particularly if you have a domain with users in it. Typically, if you had your ISA server in one domain and computers or users in another domain, you could set up a 2-way trust and be able to manage/administer ISA across the 2 domains, but using a workgroup here most likely will not work.
The only thing I could suggest in your scenario is to set up everyone in your workgroup as SecureNAT clients. There's no user-level authentication, but it'll give them the access out. You'll need to set the workgroup PCs to point to the ISA Server as the gateway in their TCP/IP settings. Uninstall the fw client from these machines, and remove any proxy server settings you have in the browsers on these machines. Just understand that setting up SecureNAT clients gives those clients complete access to the Internet (no rules will be processed or followed by these clients).
In your domain, you can still set up your rules and they'll just apply to your domain accounts. Since you're using workgroups, I'm assuming that these machines are using static IP addresses. If not, you'll need to set up static IPs for those workgroup computers, because the ISA server has to be the default gateway in order for this to work. Alternatively, you can set your DHCP server's gateway to the IP address of the ISA Server and get the same results, but it sounds like you have a small network in this workgroup. Plus, if you only have one DHCP server, that may cause issues on the domain side of your network.
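The SecureNAT conversion described in the reply above (static IP with ISA as the default gateway, firewall client removed, browser proxy cleared, then a check that the default route really points at ISA), written out as a script for one workgroup PC. This is an added example, not code from the poster or from Microsoft; the adapter name, all IP addresses and the firewall client product-name filter are assumptions and must be adjusted to the real network.

```powershell
# Added example: turn one workgroup PC into an ISA SecureNAT client.
# Assumptions (not from the original thread): adapter name, addresses, product name filter.
# Run in an elevated PowerShell on the workgroup PC.

$InterfaceName = "Local Area Connection"   # assumed adapter name; list with: netsh interface ip show config
$ClientIP      = "192.168.10.21"           # assumed static address for this workgroup PC
$SubnetMask    = "255.255.255.0"
$IsaInternalIP = "192.168.10.1"            # assumed internal (LAN-side) address of the ISA server
$DnsServer     = "192.168.10.1"            # assumed DNS server reachable from the workgroup

# 1. Static addressing with the ISA server as the default gateway (positional netsh form; metric 1).
#    SecureNAT only works when outbound traffic is routed through ISA, hence the gateway.
netsh interface ip set address "$InterfaceName" static $ClientIP $SubnetMask $IsaInternalIP 1
netsh interface ip set dns "$InterfaceName" static $DnsServer

# 2. Clear the Internet Explorer proxy for the current user so the browser stops acting
#    as a Web Proxy client and sends traffic via the default gateway instead.
$ieKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty    -Path $ieKey -Name ProxyEnable -Value 0
Remove-ItemProperty -Path $ieKey -Name ProxyServer   -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $ieKey -Name AutoConfigURL -ErrorAction SilentlyContinue

# 3. Uninstall the Firewall Client. The name filter is an assumption; confirm the exact
#    product name in Add/Remove Programs before relying on it.
$fwc = Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%Firewall Client%'"
if ($fwc) {
    $fwc.Uninstall() | Out-Null
    Write-Host "Firewall Client uninstalled."
} else {
    Write-Host "No product matching 'Firewall Client' found; uninstall it manually if present."
}

# 4. Verify: the only default route (0.0.0.0) should now point at the ISA server.
route print 0.0.0.0
ping -n 2 $IsaInternalIP
```

Because a SecureNAT client presents no user identity to ISA, the only handle the server has on these machines is their source address, which is why the reply insists on static IPs; keep those addresses documented so that any address-based restriction you later apply on the ISA side matches the right hosts.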