ISA Server 2004: Howto Prevent Multiple Users Login on MS ISA 2004 VPN Server :)~ [Alternate Way]

Article by Syed Jahanzaib !

For setups, running Microsoft ISA server 2004 / 2006 , serving as VPN server for LAN users , or internet cable type setups where user id sharing is common among users , and you want to restrict that only (vpn) dialin users net should work, one id one session at a time (stop multiple login with same id). There are few solution available to your problem. Search GOOGLE and you will find many. There are some ‘limitlogin’ type addons available which limits users login to single session, But I achieve this by my my customized designed way. I can give you a kind of workaround. I recently setup this sort of scenario at my friends cable network.

I presume you have properly configured ISA and VPN Server (If not, please visit this link to setup VPN in ISA.
http://www.isaserver.org/articles/2004vpnserver.html

Create a user in Active directory  (If you have domain environment, if not, create user in computer management), in user DIALIN properties assign him a FIX IP. (any series you like, in this case 192.168.x.x , remember for every user, you must assign the user a fix address
(This step is must , only those users net will work, to whom you assign ip from 192.168.x.x pool)

Now Create an allow rules in ISA SERVER to allow all traffic from ‘VPN Clients’ to ‘EXTERNAL’

Now In Policy Elements, Define new Computer set name ‘Fake Users’. Add ip range for Fake Users like 10.0.0.1-10.0.0.255, (Remember that these series internet will be blocked by ISA FW Rule that we will create below)

Now in ISA Server, create a DENY rule which DENY traffic from this FAKE USERS computer set / ip range (10.0.0.1-10.0.0.255) ‘TO’ ‘EXTERNAL’ only.
[This step is taken for those users who are not logged in via dialer, or for those who tries to use already connected user id/pwd for login, this way they will be able to connect to isa server, but they will be redirected to ACCESS DENIED page)

So now if a user id is already connected, and some smart azz tries to use the same iD PWD to connect, he will connect, but he will get ip from 10.0.0.1 series and thus internet access will be denied because of deny rule you created for 10.0.0.x series.

Only first connected user will get valid ip (that you define i.e 192.168.x.x) and only his net will work.

Few days back, I configured Radius Manager 3.9 on Linux alongwith Mikrotik 4.17 server with scratch card / refill system. Its really cool and customizable giant. You can Read the full story at :

https://aacable.wordpress.com/2011/07/05/a-network-design-glass-line-pvt-ltd-june-2011/

Regard’s
Syed Jahanzaib

24.851000 67.008300

Linux Transparent Squid Proxy Server Guide

How To Install Squid in Ubuntu Linux

As http://whatis.techtarget.com/definition/squid-proxy-server.html defines, Squid is a Unix-based proxy server that caches Internet content closer to a requestor than its original point of origin. Squid supports caching of many different kinds of Web objects, including those accessed through HTTP and FTP. Caching frequently requested Web pages, media files and other content accelerates response time and reduces bandwidth congestion.

Squid works by tracking object use over the network. Squid will initially act as an intermediary, simply passing the client’s request on to the server and saving a copy of the requested object. If the same client or multiple clients request the same object before it expires from Squid’s cache, Squid can then immediately serve it, accelerating the download and saving bandwidth.

Internet Service Providers (ISPs) have used Squid proxy servers since the early 1990’s to provide faster download speeds and reduce latency, especially for delivering rich media and streaming video. Website operators frequently will put a Squid proxy server as a content accelerator, caching frequently viewed content and easing loads on Web servers. Content delivery networks and media companies employ Squid proxy servers and deploy them throughout their networks to improve the experience of viewers requesting programming, particularly for load balancing and handling traffic spikes for popular content.
Here I will discuss on howto setup it on popular linux flavour “Ubuntu“.
After installing Ubuntu , configure network interface cards, you must have at least 2 LAN cards , one for local LAN, second with internet connection e.g DSL

After configuring networking, make sure you are able to browse the internet. After that install & Configure Squid.

Default login type to linux is GUI (in Ubuntu Desktop or FEDORA) First login as root.

a) Then install SQUID service by issuing following command:

apt-get install squid squid-common 

b) Now configure it using default squid configuration file.

gedit /etc/squid/squid.conf

If you have CLI access, then use nano e.g:

nano /etc/squid/squid.conf

o change squid port  from http_port 3128 to http_port 8080

o find the http_access section, uncomment the following 2 lines and add your own networks (for example 192.168.0.0/24):

acl our_networks src 192.168.0.0/24
http_access allow our_networks

o change hostname in the visible_hostname section after:

#Default: # is none , just add:
visible_hostname proxy.aacable.com

Now save file, and exit and restart squid to implement changes we made to squid configuration:

service squid restart

Now in client browser, set proxy address to SQUID lan ip and port 8080, and test the browsing. If you don’t want to manually set the proxy at client end, setup squid in transparent mode.

Configure Squid as Transparent Proxy (Squid version >= 2.6)

Edit the Squid configuration file
gedit /etc/squid/squid.conf

o change from: http_port 8008 to,
http_port 8080 transparent

Save & Exit. and restart squid proxy server by

service squid restart
OR
squid -k rec

☺

Iptables configuration

Next, add following rules to forward all http requests (coming to port 80) to the Squid server port 8080 :

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

Where 192.168.0.1 is the ip of the Proxy LAN interface. & eth0 is LAN , and eth1 is WAN]

*  Save the new iptables:
iptables-save

OR use the following

https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/

++++++++++++++++++++++++++++++++++++

Also, following is a great guide which will gonna help you in installing SQUID proxy server in transparent mode.

http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

24.851000 67.008300