Re: New ISA 2004 Rule Not Working



OK, from what I see this is all wrong. Looks like you removed the default SBS
Internet Access Rule and created your own. No problem as long as you
duplicated the SBS rule, which you did not. Here's what you should have.

SBS Internet Access Rule
Action: Allow
Protocol: All outbound traffic
From/Listener: All Protected Networks
To: External
Condition: SBS Internet Users

Your "Deny" rule should look identical with the exception of Action to be
"Deny". You should create a new AD group with the names of those you want to
deny access to, and of course they must not be in the SBS Internet Users
group.
It also appears that you have removed many of the default ISA rules that
were installed by default. This will affect your DHCP, as I can see you no
longer have that in there. Looks like you've got a lot of rebuilding to replace
those default ISA rules.
Like I said, it would help if I could see a screen shot of the ISA rules with
all available columns to view.
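As an added illustration (not code from this thread or from ISA Server), here is a small first-match evaluator for the rule shapes the reply above describes: the SBS allow rule, an identically shaped deny rule, and the Default Rule. ISA 2004 applies the first access rule that matches, which the evaluator mirrors; the contents of the network sets, the group names and the user-set membership model are assumptions for the example, and protocol is left out because every rule here uses All Outbound Traffic.

```python
# Constructed example: first-match evaluation of ISA 2004 style access rules.
# The network-set contents below are assumptions for illustration only.
from dataclasses import dataclass

# Assumption: "All Protected Networks" holds every network except External.
NETWORK_SETS = {
    "All Protected Networks": {"Internal", "Local Host", "VPN Clients"},
    "External": {"External"},
    "Internal": {"Internal"},
    "Local Host": {"Local Host"},
    "All Networks": {"Internal", "Local Host", "VPN Clients", "External"},
}

@dataclass
class Rule:
    name: str
    action: str   # "Allow" or "Deny"
    src: str      # network or network-set name (the rule's From)
    dst: str      # network or network-set name (the rule's To)
    users: str    # "All Users" or the AD group backing the user set

def net_matches(set_name, network):
    return network in NETWORK_SETS[set_name]

def evaluate(rules, src_net, dst_net, groups):
    """Return the first rule that matches; later rules are never consulted."""
    for r in rules:
        if not net_matches(r.src, src_net) or not net_matches(r.dst, dst_net):
            continue
        if r.users != "All Users" and r.users not in groups:
            continue
        return r
    return None  # unreachable once the Default Rule is in the list

# The three rules as the reply lays them out (group names assumed).
SBS_ALLOW = Rule("SBS Internet Access Rule", "Allow", "All Protected Networks", "External", "SBS Internet Users")
LIMITED_DENY = Rule("Limited Users", "Deny", "All Protected Networks", "External", "Limited Users")
DEFAULT = Rule("Default Rule", "Deny", "All Networks", "All Networks", "All Users")

def decide(rules, src_net, dst_net, groups):
    """(action, rule name) for a request from src_net to dst_net by a user in groups."""
    hit = evaluate(rules, src_net, dst_net, groups)
    return (hit.action, hit.name)

if __name__ == "__main__":
    order = [LIMITED_DENY, SBS_ALLOW, DEFAULT]
    print(decide(order, "Internal", "External", {"Limited Users"}))       # Deny
    print(decide(order, "Internal", "External", {"SBS Internet Users"}))  # Allow
```

Placing the deny rule below the allow rule lets a user who is in both groups through, which is why the reply insists the denied users must not also be members of SBS Internet Users.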




"Richard K" <RichardK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1081085C-8528-412E-8B5A-2594F24FD9E8@xxxxxxxxxxxxxxxx
OK, here are the 5 rules that I have, in this order. Believe me, I don't
want to make this a "federal case". I'm just trying to figure out what I am
missing. I tried working this without rule #1 and making sure that user was
not in the SBS Internet Users group, but since that didn't work I created the
Limited Users rule figuring I would head it off. It not only fails but the
user follows the Protected Network Access Rule (#4), which makes no sense
since it only talks about traffic to protected networks, which does not
include External, so that should immediately eliminate any internet traffic.

Thanks for the help!!!

-Richard K


1. Limited Users - Deny / All Outbound Traffic / From Internal / To External / Limited Users Group (AD security group with that 1 user) / 24x7 / All Content

2. SBS Outbound Access Rule - Allow / All Outbound Traffic / From Protected Networks / To External / SBS Internet Users (AD security group where my account is the only member) / 24x7 / All Content

3. SBS Inbound Access Rule - Allow / All Outbound Traffic / From External / To Local Host / All Users / 24x7 / All Content

4. SBS Protected Network Access Rule - Allow / All Outbound Traffic / From Protected Networks / To Protected Networks / All Users / 24x7 / All Content

5. Default Rule - Deny / All Traffic / From All Networks (and local host) / To All Networks (and local host) / All Users / 24x7 / All Content

"SBS 2003 User" wrote:

Richard, you are correct. This is simple and you're making it into a federal
case here. See my previous post about both rules being identical. Post all
properties for both the deny and allow rules.


"Richard K" <RichardK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:94F1D264-0EAE-492B-BBF1-CD2446DB3830@xxxxxxxxxxxxxxxx
There is the rule "SBS Outbound Access Rule" for: Allow / All traffic / From
Protected Networks / To External / SBS Internet Users / 24x7 / All Content.
That rule was created by the CEICW wizard. When I check the SBS Internet
Users group in the AD I am the only member. That is why I created the deny
rule. I agree I should not have even had to create it.

It ignores the deny for the user and hits on the SBS protected network
access rule, which it shouldn't even hit. That is why I am confused. I
know it is something stupid that I am missing.

Any and all help is appreciated!!

-Richard K


"SBS 2003 User" wrote:

OK, you state that you are the only one in the SBS Internet Users group that
has internet access, so I'm trying to understand why you need this "deny"
rule if you are the only one that is allowed access to begin with. Try
changing that "Deny" rule. From "All Protected Networks" to "External".


"Richard K" <RichardK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:146B18D8-D809-4E78-83C7-AE03EF172877@xxxxxxxxxxxxxxxx
OK, I am setting up a new ISA 2004 Firewall Access Rule that should catch
all users in a specific AD security group and deny them any access to the
internet. The clients are all running XP using the ISA server as the web
proxy. The rule basically reads

Deny / HTTP + HTTPS / From Internal / To External / Limited Access Users /
24x7 schedule / All content types.

Limited Access Users is a User set made up of the AD security group I
created. In the AD security group I put in one user.

When I have that user log in and I watch their traffic via the ISA Monitor,
it bypasses this rule (1st rule in order) and ends up using a rule farther
down my list (SBS Protected Network Access Rule - default set up by CEICW).

Why does it ignore my rule? Why does it even use the rule it does, because
that rule talks about TO = All Protected Networks, of which External is
not one of them. I'm very confused. What did I miss?

Thanks!

-Richard K

