RE: Changing Protocol access rules

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Oct 2005 11:01:33 -0700

OK  - that's useful info.

First, the question of how users log on / off and whether or not they
can change the state of their workstations is *not* a problem ISA can
help you solve.  This is strictly an employer policy enforcement issue.
Until they publish these policies that you're trying to enforce through
ISA and enforce them via termination or formal charges, you'll fail;
period.

Regarding the SecureNAT question, "Joe(sephine) User" shouldn't be a
SecureNAT client, period.  They need to be either Web Proxy or Firewall
clients, only.

Regarding the network routing question, you'll need to provide much more
detail about the deployment than you have before anyone can offer useful
advice.  You'll probably want to take that part offline.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxx] 
Sent: Monday, October 03, 2005 10:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changing Protocol access rules

Jim,

 I'm currently testing the ISA 2004 server in a test environment for
future deployment for a small metropolitan local area network. This is a
non-profit alcohol and drug rehabilitation center; they have 4 locations
linked together with T1 access, and all 4 centers are tunneled using GRE
protocol 47. We need to block scumware and stop users from downloading
and installing programs, mp3 and exe files, etc. Their biggest problem is
users downloading and installing programs on the computers. Not to
mention users were logging on to the domain with the administrator
password; both the domain admin and the local admin passwords were the
same when I took this facility over. The nature of the organization
might tell a story in itself.

 I have been given the go-ahead to lock down all the workstations to
user-level access and install a firewall filtering computer at each
location. At this point I think the ISA 2004 servers will probably be web
caching / HTTP filtering only, because of the topology that's in place at
the moment; the default gateway will have to be the Cisco router. I will
be using the GRE tunnel to authenticate and set up a GPO for each
location to force proxy settings on IE. Money is definitely an issue at
the place; the T1 lines are donated.

 The only way I can think of making the ISA box the default gateway is
to create a perimeter network on the public tunnel and have an ISA 2004 box
and a domain controller at each location.

What I have done at the moment is started reading Tom's book, beginning
with chapter 4; maybe more will be revealed to me??

Thanks for the information. Jim May 


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Monday, October 03, 2005 8:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changing Protocol access rules

Yes - they're mutually exclusive requirements.
The ISA help and several articles on isaserver.org discuss this.

Exactly what apps are you trying to work with and exactly what are you
trying to accomplish for each?
You can separate rules into anonymous and authenticated - ISA was
designed to provide just this sort of granularity.
-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 


