I think we're answering different questions.
Non-TCP/UDP traffic is limited to SecureNAT clients alone and no traffic from a SecureNAT request can be authenticated.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Wednesday, December 01, 2004 2:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication, http://www.ISAserver.org

VLANs won't affect anything. If you are doing inter-VLAN routing on the network, as long as you have a usable path to the ISA box it won't matter. A route is a route is a route. Routes don't care what kind of traffic is put on them. ACLs and filters are for controlling traffic.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, December 01, 2004 8:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication, http://www.ISAserver.org

You can't use machine names because ISA doesn't reverse-resolve client hostnames. This is processor-expensive and is dependent on the name resolution support in the internal network.

ICMP (ping, tracert), like PPTP, is SecureNAT-only. SecureNAT traffic can't be authenticated. This is why ping fails for this test.

You should take a read in the ISA help about "client types" (search on that term).

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 01, 2004 5:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication, http://www.ISAserver.org

I am not using the Remote Management options in the system policy editor because it requires the IP of the machine rather than the user name; if I want to specify the machine names of the IT staff, it's still dynamic IPs and can't be fixed to static.

________________________________

From: Ruba Al Omari, Eng.
Sent: Wednesday, December 01, 2004 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication, http://www.ISAserver.org

I have a VLAN (in fact 13, but this question is related to only one VLAN). It has a group of users. I want the IT people only to be able to ping, telnet, terminal services etc... everything to the ISA server. They can't now, and the log session shows it's denied because of the "default rule".

So I add an "Allow_IT" rule to allow all the IT staff, from whichever VLAN they are in, to manage the ISA. After the rule they still can't do it, but now it says it's denied because of the rule "Allow_IT"! I think the rule is right (the rule setup is simple and it's on the top of the rules).

In the sessions, when an IT staff member pings, it shows it's a SecureNAT session, not a web proxy session, and it considers it not authorized (so it denies it). This is my understanding of the situation.

I can work around it if, in the "Allow_IT" rule, instead of the IT group I say allow the All Users group, which includes anyone even if not authorized, and then in the exception I exclude everyone except the IT group. But it seems a bit weird to do that; besides, I am worried there is a security risk with this All Users group.

Any suggestions?

thanks,

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
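
Added example, not part of the thread and not ISA Server code: a simplified Python model of ordered rule evaluation that reproduces the behaviour discussed above, where a ping from an IT user is denied by "Allow_IT" itself because ICMP is handled as SecureNAT and cannot carry credentials. The rule name "Allow_IT_hosts", the address 10.0.5.20, the "Sales" group and the skip-on-non-membership step are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed model. Transport per protocol, and which client types can
# present user credentials (SecureNAT cannot, per the thread).
TRANSPORT = {"ping": "icmp", "telnet": "tcp", "rdp": "tcp"}
CAN_AUTHENTICATE = {"securenat": False, "firewall_client": True}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # protocol names, or {"*"} for any
    sources: frozenset     # source IPs, or {"*"} for any
    users: str             # "All Users" or a group name

@dataclass(frozen=True)
class Request:
    installed_client: str
    protocol: str
    src_ip: str
    groups: frozenset = frozenset()

def effective_client(req):
    # Non-TCP/UDP traffic is SecureNAT whatever client software is installed.
    if TRANSPORT[req.protocol] not in ("tcp", "udp"):
        return "securenat"
    return req.installed_client

def evaluate(rules, req):
    """Return (action, deciding rule name); first deciding rule wins."""
    for rule in rules:
        if not rule.protocols & {"*", req.protocol}:
            continue
        if not rule.sources & {"*", req.src_ip}:
            continue
        if rule.users == "All Users":
            return rule.action, rule.name      # no identity needed
        if not CAN_AUTHENTICATE[effective_client(req)]:
            return "deny", rule.name           # identity required, none possible
        if rule.users in req.groups:
            return rule.action, rule.name
        # Assumption: authenticated non-members fall through to the next rule.
    return "deny", "Default rule"

ANY = frozenset({"*"})
ALLOW_IT = Rule("Allow_IT", "allow", ANY, ANY, "IT")
# Hypothetical rule keyed on source address instead of user identity.
ALLOW_IT_HOSTS = Rule("Allow_IT_hosts", "allow", ANY,
                      frozenset({"10.0.5.20"}), "All Users")
it_ping = Request("firewall_client", "ping", "10.0.5.20", frozenset({"IT"}))
it_rdp = Request("firewall_client", "rdp", "10.0.5.20", frozenset({"IT"}))
```

In this model only a rule that needs no user identity (source-based, applied to All Users) can ever allow ICMP, which is why the denial moves from the default rule to "Allow_IT" once that rule is placed at the top.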