I've set up a VPN pass-through rule (allow-pptp-internal-external-All Users) which works well. But when I change the condition to a user group (that contains a domain group that contains me) I get DENIED by this rule.
I did expect to be allowed; weird that I'm not (I use the FW client, but no authentication info shows up in the monitor, not even anonymous).
The most disturbing fact however, I think, is that the rule DENIES me, If I'm not allowed I expect the traffic to be distributed down the chain so that all other policies get checked and that the default rule (deny all) would be the one to deny me! Or am I totally wrong here?
OK, I understand now why authentication won't happen, but why does the rule Deny the traffic.
How is it possible that a rule that allows under certain criteria DENIES when the criteria aren't met? Shouldn't the rule just hand it over to the next rule in line? That's my understanding of how this version works: checking all rules, allowing traffic if there is a specific allow, and going down the list to finally get blocked by the last (default) rule.
The rule matching process is somewhat odd with ISA 2004. First, it matches the connection characteristics *other than* the user. If the connection matches the characteristics in the rule, then it checks to see if the user is authenticated.
If the rule requires authentication, and the user does not authenticate (an anonymous connection), then the rule drops the connection! Yes, I know, it should move to the next rule, but that is not what happens.
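To make the difference between the two evaluation orders concrete, here is a small added model of the rule matching the reply describes (example code written for this thread, not ISA Server's own logic). The rule names, network names and group name are constructed from the posts; the behaviour for an authenticated user who is not a member of the group is not stated in the thread and is assumed to fall through to the next rule.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

@dataclass(frozen=True)
class Connection:
    protocol: str
    src: str                     # source network, e.g. "Internal"
    dst: str                     # destination network, e.g. "External"
    user: Optional[str]          # None = anonymous (no Firewall Client credentials seen)
    groups: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocol: str
    src: str
    dst: str
    users: Union[str, FrozenSet[str]] = "All Users"   # "All Users" or a set of group names

def traffic_matches(rule: Rule, conn: Connection) -> bool:
    # Step 1 from the reply: every characteristic *other than* the user.
    return rule.protocol == conn.protocol and rule.src == conn.src and rule.dst == conn.dst

def user_matches(rule: Rule, conn: Connection) -> bool:
    # Step 2: only evaluated once the traffic characteristics matched.
    if rule.users == "All Users":
        return True
    return conn.user is not None and bool(rule.users & conn.groups)

def evaluate(rules, conn: Connection, isa2004_semantics: bool = True):
    """Walk the rule list in order; return (action, name of the deciding rule)."""
    for rule in rules:
        if not traffic_matches(rule, conn):
            continue
        if user_matches(rule, conn):
            return rule.action, rule.name
        if isa2004_semantics and rule.users != "All Users" and conn.user is None:
            # The reply's observation: the rule requires authentication, the
            # connection is anonymous, and ISA 2004 drops it right here.
            return "deny", rule.name
        # Assumption (not stated in the thread): any other non-match falls through.
    return "deny", "Default rule"

# Constructed sample data mirroring the original post.
ALL_USERS_RULE = Rule("allow-pptp-internal-external-All Users", "allow", "PPTP", "Internal", "External")
GROUP_RULE = Rule("allow-pptp-internal-external-VPN Users", "allow", "PPTP", "Internal", "External",
                  users=frozenset({"DOMAIN\\VPN Users"}))
ANONYMOUS_PPTP = Connection("PPTP", "Internal", "External", user=None)
MEMBER_PPTP = Connection("PPTP", "Internal", "External", user="DOMAIN\\me",
                         groups=frozenset({"DOMAIN\\VPN Users"}))
```

Running `evaluate([GROUP_RULE], ANONYMOUS_PPTP)` names the allow rule as the one that denied, which is exactly what the original poster saw in the monitor; with `isa2004_semantics=False` the same connection is denied by the default rule instead.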