A couple of things.... Exchange has godly rights...why??...should be published...and an ftp rule to allow updates from GFI only. Is the firewall client installed on the workstations, if not how is ISA to know who is using these protocols. If I was you...and I'm not....:), give the authorized users dhcp reservations and create an address set for then within ISA for the protocols you want to allow them. S ________________________________ From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx] Sent: Monday, January 24, 2005 3:49 PM To: ISA Mailing List Subject: [isalist] RE: Firewall dropping packets from some machines http://www.ISAserver.org Sorry, I neglected to give hardware/os specs. ISA 2000 - dedicated mode w/ Windows Server 2003. Machine is a Compaq Prolient ML330 with 2GB of memory. Kenny -----Original Message----- From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: Monday, January 24, 2005 1:17 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Firewall dropping packets from some machines http://www.ISAserver.org Which version of ISA?? S ________________________________ From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx] Sent: Monday, January 24, 2005 12:30 PM To: ISA Mailing List Subject: [isalist] Firewall dropping packets from some machines http://www.ISAserver.org I'm having some issues that are difficult to pin down what is going on. I currently use SSH to get out of my network here (work) to get into my box at home. I use Putty. It's not only SSH that has this problem, but it's enough to relate to right now... For a while, life was good and it all worked hunkey dory (sp?). Then out of no where (gasp?) it stopped. More than likely I tweaked a setting, added a patch, or did something stupid and didn't notice it. Here is where the fun part comes in. If I create a Client Address Set and create a protocol rule to allow full outbound access to whatever I want, it works as if by magic. However, if I create a protocol rule and allow certain users (such as myself) full outbound access, it does not work. When I say it doesn't work, instead of blocking my packets directly, it just drops them. What happens is Putty tries to connect, makes the first connection, then ISA blocks it. Many other programs are running into the same issues. I really don't like adding tons of Client Address Set for this because it just sounds wrong and insecure -- and difficult (DHCP -- except for our mail server and ISA server). Has anyone ran into this before? I've paid to have someone come out here and spend an hour trying to figure out what the heck is going on, but he couldn't figure it out and needed more time. At the time it was only SSH and remote desktop, which I was able to deal without at the time and live with the CAS method. Now it seems, other things aren't working that I didn't notcie. I got MailEssentials for Exchange and it says it fails to update (yes, it's on the mail server -- which should have godly rights -- and still doesn't work). Yes, in the previously paragraph I say the Client Address Set method doesn't work for that computer and yet in the passage before that one, I say it works. I should say that it's picky about the machines it wants to work on. I have looked at my logs and it shows nothing. I'm half way tempted to reinstall ISA Server just becuase this is a little too weird to be a config problem... Thoughts? Kenny ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: isalist@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: kennymann@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: isalist@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx