Good Morning Tom, I am still waiting for ur suggestion on the previous mail. Do u think if I disable SecureNat (by having no anonymous rules) and installing Firewall Client and enabling proxy, I will have the best config for clients ( as u suggested)? Whats the downside if the clients uninstall firewall clients?? (some have admin rights) And do I still have to disable the HTTP filter for web access (doesn't the firewall client fwd credentials in ISA 2004 ?) Please suggest Thanks Aman ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------------------------------- -----Original Message----- From: Aman Bedi [mailto:gurkirpal.bedi@xxxxxxxxxxx] Sent: Tuesday, September 14, 2004 10:29 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Web Listeners http://www.ISAserver.org Thanks Tom, But some machines have admin rights. I want to force them to use firewall ( so that they can authenticate and I can set rules based on that like for web sites ) If they uninstall Firewall client, they will be proxy clients or secureNAT clients and I wont be able to restrict their access to Websites. What is the best config for clients so that they always authenticate and I control their access. ?? In ISA 2004, "firewall client credentials are forwarded to the web proxy service", so I think the best option is to configure clients are firewall clients, disable Proxy on the internal network , and remove anonymous access rules to prevent SecureNAT connections. This way I force Firewall Clients. What do u suggest, my main aim is to "config for clients so that they always authenticate and I control their access." Thanks ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------------------------------- -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, September 14, 2004 9:16 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Web Listeners http://www.ISAserver.org Hi Aman, My recommended setup is to install the Firewall client on all Windows client machines and configure all Web browsers as Web Proxy clients. Do not install the Firewall client on servers, and make the Servers Web Proxy clients depending on how you manage them. I would make them Web Proxy clients "just in case", as you can force authentication for any user who 'happens' to log onto the server, provides an account based audit trail. HTH, Tom -----Original Message----- From: Aman Bedi [mailto:gurkirpal.bedi@xxxxxxxxxxx] Sent: Monday, September 13, 2004 2:43 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Web Listeners http://www.ISAserver.org Cool, Thanks Jim Now I know how it works for firewall clients. ;) Thanks About the 2nd part of question addressed to Tom, everyone else is also requested to comment ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ ---- ----------------------------------- -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Monday, September 13, 2004 3:28 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Web Listeners http://www.ISAserver.org Read this: http://isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html There's no gain to using an external listener to reach an internal resource... Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ----- Original Message ----- From: "Aman Bedi" <gurkirpal.bedi@xxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, September 13, 2004 12:07 Subject: [isalist] Web Listeners http://www.ISAserver.org Hi everyone. I have published 2 webservers on our internal domain. When someone accesses the sites from outside they work fine. >From internal network, I can access the sites thru local ip, but doesn't work thru website name or public ip . (securenat clients) It works fine for Firewall clients . Any ides ? ALSO tom, whish one is better, to force a client to be firewall client or to force them to be proxy client? i read in ISA 2004 "firewall client credentials are forwarded to the web proxy service". This is unlike ISA 2000 .right ? that means if i force users to be firewall clients only, then i can have rules based on user credentials ...( which was not possible is isa 2000, as u said in ur article that to do so we should force clients to be proxy clients) please clarify this point. Thanks ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gurkirpal.bedi@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gurkirpal.bedi@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gurkirpal.bedi@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx