Interesting response, but the question was regarding protocol rules, hence an internal request...
I've been able to validate that client address sets seem to take priority in this scenario.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Joseph" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, March 12, 2002 11:10 AM
Subject: [isalist] RE: Firewall Service Authentication

http://www.ISAserver.org

When ISA Server processes a request from an external client, it checks IP packet filters, publishing rules, and routing rules to determine if the request is allowed and which internal server should service the request.

For an incoming Web request, rules are processed in the following order:

1. IP packet filters. If packet filtering is enabled, then if an IP packet filter specifically denies the request, the request is denied.
2. Web publishing rules. If a Web publishing rule specifically denies the request, then the request is denied.
3. Routing rules. If a routing rule specifies that the requests be routed to a specific upstream server or an alternate hosted site, then the specified server handles the request. If a routing rule specifies that the requests be routed to the specified server, then the internal Web server returns the object.

Joseph

-----Original Message-----
From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, March 12, 2002 6:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Firewall Service Authentication

Since Tom said I had the hardest questions at Blackhat, I feel like I have to ensure that they are all difficult ;)

To that end, I pose the following question:

Let's say you have a protocol rule to allow IP based on a client address set (IP address), and another identical protocol rule that is based on user/group. If a user meets both criteria, i.e., is in the client address set and is also a member of the group-based rule, which rule is used?

AD