

Connecting Macintosh Machines Behind ISA Server

These days almost every company runs several operating systems on its network, such as Windows, Unix/Linux, and Macintosh.
As an ISA Server administrator, you should know how to configure each of these operating systems to communicate with ISA Server, and which ISA Server client types each of them supports.

In this article, we are going to show you how to configure Macintosh machines so that they can have Internet access through ISA Server, either as Web Proxy clients or as SecureNet clients.

ISA Server has three client types:

  • Firewall Client
  • Web Proxy Client
  • SecureNet client

Windows machines can usually be set as any of these client types, or even as all of them. But what about non-Windows clients, such as Unix/Linux or Apple Macintosh machines (called MAC in this article)? Non-Windows machines can be set only as Web Proxy clients and/or SecureNet clients. They cannot be set as Firewall clients, because the Firewall Client software is an executable file that cannot be installed on non-Windows machines.

If you do not need to enforce authentication for your MAC machines, simply set them as SecureNet clients. If you do require authentication, that is, users must provide a username and password before being granted an outbound connection, set these machines as Web Proxy clients.

We will deal with every case separately and from scratch so that if you wish to follow one method, you are completely independent of the other.

  • Setting the Macintosh machines as Web Proxy clients
  • Configurations On ISA Server for Web Proxy Clients
  • Setting the Macintosh machines as SecureNet clients
  • Configurations On ISA Server for SecureNet Clients

 

Setting the Macintosh Machines as Web Proxy Clients

If you need to enforce authentication for outbound connections, set the MAC machines as Web Proxy clients by following the steps below:

  1. Open Safari Web browser, and then from the menu bar, click Safari > Preferences

    http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/webproxy/1_safari_preferences.jpg

  2. On the General page, click the Advanced icon

    http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/webproxy/2_Advanced.jpg

  3. Then click Change Settings beside Proxies

    http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/webproxy/3_Change_Settings.jpg

  4. Under Select a protocol to configure, select the check box beside Web Proxy (HTTP), then enter the internal IP address of ISA Server and the port number under Web Proxy Server

    http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/webproxy/4_Set_Proxy_ok.jpg

 
That is all you have to do on the Apple Macintosh machine to be set as a Web Proxy client.

Configurations on ISA Server for Web Proxy Clients

Now on ISA Server, we will create a general rule that allows all the Internal Network users to have Internet access:

Allow > HTTP/HTTPS > From Internal > To External > Domain Users AD Group

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/1_ISA_Server_Fresh.jpg

To create the new rule, right-click the Firewall Policy node from the left pane, click New and then Access Rule

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/2_New_Firewall_Rule.jpg

 

Give the rule a descriptive name and then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/new_rules_wp_2.jpg

On the Rule Action page, select Allow and then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/4_Action_Allow.jpg

On the Protocols page, click the Add button. The Add Protocols page will open. Expand the Common Protocols folder, choose the protocol you want to add, and click the Add button. Once done, click the Close button.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/5_Selected_protocols.jpg              http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/6_Add_Protocols.jpg

The selected protocols will be displayed. If you need to add other protocols, click the Add button again and add the required protocols. Once done, click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/7_Selected_Protocols.jpg

On the Access Rule Sources page, click the Add button. On the Add Network Entities page, expand the Networks folder, click Internal, and then press the Add button. Close the Add Network Entities page by clicking the Close button, then, on the Access Rule Sources page, click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/8_Source_network.jpg

On the Access Rule Destination page, click the Add button. On the Add Network Entities page, expand the Networks folder, click External, and then press the Add button. Close the Add Network Entities page by clicking the Close button, then, on the Access Rule Destination page, click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/16_Destination.jpg

 

On the User Sets page, click the All Users group and then press the Remove button. The All Users group represents both anonymous and authenticated users, but we only want to allow outbound connections for authenticated users. You can either add the All Authenticated Users group or add a custom user/group, from Active Directory for example. Then click the Add button

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/17_All_Users.jpg

From the Add Users page, click on New

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/create_group.jpg

Enter a descriptive name for the user/group you want to create then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/group_name.jpg

On the Users page, click Add, then click Windows users and groups (we will choose users/groups from Active Directory). On the Select Users and Groups page, make sure that Entire Directory is displayed and not the local machine name. You can change this by clicking the Locations button and selecting Entire Directory

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/change_location.jpg

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/change_location_2.jpg

Type the name of the user/group and then click the OK button (if you are not sure if you have written the name correctly, you can press the Check Names button)

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/domain_users_grp.jpg

The group name will be displayed inside ISA Server, click Next to go to the review page, and then click on Finish

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/domain_users_grp_2.jpg

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/review_group.jpg

Once you press the Finish button, the Domain Users group becomes available on the Add Users page. Click it and then click the Add button to add the Domain Users group to the rule we are creating. Click the Close button to close the Add Users page, then, on the User Sets page, click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/add_grp_to_rule.jpg

Review the rule you have created, and then click Finish

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/REVIEW_RULE_2.jpg

The Allow Internet - Domain Users rule will be displayed. Click the Apply button so that the changes take effect. Now go to your Web Proxy Macintosh machines and try to surf the Internet. Users will be asked to enter a username and password from Active Directory. Enter them as follows:

DomainName\username
Password

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/allow_domain_users_rule.jpg

 

Setting the Macintosh machines as SecureNet clients

From the top menu Bar, click Apple Icon then click System Preferences...

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/1_Apple_System_Preferences.jpg

or you can directly open the System Preferences by clicking its icon in the Dock

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/System_Preferences.jpg

The System Preferences will open, under Internet & Network, click Network  http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/Network.jpg

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/2_System_Preferences.jpg

On the Network page, click Ethernet in the left pane. If you have a DHCP server in your network, choose Using DHCP. If you want to assign a static IP address to your Mac machines, select Manually from the Configure list.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/3_Configure_Manually.jpg

Enter the IP address and Subnet Mask. The Router is the default gateway, which in a simple network (single subnet) should be set to the internal IP address of ISA Server. So if the IP address of your ISA Server internal network card is 192.168.0.1, the Router on this page should be set to 192.168.0.1. The last entry is for your internal DNS server, which should forward requests to your ISP DNS servers. Check my article Internal DNS Forwarding Through ISA Server 2004/2006 for more details. Click Apply.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/securenet/4_Set_IP_Address.jpg

With these steps, we have finished configuring the MAC machine as a SecureNet client.

Configurations On ISA Server for SecureNet Clients

SecureNet clients cannot authenticate, so we must create an outbound rule with the condition All Users.

A sample rule would look like this:

Allow > Protocols > From Selected Computer List > To External > All Users

To create such a rule, follow these steps:

Open ISA Server Management Console, Click Start > All Programs > Microsoft ISA Server > ISA Server Management

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/Firewall_Policies.jpg

 

As you can see, we only have three rules: one for the DNS server to communicate with the ISP DNS servers, rule #2 to allow outbound Internet access for Domain Users, and the third, which is the default deny rule. We need to create a rule for the Macintosh SecureNet clients.

To create the rule, right-click Firewall Policy node from the left pane, click on New > then click Access Rule

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/Create_new_Rule.jpg

 

On the Welcome to the New Access Rule Wizard page, enter a descriptive name for the access rule, then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/3_Rule_name.jpg

On the Rule Action page, select Allow, then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/4_Action_Allow.jpg

On the Protocols page, click the Add button. The Add Protocols page will open. Expand the Common Protocols folder, choose the protocol you want to add, and click the Add button. Once done, click the Close button.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/5_Selected_protocols.jpg              http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/6_Add_Protocols.jpg

The selected protocols will be displayed. If you need to add other protocols, click the Add button again and add the required protocols. Once done, click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/Select_protocols.jpg

 

On the Access Rule Sources page, we need to create a Computer object or Computer Set that includes the IP address(es) of our Apple Macintosh machine(s). Click the Add button, then click Computer Set so that we can include multiple IP addresses for different machines

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/8_Source_network.jpg                http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/9_Computer_Set.jpg

Enter a name for the new Computer Set, click the Add button, then click Computer. Enter the name of the Mac machine and its IP address, and then click OK. Repeat these steps for every machine you want to add.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/11_Add_Computer.jpg     http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/12_Add_Computer_Name.jpg

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/13_Computers_Added.jpg

Once you finish adding all the machines to the Computer Set, click OK. On the Add Network Entities page, expand the Computer Sets folder and you will see the new computer set that we created. Click it and then click Add. The MACINTOSH MACHINES computer set will be added to the Access Rule Sources page. Click Close to close the Add Network Entities page, then click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/15_Expand_Computer_Sets_2.jpg

 

On the Access Rule Destination page, click the Add button. The Add Network Entities page will open. Expand the Networks folder, click External, and then click Add to add the External network entity as the access rule destination. Once added, click Close to close the Add Network Entities page, and then click Next on the Access Rule Destination page

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/16_Destination.jpg

 

On the User Sets page, keep the default group, All Users. We will not add any other group, because SecureNet clients cannot authenticate and hence we need to use the All Users group. Click Next

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/17_All_Users.jpg

 

Review the summary of the rule and then click Finish

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/REVIEW_RULE.jpg

Make sure that anonymous rules (rules created with the condition All Users) are above rules that require authentication. In our case, we need to put the newly created rule above the Allow Internet - Domain Users rule. You can change the order of the rules by clicking the up/down arrows http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/img2.gif

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/RULE_ORDER.jpg

Highlight the rule whose order you want to change by clicking it, and then click the up/down arrow. Once the order is correct, click the Apply button so that the changes take effect.

http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server/RULE_ORDER_fixed.jpg
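The rule-order requirement above, as an added example that is not part of the original article or of ISA Server itself: a simplified first-match model of access-rule evaluation, run with the same request against both rule orders. The addresses, the Internal range and the rule name "Macintosh SecureNet" are constructed for illustration, and the DNS rule is omitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.0.0/24")        # assumed Internal network range
MAC_SET = {ip_address("192.168.0.50")}         # constructed Computer Set entry
WEB = frozenset({"HTTP", "HTTPS"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "ALLOW" or "DENY"
    protocols: frozenset         # empty = all traffic
    sources: object              # network, set of addresses, or None = anywhere
    users: Optional[str]         # None = All Users (anonymous accepted)

@dataclass(frozen=True)
class Request:
    src: str
    protocol: str
    user_groups: frozenset = frozenset()   # empty = no credentials presented
    can_authenticate: bool = False         # True for Web Proxy clients

def evaluate(rules, req):
    """Return (verdict, rule name) for the first rule that decides the request."""
    src = ip_address(req.src)
    for rule in rules:
        if rule.protocols and req.protocol not in rule.protocols:
            continue
        if rule.sources is not None and src not in rule.sources:
            continue
        if rule.users is None:
            return rule.action, rule.name
        if req.user_groups:
            if rule.users in req.user_groups:
                return rule.action, rule.name
            continue                       # authenticated, but not in this user set
        # Anonymous request reached a rule that needs a user identity.
        if req.can_authenticate:
            return "AUTH_REQUIRED", rule.name
        return "DENY", rule.name           # SecureNet client cannot answer
    return "DENY", "implicit"

DOMAIN_USERS = Rule("Allow Internet - Domain Users", "ALLOW", WEB, INTERNAL, "Domain Users")
MAC_RULE = Rule("Macintosh SecureNet", "ALLOW", WEB, MAC_SET, None)   # hypothetical name
DEFAULT = Rule("Default rule", "DENY", frozenset(), None, None)
WRONG_ORDER = [DOMAIN_USERS, MAC_RULE, DEFAULT]
FIXED_ORDER = [MAC_RULE, DOMAIN_USERS, DEFAULT]
SECURENET_MAC = Request("192.168.0.50", "HTTP")
```

In this model `evaluate(WRONG_ORDER, SECURENET_MAC)` is denied at the Domain Users rule, while `evaluate(FIXED_ORDER, SECURENET_MAC)` is allowed by the anonymous rule. Any host using an address in the Computer Set is allowed without credentials, so keep that set limited to the specific Macintosh IP addresses.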

 

Summary

Windows operating systems are not the only ones that can connect to ISA Server; non-Windows machines can connect too. You can set them as Web Proxy clients and/or SecureNet clients. Although in this article I have only covered Macintosh machines, the same steps can be followed to set any client as a SecureNet or Web Proxy client, because the configuration on ISA Server is the same regardless of the client operating system. The only difference from one operating system to another is the way to set the default gateway or the proxy settings.

[ This article is posted at ElMajdal.Net website: http://www.elmajdal.net/ISAServer/Connecting_Macintosh_Machines_Behind_ISA_Server.aspx ]