Posts: 14
Joined: 20.Dec.2002
From: Australia
Status: offline
Hi All
I am very confused with how ISA firewall policy works. I have ISA 2004 installed on a W2k3 member server of my domain. I configured a firewall policy to allow HTTP, PING and PPTP access for a group of users called "Programmers". HTTP access works fine, but I cannot get PING and PPTP working. I checked the log and found they were denied by the exact rule I created. However, if I change the User to "All Users", it works straight away. Any ideas why this would be?
BTW, I tried on machines with and without the Firewall Client, all the same.
Hi Y0sh
Thanks for the reply. Yes, I had configured my System Policy to allow Active Directory authentication. The weird thing is, I can only have the All Users rule; as soon as I try to put a rule in front of the All Users rule which only applies to Programmers, both the All Users rule and the Programmers rule stop working, thus blocking PING and PPTP for everyone in AD. HELP!
[ September 16, 2004, 10:52 AM: Message edited by: Kun ]
Hmm... I don't know... maybe you should try this: make the "first rule" a block rule for the protocols PING and PPTP for all users, with the exception of "Programmers" and "admins" (on the Users tab, exception list). Good luck!
Hi Y0sh
Will try that and let you know how I went. Just tried doing the same thing on another ISA 2004 server in a different domain; the same thing happened. Wondering whether anyone has managed to get firewall rules working based on AD users.
Hi Y0sh
Just tried what you had suggested, still no go. Found something interesting though. In logging, when users in the Programmers group make a web request, their user name actually shows up together with the IP address. However, when they PING, their user name doesn't show up in the logs, only their IP does, and the result was denied access. I have the Firewall Client installed and enabled on all the PCs, but it looks like it is not passing the user info through when making a PING request.....
Hi, I think you cannot have authenticated PING and PPTP sessions because the Firewall Client (used for authentication) works only on the TCP and UDP protocols (AFAIK), while PING uses ICMP and PPTP uses TCP and GRE. This explains why you see authenticated web sessions and anonymous (IP only) PING sessions ...
Bingo! That is correct. The GRE protocol required by PPTP isn't mediated by the Firewall client, so you must use the SecureNAT client config, and that doesn't allow user/group authentication. You can enforce authentication by using L2TP/IPSec for VPN connections.
Also, to answer another question in this thread, System Policy has NO effect on internal clients. When the ISA firewall is a member of the domain, then System Policy is automatically configured to allow communications with domain controllers.
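To make the diagnosis above concrete, here is a small Python policy lint (an added example, not code from this thread or from ISA Server): the rule and log formats are simplified stand-ins, and it flags any user-restricted rule whose protocols ride on ICMP or GRE, then picks the anonymous denials out of constructed log lines.

```python
# Added example, not from this thread: lint ISA 2004-style access rules for
# user restrictions the Firewall Client cannot honour, then scan constructed
# log lines for the anonymous denials that result. Rule and log layouts are
# simplified stand-ins, not ISA's rule export or its W3C log format.

# Transport(s) each protocol definition rides on; PPTP is TCP 1723 plus GRE.
PROTOCOL_TRANSPORTS = {"HTTP": {"TCP"}, "PING": {"ICMP"}, "PPTP": {"TCP", "GRE"}}

# Only TCP and UDP are mediated by the Firewall Client, so only those sessions
# carry a user name to a user-restricted rule; ICMP and GRE arrive anonymous.
AUTHENTICATABLE = {"TCP", "UDP"}


def unenforceable_protocols(rule):
    """Protocols of a user-restricted rule that can never match an
    authenticated session, so members of the user set are denied anyway."""
    if rule["users"] == "All Users":
        return []
    return sorted(p for p in rule["protocols"]
                  if not PROTOCOL_TRANSPORTS[p] <= AUTHENTICATABLE)


def lint_policy(rules):
    """Map each rule name to the protocols it cannot enforce per user."""
    return {r["name"]: unenforceable_protocols(r) for r in rules}


def anonymous_denials(log_lines):
    """Denied sessions with no user name: the ISA-log symptom in the thread,
    where a Programmer's PING shows only the client IP and is denied."""
    hits = []
    for line in log_lines:
        client_ip, user, transport, rule, result = line.split()
        if result == "Denied" and user == "anonymous":
            hits.append((client_ip, transport, rule))
    return hits


# Constructed policies: the thread's original rule, and a split that restricts
# users only where the client can actually supply an identity.
BROKEN = [{"name": "Programmers", "users": "Programmers",
           "protocols": ["HTTP", "PING", "PPTP"]}]
FIXED = [{"name": "Programmers-Web", "users": "Programmers", "protocols": ["HTTP"]},
         {"name": "Ping-PPTP-All", "users": "All Users", "protocols": ["PING", "PPTP"]}]

# Constructed log lines, fields: client_ip user transport rule result
SAMPLE_LOG = ["10.1.1.20 kun TCP Programmers Allowed",
              "10.1.1.20 anonymous ICMP Programmers Denied",
              "10.1.1.20 anonymous GRE Programmers Denied"]
```

Running `lint_policy(BROKEN)` reports PING and PPTP as unenforceable for the Programmers rule, while the split policy reports nothing; `anonymous_denials(SAMPLE_LOG)` returns the two IP-only denials.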