Understanding the ISA 2004 Access Rule Processing

Understanding the ISA 2004 Access Rule Processing (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Access Policies

Message

spouseele -> Understanding the ISA 2004 Access Rule Processing (25.Feb.2005 3:59:00 PM)
This thread is for the Understanding the ISA 2004 Access Rule Processing article. Thanks, Stefaan [ February 25, 2005, 05:03 PM: Message edited by: spouseele ]

steavg -> RE: Understanding the ISA 2004 Access Rule Processing (12.Mar.2005 12:53:00 AM)
Hi Stefaan, Great article, sure helps a lot to understand ISA 2004 a bit better. I was wondering if it is possible for ISA 2004 to define the authentication methode based on the subnet the request came from ? e.g. : Users connecting from subnet 1 will be authenticated using authentication methode A (e.g. Basic) Users connecting from subnet 2 will be authenticated using authentication methode B (e.g. Integrated) Do you think this might work ? PS: Best wel iets om trots op te zijn hT als Belg zo hoog aangeschreven staan op ISAServer.org ! Groeten, Stefan

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (12.Mar.2005 12:11:00 PM)
Hi Stefan, thanks for the kind words! The authentication methods allowed for the Web Proxy clients are a property of the Networks (Web Proxy tab). Therefore, that property is bound to an interface adapter and the allowed authentication method applies to all subnets reachable through that interface. PS: yep, het geeft een leuk gevoel! HTH, Stefaan [ March 12, 2005, 12:16 PM: Message edited by: spouseele ]

asifshabbir -> RE: Understanding the ISA 2004 Access Rule Processing (31.Aug.2005 5:30:00 AM)
Hi Stefaan Pouseele, Have read ur article it very much informative as i am a newbie to ISA server 2004. i have one prob, i hope u can solve this or guide me to the better solution. ------------------------------------------- I have a network scenario as below DSL Router with WLAN dsl router = 10.0.0.138 wlan and lan clients = 10.0.0.x ISA Server 2004 external NIC = 10.0.0.3 Internal NIC = 192.168.0.1 DC IP = 192.168.0.10 DG = 192.168.0.1 Rest Of the domain clients IP= 192.168.0.x DNS= 192.168.0.10 (DC IP for DNS,please note that this dns is forwarder dns and sends it requests other than domain to the next dns) DG=192.168.0.1 now the problem: I am able to use domain resources from the computers that are on the IP Rangs 192.168.0.x but computers that are on the different network 10.0.0.x cant access the domain resources. from domain clients 192.168.0.x i can ping 10.0.0.x clients.but 10.0.0.x clients are bot able to ping 192.168.0.x. ------------------------------- if u can help me in this scenario i will be gratefull to u Regards

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (1.Sep.2005 2:39:00 PM)
Hi asifshabbir, I suggest you do a site search on http://www.isaserver.org on the key words 'DMZ' or 'Perimeter'. I'm sure Tom Shinder has written some articles on this subject. HTH, Stefaan

kjman -> RE: Understanding the ISA 2004 Access Rule Processing (20.Sep.2005 4:49:00 PM)
Hi I hope you can help me solve this problem i am havig with my isa 2004 server. My server is also a VPN server for remote usres. I have configured an allow all rule for all protocols and to all destinations and i ahve applied this rule to all users. Now i am trying to block all protocols and sites and apply this rule to a windows AD group, but when i aply the rule user who VPN into the network are unable to access our CRM server on the internal network, as soon as i disable the rule access is restored. I have alos tried making acceptions on the rule for VPN, and local host, but i still get the same problem. P.s I have moved the denay rule above the allow all rule. What am i missing with this?

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (21.Sep.2005 3:34:00 PM)
Hi kjman, please post the exact access rule info of both rules. HTH, Stefaan

kjman -> RE: Understanding the ISA 2004 Access Rule Processing (21.Sep.2005 5:09:00 PM)
Do you want me to post the XML file of the two rules?

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (22.Sep.2005 4:39:00 PM)
Hi kjman, no, that's too hard to read! Just spell the different tabs out in readable text. HTH, Stefaan

Spyke -> RE: Understanding the ISA 2004 Access Rule Processing (26.Oct.2005 3:59:00 PM)
I am trying to change the http filtering to enable our MS Sharepoint portail to work properly. The problem is that the "Configure HTTP" option is NOT visible when I right click on a firewall rule. I have read that web proxy must be enabled but that is already enabled on the firewall. I searched everywhere and I could not find an explanation why this is not visible on my isa server 2004. I have another firewall in another office and that option is visible... HELP Please! any suggestion is welcomed! Thanks

ClintD -> RE: Understanding the ISA 2004 Access Rule Processing (26.Oct.2005 4:38:00 PM)
Did you create a custom protocol for HTTP and specify it in the rule? The only time I have seen this is when a custom protocol has been created and the admin didn't associate the Protocol with the Web Proxy filter, or the admin has dis-associated the Web Proxy filter from the HTTP protocol definition. In the main Firewall Policy screen, in the Protocols column of the rule you're trying to configure, double click on the HTTP protocol and you should get a General and Parameters screen for the protocol itself - on the Parameters tab under Application Filters, is Web Proxy enabled? [ October 26, 2005, 04:42 PM: Message edited by: ClintD ]

Spyke -> RE: Understanding the ISA 2004 Access Rule Processing (27.Oct.2005 12:49:00 PM)
It works. Excellent! Web proxy filter was unchecked. Thanks a lot ClintD!

kimble -> RE: Understanding the ISA 2004 Access Rule Processing (18.May2007 11:14:55 AM)
Hi, Stefaan, I encountered the problem "proxy chain loop" and the workaround described at "http://www.microsoft.com/technet/isa/2004/plan/ts_proxy_traffic.mspx#traffic" did work for me. But I still not understand the reason to "Add a deny rule from the Local Host network to the External network for HTTP, and set it as the second rule", and according to what you said, that rule seems to be unreachable. :-( Any idea about this? Thanks very much!

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (18.May2007 2:50:37 PM)
Hi Kimble, check out the ISA Server Product Team Blog article Why do I need a deny rule to make an allow rule for a custom protocol work correctly. I also used that mechanisme to enable Secure FTP with ISA 2004/2006 (Solving the Secure FTP dilemma with ISA Server 2004 and 2006). HTH, Stefaan

kimble -> RE: Understanding the ISA 2004 Access Rule Processing (19.May2007 10:43:00 AM)
Hi Stefaan, That alticle is really cool! And I've got exactly what I need. Thank you! Kimble

bugtook -> RE: Understanding the ISA 2004 Access Rule Processing (20.May2007 12:47:15 AM)
hi steefan, will you please help me on how to share internet in isa server 2004? how to configure i have two NIC one conneted to my broadband modem and the other to my internal network with 10 workstation. Thanks, Bugs

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (20.May2007 10:17:01 AM)
Hi Bugs, please, start a new topic and do not hijack a unrelated and/or existing one. Thanks, Stefaan

JeffVandervoort -> RE: Understanding the ISA 2004 Access Rule Processing (17.Oct.2007 10:13:25 PM)
How does this work with Enterprise & Array rules? I'm a newbie to ISA EE, though not to SE. What I'm finding so far is that post-array rules are not being processed. Summary: My rules are all "Allow" Access rules and Publishing rules, all duplicated from the existing (and working) ISA 2004 SE config. Some are anonymous, some authenticated. Since Publishing rules must be Array rules, I've had to disregard your first "Best Practice" recommendation, but that aside, I've arranged it as follows: Enterprise Access rules, anonymous Array Publishing rules Array Access rules, anonymous Array Access rules, authenticated Enterprise Access rules, authenticated What I've found from the ISA log is that the only post-array rule applied is the Enterprise default rule, so access for those rules is denied. If I move a post-array rule to become a pre-array rule, it starts working. This is true even when there are no array rules that match the connection attempt. What am I missing?

spouseele -> RE: Understanding the ISA 2004 Access Rule Processing (18.Oct.2007 2:41:38 PM)
Hi Jeff, I can't comment on that because I never played with ISA EE. As of today, I'm an ISA SE only guy! [;)] Greetings, Stefaan

JeffVandervoort -> RE: Understanding the ISA 2004 Access Rule Processing (19.Oct.2007 8:58:25 AM)
Thanks anyway, Stefaan. Hopefully an "EE guy" will jump in. Meantime, I think I may have figured it out. I used this article http://isaserver.org/tutorials/Offline-Rule-Bases-Objects.html to import my ISA 2004 SE rules to the ISA 2006 EE array. I did the entire rule set, complete. In so doing, I imported the Default deny rule, which became the last rule in the Array. It's always puzzled me that it was there, but without any other EE experience to know it didn't belong there, or other EE machines to compare it to, I figured ISA just ignored it. I didn't realize I was the one who put it there. I found this screen shot in another ISAServer.org article which confirms there is not supposed to be a default deny rule in the Firewall Policy Rules. (Presumably the "All Open" rule isn't normally found there, either!) [image]http://www.isaserver.org/img/upl/image0381151940387356.jpg[/image] Last Enterprise Default Rule should be the only Default Rule. That makes sense, and explains my problem. Looking at the XML, it looks like the read-only attribute is easy to flip. Hopefully I can export, edit, and import the Array Default Rule. Then delete the rule. Worst case is export the whole EE config to XML, edit the XML to remove the Default Rule, uninstall/reinstall ISA, and import the modified XML. The server's not in production yet so that's not a big deal. This is a BIG gotcha for using that article to move from ISA SE to ISA EE: I know now I should have exported the rules one at a time, omitting the default rule, or else edited the "all rules" export to remove SE's Default Rule before importing to EE. (Or do it Microsoft's way, from scratch, where I'd still be manually re-creating Rules and Elements for another week before I'd be able to try it! They really need to work on making ISA SE to EE upgrades efficient.) [Edit] Yup...that was it. So this question turned out to be off-topic; sorry! To bring it back on-topic, the order I showed in my first post was correct. The Default Rule at the Array level was the problem. Interestingly, ISA Logging identified it as the Enterprise-level Default Rule. That's part of what threw me off. Evidently this was a scenario Microsoft (reasonably) did not anticipate! Their logic: If a Default Rule is used, it must be the Enterprise default rule because there isn't one at the array level, so that's how we'll display it.

Page: [1] 2 next > >>