Welcome to ISAserver.org

Firewall Policy - Rules behaviour

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client >> Firewall Policy - Rules behaviour Page: [1]
Firewall Policy - Rules behaviour - 27.Apr.2004 11:54:00 AM   
Danee

 

Posts: 18
Joined: 22.Mar.2004
Status: offline
Hi All,

I found a weird thing:

I've set up a VPN pass-through rule (allow-pptp-internal-external-All Users) which works well. But when I change the condition to a user group (that contains a domain group that contains me) I get DENIED by this rule.

I did expect to be allowed; weird that I'm not (I use the FW client, but no authentication info shows up in the monitor, not even anonymous).

The most disturbing fact however, I think, is that the rule DENIES me. If I'm not allowed, I expect the traffic to be passed down the chain so that all other policies get checked and that the default rule (deny all) would be the one to deny me! Or am I totally wrong here?

Cheers,

Danee
Post #: 1
RE: Firewall Policy - Rules behaviour - 29.Apr.2004 1:39:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danee,

The firewall client only handles TCP/UDP protocols, and PPTP requires GRE (IP protocol 47). So, the firewall client can't help authenticate these connections.

A good reason to use L2TP/IPSec NAT-T if you can, because you can set user based access rules for the UDP protocols it requires.

HTH,
Tom

(in reply to Danee)
Post #: 2
RE: Firewall Policy - Rules behaviour - 5.May2004 1:15:00 PM   
Danee

 

Posts: 18
Joined: 22.Mar.2004
Status: offline
Hi Tom, thanks for the reply.

OK, I understand now why authentication won't happen, but why does the rule deny the traffic?

How is it possible that a rule that allows under certain criteria DENIES when the criteria aren't met? Shouldn't the rule just hand it over to the next rule in line? That's my understanding of how this version works: checking all rules, allowing traffic if there is a specific allow, and going down the list to finally get blocked by the last (default) rule.

Thanks,

Danee

[ edit: typos ]

[ May 05, 2004, 01:16 PM: Message edited by: Danee ]

(in reply to Danee)
Post #: 3
RE: Firewall Policy - Rules behaviour - 9.May2004 5:51:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danee,

The rule matching process is somewhat odd with ISA 2004. First, it matches the connection characteristics *other than* the user. If the connection matches the characteristics in the rule, then it checks to see if the user is authenticated.

If the rule requires authentication, and the user does not authenticate (an anonymous connection) then the rule drops the connection! Yes, I know, it should move to the next rule, but that is not what happens.

HTH,
Tom

(in reply to Danee)
Post #: 4
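The following is an added illustration, not code from the thread or from ISA Server: a small policy evaluator that models the two evaluation orders discussed above (Tom's description of ISA 2004, where a rule whose traffic characteristics match but whose user requirement is unmet denies the connection, versus the fall-through Danee expected) and why the firewall client leaves a GRE connection anonymous. The rule names, group names and protocol labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Rule:
    name: str
    protocols: Set[str]
    src: str
    dst: str
    groups: Optional[Set[str]] = None   # None means "All Users": no authentication required

@dataclass
class Connection:
    protocol: str
    transport: str                      # "TCP", "UDP", or the raw IP protocol ("GRE")
    src: str
    dst: str
    user: Optional[str] = None          # None = anonymous (no credentials attached)
    groups: Set[str] = field(default_factory=set)

def via_firewall_client(conn: Connection, user: str, groups: Set[str]) -> Connection:
    # The firewall client attaches credentials only to TCP/UDP sessions, so a GRE
    # connection (PPTP's data channel) arrives anonymously even from a logged-on user.
    if conn.transport in ("TCP", "UDP"):
        conn.user, conn.groups = user, set(groups)
    return conn

DEFAULT_DENY = "Default rule (deny all)"

def evaluate(conn: Connection, policy, isa2004_semantics: bool = True):
    """Return (verdict, rule name). isa2004_semantics=True: a matching rule with an
    unmet user requirement denies (behaviour Tom describes); False: it falls through
    to the next rule (behaviour Danee expected)."""
    for rule in policy:
        if (conn.protocol not in rule.protocols
                or conn.src != rule.src or conn.dst != rule.dst):
            continue                    # non-user characteristics do not match
        if rule.groups is None or (conn.user and conn.groups & rule.groups):
            return "ALLOW", rule.name
        if isa2004_semantics:
            return "DENY", rule.name    # denied by the allow rule itself, logged under its name
    return "DENY", DEFAULT_DENY

# Constructed sample policy and traffic (illustrative names, not taken from the thread).
POLICY = [
    Rule("allow-pptp-internal-external", {"PPTP", "GRE"}, "Internal", "External", {"VPN-Users"}),
    Rule("allow-l2tp-internal-external", {"IKE", "L2TP", "IPsec NAT-T"}, "Internal", "External", {"VPN-Users"}),
]
GRE_CONN = via_firewall_client(Connection("GRE", "GRE", "Internal", "External"), "danee", {"VPN-Users"})
L2TP_CONN = via_firewall_client(Connection("L2TP", "UDP", "Internal", "External"), "danee", {"VPN-Users"})
```

Under ISA 2004 semantics `evaluate(GRE_CONN, POLICY)` returns a deny attributed to allow-pptp-internal-external, while the fall-through model attributes the same deny to the default rule; the UDP-based L2TP connection carries the user's group and is allowed. When reading the monitor, this is why the denying rule's name alone does not tell you whether the traffic failed to match or failed to authenticate.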