Re: ISA SP3 lockdown?



Hi Jim,

And thanks for your patience in this. It looks like "RDP over VPN" would be
a more proper use of nomenclature here. What I should have made clear is
that we have a Cisco PIX box in our DMZ that we use to connect to other PIXs
of various types in our geographic area over the Internet. I have, this
morning, been able to connect to another IP address and conduct an RDP session
successfully from my workstation behind our ISA server, so it looks like the
problem really lies within the scripting of our local PIX. Our Cisco person
was able to connect to the PIX we usually target yesterday from his location,
and all of this seems to have resulted after my changing the internal IP
address for the PIX and external NIC on the ISA to another range. For my
understanding, though, I can't say why I would still be able to conduct an RDP
session to the other IP address and not our usual one.

Also, yes, what I was looking for with the ISA logging function that is
located in the Monitoring section of ISA's interface is what traffic was
going through the ISA when our RDP user was trying to connect to her remote
computer. I was looking for some kind - any kind - of traffic and NOTHING
showed up in that log session as she was attempting her connection. ISA
comes with RDP predefined in its list of protocols, but neither it nor any
other traffic showed up in that logging session for which I defined those
protocols. What is even more confusing to me - I WILL read the article
you referred to below - is that when I shut down the ISA rule that made
allowance for RDP and all other tunneling or other protocols used to
establish remote connection sessions, I could STILL connect to the alternate
IP address with RDP from my workstation behind the ISA. I'm assuming the
Allow All rule I made allowed this ... ?


"Jim Harrison (ISA SE)" wrote:

Sorry, that size ("Remote Desktop for VPN access") doesn't fit. You can
either use RDP or VPN, or RDP over VPN, but RDP does not "replace" VPN, nor
does it provide "VPN-like access". The closest you can get is to provide
access to your local resources (drives, printers, etc.) by the remote host;
not the other way 'round.
Regarding how to limit access, this can be done by using IP addresses; not
workstation names. You also have the ability to use user names if you
deploy the Firewall client. "can't establish the RDP session" - meaning
what, exactly? What is the client experience? What is in the ISA logs?
What "logging service"? How does that fit in with your AV update process?

What's becoming clear ("I also added ICA, RDP Server, Rlogin and SSH
protocols") is that you're trying to solve all the problems at once using
a shotgun approach (if I add enough protocols, I'm bound to get there
eventually). This is more likely to cause than cure your pain. Break them
down and deal with each one separately.

This might help you understand how ISA policies work:
http://www.microsoft.com/technet/isa/2004/plan/firewall_policy.mspx

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECB4A930-C23E-4DEB-970A-BC6C795229C8@xxxxxxxxxxxxxxxx
OK, that sounds well and fine, but try this one on for size: previously (the
previous ISA 2004 server) we could use Remote Desktop for VPN access to
another computer at our fiscal agent school across the Internet. I created
the Allow rule for RDP protocol but couldn't specify which workstation on our
end would be the originator of the connection request, as I could before when
it worked. For the "From" setting I have to just specify "internal" network
and for the "To" setting the "external" network. Even so I still can't
establish the Remote Desktop connection as yet.

In testing via the logging service I also added ICA, RDP Server, Rlogin and
SSH protocols to this Allow rule and nothing showed up in the log when
attempting to connect to the remote computer. I guess this tells me that I'm
making allowance for the wrong protocols ... ?

"Jim Harrison (ISA SE)" wrote:

1. AV server - this will require a single rule allowing whatever protocol
the AV client uses to get updates between the ISA and the AV server. No
"network browser" functionality required.
2. "Browsing Network Neighborhood using Windows Explorer" uses the Windows
Browser functionality and this is a workstation process.

I can appreciate the need to multi-purpose the ISA, but you're better off to
avoid creating huge holes in your firewall for convenience's sake.
ISA already provides a default system policy allowing you to connect to file
shares internally using SMB. "Browsing" typically involves a lot of
broadcast traffic which ISA doesn't support.
--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:489D56B0-9CEF-4B42-9FFF-ECD13873B575@xxxxxxxxxxxxxxxx
For one thing our antivirus server is internal on the network and I need to
set up rules for its protocols so the ISA can be protected and updated.
Also, I'm talking about browsing the network via Network Neighborhood in
Windows Explorer. I don't generally use the ISA as a workstation. The
capability just gives you options when you have a budget as low as mine - 10
schools, 1 office, ~120 computers and (maybe) $8000. I'm just glad I get
paid!

"Jim Harrison (ISA SE)" wrote:

Why do you want "Windows browser" to work from the ISA?
You shouldn't be using it as a workstation.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF9C679F-4200-48A3-A3FE-418183FB9906@xxxxxxxxxxxxxxxx
"...correcting ISA behavior..." Yes, I guess you could say that it does just
that. Once we got the external NIC addresses corrected AND shut the server
down once or twice the mail protocols began going through. Thanks.

Now I have to figure out why the ISA can't browse the internal network. It
wouldn't do this even before SP3. The server was joined to the network
before I installed ISA. I'll run the troubleshooting tool tomorrow and see
what else comes up.

Thanks to you both.
Dana

"Jim Harrison (ISA SE)" wrote:

This is an unsupported deployment.
SP3 helps you understand that by correcting ISA behavior in this regard.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"DanaK" <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECD5017A-5A25-4A68-A494-3CB6E6D3D892@xxxxxxxxxxxxxxxx
Apparently ISA 2004's SP3 is much less forgiving when it comes to denying
protocol throughput. I must confess that I do not have a separate IP range
configured yet for my external NIC and am, thus, getting a regular notice of
such since I installed SP3, just in case that is the problem. I'm trying to
get clearance from the people that set up our Cisco firewall in our DMZ to
change that internal IP, though. They have yet to answer. However, prior to
installing SP3 I could get e-mail protocols through the ISA with no problems
with just an "Allow All" rule for all protocols even though the internal IPs
were the same. Since installing SP3 I've created the new e-mail protocol
rules but to no avail.

Even though I have "Allow" rules set up for all e-mail protocols - POP3
through SMTP Server AND an Allow All rule - ISA tells me in its log for
e-mail protocols that these connections are denied due to the Firewall's
Default Rule which denies access to everyone on any protocol. What's going
on with this?
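The thread turns on how ISA 2004 firewall policy is evaluated: rules are walked in order, the first enabled rule whose source network, destination network and protocol all match decides, and anything that matches nothing falls to the Default Rule deny that shows up in the log. The following is a constructed model of that first-match behaviour, added here as an illustration; it is not ISA code, not anything posted in the thread, and the 10.1.0.0/16 Internal range, the addresses and the rule names are assumptions. It reproduces the two situations discussed above: a broad "Allow All" rule still admitting RDP after the specific RDP rule is disabled, and an allow rule built from the inbound "RDP Server" definition not matching an outbound RDP session at all.

```python
"""Constructed model of first-match access-rule evaluation in the style of
ISA Server 2004.  Not ISA code: a simplified simulator for reasoning about
why a connection is allowed by one rule, or falls through to the Default Rule.
Addresses, rule names and the Internal address range are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# ISA defines networks as address ranges; "External" is everything that is
# not in any other defined network.
NETWORKS = {"Internal": [ip_network("10.1.0.0/16")]}   # assumed range


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str    # "tcp" or "udp"
    port: int         # destination port of the primary connection
    direction: str    # "outbound": a client behind ISA initiates; "inbound": publishing


# A subset of ISA's built-in protocol definitions.  Direction matters: the
# "Server" variant is inbound and never matches an outbound connection.
PROTOCOLS = {p.name: p for p in (
    Protocol("RDP (Terminal Services)", "tcp", 3389, "outbound"),
    Protocol("RDP (Terminal Services) Server", "tcp", 3389, "inbound"),
    Protocol("SMTP", "tcp", 25, "outbound"),
    Protocol("POP3", "tcp", 110, "outbound"),
    Protocol("SSH", "tcp", 22, "outbound"),
)}


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: Optional[list]    # None = "All outbound traffic"
    src: str                     # source network name
    dst: str                     # destination network name
    enabled: bool = True


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    transport: str
    dst_port: int
    direction: str = "outbound"


def network_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def protocol_matches(rule: Rule, conn: Connection) -> bool:
    if rule.protocols is None:                       # "All outbound traffic"
        return conn.direction == "outbound"
    return any(
        (p.transport, p.port, p.direction) == (conn.transport, conn.dst_port, conn.direction)
        for p in (PROTOCOLS[n] for n in rule.protocols)
    )


def evaluate(policy: list, conn: Connection) -> tuple:
    """First enabled rule whose source, destination and protocol all match wins.
    If nothing matches, the implicit Default Rule denies; that is the rule
    name the log reports."""
    for rule in policy:
        if not rule.enabled:
            continue
        if (network_of(conn.src_ip), network_of(conn.dst_ip)) != (rule.src, rule.dst):
            continue
        if protocol_matches(rule, conn):
            return rule.action, rule.name
    return "deny", "Default rule"


def demo() -> dict:
    """Policy states met while troubleshooting; returns (action, rule) per case."""
    rdp_out = Connection("10.1.5.20", "203.0.113.10", "tcp", 3389)   # constructed
    allow_rdp = Rule("Allow RDP out", "allow", ["RDP (Terminal Services)"], "Internal", "External")
    allow_all = Rule("Allow All", "allow", None, "Internal", "External")
    wrong_variant = Rule("Allow RDP Server", "allow", ["RDP (Terminal Services) Server"],
                         "Internal", "External")
    return {
        # specific rule listed first: it is the one that matches
        "rdp_rule_on": evaluate([allow_rdp, allow_all], rdp_out),
        # specific rule disabled: the broad Allow All still lets the session through
        "rdp_rule_off": evaluate([replace(allow_rdp, enabled=False), allow_all], rdp_out),
        # only the inbound "Server" definition allowed: outbound RDP hits the Default Rule
        "inbound_variant_only": evaluate([wrong_variant], rdp_out),
        # client address outside the Internal range: the rule's source element fails
        "src_not_internal": evaluate([allow_rdp, allow_all],
                                     replace(rdp_out, src_ip="192.168.50.20")),
    }


if __name__ == "__main__":
    for case, (action, rule_name) in demo().items():
        print(f"{case:22s} -> {action:5s} by {rule_name!r}")
```

The last case is a simplification: real ISA does not merely fall through when a packet arrives on the internal adapter from an address that is not in the Internal network, it flags the packet as spoofed; the model only shows that such a source cannot satisfy a rule whose "From" element is Internal. The useful habit the model encourages is the one Jim recommends: test one protocol definition at a time against a policy with the broad rule disabled, and read the rule name in the log entry rather than the protocol list.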



