Welcome to ISAserver.org

More SNAT Problems

More SNAT Problems - 6.Nov.2002 4:05:00 PM   
ddaley

Posts: 8
Joined: 6.Nov.2002
Status: offline
Hi!

I have set up ISA 2000 Standard on my NT domain network. At the beginning of the implementation, I set it up with basically no rules. The rules I did put in were all allow all, anywhere.

Site and content rules allow anyone to anywhere, same with my protocol rules. Everything is working 100% for everyone.

OK, time to add some rules so that only a chosen few can access the internet. Mind you, I have a mixed PC/Mac network.
I created the rule and let only certain people out unlimited (via site and content rules) and another rule to allow everyone else to certain sites (fedex.com, etc.). I set everyone's IE to the proxy server and everything worked peachy.

Now, my problem (finally)...
All my other protocols have ceased to work. No one can get out using anything except IE! FTP clients don't work, AIM chatting doesn't work, nothing except IE. It's resolving correctly, I can see that, but the connection isn't happening.

I've tried messing a bit with IP packet filters but that's not happening (put everything back to default, in the end).

Help! Seems the only way out (to anything but IE) is to allow everyone and their mother full access to the Net... A big no-no.

*Added:
It'll work perfectly if I install the mspclnt on the workstations that I want out, but that's not an option on a Mac. And well, I don't want to go around installing that on every PC =).

Thanks for your help
Dan

[ November 06, 2002, 04:07 PM: Message edited by: Dan ]
Post #: 1
RE: More SNAT Problems - 6.Nov.2002 6:33:00 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

Only the Web Proxy and Firewall clients can send credentials. If you require authentication, you'll have to use them.

HTH,
Tom

(in reply to ddaley)
Post #: 2
RE: More SNAT Problems - 6.Nov.2002 8:24:00 PM   
ddaley

Posts: 8
Joined: 6.Nov.2002
Status: offline
That's the thing, my Mac clients can't send any authentication except for web proxy.

So, is it possible to have their FTP client and other such apps go out by way of SecureNAT? Anonymously?

I created a Client Set to allow all my Mac guys out to SMTP and FTP, but now they have full access out to everything [Frown]

What am I to do?!

(in reply to ddaley)
Post #: 3
RE: More SNAT Problems - 7.Nov.2002 3:51:00 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

You can use a client address set to allow SecureNAT clients access to selected protocols.

HTH,
Tom

(in reply to ddaley)
Post #: 4
RE: More SNAT Problems - 7.Nov.2002 4:44:00 PM   
ddaley

Posts: 8
Joined: 6.Nov.2002
Status: offline
Then they have full internet access. I can't allow that.

Is it safe to assume that if you have anything in your S&C rules other than allow all /any /any /any, SecureNAT becomes useless?

(in reply to ddaley)
Post #: 5
RE: More SNAT Problems - 7.Nov.2002 6:36:00 PM   
PeckBob

Posts: 15
Joined: 9.Oct.2002
From: Cleveland, OH
Status: offline
If you have "Applies to Any", no blocking occurs (I learned that here!).

If you simply make a Client Address Set, even if it contains your entire network, it is no longer "anonymous" and you can block certain things.

Since Macs can't NTLM authenticate (I've got the same problem), try using DHCP reservations and restricting by different Client Address Sets. A pain, but if the office is small, no biggie.

(in reply to ddaley)
Post #: 6
RE: More SNAT Problems - 7.Nov.2002 7:39:00 PM   
ddaley

Posts: 8
Joined: 6.Nov.2002
Status: offline
Luckily enough, my Mac network is on a different subnet. I created a client set and an S&C rule for just them so they can get out via SMTP to our mail server and be able to FTP to our clients' sites.

Because they FTP to different clients all the time, I can't simply make a destination set. I had to allow all destinations.

I would love to have all protocols (except http) allowed out no problem via SecureNAT. Then have all HTTP traffic go out through Web Proxy and have that doing its authentication thing.

Does any of this make sense?

(in reply to ddaley)
Post #: 7
RE: More SNAT Problems - 9.Nov.2002 6:38:00 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

You can allow SecureNAT clients access to all protocols contained in the Protocol Definitions node in the ISA Management console with an "all open" rule.

HTH,
Tom

(in reply to ddaley)
Post #: 8
RE: More SNAT Problems - 10.Nov.2002 11:50:00 AM   
md3v

Posts: 308
Joined: 22.Jan.2002
Status: offline
I truly hope that our friends at Microsoft can develop better ISA support for non-Microsoft operating systems. If they want the product utilized in hybrid environments, then it's a must.

m.

(in reply to ddaley)
Post #: 9
RE: More SNAT Problems - 11.Nov.2002 5:32:00 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi M,

I don't think it's so much an MS operating system issue, but an issue with NAT editors/application filters. What NAT/firewall do you know that supports *all* protocols for NAT clients?

Thanks!
Tom

(in reply to ddaley)
Post #: 10
RE: More SNAT Problems - 22.Nov.2002 7:36:00 AM   
prasanthn

Posts: 2
Joined: 22.Nov.2002
From: Hyderabad
Status: offline
Make sure that you have unchecked the "Ask unauthenticated users for Identification" option. For SecureNAT you should disable the above option. First try with this option, and let me know whether that solves your problem or not.

thanks
prasanth

(in reply to ddaley)
Post #: 11
RE: More SNAT Problems - 7.Dec.2002 1:14:00 AM   
jgisler

Posts: 56
Joined: 10.Apr.2001
Status: offline
You should be using client sets. Then create protocol rules that are controlled by the client sets. You should have no allow-all rules. Lock them down to client sets. If you need an allow-all rule, make sure that it is set up with all the client sets you want to have full access. Then you have to set up the site rules also.

(in reply to ddaley)
Post #: 12
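The two answers that resolve this thread (PeckBob's point that "Applies to Any" blocks nothing while a Client Address Set lets you restrict SecureNAT clients, and jgisler's procedure of client sets controlling protocol rules with no allow-all rule, then site rules) can be walked through with a small policy model. The Python below is an added example written for this page; it is not ISA Server code and was not posted in the thread. It assumes a simplified ISA 2000 semantic: a request passes only when a protocol rule and a site and content rule both allow it, a rule scoped to users matches only Web Proxy or Firewall clients that present credentials (a SecureNAT client never does), and a rule scoped to a client address set matches by source IP. The user names, the Mac subnet and the host names are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Client types from the thread: SecureNAT clients carry only a source IP,
# while Web Proxy and Firewall clients can present user credentials.
CREDENTIALED = {"webproxy", "firewall"}


@dataclass
class Request:
    src_ip: str
    protocol: str                 # "HTTP", "FTP", "SMTP", "AIM", ...
    destination: str              # destination host name
    client_type: str              # "securenat", "webproxy" or "firewall"
    user: Optional[str] = None    # only meaningful for credentialed clients


@dataclass
class Rule:
    name: str
    kind: str                                # "protocol" or "site"
    action: str = "allow"                    # "allow" or "deny"
    protocols: Optional[Set[str]] = None     # protocol rule: None = all IP traffic
    destinations: Optional[Set[str]] = None  # site rule: None = all destinations
    applies_to: str = "any"                  # "any", "users" or "client_set"
    users: Set[str] = field(default_factory=set)
    client_set: List[str] = field(default_factory=list)  # CIDR blocks

    def matches_client(self, req: Request) -> bool:
        if self.applies_to == "any":
            return True                      # anonymous rule: every client matches
        if self.applies_to == "users":
            # User-scoped rules need credentials; SecureNAT cannot send any.
            return req.client_type in CREDENTIALED and req.user in self.users
        if self.applies_to == "client_set":
            ip = ip_address(req.src_ip)
            return any(ip in ip_network(cidr) for cidr in self.client_set)
        raise ValueError(f"unknown applies_to: {self.applies_to}")

    def matches_request(self, req: Request) -> bool:
        if self.kind == "protocol":
            return self.protocols is None or req.protocol in self.protocols
        return self.destinations is None or req.destination in self.destinations


def evaluate(rules: List[Rule], req: Request) -> Tuple[bool, str]:
    """Allow only if a protocol rule AND a site rule both allow; a matching deny wins."""
    granted = {}
    for kind in ("protocol", "site"):
        hit = None
        for r in rules:
            if r.kind != kind or not r.matches_client(req) or not r.matches_request(req):
                continue
            if r.action == "deny":
                return False, f"denied by {kind} rule '{r.name}'"
            hit = hit or r.name
        if hit is None:
            return False, f"no {kind} rule allows this client for this request"
        granted[kind] = hit
    return True, f"allowed by '{granted['protocol']}' and '{granted['site']}'"


# --- Constructed policies mirroring the three stages of the thread ---
STAFF = {"dan", "alice"}            # constructed user names
MAC_SUBNET = ["192.0.2.0/24"]       # constructed subnet for the Mac network

# Stage 1: everything "applies to any" -> no blocking at all.
OPEN_POLICY = [Rule("all protocols", "protocol"), Rule("all sites", "site")]

# Stage 2: rules scoped to named users -> SecureNAT clients match nothing.
USER_POLICY = [
    Rule("staff protocols", "protocol", applies_to="users", users=STAFF),
    Rule("staff sites", "site", applies_to="users", users=STAFF),
]

# Stage 3: a client address set for the Mac subnet, limited to FTP and SMTP.
LOCKED_DOWN_POLICY = USER_POLICY + [
    Rule("macs: FTP+SMTP", "protocol", protocols={"FTP", "SMTP"},
         applies_to="client_set", client_set=MAC_SUBNET),
    Rule("macs: any destination", "site",
         applies_to="client_set", client_set=MAC_SUBNET),
]

# Constructed sample requests (hosts and addresses are placeholders).
MAC_FTP = Request("192.0.2.10", "FTP", "ftp.customer.example", "securenat")
MAC_HTTP = Request("192.0.2.10", "HTTP", "www.example.com", "securenat")
PC_FTP = Request("10.0.0.5", "FTP", "ftp.customer.example", "securenat")
DAN_HTTP = Request("10.0.0.5", "HTTP", "www.example.com", "webproxy", user="dan")


def walkthrough() -> dict:
    """Evaluate each sample request against each policy; keys are (policy, request)."""
    policies = {"open": OPEN_POLICY, "users": USER_POLICY, "locked": LOCKED_DOWN_POLICY}
    reqs = {"mac_ftp": MAC_FTP, "mac_http": MAC_HTTP, "pc_ftp": PC_FTP, "dan_http": DAN_HTTP}
    return {(p, q): evaluate(rules, req)[0]
            for p, rules in policies.items() for q, req in reqs.items()}


if __name__ == "__main__":
    for (policy, req), ok in sorted(walkthrough().items()):
        print(f"{policy:7} {req:9} {'ALLOW' if ok else 'DENY'}")
```

Running it reproduces the thread: under the open policy every request is allowed; once the rules are scoped to users, the Mac SecureNAT client gets nothing while Dan's Web Proxy session still works; with the client address set added, the Mac subnet gets FTP and SMTP to any destination but not HTTP, and a SecureNAT host outside that subnet still gets nothing. Note that the Mac site rule allows all destinations, so any anonymous ("applies to any") protocol rule added later would hand that subnet full access again, which is exactly why jgisler's advice is to have no allow-all rules at all.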
