Welcome to ISAserver.org


Confused with ISA 2004 firewall policies

Confused with ISA 2004 firewall policies - 15.Sep.2004 11:56:00 AM   
Kun

 

Posts: 14
Joined: 20.Dec.2002
From: Australia
Status: offline
Hi All

I am very confused with how ISA firewall policy works. I have ISA 2004 installed on a W2k3 member server of my domain. I configured a firewall policy to allow HTTP, PING and PPTP access for a group of users called "Programmers". HTTP access works fine, but I cannot get PING and PPTP working. I checked the log and found they were denied by the exact rule I created. However, if I change the User to "All Users", it works straight away. Any ideas of why this would be??

BTW, I tried on machines with and without the Firewall client, all the same.

Greatly appreciate any reply..
Post #: 1
RE: Confused with ISA 2004 firewall policies - 15.Sep.2004 7:12:00 PM   
y0sh1

 

Posts: 25
Joined: 14.Sep.2004
Status: offline
Did you config your System Policy?
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/systempolicy.mspx

(in reply to Kun)
Post #: 2
RE: Confused with ISA 2004 firewall policies - 16.Sep.2004 10:27:00 AM   
Kun

 

Posts: 14
Joined: 20.Dec.2002
From: Australia
Status: offline
Hi Y0sh

Thanks for the reply. Yes, I had configured my System Policy to allow Active Directory authentication. The weird thing is, I can only have the All Users rule; as soon as I try to put a rule in front of the All Users rule which only applies to Programmers, both the All Users rule and the Programmers rule stop working, thus blocking PING and PPTP for everyone in AD. HELP!

[ September 16, 2004, 10:52 AM: Message edited by: Kun ]

(in reply to Kun)
Post #: 3
RE: Confused with ISA 2004 firewall policies - 16.Sep.2004 12:05:00 PM   
y0sh1

 

Posts: 25
Joined: 14.Sep.2004
Status: offline
Hmm... I don't know... maybe you should try this:
Try a "first rule" that is a block rule for the protocols ping and pptp for all users, with the exceptions "Programmers" and "admins" (on the Users tab, exception list). Good luck!

[ September 16, 2004, 12:06 PM: Message edited by: y0sh1 ]

(in reply to Kun)
Post #: 4
RE: Confused with ISA 2004 firewall policies - 16.Sep.2004 1:59:00 PM   
Kun

 

Posts: 14
Joined: 20.Dec.2002
From: Australia
Status: offline
Hi Y0sh

Will try that and let you know how I went. Just tried doing the same thing on another ISA 2004 server in a different domain; the same thing happened. Wondering whether anyone has managed to get firewall rules working based on AD users.

(in reply to Kun)
Post #: 5
RE: Confused with ISA 2004 firewall policies - 16.Sep.2004 2:28:00 PM   
Kun

 

Posts: 14
Joined: 20.Dec.2002
From: Australia
Status: offline
Hi Y0sh

Just tried what you had suggested, still no go. Found something interesting though. In logging, when users in the Programmers group make a web request, their user name actually shows up together with the IP address. However, when they PING, their user name doesn't show up in the logs, only their IP does, and the result was denied access. I have the firewall client installed and enabled on all the PCs, but it looks like it is not passing the user info through when making a PING request.....

(in reply to Kun)
Post #: 6
RE: Confused with ISA 2004 firewall policies - 17.Sep.2004 10:44:00 AM   
Carlo.Olivieri

 

Posts: 6
Joined: 10.Sep.2004
Status: offline
Hi
I think you cannot have authenticated ping and PPTP sessions because the Firewall Client (used for authentication) works only on the TCP and UDP protocols (AFAIK), while ping uses ICMP and PPTP uses TCP and GRE.
This explains why you see authenticated web sessions and anonymous (IP only) ping sessions ...

Carlo

(in reply to Kun)
Post #: 7
RE: Confused with ISA 2004 firewall policies - 17.Sep.2004 1:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Carlo,

Bingo! That is correct. The GRE protocol required by PPTP isn't mediated by the Firewall client, so you must use the SecureNAT client config, and that doesn't allow user/group authentication. You can enforce authentication by using L2TP/IPSec for VPN connections.

Also, to answer another question in this thread, System Policy has NO effect on internal clients. When the ISA firewall is a member of the domain, then System Policy is automatically configured to allow communications with domain controllers.

HTH,
Tom

(in reply to Kun)
Post #: 8
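To make the explanation in Carlo's and Tom's replies concrete, here is a small Python model of the behaviour described in this thread. It is an added illustration, not code from any poster and not ISA Server's own policy engine. It assumes, as the replies state, that the Firewall Client mediates only TCP and UDP, so ICMP (ping) and GRE (PPTP) leave the PC as SecureNAT traffic with no user identity attached. The rule-walking logic is an assumption reconstructed from Kun's observations (a user-restricted rule that an anonymous request reaches denies it "by that rule"); the group names, IP addresses and log layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_USERS = "All Users"

# Assumption taken from Carlo's and Tom's replies: the Firewall Client only
# mediates TCP and UDP. Any other transport leaves the PC as SecureNAT
# traffic, which carries no user identity to the ISA firewall.
FIREWALL_CLIENT_TRANSPORTS = frozenset({"TCP", "UDP"})

# Constructed table of the protocols discussed in the thread and the
# transports each one needs.
PROTOCOLS = {
    "HTTP": frozenset({"TCP"}),
    "PING": frozenset({"ICMP"}),
    "PPTP": frozenset({"TCP", "GRE"}),
}


@dataclass(frozen=True)
class Request:
    protocol: str
    src_ip: str
    logged_on_user: str      # account logged on at the client PC
    groups: frozenset        # that account's AD group memberships


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    protocols: frozenset
    users: frozenset         # group names, or {ALL_USERS}
    exceptions: frozenset = frozenset()   # groups excluded on the Users tab


def identity_seen_by_isa(req: Request) -> Optional[str]:
    """User name ISA can attach to the request, or None if it arrives anonymously."""
    if PROTOCOLS[req.protocol] <= FIREWALL_CLIENT_TRANSPORTS:
        return req.logged_on_user
    return None


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str, str]:
    """Return (action, matching rule name, user as it would appear in the log).

    Rule-processing model (an assumption reconstructed from the thread, not
    from ISA documentation): rules are walked in order and the first one
    whose protocol matches is applied. A rule limited to specific groups, or
    carrying group exceptions, needs a user identity to evaluate; an
    anonymous request that reaches such a rule is denied by that rule
    (Kun's log showed exactly this) instead of being skipped.
    """
    user = identity_seen_by_isa(req)
    for rule in rules:
        if req.protocol not in rule.protocols:
            continue
        needs_identity = ALL_USERS not in rule.users or bool(rule.exceptions)
        if needs_identity and user is None:
            return ("deny", rule.name, "")      # authentication required, none available
        if ALL_USERS not in rule.users and not (req.groups & rule.users):
            continue                            # authenticated, but outside the rule's scope
        if req.groups & rule.exceptions:
            continue                            # explicitly excepted from this rule
        return (rule.action, rule.name, user or "")
    return ("deny", "Default rule", user or "")


def log_line(req: Request, result: Tuple[str, str, str]) -> str:
    """Constructed log row in the spirit of Kun's description: the user column
    is filled for Firewall Client traffic and blank for SecureNAT traffic."""
    action, rule, user = result
    return f"{req.src_ip:<12} {user or '-':<14} {req.protocol:<5} {action:<5} {rule}"


def thread_scenarios():
    """The configurations tried in the thread, with constructed names and IPs."""
    everything = frozenset({"HTTP", "PING", "PPTP"})
    programmers_rule = Rule("Programmers access", "allow", everything,
                            frozenset({"Programmers"}))
    all_users_rule = Rule("Everyone access", "allow", everything,
                          frozenset({ALL_USERS}))
    block_except = Rule("Block PING/PPTP except Programmers", "deny",
                        frozenset({"PING", "PPTP"}), frozenset({ALL_USERS}),
                        exceptions=frozenset({"Programmers"}))

    def kun(proto):    # a member of Programmers
        return Request(proto, "10.0.0.15", "EXAMPLE\\kun", frozenset({"Programmers"}))

    def other(proto):  # an ordinary domain user
        return Request(proto, "10.0.0.99", "EXAMPLE\\guest", frozenset({"Domain Users"}))

    return [
        # Post #1: HTTP works for Programmers, PING/PPTP are denied by that very rule
        ("http_programmer", [programmers_rule], kun("HTTP")),
        ("ping_programmer", [programmers_rule], kun("PING")),
        ("pptp_programmer", [programmers_rule], kun("PPTP")),
        # Post #1: switching the rule to All Users makes PING work at once
        ("ping_all_users", [all_users_rule], kun("PING")),
        # Post #3: Programmers rule ahead of the All Users rule breaks PING for everyone
        ("ping_ordered_other", [programmers_rule, all_users_rule], other("PING")),
        # Posts #4/#6: y0sh1's block-with-exception rule still cannot identify the pinger
        ("ping_block_except", [block_except, all_users_rule], kun("PING")),
    ]


def scenario_results() -> Dict[str, Tuple[str, str, str]]:
    return {name: evaluate(rules, req) for name, rules, req in thread_scenarios()}


if __name__ == "__main__":
    for name, rules, req in thread_scenarios():
        print(f"{name:<20} | {log_line(req, evaluate(rules, req))}")
```

Running the script prints one constructed log row per scenario: the HTTP row carries the user name, while every PING and PPTP row shows only the source IP, and the user-restricted rule (or the block rule with an exception list) is the one that denies it, whatever the rule order. Under this model the only rule that lets PING or PPTP through is one scoped to All Users, which is why Tom points to L2TP/IPsec, where the VPN server authenticates the user itself, for per-user VPN access.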
