RE: ISA Authentication,

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Dec 2004 17:40:05 -0800

I think we're answering different questions.
Non-TCP/UDP traffic is limited to SecureNAT clients alone and no traffic
from a SecureNAT request can be authenticated.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] 
Sent: Wednesday, December 01, 2004 2:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication,

http://www.ISAserver.org

VLANs won't affect anything.  If you are doing inter-VLAN routing on the
network, as long as you have a usable path to the ISA box it won't matter.
A route is a route is a route.  Routes don't care what kind of traffic is
put on them.  ACLs and filters are for controlling traffic.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, December 01, 2004 8:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication,


You can't use machine names because ISA doesn't reverse-resolve client
hostnames.  This is processor-expensive and is dependent on the name
resolution support in the internal network.

ICMP (ping, tracert), like PPTP, is SecureNAT-only.  SecureNAT traffic
can't be authenticated.  This is why ping fails for this test.
You should take a read in the ISA help about "client types" (search on
that term).

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 01, 2004 5:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication,

I am not using the Remote Management options in the system policy editor
because it requires the IP of the machine rather than the user name. If I
want to specify the machine names of the IT staff, it's still dynamic IPs
and they can't be fixed to static.

________________________________

From: Ruba Al Omari, Eng. 
Sent: Wednesday, December 01, 2004 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Authentication,

 


I have a VLAN (in fact 13, but this question is related to only one
VLAN); it has a group of users. I want the IT people only to be able to
ping, telnet, terminal services etc... everything to the ISA server.
They can't now, and the log session shows it's denied because of the
"default rule".

So I added an "Allow_IT" rule to allow all the IT staff, from whichever
VLAN they are in, to manage the ISA. After the rule they still can't do
it, but now it says it's denied because of the rule "Allow_IT"! I think
the rule is right (the rule setup is simple and it's at the top of the
rules).

In the sessions, when an IT staff member pings, it shows it's a SecureNAT
session, not a web proxy session, and it considers it not authorized (so
it denies it). This is my understanding of the situation.

I can work around it if, in the "Allow_IT" rule, instead of the IT
group I allow the All Users group, which includes anyone even if not
authorized, and then in the exceptions I exclude everyone except the IT
group. But it seems a bit weird to do that; besides, I am worried there is
a security risk with this All Users group.

Any suggestions?

thanks,

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.
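
Added example, not part of the original thread and not ISA Server code: a simplified Python model of the rule evaluation the replies describe, showing why a ping that was denied by the default rule is denied by "Allow_IT" once that rule requires a user group. The "Firewall" client type, the user names and the TCP/3389 protocol label are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Request:
    client_type: str        # "SecureNAT" or "Firewall" (assumed second client type)
    protocol: str           # e.g. "ICMP", "TCP/3389"
    user: Optional[str]     # logged-on user; only visible if the client authenticates

    def identity(self) -> Optional[str]:
        # Per the thread: non-TCP/UDP traffic (ICMP, PPTP) is SecureNAT-only,
        # and SecureNAT traffic cannot be authenticated.
        tcp_udp = self.protocol.startswith(("TCP", "UDP"))
        if self.client_type == "SecureNAT" or not tcp_udp:
            return None
        return self.user

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    users: Optional[Set[str]] = None  # None models the All Users set

def evaluate(rules, req):
    """First matching rule decides; returns (action, deciding rule name)."""
    for rule in rules:
        if rule.users is None:        # All Users: no authentication needed
            return rule.action, rule.name
        who = req.identity()
        if who is None:               # rule needs a user, client has none:
            return "deny", rule.name  # denied and logged against this rule
        if who in rule.users:
            return rule.action, rule.name
    return "deny", "Default rule"

def demo():
    # Constructed sample data: user names and the RDP port are illustrative.
    policy = [Rule("Allow_IT", "allow", users={"it_admin"})]
    ping = Request("SecureNAT", "ICMP", "it_admin")
    rdp = Request("Firewall", "TCP/3389", "it_admin")
    other = Request("Firewall", "TCP/3389", "guest")
    return {
        "ping, no rule": evaluate([], ping),
        "ping, Allow_IT": evaluate(policy, ping),
        "rdp, Allow_IT": evaluate(policy, rdp),
        "guest rdp": evaluate(policy, other),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second case reproduces the log entry from the original question: the same ping is still denied, but the deciding rule changes from the default rule to "Allow_IT".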

