Protocol rules does not work when applied to domain users/groups

Protocol rules does not work when applied to domain use... - 7.Jan.2003 1:03:00 AM   
firepot408

 

Posts: 19
Joined: 8.Dec.2002
Status: offline
Hi all,
I have my internal host configured as both SecureNAT and FW Client (Default GW->Internal NIC IP address). When I add a protocol rule to restrict specific domain users from using FTP (or telnet, etc.), I can't get any protocols to work at all (even though FTP was the only protocol that was restricted). When I change from "applies to" specific users -> all destination, everything works fine again. Please tell me why User Authentication doesn't work with protocol rules.
Thanks,
Firepot
Post #: 1
RE: Protocol rules does not work when applied to domain... - 7.Jan.2003 4:43:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Firepot,

Create protocol rules that allow access, and assign permissions to those users/groups you want to use it. Don't include users/groups that you don't want to use it.

HTH,
Tom

(in reply to firepot408)
Post #: 2
RE: Protocol rules does not work when applied to domain... - 7.Jan.2003 4:58:00 PM   
firepot408

 

Posts: 19
Joined: 8.Dec.2002
Status: offline
Strangely, all protocols stop working when I apply the rules to specific users/groups instead of specifying all requests or client sets. Any idea? (I have the internal server configured as FW Client and SNAT at the same time). Is it possible that the SNAT client takes precedence over the FW client?
Thanks,
Firepot

(in reply to firepot408)
Post #: 3
RE: Protocol rules does not work when applied to domain... - 7.Jan.2003 7:02:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi firepot,

What protocol rule seems to be stopping everyone from accessing the site? Enable all fields in your Web Proxy and Firewall logs and then check for what rules are blocking access.

HTH,
Tom

(in reply to firepot408)
Post #: 4
RE: Protocol rules does not work when applied to domain... - 7.Jan.2003 9:45:00 PM   
firepot408

 

Posts: 19
Joined: 8.Dec.2002
Status: offline
Any protocol rules that apply to specific users/groups instead of applying to any request would stop the protocols from working. Need help badly.
Thanks, Firepot

(in reply to firepot408)
Post #: 5
RE: Protocol rules does not work when applied to domain... - 8.Jan.2003 3:36:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Firepot,

When you assign a user/group to a protocol rule, does it stop that one protocol rule from working, or does it stop all protocol rules from working?

Thanks!
Tom

(in reply to firepot408)
Post #: 6
RE: Protocol rules does not work when applied to domain... - 8.Jan.2003 5:09:00 PM   
firepot408

 

Posts: 19
Joined: 8.Dec.2002
Status: offline
It stops that one protocol from working.

(in reply to firepot408)
Post #: 7
RE: Protocol rules does not work when applied to domain... - 9.Jan.2003 7:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Firepot,

OK, it looks like a problem with authentication. Is the ISA Server a member of the domain that the users belong to?

Are the users logging into the domain?

Are the machines members of the domain?

Use netdiag to confirm domain connectivity.

HTH,
Tom

(in reply to firepot408)
Post #: 8
RE: Protocol rules does not work when applied to domain... - 10.Jan.2003 5:53:00 PM   
firepot408

 

Posts: 19
Joined: 8.Dec.2002
Status: offline
I think I know what the problem is. You are absolutely right. Even though my ISA server is a member of the internal domain, my terminal server (sitting on the outside of the ISA external network) can't join the domain. I will follow your instruction on how to publish services for intradomain communication to see if it will resolve the problem. One concern I have is whether the TS users (with firewall client installed) will be authenticated given the protocol rules defined to do so. Please let me know if you can help. I have my TS default gateway point to the external interface of the ISA server and use internal DNS servers for name resolution for the TS. Would this cause any problem?

Thanks,
Firepot

(in reply to firepot408)
Post #: 9
RE: Protocol rules does not work when applied to domain... - 11.Jan.2003 8:28:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Firepot,

There are a lot of adverse consequences of the intradomain communications setup I describe in that article. It was mostly a lab exercise. Check out this article:

==================
INFO: ISA Server Does Not Support Domain Members In Perimeter Network
The information in this article applies to:
Microsoft Internet Security and Acceleration Server 2000
Microsoft Internet Security and Acceleration Server 2000 SP1

This article was previously published under Q329807
SUMMARY
Microsoft Internet Security and Acceleration (ISA) Server 2000 does not support having domain members or domain controllers in the perimeter network that belongs to a domain on the internal network behind ISA.

Domain or inter-forest trust relationships between a domain or forest in a perimeter network and a domain or forest on the internal network behind ISA are also not supported.
MORE INFORMATION
This applies to both back-to-back and three-homed perimeter networks.
Last Reviewed: 10/26/2002
Keywords: kbinfo KB329807 kbAudDeveloper
====================

HTH,
Tom

(in reply to firepot408)
Post #: 10
