Dual internal Network Authentication

[jshepherd]

Most of our users are required to authenticate when using the internet via our ISA 2K4 server. But I have a couple of users who require the internet without any authentication request (mainly due to banking and payroll software). Is this possible?

I tried to create an additional internal network both with specific internal IP address ranges and I thought in theory this should work but ISA didn’t like it for some reason and it created a conflict report. The first range worked as expected but the second range didn’t.

Regards,

John

 

[tvbruwae]

Sure this is possible. We have a similar situation where most people have to be authorized to access the internet, some people have access to banking applications and a few have unlimited access.

If you put accounts that are allowed access to certain sites in a group in AD you can set up the following rules:

(1. Give http(s) access to a list of IP addresses / URL's that are allowed for everyone (like sites from the own company) )
2. Allow access for a small user group (AD group) to a rule opening up special ports (like for banking applications). Have the users of these banking applications use the FW Client software
3. Allow http(s) access to another AD group, holding all accounts authorized to access the internet

With the ISA Firewall client we were able to solve all banking and payroll applications (over 10 different ones), allowing only authorized users to access them. Just put those users in both AD groups (the one for the special ports and the one for internet access).

Hope this helps..