Welcome to ISAserver.org

Lock Down Access Destinations To 1 User
Lock Down Access Destinations To 1 User - 28.Feb.2009 4:25:54 AM   
FlashPan

 

Posts: 30
Joined: 11.Feb.2009
Status: offline
Hello all again
 
Either my mindset is completely whacked out or I am just stupid.
 
I am having difficulty allowing access through the ISA server for 1 AD account.
 
Although I am working on this as a test lab scenario, some users do use this setup, and all authenticated users can access the web, email etc.
 
What I am trying to do is set up logmein on some of the other test lab servers only (as I would actually like to go home on time for a change and work from there). Our hardware firewall blocks RDP from the outside and it would not be easy for me to get that lifted.
 
My setup is as follows - 2006 Ent, 2 Nics.
 
Access rule 1
Protocols - HTTPS, Logmein default TCP port 2002 (manually defined and mirrored in the logmein proxy settings app).
From - Listed servers that will connect to logmein.
To - Listed IPs logmein provides to connect to.
Condition - Single AD user account called "Logmein User" (mirrored in the logmein proxy settings app).
 
Access rule 2
Protocols - HTTP, HTTPS
From - Internal
To - External
Condition - AD group populated with AD user accounts, called "Allow-Web-Access"
 
Now I thought that if the logmein rule is above the web access rule, when the "Logmein User" connects Access rule 1 would kick in before hitting Access rule 2.
 
The account "Logmein User" is not a member of the "Allow-Web-Access" AD group. In this case the "Logmein User" fails to connect.
 
If I place this user into "Allow-Web-Access" then it connects to logmein fine.
 
What I am basically trying to do is lock down the "Logmein User" account to only being able to pass through "Access Rule 1" - mainly to stop someone from using that account to browse the internet etc.
 
Has anyone any thoughts on this please as it is going to become more important in the future as I will be wanting to implement similar scenarios for locking down other accounts?
 
Cheers and thanks for reading.
Post #: 1
RE: Lock Down Access Destinations To 1 User - 28.Feb.2009 11:29:39 AM   
FlashPan

 

Posts: 30
Joined: 11.Feb.2009
Status: offline
SOLVED:
 
Well, after much fiddling around I figured out that if I ditched the logmein IPs (Address Ranges) and used a Domain Name Set instead, and then within Access Rule 2 in the Users section added the Logmein User into the exceptions box, it works fine and dandy.
 
Got to be honest though, even though the servers which have logmein installed are WP clients, I don't fully understand why the rule did not understand/work directly with IP addresses.

Hope this info helps for anyone who may need it.

Cheers


< Message edited by FlashPan -- 28.Feb.2009 11:41:36 AM >

(in reply to FlashPan)
Post #: 2
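The two posts above describe an ordered, first-match access policy: a narrow "Logmein User" rule placed above the general web rule, and, in the fix, the same user listed in the web rule's exceptions box so the account can never be used for general browsing. The following is an added example, not ISA Server code and not from the poster: a small Python model of first-match evaluation over rule elements (protocol, source, destination, user condition, exceptions) that lets you check a policy against the cases a lock-down must satisfy. The group membership, server names, "LogMeIn-2002" protocol name and "logmein.example" destination are all constructed placeholders, and the model deliberately does not reproduce the ISA-specific address-range/Web Proxy behaviour the poster could not explain; what it does show is why the exception matters: with it, the account stays denied on the web rule even if someone later adds it to "Allow-Web-Access".

```python
"""Added example: toy first-match access-policy evaluator for the thread's two
rules. Constructed for illustration; not ISA Server code."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = "*"  # wildcard element, standing in for "Internal" / "External" / all

# Constructed AD group membership. "Logmein User" is deliberately absent from
# Allow-Web-Access, as the poster describes.
GROUPS: Dict[str, FrozenSet[str]] = {
    "Allow-Web-Access": frozenset({"alice", "bob"}),
}
# Misconfigured variant: someone later drops "Logmein User" into the group.
GROUPS_MISCONFIGURED: Dict[str, FrozenSet[str]] = {
    "Allow-Web-Access": frozenset({"alice", "bob", "Logmein User"}),
}


@dataclass(frozen=True)
class Request:
    user: str      # authenticated AD account
    protocol: str  # e.g. "HTTPS" or the custom "LogMeIn-2002" protocol
    src: str       # source host
    dst: str       # destination name/IP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    users: FrozenSet[str]                     # user or group names
    exceptions: FrozenSet[str] = frozenset()  # the rule's "Exceptions" box


def principal_matches(user: str, principals: FrozenSet[str],
                      groups: Dict[str, FrozenSet[str]]) -> bool:
    """True if the user is named directly or belongs to a named group."""
    if ANY in principals or user in principals:
        return True
    return any(user in groups.get(p, frozenset()) for p in principals)


def element_matches(value: str, allowed: FrozenSet[str]) -> bool:
    return ANY in allowed or value in allowed


def rule_matches(rule: Rule, req: Request,
                 groups: Dict[str, FrozenSet[str]]) -> bool:
    """Every rule element must match and the user must not be an exception."""
    return (element_matches(req.protocol, rule.protocols)
            and element_matches(req.src, rule.sources)
            and element_matches(req.dst, rule.destinations)
            and principal_matches(req.user, rule.users, groups)
            and not principal_matches(req.user, rule.exceptions, groups))


def evaluate(policy: List[Rule], req: Request,
             groups: Dict[str, FrozenSet[str]]) -> Tuple[str, Optional[str]]:
    """Ordered, first-match evaluation; no match falls through to deny."""
    for rule in policy:
        if rule_matches(rule, req, groups):
            return rule.action, rule.name
    return "deny", None


# Constructed placeholders for the poster's server list and LogMeIn name set.
LOGMEIN_SERVERS = frozenset({"lab-srv-01", "lab-srv-02"})
LOGMEIN_DESTS = frozenset({"logmein.example"})

RULE_LOGMEIN = Rule("Access rule 1 - LogMeIn", "allow",
                    frozenset({"HTTPS", "LogMeIn-2002"}), LOGMEIN_SERVERS,
                    LOGMEIN_DESTS, frozenset({"Logmein User"}))
RULE_WEB_ORIGINAL = Rule("Access rule 2 - web", "allow",
                         frozenset({"HTTP", "HTTPS"}), frozenset({ANY}),
                         frozenset({ANY}), frozenset({"Allow-Web-Access"}))
# The fix from post #2: the same rule with "Logmein User" in the exceptions box.
RULE_WEB_FIXED = replace(RULE_WEB_ORIGINAL, exceptions=frozenset({"Logmein User"}))

POLICY_ORIGINAL = [RULE_LOGMEIN, RULE_WEB_ORIGINAL]
POLICY_FIXED = [RULE_LOGMEIN, RULE_WEB_FIXED]


def lockdown_check(policy: List[Rule], groups: Dict[str, FrozenSet[str]]
                   ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Verdicts for the cases a lock-down of "Logmein User" must satisfy."""
    cases = {
        "logmein": Request("Logmein User", "LogMeIn-2002", "lab-srv-01", "logmein.example"),
        "browse": Request("Logmein User", "HTTP", "lab-srv-01", "www.example.com"),
        "alice_browse": Request("alice", "HTTP", "pc-alice", "www.example.com"),
        "alice_logmein": Request("alice", "LogMeIn-2002", "lab-srv-01", "logmein.example"),
    }
    return {name: evaluate(policy, req, groups) for name, req in cases.items()}


if __name__ == "__main__":
    for label, policy in (("original", POLICY_ORIGINAL), ("fixed", POLICY_FIXED)):
        print(label, lockdown_check(policy, GROUPS_MISCONFIGURED))
```

Running it prints the verdicts for both policies against the misconfigured group: the original policy lets "Logmein User" browse as soon as the account lands in "Allow-Web-Access", while the fixed policy keeps browsing denied and still allows the LogMeIn rule, which is the lock-down the first post asks for. Ordinary group members keep their web access and are still denied the LogMeIn port, because rule 1 names only the single account.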