Hi Nick,

No problem. In fact, it really was no problem. I just copied and pasted the ISA Help file :-))

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx]
Sent: Friday, October 01, 2004 8:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Priority of Firewall Rules

http://www.ISAserver.org

Hi Jim,

So back to the beginning of the topic.. I was right, all I can do in such cases is give the DNS server anonymous access, right?

BTW, Tom, thanks for the explanation...

On Fri, 01 Oct 2004 06:11:17 -0700 Jim Harrison <jim@xxxxxxxxxxxx> wrote:
>http://www.ISAserver.org
>
>Here's the deal; since you want to limit DNS to a specific computer,
>
>1 - step away from the "Users" tab in the DNS rule
>2 - place your anonymous (DNS) rules before your authentication
>(user-specific) rules or the anonymous connection will fail for lack
>of authentication.
>3 - use subnet, address set, computer, <blah-blah> anything EXCEPT
>users in the anonymous rule (DNS)
>4 - leave the "Users" tab empty, or select "All Users", but nothing
>else
>5 - in the "From" tab, select (may have to create) the computer
>object that represents the DNS server
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
>On Fri, 1 Oct 2004 00:27:23 -0700
> <auto122605@xxxxxxxxxxxx> wrote:
>http://www.ISAserver.org
>
>Hi Jim,
>
>What do you mean no user tab for computer object? What you are saying
>is creating a server publishing rule, right? Though what I am doing is
>an access rule, not a server publishing rule, therefore there is the
>user tab.
>
>Also I do not want to publish the DNS server, I just want it to be able
>to make requests (DNS) to the internet, it's an internal DNS server.
>
>Now in the user's tab what shall I specify? If I specify nothing it
>won't work, not even if I specify system and network service.
>
>Any idea?
>
>Regards,
>Nick Holmes
>
>On Thu, 30 Sep 2004 08:00:57 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
>wrote:
>>http://www.ISAserver.org
>>
>>No use user tab for computer object.
>>Use "From" tab and select desired item from "computers" list in
>>"network Objects" when you click "Add".
>>
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>>
>>----- Original Message -----
>>From: <auto122605@xxxxxxxxxxxx>
>>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>>Sent: Thursday, September 30, 2004 07:19
>>Subject: [isalist] RE: Priority of Firewall Rules
>>
>>
>>http://www.ISAserver.org
>>
>>Hi,
>>
>>That is what I am doing in fact...
>>
>>the rule is:
>>
>>from : xxx.xxx.xxx.xxx (which is the internal ip of the dns server)
>>to : external
>>Protocol: DNS
>>User - what do I specify here? If I leave it empty it won't work at
>>all!
>>
>>Any idea?
>>
>>On Thu, 30 Sep 2004 06:38:49 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
>>wrote:
>>>http://www.ISAserver.org
>>>
>>>"There are other tabs than these"
>>>(three social points if you can identify author, book, character
>>>for this mangled misquote)
>>>
>>>Use the "from" tab when you want to create "non-human" limitations
>>>in your rules.
>>>
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>>
>>>
>>>On Thu, 30 Sep 2004 00:45:01 -0700
>>> <auto122605@xxxxxxxxxxxx> wrote:
>>>http://www.ISAserver.org
>>>
>>>Hi Tom,
>>>
>>>Thanks for your reply. Regarding creating a computer object, in the
>>>users section you can only specify a user right or a group? Correct
>>>me if I am wrong..
>>>also can you explain further regarding this issue (Creating
>>>a computer account instead of everyone)?
>>>
>>>Cause I already asked once in the mailing list about this but never
>>>got a reply.
>>>
>>>On Wed, 29 Sep 2004 08:34:40 -0700 Thomas W Shinder <tshinder@xxxxxxxxxxx>
>>>wrote:
>>>>http://www.ISAserver.org
>>>>
>>>>Also, don't allow EVERYONE to use DNS. Create a computer object
>>>>for your DNS server.
>>>>
>>>>HTH
>>>>
>>>>Tom
>>>>www.isaserver.org/shinder
>>>>Get the book!
>>>>Tom and Deb Shinder's Configuring ISA Server 2004
>>>>http://tinyurl.com/3xqb7
>>>>MVP -- ISA Firewalls
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx]
>>>>Sent: Wednesday, September 29, 2004 10:12 AM
>>>>To: [ISAserver.org Discussion List]
>>>>Subject: [isalist] Priority of Firewall Rules
>>>>
>>>>
>>>>http://www.ISAserver.org
>>>>
>>>>I have just 2 rules on my isa 2K4 which are:
>>>>
>>>>(Rule 1)
>>>>Allow - (From) xxx.xxx.xxx.xxx to external
>>>>Protocol - DNS
>>>>Users - All users
>>>>
>>>>and
>>>>
>>>>(Rule 2)
>>>>Allow - (From) Internal network to external
>>>>Protocol - Any
>>>>Users - User1
>>>>
>>>>Like this I have a DNS server which uses forwarders from the internet
>>>>and is used as an internal network DNS Server. When I move Rule 2
>>>>before Rule 1 the DNS stops working. How is this behaviour? Is it cause
>>>>Rule 2 allows only a specific user to access the internet therefore
>>>>automatically all other users are denied? And therefore the DNS Server
>>>>stops working?
>>>>
>>>>
>>>>Thanks..
>>>>Nick Holmes
>>>>
>>>>
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>World of Windows Networking: http://www.windowsnetworking.com
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 Exchange Server Resource Site: http://www.msexchange.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this ISAserver.org Discussion List
>as: auto122605@xxxxxxxxxxxx
>To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
>Report abuse to listadmin@xxxxxxxxxxxxx
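
The rule-ordering behaviour discussed in this thread, as an added example that is not part of the original messages and is not ISA Server code: a simplified Python model of first-match evaluation in which a user-specific rule that matches an unauthenticated connection fails it on the spot, plus a check that flags anonymous rules placed behind such a rule. The class and function names, the 10.0.0.x addresses and the fall-through for authenticated users outside the rule's user set are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    source: str                     # "From" tab, as a CIDR range
    protocol: str                   # "DNS", or "Any"
    users: frozenset = frozenset()  # empty models "All Users" (anonymous OK)

@dataclass(frozen=True)
class Request:
    src: str
    protocol: str
    user: Optional[str] = None      # None = connection carries no credentials

def matches(rule, req):
    return (ip_address(req.src) in ip_network(rule.source)
            and rule.protocol in ("Any", req.protocol))

def evaluate(rules, req):
    """First-match evaluation; returns (action, name of deciding rule)."""
    for rule in rules:
        if not matches(rule, req):
            continue
        if not rule.users or req.user in rule.users:
            return ("allow", rule.name)
        if req.user is None:
            # Rule needs a user and the client sent none: it fails here,
            # so the anonymous rule further down is never reached.
            return ("deny", rule.name)
        # Authenticated but not listed: the model moves on (assumption).
    return ("deny", "default")

def shadowed_anonymous_rules(rules):
    """(anonymous rule, earlier user-specific rule) pairs that overlap."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (not rule.users and earlier.users
                    and earlier.protocol in ("Any", rule.protocol)
                    and ip_network(rule.source).overlaps(ip_network(earlier.source))):
                findings.append((rule.name, earlier.name))
    return findings

# Constructed stand-ins for the thread's two rules (addresses are made up).
DNS_RULE = Rule("Rule 1", "10.0.0.53/32", "DNS")
USER_RULE = Rule("Rule 2", "10.0.0.0/24", "Any", frozenset({"User1"}))
DNS_QUERY = Request("10.0.0.53", "DNS")  # DNS server, no logged-on user
```

Evaluating `DNS_QUERY` against `[USER_RULE, DNS_RULE]` reproduces the failure Nick reports after moving Rule 2 first; `shadowed_anonymous_rules` on the same ordering names the pair to swap.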