Welcome to ISAserver.org
System Policy Setup Error?
System Policy Setup Error? - 17.Mar.2008 2:41:26 PM
wlazzell
Posts: 17
Joined: 22.Jan.2008
Status: offline
Hello All, I locked down internet access to only members of an AD group who are supposed to have internet access. In testing everything seems to be OK, however, an interesting side effect has occurred. I cannot ping any external sites from any workstation EXCEPT the ISA server. I have been editing the system policies to try and get this to work (our network management tool uses ICMP to check external DNS servers and a VPN connection to an external site). Do I need another access rule to allow ICMP to specific IP addresses? Does anyone have any ideas? My ISA server is a member of the domain. Thanks in advance.
RE: System Policy Setup Error? - 17.Mar.2008 4:07:10 PM
wlazzell
Posts: 17
Joined: 22.Jan.2008
Status: offline
OK, I found out what I needed to do. I had to move my internet rule down after all my publishing rules (it was blocking outbound e-mail). I also added a rule to allow ICMP immediately prior to my internet rule. My only other issue now is instant messaging. We use it in the IS department. I will think about that one tonight and see if I can figure it out.
RE: System Policy Setup Error? - 18.Mar.2008 7:44:31 AM
wlazzell
Posts: 17
Joined: 22.Jan.2008
Status: offline
Found another issue this morning: WSUS 3.0 will not sync with Microsoft's server now. It gives me an HTTP error, so I need a rule allowing HTTP for only the WSUS server, I think. Anyone have any other ideas?
RE: System Policy Setup Error? - 18.Mar.2008 8:12:19 AM
wlazzell
Posts: 17
Joined: 22.Jan.2008
Status: offline
OK, what worked for my configuration is a rule immediately prior to my internet access rule allowing HTTP and HTTPS only to a defined domain set of Microsoft Update sites (preconfigured in ISA 2006). A manual synchronization worked with no errors, so I will see how it works tonight. Internet access is still blocked for unauthorized users.
RE: System Policy Setup Error? - 18.Mar.2008 11:17:36 AM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yep, an anonymous (all users) access rule (with limited protocols and destinations) above the internet access rule is often the way to go for Microsoft Update. Can you not configure WSUS to use the proxy and define authentication credentials in order to limit anonymous access though?
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
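The rule ordering worked out in this thread, as a simplified first-match model in Python; this is an added example, not code from any poster or from ISA Server. Rule names, the `InternetUsers` group and the addresses are constructed placeholders, and the model assumes that a group-restricted rule which matches on protocol and destination denies traffic that cannot present credentials instead of falling through.

```python
from dataclasses import dataclass

ANY = None  # wildcard: the rule does not restrict this element

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    destinations: frozenset = ANY   # ANY = all destinations
    group: str = ANY                # ANY = "All Users" (anonymous allowed)

def evaluate(rules, proto, dst, user_groups=None):
    """First-match evaluation. user_groups=None means no credentials were sent."""
    for r in rules:
        if proto not in r.protocols:
            continue
        if r.destinations is not ANY and dst not in r.destinations:
            continue
        if r.group is ANY:
            return "allow", r.name
        if user_groups is None:
            # Everything matched except the user, and the traffic cannot
            # authenticate (a ping, an anonymous WSUS sync): stop here.
            return "deny", r.name
        if r.group in user_groups:
            return "allow", r.name
        # Authenticated but not a member: rule does not apply, keep going.
    return "deny", "Default rule"

# Constructed sample policy (assumed names, documentation-range address).
INTERNET = Rule("Internet access", frozenset({"HTTP", "HTTPS", "ICMP"}),
                group="InternetUsers")
ICMP = Rule("Allow ICMP", frozenset({"ICMP"}))
MSUPDATE = Rule("Microsoft Update", frozenset({"HTTP", "HTTPS"}),
                frozenset({"update.microsoft.com"}))

BEFORE = [INTERNET]                 # only the group-restricted rule
AFTER = [ICMP, MSUPDATE, INTERNET]  # narrow anonymous rules placed above it

def demo():
    cases = [("ICMP", "192.0.2.53", None),
             ("HTTP", "update.microsoft.com", None),
             ("HTTP", "example.com", None),
             ("HTTP", "example.com", frozenset({"InternetUsers"}))]
    return [(c, evaluate(BEFORE, *c), evaluate(AFTER, *c)) for c in cases]

if __name__ == "__main__":
    for case, before, after in demo():
        print(case, "before:", before, "after:", after)
```

The third case is the one to check after any reordering: unauthenticated HTTP to an arbitrary site must still land on the group-restricted rule and be denied.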