Can a machine not joined to a domain get access to internet?

Discussion in 'Windows Small Business Server' started by tristan, Dec 9, 2005.

  1. tristan

    tristan Guest

    Hi,

    Can I get a workstation which is not joined to the domain but is plugged
    into the LAN and use applications that support firewall settings to access
    the internet?

    I have Internet Explorer going already by setting up the proxy connection
    settings, but I'm unable to get MS Outlook Express news client or Messenger
    working. On the SBS03 box I have ISA 04 running, have created an access
    rule to allow this test machine with ip address 192.168.16.12 to get access
    to http/nntp/smtp/ftp/socks/dns/netboios name service.

    I've tried telnet msnews.microsoft.com 119 but it won't connect from test
    machine, is this because telnet doesn't allow me to specify a domain
    username and password?

    The whole point of this exercise is that I want to take my laptop along to a
    clients and connect it up to their SBS03 network to demonstration our
    application which utilizes the internet protocols mentioned above and don't
    want to join the machine to their domain for this presentation. I'm in
    charge of their IT environment so I can change their firewall if required
    and I have a valid AD domain account I can use for authentication if
    required.

    It doesn't seem to make a difference if I install the ISA04 client on our
    test machine and give it the server name. It says it can see the server,
    but after a few times of trying my app to connect ISA client displays a
    tooltip saying 'cannot autheticate to isa server servername'


    Thanks
    Tristan
     
    tristan, Dec 9, 2005
    #1
    1. Advertisements

  2. HI Tristan,

    Welcome to SBS newsgroup.

    Issue description:
    =============

    I understand that you want to know if you can use a client which is not
    joined the SBS domain to access the internet to use some internet services
    such as OE MSN.

    Analyzing and suggestion:
    =============

    Generally speaking, we can deploy a client outside domain to use the ISA
    2004 as the gateway to access the internet. Just as I know, if the client
    computer is not joined into SBS domain, we can not install the firewall
    client on this computer. But instead we can set up this client computer as
    SecureNat. Here I would like to give you some suggestion:

    Based on my research, when we use set up the secureNat on the client
    computer, we need to make sure the default gateway on the client computer
    have been set to the ISA 2004 internal NIC. Please also make sure that the
    proxy is well configured on the client's IE. Because it is a secureNat
    client, if you set the allow all IP traffic on the ISA 2004 firewall policy
    for that special client, the client computer can only be allowed to use the
    traffic that have already defined as the protocol on the ISA 2004. That
    means if you want to allow the user to access the MSN service on the
    internet, you have to define a protocol rules to open the ports for the MSN
    services. (Please note that it is your best interest to set allow all IP
    traffic for that special client, then the client will be only allowed to
    access the pre-defined protocol on ISA.

    (Please note that SecureNat client do not pass any user authentication to
    the ISA 2004 server.) For your convenience, you can refer to my suggestion
    below to set up a securenat client computer on SBS domain.

    SecureNAT client treats ISA as its gateway and all name resolution is
    resolved by the client itself.

    To configure SecureNAT clients on a simple network, we should set the
    SecureNAT client's Internet Protocol (IP) default gateway settings to the
    IP address of the ISA Server computer's internal network address card.

    SecureNAT client doesn't support user authentication through ISA and it
    does also not support Secondary Connection. If you have applied some ISA
    rules on the user groups, SecureNAT client cannot pass it.

    SecureNAT client perform the DNS resolution by itself, not by ISA server.

    If we configure the proxy settings in IE, the clients will work as a Web
    Proxy Client when opening IE to access Internet.

    You can also refer to the KB article below to see how to set up a secure
    Nat client to access the external POP3 server, although it is for POP3
    server access, you can also change it for another rules such NNTP so that
    you can use it deploy for other internet based services.

    891234 How to enable POP3 access to an external POP3 server in ISA Server
    2004
    http://support.microsoft.com/?id=891234

    I really appreciate your understanding on this issue, please feel free to
    post back. I am glad to be of assistance.



    Best regards,

    Charles Yang (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | From: "tristan" <>
    | Subject: Can a machine not joined to a domain get access to internet?
    | Date: Fri, 9 Dec 2005 14:18:48 +1300
    | Lines: 34
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    | X-RFC2646: Format=Flowed; Original
    | Message-ID: <#lFfD6F$>
    | Newsgroups: microsoft.public.windows.server.sbs
    | NNTP-Posting-Host: 202-0-41-44.paradise.net.nz 202.0.41.44
    | Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:228900
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | Hi,
    |
    | Can I get a workstation which is not joined to the domain but is plugged
    | into the LAN and use applications that support firewall settings to
    access
    | the internet?
    |
    | I have Internet Explorer going already by setting up the proxy connection
    | settings, but I'm unable to get MS Outlook Express news client or
    Messenger
    | working. On the SBS03 box I have ISA 04 running, have created an access
    | rule to allow this test machine with ip address 192.168.16.12 to get
    access
    | to http/nntp/smtp/ftp/socks/dns/netboios name service.
    |
    | I've tried telnet msnews.microsoft.com 119 but it won't connect from test
    | machine, is this because telnet doesn't allow me to specify a domain
    | username and password?
    |
    | The whole point of this exercise is that I want to take my laptop along
    to a
    | clients and connect it up to their SBS03 network to demonstration our
    | application which utilizes the internet protocols mentioned above and
    don't
    | want to join the machine to their domain for this presentation. I'm in
    | charge of their IT environment so I can change their firewall if required
    | and I have a valid AD domain account I can use for authentication if
    | required.
    |
    | It doesn't seem to make a difference if I install the ISA04 client on our
    | test machine and give it the server name. It says it can see the server,
    | but after a few times of trying my app to connect ISA client displays a
    | tooltip saying 'cannot autheticate to isa server servername'
    |
    |
    | Thanks
    | Tristan
    |
    |
    |
     
    Charles Yang [MSFT], Dec 12, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.