
Welcome to ISAserver.org


Discussion about article on Granular Access Control for ISA VPN Clients

All Forums >> [ISA Server 2004 Firewall] >> VPN >> Discussion about article on Granular Access Control for ISA VPN Clients Page: [1]
Discussion about article on Granular Access Control for... - 9.Aug.2005 9:16:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the articles on Granular Access Control for VPN clients over at http://isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part1.html and http://isaserver.org/tutorials/ISA-Firewall-Configure-Granular-Access-Controls-VPN-Part2.html

Thanks!
Tom

[ August 16, 2005, 10:18 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on Granular Access Control... - 9.Aug.2005 11:45:00 AM   
DatDamnZotz

 

Posts: 10
Joined: 18.Nov.2004
Status: offline
One thing I would like to add is that the DHCP server has to be started and functioning BEFORE the Routing and Remote Access server starts; otherwise it will never discover that the DHCP server is alive and use the DHCP pool.

It will issue the 169.254.x.x addresses.

We discovered this the hard way when we lost a switch.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on Granular Access Control... - 10.Aug.2005 6:31:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DDZ,

Absolutely right!

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on Granular Access Control... - 23.Aug.2005 7:39:00 PM   
Guest
The article states ...

quote:
There are real, repeatable, usable and consistently demonstrated reasons why an ISA firewall domain member significantly increases the level of security the ISA firewall can provide...
I would be interested to hear of instances of
quote:
real, repeatable, usable and consistently demonstrated reasons
Alec

(in reply to tshinder)
  Post #: 4
RE: Discussion about article on Granular Access Control... - 23.Aug.2005 7:54:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alec,

I'm working on an article, but some include:

1. Full support for the Firewall client
2. Logging user names, application names, and site names in the ISA firewall logs
3. Full support for user certificate authentication
4. Avoidance of RADIUS authentication, which passes credentials using PAP
5. Centralized security administration via group policy
6. Full support for domain group policy for IPSec secured connections using Kerberos
7. And many more.

Stay tuned for the article!

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on Granular Access Control... - 23.Aug.2005 11:07:00 PM   
aaronparker

 

Posts: 22
Joined: 31.Jan.2005
From: Australia
Status: offline
Does this granular access for VPN clients require the Firewall Client? I am assuming that the answer is yes because you are authenticating users for these protocols, but I've not had the opportunity to implement this scenario yet.

TIA, Aaron

(in reply to tshinder)
Post #: 6
RE: Discussion about article on Granular Access Control... - 25.Aug.2005 12:42:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Aaron,

No! That's the beauty of the VPN client access control. The Firewall client is required to auth the users with the ISA firewall on the internal network.

But VPN users have to auth with the ISA firewall to *establish the VPN connection*. This means the ISA firewall has the user's identity and you can use the strong user/group based access control *without the Firewall client* for VPN users.

Cool, eh?

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on Granular Access Control... - 25.Aug.2005 8:55:00 AM   
aaronparker

 

Posts: 22
Joined: 31.Jan.2005
From: Australia
Status: offline
Now that is very, very cool. That means I can apply this to Linux users as well [Wink]
Thanks, Tom.

Could you update the document with that information? I'm sure someone else will ask the same question.

[ August 25, 2005, 08:57 AM: Message edited by: aaronparker ]

(in reply to tshinder)
Post #: 8
RE: Discussion about article on Granular Access Control... - 26.Aug.2005 9:36:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Aaron,

Will do!

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on Granular Access Control... - 29.Aug.2005 7:47:00 AM   
joseff

 

Posts: 2
Joined: 29.Aug.2005
Status: offline
Hi Tom

Great article. I hope you can shed some light on these following observations I have made whilst implementing some of the rules in your article. I am using global groups in my domain for the user groups. I have set up the DNS, Outlook MAPI and File Share rules.

1. For the Outlook MAPI access to work I have to add the RPC16 protocol to the access rule.

2. I am being asked for authentication to my Exchange mailbox when I open Outlook. Having given my credentials it connects no problem.

3. If I attempt to browse the network I get an error message that I 'might not have permission to browse this network resource'.

To try and see where the problem lies I modified all rules so that they allow 'all outbound traffic' to the specified destinations.

I can then observe the following:

A. LDAP (UDP) calls that were being denied are now being allowed.

B. There are now Kerberos-Sec (UDP) and (TCP) calls that weren't present before.

C. Everything works fine (not a great surprise) and I don't have to give authentication information when I open Outlook.

I guess I could just allow these extra protocols, but I think I should at least understand why before I do this. Any help on this will be appreciated.

(in reply to tshinder)
Post #: 10
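To work out which protocols a tightened rule set is actually blocking (the post above only saw the LDAP and Kerberos traffic once the rules were opened up), here is an added Python example that is not part of this thread or of the articles: it tallies denied connections from the VPN Clients address range by destination port and transport, so each gap can be tied to a symptom such as the Outlook credential prompt. The log excerpt is constructed and simplified (its field layout is an assumption, not ISA's real W3C log format), and the 10.0.1.0/24 client range, user names and rule names are assumptions.

```python
import csv
from collections import Counter
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed, simplified log excerpt; the field layout (client-ip, user, action,
# transport, dest-ip, dest-port, rule) is an assumption, not ISA's W3C layout.
SAMPLE_LOG = """\
10.0.1.50,DOMAIN\\alice,Allowed,TCP,10.0.0.10,135,VPN Outlook MAPI
10.0.1.50,DOMAIN\\alice,Denied,UDP,10.0.0.5,389,Default rule
10.0.1.50,DOMAIN\\alice,Denied,UDP,10.0.0.5,88,Default rule
10.0.1.50,DOMAIN\\alice,Denied,TCP,10.0.0.5,88,Default rule
10.0.1.51,DOMAIN\\bob,Allowed,TCP,10.0.0.20,445,VPN File Shares
10.0.1.51,DOMAIN\\bob,Denied,UDP,10.0.0.5,389,Default rule
10.0.1.51,DOMAIN\\bob,Denied,TCP,10.0.0.5,389,Default rule
10.0.1.50,DOMAIN\\alice,Allowed,UDP,10.0.0.5,53,VPN DNS
192.0.2.9,anonymous,Denied,TCP,10.0.0.5,389,Default rule
"""

VPN_CLIENTS = ip_network("10.0.1.0/24")  # assumed VPN Clients address range

# Well-known ports for the protocols the post observed being denied.
PORT_NAMES = {
    (88, "TCP"): "Kerberos-Sec (TCP)",
    (88, "UDP"): "Kerberos-Sec (UDP)",
    (389, "TCP"): "LDAP",
    (389, "UDP"): "LDAP (UDP)",
}


def denied_summary(log_text, vpn_clients=VPN_CLIENTS):
    """Tally denied connections from VPN clients, keyed by (dest-port, transport).

    Returns a list of dicts, most frequently denied first, including the user
    names affected so a gap in the rule set can be matched to who reported it.
    """
    counts = Counter()
    users = {}
    for client, user, action, transport, _dst, port, _rule in csv.reader(StringIO(log_text)):
        # Only denials sourced from the VPN Clients address range matter here.
        if action != "Denied" or ip_address(client) not in vpn_clients:
            continue
        key = (int(port), transport)
        counts[key] += 1
        users.setdefault(key, set()).add(user)
    return [
        {"port": p, "transport": t,
         "name": PORT_NAMES.get((p, t), f"port {p}/{t}"),
         "denied": n, "users": sorted(users[(p, t)])}
        for (p, t), n in counts.most_common()
    ]


if __name__ == "__main__":
    for entry in denied_summary(SAMPLE_LOG):
        print(f"{entry['name']:22} denied {entry['denied']}x for {', '.join(entry['users'])}")
```

Denials from addresses outside the VPN Clients range (the 192.0.2.9 line) are ignored, so the summary only reflects rules that apply to the VPN users.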
RE: Discussion about article on Granular Access Control... - 3.Sep.2005 10:19:00 AM   
newbievn

 

Posts: 14
Joined: 14.Aug.2005
From: Vietnam
Status: offline
Hi Tom,

Why do we place the Active Directory domain users in these ISA firewall groups? And we don't need to create these groups on a domain controller, as these are ISA firewall groups, not Active Directory global groups? I was somewhat confused about this. Could you please explain more? Thanks.

(in reply to tshinder)
Post #: 11
RE: Discussion about article on Granular Access Control... - 6.Sep.2005 8:46:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Tom,

1. I didn't see anything regarding the client side, so does that mean the same VPN procedure will be followed, such as the steps on this site:
http://www.windowsdevcenter.com/pub/a/windows/2004/03/09/vpn_connection.html

And using the external ISA interface IP to dial the VPN server.

2. When do you think the VPN gets close to being a security risk?

Thanks,
Al-Taee

(in reply to tshinder)
Post #: 12
RE: Discussion about article on Granular Access Control... - 21.Sep.2005 4:54:00 AM   
DKompe

 

Posts: 4
Joined: 14.Feb.2005
From: Germany
Status: offline
Hi!
Which role does the Domain-Group play in the VPN properties (Groups tab)? Do I need this if I create groups as described in the document "..configure granular access...Part2"?
Thanks, Daniel

(in reply to tshinder)
Post #: 13
RE: Discussion about article on Granular Access Control... - 21.Sep.2005 11:56:00 AM   
jossebrice

 

Posts: 14
Joined: 1.Jun.2005
From: LBV
Status: offline
I'm OK with the article, but I want to know how to allow only VPN clients with a specific public IP.
In fact I don't want to allow VPN clients from all over the world.
How can I do it?

(in reply to tshinder)
Post #: 14
RE: Discussion about article on Granular Access Control... - 27.Sep.2005 5:03:00 PM   
joseff

 

Posts: 2
Joined: 29.Aug.2005
Status: offline
quote:
Originally posted by jossebrice:
I'm OK with the article, but I want to know how to allow only VPN clients with a specific public IP.
In fact I don't want to allow VPN clients from all over the world.
How can I do it?

Hi, I think this article from Microsoft will help: Exclude addresses from VPN Source Networks

Regards
Joseff

(in reply to tshinder)
Post #: 15
RE: Discussion about article on Granular Access Control... - 17.May2006 5:01:41 PM   
dleinert

 

Posts: 9
Joined: 25.Jul.2004
From: Germany
Status: offline
Hi, I hope this thread is still alive ;-)

This is a great article, as I didn't realize before what can be done with ISA to grant access to Exchange, but not shares, etc.

I have implemented Tom's tutorial, besides the UNIX one. I have a couple of questions:
- Tom, do you have a schedule for the announced parts on CMAK and the logs in regard to the VPN?
- If I want to share a single network printer (actually the fax) only through the VPN, what are the different settings?
- Can the access on file sharing only be on a "server" basis, or also on single shares (usually there are many shares on file servers, which we control via the file system security)? It would be great for e.g. contractors to only see "their" single share.

Well, hope someone has a clue on this,

regards,
Dieter

(in reply to tshinder)
Post #: 16
