I have a problem using the Firewall Client of ISA Server 2004 in my test environment. I observed a strange behaviour in my environment when I use User Sets to control access to a communication protocol with user accounts and/or domain groups.
Let's proceed with a fictive example in a simple test environment to illustrate the problem. I have an internal Windows Server 2003 domain with a Windows XP PC, a Windows 2003 domain controller and an ISA 2004 Server SP1 with two network interfaces: Internal and External. All my PCs and servers in my internal network are members of a Windows 2003 Active Directory domain. I have a Windows XP PC in my external network that is a member of a workgroup and that is connected to the external interface of my ISA 2004 Server. This one simulates Internet and external access.
For the purpose of my test and my question, I want to allow access to my external PC with Remote Desktop (Terminal Services) (TCP 3389) through my ISA 2004 Server. To achieve this, I installed the Firewall Client on my Windows XP PC in my internal network. I also created an access rule on my ISA 2004 Server that allows RDP from the internal network to the external network for a domain group called "Access 3389".
My problem arises at that point.
1. If I put "All users" in my access rule for RDP in ISA Server, it works. This one is just to test and confirm that everything is well connected and functional before proceeding further.
2. Usually, in our organization, we control access with group membership. So, I created a domain group on my domain controller named "ACCESS 3389" and I put one user in that group. I will use this user to communicate with RDP from my internal PC to my external PC. To accomplish that, I modified my rule. I removed All users and I created a new ISA 2004 user set named ISA ACCESS 3389. I mapped this ISA user set to my domain group "Access 3389" previously created. After that, I committed the changes to ISA. I tried the same access from my internal Windows XP PC to my external Windows XP PC. It failed. Access is denied at the ISA Server level. It failed with the last default (deny) rule.
3. I modified my ISA 2004 access rule to make another test. I removed my domain group from the ISA 2004 user set and I put the domain user account that I wish to use to access RDP through my ISA Server directly in the ISA user set. I committed all my changes. I went to my client PC in my internal network and that time it worked!
Resulting from my tests, I feel that maybe there is some problem using domain groups with ISA 2004 user sets. According to my tests, if we put a domain user account in an ISA 2004 user set, it works. If we put a domain group of which the user account is a member in the ISA 2004 user set, this does not seem to work... ISA does not seem to be able to find the user in the domain group defined in the user set.
Has anyone seen something similar to this before? Am I missing something? Is it a known problem? Do you have any solutions for this one?
If the ISA 2004 server is part of the domain, it should be able to resolve the AD group memberships. Having said that, you will need to make sure that you haven't disabled any system policies allowing access to the internal DC.
Apply ISA 2004 SP1.
Does this happen for all other protocols too?
What type of authentication do you allow for the Internal Network?
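The question above reports that a user set mapped to a domain group is denied while the same user placed directly in the user set is allowed, and the reply says a domain-joined ISA server should be able to resolve group membership. The following diagnostic is an added example, not code from the thread or from ISA Server; it checks what the directory actually answers for that user and group before suspecting ISA. It assumes a machine joined to the same domain (the ISA server or the internal XP client), an account that can read AD, a sample user name "rdpuser" (the post does not name the account) and the group name "Access 3389" from the post. It reads the group's member list for direct membership and the user's tokenGroups attribute for effective (nested) membership, which is the SID list a domain controller builds for the user's logon token and therefore what a group-based access check sees.

```powershell
# Added diagnostic, not from the original thread or from ISA Server.
# Assumes: domain reachable via LDAP from this machine, reading rights on AD.
# Sample names: 'rdpuser' is assumed; 'Access 3389' is the group from the post.
param(
    [string]$UserName  = 'rdpuser',
    [string]$GroupName = 'Access 3389'
)

function Get-DirectoryEntryBySam {
    # Look up a user or group by sAMAccountName under the domain naming context.
    param([string]$SamAccountName, [string]$Category)
    $root     = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $searcher.Filter     = "(&(objectCategory=$Category)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "$Category '$SamAccountName' not found in AD" }
    return $result.GetDirectoryEntry()
}

$user  = Get-DirectoryEntryBySam -SamAccountName $UserName  -Category 'person'
$group = Get-DirectoryEntryBySam -SamAccountName $GroupName -Category 'group'

# 1. Direct membership: is the user's DN listed in the group's 'member' attribute?
$direct = @($group.Properties['member']) -contains $user.distinguishedName.Value
"Direct member of '$GroupName': $direct"

# 2. Effective membership: tokenGroups is a constructed attribute holding every
#    group SID (including nested groups) the DC would place in the user's token.
$user.RefreshCache(@('tokenGroups'))
$tokenSids = foreach ($raw in $user.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}
$groupSid  = (New-Object System.Security.Principal.SecurityIdentifier(
                  $group.Properties['objectSid'][0], 0)).Value
$effective = $tokenSids -contains $groupSid
"Group SID: $groupSid"
"Present in user's tokenGroups (effective membership): $effective"

# 3. When run on the client as that user, compare with the live logon token:
#    group membership is computed at logon, so a group added afterwards is not
#    in an existing token until the user logs off and on again.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($current.Name -like "*\$UserName") {
    $inToken = $current.Groups | Where-Object { $_.Value -eq $groupSid }
    "Group in current logon token: $([bool]$inToken)"
}
```

If step 1 and step 2 both report True but the ISA rule still falls through to the default deny, the directory side is consistent and the problem lies between ISA and the DC (the system policy allowing ISA to reach the domain controller, or the authentication type on the Internal Network mentioned in the replies). If step 2 is True but step 3 is False, the user was added to the group after the client session was established and needs a fresh logon before the Firewall Client presents a token that carries the group.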