ISA Setup Experience Summary

Source: Internet
Author: User

The company recently asked for restrictions on the web sites employees can visit, allowing only specified sites, which meant setting up a URL set in ISA.

The specific requirements are: all employees may access only the designated sites and must be able to use Skype and mail normally; QQ is not allowed; some manager-level staff are to be unrestricted.

The company's network structure is: external network --- ISA --- internal network, with the internal network in workgroup mode.

Because I had not studied ISA before, it felt rather difficult. I think that for people who do networking this does not matter as long as they are willing to learn, because no one can be proficient in every network application. Besides, there are many enthusiastic people online who selflessly share their experience with us. Thanks to the power of the Internet and these dedicated people, I basically met the requirements. The specific process is as follows:

First, configure the ISA network cards:

ISA has two network cards. The one connected to the external network is set with the full data (IP, mask, gateway, DNS). The internal network card gets only an IP and mask, with the IP in the same network segment as the intranet IPs. I used 192.168.16.1, because before ISA everybody's computers already had the gateway set to 192.168.16.1, and I wanted to use the SecureNAT (SNAT) client mode so as not to have to change the gateway as well, which would be troublesome ...

Once the network cards are set up, configure ISA. The process is as follows:

First, open access for all personnel to the specified URL set. The ISA default rule denies all protocols from all networks to all networks, which means nothing gets through. I added a rule: Allow -- All protocols -- from Internal -- to the URL set -- All users. Add the sites that need to be open to the URL set, including the POP3 and SMTP URLs used by the mail clients. If these are given as IP addresses, it is best to create a new Computer object with the mail server's IP and add it to the rule's "To" list together with the URL set; other destinations that need to be reachable can be added in the same way. A word on DNS: because we do not have a DNS server inside the company, all clients are configured with the telecom provider's DNS, so the DNS servers also have to be added here.

Second, allow Skype. With only the rule above, Skype is not guaranteed to work: Skype uses peer-to-peer mode with no fixed server, so it cannot be allowed by listing Skype servers. After looking it up, I found that Skype can connect over port 443, which is the HTTPS protocol, so I added a rule: Allow -- HTTPS protocol -- from Internal -- to External -- All users. After testing, Skype can log in.

Third, disable QQ. To disable QQ I used the method from this blog: http://hongwei.blog.51cto.com/533436/114979. Define the IP range of the QQ servers and deny it, then define a protocol for UDP port 8000 and deny that as well.

There is also a better method; those interested can see http://zhangzhengtao.blog.51cto.com/374502/86831
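
To see what the three steps add up to, the following added example (not from the original post) models the resulting rule set in Python, assuming ordered first-match evaluation with a final deny-all rule. The host names, IP addresses, QQ range and function names are constructed placeholders.

```python
import ipaddress

# Constructed sample objects; none of these values come from the original post.
URL_SET = {"portal.example.com", "supplier.example.net"}  # permitted web sites
COMPUTERS = {"203.0.113.25", "203.0.113.53"}              # mail server, ISP DNS
QQ_RANGE = ipaddress.ip_network("198.51.100.0/24")        # placeholder QQ range
HTTPS = {("tcp", 443)}     # protocol definitions as (transport, port)
QQ_UDP = {("udp", 8000)}   # the UDP 8000 protocol the post blocks

def to_allowed(req):
    # Model assumption: URL-set entries match web requests by host name,
    # Computer objects match any traffic by destination IP.
    return req.get("host") in URL_SET or req["ip"] in COMPUTERS

def to_qq(req):
    return ipaddress.ip_address(req["ip"]) in QQ_RANGE
anywhere = lambda req: True

# (name, action, protocols or None for all, destination test); assumed order: denies first.
POLICY = [
    ("deny QQ servers", "deny", None, to_qq),
    ("deny UDP 8000", "deny", QQ_UDP, anywhere),
    ("allow URL set", "allow", None, to_allowed),
    ("allow HTTPS out", "allow", HTTPS, anywhere),
]

def evaluate(req, policy=POLICY):
    """Return (action, rule name) for the first rule that matches req."""
    for name, action, protocols, dest in policy:
        proto_ok = protocols is None or (req["proto"], req["port"]) in protocols
        if proto_ok and dest(req):
            return action, name
    return "deny", "default rule"  # final rule: deny everything else

def audit():
    """Evaluate constructed sample requests against the modelled policy."""
    samples = {
        "http listed": dict(proto="tcp", port=80, host="portal.example.com", ip="192.0.2.10"),
        "http unlisted": dict(proto="tcp", port=80, host="news.example.org", ip="192.0.2.20"),
        "https unlisted": dict(proto="tcp", port=443, host="news.example.org", ip="192.0.2.20"),
        "pop3 mail": dict(proto="tcp", port=110, ip="203.0.113.25"),
        "udp 8000": dict(proto="udp", port=8000, ip="192.0.2.30"),
        "qq range": dict(proto="tcp", port=443, ip="198.51.100.7"),
    }
    return {label: evaluate(req) for label, req in samples.items()}

if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:15} -> {verdict}")
```

The `https unlisted` result shows that the HTTPS rule added for Skype also permits HTTPS to sites outside the URL set.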
