
Welcome to ISAserver.org


System Policy Setup Error?

System Policy Setup Error? - 17.Mar.2008 2:41:26 PM   
wlazzell

 

Hello All,
I locked down internet access to only members of an AD group who are supposed to have internet access. In testing everything seems to be OK; however, an interesting side effect has occurred. I cannot ping any external sites from any workstation EXCEPT the ISA server. I have been editing the system policies to try and get this to work (our network management tool uses ICMP to check external DNS servers and a VPN connection to an external site).
Do I need another access rule to allow ICMP to specific IP addresses?
Does anyone have any ideas? My ISA server is a member of the domain.

Thanks in advance.
Post #: 1
RE: System Policy Setup Error? - 17.Mar.2008 4:07:10 PM   
wlazzell

 

OK, I found out what I needed to do: I had to move my internet rule down after all my publishing rules (it was blocking outbound e-mail). I also added a rule to allow ICMP immediately prior to my internet rule.
My only other issue now is instant messaging. We use it in the IS department. I will think about that one tonight and see if I can figure it out.

(in reply to wlazzell)
Post #: 2
RE: System Policy Setup Error? - 18.Mar.2008 7:44:31 AM   
wlazzell

 

Found another issue this morning: WSUS 3.0 will not sync with Microsoft's server now. It gives me an HTTP error, so I need a rule allowing HTTP for only the WSUS server, I think. Anyone have any other ideas?

(in reply to wlazzell)
Post #: 3
RE: System Policy Setup Error? - 18.Mar.2008 8:12:19 AM   
wlazzell

 

OK, what worked for my configuration is a rule immediately prior to my internet access rule allowing HTTP and HTTPS only to a defined domain set of Microsoft update sites (preconfigured in ISA 2006). A manual synchronization worked with no errors, so I will see how it works tonight. Internet access is still blocked for unauthorized users.

(in reply to wlazzell)
Post #: 4
RE: System Policy Setup Error? - 18.Mar.2008 11:17:36 AM   
Jason Jones

 

Yep, an anonymous (all users) access rule (with limited protocols and destinations) above the internet access rule is often the way to go for Microsoft update.

Can you not configure WSUS to use the proxy and define authentication credentials in order to limit anonymous access though?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to wlazzell)
Post #: 5
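
The rule ordering worked out in this thread, as an added example that is not part of any post: a simplified Python model of top-down policy evaluation in which a matching rule that requires a user group denies traffic that cannot present that group. It is not ISA Server code; the rule names, group name, hostnames and the assumption that the internet rule covers ICMP are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified model (an assumption, not ISA Server code): rules are checked
# top-down. A rule that matches protocol and destination but requires a user
# group the request cannot satisfy ends evaluation with a deny.

@dataclass
class Rule:
    name: str
    protocols: set
    destinations: set          # "*" means any destination
    group: str = None          # None means all users (anonymous allowed)

@dataclass
class Request:
    protocol: str
    destination: str
    groups: frozenset = frozenset()   # empty: traffic that cannot authenticate

def evaluate(rules, req):
    """Return (action, name of the rule that decided)."""
    for rule in rules:
        if req.protocol not in rule.protocols:
            continue
        if "*" not in rule.destinations and req.destination not in rule.destinations:
            continue
        if rule.group is None or rule.group in req.groups:
            return ("allow", rule.name)
        return ("deny", rule.name)
    return ("deny", "Default rule")

# Constructed rules mirroring the thread; all names are placeholders.
INTERNET = Rule("Internet access", {"HTTP", "HTTPS", "ICMP"}, {"*"}, "Internet Users")
ICMP = Rule("Allow ICMP", {"ICMP"}, {"dns.example"})
MSUPDATE = Rule("Microsoft Update", {"HTTP", "HTTPS"}, {"update.example"})

BEFORE = [INTERNET]                  # authenticated rule alone
AFTER = [ICMP, MSUPDATE, INTERNET]   # narrow anonymous rules placed above it

if __name__ == "__main__":
    samples = [
        Request("ICMP", "dns.example"),                               # monitoring ping
        Request("HTTP", "update.example"),                            # WSUS sync
        Request("HTTP", "www.example", frozenset({"Domain Users"})),  # unauthorized user
        Request("HTTP", "update.example", frozenset({"Domain Users"})),
    ]
    for req in samples:
        print(req.protocol, req.destination, evaluate(BEFORE, req), evaluate(AFTER, req))
```

The last sample shows the trade-off raised in the final reply: an all-users rule lets any client reach the listed update destinations, which is why it is kept to limited protocols and destinations.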
