Welcome to ISAserver.org
RE: Understanding the ISA 2004 Access Rule Processing
RE: Understanding the ISA 2004 Access Rule Processing - 19.Oct.2007 11:26:26 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Jeff,

Drop Tom an email at tshinder@isaserver.org and point him to this topic. I'm sure he will respond.

HTH,
Stefaan

(in reply to JeffVandervoort)
Post #: 21
RE: Understanding the ISA 2004 Access Rule Processing - 19.Mar.2008 11:54:00 AM   
davidgwilson
Posts: 10
Joined: 9.Mar.2006
I have come across a strange issue with VPN client access to ISA 2006 where the VPN user is in a trusted NT 4 domain. I realise this may be slightly off topic, but it is directly connected to matching access rules.

Basically, although the initial VPN authentication completes OK, the authenticated NT 4 user credentials do not then seem to be passed to the VPN access rule, which allows full access from the VPN Clients network to All Protected Networks. The User condition for the rule is All Authenticated Users, and I can see from the logging that this Allow rule is actually the rule denying access, so I can only suppose that the traffic is being treated as anonymous rather than authenticated (although, strangely, the username appears in the deny event in the log, which I thought meant it was authenticated??).

In my test lab I found a workaround, which was to change the access rule from All Authenticated Users to All Users.
(N.B. I also had to add a rule so the NT 4 Domain Controllers could send NetBIOS datagrams to the ISA localhost in order for the initial VPN authentication to work.)

Changing the rule to All Users didn't give me all I needed in production, however, where I have several types of VPN users (e.g. extranet users), and so the VPN access rule had an exception list for Users, which were the third party users. So even though All Users is allowed, the fact that I have a group specified as an Exception for Users causes the rule to deny instead of allow. I can only guess that the way it is implemented is that, in order to check that the users are not in the Exceptions user list, the ISA must be looking for authentication, and for some reason the VPN client doesn't provide the authentication (something to do with NT 4 user authentication, I guess). Having the Firewall client running on the VPN client does not help either.

I thought I had found a solution, however, by removing the Exception user list from the normal VPN access rule and creating a deny all rule for the third party users, placing it above the normal VPN rule but below the other VPN third party access rules. This fails, however, for the same reason as the original rule. Because the rule requires authentication, and for some reason ISA thinks the VPN client isn't authenticated, the deny all rule for third party users is matched for the ordinary VPN client, who is supposed to be ignored by that rule.

Any thoughts as to why the NT 4 user accounts fail to match "All Authenticated Users" in the first place?

Any thoughts on a workaround?

Thanks
David

P.S. Great article, by the way. Has Microsoft ever documented how the rule matching works in that level of detail? (I know there's a simplified version of rule matching in the on-line help.)


< Message edited by davidgwilson -- 19.Mar.2008 12:50:19 PM >

(in reply to spouseele)
Post #: 22
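As an added illustration (not code from this thread, and not ISA's own implementation), here is a toy model of the rule-matching behaviour David describes: rules are evaluated top-down with first match winning, and any rule whose user condition is not plain "All Users" (including "All Users" with an exception list) needs the requester to be authenticated before it can be evaluated, so an unauthenticated request that reaches such a rule is denied by that rule. The ISA semantics are simplified from the post rather than verified against ISA internals, and the rule names, the "ThirdParty" group and the sample user are assumptions.

```python
# Toy model of ISA-style access-rule matching, built from the symptoms in
# the post above (assumption: simplified, not ISA's real engine). Network,
# protocol and schedule criteria are assumed to match already; only the
# Users condition of each rule is modelled.
from dataclasses import dataclass, field

ALL_USERS = "All Users"
AUTHENTICATED = "All Authenticated Users"


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    users: str                   # ALL_USERS, AUTHENTICATED or a group name
    exceptions: set = field(default_factory=set)

    def requires_auth(self) -> bool:
        # Anything other than a bare "All Users" needs an identity to check,
        # and so does an exception list, even on an "All Users" rule.
        return self.users != ALL_USERS or bool(self.exceptions)

    def applies_to(self, user, groups) -> bool:
        if self.users == ALL_USERS:
            ok = True
        elif self.users == AUTHENTICATED:
            ok = user is not None
        else:
            ok = self.users in groups
        return ok and not (groups & self.exceptions)


def evaluate(rules, user=None, groups=frozenset()):
    """Return (decision, rule name). user=None models anonymous traffic."""
    for r in rules:
        if r.requires_auth() and user is None:
            return "deny", r.name     # auth needed, none presented: logged against this rule
        if r.applies_to(user, groups):
            return r.action, r.name
    return "deny", "Default rule"


def david_scenarios():
    vpn_auth = Rule("VPN clients", "allow", AUTHENTICATED)
    vpn_all = Rule("VPN clients", "allow", ALL_USERS)
    vpn_exc = Rule("VPN clients", "allow", ALL_USERS, {"ThirdParty"})
    deny_tp = Rule("Deny third party", "deny", "ThirdParty")
    nt4_user, nt4_groups = "NT4DOM\\david", frozenset({"Domain Users"})  # constructed
    return {
        "authenticated_users": evaluate([vpn_auth]),
        "all_users": evaluate([vpn_all]),
        "all_users_with_exception": evaluate([vpn_exc]),
        "deny_rule_above": evaluate([deny_tp, vpn_all]),
        "works_once_authenticated": evaluate([deny_tp, vpn_exc], nt4_user, nt4_groups),
    }
```

The last scenario shows that the same rule set behaves as intended once the request carries an identity, which is why the question in the post is really about why the NT 4 credentials never reach the rule engine.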
RE: Understanding the ISA 2004 Access Rule Processing - 4.Feb.2010 7:47:04 AM   
vb
Posts: 1
Joined: 4.Feb.2010
Hi!
In my case, in To (destination) I have the FQDN "mail.rabota.ru". It hasn't got a reverse DNS entry, so all requests match that To (destination).
Is this normal?

(in reply to spouseele)
Post #: 23
ISA 2004 Access Rule Processing - 30.Jul.2010 10:56:13 AM   
kashifsh98
Posts: 4
Joined: 23.Jul.2010
Dear All,

I am a beginner in ISA 2004. After installation of ISA, all inbound and outbound traffic is blocked. I have added the internal LAN range 10.0.0.1 to 10.255.255.255 in the network set.
I am using the edge firewall template.

Can anyone solve my problem?

Thanks
Kashif
kashifsh98@gmail.com

(in reply to spouseele)
Post #: 24