Welcome to ISAserver.org

Help in Polices

Help in Polices - 7.Nov.2009 2:19:09 PM   
kenzo

 

Posts: 22
Joined: 7.Nov.2006
Status: offline
Hi all,
This is my ISA policy.
My question is: is the policy order correct?
I have no problems, but I want the best performance.
Print screen from my ISA Server management console:
<img src="http://up.arab-x.com/Nov09/F1p20997.jpg">

Details:
DC: machine that hosts the domain controller
Full use: users have access to all sites
Limited user: users with limited access to some web sites

Thanks a lot
Post #: 1
RE: Help in Polices - 7.Nov.2009 3:10:13 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

What is the job of Rule # 1? Is your ISA Server a DNS server as well?

How about Rule # 3? Why do you want it?

For rule # 4, you are allowing full access from the firewall machine itself? Why? Are you using it like any other workstation? The firewall machine should not have full access!

Is your DC a web server as well? This is what we can understand from # 5.

For # 6, how is it limited use when the users have All Outbound Protocols?!

For rules # 7 & 8, do I understand that your ISA Server is a DHCP server as well?

For rule # 10, you don't need it; there is a remote management system policy. Check the system policy and configure the Source Network.

< Message edited by elmajdal -- 7.Nov.2009 3:12:28 PM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kenzo)
Post #: 2
RE: Help in Polices - 8.Nov.2009 12:11:38 AM   
kenzo

 

Posts: 22
Joined: 7.Nov.2006
Status: offline
Hi,
Thanks for your fast reply.

* What is the job of Rule # 1? Is your ISA Server a DNS server as well?
- Rule 1 is to allow DNS traffic from the internal network to the DNS server.
- DC is the domain controller and the DNS and DHCP server.
- ISA Server is not my DNS server.

* How about Rule # 3? Why do you want it?
- Rule # 3 is to allow traffic from the domain controller computer (DC) to the ISA Server.
The ISA Server machine is a member of the domain.

* For rule # 4, you are allowing full access from the firewall machine itself? Why? Are you using it like any other workstation? The firewall machine should not have full access!
- I created this rule to allow Windows Update for the firewall machine.
Would the correct rule be one that allows traffic to the Windows Update servers only, or should I remove Local Host from this rule?

* Is your DC a web server as well? This is what we can understand from # 5.
- Yes, it's a web server. I created a web page with ASP to let internal users fill in a maintenance request through the LAN.

* For # 6, how is it limited use when the users have All Outbound Protocols?!
- I configured HTTP (signature) to block access (download, proxy, hack, ...).

* For rules # 7 & 8, do I understand that your ISA Server is a DHCP server as well?
- DC is the DHCP server, not the ISA Server.
Oops, I have to replace "Local Host" with "Internal".

* For rule # 10, you don't need it; there is a remote management system policy. Check the system policy and configure the Source Network.
- Done, I configured it as you explained to me.

Thanks again for your nice help; you are always nice.

Waiting for your professional comments.

< Message edited by kenzo -- 8.Nov.2009 12:19:48 AM >

(in reply to elmajdal)
Post #: 3
RE: Help in Polices - 8.Nov.2009 4:32:37 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

* What is the job of Rule # 1? Is your ISA Server a DNS server as well?
- Rule 1 is to allow DNS traffic from the internal network to the DNS server.
- DC is the domain controller and the DNS and DHCP server.
- ISA Server is not my DNS server.


You do not need this rule then! ISA only controls what is passing through it. Your DC is in your Internal LAN, right? Then you don't need this rule, unless your Internal LAN is behind one network card and your DC is behind another network card.

quote:

* How about Rule # 3? Why do you want it?
- Rule # 3 is to allow traffic from the domain controller computer (DC) to the ISA Server.
The ISA Server machine is a member of the domain.


You don't need this rule; there is already a system policy rule for allowing ISA Server to communicate with the DC. Check the system policy.


quote:

* For rule # 4, you are allowing full access from the firewall machine itself? Why? Are you using it like any other workstation? The firewall machine should not have full access!
- I created this rule to allow Windows Update for the firewall machine.
Would the correct rule be one that allows traffic to the Windows Update servers only, or should I remove Local Host from this rule?


Again, in the system policy there is a rule to allow the ISA Server machine itself (Local Host) to connect to the Windows Update sites.
Remove this rule and check the system policy.



quote:

* Is your DC a web server as well? This is what we can understand from # 5.
- Yes, it's a web server. I created a web page with ASP to let internal users fill in a maintenance request through the LAN.

OK


quote:

* For # 6, how is it limited use when the users have All Outbound Protocols?!
- I configured HTTP (signature) to block access (download, proxy, hack, ...).

This is what I was looking for. But you can limit the protocols as well if you want.


quote:

* For rules # 7 & 8, do I understand that your ISA Server is a DHCP server as well?
- DC is the DHCP server, not the ISA Server.
Oops, I have to replace "Local Host" with "Internal".

Check point # 1: ISA Server does not control what happens behind it. It only controls what passes through it.
Remove this rule.



quote:

* For rule # 10, you don't need it; there is a remote management system policy. Check the system policy and configure the Source Network.
- Done, I configured it as you explained to me.

Great.

< Message edited by elmajdal -- 8.Nov.2009 4:34:22 AM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kenzo)
Post #: 4
RE: Help in Polices - 8.Nov.2009 5:27:14 AM   
kenzo

 

Posts: 22
Joined: 7.Nov.2006
Status: offline
I configured all the rules as you told me.
I added a new rule to block all traffic from a computer lab to the Internet.
This is the latest view:
<img src="http://up1.arb-up.com/files/arb-up-2009-9/4pg75810.jpg">

Any recommendations to reach high performance with ISA?

Again, and always, thanks for your professional help.

(in reply to elmajdal)
Post #: 5
RE: Help in Polices - 8.Nov.2009 6:12:36 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi,

No need for rule # 4, as your Internal is the source and DC is the destination, and traffic for this is not passing through ISA Server. Remove the rule.

The protocols in rule # 6 are already included in rule # 5, so you can remove it.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kenzo)
Post #: 6
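
The two removal criteria used in this thread (a rule whose source and destination sit in the same network never sees traffic, and a rule already covered by an earlier rule never matches), as an added example that is not part of the original posts. The rule list, the `NETWORK_OF` map and the `audit` function are hypothetical and constructed for illustration; user sets and schedules are ignored.

```python
from dataclasses import dataclass

# Constructed map of rule objects to the ISA network they live in.
# As in the thread, the DC and the computer lab are inside Internal.
NETWORK_OF = {"Internal": "Internal", "DC": "Internal",
              "Computer Lab": "Internal", "Local Host": "Local Host",
              "External": "External"}

@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str            # "Allow" or "Deny"
    protocols: frozenset   # {"*"} stands for all outbound traffic
    sources: frozenset
    dests: frozenset

def covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    protos_ok = "*" in earlier.protocols or later.protocols <= earlier.protocols
    return protos_ok and later.sources <= earlier.sources \
        and later.dests <= earlier.dests

def audit(rules):
    """Return (order, finding, detail) for rules that can be removed."""
    findings, ordered = [], sorted(rules, key=lambda r: r.order)
    for i, rule in enumerate(ordered):
        nets = {NETWORK_OF[o] for o in rule.sources | rule.dests}
        if len(nets) == 1:
            # Source and destination share a network: the hosts talk
            # directly, so the firewall never evaluates this traffic.
            findings.append((rule.order, "same-network", nets.pop()))
            continue
        for earlier in ordered[:i]:
            if covers(earlier, rule):   # first match wins, so never reached
                findings.append((rule.order, "covered-by", earlier.order))
                break
    return findings

fs = frozenset
RULES = [  # constructed sample policy, not the poster's actual rules
    Rule(1, "Block lab", "Deny", fs({"*"}), fs({"Computer Lab"}), fs({"External"})),
    Rule(2, "DNS to DC", "Allow", fs({"DNS"}), fs({"Internal"}), fs({"DC"})),
    Rule(3, "Full use", "Allow", fs({"*"}), fs({"Internal"}), fs({"External"})),
    Rule(4, "Web only", "Allow", fs({"HTTP", "HTTPS"}), fs({"Internal"}), fs({"External"})),
]

if __name__ == "__main__":
    for order, finding, detail in audit(RULES):
        print(f"rule {order}: {finding} ({detail})")
```

A covered rule with a different action from the rule that covers it is not just redundant but unreachable, which usually means the order, not the rule, is wrong.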
RE: Help in Polices - 9.Nov.2009 1:05:22 AM   
kenzo

 

Posts: 22
Joined: 7.Nov.2006
Status: offline
Hi,
I configured everything you told me.

This is the latest view:
<img src="http://up1.arb-up.com/files/arb-up-2009-9/xBZ46609.jpg">

Any other recommendations?

Thanks

(in reply to elmajdal)
Post #: 7
RE: Help in Polices - 9.Nov.2009 2:47:55 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You skipped this:

quote:

No need for rule # 4, as your Internal is the source and DC is the destination, and traffic for this is not passing through ISA Server. Remove the rule.


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kenzo)
Post #: 8
RE: Help in Polices - 9.Nov.2009 4:23:58 AM   
kenzo

 

Posts: 22
Joined: 7.Nov.2006
Status: offline
Done

(in reply to elmajdal)
Post #: 9
