Re: How I can implement this case with ISA?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Jan 2002 07:02:33 -0800

Create a protocol rule denying FTP for those snat_ip that you want to block.
Deny rules get processed before allow rules.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Morvan Daniel Muller" <morvan@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 03, 2002 07:09
Subject: [isalist] How I can implement this case with ISA?




I have difficulty with ISA because it isn't possible to associate
protocol, source and destination in the same rule.

My problem is with the following case:

1) all_snat_ips  allow  HTTP to       any_internet_dest     anytime
2) all_snat_ips  allow  FTP  only-to  my_public_ftp_server  anytime
3) some_snat_ips allow  FTP  to       any_internet_dest     anytime

ISA needs to match one rule in "protocol rules" and in "site and content
rules" to allow the request, so:

* Protocol Rules
FTP  allow anytime applies-to(all_snat_ips)
HTTP allow anytime applies-to(all_snat_ips)

* Site and content Rules:
RuleName = OpenAccess
Destinations = All
Schedule = Always
Action = Allow
AppliesTo = all_snat_ips
HTTP Content = All content Groups

I need an "OpenAccess rule" to grant HTTP to all internet destinations.
But this way I also permit FTP, and I don't like it.
The problem is that I can't associate the protocol, source and destination
in the same rule, and ISA doesn't use sequence; it only processes
deny rules before allow rules.

Note: The client set "some_snat_ips" is part of the client set
"all_snat_ips".

Any suggestions?

Regards,


Morvan Daniel Muller
morvan@xxxxxxxxxxxxxxx
Support Analyst - Softplan/Poligraph
Certified Quality System - ISO9001 - BRTUV/INMETRO
Phone: 0XX(48)333-0389
Florianópolis - SC
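
The evaluation described in this thread, as an added example that is not part of either message and is not ISA Server code: a simplified model in which a request needs an allow match in both rule lists and any matching deny wins. The addresses and the client set name ftp_blocked_ips are constructed for illustration.

```python
# Simplified model of the evaluation described in the thread (an assumption,
# not ISA Server code): a request passes only if no matching rule denies it
# and an allow rule matches in BOTH the protocol rules and the site and
# content rules. Rule order is irrelevant; deny always wins.
from dataclasses import dataclass

# Constructed sample client sets (addresses are made up).
SETS = {
    "all_snat_ips": {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
    "some_snat_ips": {"10.0.0.7"},
    "ftp_blocked_ips": {"10.0.0.5", "10.0.0.6"},  # hypothetical: all minus some
}

@dataclass
class ProtocolRule:
    protocol: str
    action: str        # "allow" or "deny"
    applies_to: str    # client set name; note there is no destination field

@dataclass
class SiteRule:
    destinations: str  # "All" or a single destination name
    action: str
    applies_to: str

def _stage(matching):
    """Deny-before-allow within one rule list."""
    actions = {r.action for r in matching}
    return "deny" not in actions and "allow" in actions

def allowed(src, protocol, dest, protocol_rules, site_rules):
    p = [r for r in protocol_rules
         if r.protocol == protocol and src in SETS[r.applies_to]]
    s = [r for r in site_rules
         if r.destinations in ("All", dest) and src in SETS[r.applies_to]]
    return _stage(p) and _stage(s)

# Rules exactly as posted in the original message.
POSTED_PROTOCOL = [ProtocolRule("FTP", "allow", "all_snat_ips"),
                   ProtocolRule("HTTP", "allow", "all_snat_ips")]
POSTED_SITE = [SiteRule("All", "allow", "all_snat_ips")]  # OpenAccess

# The reply's suggestion: add a protocol rule denying FTP for the blocked set.
WITH_DENY = POSTED_PROTOCOL + [ProtocolRule("FTP", "deny", "ftp_blocked_ips")]
```

In this model the deny rule also covers FTP from ftp_blocked_ips to my_public_ftp_server, because a protocol rule carries no destination.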




