I am no expert at ISA 2004, so I want to make sure I understand this. So are you saying that if I have any 'User-based' rules BEFORE any of my 'Anonymous' rules the traffic will be blocked regardless of protocol? Now that I hear/see this, this makes a huge difference! The way I thought of it was as the traffic comes in, it looks in order (top down) for a rule that -specifically- allows or denies that protocol specified only. Then I set my last rule to 'Deny All'.

What happens if I 'require authentication' for all users on the internal interface itself instead of requiring authentication only on individual rules? Would my SMTP traffic stop flowing out? Like I said, I am still new at this.

Environment: ISA 2004 using an 'Edge Firewall' configuration, Published Internal SMTP server, Mixed: Web Proxy (laptops) and Firewall clients (workstations).

Thanks for your insight,
Paul

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, October 05, 2004 11:47 AM
Subject: RE: Firewall Policy Rules Order

That statement is absolutely, blatantly incorrect.
Rule order is very much important.

For instance, if you have a rule that allows anonymous SMTP for your mail server that follows a rule allowing HTTP for authenticated users, the mail server will fail at the HTTP rule.

Generally speaking, you want to order your rules as:
Anonymous Deny rules
Anonymous Allow rules
User-based Deny rules
User-based Allow rules

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Ara Avvali" <ara@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, October 04, 2004 04:59
Subject: [isalist] RE: Firewall Policy Rules Order

http://www.ISAserver.org

Hi
Add rules based on group or ip address to it.
Also as far as I know it doesn't matter what order they are; it matters to see what will be the effective permissions

-----Original Message-----
From: Raji Arulambalam [mailto:RajiA@xxxxxxxxxxxxxx]
Sent: October 4, 2004 12:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Firewall Policy Rules Order

http://www.ISAserver.org

Hi
I know that the rules are executed top down, but what is best practice in grouping the rules in Firewall Policy

1) Outgoing Access rules
2) Incoming Access rules
3) Web Server Publish
4) Mail Server
5) Server Publish

Thanks

Email disclaimer:
This email and any attachments are confidential. If you are not the intended recipient, do not copy, disclose or use the contents in any way. If you receive this message in error, please let us know by return email and then destroy the message. Environment Bay of Plenty is not responsible for any changes made to this message and/or any attachments after sending.
******************************************************
This e-mail has been checked for viruses and no viruses were detected.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: ara@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
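
A simplified model of ordered, first-match rule evaluation, added here as an illustration; it is not code from the thread or from ISA Server. The rule names, the sample policy, the functions, and the modelling choice that a matching user-based rule ends evaluation for a client that cannot authenticate are assumptions of the example.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: rule applies to every protocol

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    protocol: str                    # protocol name or ANY
    users: frozenset = frozenset()   # empty set = anonymous (no authentication)

def evaluate(rules, protocol, user=None):
    """Walk the rules top down; return (action, rule_name) of the deciding rule."""
    for rule in rules:
        if rule.protocol not in (ANY, protocol):
            continue                       # protocol does not match, try next rule
        if not rule.users:
            return rule.action, rule.name  # anonymous rule decides immediately
        if user is None:
            # Model assumption: the rule demands credentials, the client has
            # none, so the request fails here and later rules are never reached.
            return "deny", rule.name
        if user in rule.users:
            return rule.action, rule.name
        # authenticated, but not a member of this rule's user set: keep going
    return "deny", "Default Deny"

def recommended_order(rules):
    """Stable sort: anonymous deny, anonymous allow, user deny, user allow."""
    return sorted(rules, key=lambda r: (bool(r.users), r.action != "deny"))

# Constructed sample policy: the user-based rule sits above the anonymous one.
POLICY = [
    Rule("Staff outbound", "allow", ANY, frozenset({"paul"})),
    Rule("Mail server SMTP", "allow", "smtp"),
]

if __name__ == "__main__":
    # Mail server (cannot authenticate) against the original ordering
    print(evaluate(POLICY, "smtp"))
    fixed = recommended_order(POLICY)
    # Same request once anonymous rules are moved above user-based rules
    print(evaluate(fixed, "smtp"))
    # An authenticated user still reaches the user-based rule
    print(evaluate(fixed, "http", user="paul"))
```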