How to set ISA access rules to combine SecureNat with web proxy/firewall clients on the same network?
Tuesday, December 04, 2012 6:14 AM
We have 2 ISA 2006 Enterprise Servers with 2 NICs each on our LAN behind hardware firewalls. Both are on the same subnet. The only reason we have two is so any one of the two ISA servers can be rebooted or fail/crash without anyone losing Internet access.
I would like to set ISA rules for a mix of computers on our network.
1. Firewall Clients: Our domain-joined XP and Windows 7 desktop workstations get the firewall client and proxy settings set by GPO.
2. Authenticated Web Proxy Clients: Our laptops, plus other computers on our employee LAN that aren't joined to our domain would be web proxy clients with browsers set to automatically detect proxy settings. WPAD settings would be configured in DNS and DHCP.
3. SecureNat clients: Other computers on the network that cannot have the firewall client installed and have applications that need to get out to the local network and Internet without having to know proxy settings need to work as SecureNat clients. We would rather not have any of these groups bypass the proxy completely, but instead default to SecureNat.
4. Anonymous web proxy clients. Wireless network for visitors to use to get access to the Internet.
5. Exceptions. Servers or workstations that have some process or application that cannot be made to work through any proxy configuration, including SecureNat. These will need to bypass the proxy on a case-by-case basis, either as a temporary workaround while a fix is found or else permanently.
How would array firewall access rules be set for this and in what order to make them all work correctly?
- Edited by MyGposts Tuesday, December 04, 2012 6:47 AM
Tuesday, December 04, 2012 8:50 AM
First, you should create a rule for "SecureNat clients" and "Anonymous web proxy clients". When creating the rule, in the "From/listener" column you should specify the computer IP addresses of the "SecureNat clients" and "Anonymous web proxy clients"; in the "Condition" column it should be "All users".
Secondly, you should create a rule for "Firewall Clients" and "Authenticated Web Proxy Clients"; in the "From/listener" column it should be the internal network, and in the "Condition" column it should be "All authenticated users".
For "Exceptions", you should configure your firewall to allow the Internet access. As ISA does not receive the "Exceptions" requests, ISA does not control them.
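The rule order in the answer above, modelled as an added example (this is not ISA code and does not touch an ISA array; it is a simplified first-match policy evaluator). The addresses, rule names and the "Exceptions" host are constructed here for illustration. One assumption is built into the model: when an anonymous request reaches a rule whose condition is "All Authenticated Users", a web proxy or firewall client is asked for credentials (the HTTP 407 challenge), whereas a SecureNat client cannot send credentials, so that rule does not match it and evaluation continues. The example also shows why the order matters: with the two rules swapped, a visitor on the wireless network is challenged for credentials before the anonymous rule is ever reached.

```python
"""Simplified model of ISA Server first-match access-rule evaluation.

Constructed to illustrate the rule order in the answer above.  It is not
ISA code.  Assumed behaviour: a rule with condition "All Authenticated
Users" makes a web proxy/firewall client authenticate (challenge), while a
SecureNat client, which cannot send credentials, fails to match that rule
and evaluation moves on to the next one.
"""
import ipaddress
from dataclasses import dataclass

ALL_USERS = "All Users"
ALL_AUTHENTICATED_USERS = "All Authenticated Users"

# Constructed sample addressing (assumption, not from the original post).
INTERNAL_NETWORK = (ipaddress.ip_network("10.0.0.0/16"),)
SECURENAT_AND_GUEST = (
    ipaddress.ip_network("10.0.5.0/24"),   # hosts that must run as SecureNat
    ipaddress.ip_network("10.0.50.0/24"),  # visitor wireless (anonymous web proxy)
)
# "Exceptions": default gateway is the hardware firewall, so ISA never sees them.
BYPASS_HOSTS = {ipaddress.ip_address("10.0.2.5")}


@dataclass(frozen=True)
class Request:
    src_ip: str
    client: str                 # "firewall", "webproxy" or "securenat"
    authenticated: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple              # what the rule's "From" tab lists
    users: str                  # the "Condition" column

    def source_matches(self, ip):
        return any(ip in net for net in self.sources)


# Order is the one recommended in the answer: narrow anonymous rule first,
# broad authenticated rule second.
POLICY = (
    Rule("Anonymous and SecureNat clients", SECURENAT_AND_GUEST, ALL_USERS),
    Rule("Authenticated internal clients", INTERNAL_NETWORK, ALL_AUTHENTICATED_USERS),
)


def evaluate(req, policy=POLICY):
    """Return (verdict, rule_name); verdict is allow, challenge, deny or bypass."""
    ip = ipaddress.ip_address(req.src_ip)
    if ip in BYPASS_HOSTS:
        return ("bypass", None)          # governed by the hardware firewall, not ISA
    for rule in policy:
        if not rule.source_matches(ip):
            continue
        if rule.users == ALL_USERS or req.authenticated:
            return ("allow", rule.name)
        # Rule requires credentials and the request carried none.
        if req.client == "securenat":
            continue                     # cannot authenticate: rule skipped, keep looking
        return ("challenge", rule.name)  # web proxy / firewall client is asked to log on
    return ("deny", None)                # ISA's implicit default rule


def ordering_comparison(req):
    """Verdicts for one request under the recommended order and the swapped order."""
    return evaluate(req), evaluate(req, policy=tuple(reversed(POLICY)))


if __name__ == "__main__":
    for r in (
        Request("10.0.5.10", "securenat"),
        Request("10.0.50.23", "webproxy"),
        Request("10.0.1.20", "firewall", authenticated=True),
        Request("10.0.1.77", "webproxy"),
        Request("10.0.1.99", "securenat"),
        Request("10.0.2.5", "securenat"),
    ):
        print(r, "->", evaluate(r))
    print("visitor, rules swapped:", ordering_comparison(Request("10.0.50.23", "webproxy"))[1])
```

Run as a script to see each constructed request's verdict; the last line shows the visitor being challenged instead of allowed once the authenticated rule is moved ahead of the anonymous one. A SecureNat host outside the first rule's address set falls through to the default deny, which is the case the original poster wants to avoid by keeping that set complete.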