RE: Rules not working.

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 May 2002 15:32:47 -0500

Hi Erik,

OK, let's try to get to the bottom of this problem!

In your Firewall log, configure it to log Rule#1 and Rule#2. This will
give you information about which Protocol Rule and Site and Content Rule
are allowing the requests through the ISA Server.

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Erik Sojka [mailto:esojka@xxxxxxxx] 
Sent: Wednesday, May 01, 2002 2:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules not working.

http://www.ISAserver.org


Inline prefaced with EPS>  

> -----Original Message-----
> From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, May 01, 2002 1:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Rules not working.
> 
> Hi Erik,
> 
> ISA Server ONLY passes traffic you allow. Period. So, there are several
> possibilities:
> 
> 1. The PIX operator is wrong
> 

EPS> I've seen the PIX config and the logs.  When I try a test connection
through ISA to http://www.whatever.com:8000 (actual server name and port
do not matter) the PIX logs the attempt coming from the ISA server and
denies it.

> 2. The LAT is configured incorrectly

EPS> I double checked; there are only LAT entries for our internal
VLANs.

> 
> 3. Packet filtering is not enabled on the ISA Server
> 

EPS> Packet filtering is enabled; there are two packet filters:
predefined "ICMP All Outbound" and predefined "ICMP Ping Response (in)".
Both are enabled and applied to all remote computers and default IP
addresses on external interfaces.

> 4. An "all open" Protocol Rule is there somewhere
> 

EPS> Where?  Somewhere other than "S&C Rules", "Protocol Rules", and "IP
Packet Filters" under the Access Policy container?

> That said, you do NOT need to create a deny rule for all protocols that
> are not allowed. If you do not create an allow rule for these other
> protocols, they will not be allowed.
> 

EPS> Hence my asking the question; I do see the behavior I'm reporting.
Any other thoughts?


> HTH,
> Tom
> www.isaserver.org/shinder
> 
> 
> -----Original Message-----
> From: Erik Sojka [mailto:esojka@xxxxxxxx] 
> Sent: Wednesday, May 01, 2002 11:55 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Rules not working.
> 
> Server: ISA Server SP1 running on W2K SP2 + SRP + patches in
> Standalone/Integrated mode in an Active Directory domain.  The ISA server
> sits behind our Cisco PIX firewall.
> 
> We previously ran our server on the above config using only caching mode.
> The PIX administrator reported that requests for nonstandard ports (things
> other than 80, 443, 20/21) were being passed through from ISA but blocked
> at the PIX.  As part of our troubleshooting efforts, we rebuilt the server
> and added the firewall feature set (yielding the config above).
> 
> Site and Content rule (1 rule):
> - Allow all traffic to all destinations at all times; applied to an NT
> group we created that has all users allowed to surf the Internet; all
> content groups allowed.
> 
> Protocol Rules:
> - We initially had a single rule - Allow selected protocols (HTTP, HTTPS,
> FTP DL Only) at all times, applied to the NT user group mentioned above.
> ISA should normally not allow traffic through that is not allowed, right?
> With this single protocol rule, IE requests for pages at different ports
> were passed through to the PIX.
> - Then we created a second protocol rule - Deny all requests to protocols
> except HTTP, HTTPS, FTP DL only; applied always and to the NT group. -
> Same thing.
> 
> What am I missing?  Why is ISA passing this traffic through when it
> seems like it shouldn't?
> 
> TIA, 
> 
> *****************************
> * Erik Sojka, MOS, MCSE     *
> * Manager, Network Services *
> * esojka@xxxxxxxx           *
> ***************************** 
> 
> 

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
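Tom's suggestion is to turn on the Rule#1 and Rule#2 fields and read them back out of the Firewall log. The script below is an added example of doing that, not code from the thread or from ISA Server: it parses a W3C extended format log by its own #Fields: header, keeps the connections the log reports as successful (sc-status 0 is assumed here to mean success, any other value a failure code) whose remote port is outside the set Erik's policy is meant to allow, and counts them by the (rule#1, rule#2) pair that let them through. The log lines, users, hosts, rule names, status codes and every field name other than rule#1 and rule#2 are constructed for the example. Because the parser is driven by the #Fields: line, it runs unchanged on a real ISA log (Firewall or Web Proxy) as long as that header names the two rule fields.

```python
"""Added example (not from the thread or from ISA Server): find which
Protocol Rule (rule#1) and Site and Content Rule (rule#2) let connections
to unexpected ports out through ISA, using a W3C extended format log."""

from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Ports Erik's policy is meant to allow: HTTP, HTTPS, FTP data/control.
EXPECTED_PORTS: Set[int] = {80, 443, 20, 21}

# Constructed sample log. Only rule#1/rule#2 come from the thread; the other
# field names, hosts, users, rule names and status codes are assumptions
# made for illustration. "-" is the W3C placeholder for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2002-05-01 14:30:00
#Fields: date time c-ip cs-username s-svcname r-host r-ip r-port cs-protocol cs-transport s-operation sc-status rule#1 rule#2
2002-05-01 14:30:01 10.1.1.25 DOMAIN\\esojka fwsrv www.whatever.com 192.0.2.10 80 HTTP TCP Connect 0 Allow_Web_Protocols Allow_All_Sites
2002-05-01 14:30:05 10.1.1.25 DOMAIN\\esojka fwsrv www.whatever.com 192.0.2.10 8000 HTTP TCP Connect 0 Allow_Web_Protocols Allow_All_Sites
2002-05-01 14:30:09 10.1.1.30 DOMAIN\\jdoe fwsrv smtp.example.net 192.0.2.20 25 SMTP TCP Connect 10061 - -
2002-05-01 14:30:12 10.1.1.25 DOMAIN\\esojka fwsrv www.whatever.com 192.0.2.10 443 HTTPS TCP Connect 0 Allow_Web_Protocols Allow_All_Sites
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per data line, keyed by the
    names in the most recent #Fields: directive. The format is
    self-describing, so the column order is never hard-coded here."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no data
        if not fields:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def passed_to_unexpected_port(records: Iterable[Dict[str, str]],
                              expected_ports: Set[int] = EXPECTED_PORTS) -> List[Dict[str, str]]:
    """Keep connections the log reports as successful (sc-status 0 is assumed
    to mean success, anything else a failure code) whose remote port is not
    in expected_ports. These are the requests the PIX would see."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        try:
            port = int(rec.get("r-port", "-"))
        except ValueError:
            continue  # "-" or malformed: no remote port logged for this line
        if rec.get("sc-status") == "0" and port not in expected_ports:
            hits.append(rec)
    return hits


def rules_responsible(hits: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count the leaked connections by (rule#1, rule#2), i.e. by the
    Protocol Rule / Site and Content Rule pair that allowed them."""
    return dict(Counter((h.get("rule#1", "-"), h.get("rule#2", "-")) for h in hits))


if __name__ == "__main__":
    leaks = passed_to_unexpected_port(parse_w3c(SAMPLE_LOG))
    for h in leaks:
        print(f"{h['c-ip']} -> {h['r-host']}:{h['r-port']} ({h['cs-protocol']}) "
              f"allowed by protocol rule '{h['rule#1']}' and "
              f"site/content rule '{h['rule#2']}'")
    for (r1, r2), n in rules_responsible(leaks).items():
        print(f"{n} unexpected-port connection(s) via {r1} / {r2}")
```

On the constructed sample only the www.whatever.com:8000 request is reported, attributed to the Allow_Web_Protocols / Allow_All_Sites pair; the denied SMTP line is skipped because its sc-status is non-zero. Run against the real log, the rule names printed for the leaked connections are the ones to open in the Access Policy container.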