Welcome to ISAserver.org

Firewall Policy - External Access - 29.Dec.2006 4:20:16 PM   
SteveCDN
Posts: 11
Joined: 2.Mar.2005

I've got a firewall policy that restricts access to Windows Update for my SMS server. I've created a domain name set and added the domain, windowsupdates.com, but for some reason I've also got to add a computer set with the domain server's IP address range; otherwise, with just the domain name set, access is denied. When I monitor the traffic, I see that in the URL field it's trying to go to the IP address (http://64.212.100.69-100), and I need to add that as a computer set before the rule allows access to the site.

I thought that the domain name set should be enough to access the site. Having to maintain the IP addresses (as they probably change periodically as servers are added/removed) is a hassle.

Any idea on how I can fix this so that having only the domain name set will allow access?

Thanks.
Post #: 1
RE: Firewall Policy - External Access - 2.Jan.2007 11:40:03 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas

Hi Steve,

That's correct. Only the domain name set is required.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveCDN)
Post #: 2
RE: Firewall Policy - External Access - 2.Jan.2007 11:53:49 AM   
aklimkin
Posts: 182
Joined: 28.Jun.2006

Configure your clients to be Web Proxy or Firewall clients to your ISA server. Also deny SNAT clients web browsing.
You're experiencing this issue because SNAT clients resolve FQDNs to the particular IP addresses *before* their requests even reach the ISA server, so it is unaware of the requested FQDN and cannot apply the appropriate firewall policy.

_____________________________

Regards,
Andrew

(in reply to SteveCDN)
Post #: 3
RE: Firewall Policy - External Access - 2.Jan.2007 12:12:21 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium

Hi Steve,

the sites you have to allow access to are defined in MSKB article http://support.microsoft.com/kb/885819/. As Tom said, a domain name set should do the trick *if* the clients are configured as Web Proxy clients.

If you try Windows Update as a SecureNAT client it won't work that well because at some point an SSL connection is set up. This request is obviously made by IP address. As a result, ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. Yet this will not succeed because *no* proper reverse DNS entries exist for the Windows Update sites.

HTH,
Stefaan

(in reply to tshinder)
Post #: 4
RE: Firewall Policy - External Access - 13.Jan.2007 12:55:22 PM   
SteveCDN
Posts: 11
Joined: 2.Mar.2005

If by web proxy you mean configure IE via Tools, Internet Options, Connections, LAN Settings, Use a proxy server for your LAN, and point it to ISA, I have done that. I have also installed the ISA client on each workstation, but for some websites I still need to grant access to the domain name as well as the IP address of the server. Without the IP address, users cannot get to the website, because we've restricted all sites but those that we give access to. I thought that ISA's capability should be that all I need to do is provide the domain name. There must be a config setting that I'm missing.

(in reply to SteveCDN)
Post #: 5
RE: Firewall Policy - External Access - 13.Jan.2007 2:12:30 PM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium

Hi Steve,

I highly recommend you use automatic configuration for the Web and Firewall client. For more info, check out my article Understanding the Web Proxy and Firewall Client Automatic Configuration. Also, my blog post Solving the "Directly access these servers or domains" issue in ISA Server 2004 SP2 could be useful to get the whole picture.

If you have to add IP addresses, then that means to me that the client sends the requests by IP address instead of by FQDN. This occurs if the destination is on the direct access list or if the destination is specified as an IP address instead of an FQDN (e.g. http://192.168.1.1).

Now, whenever ISA gets an IP address that must be matched to a Domain Name or URL set, ISA has to perform a reverse DNS lookup. Thus the outcome of this reverse DNS lookup will determine whether a match can be found or not. For more info, check out my article Understanding the ISA 2004 Access Rule Processing.

HTH,
Stefaan

(in reply to SteveCDN)
Post #: 6
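The mechanism Andrew (post #3) and Stefaan (posts #4 and #6) describe, modelled as an added Python example that is not ISA Server code: a Web Proxy client hands ISA the host name inside the request (GET http://host/... or CONNECT host:443), whereas for a SecureNAT client, for a proxy client that bypasses the proxy through its direct-access list, or for a URL typed as an IP literal, ISA receives only the destination address and must reverse-resolve it before a Domain Name Set can match. The DNS tables, the 64.212.100.x and 203.0.113.x addresses, the /26 range, the pattern list and the rule names are constructed for the illustration; the model keeps only domain name sets and computer sets, with first match wins and a default deny.

```python
"""
Model of ISA 2004 access-rule matching against a Domain Name Set for a
Web Proxy client versus a SecureNAT client.  Added illustration, not ISA
code: the DNS tables, addresses, network ranges and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed resolver tables.  The update hosts have A records but deliberately
# NO PTR records, which is the situation described in the thread.
FORWARD_DNS = {
    "download.windowsupdate.com": "64.212.100.69",   # constructed address
    "www.update.microsoft.com": "64.212.100.75",     # constructed address
    "www.example.org": "203.0.113.10",
}
REVERSE_DNS = {
    "203.0.113.10": "www.example.org",   # this host does have a PTR record
}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def forward_lookup(host: str) -> str:
    """What the client's own resolver returns before a packet leaves the host."""
    return host if is_ip_literal(host) else FORWARD_DNS[host]


def reverse_lookup(ip: str) -> Optional[str]:
    """The PTR lookup ISA falls back on when a request carries only an address."""
    return REVERSE_DNS.get(ip)


def domain_matches(fqdn: str, pattern: str) -> bool:
    """Domain Name Set entry: an exact name, or '*.example.com' for any subdomain."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])        # requires the leading dot
    return fqdn == pattern


@dataclass(frozen=True)
class Request:
    """What reaches ISA: always a destination IP; a name only when the
    Web Proxy request itself carried one."""
    dst_ip: str
    fqdn: Optional[str] = None


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                            # "allow" or "deny"
    domain_name_set: Tuple[str, ...] = ()  # FQDN patterns
    computer_set: Tuple[str, ...] = ()     # CIDR networks


def what_isa_sees(client_type: str, url_host: str,
                  direct_access: Tuple[str, ...] = ()) -> Request:
    """client_type is 'webproxy' or 'securenat'.  A proxy client forwards the URL
    with its host name intact unless the host is on the browser's direct-access
    list (then the browser resolves it and connects directly) or is an IP literal."""
    dst_ip = forward_lookup(url_host)
    if client_type == "webproxy" and not is_ip_literal(url_host) \
            and not any(domain_matches(url_host, p) for p in direct_access):
        return Request(dst_ip, fqdn=url_host)
    return Request(dst_ip)          # only the already-resolved address arrives


def evaluate(rules: List[AccessRule], req: Request) -> Tuple[str, str, str]:
    """First matching rule wins; anything unmatched hits the default deny rule."""
    name = req.fqdn or reverse_lookup(req.dst_ip)   # reverse DNS only if no name came in
    ip = ipaddress.ip_address(req.dst_ip)
    for rule in rules:
        if name and any(domain_matches(name, p) for p in rule.domain_name_set):
            return rule.action, rule.name, f"domain name set matched {name}"
        if any(ip in ipaddress.ip_network(n) for n in rule.computer_set):
            return rule.action, rule.name, f"computer set matched {ip}"
    why = (f"no name in request and no PTR record for {req.dst_ip}" if name is None
           else f"{name} is in no rule's destination sets")
    return "deny", "Default rule", why


UPDATE_SITES = ("*.windowsupdate.com", "*.update.microsoft.com")   # constructed pattern list
BY_NAME_ONLY = [AccessRule("Allow Windows Update", "allow", domain_name_set=UPDATE_SITES)]
NAME_PLUS_IPS = [AccessRule("Allow Windows Update", "allow", domain_name_set=UPDATE_SITES,
                            computer_set=("64.212.100.64/26",))]  # constructed range


def scenarios() -> dict:
    host = "download.windowsupdate.com"
    return {
        "webproxy_by_name": evaluate(BY_NAME_ONLY, what_isa_sees("webproxy", host)),
        "securenat_by_name": evaluate(BY_NAME_ONLY, what_isa_sees("securenat", host)),
        "securenat_with_computer_set": evaluate(NAME_PLUS_IPS, what_isa_sees("securenat", host)),
        "securenat_host_with_ptr": evaluate(
            [AccessRule("Allow example.org", "allow", domain_name_set=("www.example.org",))],
            what_isa_sees("securenat", "www.example.org")),
        "webproxy_direct_access": evaluate(
            BY_NAME_ONLY, what_isa_sees("webproxy", host, direct_access=("*.windowsupdate.com",))),
        "webproxy_ip_literal": evaluate(BY_NAME_ONLY, what_isa_sees("webproxy", "64.212.100.69")),
    }


if __name__ == "__main__":
    for label, (action, rule, why) in scenarios().items():
        print(f"{label:28} {action:5} [{rule}] {why}")
```

Running it, the by-name rule allows the proxy request but denies the identical SecureNAT request (no name, no PTR), which is exactly the point where a computer set with the address range had to be added in this thread; the direct-access and IP-literal cases fail the same way even for a Web Proxy client, and the www.example.org case shows that reverse resolution does rescue an address-only request when a PTR record exists.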