Here's the deal; since you want to limit DNS to a specific computer,
1 - step away from the "Users" tab in the DNS rule
2 - place your anonymous (DNS) rules before your authentication (user-specific) rules or the anonymous connection will fail for lack of authentication.
3 - use subnet, address set, computer, <blah-blah> anything EXCEPT users in the anonymous rule (DNS)
4 - leave the "Users" tab empty, or select "All Users", but nothing else
5 - in the "From" tab, select (may have to create) the computer object that represents the DNS server

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/Jim_Harrison/
 http://isatools.org
 Read the help / books / articles!

On Fri, 1 Oct 2004 00:27:23 -0700 <auto122605@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Hi Jim,

What do you mean no user tab for computer object? What you are saying is creating a server publishing rule, right? Though what I am doing is an access rule, not a server publishing rule, therefore there is the user tab. Also I do not want to publish the DNS server, I just want it to be able to make requests (DNS) to the internet; it's an internal DNS server. Now in the Users tab what shall I specify? If I specify nothing it won't work, not even if I specify system and network service.

Any idea?

Regards,
Nick Holmes

On Thu, 30 Sep 2004 08:00:57 -0700 Jim Harrison <jim@xxxxxxxxxxxx> wrote:
>http://www.ISAserver.org
>
>No use user tab for computer object.
>Use "From" tab and select desired item from "computers" list in "Network Objects" when you click "Add".
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>----- Original Message -----
>From: <auto122605@xxxxxxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Thursday, September 30, 2004 07:19
>Subject: [isalist] RE: Priority of Firewall Rules
>
>
>http://www.ISAserver.org
>
>Hi,
>
>That is what I am doing in fact...
>
>the rule is:
>
>from : xxx.xxx.xxx.xxx (which is the internal IP of the DNS server)
>to : external
>Protocol: DNS
>User - what do I specify here? If I leave it empty it won't work at all!
>
>Any idea?
>
>On Thu, 30 Sep 2004 06:38:49 -0700 Jim Harrison <jim@xxxxxxxxxxxx> wrote:
>>http://www.ISAserver.org
>>
>>"There are other tabs than these"
>>(three social points if you can identify author, book, character for this mangled misquote)
>>
>>Use the "from" tab when you want to create "non-human" limitations in your rules.
>>
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>>
>>
>>On Thu, 30 Sep 2004 00:45:01 -0700 <auto122605@xxxxxxxxxxxx> wrote:
>>http://www.ISAserver.org
>>
>>Hi Tom,
>>
>>Thanks for your reply. Regarding creating a computer object, in the users section you can only specify a user right or a group? Correct me if I am wrong.. also can you explain further regarding this issue (Creating a computer account instead of everyone)?
>>
>>Cause I already asked once in the mailing list about this but never got a reply.
>>
>>On Wed, 29 Sep 2004 08:34:40 -0700 Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
>>>http://www.ISAserver.org
>>>
>>>Also, don't allow EVERYONE to use DNS. Create a computer object for your DNS server.
>>>
>>>HTH
>>>
>>>Tom
>>>www.isaserver.org/shinder
>>>Get the book!
>>>Tom and Deb Shinder's Configuring ISA Server 2004
>>>http://tinyurl.com/3xqb7
>>>MVP -- ISA Firewalls
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx]
>>>Sent: Wednesday, September 29, 2004 10:12 AM
>>>To: [ISAserver.org Discussion List]
>>>Subject: [isalist] Priority of Firewall Rules
>>>
>>>
>>>http://www.ISAserver.org
>>>
>>>I have just 2 rules on my ISA 2K4 which are:
>>>
>>>(Rule 1)
>>>Allow - (From) xxx.xxx.xxx.xxx to external
>>>Protocol - DNS
>>>Users - All users
>>>
>>>and
>>>
>>>(Rule 2)
>>>Allow - (From) Internal network to external
>>>Protocol - Any
>>>Users - User1
>>>
>>>Like this I have a DNS server which uses forwarders from the internet and is used as an internal network DNS Server. When I move Rule 2 before Rule 1 the DNS stops working. How is this behaviour? Is it cause Rule 2 allows only a specific user to access the internet, therefore automatically all other users are denied? And therefore the DNS Server stops working?
>>>
>>>
>>>Thanks..
>>>Nick Holmes
>>>
>>>
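
The rule-ordering behaviour discussed in this thread, as an added example that is not part of any message above and is not ISA Server code: a simplified Python model in which the first rule matching "From" and protocol decides the request, and an anonymous request that reaches a user-restricted rule is denied there. The addresses, rule names and the fall-through for authenticated users outside the set are assumptions made for illustration.

```python
# Simplified model of ordered access-rule evaluation (added example, constructed data).
# Assumption: the first rule matching From + Protocol decides; if that rule is limited
# to specific users and the request is anonymous, it is denied there and then.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALL_USERS = frozenset({"All Users"})

@dataclass(frozen=True)
class Rule:
    name: str
    source: str                      # "From" tab, as CIDR
    protocol: str                    # "DNS", "Any", ...
    users: frozenset = ALL_USERS     # "Users" tab

@dataclass(frozen=True)
class Request:
    src: str
    protocol: str
    user: Optional[str] = None       # None = anonymous, no credentials

def evaluate(rules, req):
    """Return (verdict, deciding rule name) for rules checked top to bottom."""
    for rule in rules:
        if ip_address(req.src) not in ip_network(rule.source):
            continue
        if rule.protocol not in ("Any", req.protocol):
            continue
        if rule.users == ALL_USERS:
            return ("allow", rule.name)          # anonymous rule: no identity needed
        if req.user is None:
            return ("deny: authentication required", rule.name)
        if req.user in rule.users:
            return ("allow", rule.name)
        # Assumption: an authenticated user outside the set falls through.
    return ("deny: default", None)

# Constructed stand-ins for the thread's xxx.xxx.xxx.xxx and "Internal" network.
DNS_RULE = Rule("Rule 1: DNS server out", "10.0.0.53/32", "DNS")
USER_RULE = Rule("Rule 2: User1 any protocol", "10.0.0.0/24", "Any", frozenset({"User1"}))
DNS_QUERY = Request("10.0.0.53", "DNS")          # the DNS server forwarding a query

if __name__ == "__main__":
    print("Rule 1 first:", evaluate([DNS_RULE, USER_RULE], DNS_QUERY))
    print("Rule 2 first:", evaluate([USER_RULE, DNS_RULE], DNS_QUERY))
    print("User1 web   :", evaluate([DNS_RULE, USER_RULE], Request("10.0.0.20", "HTTP", "User1")))
```

With Rule 2 first, the DNS server's query matches the broader "Internal, Any protocol" rule before it ever reaches the DNS rule, which is why moving the anonymous rule to the top restores resolution.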