Firewall Policy - Rules behaviour
Firewall Policy - Rules behaviour - 27.Apr.2004 11:54:00 AM
Danee
Posts: 18
Joined: 22.Mar.2004
Status: offline
Hi All,
I found a weird thing:
I've set up a VPN pass-through rule (allow-pptp-internal-external-All Users) which works well. But when I change the condition to a user group (that contains a domain group that contains me) I get DENIED by this rule.
I did expect to be allowed; weird that I'm not (I use the FW client, but no authentication info shows up in the monitor, not even anonymous). The most disturbing fact however, I think, is that the rule DENIES me. If I'm not allowed, I expect the traffic to be passed down the chain so that all other policies get checked and that the default rule (deny all) would be the one to deny me! Or am I totally wrong here?
Cheers,
Danee
RE: Firewall Policy - Rules behaviour - 29.Apr.2004 1:39:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danee,
The firewall client only handles TCP/UDP protocols, and PPTP requires GRE (IP protocol 47). So, the firewall client can't help authenticate these connections.
A good reason to use L2TP/IPSec NAT-T if you can, because you can set user based access rules for the UDP protocols it requires.
HTH, Tom
RE: Firewall Policy - Rules behaviour - 5.May.2004 1:15:00 PM
Danee
Posts: 18
Joined: 22.Mar.2004
Status: offline
Hi Tom, thanks for the reply.
OK, I understand now why authentication won't happen, but why does the rule deny the traffic?
How is it possible that a rule that allows under certain criteria DENIES when the criteria aren't met? Shouldn't the rule just hand it over to the next rule in line? That's my understanding of how this version works: checking all rules, allowing traffic if there is a specific allow, and going down the list to finally get blocked by the last (default) rule.
Thanks,
Danee
[ edit: typos ] [ May 05, 2004, 01:16 PM: Message edited by: Danee ]
RE: Firewall Policy - Rules behaviour - 9.May.2004 5:51:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danee,
The rule matching process is somewhat odd with ISA 2004. First, it matches the connection characteristics *other than* the user. If the connection matches the characteristics in the rule, then it checks to see if the user is authenticated.
If the rule requires authentication, and the user does not authenticate (an anonymous connection), then the rule drops the connection! Yes, I know, it should move to the next rule, but that is not what happens.
HTH, Tom
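To make the behaviour Tom describes concrete, here is an added simulation (constructed for this thread, not ISA Server code) of the two-stage match: non-user criteria first, then the user check, where a rule that needs authentication denies an anonymous connection instead of falling through. It also models the Firewall Client only supplying credentials for TCP/UDP, so GRE (IP protocol 47) always arrives anonymous; the rule names, network names and group name are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    protocols: FrozenSet[str]                # e.g. "tcp/1723", "ip/47" (GRE)
    src: str
    dst: str
    users: Optional[FrozenSet[str]] = None   # None = All Users (no auth needed)

@dataclass(frozen=True)
class Connection:
    protocol: str
    src: str
    dst: str
    groups: Optional[FrozenSet[str]]         # None = anonymous (no credentials)

def from_firewall_client(protocol, src, dst, groups):
    """The Firewall Client only supplies credentials for TCP/UDP; GRE and other
    IP-level protocols arrive anonymous even from a logged-on user."""
    authenticated = protocol.startswith(("tcp/", "udp/"))
    return Connection(protocol, src, dst, frozenset(groups) if authenticated else None)

def evaluate(rules, conn, isa2004_quirk=True):
    """Return (action, rule name). With isa2004_quirk=True a rule whose
    non-user criteria match but that needs authentication denies an anonymous
    connection; with False it is skipped and evaluation continues."""
    for rule in rules:
        if not (conn.protocol in rule.protocols
                and conn.src == rule.src and conn.dst == rule.dst):
            continue                              # connection characteristics differ
        if rule.users is None:
            return rule.action, rule.name         # All Users: no auth check at all
        if conn.groups is None:                   # anonymous, but rule needs a user
            if isa2004_quirk:
                return "deny", rule.name
            continue
        if conn.groups & rule.users:
            return rule.action, rule.name
    return "deny", "Default rule"

PPTP = frozenset({"tcp/1723", "ip/47"})      # constructed: PPTP control + GRE
ALL_USERS_RULE = [Rule("allow-pptp-internal-external", "allow", PPTP, "Internal", "External")]
GROUP_RULE = [Rule("allow-pptp-internal-external", "allow", PPTP, "Internal", "External",
                   users=frozenset({"VPN-Users"}))]

if __name__ == "__main__":
    gre = from_firewall_client("ip/47", "Internal", "External", {"VPN-Users"})
    print(evaluate(ALL_USERS_RULE, gre))                   # ('allow', 'allow-pptp-internal-external')
    print(evaluate(GROUP_RULE, gre))                       # ('deny', 'allow-pptp-internal-external')
    print(evaluate(GROUP_RULE, gre, isa2004_quirk=False))  # ('deny', 'Default rule')
```

The second result is the deny Danee sees in the monitor: the GRE leg matches the rule's protocol and networks, cannot be authenticated, and is dropped by that rule rather than by the default rule.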