Partner Intranet access rules issues (Full Version)

All Forums >> [ISA 2006 Firewall] >> Access Policies





ijohnson -> Partner Intranet access rules issues (7.Oct.2009 11:39:02 AM)

I have an ISA 2006 server with 3 network connections: the Internet, the Internal network, and an outside company's network.  I need to provide access for some of my users to the partner company's Intranet, but I also need to restrict some of my internal users from accessing their Intranet.

I have this set up now, and the problem I'm having is that users who shouldn't have access to the Partner's Intranet do have access.  If you look at the diagram below, User 2, who is supposed to have Internet access but no access to the Partner's Intranet, is actually able to access the Partner's Intranet.

The way I have the rule set up currently is:
Allow: HTTP, HTTPS
From: Internal
To: Partner Domain Name Set (contains *.partner1.local, *.partner2.local, *.partner3.local, *.partner4.local)
Users: Partintranet Users
Schedule: Always
Content Types: All

If I take a look at the log, it shows the allowed connection and the allowed rule is the "Outbound Internet Access for approved users".  I tried setting up a deny rule but that denied users that were supposed to have access (User 3 and User 4).



[image]http://imgur.com/RDh4W.gif[/image]




paulo.oliveira -> RE: Partner Intranet access rules issues (7.Oct.2009 2:41:54 PM)

Hi,

Check the order of your access rules. The ISA firewall evaluates the access rules from top to bottom.

http://www.isaserver.org/articles/ISA2004_AccessRules.html

Regards,
Paulo Oliveira.




ijohnson -> RE: Partner Intranet access rules issues (7.Oct.2009 2:50:59 PM)

The rule permitting Partintranet access is the first rule, while the Internet Access rule is the 4th.  I think the problem is that the Outbound Internet access rule is:

Allow: HTTP, HTTPS
From: Internal
To: External
Users: Authorized Internet Users
Schedule: Always
Content Types: All

ISA must also consider the Partner network an External site, so is that why?  I don't have the Partner VLAN set up in Networks at all currently, although while I was trying to get this set up right I had it set up as an External network.  Once I did that it didn't seem to change anything.




paulo.oliveira -> RE: Partner Intranet access rules issues (8.Oct.2009 1:43:45 PM)

Hi,

Anything not defined in ISA Networks is considered an External network from ISA's point of view.

Add an exception to your access rule; it should look like this:
Allow: HTTP, HTTPS
From: Internal
To: External
Except: Partner Domain Name Set
Users: Authorized Internet Users
Schedule: Always
Content Types: All

It should do the trick.

Regards,
Paulo Oliveira.




ijohnson -> RE: Partner Intranet access rules issues (8.Oct.2009 1:58:47 PM)

quote:

ORIGINAL: paulo.oliveira

Hi,

Anything not defined in ISA Networks is considered an External network from ISA's point of view.


I tried a few things and I disagree with the statement above, based on my test results.
Instead of domain names I used the IP addresses of their network.  I went ahead and defined those IP subnets for the partner network explicitly as a new External network called "Partner IP Subnets".  I then changed the rule so it was:

Allow: HTTP, HTTPS
From: Internal
To: Partner IP Subnets
Users: Partintranet Users
Schedule: Always
Content Types: All

I did not have to change my regular user Internet Access rule.  That seemed to work, and I no longer have "User 2" able to get to the Partner Intranet.  The regular Internet Access rule is still set up to allow access to all external destinations, and I did not have to put in any exceptions.

When User 2 tries to access www.partner.local, here is the denied request in the log:

Denied Connection
Log type: Web Proxy (Forward) Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL). Rule: Default rule Source: Internal (10.7.x.x) Destination: Partner IP Subnets (10.x.x.x:443) Request: www.partner.local:443




pwindell -> RE: Partner Intranet access rules issues (8.Oct.2009 4:27:19 PM)

quote:

To: Partner Domain Name Set (contains *.partner1.local, *.partner2.local, *.partner3.local, *.partner4.local)


This is probably your problem.  Forget Domain Name Sets; they only work for Web Proxy Clients, and even if you think they are only operating as Web Proxy Clients, things aren't always what they appear.  Use an Address Set that contains all the IP#s of the resources they need to use.  Or just use the Network Name of the "partner companies network".

Make sure that you correctly add the full IP# ranges to the "network" when you create the "partner companies network" definition in ISA.




paulo.oliveira -> RE: Partner Intranet access rules issues (9.Oct.2009 12:32:24 PM)

Hi,

I must disagree with you. On ISA, when you create a new Network, you must bind (associate) it to a physical NIC. If you don't do this, ISA won't work as you expect.

Give what Phillip said a try.

Regards,
Paulo Oliveira.




ijohnson -> RE: Partner Intranet access rules issues (12.Oct.2009 11:33:30 AM)

I might not have been clear in my previous post (from 8.Oct.2009 1:58:47 PM).  I was able to resolve the issue on my own.  The resolution was:

- Create a new network and include all the IP subnets of the external partner network.  Set up the new network as an external network.

- Modify the access rule so that instead of granting access to the domain names (*.partner.local), the rule grants access to the IP subnets.

This resolved the problem I was experiencing.

Thank you for the replies and assistance.
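The rule-order behaviour discussed in this thread (first matching rule wins, any destination not in a defined Network counts as External, and a Domain Name Set only matches when the client supplied a host name), as an added Python model that is not part of the thread or of ISA Server itself. Rule, network and user-set names follow the posts; the 10.9.0.0/16 partner range, the user names and the matching logic are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed model of ISA-style first-match access-rule evaluation. Names follow
# the thread; the logic is a simplified illustration, not ISA's implementation.

def classify(ip, networks):
    """Name of the defined network containing ip; anything else is External."""
    addr = ipaddress.ip_address(ip)
    for name, subnets in networks.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return name
    return "External"

def dest_in(spec, dst_ip, host, networks):
    """spec: a network name or a Domain Name Set (wildcard patterns). Domain names
    match only when the client sent a host name (Web Proxy); SecureNAT has host=None."""
    if isinstance(spec, set):
        return host is not None and any(fnmatch(host, p) for p in spec)
    return classify(dst_ip, networks) == spec

def evaluate(rules, networks, user, src_ip, dst_ip, host=None):
    """First matching rule (top to bottom) decides; otherwise the Default rule denies."""
    for r in rules:
        excluded = "except" in r and dest_in(r["except"], dst_ip, host, networks)
        if (user in r["users"] and classify(src_ip, networks) == r["from"]
                and dest_in(r["to"], dst_ip, host, networks) and not excluded):
            return r["name"], r["action"]
    return "Default rule", "deny"

# Constructed addresses: 10.7.x.x Internal (as in the posted log), 10.9/16 partner.
INTERNAL = ["10.7.0.0/16"]
PARTNER_SUBNETS = ["10.9.0.0/16"]
PARTNER_DNS = {"*.partner1.local", "*.partner2.local", "*.partner3.local", "*.partner4.local"}
INTERNET_RULE = {"name": "Outbound Internet Access for approved users", "action": "allow",
                 "from": "Internal", "to": "External", "users": {"user2", "user3", "user4"}}

# Original setup: partner net undefined (so it is External) and the partner rule
# keyed on a Domain Name Set.
ORIG_NETWORKS = {"Internal": INTERNAL}
ORIG_RULES = [{"name": "Partner Intranet", "action": "allow", "from": "Internal",
               "to": PARTNER_DNS, "users": {"user3", "user4"}}, INTERNET_RULE]

# Resolution: define the partner subnets as their own network and key the partner
# rule on it, so the Internet rule's "External" destination no longer covers them.
FIXED_NETWORKS = {"Internal": INTERNAL, "Partner IP Subnets": PARTNER_SUBNETS}
FIXED_RULES = [{"name": "Partner Intranet", "action": "allow", "from": "Internal",
                "to": "Partner IP Subnets", "users": {"user3", "user4"}}, INTERNET_RULE]
```

Paulo's alternative (adding the Domain Name Set as an `except` on the Internet rule) can be modelled by giving `INTERNET_RULE` an `"except": PARTNER_DNS` entry; it closes the hole for Web Proxy clients but, like the original rule 1, does not see SecureNAT traffic.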




pwindell -> RE: Partner Intranet access rules issues (12.Oct.2009 11:44:20 AM)

It may work either way, but the network type probably should have been "internal", not "external".

Don't be confused by the way ISA uses terms.  Internal and External are Network Names.  But Internal is also of the "internal type" and External is of the "external type".  However, the Name and the Type are still two different things; they could as easily have called them LAN and WAN with LAN="type internal" and WAN="type external".

Generally, "other" subnets of a Network are of the type "internal" as long as they are not a perimeter (DMZ) network. Geography does not matter; they could be in the same room or across the planet.  There is rarely more than one "external" type.




ijohnson -> RE: Partner Intranet access rules issues (12.Oct.2009 6:01:11 PM)

quote:

ORIGINAL: pwindell

It may work either way, but the network type probably should have been "internal", not "external".

Don't be confused by the way ISA uses terms.  Internal and External are Network Names.  But Internal is also of the "internal type" and External is of the "external type".  However, the Name and the Type are still two different things; they could as easily have called them LAN and WAN with LAN="type internal" and WAN="type external".

Generally, "other" subnets of a Network are of the type "internal" as long as they are not a perimeter (DMZ) network. Geography does not matter; they could be in the same room or across the planet.  There is rarely more than one "external" type.


I agree with that.  I believe the only difference I noticed was that when creating an Internal network, the network properties allow Web Proxy access, while by default an External one does not.  Since I did not need to allow Web Proxy in from the Partner network, External worked perfectly fine.




pwindell -> RE: Partner Intranet access rules issues (13.Oct.2009 9:42:26 AM)

Ok, sounds good.
Good luck with it all!



