Welcome to ISAserver.org

RE: Discussion of the Using ISA Domain Name Sets for Internet Access Control

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> RE: Discussion of the Using ISA Domain Name Sets for Internet Access Control

Page: << < prev 1 [2]

Message

<< Older Topic Newer Topic >>

RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 1:23:53 PM

srbaja

Posts: 6
Joined: 29.Aug.2006
Status: offline

Well, it usual that we have outsiders (bussines partners etc..) coming in with their notebooks and sometimes they need internet access. I need to make that work easily when no one from IT department is around to help them setup connection. Any such solution would be OK.

Thanks.

(in reply to tshinder)

Post #: 21

Featured Links*

RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 1:30:55 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Sr,

Put those users on an anonymous access wireless DMZ, that way you can allow anonymous access to those users. However, you really should at least create some sort of guest user acct that the visitors can use, allowing anonymous access is an invitation to a security breach, sort of like using a pix.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to srbaja)

Post #: 22

RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 2:11:40 PM

srbaja

Posts: 6
Joined: 29.Aug.2006
Status: offline

I am aware of that, but there are some things I can not change. Our employees also use WiFi, some guests plug into ethernet in conference room... I can safely assume that there is sufficent physical security in the building and no one malicious will enter the building (especially not with laptop). Besides, once that person connects to LAN, the last thing I care about is if he is using too much bandwidth. I thought about some domain guest account, and to put username/password on ISA error message, but isn't that bigger breach than unauthenticated http access? Should I maybe use ISA local account and lower its permissions and rights so it would be useful only for authenticating?

thanks!

(any gossips from Redmond about correcting that denying of unauthenticated users in allow rule?)

(in reply to tshinder)

Post #: 23

RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 2:53:57 PM

mohsindabomb

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline

Hi Tom

Thanks for your reply. I don't feel alone with my problem anymore.

I've read the 2000 book countless times but not the 2004 one. Just ordered two of yours for 2004 on amazon.

I'll wait eagerly for your article explaining this apparent mess I'm in with ISA that'll help me see where I'm going wrong.

For the moment, can you please quickly explain why Firewall clients and Webproxy clients are being asked for authentication?

Another quick question, if you (or some other helpful soul) can answer it please. In ISA 2000, we had the LAT table that separated internal resources from external ones and firewall clients simply didn't catch the requests for internal resources and didn't apply any policies to them at all. I'm having a bit of trouble here which involves access to internal servers being stopped by ISA even though I do not have any rules configured for access to internal resources. Can you please do a quick explanation? Managing ISA is only one of the 100 things I'm doing so I need somone to put me on the right track. I'll really appreciate it if you (or anybody) can help.

Thanks.

RedBull
Digital Dominance.

(in reply to tshinder)

Post #: 24

RE: Discussion of the Using ISA Domain Name Sets for In... - 1.Sep.2006 1:32:55 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:

ORIGINAL: srbaja

I am aware of that, but there are some things I can not change. Our employees also use WiFi, some guests plug into ethernet in conference room... I can safely assume that there is sufficent physical security in the building and no one malicious will enter the building (especially not with laptop). Besides, once that person connects to LAN, the last thing I care about is if he is using too much bandwidth. I thought about some domain guest account, and to put username/password on ISA error message, but isn't that bigger breach than unauthenticated http access? Should I maybe use ISA local account and lower its permissions and rights so it would be useful only for authenticating?

thanks!

(any gossips from Redmond about correcting that denying of unauthenticated users in allow rule?)

Hi Sr,

That's why we use DMZ segments for the anonymous wireless users. Easy to implement and doesn't require changing significant infrastructure.

For wired connections, you'll need to use something liek 802.1x

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to srbaja)

Post #: 25

RE: Discussion of the Using ISA Domain Name Sets for In... - 4.Sep.2006 8:56:41 AM

srbaja

Posts: 6
Joined: 29.Aug.2006
Status: offline

Ok, thanks for the advice Tom.

S.

(in reply to tshinder)

Post #: 26

RE: Discussion of the Using ISA Domain Name Sets for In... - 7.May2008 12:25:15 PM

ck2512

Posts: 5
Joined: 20.Feb.2003
Status: offline

In your article your refer to A rule called DNS outbound. I do not have such a rule, but my ISA seems to be working. Is this normal and okay? I also do not have an All Open rule. Both of these are referred to in your article.

(in reply to tshinder)

Post #: 27

RE: Discussion of the Using ISA Domain Name Sets for In... - 12.May2008 12:33:35 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

The ISA Firewall should be configured to use only Internal DNS servers that can resolve both internal and external host names. Thus, the DNS rule allows the DNS servers to resolve Internet host names.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ck2512)

Post #: 28

RE: Discussion of the Using ISA Domain Name Sets for In... - 12.May2008 12:39:32 PM

ck2512

Posts: 5
Joined: 20.Feb.2003
Status: offline

Tom, Thanks for getting back to me. I neglected to tell you we are using SBS2003. I sit possible there were rules created automatically that cover what you are saying? If not what would happen without these rules?

(in reply to tshinder)

Post #: 29

RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 9:23:31 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hmmm. Don't know how SBS works. I think they do allow external DNS configs, which can cause real big problems.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ck2512)

Post #: 30

RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 9:29:01 AM

ck2512

Posts: 5
Joined: 20.Feb.2003
Status: offline

What do you mean by problems? Anything i should look our for?

(in reply to tshinder)

Post #: 31

RE: Discussion of the Using ISA Domain Name Sets for In... - 14.May2008 12:34:47 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

The most common problem is that the ISA firewall machine won't be able to find the DC any longer, since it can switch to using only the external DNS server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ck2512)

Post #: 32

RE: Discussion of the Using ISA Domain Name Sets for In... - 16.May2008 2:29:42 PM

ck2512

Posts: 5
Joined: 20.Feb.2003
Status: offline

Tom,
I am not sure if you can help me with this. I got the firewall to work as far as restricting the internet access on some users to certain web sites. I used the Domain Name sets. The problem I am having is when a user goes to a website, and clicks on a link that takes him out of that domain. Example, one of the web sites is www.miteebite.com. They have a link for downloading CAD files. When you click on one of the parts to download, it fails. The address in the address bar shows the following: http://demo.3dpublisher.net/Miteebite/Default.asp?ModelName=22924
Is there a way to add a URL set or Domain Name set to cover this situation? I am sure this is not a unique situation. Any help you can give would be appreciated.

(in reply to tshinder)

Post #: 33

RE: Discussion of the Using ISA Domain Name Sets for In... - 18.May2008 12:45:40 PM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

You would need to block 3dpublisher.net

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ck2512)

Post #: 34