Welcome to ISAserver.org


Why would anonymous requests got denied by this rule?

Why would anonymous requests got denied by this rule? - 21.Jan.2006 12:34:42 AM   
controlair

 

Posts: 46
Joined: 1.Aug.2005
Status: offline

I am studying the logs of ISA 2004 and trying to tune the policies to make our ISA run smoother. I see something weird, but I wouldn't say it is faulty; I just want to understand why this happens...

Okay I have a rule defined as below:

**********************************
Name: Deny request from inet_NoAccess users
Action: Deny
Protocols: All Outbound Traffic
From: Internal
To: External
Condition: user = a domain security group, to which we add users who don't have Internet access
**********************************

It works perfectly in blocking access requests from any user who is in that security group; however, I am seeing all requests from "anonymous" get denied by this rule as well. I know where those requests come from: they are from IE as a first attempt without sending any authentication information. But my question is, since the user name "anonymous" does not really meet the user criteria in this rule, why did those requests even get processed by this rule?
 
In my opinion, if the "username" of requests does not meet any condition in any customized rule, shouldn't those requests be denied by the "Last Default Rule"?
 
 
 


< Message edited by controlair -- 23.Jan.2006 5:50:07 PM >
Post #: 1
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 12:43:12 AM
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
No.
It will deny because it cannot authenticate.  This is expected behavior and the reason why you need to order anonymous rules first.   This topic has been discussed here at great length.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to controlair)
Post #: 2
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 12:45:27 AM
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
What I don't understand is why you would need an authenticated deny rule.  Just don't allow it in the first place and the default rule will deny it.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to LLigetfa)
Post #: 3
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 12:58:25 AM
controlair

 

Posts: 46
Joined: 1.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

What I don't understand is why you would need an authenticated deny rule.  Just don't allow it in the first place and the default rule will deny it.


The purpose of creating this particular rule is to be able to find out from the log (by using a filter definition) how many users who are in the inet_NoAccess group *are trying* to access the Internet and what sites they are trying.

If this rule did not exist, all of those logged attempts would get mixed with all other traffic denied by the "Last Default Rule", and then it would take forever to sort out because I can't add that group of users into the filter. It's more for monitoring purposes than for functioning.

I hope this makes sense to you?

< Message edited by controlair -- 21.Jan.2006 1:12:03 AM >

(in reply to LLigetfa)
Post #: 4
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 1:04:43 AM
controlair

 

Posts: 46
Joined: 1.Aug.2005
Status: offline
quote:

ORIGINAL: LLigetfa

No.
It will deny because it cannot authenticate.  This is expected behavior and the reason why you need to order anonymous rules first.   This topic has been discussed here at great length.


LLigetfa,

Sorry, I did not know this has been discussed a lot here. I did do my homework before posting -- I searched, but all the cases I found are related to problems caused by using "All users" instead of "All Authenticated Users" or something like that.

If you don't mind, could you please give me some more hints for:

1. How do I create a rule just for anonymous requests?  I mean, "anonymous" isn't really something that I can add into "users", and from your comments above it looks like I could create a rule for anonymous and put that on the very top of rules?

2. Is there somewhere I could configure my ISA to deny *ALL* anonymous requests, so I don't have to worry about which rule those requests got denied at?

(in reply to LLigetfa)
Post #: 5
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 1:36:32 AM
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Sorry,
When I said, "This topic has been discussed here at great length" I did not mean for you to infer you didn't do your homework, only that you are not alone in your way of thinking.  A lot of people take exception to the way rules are processed.

Interesting statistic to monitor, even if it's not my cup of tea.  In fact, I created a deny rule that deliberately does not log because I don't care to see stuff I don't care about filling up my logs.

Basically "All Users" includes "anonymous" but is all-inclusive, in that it does not exclude authenticated users, so that wouldn't work for you.  What is wrong with the deny rule you have now?  From what you say, it is working for you.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to controlair)
Post #: 6
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 1:42:33 AM
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

2. Is there somewhere I could configure my ISA to deny *ALL* anonymous requests, so I don't have to worry about which rule those requests got denied at?

oops... missed that Q.

In my case I must have anonymous allow rules so it would not work for me, but if you don't need anonymous rules, you can select "all users must authenticate" on the network rule.  That would basically stop all anonymous rule processing.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to LLigetfa)
Post #: 7
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 7:04:05 AM
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You raise an interesting point...

"Is there somewhere I could configure my ISA to deny *ALL* anonymous request..."

I 'think' this would have the unexpected result of denying all traffic, at least from a Web Proxy perspective. Since, as you mentioned, all initial requests from IE are anonymous by default, I think ISA would deny all Web Proxy attempts even before sending them the Proxy Auth required challenge - the initial request is anonymous so ISA says 'OK - it matches this rule - hope my admin knows what he's doing'. Sorry for the sarcasm...

I don't have my ISA server in front of me, but I think this is what would happen.

(in reply to LLigetfa)
Post #: 8
RE: Why would anonymous request got denied by this rule? - 21.Jan.2006 3:07:24 PM
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
OK, now I think Clint is splitting hairs...
There is authentication of the client AND there are anonymous requests.  Even authenticated clients make anonymous requests; that is a given.  Forcing authentication on the network rule (which I don't do), IIRC, excludes S-NAT clients.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to ClintD)
Post #: 9
RE: Why would anonymous request got denied by this rule? - 23.Jan.2006 5:06:01 PM
controlair

 

Posts: 46
Joined: 1.Aug.2005
Status: offline
This rule that I created does not have a problem doing what I want it to do; I just didn't understand why all anonymous requests got logged here instead of at the Last Default Rule.  But now I got it.

LLigetfa, ClintD, thank you both for the help. I can see that an "authenticated denial rule" isn't really the standard way to configure a proxy. I guess the best way is to delete this rule and work on my filtering options, so I can get the same information I want (regarding how many users who aren't supposed to have Internet access are trying to access it) from the log of the Last Default Rule.

Sounds like a good plan?

(in reply to LLigetfa)
Post #: 10
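
A simplified model of the rule processing discussed in this thread, added here as an example; it is not part of any post and is not ISA Server code. It shows why a request without credentials is logged as denied at the first rule that needs a user identity, and how to filter the log so only real group members remain. The allow rule, the `inet_Access` group, the user names and the URLs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALL_USERS = "All Users"  # user set that also matches anonymous requests

@dataclass
class Rule:
    name: str
    action: str      # "Allow" or "Deny"
    user_set: str    # ALL_USERS or a group name

@dataclass
class Request:
    url: str
    user: Optional[str] = None       # None = no credentials sent ("anonymous")
    groups: frozenset = frozenset()

def evaluate(rules, req):
    """Return (action, rule_name, logged_user); rules are checked in order."""
    for rule in rules:
        if rule.user_set == ALL_USERS:
            return rule.action, rule.name, req.user or "anonymous"
        if req.user is None:
            # Group membership cannot be checked without credentials, so the
            # request is denied here (the proxy asks for authentication) and
            # logged against this rule, whatever the rule's own action is.
            return "Deny", rule.name, "anonymous"
        if rule.user_set in req.groups:
            return rule.action, rule.name, req.user
    return "Deny", "Last Default Rule", req.user or "anonymous"

def denied_members(log, rule_name):
    """Log filter: denials at rule_name that belong to identified users."""
    return [(user, url) for action, rule, user, url in log
            if action == "Deny" and rule == rule_name and user != "anonymous"]

NO_ACCESS_RULE = "Deny request from inet_NoAccess users"
POLICY = [
    Rule(NO_ACCESS_RULE, "Deny", "inet_NoAccess"),
    Rule("Allow web for inet_Access users", "Allow", "inet_Access"),  # hypothetical
]
# Constructed traffic: each browser first sends an anonymous request,
# then repeats it with credentials.
TRAFFIC = [
    Request("http://example.com/"),
    Request("http://example.com/", "alice", frozenset({"inet_Access"})),
    Request("http://example.org/"),
    Request("http://example.org/", "bob", frozenset({"inet_NoAccess"})),
]

def run(policy=POLICY, traffic=TRAFFIC):
    return [evaluate(policy, r) + (r.url,) for r in traffic]
```

Putting a rule that applies to `ALL_USERS` ahead of the group-based rules makes anonymous requests match there first, which is the ordering advice given in post #2.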
