Welcome to ISAserver.org


Deny by ip

All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Deny by ip

Deny by ip - 9.Jun.2006 6:05:05 AM   
rglauser
Posts: 102
Joined: 25.Feb.2002
From: Toledo, Ohio
In my ISA 2000 server I control access to the internet with a combination of local user accounts on the ISA server and access denied lists of ip addresses for the machines that I do not want to access the internet. We are now migrating to ISA 2004. I have created the user accounts and where ever possible have used membership in active directory security groups to control access to the internet. This has been working well for months. Now management wants to control access by ip as well.
 
I created the computer sets that contained single ips and ip ranges. I then added them to certain specific access rules as exceptions. At first it seemed to work. If you had a user account and a valid ip you could gain access to the internet via that access rule. After an hour or so more and more users could not access the internet; including users in subnets that were not covered by the exception sets. Users whose access to the internet was controlled by security group or local account only could no longer connect to the internet. It got to the point that the server would not even respond to a ping unless you had a valid ip address from the network segments that were part the exception sets. I finally had to remove these exceptions sets and reboot the server to return access to all authorized users.
 
My question is why did an exception set on a specific access rule cause such an access problem?
 
Post #: 1
RE: Deny by ip - 9.Jun.2006 3:13:43 PM   
LLigetfa
Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Something weird there...

From what I know of exceptions, they do not deny but rather defer to the next rule.  If you want to deny, you need either a deny rule or no match on any allow rules so the default rule can deny.

Don't forget about rule ordering... very important.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to rglauser)
Post #: 2
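LLigetfa's point that an exception does not deny but only defers to the next rule can be shown with a small model of ordered, first-match rule evaluation. This is an added example, not code from the thread or from ISA Server itself; the rule names, the 10.0.0.0/8 internal range, the blocked computer set and the user names are constructed for illustration, and the model only looks at source address and user, not protocols, destinations or schedules.

```python
# Toy model of ISA Server 2004 style access-policy evaluation (added example, not
# code from the thread): rules are checked top to bottom, the first rule whose
# conditions all match decides, and the built-in "Default rule" denies the rest.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    sources: list                                    # networks the rule applies to
    exceptions: list = field(default_factory=list)   # sources carved out of "sources"
    users: Optional[set] = None                      # None means "All Users"

    def matches(self, src: IPv4Address, user: Optional[str]) -> bool:
        # An exception never denies: it only stops THIS rule from matching,
        # so evaluation simply continues with the next rule in the list.
        if any(src in net for net in self.exceptions):
            return False
        if not any(src in net for net in self.sources):
            return False
        if self.users is not None and user not in self.users:
            return False
        return True


def evaluate(rules, src, user=None):
    """Return (action, rule_name) for the first matching rule, else the default deny."""
    addr = ip_address(src)
    for rule in rules:
        if rule.matches(addr, user):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed data: an internal range, a "computer set" of machines to block,
# and a group of users who are allowed full Internet access.
INTERNAL = [ip_network("10.0.0.0/8")]
BLOCKED_SET = [ip_network("10.1.5.0/24"), ip_network("10.2.0.17/32")]
INTERNET_USERS = {"alice", "bob"}

# Approach 1 (as described in the thread): the blocked machines are added as
# exceptions on an allow rule. A later, broader allow rule still matches them.
EXCEPTION_POLICY = [
    Rule("Internet for Internet Users", "allow", INTERNAL, BLOCKED_SET, INTERNET_USERS),
    Rule("Limited web for everyone", "allow", INTERNAL),
]

# Approach 2: an explicit deny rule placed above the allow rules.
DENY_POLICY = [
    Rule("Block listed machines", "deny", BLOCKED_SET),
    Rule("Internet for Internet Users", "allow", INTERNAL, users=INTERNET_USERS),
    Rule("Limited web for everyone", "allow", INTERNAL),
]

if __name__ == "__main__":
    for label, policy in (("exception policy", EXCEPTION_POLICY), ("deny-rule policy", DENY_POLICY)):
        for src, user in (("10.1.5.20", "alice"), ("10.3.0.9", "alice"), ("10.3.0.9", "carol")):
            print(f"{label}: {src} as {user} -> {evaluate(policy, src, user)}")
```

Under the exception policy the blocked host 10.1.5.20 is skipped by the first rule but allowed by the second, so the exception has no blocking effect at all. It is denied only when the exception is the last allow rule that could have matched (so the Default rule catches it), or when a deny rule sits above the allow rules, which is why rule ordering matters as much as the rule contents.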
RE: Deny by ip - 12.Jun.2006 7:31:35 PM   
rglauser
Posts: 102
Joined: 25.Feb.2002
From: Toledo, Ohio
The reason that I went with this approach is that in testing, if I added my computer ip address or a range of ip addresses as an exception to the "traffic from these sources" window of the access rule that applied to me, I was denied access. Now granted, this was the first of several access rules. There are several more rules that restrict access to certain protocols and sites. It was when I applied the computer sets to access rules further down the stack that the problems began.  

(in reply to LLigetfa)
Post #: 3
