Welcome to ISAserver.org
Setup Access Rule correctly...disable All Users
Setup Access Rule correctly...disable All Users - 20.May2004 1:54:00 AM
SetiQueue
Posts: 5
Joined: 19.Dec.2003
From: Fort Pierce, Florida
Status: offline
Hello All, Currently I have ISA 2004 set to allow all outbound access. I want to restrict this based on domain membership...but every time I remove the All Users from the access rule it blocks the servers I have on the internal network.
If anyone can help I would appreciate it.
My current setup is as follows:
Windows 2003 Server running ISA 2004 set up as an edge network (No servers running)
Windows 2003 Server running Active Directory, DNS, FTP & Web (IIS), SMTP & POP3, etc.
My network is the following:
WAN - Static IP provided by firewall.
LAN - 192.168.1.X for wired LAN and 192.168.2.X for wireless LAN
DMZ - Network card currently disabled...Servers are on LAN segment.
When I remove the All Users section from the access rule (keeping the groups Domain Users and Domain Admins), I get denied messages from DNS and POP3 (because no user information is available) and cannot access my web/ftp servers remotely.
If anyone has a similar setup, can you let me know how you made yours work?
RE: Setup Access Rule correctly...disable All Users - 21.May2004 1:04:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi SQ,
Make sure the machines are configured as Firewall and SecureNAT clients.
Thanks! Tom
RE: Setup Access Rule correctly...disable All Users - 21.May2004 5:42:00 AM
SetiQueue
Hello Tom, Thank you for your response, the machines are set up as SecureNAT and firewall clients. I will retry the access policy again tonight though just to be sure...then I can grab a copy of the log if needed as well.
Thanks, Jeff
RE: Setup Access Rule correctly...disable All Users - 21.May2004 7:27:00 PM
tshinder
Hi Jeff,
OK, the Firewall client should be able to send credentials to the ISA firewall. Is the ISA firewall a member of the same domain as the client sending the credentials? Or, are you using RADIUS for Web proxy authentication? Actually, that only works for Web proxy clients (I think, I better test this!).
Thanks! Tom
RE: Setup Access Rule correctly...disable All Users - 21.May2004 10:00:00 PM
SetiQueue
quote: Originally posted by tshinder: Hi Jeff,
OK, the Firewall client should be able to send credentials to the ISA firewall. Is the ISA firewall a member of the same domain as the client sending the credentials? Or, are you using RADIUS for Web proxy authentication? Actually, that only works for Web proxy clients (I think, I better test this!).
Thanks! Tom
Hello Tom, The ISA Firewall is a member of the same domain as the client sending the credentials.
When I remove "All Users" from my access policy I do see some firewall connections (mainly relating to Web connections). It seems that the system services are not connecting (I have set these in the access policy as well).
I wasn't able to make the changes last night, but will do that tonight so I can post additional details.
Thanks, Jeff
RE: Setup Access Rule correctly...disable All Users - 23.May2004 5:04:00 PM
tshinder
Hi Jeff,
Great! Make the changes and double check the setup and let us know what happens.
Thanks! Tom
RE: Setup Access Rule correctly...disable All Users - 24.May2004 11:13:00 AM
SetiQueue
Well I made the changes...and by viewing the default rules that were created by the template wizard for various roles I ended up creating the following:
DNS - All Users (For my DNS Server that forwards unknown requests to my ISP server)
POP3 - All Users (For a mail filter I have installed that retrieves my ISP mail and forwards to my Exchange account)
Unrestricted Access - Domain Admins/Domain Users
Seems that this is working fine for me...I still don't know why it couldn't authenticate the system services with the firewall client installed.
If anyone has any other recommendations it would be appreciated =)
[ May 24, 2004, 11:14 AM: Message edited by: SetiQueue ]
RE: Setup Access Rule correctly...disable All Users - 24.May2004 12:53:00 PM
tshinder
Hi Jeff,
What do you mean authenticating "system services"? Only logged on users can authenticate.
HTH, Tom
RE: Setup Access Rule correctly...disable All Users - 26.May2004 12:09:00 PM
SetiQueue
My apologies that I didn't specify that a bit more...in my access rule there was an option to allow system and network services for access. I have this option specified but it still blocked the DNS server, and my POP3 Filter which are running under a network/system account.
RE: Setup Access Rule correctly...disable All Users - 30.May2004 2:51:00 AM
tshinder
Hi Jeff,
Only users can authenticate, not remote SYSTEM accounts.
HTH, Tom
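Added example, not part of the thread and not ISA Server code: a small Python model of the two rule sets Jeff describes, showing why services that present no user credentials are denied once All Users is removed, and why the anonymous DNS and POP3 rules restore them. The ordered first-match evaluation, the deny when a rule needs a user and none is presented, and the sample requests are modelling assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"

@dataclass
class Rule:
    name: str
    protocols: set   # protocol names; "*" stands for all outbound protocols
    user_sets: set   # "All Users" or domain group names

@dataclass
class Request:
    label: str
    protocol: str
    groups: Optional[set]   # None = connection carries no user credentials

def evaluate(rules, req):
    """Return (verdict, rule name) from an ordered, first-match rule list."""
    for rule in rules:
        if "*" not in rule.protocols and req.protocol not in rule.protocols:
            continue
        if ALL_USERS in rule.user_sets:
            return ("allow", rule.name)    # anonymous rule, no identity needed
        if req.groups is None:
            return ("deny", rule.name)     # assumption: rule needs a user, none sent
        if req.groups & rule.user_sets:
            return ("allow", rule.name)
    return ("deny", "Default rule")

DOMAIN = {"Domain Users", "Domain Admins"}
# Rule set after removing All Users, and the rule set from the 24 May post.
BEFORE = [Rule("Unrestricted Access", {"*"}, DOMAIN)]
AFTER = [Rule("DNS", {"DNS"}, {ALL_USERS}),
         Rule("POP3", {"POP3"}, {ALL_USERS}),
         Rule("Unrestricted Access", {"*"}, DOMAIN)]

# Constructed sample traffic, not taken from any real log.
SAMPLES = [
    Request("DNS server forwarding to ISP", "DNS", None),
    Request("POP3 mail filter service", "POP3", None),
    Request("logged-on domain user browsing", "HTTP", {"Domain Users"}),
    Request("service account, other protocol", "HTTP", None),
]

def compare(samples=SAMPLES):
    """Map each sample label to its (before, after) verdicts."""
    return {s.label: (evaluate(BEFORE, s)[0], evaluate(AFTER, s)[0]) for s in samples}

if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:34} before={before:5} after={after}")
```

The DNS and POP3 rules in this model match on protocol alone, because the thread gives no source restriction for them, so any internal host gets those two protocols without authenticating.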