From: Chicago, IL
I'm kind of at my wit's end on this issue, so please bear with me as I try to explain a problem that seems simple in nature, but has baffled me nonetheless.
My firm has SBS 2003 running with ISA 2000 acting as our firewall. After upgrading to SBS 2003, our firewall seems to have started a crackdown on blocking access through various ports and protocols.
I have read numerous articles, books, and references that detail SecureNAT and Firewall Client issues, but none seem to really tell me the difference between the two, why one works better than the other, how to set one up, etc., but I digress.
Here are the issues I am having:
1) My users can access the internet without issue if they use a browser. MSN Messenger works fine, as well as AOL's AIM. Yahoo Messenger does not work at all. What are the differences? I don't know.
2) I attempted to block AIM by setting up a protocol definition and protocol rule, but AIM access still works.
3) I attempted to allow access to certain ports for a program called Bloomberg, but no matter what I have turned on, established protocol definitions for, etc., it's all blocked.
4) I seriously have no clue what the purpose of the Firewall Client program is on my users' computers, as they seem to have internet access regardless of whether it's enabled, disabled, or completely uninstalled.
Could someone please point me in the right direction or assist me with the obvious ISA Void that resides in my brain?
Just because a client does not have the firewall client doesn't necessarily mean that a client wouldn't be able to access the ISA firewall or points beyond. The firewall client is required by certain applications running through the ISA firewall and also can be used as a null set filtering mechanism to only allow certain clients to access certain features. In most cases I don't employ the firewall client in my ISA environments.
As far as your selective blocking goes, Yahoo and AIM operate on different ports I believe, so there is the difference there. Blocking AIM and having it not work is a bit strange. In regard to allowing access to all apps, try to create an allow all rule (outbound only, of course) and apply the rule to the client set which contains the client systems in question. Also ensure that you don't have any site and content rules that are conflicting with the protocol rules. Hope that helps some.
quote: That's our problem, isn't it? ... we don't take anything seriously ... unless it's on a hard drive.
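The reply above rests on two properties of ISA Server 2000 outbound policy that are easy to miss from the MMC alone: a SecureNAT request is only passed if a protocol rule AND a site and content rule both allow it, and any matching deny rule wins over allow rules. The following is an added example written for this page, not code from either poster and not Microsoft's implementation; it is a small Python model of that evaluation order, run against a constructed policy. The client set, IP addresses, rule names and host names are made up; TCP 5190 (AIM) and TCP 80 (HTTP) are the well-known ports, while the Bloomberg port is assumed for the example. It shows why a port-specific "Block AIM" rule can still leave the application working when the client can also connect over port 80, and why a protocol rule that allows Bloomberg does nothing if no site and content rule covers that workstation.

```python
"""Toy model of ISA Server 2000 outbound access policy (added example).

Two gates: a protocol rule and a site and content rule must BOTH allow
the request; a matching deny rule in either gate wins; no matching allow
means the request is blocked. Names, IPs and the Bloomberg port are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    port: int
    transport: str = "TCP"


@dataclass(frozen=True)
class Rule:
    """Used for both rule types: protocol rules set `protocols`, site and
    content rules set `destinations`. None means 'any'."""
    name: str
    action: str                                    # "allow" or "deny"
    clients: Optional[FrozenSet[str]] = None       # client set; None = any request
    protocols: Optional[FrozenSet[str]] = None     # None = all IP traffic
    destinations: Optional[FrozenSet[str]] = None  # None = all destinations


@dataclass(frozen=True)
class Request:
    client_ip: str
    dest_host: str
    port: int
    transport: str = "TCP"


def protocol_names_for(req: Request, defs: Iterable[ProtocolDefinition]) -> FrozenSet[str]:
    """Protocol definitions whose primary connection matches the request."""
    return frozenset(d.name for d in defs if d.port == req.port and d.transport == req.transport)


def _decide(req: Request, rules: List[Rule], match_extra) -> Tuple[str, str]:
    """Deny beats allow; with no matching rule ISA blocks by default."""
    matched = [r for r in rules
               if (r.clients is None or req.client_ip in r.clients) and match_extra(r)]
    for action in ("deny", "allow"):
        for r in matched:
            if r.action == action:
                return action, r.name
    return "deny", "no matching rule"


def evaluate(req: Request, defs: List[ProtocolDefinition],
             protocol_rules: List[Rule], site_rules: List[Rule]) -> Tuple[str, str]:
    """Return (decision, reason) for an outbound SecureNAT request."""
    names = protocol_names_for(req, defs)
    proto_action, proto_rule = _decide(
        req, protocol_rules, lambda r: r.protocols is None or bool(r.protocols & names))
    if proto_action == "deny":
        return "deny", f"protocol rule: {proto_rule}"
    site_action, site_rule = _decide(
        req, site_rules, lambda r: r.destinations is None or req.dest_host in r.destinations)
    if site_action == "deny":
        return "deny", f"site and content rule: {site_rule}"
    return "allow", f"{proto_rule} + {site_rule}"


# --- constructed policy -----------------------------------------------------
DEFS = [
    ProtocolDefinition("HTTP", 80),
    ProtocolDefinition("AIM", 5190),
    ProtocolDefinition("Bloomberg", 8194),  # port assumed for this example
]
LAN = frozenset({"192.168.16.10", "192.168.16.11"})  # constructed client set
PROTOCOL_RULES = [
    Rule("Allow all outbound", "allow", clients=LAN),           # all IP traffic, LAN only
    Rule("Block AIM", "deny", protocols=frozenset({"AIM"})),    # any client
    Rule("Allow Bloomberg", "allow", protocols=frozenset({"Bloomberg"})),
]
SITE_RULES = [
    Rule("Allow web for LAN", "allow", clients=LAN),            # any destination, LAN only
]

# --- constructed requests ---------------------------------------------------
AIM_NATIVE = Request("192.168.16.10", "login.aim.example", 5190)
AIM_OVER_80 = Request("192.168.16.10", "login.aim.example", 80)   # client retries via HTTP port
BLOOMBERG = Request("192.168.16.50", "terminal.bloomberg.example", 8194)  # not in LAN set

if __name__ == "__main__":
    for req in (AIM_NATIVE, AIM_OVER_80, BLOOMBERG):
        print(req.dest_host, req.port, evaluate(req, DEFS, PROTOCOL_RULES, SITE_RULES))
```

Running it, the native AIM connection is denied by "Block AIM", the same client on port 80 is allowed because only the HTTP definition matches and the deny rule never fires, and the Bloomberg workstation is blocked not by its protocol rule, which allows it, but because no site and content rule includes that host in its client set. Checking the allowed rule in both gates, and the client set each rule is applied to, is the practical way to work through items 2 and 3 of the original question.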