Thanks for your reply. I am with you about the domain authentication process. However, consider the followings; 1) Our Lan and intranet users log in to the domain. So, there is no problem with these user authentications. On the other site, I have an extranet site which does not belong to our W2K domain (moreover they do not use any domain, but simple workgroup), but they access the internet through our ISA+SurfControl proxy machine. In this case, my solution was to open a user name on the ISA server locally for each person coming from the extranet site (this solution worked until the SurfControl v4.2). 2) Microsoft officially suggest that, when especially using A.D., we should put domain users into Global Security groups, then make these global groups a member of local group on which machine you try to give some permissions, and then give any right locally to these local groups!!!!!!!! Regards, -------------------------------------------------------------------- Rami SIK System & Network Administrator CCNA Kimyatas Istanbul / Turkey Tel:90-212-334 4963 -------------------------------------------------------------------- -----Original Message----- From: William Robertson [mailto:william.robertson@xxxxxxxxx] Sent: Friday, January 24, 2003 9:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: SurfControl web filter http://www.ISAserver.org Hi Rami I have SurfControl WEB Filter installed as well and I have confirmed that which you say, but my question is this, if your ISA Server is a member of the Win2K Domain, then surely you only use Usernames created within your Active Directory, and not on your individual servers? With this in mind, I cannot see why you would ever want to start authorizing access within SurfControl based upon a group or user that is local to the ISA Server alone, because who is going to authenticate against the ISA Server instead of against your Win2K domain? The thing is, when you are surfing through ISA Server's WEB Proxy service, Internet Explorer will pass your currently logged-on credentials through to ISA Server. These credentials are the username you use to log onto your workstation, and I don't know about you, but when I log on to my workstation I use the domain username, not a username created locally on my ISA Server firewall. Cheers William R. -----Original Message----- From: Rami SIK [mailto:rami@xxxxxxxxxxxxxxx] Sent: 24 January 2003 08:51 AM To: [ISAserver.org Discussion List] Subject: [isalist] SurfControl web filter http://www.ISAserver.org Hi all, If you are using SurfControl Web filter for ISA, please read the following problem. I am using SurfControl version 4.2. When I try to establish rules for the SurfControl, I can see the W2k Domain users and groups, but not local users & groups on which ISA server runs. (ISA server is a member of the W2K domain). Regards, -------------------------------------------------------------------- Rami SIK System & Network Administrator CCNA Kimyatas Istanbul / Turkey Tel:90-212-334 4963 -------------------------------------------------------------------- ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rami@xxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')