Hi all, I have my internal host configured as both SecureNAT and FW Client (Default GW->Internal NIC IP address). When I add a protocol rule to restrict specific domain users from using FTP(Or telnet,etc), I can't get any protocols to work at all (even though FTP was the only protocol that was restricted). When i change from "applies to" specific users -> all destination, everything works fine again. Please tell me why User Authentication doesn't work with protocol rule. Thanks, Firepot
Strangely, all protocols stops working when I applies the rules to specific users/groups instead of specifying all requests or client sets. Any idea? (I have the internal server configured as FW Client and SNAT at the same time). Is it possible that the SNAT client takes precedence over the FW client? THanks, Firepot
I think I know what the problem is. You are absolutely right. Even though my ISA server is a member of the internal domain, my terminal server (sitting on the outside of the ISA external network) can't join the domain. I will follow your instruction on how to publish services for intradomain communication to see if it will resolve the problem. One concern I have is that will the TS users (with firewall client installed) be authenticated given the protocol rules defined to do so. Please let me know if you can help. I have my TS default gateway point to the external interface of the ISA server and use internal DNS servers for name resolution for the TS. Would this cause any problem ?
There are a lot of adverse consequences of the intradomain communcations setup I describe in that article. It was mostly a lab exercise. Check out this article:
================== INFO: ISA Server Does Not Support Domain Members In Perimeter Network The information in this article applies to: Microsoft Internet Security and Acceleration Server 2000 Microsoft Internet Security and Acceleration Server 2000 SP1
This article was previously published under Q329807 SUMMARY Microsoft Internet Security and Acceleration (ISA) Server 2000 does not support having domain members or domain controllers in the perimeter network that belongs to a domain on the internal network behind ISA.
Domain or inter-forest trust relationships between a domain or forest in a perimeter network and a domain or forest on the internal network behind ISA are also not supported. MORE INFORMATION This applies to both back-to-back and three-homed perimeter networks. Last Reviewed: 10/26/2002 Keywords: kbinfo KB329807 kbAudDeveloper ====================