Hi Bill, Computer authentication is not supported. You can use computer sets for IP address based access control. General rule of thumb for ordering rules: Deny anonymous Deny authenticated Allow anonymous Allow authenticated Like all bromides, this is a vast simplification. But it'll get you 90% of where you want to go. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls **Who is John Galt?** ________________________________ From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] Sent: Thursday, November 03, 2005 10:50 AM To: [ISAserver.org Discussion List] Subject: [isalist] Mixed Authentication Environment http://www.ISAserver.org Hello, I would like to setup a "mixed" environment of ISA firewall clients and Secure NET Clients. The goal is to control access based on which user has logged onto The firewall client machines without having the secure NAT clients affected. After reading through http://www.isaserver.org/articles/ISA2004_AccessRules.html In the section on user authentication rules: The article describes the behavior of rules when the user can not be authenticated which is the case for Secure Net Clients. What I am having trouble with is that unless I force all users to authenticate the Rules that have restrictions placed on them don't work. In other words it appears that the users must be validated in order for them to work. Forcing validation by setting all users my authenticate fixes the ISA Firewall Clients but breaks the Secure Net Clients. Is there a way to create and All unauthenticated users rule set and make it an exception to a rule in ISA2004? Is there some way to apply a rule to someone who has presented credentials but has not necessarily been validated? (Yes I know this would be really weak security its just a question). Is there a way to validate a computer account for Secure Net Clients? I guess if I fixed the IP address of all of these then I could make them exceptions to a rule or could I ? Client IP is evaluated before user correct? Thanks Bill ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx