RE: ISA rule processing order

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 25 Sep 2002 17:43:40 -0500

Hi Alfonso,

If you enable packet filtering, everything not explicitly allowed *is*
denied!

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Alfonso Lopez de Ayala [mailto:alopezdeayala@xxxxxxxxxxxx] 
Sent: Wednesday, September 25, 2002 11:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA rule processing order

DISCLAIMER: I'm not an expert so this may all be totally wrong! :)
Having said that:

Hi, ISA gurus... not a question this time... just something I thought
I'd share... it's so hard always to figure out what ISA will do with
requests. all articles and documentation (and even rule processing
flowcharts) are so long and complex. so (after reading & digesting them
all), I made my own "for dummies" cheat-sheet to make sense of how ISA
processes ANY request... I believe it sweetly covers how ISA will act in
any case you can think of... (lemme know if I screwed up somewhere...
it's so simple I must have missed something!)

----------------------------------------------------------------
------> How to tell whether a request will pass thru ISA <------
----------------------------------------------------------------
NOTE:  Think of this flowchart the opposite way of what they always tell
you -- in this case EVERYTHING IS ALLOWED unless it doesn't meet the
conditions I write in parenthesis (it's the only way I could make the
flowchart so simple and comprehensive at the same time):

INCOMING REQUESTS -- processed in this order:
  1. Packet filters (must NOT have filter that blocks the request)
  2. Web publishing rules (must NOT have rule denying request)
  3. Routing rules (MUST have specific rule)
  4. Bandwidth rules
  That's it!  Simple, huh?

OUTGOING REQUESTS -- processed in this order:
  1. Bandwidth rules
  2. Protocol rules (MUST have ALLOWING rule, AND NO DENYING rule)
  3. Site and content rules (MUST have ALLOWING rule and NO DENYING rule)
     (i.e., must have a S&C Content Rule IN ADDITION to a Protocol Rule)
  4. Routing rules (specifies where to route)
  5. Packet filter (MUST NOT have filter that blocks the request)
  That's it!
----------------------------------------------------------------

Notes & observations:

1.- one interesting discovery (that's obvious to experts like you but
not so to me even after reading ISA Help and many other papers) is that
"Protocol Rules" and "Site and Content Rules" are used ONLY when
processing OUTBOUND requests.  They have nothing to do with INBOUND
requests!

2.- another interesting observation is that Packet Filters ALLOW
EVERYTHING that's not explicitly denied (as long as there's a Routing
Rule).  So that golden ISA rule they teach all the time that "everything
not explicitly allowed is denied" is misleading, I think.

3.- these two "flowcharts" don't cover side things like how listeners,
authentication, and extensions (HTTP redirector, etc.) affect requests --
maybe someone would care to add that and make a "master comprehensive
ISA flowchart"... :)

Alfonso
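The two "flowcharts" above encode a fixed evaluation order with two kinds of checks: steps where a matching rule MUST exist, and steps where a blocking rule must NOT exist. The following added example (not from the post, and not ISA Server code) models Alfonso's cheat-sheet exactly as written, so a reader can trace which step decides a given request; rule matching is reduced to plain set membership on a protocol name or destination, and the Request/Policy/evaluate names and the sample policy are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    direction: str  # "in" (from the Internet) or "out" (from internal clients)
    protocol: str   # e.g. "http", "ftp", "telnet"
    dest: str       # destination host or site


@dataclass
class Policy:
    # Constructed rule sets keyed by protocol or destination; not real ISA objects.
    filter_blocks: set = field(default_factory=set)       # packet filters that BLOCK
    web_publish_denies: set = field(default_factory=set)  # web publishing DENY rules
    routing_rules: set = field(default_factory=set)       # destinations with a routing rule
    protocol_allows: set = field(default_factory=set)
    protocol_denies: set = field(default_factory=set)
    site_allows: set = field(default_factory=set)
    site_denies: set = field(default_factory=set)


def evaluate(req: Request, pol: Policy):
    """Walk the cheat-sheet steps in order; return (allowed, deciding step)."""
    if req.direction == "in":
        if req.protocol in pol.filter_blocks:
            return False, "1. packet filter blocks request"
        if req.dest in pol.web_publish_denies:
            return False, "2. web publishing rule denies request"
        if req.dest not in pol.routing_rules:
            return False, "3. no routing rule for this destination"
        return True, "4. bandwidth rules only prioritise; request passes"
    # Outgoing: step 1 (bandwidth rules) never denies, so the first real gate is step 2.
    if req.protocol not in pol.protocol_allows or req.protocol in pol.protocol_denies:
        return False, "2. protocol rule: need an ALLOW and no DENY"
    if req.dest not in pol.site_allows or req.dest in pol.site_denies:
        return False, "3. site & content rule: need an ALLOW and no DENY"
    # Step 4 (routing rules) only picks the route; the packet filter has the last word.
    if req.protocol in pol.filter_blocks:
        return False, "5. packet filter blocks request"
    return True, "5. no blocking packet filter; request passes"


# Constructed sample policy: telnet filtered, "intranet" not published, ftp denied.
POLICY = Policy(filter_blocks={"telnet"}, web_publish_denies={"intranet"},
                routing_rules={"www"}, protocol_allows={"http", "ftp"},
                protocol_denies={"ftp"}, site_allows={"example.com"})

if __name__ == "__main__":
    for r in (Request("in", "http", "www"), Request("in", "http", "mail"),
              Request("out", "ftp", "example.com"), Request("out", "http", "example.com")):
        print(r.direction, r.protocol, r.dest, "->", evaluate(r, POLICY))
```

Running it shows the point of note 2 as the cheat-sheet states it: an inbound request to "mail" fails only because no routing rule exists (step 3), not because a packet filter denied it, while an outbound request needs both an allowing Protocol Rule and an allowing Site & Content Rule before the packet filter is even consulted.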
