
Block Internet Access 2

Status
Not open for further replies.

Stuartp

Technical User
Feb 22, 2001
178
GB
How can I prevent certain users on our network going onto the Internet? We are using Small Business Server 2000 with ISA Server. I have setup a rule in Site and Content Rules that denies access for me, as an experiment, but I can still go online even with this rule in place.

Please can someone point me in the right direction - there must be something I am missing here.

Many thanks

Stuart
 
We block Internet access to selected PCs (in a call centre) by using DHCP to reserve specific IP for the PCs.

We then have a Client Address Set (under Policy Elements) in ISA that defines the IP address range of the Internet-restricted PCs.

Then we have a Site and Content Rule (under Access Policy) that applies to the Internet-restricted PCs, which denies access for all Destinations (see the Action tab).

Our approach is to block access by PC, as we do not want anyone screwing up the config of our call centre PCs. Alternatively if you want to restrict access on a per-user basis, you need to install the firewall client on your PCs. This will allow you to identify the logged-on user on each PC and thus in the ISA server Site and Content rule you can use "Users and groups" rather than Client Address Sets.

Have a look at it has lots of good FAQ on ISA.
 
Using a DHCP scope like that is a pretty good idea. I will have to keep that in mind for later. But, to control access via users, you do not need to install the fw client. What you need to do is set up a global NT group, call it Internet or something of the like. Set up a content filtering/protocol rule that allows that specific group access to the internet. This was the easiest way of doing it for us. Our company is spread across 7 states with about 500 internet users.

Joe
 
Hoping someone can offer a further insight into this. I've not tried anything since October (been busy with other things!) but I have tried to do it now using Security Groups and still cannot get it to work as intended.

All users are assigned to the group Domain Users. I then have two other security groups: BackOffice Internet Users and BackOffice Intranet Only Users. I have then created a rule that denies access to Intranet Only users and allows access to Internet Users.

Tried setting myself up as an Internet User, logged on but I'm blocked. I assumed it was because I was also a Domain User and Domain Users were not specifically allowed access. So I modified the allow rule to also let domain users have access and that worked.

Then tried taking myself out of the Internet Users and assigning myself to the Intranet Only group. Logged back in thinking I should be blocked, but I can still get through. I assumed it was because I was a Domain User who is allowed through, but I thought Deny rules were supposed to be processed before Allow rules?

This seems very complicated and I'm now utterly confused! Please can someone help me out with these rules?

Many thanks

Stuart
 
I just did this. Before you create a site and content rule, you first have to create a destination set under Policy Elements. Once you have created the destination set, you can create a site and content rule for that specific destination set.
 
There are some destination sets defined, but I had my rule set to apply to All External Destinations.

What I didn't understand was making the rule apply to groups as defined in Security Groups i.e. backoffice internet user, domain user etc.

If I set a rule to apply to a group or groups, does a user have to be in all those groups for a rule to apply, or just one of them?

Thanks
 
If you set a rule to apply to a group or groups, the user should only have to be a member of one of the groups you listed in the rule for it to apply to the user.
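The rule semantics discussed in this thread (deny rules processed before allow rules, a group rule applying when the user is a member of any one of its listed groups, and the client-address-set alternative from the first reply) as an added Python model. This is not ISA Server code and not from any poster; the group and rule names are taken from the posts, the IP addresses are constructed, and it assumes that a group-based rule cannot match a request whose user ISA has not identified, which is the situation the first reply addresses with the firewall client.

```python
# Added example: a small model of ISA Server 2000 site and content rule
# evaluation as described in this thread. Not ISA's own code; rule and group
# names come from the posts, IP addresses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "deny" or "allow"
    applies_to: str                   # "any", "groups" or "addresses"
    members: frozenset = frozenset()  # group names or client IPs, per applies_to
    destinations: str = "all"         # "all" = All external destinations


@dataclass(frozen=True)
class Request:
    client_ip: str
    destination: str
    user: Optional[str] = None        # None: ISA could not identify the user
    groups: frozenset = frozenset()


def rule_applies(rule: Rule, req: Request) -> bool:
    """Does this rule cover the request? A group rule needs a known user and
    matches on membership in ANY one of its listed groups (assumption)."""
    if rule.destinations != "all" and rule.destinations != req.destination:
        return False
    if rule.applies_to == "any":
        return True
    if rule.applies_to == "addresses":
        return req.client_ip in rule.members
    if rule.applies_to == "groups":
        return req.user is not None and bool(rule.members & req.groups)
    raise ValueError(f"unknown applies_to: {rule.applies_to}")


def evaluate(rules: list, req: Request) -> tuple:
    """Deny rules are checked first; the first matching rule decides.
    With no matching allow rule the request is denied (assumed default)."""
    for rule in rules:
        if rule.action == "deny" and rule_applies(rule, req):
            return "deny", rule.name
    for rule in rules:
        if rule.action == "allow" and rule_applies(rule, req):
            return "allow", rule.name
    return "deny", "no matching allow rule"


# Rules as described in the thread (group names from the posts).
RULES = [
    Rule("Block Intranet Only", "deny", "groups",
         frozenset({"BackOffice Intranet Only Users"})),
    Rule("Block call centre PCs", "deny", "addresses",
         frozenset({"192.0.2.50", "192.0.2.51"})),   # constructed client address set
    Rule("Allow Internet Users", "allow", "groups",
         frozenset({"BackOffice Internet Users", "Domain Users"})),
]

DEST = "www.example.com"   # constructed external destination


def stuart_as_internet_user():
    # Member of Domain Users and Internet Users: the allow rule applies.
    return evaluate(RULES, Request("192.0.2.10", DEST, "stuart",
                                   frozenset({"Domain Users", "BackOffice Internet Users"})))


def stuart_as_intranet_only():
    # Still a Domain User, but the deny rule is evaluated first and wins.
    return evaluate(RULES, Request("192.0.2.10", DEST, "stuart",
                                   frozenset({"Domain Users", "BackOffice Intranet Only Users"})))


def unidentified_user():
    # Identity unknown to ISA: neither group rule can match, so the default applies.
    return evaluate(RULES, Request("192.0.2.10", DEST))


def call_centre_pc():
    # Blocked by client address, regardless of who is logged on.
    return evaluate(RULES, Request("192.0.2.50", DEST, "agent",
                                   frozenset({"Domain Users"})))


if __name__ == "__main__":
    for case in (stuart_as_internet_user, stuart_as_intranet_only,
                 unidentified_user, call_centre_pc):
        print(f"{case.__name__}: {case()}")
```

The second case is the one Stuart describes: being a Domain User does not help once a deny rule for Intranet Only Users matches, because deny rules are evaluated before allow rules. The third case shows why per-user rules only work when ISA can identify the user at all; with no identity, neither the deny nor the allow group rule has anything to match against.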
 