Firewall Policy - External Access (Full Version)

All Forums >> [ISA Server 2004 General ] >> General


SteveCDN -> Firewall Policy - External Access (29.Dec.2006 4:20:16 PM)

I've got a firewall policy that restricts access for access to windows updates for my SMS server.  I've created a domain name set and added the domain,, but for some reason, I've also got to add a computer set with the domain server's IP address range otherwise with just the domain name set, access is denied.  When monitor the traffic, I see that in the URL field, it's trying to go to the IP address ( and I need to add that as a computer set before the rule allows access to the site.

I thought that the domain name set should be enough to access the site.  Having to maintain the IP addresses (as they probably change periodically as servers are added/removed) is hassle.

Any idea on how I can fix this so that only having the domain name set should allow access?


tshinder -> RE: Firewall Policy - External Access (2.Jan.2007 11:40:03 AM)

Hi Steve,

That's correct. Only the domain name set is required.


aklimkin -> RE: Firewall Policy - External Access (2.Jan.2007 11:53:49 AM)

Configure your clients to be web proxy or firewall clients to your ISA server. Also deny snat clients web browsing.
You're experiencing that issues because snat clients resolve FQDNs to the particular IP addresses *before* their requests even reach  the ISA server, so it is unaware of the  requested FQDN and could not apply appropriate firewall policy.

spouseele -> RE: Firewall Policy - External Access (2.Jan.2007 12:12:21 PM)

Hi Steve,

the sites you have to allow access to are defined in MSKB article As Tom said, a domain name set should do the trick *if* the clients are configured as Web Proxy clients.

If you try Windows Update as a SecureNAT client it won't work that well because at some point an SSL connection is setted up. This request is obviously made by IP address. As a result, ISA must perform a reverse DNS lookup in order to match the request to a Domain Name or URL set. Yet, this will not succeed because *no* proper reverse DNS entries exists for the Windows Update sites. [:(]


SteveCDN -> RE: Firewall Policy - External Access (13.Jan.2007 12:55:22 PM)

If by web proxy you mean, configure IE via tools, internet options, connections, lan settings, use proxy server for LAN and point to ISA, I have done that.  I have also installed the ISA client on each workstation, but for some websites I still need to grant access to the domain name as well as the IP address of the server.  Without the IP address, users cannot get to the website because we've restricted all sites, but those that we give access to.  I thought that ISA's capability should be that all I need to do is provide the domain name.  There must be a config setting that I'm missing..

spouseele -> RE: Firewall Policy - External Access (13.Jan.2007 2:12:30 PM)

Hi Steve,

I highly recommend you use automatic configuration for the Web and Firewall client. For more info, check out my article Understanding the Web Proxy and Firewall Client Automatic Configuration. Also, my blog Solving the "Directly access these servers or domains" issue in ISA Server 2004 SP2 could be useful to get the whole picture.

If you have to add IP addresses than that means to me that the client send the requests by IP address instead of by FQDN. This occures if the the destination is on the direct access list or if the destination is specified as an IP address instead of an FQDN (i.e.

Now, whenever ISA gets an IP address that must be matched to a Domain Name or an URL set than ISA has to perform a reverse DNS lookup. Thus the outcome of this reverse DNS lookup will determine if a match can be found or not. For more info, check out my article Understanding the ISA 2004 Access Rule Processing.


Page: [1]