From: Syracuse, NY
Hello, I'm having trouble figuring out the Firewall Client. Up to this point, we have not been actively utilizing the Firewall Client. We have a pretty small office, so it's not a huge deal. We're using just SecureNAT, just by default, I believe. We are getting more and more people in our office and I want to start locking down outbound access and access within the network.
My understanding, conceptually, is that the Firewall Client will allow me to both log outbound requests (i.e. web page requests) and also selectively allow or deny protocols on a per user or per group basis. These users or groups can be individual Active Directory users or groups--or can even be a set of users defined within ISA 2004 itself.
I have set up 1 client machine, connected to the Domain (the ISA is also a member of the Domain). On this machine, I have installed the Firewall Client. When I go to "logging" and just do an unfiltered query of live traffic, I can see that my Firewall Client shows my username passed in and all the web requests it is making. All other traffic (from other computers) shows up as either anonymous or nothing at all.
I'm trying to create Firewall Policy rules to mess with my 1 Firewall Client machine to make sure I understand how it works. However, I can't do stuff like deny outgoing HTTP to only "registered users" or a custom user set with my username included. Everything is still acting just as if the Firewall Client was not present.
Eventually, I would like to deny all outbound traffic to all unauthenticated users and then selectively allow protocols to specified users, conversely selectively denying other protocols to other users.
I know this is a little vague and I'll try to monitor this topic closely so that hopefully as you experts ask me more questions to drill down, I can answer them in a timely manner. Thanks.
From: fort frances.on.ca
If you go into production with anonymous allow rules, it gets a bit more complicated to experiment on authenticated rules. Because the anonymous rules need to be above the authenticated rules, they can give you access before the rule you are testing. You will need to constrain your anonymous rules so that your test subjects do not qualify yet not so constrained that no further rules are processed. You may want to create computer sets or use IP ranges.
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
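The rule-ordering problem described in the reply above, as an added simulation that is not code from either poster: a first-match evaluation of ISA-2004-style access rules, showing that an anonymous "All Users" allow placed above a user-specific deny is matched first, and that restricting the anonymous rule with a computer set lets the test machine fall through to the authenticated rules. The IP addresses, the username and the rule names are constructed for the example; "All Users" is assumed to match anonymous (SecureNAT) requests while "All Authenticated Users" and named accounts require an identity from the Firewall Client.

```python
from dataclasses import dataclass
from typing import Optional
ALL_USERS = "All Users"                        # built-in set; matches anonymous requests
ALL_AUTHENTICATED = "All Authenticated Users"  # needs an identity from the Firewall Client

@dataclass(frozen=True)
class Request:
    source_ip: str
    protocol: str
    user: Optional[str] = None   # None: SecureNAT client, no username passed

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    protocols: frozenset
    users: frozenset                         # user sets and/or named accounts
    from_ips: Optional[frozenset] = None     # computer set; None means any source

    def matches(self, req: Request) -> bool:
        if req.protocol not in self.protocols:
            return False
        if self.from_ips is not None and req.source_ip not in self.from_ips:
            return False
        if ALL_USERS in self.users:           # anonymous rule: identity not required
            return True
        if req.user is None:                  # anonymous traffic cannot satisfy a user rule
            return False
        return ALL_AUTHENTICATED in self.users or req.user in self.users

def evaluate(policy, req: Request):
    """First match wins; the default rule denies whatever nothing else matched."""
    for rule in policy:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"

TEST_PC, OTHER_PCS = "10.0.0.50", frozenset({"10.0.0.10", "10.0.0.11"})  # constructed
ME = "DOMAIN\\jdoe"                                                        # constructed
HTTP = frozenset({"HTTP"})

# As in the original post: the anonymous allow sits above the deny aimed at the test user.
broken = [Rule("Allow web (anonymous)", "allow", HTTP, frozenset({ALL_USERS})),
          Rule("Deny HTTP for test user", "deny", HTTP, frozenset({ME}))]

# The reply's fix: a computer set that excludes the test machine from the anonymous allow.
fixed = [Rule("Allow web (anonymous)", "allow", HTTP, frozenset({ALL_USERS}), OTHER_PCS),
         Rule("Deny HTTP for test user", "deny", HTTP, frozenset({ME})),
         Rule("Allow HTTP (authenticated)", "allow", HTTP, frozenset({ALL_AUTHENTICATED}))]
```

With `broken`, the test machine's HTTP request is allowed by the anonymous rule before the deny is ever evaluated; with `fixed`, the same request reaches the deny, while a SecureNAT request from the test machine falls to the default deny.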
From: Syracuse, NY
LLigetfa, is an anonymous allow rule a rule which just has "All Users"? Creating computer sets or IP ranges is a good idea too. Is it a good practice to use computer sets / IP ranges for client computers in the production environment? (Although since I am only just now deploying the Firewall Client, I guess I'm past the "ideal case" for the production environment...)