ISA Server has three client types:
- Firewall Client
-
Web Proxy Client
-
SecureNet client
Usually with Windows machines, they can be set as any client type or even
all of the above. But what about non Windows clients,
such as Unix/Linux or Apple Macintosh ( will be called as MAC in this article ) machines ? Well, Non Windows
Machines can be set only as Web Proxy Client and/or SecureNet Client. They can not be
set as Firewall Client, as the Firewall client software is an executable file
that can not be installed on non Windows machines.
If you do not require to force authentication for your MAC machines, then
simply set these machines as SecureNet clients. If you do require
authentication, that is to ask your users to provide username/password to be granted outbound
connection, then set these machines as Web Proxy Clients.
I will deal with every case separately and from
scratch, so that if you wish to follow one method, you
are completely independent of the other.
Setting the Macintosh Machines as Web proxy
Clients
If you do require to force authentication for
outbound connections, then set the MAC machines as Web
Proxy Client by following the below steps :
- Open Safari Web browser, and then
from the menu bar, click on Safari > Preferences
-
On the General page, click on the Advanced icon
-
Then click on Change Settings button beside Proxies
-
Under Select a protocol to configure, Select the check box
beside the Web Proxy (HTTP), then enter the Internal IP of ISA
Server and the port number under Web Proxy Server
That is all what you have to do on the Apple Macintosh machine to be set as
a Web Proxy client.
Now on ISA Server, we will create a general rule
to allow all the Internal Network users to have Internet
Access by creating the following rule :
Allow > HTTP/HTTPS > From Internal > To External
> Domain Users AD Group
Configurations on ISA Server for Web Proxy
Clients
To create the new rule, right click on the
Firewall Policy node from the left pane, click
on New and then on Access Rule
Give a descriptive name to the rules and then click
on Next
On the Rule Action page, select
Allow and then click on Next
On the Protocols page, click on the Add
button, the Add Protocols page will open, expand the
Common Protocols folder, and choose the protocol you want to add and
then click the Add button, once done, click on the
Close button.
The selected protocols will be displayed, if you need to add other protocols,
click the Add button again and start adding the required protocols, once done,
click Next
On the Access Rule Sources
page, click on the Add button and from
the Add Network Entities page, expand
the Networks folder, and click on
Internal and then press the Add
button, then close the Add network Entities
page by clicking on the Close button,
then on the Access Rules Sources page,
click Next
On the Access Rule Destination
page, click on the Add button and from
the Add Network Entities page, expand
the Networks folder, and click on
External and then press the Add
button, then close the Add network Entities
page by clicking on the Close button,
then on the Access Rules Destination
page, click Next
On the User Sets page, click on the
All Users group and then press the Remove
button. The All Users Group represents both Anonymous and
Authenticated users, but as we only need to allow
outbound connection for authenticated users, then you
can either add the All Authenticated Users
Group, or to add a custom user/group from Active
Directory for example, then click on the Add button
From the Add Users page, click on
New
Enter a descriptive name for the user/group you want
to create then click Next
On the Users page, click on Add >
then click on Windows users and groups
( I will choose my users/groups from Active Directory ).
On the Select users and Groups page, make sure that the
Entire Directory is displayed and not the Local machine
name, this can be done by clicking on the Locations
button and selecting the Entire Directory
Type the name of the user/group and then click on the
OK button ( if you are not sure if you
have written the name correctly , you can press the
Check Names button )
The group name will be displayed inside ISA Server,
click on Next to go to the review page, and then click
on Finish
Once the Finish button is pressed,
as you see the Domain Users group is now available
inside the Add Users page, click on it
and then click on the Add button to add
the Domain users group to the rule we are creating. Click
the Close button to close the
Add Users page, then on the Users Sets
page click on Next
Review the rule you have created, and then click on
Finish
The Allow Internet - Domain Users rules will be
displayed, click on the Apply button so that changes
take effect. now go to your Web proxy Macintosh machines
and try to surf the Internet. they will be request to
enter a username and password from Active Directory,
enter them as follows:
DomainName\username
Password
Setting the Macintosh machines as SecureNet
clients
From the top menu Bar, click on Apple Icon then click on System
Preferences...
or you can directly open the System Preferences by
clicking on its icon in the Dock.
The System Preferences will open, under Internet & Network,
click on Network
On the Network Page, click on Ethernet from the left pane. If you have
a DHCP Server in your Network, then choose Using DHCP, else if
you want to assign a Static IP Address to your Mac machines, then select
Manually from the Configure list.
Enter the IP address, Subnet Mask. The Router is the default gateway ,
which in simple network ( single subnet ) it should be set as the Internal IP
Address of ISA Server, so if your ISA Server Internal Network Card IP Address is
192.168.0.1, then the Router on this page should be set as 192.168.0.1. The last
entry is for your Internal DNS Server which should forward requests to your ISP
DNS Servers. Check my article
for more details. Click Apply.
With these steps, we have finished configuring the MAC machine as a SecureNet
client.
Configurations On ISA Server for SecureNet Clients
SecureNet clients can not authenticate, so we must create an outbound rule
with the condition All Users.
a sample rule would look like this:
Allow > Protocols > From Selected Computer List > To External > All
Users
To create such rule, follow these steps :
Open ISA Server Management Console, Click on Start > All Programs >
Microsoft ISA Server > ISA Server Management
As you can see, I only have three rules. One for the DNS server to
communicate with the ISP DNS Servers, rule # 2 to allow outbound internet access
for Domain Users and the 3rd rule is the default deny rules. We need to create a
rule for the Macintosh SecureNet clients.
To create the rule, right click on Firewall Policy node from the left
pane, click on New > then click on Access Rule
On the Welcome to the New Access Rule Wizard page, Enter a
descriptive name for the access rule, then click Next
On the Rule Action page, select Allow, then
click Next
On the Protocols page, click on the Add
button, the Add Protocols page will open, expand the
Common Protocols folder, and choose the protocol you want to add and
then click the Add button, once done, click on the
Close button.
The selected protocols will be displayed, if you need to add other protocols,
click the Add button again and start adding the required protocols, once done,
click Next
On the Access Rule Sources page, we need to create a
Computer Object/Set to include the IP(s) of our Apple Macintosh machine(s),
click on the Add button, click on Computer Set
so that we can include in it multiple IPs for different machines
Enter a name for the new Computer Set, click on the
Add button, then click on Computer, enter the
name of the Mac machine, the IP Address and then click on OK, repeat
these steps for every machine you want to add.
Once you finish adding all the machines inside the Computer Set, click on
OK, and from the Add Network Entities page,
expand Computer Sets folder, and you will see the new computer set that we
created, click on it and then click Add. The MACINTOSH MACHINES
computer set will be added in the Access Rule Sources page, Click Close
to close the Add Network Entities page then click Next
On the Access Rule Destination page, click on the
Add button, the Add Network Entities page will open,
expand Networks folder, and then click on External
, click Add to add the External Network entity
for the Access Rule Destination, once added, click on
Close to close the Add Network Entities page, and then
click Next on the Access Rule Destination page
On the User Sets page, keep the default group, All Users. We will not add any
other group, because SecureNet clients can not authenticate and hence we need to
use the All Users group, click Next
Review the summary of the rule and then click on Finish
Make sure that anonymous rules, rules created with
the condition All Users is above rules that require
authentication, in our case, we need to put the new
created rule above the Allow Internet- Domain Users
rule, you can change the order of the rules by clicking
on the up down arrows
Highlight the rule you want to change its order
by clicking on it, and then click the up/down arrow.
Once the order is done, click the Apply
button so that changes take effect.
Summary
Not only Windows Operating Systems can
connect to ISA Server, non windows machines can connect
too. You can set them as Web Proxy client and/or
SecureNet client.
Although in this article I have only covered Macintosh
machines, the same steps can be followed to set any
client as SecureNet or Web proxy client, as the
configurations on ISA Server is the same regardless of
the client operating system.
The only difference from one operating system to
another, is the way to set the default gateway or the
proxy settings.
Related links
Understanding the
ISA 2004 Access Rule
Processing
Back to top
