Dear all,

We are about to use ISA Server to support banking and trading applications via the Firewall service. We have, however, the following security requirement: we need to be able to create connection-based rules that specify which user is allowed to use which ports to which destination addresses.

While it is perfectly possible to allow ports to users, and to allow access to Internet hosts on a per-user basis, the problem is combining these two rules into a connection-based rule, allowing a user to communicate via a port or protocol to a specific host.

The limitation, for example, is that there doesn't seem to be a way for a specific user or group to:

* allow access to any site via HTTP
* allow access to ftp.microsoft.com via the FTP protocol
* deny access to ftp.adobe.com via the FTP protocol

other than:

* creating a protocol rule which adds the user to the ACL of the HTTP protocol
* creating a protocol rule which adds the user to the ACL of the FTP protocol
* creating a packet filter that allows HTTP traffic to any host
* creating a packet filter that allows FTP traffic to ftp.microsoft.com

However, when another user needs access to ftp.adobe.com, the following needs to be done:

* adding this user to the ACL of the FTP protocol
* creating a packet filter that allows FTP traffic to ftp.adobe.com

This, however, will allow the first user access to ftp.adobe.com as well. If thereafter a (site and content) rule is created to deny access to ftp.adobe.com for that user, then all traffic to this server, including HTTP, will be denied as well. This chance of cross-overs between users and destinations makes security a little bit obscure.

Could anyone tell me if, and if so how, I can address the mentioned requirements with ISA Server?

Thanks in advance,

Jeroen Bijen

==================================================================
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
==================================================================
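The cross-over the post describes can be shown with a small model, added here as an illustration and not taken from the post or from ISA Server itself: a "split" policy made of a per-user protocol ACL plus user-independent destination filters, beside a policy keyed on the full (user, protocol, host) tuple. User names and the hosts are the constructed sample from the post.

```python
from dataclasses import dataclass, field


@dataclass
class SplitPolicy:
    """Simplified model of the layered scheme in the post: a protocol ACL that
    lists users per protocol, and destination filters that know nothing about
    users. A connection passes only if both layers allow it."""
    protocol_acl: dict = field(default_factory=dict)  # protocol -> set of users
    dest_filters: set = field(default_factory=set)    # (protocol, host); "*" = any host

    def allow_user_protocol(self, user, protocol):
        self.protocol_acl.setdefault(protocol, set()).add(user)

    def allow_protocol_to(self, protocol, host):
        self.dest_filters.add((protocol, host))

    def permits(self, user, protocol, host):
        in_acl = user in self.protocol_acl.get(protocol, set())
        dest_ok = (protocol, host) in self.dest_filters or (protocol, "*") in self.dest_filters
        return in_acl and dest_ok


@dataclass
class ConnectionPolicy:
    """Connection-based rules: each rule binds user, protocol and host together."""
    rules: set = field(default_factory=set)  # (user, protocol, host); "*" = any host

    def allow(self, user, protocol, host):
        self.rules.add((user, protocol, host))

    def permits(self, user, protocol, host):
        return (user, protocol, host) in self.rules or (user, protocol, "*") in self.rules


def crossover_demo():
    # Constructed scenario: alice gets HTTP anywhere and FTP to ftp.microsoft.com,
    # then bob is granted FTP to ftp.adobe.com using the same two layers.
    split = SplitPolicy()
    split.allow_user_protocol("alice", "HTTP"); split.allow_protocol_to("HTTP", "*")
    split.allow_user_protocol("alice", "FTP");  split.allow_protocol_to("FTP", "ftp.microsoft.com")
    split.allow_user_protocol("bob", "FTP");    split.allow_protocol_to("FTP", "ftp.adobe.com")

    conn = ConnectionPolicy()
    conn.allow("alice", "HTTP", "*"); conn.allow("alice", "FTP", "ftp.microsoft.com")
    conn.allow("bob", "FTP", "ftp.adobe.com")

    return {
        "split_alice_ftp_adobe": split.permits("alice", "FTP", "ftp.adobe.com"),  # True: the cross-over
        "conn_alice_ftp_adobe": conn.permits("alice", "FTP", "ftp.adobe.com"),    # False
        "conn_alice_http_adobe": conn.permits("alice", "HTTP", "ftp.adobe.com"),  # True: HTTP still works
        "conn_bob_ftp_adobe": conn.permits("bob", "FTP", "ftp.adobe.com"),        # True
    }
```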