Site to Site Firewall Policy (Full Version)



zoro -> Site to Site Firewall Policy (11.Jun.2008 2:29:38 PM)


I have a few Site to Site firewall rules in place from the central site to branch offices and all works fine. One of the other sites is ISA 2004 Std. as well, while the other sites have third-party HW firewalls.
At the moment, I have firewall rules between sites that have ISA's built-in All Users allowed in both directions to authenticate.
I wanted to restrict this, so I changed from All Users to Domain Users, and then I was not able to do anything, not even ping the other end. Then I added Network and System Services and it was still the same.
It works OK if I put back All Users only.

Can anyone tell me what I am missing here?



paulo.oliveira -> RE: Site to Site Firewall Policy (11.Jun.2008 5:14:06 PM)

Hi Zoro,

I would advise you to leave All Users, because if you set Domain Users, all packets going to your branch office ISA will require authentication. But you can't make the ping command authenticate, nor many others.

PS: check the ISA logs and you will see something like "ISA can't fulfill the request..."

Paulo Oliveira.

zoro -> RE: Site to Site Firewall Policy (12.Jun.2008 9:27:50 AM)


Thanks a lot for your prompt answer. I did look in the ISA log files and Windows log files and was not able to find such an error.
Anyway, this answer was what I was looking for. So, I'll leave it as it is.

Thanks again,


paulo.oliveira -> RE: Site to Site Firewall Policy (12.Jun.2008 10:41:27 AM)


Glad I could help, and thanks for giving us feedback.

