Environment configuration case!

  • From: Morvan Daniel Muller <morvan@xxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 24 Oct 2001 19:15:17 -0200

Hello!

I am confused about the following environment that I need to configure with ISA:
1) allow all my intranet users to access only my DMZ external FTP server
2) allow only some intranet machines to access FTP servers on the internet.

I have SNAT clients only.
I didn't set up the ISA as an auxiliary DC (AD integrated), because I think that
it's not a trusted environment. In case of some weakness the intruder would have
direct access to a DC.

For case 2 I have these rules:

* Protocol Rules
RuleName = InternetFTP
Action = Allow
Protocol = FTP
Schedule = Always
Applies To = List of Intranet Ips allowed to ftp in the internet

* Site and content Rules:
RuleName = ContentOpenAccess
Destinations = All
Schedule = Always
Action = Allow
AppliesTo = My Intranet IP Range
HTTP Content = All content Groups

OBS:
My basic policy is to allow protocols, like HTTP, in the protocol rules, and
in "site and content rules" I use a ContentOpenAccess rule.
To restrict access to the internet I work with DENY rules based on
external destinations, such as disliked websites, and based on disliked content
types.

My problem is with case 2.
If I create a protocol rule that allows all intranet IPs for the FTP protocol,
I can't restrict them to my external FTP server in "site and content rules",
because they can use the ContentOpenAccess rule to go to the internet.
If I deny "all external destinations" except my external-ftp-server,
the group of intranet users that can access internet FTP sites is
also denied, because they are part of my intranet users, and they
need to have access to both places (my external-ftp-server and the
internet-ftp-sites).

Could someone help me?


Morvan.
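A small model of how the two rule sets in the post combine, added here as an illustration; it is not part of the original message or of ISA Server itself. It assumes the ISA 2000 evaluation order (deny rules are processed before allow rules, and a request must pass both a protocol rule and a site and content rule), assumes site and content rules have no protocol field, and uses constructed addresses for the intranet, the privileged machines and the DMZ FTP server.

```python
import ipaddress
from dataclasses import dataclass, field
def in_set(ip, nets):
    """True if ip falls inside any network of a client or destination address set."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

@dataclass
class ProtocolRule:
    name: str; action: str; protocol: str; applies_to: list

@dataclass
class SiteRule:                      # modelled with no protocol field, only destinations
    name: str; action: str; applies_to: list
    destinations: str = "all"        # "all", "set" or "all_except"
    dest_set: list = field(default_factory=list)

def site_matches(r, client, dest):
    if not in_set(client, r.applies_to): return False
    if r.destinations == "all": return True
    hit = in_set(dest, r.dest_set)
    return (not hit) if r.destinations == "all_except" else hit

def decide(rules, matches):
    """Deny rules are processed before allow rules; no matching rule means deny."""
    if any(r.action == "deny" and matches(r) for r in rules): return False
    return any(r.action == "allow" and matches(r) for r in rules)

def evaluate(proto_rules, site_rules, client, dest, protocol):
    """A request passes only if both a protocol rule and a site rule allow it."""
    ok_p = decide(proto_rules, lambda r: r.protocol == protocol and in_set(client, r.applies_to))
    ok_s = decide(site_rules, lambda r: site_matches(r, client, dest))
    return ok_p and ok_s

# Constructed addresses: intranet range, machines allowed to use internet FTP, DMZ FTP server.
INTRANET, PRIV, DMZ_FTP = ["10.0.0.0/24"], ["10.0.0.8/29"], ["192.0.2.20/32"]
UNPRIV = [str(n) for n in ipaddress.ip_network(INTRANET[0]).address_exclude(ipaddress.ip_network(PRIV[0]))]
PROTO = [ProtocolRule("InternetFTP", "allow", "FTP", INTRANET), ProtocolRule("Web", "allow", "HTTP", INTRANET)]
OPEN = SiteRule("ContentOpenAccess", "allow", INTRANET)

def scenario(extra_site_rules):
    """(unpriv->internet FTP, priv->internet FTP, unpriv->DMZ FTP, unpriv->internet HTTP)."""
    site = [OPEN] + extra_site_rules
    return (evaluate(PROTO, site, "10.0.0.50", "198.51.100.5", "FTP"),
            evaluate(PROTO, site, "10.0.0.10", "198.51.100.5", "FTP"),
            evaluate(PROTO, site, "10.0.0.50", "192.0.2.20", "FTP"),
            evaluate(PROTO, site, "10.0.0.50", "203.0.113.7", "HTTP"))
# Deny everything except the DMZ server, first for the whole intranet, then only for the unprivileged set.
DENY_ALL = SiteRule("NoInternet", "deny", INTRANET, "all_except", DMZ_FTP)
DENY_UNPRIV = SiteRule("NoInternetUnpriv", "deny", UNPRIV, "all_except", DMZ_FTP)
```

`scenario([])` reproduces the first problem (every intranet host reaches internet FTP) and `scenario([DENY_ALL])` the second (the privileged machines lose internet FTP as well). `scenario([DENY_UNPRIV])` splits FTP the way the post wants, but because the modelled site rule carries no protocol it also removes the unprivileged hosts' HTTP, which is the caveat to check before relying on a destination-based deny.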
