ISA 2006 and Computer Sets....


**Updated - Tom Shinder over at ISASERVER.ORG pointed out some legacy thinking I had in my post regarding ISA being in a Workgroup vs a Domain. He has an excellent article on this at this link. Microsoft also has an article regarding the pros and cons of ISA being in a domain. (This article is a good one too...) My own ISA server is joined to my domain in fact and for some of the reasons Tom points out. Thanks for the catch!**

I received the following email yesterday and thought it would make a good blog post.....

On my internal network I have 200 Internet users that pass thru my gateway (Windows 2003 Server Std Edition SP2) to access the Internet.

Of these 200 users, I want only 20 users to have unrestricted access to the Internet, while the remaining 180 users are to be restricted to only 6 web sites. Please kindly help me out on how to achieve this, I will prefer to prevent users thru their machine names rather than the IP Addresses.

In a follow-up email it was noted that the Windows 2003 "gateway" is an ISA 2006 server...

There is no built-in method for applying an ISA access policy to computers by way of Windows groups or OUs. We rely on Computer Sets to get close to the same thing in ISA. In larger environments it can be cumbersome to manually enter a large number of machine names and IP addresses. There is an import feature in the GUI, but it expects the information in XML format and it is a little clunky.

So I pinged our internal ISA DL and got a response from resident ISA expert, Jim Harrison (Jim also helps run the isatools.org site). He pointed me to a site called isascripts.org where I found a script called ISA_Fill_Computer_set_Computers.vbs that does exactly what the question above asks for.

While we can't rely solely on the machine name in ISA access policies (ISA matches on the IP address of the machine in question; the name is simply there to help us humans identify the machine), we can use the script to import the machinename,IPAddress pairs into a computer set which can then be used in the access policy. This saves a lot of time over manually entering a couple hundred machine-to-IP-address mappings into a computer set.

To use the tool, we first need to generate a delimited .txt file with the computers and IP addresses in the form of -

According to the information in the script, the delimiter can be a space, comma, tab, semicolon, colon, forward slash or backslash. I tested this using a comma and it worked perfectly.

So.... for the question posed to me we would need to generate a file called unrestricted.txt that contains the 20 machines that need unrestricted access to the Internet, and another named restricted.txt that contains the 180 machines that are restricted to the 6 URLs suggested by the admin.

So how do we get the machine names and IP addresses into the text file? If we type them in we might as well just do that in the ISA computer sets since it will take just about the same amount of time.

After a little searching I found another script called Network Inventory over at the AdminScriptEditor site that can scan your network and generate an Excel file listing a bunch of details about the machines on your network, including the machine name and IP address. The script has to be run from a machine that has Excel loaded on it. I ran it from a Vista workstation running Excel 2007 and generated the results below on my own network (machine name changed). Of course this is only going to work if the machines are powered on and accessible. I have a simple network at home on a single IP subnet. I am going to guess this script will not pass through routers to other IP segments, so you may have to run it on a machine in each segment and combine the results to get a full map.

The script collects a lot of information that we don't need for our ISA solution. To get this into a usable format, delete the columns that aren't needed as well as the first (header) row. Once this is done, save the file out as a master file. Then trim out the machines not used for the Unrestricted Computer Set and save as a Comma Separated Value (CSV) file (unrestricted.txt). Then open the master again, trim out the machines not included in the Restricted Computer Set and again save as a CSV file (restricted.txt).

We can now use the ISA_Fill_Computer_set_Computers.vbs script to import each file into our computer sets. I just created a folder off the root and dropped the script and the CSV text files into the folder. Drop to a command prompt, go to the folder you created and run the import script. The format of the command is --

ISA_Fill_Computer_set_Computers.vbs setname file.txt

setname = the name of the computer set you wish to create in ISA

file.txt = the CSV file you wish to import.
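The trimming step above is easy to get wrong by hand (a machine left in both files, or a Vista machine whose inventory row carries only an IPv6 address). The following is an added example, not code from the original post or from the isascripts.org script: it reads an inventory export saved as CSV, keeps the first IPv4 address per machine, splits the rows into the two sets, and flags rows that have no usable IPv4 address for manual fix-up. The column names `Name` and `IP` and the sample rows are assumptions, not the Network Inventory script's real layout.

```python
"""Build ISA 2006 computer-set import files from a network inventory CSV.

Assumes a header row with at least 'Name' and 'IP' columns (assumed names);
the IP field may list several addresses, e.g. an IPv6 link-local address
before the IPv4 one on a Vista machine.
"""
import csv
import io
import ipaddress

# Constructed sample inventory export (not real data).
INVENTORY_CSV = """Name,OS,IP
WS-001,Windows XP,192.168.1.10
WS-002,Windows Vista,fe80::1c2a:3b4c:5d6e:7f80 192.168.1.11
WS-003,Windows XP,192.168.1.12
WS-004,Windows Vista,fe80::aaaa:bbbb:cccc:dddd
"""

# Machines that get unrestricted Internet access; everyone else is restricted.
UNRESTRICTED = {"WS-001"}


def first_ipv4(field):
    """Return the first IPv4 address in a field that may list several, else None."""
    for token in field.replace(";", " ").replace(",", " ").split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address at all (e.g. stray text)
        if addr.version == 4:
            return str(addr)
    return None  # only IPv6 (or nothing) found: ISA 2006 cannot use it


def build_sets(inventory_csv, unrestricted):
    """Split rows into 'name,ip' lines for each set plus a 'skipped' name list."""
    sets = {"unrestricted": [], "restricted": [], "skipped": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["Name"].strip()
        ip = first_ipv4(row["IP"])
        if ip is None:
            sets["skipped"].append(name)  # needs a manual entry before import
            continue
        key = "unrestricted" if name in unrestricted else "restricted"
        sets[key].append(f"{name},{ip}")
    return sets


def write_set_files(sets, outdir="."):
    """Write unrestricted.txt and restricted.txt with Windows line endings."""
    for key in ("unrestricted", "restricted"):
        with open(f"{outdir}/{key}.txt", "w", newline="\r\n") as fh:
            fh.write("\n".join(sets[key]) + "\n")


if __name__ == "__main__":
    result = build_sets(INVENTORY_CSV, UNRESTRICTED)
    write_set_files(result)
    print("skipped (no IPv4 address):", result["skipped"])
```

Because the import script overwrites the named set rather than appending, rerun it with the complete file each time the inventory changes.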

For the question posed to me, there will also need to be a URL set created with the 6 web sites that the restricted users have access to, and the appropriate Access Rule created for it. Then the Access Rule for the Unrestricted computers is created.

Things to watch for --

As noted, the Network Inventory script will not find machines that are powered off or otherwise inaccessible. Firewalls, Routers and other network issues may result in an incomplete list. There may be some manual updating of the Excel or CSV files to get an accurate list for import.

The Network Inventory script appears to only pull back the IPv6 address on Vista machines. The workaround would be to disable IPv6 on the Vista machines (a pain if you have a bunch) or modify the script to grab only the IPv4 address.

The import script overwrites an existing computer set with the same name. It does not merge or append.

Computer sets can be manually edited as machines are added/removed from the network.

Request --

If you have a more efficient way to do this, I would love to know! Especially if it allows us to use the native XML import mechanism.


Cheers!

Comments
  • PingBack from http://blogs.isaserver.org/shinder/2007/04/29/serious-error-regarding-isa-firewall-security-design-made-at-microsoft-technet-blog-site/

  • His desired methodology of

    "I will prefer to prevent users thru their machine names rather than the IP Addresses."

    is in contradiction to his desired results:

    "I want only 20 users to have unrestricted access to the Internet, while the remaining 180 users are to be restricted to only 6 web sites."

    Restricting computers does not restrict users. He/she needs to require domain authentication for outbound access and create rules so that only the six users have unrestricted access while everyone else defaults to the six web sites.

    Doing it by computer name (actually by IP address) will fail as soon as DHCP gives someone a new address.

    Ray
