ISAserver.org forums: ISA 2006 General >> Installation and Planning

newbie question
newbie question - 13.Apr.2007 11:20:15 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
I have the following infrastructure:

hq -----> nat router -----> internet <----- nat router <------ home office (x-times)

The home offices are connected through IPsec VPN tunnels to the HQ. At this time it is done by a VPN router. The employees (at HQ) should have restricted access to the internet. At this time we do it by blocking the PC of the employee at the router or granting access to single web sites for everyone at the router. Some employees should have complete access. Because there are now several terminal servers installed, we have to restrict access to the internet per user, because one terminal server is running with some employees logged on (who have internet access because the TS has it) and most employees work on another TS (and have no internet access because the TS hasn't). The problem is the performance on the crowded server and the idleness of the other one. Now my questions:

- Can I restrict access to the internet on a per-user basis with ISA Server (AD-authenticated users)?
- Where is the NAT server placed? Instead of the HQ router or between the HQ router and the network?

Thanks for any information ...

Regards, Wolfgang
Post #: 1
RE: newbie question - 24.Apr.2007 8:40:30 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Why are site-to-site VPNs being used? It would be preferred that the users establish a remote access VPN client connection. Then you can control where the users can go on the corporate network and the Internet using the ISA Firewall's advanced VPN server. Works great.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 2
RE: newbie question - 25.Apr.2007 3:33:25 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
Hello,
Site-to-site VPN connections are used because in the HO there are network printers that are printed on from HQ, so the VPN link has to be up all the time.
At the HO there are thin clients and printers. They work on a TS at HQ. All traffic is routed through the VPN link to the HQ.
Could I do the following? Replace the router at HQ with the ISA Server. Build steady VPN connections as before from HO to HQ. Limit internet access per user (only a few users should have general internet access)? Open special internet sites for all (most users need only a few sites)? Content filter for those users who have general access (they shouldn't surf through sex, porn or other sites with malicious code)?
All users work on a terminal server. Only a few have fat clients. Most have thin clients.

Regards, Wolfgang

(in reply to tshinder)
Post #: 3
RE: newbie question - 25.Apr.2007 10:50:06 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
At the home offices, are they using thin clients or full OSs?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 4
RE: newbie question - 26.Apr.2007 3:31:50 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
They use thin clients.

Wolfgang

(in reply to tshinder)
Post #: 5
RE: newbie question - 26.Apr.2007 2:49:22 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
OK, now I see the need for the site-to-site VPN.

You could terminate the site-to-site VPNs on the ISA Firewall, but you would need to create access rules allowing the remote site networks (which you can group into a single Network Set) to what you want them to access on the corpnet and the Internet.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 6
RE: newbie question - 27.Apr.2007 3:30:18 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
So do I see it right that I can cover all needs with the ISA Server?
- Grant internet access to all or single sites per AD-authenticated user
- Make the ISA Server the VPN server
- Take log files of what sites are visited by a user (via extra tools)

Two additional questions:
- Could the ISA Server log email traffic (NOT Exchange), especially what attachments are sent, and when possible store a copy of the attachment?
- Could the ISA Server log file copies via VPN tunnels? Or could the ISA Server restrict the traffic to "RDP" and "print" traffic? The background is to prevent employees from copying data to their HDD at home.

Regards, Wolfgang

(in reply to tshinder)
Post #: 7
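The per-user site logging Wolfgang asks about above is available once users authenticate to the proxy, because the web proxy log then carries a username column. As an added example (not code from this thread, from ISAserver.org, or from ISA Server itself), the Python script below parses a W3C extended-format proxy log by reading its `#Fields:` directive, summarises which hosts each user visited, lists responses outside 2xx/3xx, and replays a simple per-user policy of the kind discussed (a few users with general access, everyone else limited to a site list, unauthenticated requests denied). The sample log lines, the field subset and the policy are constructed; the column names are assumptions, and the parser adapts to whatever columns the real `#Fields:` line declares.

```python
"""Per-user web activity summary and policy replay over a W3C extended log.

Constructed example: the field names below are an assumed subset of a proxy
log; the parser keys every record by the #Fields: directive it finds, so it
works with any W3C extended log that declares its columns.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple, Union

# Constructed sample log (not real ISA output): directives, then data lines.
SAMPLE_LOG = """\
#Software: (constructed sample)
#Version: 1.0
#Fields: date time c-ip cs-username r-host cs-uri sc-status rule
2007-04-27 08:01:12 10.0.0.21 CORP\\wolfgang www.example.com http://www.example.com/ 200 General_Web
2007-04-27 08:01:15 10.0.0.21 CORP\\wolfgang cdn.example.com http://cdn.example.com/a.js 200 General_Web
2007-04-27 08:02:40 10.0.0.22 CORP\\alice www.example.com http://www.example.com/ 200 Site_List
2007-04-27 08:02:55 10.0.0.22 CORP\\alice files.example.net http://files.example.net/upload 403 Default_Deny
2007-04-27 08:03:10 10.0.0.23 anonymous www.example.org http://www.example.org/ 407 -
"""

Record = Dict[str, str]
# A policy maps a username to "*" (general access) or a set of allowed hosts.
Policy = Dict[str, Union[str, Set[str]]]


def parse_w3c(lines: Iterable[str]) -> List[Record]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Record] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The directive may appear more than once (e.g. after log rotation).
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date, ...
        if not fields:
            raise ValueError("data line encountered before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def sites_per_user(records: List[Record]) -> Dict[str, List[str]]:
    """Which hosts each (authenticated or anonymous) user requested."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        host = rec.get("r-host", "-")
        if host != "-":
            seen[rec.get("cs-username", "-")].add(host)
    return {user: sorted(hosts) for user, hosts in seen.items()}


def non_success(records: List[Record]) -> List[Record]:
    """Requests whose status is not 2xx/3xx: denials, auth challenges, errors."""
    return [r for r in records if not r.get("sc-status", "").startswith(("2", "3"))]


def evaluate_policy(records: List[Record], policy: Policy) -> List[Tuple[str, str, str]]:
    """Replay a per-user allow policy; users absent from the policy are denied."""
    decisions = []
    for rec in records:
        user = rec.get("cs-username", "-")
        host = rec.get("r-host", "-")
        allowed = policy.get(user)
        if allowed == "*" or (isinstance(allowed, set) and host in allowed):
            decisions.append((user, host, "allow"))
        else:
            decisions.append((user, host, "deny"))
    return decisions


# Constructed policy: one general-access user, one site-list user, default deny.
EXAMPLE_POLICY: Policy = {
    "CORP\\wolfgang": "*",
    "CORP\\alice": {"www.example.com"},
}

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    for user, hosts in sites_per_user(recs).items():
        print(f"{user}: {', '.join(hosts)}")
    print("non-success:", [(r["cs-username"], r["r-host"], r["sc-status"]) for r in non_success(recs)])
    print("policy replay:", evaluate_policy(recs, EXAMPLE_POLICY))
```

Usernames only appear in the log when the client is authenticated; on a shared terminal server that means per-user (not per-machine) authentication at the proxy, which is the point of the Firewall client Tom mentions further down the thread. Requests logged as anonymous can therefore not be attributed to a person, and the policy replay treats them as denied.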
RE: newbie question - 29.Apr.2007 9:27:19 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
- Could the ISA Server log email traffic (NOT Exchange), especially what attachments are sent, and when possible store a copy of the attachment?
TOM: No

- Could the ISA Server log file copies via VPN tunnels? Or could the ISA Server restrict the traffic to "RDP" and "print" traffic? The background is to prevent employees from copying data to their HDD at home.
TOM: No -- This is why I really hate RDP access -- you cannot control any aspect of the protocol and you provide complete desktop access to the users. There are no RDP filters that I'm aware of that will allow you to control the traffic, other than something like controlling what app can be used, which can be easily bypassed by a skilled hacker.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 8
RE: newbie question - 30.Apr.2007 5:39:54 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
Hello Tom,
If I do the following steps, is that OK for good security? The main purpose is to prevent users from carrying data out!
- Replace all fat clients with thin clients where possible. Some clients can't be changed because they are CAD workstations. For these clients I will implement a policy which disables access to removable drives.
- Replace the router in HQ with an ISA Server.
- Disable access to local media in the RDP protocol.
- Search for a solution which makes copies of email attachments.
- Implement web monitoring on the ISA Server.
- Grant web access in the ISA Server per user based on Active Directory authentication (possible?)
- Disable the possibility of putting data out to an FTP server in the ISA Server (possible?)

Or do you prefer another way to secure the data / network?

Thanks,
Wolfgang

(in reply to tshinder)
Post #: 9
RE: newbie question - 2.May2007 8:01:58 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Wolfgang,

Yes, but you will need to install the Firewall client on the Terminal Server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 10
RE: newbie question - 3.May2007 4:19:13 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
Thanks for your help, Tom.
One last question. ISA Server is sold per CPU. Is a dual-core CPU 1 or 2 CPUs for ISA Server?

Regards
Wolfgang

(in reply to tshinder)
Post #: 11
RE: newbie question - 3.May2007 7:59:09 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Wolfgang,

A dual core on a single die counts for a single license. So you don't need to license two processors.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to wmeibers)
Post #: 12
RE: newbie question - 4.May2007 6:22:55 AM   
wmeibers

Posts: 7
Joined: 13.Apr.2007
Thanks a lot for all that information ...

Wolfgang

(in reply to tshinder)
Post #: 13