
Problem RULES with users of Untrusted domain.

Problem RULES with users of Untrusted domain. - 14.May2009 3:47:09 AM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
If ISA is used by users in different domains, there is a BIG problem.
If a trust is deleted, you cannot modify any rule which has users from the untrusted domain, and you cannot back up the ISA configuration. You get error
0x800706fc.
I tried to find this user set in the registry or in ADAM. I found it, but there is no attribute with the user list to modify manually.

< Message edited by gray -- 15.May2009 2:28:12 AM >
Post #: 1
RE: Problem RULES with users of Untrusted domain. - 15.May2009 8:38:48 AM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
I found that the SIDs are located in the msFPCAcess attribute of the user set, but it's in hex format and I can't read it.

(in reply to gray)
Post #: 2
RE: Problem RULES with users of Untrusted domain. - 15.May2009 11:14:47 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Delete the affected rules
Then delete the relevant user sets
Create new rules

Rules not affected by this do not need to be touched.

_____________________________

Phillip Windell

(in reply to gray)
Post #: 3
RE: Problem RULES with users of Untrusted domain. - 15.May2009 11:17:59 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Note that if you would not point directly to users/groups from the other Domain in the Rules this would not have happened.

If you would have embedded the users/groups from the other domain into Groups in your own domain,...and then pointed the Rules to them, this probably wouldn't have happened.  You would have just gone into AD and removed the foreign users/groups from your AD groups and ISA would not have been touched.

_____________________________

Phillip Windell

(in reply to gray)
Post #: 4
RE: Problem RULES with users of Untrusted domain. - 15.May2009 3:37:35 PM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
It was made by another admin. And I can't delete the rule, because I don't remember all the users and groups in this user set to make it again.

< Message edited by gray -- 15.May2009 3:38:37 PM >

(in reply to pwindell)
Post #: 5
RE: Problem RULES with users of Untrusted domain. - 15.May2009 3:45:37 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I don't know what to tell you.


_____________________________

Phillip Windell

(in reply to gray)
Post #: 6
RE: Problem RULES with users of Untrusted domain. - 15.May2009 3:51:20 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Re-establish the Trust.
Fix the ISA
Get rid of the Trust,..again.

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 7
RE: Problem RULES with users of Untrusted domain. - 16.May2009 2:19:41 PM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
Due to restructuring of the company, these domains were deleted.
:-(

(in reply to pwindell)
Post #: 8
RE: Problem RULES with users of Untrusted domain. - 18.May2009 9:08:52 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Uninstall the ISA
Reinstall the ISA
Design the Rules your way instead of worrying about how the previous admin had them

_____________________________

Phillip Windell

(in reply to gray)
Post #: 9
RE: Problem RULES with users of Untrusted domain. - 18.May2009 2:53:07 PM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
:-(
It is used by 3k users. It can't be stopped for more than 5 minutes.

(in reply to pwindell)
Post #: 10
RE: Problem RULES with users of Untrusted domain. - 18.May2009 4:10:21 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
There is what the users want....

Then there is the real world....

They don't want it to stop for three seconds actually, but they can not always get what they want. 

You'll have to work all that out,..I don't know what to tell you. 

If you were using proxy autodetection with WPAD then you could power off the ISA and put a simple NAT Device in its place with the same IP to keep them going until the ISA was fixed.  The autodetection would discover that ISA is not available and let the user go "direct", which would get picked up by the NAT Device.  You then set up the ISA and slip it in place of the NAT Device. WPAD would start picking it up again and then you could continue from there.



_____________________________

Phillip Windell

(in reply to gray)
Post #: 11
RE: Problem RULES with users of Untrusted domain. - 19.May2009 1:12:11 AM   
gray

 

Posts: 27
Joined: 22.Aug.2006
Status: offline
Our company is an ISP, and there is shaping software on the ISA server which shapes bandwidth for different client companies. That's why a NAT device is not a solution to this problem.
I think the solution is to find out how to decode the hex attribute msFPCAcess in the ADAM schema, which contains the list of SIDs.

20.02.2009
I decoded it manually to a list of hex SIDs, then translated it to a readable form like "S-1-5-nnnnnnn-xxxxxxx" and killed the SID from the deleted domain.

< Message edited by gray -- 20.May2009 8:52:22 AM >

(in reply to pwindell)
Post #: 12
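
The hex-to-"S-1-5-..." translation described in post 12, as an added example that is not part of the original thread or of ISA Server. It assumes the SIDs sit inside the attribute in the standard Windows binary SID layout; the thread does not describe the rest of the msFPCAcess layout, so the scan is heuristic, and the function names and the sample bytes are constructed for illustration.

```python
import struct

def parse_sid(buf, off=0):
    """Decode one binary SID at off; return (string, byte_length) or None."""
    if len(buf) - off < 8:
        return None
    revision, count = buf[off], buf[off + 1]
    if revision != 1 or not 1 <= count <= 15:
        return None
    end = off + 8 + 4 * count
    if end > len(buf):
        return None
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # 32-bit, little-endian
    text = "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))
    return text, end - off

def find_sids(blob):
    """Heuristic scan: collect every S-1-5-... SID found anywhere in the blob."""
    found, i = [], 0
    while i < len(blob):
        hit = parse_sid(blob, i)
        if hit and hit[0].startswith("S-1-5-"):
            found.append(hit[0])
            i += hit[1]
        else:
            i += 1
    return found

def domain_of(sid):
    """Return the domain part of S-1-5-21-a-b-c-RID, or None for other SIDs."""
    parts = sid.split("-")
    return "-".join(parts[:7]) if len(parts) == 8 and parts[3] == "21" else None

def orphaned(blob, live_domains):
    """SIDs whose domain prefix is not among the domains that still exist."""
    return [s for s in find_sids(blob)
            if domain_of(s) and domain_of(s) not in live_domains]

# Constructed sample, not real ISA data: 4 filler bytes, two domain SIDs
# separated by 2 filler bytes, then BUILTIN\Administrators (S-1-5-32-544).
SAMPLE = bytes.fromhex(
    "ffff0000"
    "010500000000000515000000e8030000d0070000b80b000051040000"
    "aabb"
    "010500000000000515000000a00f0000881300007017000001020000"
    "01020000000000052000000020020000")

if __name__ == "__main__":
    for sid in find_sids(SAMPLE):
        print(sid)
    print("orphaned:", orphaned(SAMPLE, {"S-1-5-21-1000-2000-3000"}))
```

Pass `orphaned()` the domain SIDs of the domains that still exist; whatever it returns belongs to a domain that can no longer be resolved.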
