Welcome to ISAserver.org

RE: Discussion of the Using ISA Domain Name Sets for Internet Access Control

RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 1:23:53 PM   
srbaja

 

Posts: 6
Joined: 29.Aug.2006
Status: offline
Well, it's usual that we have outsiders (business partners etc.) coming in with their notebooks and sometimes they need internet access. I need to make that work easily when no one from IT department is around to help them setup connection. Any such solution would be OK.

Thanks.

(in reply to tshinder)
Post #: 21
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 1:30:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sr,

Put those users on an anonymous access wireless DMZ, that way you can allow anonymous access to those users. However, you really should at least create some sort of guest user acct that the visitors can use, allowing anonymous access is an invitation to a security breach, sort of like using a pix.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to srbaja)
Post #: 22
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 2:11:40 PM   
srbaja

 

Posts: 6
Joined: 29.Aug.2006
Status: offline
I am aware of that, but there are some things I cannot change. Our employees also use WiFi, some guests plug into ethernet in conference room... I can safely assume that there is sufficient physical security in the building and no one malicious will enter the building (especially not with laptop). Besides, once that person connects to LAN, the last thing I care about is if he is using too much bandwidth. I thought about some domain guest account, and to put username/password on ISA error message, but isn't that bigger breach than unauthenticated http access? Should I maybe use ISA local account and lower its permissions and rights so it would be useful only for authenticating?

thanks!

(any gossips from Redmond about correcting that denying of unauthenticated users in allow rule?)

(in reply to tshinder)
Post #: 23
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 2:53:57 PM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Tom

Thanks for your reply. I don't feel alone with my problem anymore.

I've read the 2000 book countless times but not the 2004 one. Just ordered two of yours for 2004 on amazon.

I'll wait eagerly for your article explaining this apparent mess I'm in with ISA that'll help me see where I'm going wrong.

For the moment, can you please quickly explain why Firewall clients and Webproxy clients are being asked for authentication?

Another quick question, if you (or some other helpful soul) can answer it please. In ISA 2000, we had the LAT table that separated internal resources from external ones and firewall clients simply didn't catch the requests for internal resources and didn't apply any policies to them at all. I'm having a bit of trouble here which involves access to internal servers being stopped by ISA even though I do not have any rules configured for access to internal resources. Can you please do a quick explanation? Managing ISA is only one of the 100 things I'm doing so I need someone to put me on the right track. I'll really appreciate it if you (or anybody) can help.

Thanks.

RedBull
Digital Dominance.


(in reply to tshinder)
Post #: 24
RE: Discussion of the Using ISA Domain Name Sets for In... - 1.Sep.2006 1:32:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: srbaja

I am aware of that, but there are some things I cannot change. Our employees also use WiFi, some guests plug into ethernet in conference room... I can safely assume that there is sufficient physical security in the building and no one malicious will enter the building (especially not with laptop). Besides, once that person connects to LAN, the last thing I care about is if he is using too much bandwidth. I thought about some domain guest account, and to put username/password on ISA error message, but isn't that bigger breach than unauthenticated http access? Should I maybe use ISA local account and lower its permissions and rights so it would be useful only for authenticating?

thanks!

(any gossips from Redmond about correcting that denying of unauthenticated users in allow rule?)


Hi Sr,

That's why we use DMZ segments for the anonymous wireless users. Easy to implement and doesn't require changing significant infrastructure.

For wired connections, you'll need to use something like 802.1x.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to srbaja)
Post #: 25
RE: Discussion of the Using ISA Domain Name Sets for In... - 4.Sep.2006 8:56:41 AM   
srbaja

 

Posts: 6
Joined: 29.Aug.2006
Status: offline
Ok, thanks for the advice Tom.

S.

(in reply to tshinder)
Post #: 26
RE: Discussion of the Using ISA Domain Name Sets for In... - 7.May2008 12:25:15 PM   
ck2512

 

Posts: 6
Joined: 20.Feb.2003
Status: offline
In your article you refer to a rule called DNS outbound. I do not have such a rule, but my ISA seems to be working. Is this normal and okay? I also do not have an All Open rule. Both of these are referred to in your article.

(in reply to tshinder)
Post #: 27
RE: Discussion of the Using ISA Domain Name Sets for In... - 12.May2008 12:33:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall should be configured to use only Internal DNS servers that can resolve both internal and external host names. Thus, the DNS rule allows the DNS servers to resolve Internet host names.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ck2512)
Post #: 28
RE: Discussion of the Using ISA Domain Name Sets for In... - 12.May2008 12:39:32 PM   
ck2512

 

Posts: 6
Joined: 20.Feb.2003
Status: offline
Tom, thanks for getting back to me. I neglected to tell you we are using SBS2003. Is it possible there were rules created automatically that cover what you are saying? If not, what would happen without these rules?

(in reply to tshinder)
Post #: 29
RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 9:23:31 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hmmm. Don't know how SBS works. I think they do allow external DNS configs, which can cause real big problems.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ck2512)
Post #: 30
RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 9:29:01 AM   
ck2512

 

Posts: 6
Joined: 20.Feb.2003
Status: offline
What do you mean by problems? Anything I should look out for?

(in reply to tshinder)
Post #: 31
RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 12:34:47 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The most common problem is that the ISA firewall machine won't be able to find the DC any longer, since it can switch to using only the external DNS server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ck2512)
Post #: 32
RE: Discussion of the Using ISA Domain Name Sets for In... - 16.May2008 2:29:42 PM   
ck2512

 

Posts: 6
Joined: 20.Feb.2003
Status: offline
Tom,
I am not sure if you can help me with this. I got the firewall to work as far as restricting the internet access on some users to certain web sites. I used the Domain Name sets. The problem I am having is when a user goes to a website, and clicks on a link that takes him out of that domain. Example, one of the web sites is www.miteebite.com. They have a link for downloading CAD files. When you click on one of the parts to download, it fails. The address in the address bar shows the following: http://demo.3dpublisher.net/Miteebite/Default.asp?ModelName=22924
Is there a way to add a URL set or Domain Name set to cover this situation? I am sure this is not a unique situation. Any help you can give would be appreciated.

(in reply to tshinder)
Post #: 33
RE: Discussion of the Using ISA Domain Name Sets for In... - 18.May2008 12:45:40 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You would need to block 3dpublisher.net

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ck2512)
Post #: 34
RE: Discussion of the Using ISA Domain Name Sets for In... - 28.Nov.2010 11:17:07 PM   
m_ab_malik

 

Posts: 32
Joined: 4.Apr.2007
Status: offline
I want to block all internet traffic except the following sites:
https://mail.worldcall.pk/webmail/login.php
https://login.yahoo.com
http://www.yahoo.com/
http://www.hotmail.com
https://login.live.com

I have created Domain sets but they are not working.
Domain sets:
*.worldcall.pk
*.yahoo.com
*.hotmail.com

Please suggest what I should do.

I am using ISA 2006

Thank You

(in reply to tshinder)
Post #: 35
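
An added example, not part of any post in this thread and not ISA's own matching code: a Python check of which requested hosts a Domain Name Set leaves uncovered, using the URLs and entries quoted in the posts above. It assumes a `*.` entry covers any host under that suffix and nothing else; the function names are hypothetical.

```python
from urllib.parse import urlsplit


def host_matches(host, pattern):
    """True if host is covered by one domain-set entry.

    Assumed semantics (not taken from ISA documentation): '*.example.com'
    covers any host ending in '.example.com' but not 'example.com' itself;
    an entry without a wildcard must equal the host exactly.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # Keep the leading dot so 'evilyahoo.com' does not match '*.yahoo.com'.
        return host.endswith(pattern[1:])
    return host == pattern


def uncovered_hosts(urls, domain_set):
    """Return the hosts (first-seen order) that no entry in domain_set covers."""
    missing = []
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            continue  # not an absolute URL, nothing to match
        if not any(host_matches(host, p) for p in domain_set):
            if host not in missing:
                missing.append(host)
    return missing


# URLs and domain-set entries as listed in post 35.
ALLOWED_URLS = [
    "https://mail.worldcall.pk/webmail/login.php",
    "https://login.yahoo.com",
    "http://www.yahoo.com/",
    "http://www.hotmail.com",
    "https://login.live.com",
]
DOMAIN_SET = ["*.worldcall.pk", "*.yahoo.com", "*.hotmail.com"]

if __name__ == "__main__":
    print(uncovered_hosts(ALLOWED_URLS, DOMAIN_SET))
```

The same check applies to the download link in post 33: a set built only around the miteebite.com site does not cover the host demo.3dpublisher.net.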
