RE: Firewall Service Authentication

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Mar 2002 07:24:01 -0800

Interesting response, but the question was regarding protocol rules, hence
an internal request...

I've been able to validate that client address sets seem to take priority in
this scenario.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Joseph" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, March 12, 2002 11:10 AM
Subject: [isalist] RE: Firewall Service Authentication


http://www.ISAserver.org


When ISA Server processes a request from an external client, it checks
IP packet filters, publishing rules, and routing rules to determine if
the request is allowed and which internal server should service the
request.

For an incoming Web request, rules are processed in the following order:


1. IP packet filters. If packet filtering is enabled, then if an IP packet
   filter specifically denies the request, the request is denied.
2. Web publishing rules. If a Web publishing rule specifically denies the
   request, then the request is denied.
3. Routing rules. If a routing rule specifies that the requests be routed
   to a specific upstream server or an alternate hosted site, then the
   specified server handles the request. If a routing rule specifies that
   the requests be routed to the specified server, then the internal Web
   server returns the object.

Joseph

-----Original Message-----
From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, March 12, 2002 6:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Firewall Service Authentication


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Since Tom said I had the hardest questions at Blackhat, I feel like I have
to ensure that they are all difficult ;)

To that end, I pose the following question:

Let's say you have a protocol rule to allow IP based on a client address
set (IP address), and another identical protocol rule that is based on
user/group.  If a user meets both criteria, i.e., is in the client address
set and is also a member of the group-based rule, which rule is used?

AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPI4UWIhsmyD15h5gEQLXbgCgr6LZIZQ9SrxNP0Qrt+G4P6gLrpoAoLmL
6eYzkH8aa0llKFb/P1AaFygg
=Q0m9
-----END PGP SIGNATURE-----

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

