Strange Behaviour
Strange Behaviour - 5.Jun.2005 5:23:00 PM   
cyrcocq

 

Posts: 8
Joined: 22.Mar.2005
Status: offline
Hi all,

There's something strange...
I've several firewall rules:
1- Allows DNS from internal Network to local Host
2- Allows HTTP/HTTPS from internal network for all destinations for people belonging to the internet group (which contains the internet Active Directory group)
3- Allows access for all kinds of traffic for frienddomain.com (URLs and domain) for all users.
4- Allows access for all kinds of traffic for all destinations for administrators.
5- Deny all (default rule)

When one SecureNat client tries to browse www.frienddomain.com... It doesn't work!
In the log, the HTTP requests are treated as if the 2nd rule applies, thus it's a Secure Nat client and Secure Nat clients are anonymous... "[Confused]"

What do I miss?
Post #: 1
RE: Strange Behaviour - 5.Jun.2005 6:04:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Re-order the rules with anonymous rules at the top.

(in reply to cyrcocq)
Post #: 2
RE: Strange Behaviour - 6.Jun.2005 7:22:00 AM   
cyrcocq

 

Posts: 8
Joined: 22.Mar.2005
Status: offline
Thanks.
You're right.
Someone here told me about this article: http://www.isaserver.org/articles/ISA2004_AccessRules.html
which I hadn't read (thinking that I had understood these things).
And I've seen that when there's no identification, every rule depending on authentication denies access.

Is it a bug? Will it be corrected? Is it possible to consider Secure Nat access as if it's done by some "guest" account?

(in reply to cyrcocq)
Post #: 3
RE: Strange Behaviour - 6.Jun.2005 2:10:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
No - it is not a bug.

Think about it - if you have a firewall that processes access rules in order and you have a rule that allows access based on user account, what would you rather have happen? Allow an anonymous request to go through, or limit/disallow the request if the firewall can't validate all aspects of the rule?

ISA chooses the more secure option, which happens to be the latter scenario.

quote:
Laziness, not necessity, is the mother of invention.

This has got to be the stupidest thing I've seen on the Internet yet.

[ June 06, 2005, 02:13 PM: Message edited by: ClintD ]

(in reply to cyrcocq)
Post #: 4
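
A simplified model of the rule-ordering behaviour discussed in this thread, as an added example that is not part of any post and is not ISA Server code: it evaluates the rule set from post #1 in its posted order and in the reordered form suggested in post #2. The `Rule` class, the `evaluate` function, the rule names and the group labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset          # empty = all traffic
    dest: str                     # "" = all destinations, else a domain
    groups: Optional[frozenset]   # None = all users (no authentication needed)

def evaluate(rules, protocol, host, user_groups):
    """Return (action, rule name). user_groups=None models an anonymous
    SecureNAT request, which carries no credentials."""
    for r in rules:
        if r.protocols and protocol not in r.protocols:
            continue
        if r.dest and host != r.dest and not host.endswith("." + r.dest):
            continue
        if r.groups is None:
            return ("allow", r.name)
        if user_groups is None:
            # Rule needs a user the firewall cannot validate: the request is
            # denied here instead of falling through to later rules.
            return ("deny", r.name)
        if r.groups & user_groups:
            return ("allow", r.name)
        # Model assumption: an authenticated user outside the group moves on.
    return ("deny", "5-default-deny")

WEB = frozenset({"http", "https"})
dns = Rule("1-dns", frozenset({"dns"}), "", None)  # Local Host destination not modelled
web = Rule("2-internet-group-web", WEB, "", frozenset({"internet"}))
friend = Rule("3-frienddomain-all-users", frozenset(), "frienddomain.com", None)
admin = Rule("4-administrators-all", frozenset(), "", frozenset({"administrators"}))

AS_POSTED = [dns, web, friend, admin]   # order from post #1
REORDERED = [dns, friend, web, admin]   # anonymous rules first, per post #2

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, evaluate(rules, "http", "www.frienddomain.com", None))
```

With the reordered list, anonymous access is still limited to frienddomain.com; any other anonymous web request is denied at the group rule.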
