Re: New to ISA
From: Lefteris Vladimiros (MCT) (notvalid_at_antispam.com)
Date: 06/27/04
- Next message: Jim Harrison [MSFT]: "Re: help required configuring half hour schedules"
- Previous message: Lefteris Vladimiros (MCT): "Re: Problem with 2nd IP address - Repost"
- In reply to: Jimmy Boy: "Re: New to ISA"
- Next in thread: Jimmy Boy: "Re: New to ISA"
- Reply: Jimmy Boy: "Re: New to ISA"
Date: Sun, 27 Jun 2004 22:30:52 +0300
Hi Jimmy,
Yes it is.
Consider the following:
A user installs a trojan app. It will be allowed to send info to the outside
world.
You should limit the clients that are allowed to use Any IP traffic. For
example you *may* want to allow All IP traffic for the administrator PC...
But that is up to you...
Have fun using ISA Server
You are welcome,
Lefteris
--
Lefteris Vladimiros
Microsoft Certified Trainer
MCSA, MCSE: Security
MCSA: Messaging

New Horizons Athens
-----
Post a reply to the newsgroups so that others may benefit from the discussion
-----
"Jimmy Boy" <jhayes@verilet.com> wrote in message
news:Os8TqavWEHA.1144@TK2MSFTNGP10.phx.gbl...
> cool thanks for the reply. i got it working.
>
> now i have another question though. Is it safe to have protocol and content
> rules open to all destinations if i don't really care where users go? or is
> it a security risk?
>
> thanks,
> "Lefteris Vladimiros (MCT)" <notvalid@antispam.com> wrote in message
> news:Oy9KCKlWEHA.3012@tk2msftngp13.phx.gbl...
> > Inline
> > Njoy ;-)
> >
> > --
> > Lefteris Vladimiros
> > Microsoft Certified Trainer
> > MCSA, MCSE: Security
> > MCSA: Messaging
> >
> > New Horizons Athens
> > -----
> > Note: Do not send me a direct email reply cause this is a fake address
> > Post a reply to the newsgroups so that others may benefit from the
> > discussion
> > -----
> > "Jimmy Boy" <jhayes@verilet.com> wrote in message
> > news:%23whRPnhWEHA.2940@TK2MSFTNGP09.phx.gbl...
> > > hi i am new to ISA and so far this is what i understand and wanted to
> > > check if this is correct.
> > >
> > > Protocol rules are used to allow clients inside your network to go out
> > > to the internet.
> > >
> > Correct, based on what protocols they will want to use
> >
> > > Ip packet filters- what ports are open on your network, (this is where
> > > you do NATing as well right?)
> >
> > The ports that will open are for the external interface of ISA Server
> > itself, or any services on a perimeter network (using an ISA Server with 3
> > interfaces, one internal, one external, one perimeter, with client
> > computers having public ip addresses) that you might want to have.
> > Remember, Packet filters do not take advantage of the ISA Server advanced
> > security features such as application-layer filtering etc...
> >
> > So basically, if you are using packet filters, that means you are setting
> > up rules for routing, not NATing!
> > ISA Server 2000 can't use packet filters for NATed clients.
> >
> > > Site and content rules- This one seems a little redundant to protocol
> > > rules as it blocks traffic going out.
> > >
> > Well protocol and site and content rules work together to allow/deny
> > access to external resources. Both of them are processed when an internal
> > client wants to access an external resource. First the client has to be
> > explicitly allowed access through the protocol rules, then it has to be
> > explicitly allowed access through a site & content rule.
> >
> > > All i want to do is NATing to my internal web servers and internet
> > > access, so from what i can understand the three access policies above is
> > > where i will be working on, right?
> > >
> > For internal clients to access the internet, use protocol and site and
> > content rules
> > For allowing external clients to access resources to the internal network
> > use web & server publishing rules
> > For allowing external clients access perimeter resources, and/or allowing
> > perimeter clients to access the external resources use packet filters.
> >
> > NOTE: When referring to internal clients, these are the ONLY ones
> > specified (by IP address -- private) on the Local Area Table (LAT)
> > configuration on ISA Server. Never add non-internal (ie external or
> > perimeter ip addresses -- public) on the LAT, or it will break any attempt
> > to correctly setup ISA Server.
> >
> > > also am i correct as to what each of the policies above are used for?
> > > any additional explanation is welcomed.
> >
> > Well I guess this covers some of the basics... Check out www.isaserver.org
> > for info on how to configure these various rules and more information.
> >
> > > thanks,
> > >
> >
> > Thanks for asking,
> > Lefteris
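
As an added illustration of the point made in this thread (not code from either poster or from ISA Server), the Python sketch below models the two-stage outbound check described above and audits for a protocol rule that grants all IP traffic to every client. The rule classes, field names, addresses and hostnames are hypothetical and constructed for the example.

```python
# Simplified model of the outbound check described in the thread: a request
# must be explicitly allowed by a protocol rule AND by a site & content rule.
# Hypothetical structures; this is not ISA Server's own object model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"

@dataclass(frozen=True)
class ProtocolRule:
    name: str
    protocols: frozenset   # protocol names, or {ANY} for all IP traffic
    clients: tuple         # CIDR strings, or (ANY,) for every internal client

@dataclass(frozen=True)
class SiteContentRule:
    name: str
    destinations: frozenset  # destination hosts, or {ANY}
    clients: tuple

def _client_match(clients, src):
    return ANY in clients or any(ip_address(src) in ip_network(c) for c in clients)

def allowed(src, protocol, dest, proto_rules, site_rules):
    """True only when both rule types explicitly allow the request."""
    proto_ok = any(_client_match(r.clients, src) and
                   (ANY in r.protocols or protocol in r.protocols)
                   for r in proto_rules)
    site_ok = any(_client_match(r.clients, src) and
                  (ANY in r.destinations or dest in r.destinations)
                  for r in site_rules)
    return proto_ok and site_ok

def audit(proto_rules):
    """Names of protocol rules that give all IP traffic to every client."""
    return [r.name for r in proto_rules
            if ANY in r.protocols and ANY in r.clients]

# Constructed sample policies.
OPEN_SITES = [SiteContentRule("All destinations", frozenset({ANY}), (ANY,))]
WIDE = [ProtocolRule("Allow all", frozenset({ANY}), (ANY,))]
TIGHT = [
    ProtocolRule("Web for LAN", frozenset({"HTTP", "HTTPS"}), ("192.168.1.0/24",)),
    ProtocolRule("Admin PC all IP", frozenset({ANY}), ("192.168.1.10/32",)),
]
# Constructed request: an ordinary user PC sending on a non-web protocol.
REQ = ("192.168.1.57", "TCP/8081", "collector.example.net")

if __name__ == "__main__":
    print("wide policy allows: ", allowed(*REQ, WIDE, OPEN_SITES))
    print("tight policy allows:", allowed(*REQ, TIGHT, OPEN_SITES))
    print("audit findings:", audit(WIDE), audit(TIGHT))
```

With site and content rules left open to all destinations, the protocol rule's client set is the only thing separating the user PC's unexpected outbound traffic from the administrator PC's.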