Sorry that is change rule 2 to apply to testuser -----Original Message----- From: Muqeem Syed [mailto:Syed.Muqeem@xxxxxxxxxxxx] Sent: 14 November 2001 16:57 To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org Hi JOhn, Sorry for the confusion I am starting...OK let me get the entire thing clear again I have installed the firewall client on a test machine. Create Rule: Allow all destinations, Applies to: Requests coming from-----> domain\domain users, Exceptions : Domain\testlog Rule (2) Rule : allow to the destionation set specified Applies to: Requests coming from Domain\Domain Users UserA from group A logs in .... test machine (With firewall client), gets access to all sites. User B logs in on test machine (With firewall client), authentication dialogbox pops us...gets no access to any site..I have changed the homepage as well to poin to www.dhl.com (one of the sites mentioend in the destination set). Even then the authentication boxs pops up. User B logs on to machine xyz (no firewall client) gets the authentication box, typoes in username and password.. does not get access to any site. Regards Rule (2) Rule : Allow access to the specified destination set. Applies to : Domain\domain users -----Original Message----- From: John Burridge [mailto:JBurridge@xxxxxxxxx] Sent: Wednesday, November 14, 2001 6:40 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org Ok lets start again - this is getting a bit confused. Have you done this? Installed firewall client on test machine. Create rule: Allow http to any destination Apply: to group A users Create rule: Allow http to the defined destination sets. Apply: to group B users Log on to test machine as a group A member. You should be able to access everything. Log on to test machine as a group B memebr. You should only be able to access the destination sets -----Original Message----- From: Muqeem Syed [mailto:Syed.Muqeem@xxxxxxxxxxxx] Sent: 14 November 2001 16:33 To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org I have just installed the firewall client on one machine.. and testing it out on that... but like i mentioned in the previous mailll the mail just before this one.. that it prompts me for authentication but still does not allow access to the specific site.. the order in which i have set the site and content rules is as follows.. Site and content rule (1) action allow applies to all domain users, except group b destination to all sites site and content rule (2) applies to: all domain users Action : allow Destination: to the sites mentioned in the destination set. I ahave installed the firewall client on only one machine and logging on that with the test user account, who belongs to group B. REgards -----Original Message----- From: John Burridge [mailto:JBurridge@xxxxxxxxx] Sent: Wednesday, November 14, 2001 6:12 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org If they are not using the firewall client they are not authenticating with the ISA server. Have you made these rules apply to user groups? If you have, you need to have the users authenticate so that ISA knows who to apply the rules to. The only other way I can think of doing it is if your users in group B are assigned IP's from one pool and the rest of your users from another. Then assign your rules to these IP pools respectively. John Burridge -----Original Message----- From: Muqeem Syed [mailto:Syed.Muqeem@xxxxxxxxxxxx] Sent: 14 November 2001 16:12 To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org No.. none of them are usinfg the firewall client... is that neccessary...??? Regards -----Original Message----- From: John Burridge [mailto:JBurridge@xxxxxxxxx] Sent: Wednesday, November 14, 2001 6:05 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org Are all your users using the firewall client? -----Original Message----- From: Muqeem Syed [mailto:Syed.Muqeem@xxxxxxxxxxxx] Sent: 14 November 2001 16:06 To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org We have installed ISA server in our production environment. The main intention is for web caching and to control internet acecss to users. I have created a destination set that includes a few sites. We have 2 user groups.. one needs to get full access to the internet while the other should be able to access only the sites mentioned in the destination set. I have created 2 site and contet rules... one allows group a access ot the entire internet and the other allows all users access to the specific sites mentioned in the destionation set. Even though i have mentioned this, the users from group b, cannot access the sites mentioned in the destionation set. Please help me with the confgiuration. Regards -----Original Message----- From: Periyasamy, Raj [mailto:psraj@xxxxxxxxxxxx] Sent: Wednesday, November 14, 2001 6:01 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org John, Thanks alot for the information. Regards, Raj -----Original Message----- From: John Burridge [mailto:JBurridge@xxxxxxxxx] Sent: November 14, 2001 10:33 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: standalone vs array http://www.ISAserver.org 1) Yes - you enter two DNS entries for whatever name you choose, and point them to the internal NICS ip address on each 2)To get fault tolerance, install the firewall client on end users machines. Arrays are a real pain in the proverbial if one line goes down. You will get no access for any user until you stop the services on the down server, or the line comes back up. I got around this by installing webtrends on each server, and creating a job that pinged an external router. If it couldnt reach that, I had it run a job that stopped the services, and then ran one to start them when the line came back up. It has worked very successfully so far. 3)You could get load balancing, as the DNS entry will alternate which server you are sent to, but you will not get fault tolerance without the Firewall Client. John Burridge -----Original Message----- From: Periyasamy, Raj [mailto:psraj@xxxxxxxxxxxx] Sent: 14 November 2001 15:31 To: [ISAserver.org Discussion List] Subject: [isalist] standalone vs array http://www.ISAserver.org I am currently managing two standalone ISA serevrs load balanced with NLB for internal users. All users access the ISA using the NLB virtual host name. I am planning to migrate these two servers to an array (since our AD is now in place). Once the array is inplace NLB will be uninstalled.None of the clients are using firewall client in my network. Questions: 1) Once I migrate to an array, will it be possible to access the array using a virtual host name like used by NLB. How is the virtual name assigned to the array? 2) How is the fault tollarance and load balancing applied to the clients? Currently none of my clients are using the auto configuration script, They point to the VHost name of the NLB host. 3) Is it possible to make use of the array's FT and LB features without using the firewall client in workstations? I would appreciate all inputs... Thnaks in advance. Regards, Raj ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jburridge@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: psraj@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: syed.muqeem@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jburridge@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: syed.muqeem@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jburridge@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: syed.muqeem@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jburridge@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: syed.muqeem@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jburridge@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')