Welcome to ISAserver.org


VPN Access rule with a user group.

VPN Access rule with a user group. - 6.Aug.2004 6:39:00 PM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
I have a really strange issue.

When I create an access rule to allow only certain VPN users access to Certain Servers it doesn't work. If I replace the group that holds the users with "All Users" it works as you would expect (i.e. all users can access the servers). If I now add the group that holds the users to the "Exceptions" tab, it works as you would expect (i.e. it allows all users except the ones contained in the group).

Therefore it appears to be resolving the group OK when it's a member of the "Exceptions" list, but it doesn't resolve when it's the only entry in the "Allowed users".

The ISA server is a member of the domain.

In summary the rules are -

Specified allowed users -

Protocols - Various Selected

From - VPN Clients

To - A Group with some servers added.

Users - A group with a selected domain Group.

This one doesn't work, I get access denied in the logs.

All users -

Protocols - Various Selected

From - VPN Clients

To - A Group with some servers added.

Users - All Users

This one works.

All users Except Group with domain group -

Protocols - Various Selected

From - VPN Clients

To - A Group with some servers added.

Users - All Users

Exceptions - A group with a selected domain group. (Same group as first rule above)

This one works. So it does see that the user is a member of the group in the Exceptions list.

Thanks
Andrew
Post #: 1
RE: VPN Access rule with a user group. - 6.Aug.2004 9:29:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I would think the real problem here is that the Exceptions prevents users from accessing internal resources.

Conceptually, once a client VPNs to the ISA Server, it is placed in the VPN Clients network. In order to restrict users' access to the Internal network, they would need to have the Firewall Client installed, as that is the only way that user authentication can occur for anything non-HTTP/FTP based. You can't restrict based off of user for ICMP, SMB, etc...

See Tom's article on this - you'll see that he applies the Rule to "All Users". You might do more testing on the "Exceptions" scenario and use the logging function to find out if that user is truly getting through the rule you think it is.

[ August 06, 2004, 09:34 PM: Message edited by: ClintD ]

(in reply to andrew.toon)
Post #: 2
RE: VPN Access rule with a user group. - 7.Aug.2004 2:35:00 AM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
I thought you could apply access rules on a VPN client on a user basis.

Chapter 5 of the VPN Deployment Kit seems to say that you can apply access rules to a VPN connection and limit these rules by user. I admit that I may be reading it wrong, but that's what I believe it says.

As for the testing, I've tested a number of times and it certainly appears that it will deny the connection if the user is part of a group that's in the Exceptions list, with All Users in the Allow list. But it doesn't seem to work when I put the group in the Allow list.

Thanks
Andrew

(in reply to andrew.toon)
Post #: 3
RE: VPN Access rule with a user group. - 8.Aug.2004 7:14:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

The credentials used are the credentials used by the VPN client to log into the network. So, if the user is a member of that group, it will work.

So, the example you give should work. At least it worked in the beta. I'll have to see if something has changed.

Thanks!
Tom

(in reply to andrew.toon)
Post #: 4
RE: VPN Access rule with a user group. - 8.Aug.2004 5:49:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Tom - do you have any idea how user authentication/verification is possible from the "VPN Clients" network to "Internal"?

I'm trying to wrap my head around this, but outside of the Firewall Client, I can't see how ISA would filter based on User in this scenario for SMB, PING, etc...

(in reply to andrew.toon)
Post #: 5
RE: VPN Access rule with a user group. - 8.Aug.2004 8:40:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

From the behavior I saw in the beta, the ISA firewall uses the credentials used on VPN log on to access servers and protocols on the Internal network.

For example, I create a group "OWA users" and populate that group with User1, User2 and User3. Then I create an access rule that allows the "OWA users" group access to the IP address of the OWA server using TCP 80 from the VPN Clients network.

If User4 connects to the VPN and tries to connect to the OWA server, that user will not be able to establish a TCP 80 connection with the OWA server, because that user is not a member of the "OWA Users" group. So, the connection for that user from the VPN Clients network to the OWA server on the Internal network would not be allowed.

Maybe I'm not following the scenario discussed in this thread correctly, but that seems to be what we want to accomplish. Right?

Thanks!
Tom

(in reply to andrew.toon)
Post #: 6
RE: VPN Access rule with a user group. - 8.Aug.2004 10:21:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
That's definitely the scenario we're talking about.

I'll try to illustrate what I'm talking about - for this example, let's not use HTTP since Internet Explorer can provide credentials - instead, let's use ICMP Echo Request and ICMP Echo Reply.

For example, say you have a WinXP client connect with user MSFIREWALL\TShinder and he gets assigned the IP address 192.168.50.50.

ISA has a Network Rule stating Route from "VPN Clients" to "Internal" and ISA also has a Firewall Policy Access Rule that allows "PING" only from the "VPN Clients" Network to "Internal" for the user group "Authenticated Users".

How does ISA know that 192.168.50.50 is associated with the User MSFIREWALL\TShinder, since ICMP can't provide credentials to fit the "Authenticated Users" criteria? From another point of view, how can the user prove to ISA, at an ICMP level, that it is truly MSFIREWALL\TShinder?

Does that illustrate where I'm confused?

[ August 08, 2004, 10:22 PM: Message edited by: ClintD ]

(in reply to andrew.toon)
Post #: 7
RE: VPN Access rule with a user group. - 9.Aug.2004 2:27:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

I can see why you're confused and now I'm confused too [Smile]

Now look what you've done, I'm going to have to set things up again tonight and see what the behavior is in the final release!

Thanks!
Tom

(in reply to andrew.toon)
Post #: 8
RE: VPN Access rule with a user group. - 9.Aug.2004 10:44:00 AM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
It definitely knows the userid that initiated the connection, perhaps it keeps the userid and IP address that it gets assigned when a connection is initiated internally. So it knows that any traffic originating from that IP is from that user.

I have an Access Rule defined that allows access to certain protocols and certain servers for traffic originating from the source network of "VPN Clients". Instead of allowing "All Users" I want to only allow certain users. I therefore define an ISA Group that contains a Domain Global Group, which in turn contains the allowed users.

When this ISA Group is set in the "Users" of the "Access Rule", instead of allowing the user access it denies access. I can see from the log that it is denying access using the correct rule and that it's correctly identified the user, see below.

Original Client = YYY.YYY.YYY.YY
IP Transport = ICMP
Source Port = 0
Result Code = 0xc004000d FWX_E_POLICY_RULES_DENIED
Log Time = 09/08/2004 09:01
Destination IP = XXX.XXX.XXX.XXX
Destination Port = 0
Protocol = Ping
Action = Denied Connection
Rule = VPN Financial Clients
Client IP = YYY.YYY.YYY.YY
Client Username = USERID1
Source Network = VPN Clients
Destination Network = Internal

When I replace the ISA Group in the "Users" tab of the "Access Rule" with "All Users", it works as expected and allows me through, see below.

Original Client = YYY.YYY.YYY.YY
IP Transport = ICMP
Source Port = 0
Result Code = 0x0
Log Time = 09/08/2004 09:01
Destination IP = XXX.XXX.XXX.XXX
Destination Port = 0
Protocol = Ping
Action = Initiated Connection
Rule = VPN Financial Clients
Client IP = YYY.YYY.YYY.YY
Client Username = USERID1
Source Network = VPN Clients
Destination Network = Internal

When I keep the "All Users" setting and add the ISA Group to the "Exceptions" box of the "Users" tab, it again works as expected and denies me access, see below.

Original Client = YYY.YYY.YYY.YY
IP Transport = ICMP
Source Port = 0
Result Code = 0xc004000d FWX_E_POLICY_RULES_DENIED
Log Time = 09/08/2004 08:53
Destination IP = XXX.XXX.XXX.XXX
Destination Port = 0
Protocol = Ping
Action = Denied Connection
Rule = VPN Financial Clients
Client IP = YYY.YYY.YYY.YY
Client Username = USERID1
Source Network = VPN Clients
Destination Network = Internal

So it definitely knows which user has initiated some type of connection, because it has the correct userid in the "Client Username", but for some reason it doesn't work when that user is part of a Domain Group, which is part of an ISA Group, and this group is the only one allowed in the "Users" tab of the "Access Rule". However, if you put "All Users" in that tab and then in the "Exceptions" put the ISA Group, it does work because it blocks the connection.

I believe it should be working. At this stage, although the server is in production, it's currently not being used, so I'm sorely tempted to re-install from scratch. However, I didn't want to go to this stage unless I'd exhausted all other options, and I have confirmed that it should indeed work.

Thanks
Andrew

(in reply to andrew.toon)
Post #: 9
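The rule semantics Tom describes in post #6 (a user set on the Users tab, checked against the credentials the client used at VPN logon) and the log records Andrew pastes in post #9 can be tied together in a small audit script. This is an added example, not code from the thread, from ISA Server or from any of its posters: it models the Users and Exceptions tabs of one access rule, parses records in the copy format Andrew quoted, and flags any record whose logged action contradicts what the rule configuration predicts. The user set and domain group names, the IP addresses and the `sample_record` helper are constructed for the example; only the `FWX_E_POLICY_RULES_DENIED` code, the field names and the rule name come from the thread.

```python
import re
from dataclasses import dataclass, field

# Result code ISA 2004 logs when a firewall policy rule denies a connection
# (taken from the records quoted in the thread).
FWX_E_POLICY_RULES_DENIED = "0xc004000d"
ALL_USERS = "All Users"


def resolve_groups(user: str, members: dict[str, set[str]]) -> set[str]:
    """Every group `user` belongs to, following nesting (an ISA user set
    that contains a domain group that in turn contains the user)."""
    found: set[str] = set()
    frontier = [user]
    while frontier:
        principal = frontier.pop()
        for group, group_members in members.items():
            if principal in group_members and group not in found:
                found.add(group)
                frontier.append(group)
    return found


@dataclass
class AccessRule:
    """The parts of an ISA access rule relevant to the thread."""
    name: str
    protocols: set[str]
    from_network: str
    to_network: str
    users: set[str]                                     # Users tab
    exceptions: set[str] = field(default_factory=set)   # Exceptions tab

    def matches_traffic(self, protocol: str, src: str, dst: str) -> bool:
        return (protocol in self.protocols and src == self.from_network
                and dst == self.to_network)

    def user_allowed(self, user: str, members: dict[str, set[str]]) -> bool:
        groups = resolve_groups(user, members)
        if groups & self.exceptions:          # an exception always wins
            return False
        return ALL_USERS in self.users or bool(groups & self.users)


def parse_records(text: str) -> list[dict[str, str]]:
    """Parse blank-line separated 'Key = Value' blocks (the log viewer copy
    format quoted in the thread) into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def audit(rule: AccessRule, records: list[dict[str, str]],
          members: dict[str, set[str]]) -> list[dict]:
    """For each record that names `rule`, compare the action the rule's
    configuration predicts with the action the firewall actually logged."""
    findings = []
    for rec in records:
        if rec.get("Rule") != rule.name:
            continue
        expected_allow = (
            rule.matches_traffic(rec["Protocol"], rec["Source Network"],
                                 rec["Destination Network"])
            and rule.user_allowed(rec["Client Username"], members))
        observed_allow = rec["Action"] != "Denied Connection"
        findings.append({"user": rec["Client Username"],
                         "expected_allow": expected_allow,
                         "observed_allow": observed_allow,
                         "mismatch": expected_allow != observed_allow})
    return findings


def sample_record(action: str, result_code: str) -> str:
    """Constructed log record in the thread's format (placeholder addresses)."""
    return (f"Original Client = 10.0.0.50\nIP Transport = ICMP\nSource Port = 0\n"
            f"Result Code = {result_code}\nLog Time = 09/08/2004 09:01\n"
            f"Destination IP = 10.1.1.10\nDestination Port = 0\nProtocol = Ping\n"
            f"Action = {action}\nRule = VPN Financial Clients\n"
            f"Client IP = 10.0.0.50\nClient Username = USERID1\n"
            f"Source Network = VPN Clients\nDestination Network = Internal\n")


def thread_scenarios() -> list[bool]:
    """Replay Andrew's three configurations against the matching log records.
    One flag per scenario: True means the log contradicts the rule."""
    members = {  # constructed: ISA user set -> domain group -> user
        "Finance ISA User Set": {"DOMAIN\\Finance VPN Users"},
        "DOMAIN\\Finance VPN Users": {"USERID1"},
    }
    base = dict(name="VPN Financial Clients", protocols={"Ping"},
                from_network="VPN Clients", to_network="Internal")
    denied = sample_record("Denied Connection",
                           f"{FWX_E_POLICY_RULES_DENIED} FWX_E_POLICY_RULES_DENIED")
    allowed = sample_record("Initiated Connection", "0x0")
    scenarios = [
        (AccessRule(users={"Finance ISA User Set"}, **base), denied),
        (AccessRule(users={ALL_USERS}, **base), allowed),
        (AccessRule(users={ALL_USERS}, exceptions={"Finance ISA User Set"}, **base), denied),
    ]
    return [audit(rule, parse_records(log), members)[0]["mismatch"]
            for rule, log in scenarios]


if __name__ == "__main__":
    print(thread_scenarios())  # [True, False, False]
```

Running it gives `[True, False, False]`: only the first scenario, the group alone on the Users tab, produces a record whose logged action contradicts the configured rule, which is exactly the symptom Andrew reported before his reinstall. That kind of mismatch between configured and enforced policy is worth surfacing from the logs on any firewall, since it means the policy you think is in force is not the one being applied.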
RE: VPN Access rule with a user group. - 9.Aug.2004 2:29:00 PM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

I'll try to test this today. I'm trying to finish up an article on the unihomed ISA firewall in Web Proxy mode in a DMZ of a packet filter firewall. I hope to be able to test this out this afternoon.

Thanks!
Tom

(in reply to andrew.toon)
Post #: 10
RE: VPN Access rule with a user group. - 9.Aug.2004 8:46:00 PM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
Hi Tom,

Thanks for your help. In the end I trashed the machine and re-installed from scratch.

This appears to have fixed the issue and it's now working as I would expect.

Therefore you can limit the access to particular users or groups for VPN Client. Which is very impressive to say the least.

Thanks
Andrew

(in reply to andrew.toon)
Post #: 11
RE: VPN Access rule with a user group. - 10.Aug.2004 5:35:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

That is VERY good to hear! I've been playing up the feature big time and I would die from a broken heart if somehow it was broken in the RTM [Smile]

Good to hear you got it working and thanks for the follow up!

Tom

(in reply to andrew.toon)
Post #: 12
RE: VPN Access rule with a user group. - 10.Aug.2004 6:31:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Sorry to have led you astray (rather, I "tried" to lead you astray), Andrew.

This functionality isn't documented anywhere I've seen and it is indeed very slick - I tested it in my lab and it does work as Andrew states - I never would have tested it without this thread. Very interesting.

(in reply to andrew.toon)
Post #: 13
RE: VPN Access rule with a user group. - 10.Aug.2004 7:53:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Clint,

If you weren't aware of this, then something is seriously wrong with the messaging for the ISA firewall product.

I think I'll need to do a series on this to highlight its utility.

Thanks!
Tom

(in reply to andrew.toon)
Post #: 14
RE: VPN Access rule with a user group. - 15.Oct.2004 2:10:00 AM   
RichISASE

 

Posts: 7
Joined: 24.Sep.2004
Status: offline
Hi all,

I've been trying to implement internal resources protection for VPN clients via a Radius Server, but no luck.
I've created ISA Groups with Radius Users defined and defined access rules with the exception list, but still traffic is not blocked for Radius users.

Has anyone had success working with Radius Authentication and limiting resources for VPN clients? The ISA server is not part of a Domain!

Thank you,

Richard

(in reply to andrew.toon)
Post #: 15
