Deny by ip (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Access Policies


rglauser -> Deny by ip (9.Jun.2006 6:05:05 AM)

In my ISA 2000 server I control access to the internet with a combination of local user accounts on the ISA server and access-denied lists of IP addresses for the machines that I do not want to access the internet. We are now migrating to ISA 2004. I have created the user accounts and wherever possible have used membership in Active Directory security groups to control access to the internet. This has been working well for months. Now management wants to control access by IP as well.
I created the computer sets that contained single IPs and IP ranges. I then added them to certain specific access rules as exceptions. At first it seemed to work. If you had a user account and a valid IP you could gain access to the internet via that access rule. After an hour or so more and more users could not access the internet, including users in subnets that were not covered by the exception sets. Users whose access to the internet was controlled by security group or local account only could no longer connect to the internet. It got to the point that the server would not even respond to a ping unless you had a valid IP address from the network segments that were part of the exception sets. I finally had to remove these exception sets and reboot the server to return access to all authorized users.
My question is why did an exception set on a specific access rule cause such an access problem?

LLigetfa -> RE: Deny by ip (9.Jun.2006 3:13:43 PM)

Something weird there...

From what I know of exceptions, they do not deny but rather defer to the next rule. If you want to deny, you need either a deny rule or no match on any allow rules so the default rule can deny.

Don't forget about rule ordering... very important.
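The first-match behaviour described in this reply, as an added example that is not from the thread or from Microsoft: a small Python model of an ordered ISA-style rule list, where a computer-set exception removes an address from a rule's sources so the rule simply does not match and evaluation continues, while a deny rule placed before the allow rule actually blocks. The policy, networks and user names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    sources: List[str]               # networks the rule applies to
    exceptions: List[str] = field(default_factory=list)  # computer-set exceptions
    users: Optional[Set[str]] = None  # None means all users

    def matches(self, src: str, user: str) -> bool:
        addr = ip_address(src)
        if not any(addr in ip_network(n) for n in self.sources):
            return False
        # An exception only excludes the address from this rule's sources:
        # the rule does not match and the next rule is consulted (no deny here).
        if any(addr in ip_network(n) for n in self.exceptions):
            return False
        return self.users is None or user in self.users

def evaluate(rules: List[Rule], src: str, user: str) -> Tuple[str, str]:
    """Walk the ordered list; first matching rule wins; the default rule denies."""
    for rule in rules:
        if rule.matches(src, user):
            return rule.action, rule.name
    return "deny", "Default rule"

# Constructed policy: one internal network, one allow rule gated by a group.
INTERNAL = ["10.0.0.0/8"]
STAFF = {"alice", "bob"}

def policy_with_exception() -> List[Rule]:
    # Blocked hosts added as an exception on the allow rule (the thread's approach):
    # they fall through to the default rule, so everyone in that set is denied.
    return [Rule("Allow web for staff", "allow", INTERNAL,
                 exceptions=["10.0.5.0/24"], users=STAFF)]

def policy_with_deny_rule() -> List[Rule]:
    # Explicit deny rule for the blocked hosts, ordered before the allow rule.
    return [Rule("Block these hosts", "deny", ["10.0.5.0/24"]),
            Rule("Allow web for staff", "allow", INTERNAL, users=STAFF)]

if __name__ == "__main__":
    for build in (policy_with_exception, policy_with_deny_rule):
        print(build.__name__, evaluate(build(), "10.0.5.7", "alice"),
              evaluate(build(), "10.0.9.3", "alice"))
```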

rglauser -> RE: Deny by ip (12.Jun.2006 7:31:35 PM)

The reason that I went with this approach is that in testing, if I added my computer's IP address or a range of IP addresses as an exception to the "traffic from these sources" window of the access rule that applied to me, I was denied access. Now granted, this was the first of several access rules. There are several more rules that restrict access to certain protocols and sites. It was when I applied the computer sets to access rules further down the stack that the problems began.
