RE: Priority of Firewall Rules

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Oct 2004 08:34:24 -0500

Hi Nick,

No problem. In fact, it really was no problem. I just copied and pasted
the ISA Help file :-))

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx] 
Sent: Friday, October 01, 2004 8:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Priority of Firewall Rules


http://www.ISAserver.org

HI Jim,

So, back to the beginning of the topic: I was right, all I can do in
such cases is give the DNS server anonymous access, right?

BTW, Tom thanks for the explanation...

On Fri, 01 Oct 2004 06:11:17 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
wrote:
>
>Here's the deal; since you want to limit DNS to a specific computer,
>
>1 - step away from the "Users" tab in the DNS rule
>2 - place your anonymous (DNS) rules before your authentication
>(user-specific) rules or the anonymous connection will fail for lack
>of authentication.
>3 - use subnet, address set, computer, <blah-blah> anything EXCEPT
>users in the anonymous rule (DNS)
>4 - leave the "Users" tab empty, or select "All Users", but nothing
>else
>5 - in the "From" tab, select (may have to create) the computer
>object that represents the DNS server
>
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://isaserver.org/Jim_Harrison/
>  http://isatools.org
>  Read the help / books / articles!
>
>
>On Fri,  1 Oct 2004 00:27:23 -0700
> <auto122605@xxxxxxxxxxxx> wrote:
>
>Hi Jim,
>
>What do you mean no user tab for computer object?  What you are
>saying is creating a server publishing rule, right?  Though what I am
>doing is an access rule, not a server publishing rule, therefore there
>is the user tab.
>
>Also, I do not want to publish the DNS server; I just want it to be
>able to make (DNS) requests to the internet. It's an internal DNS
>server.
>
>Now in the Users tab what shall I specify?  If I specify nothing it
>won't work, not even if I specify System and Network Service.
>
>Any idea?
>
>Regards,
>Nick Holmes
>
>On Thu, 30 Sep 2004 08:00:57 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
>wrote:
>>
>>Don't use the Users tab for a computer object.
>>Use the "From" tab and select the desired item from the "Computers"
>>list in "Network Objects" when you click "Add".
>>
>>  Jim Harrison
>>  MCP(NT4, W2K), A+, Network+, PCG
>>  http://isaserver.org/Jim_Harrison/
>>  http://isatools.org
>>  Read the help / books / articles!
>>
>>----- Original Message ----- 
>>From: <auto122605@xxxxxxxxxxxx>
>>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>>Sent: Thursday, September 30, 2004 07:19
>>Subject: [isalist] RE: Priority of Firewall Rules
>>
>>
>>
>>Hi,
>>
>>That is what I am doing, in fact...
>>
>>The rule is:
>>
>>from: xxx.xxx.xxx.xxx (which is the internal IP of the DNS server)
>>to: external
>>Protocol: DNS
>>User - what do I specify here?  If I leave it empty it won't work
>>at all!
>>
>>Any idea?
>>
>>On Thu, 30 Sep 2004 06:38:49 -0700 Jim Harrison <jim@xxxxxxxxxxxx>
>>wrote:
>>>
>>>"There are other tabs than these"
>>>(three social points if you can identify the author, book, and
>>>character for this mangled misquote)
>>>
>>>Use the "From" tab when you want to create "non-human" limitations
>>>in your rules.
>>>
>>>  Jim Harrison
>>>  MCP(NT4, W2K), A+, Network+, PCG
>>>  http://isaserver.org/Jim_Harrison/
>>>  http://isatools.org
>>>  Read the help / books / articles!
>>>
>>>
>>>On Thu, 30 Sep 2004 00:45:01 -0700
>>> <auto122605@xxxxxxxxxxxx> wrote:
>>>
>>>Hi Tom,
>>>
>>>Thanks for your reply.  Regarding creating a computer object: in
>>>the Users section you can only specify a user or a group, right?
>>>Correct me if I am wrong.  Also, can you explain further regarding
>>>this issue (creating a computer account instead of Everyone)?
>>>
>>>Because I already asked once on the mailing list about this but
>>>never got a reply.
>>>
>>>On Wed, 29 Sep 2004 08:34:40 -0700 Thomas W Shinder
>>><tshinder@xxxxxxxxxxx> wrote:
>>>>
>>>>Also, don't allow EVERYONE to use DNS. Create a computer object
>>>>for your
>>>>DNS server.
>>>>
>>>>HTH
>>>>
>>>>Tom
>>>>www.isaserver.org/shinder
>>>>Get the book!
>>>>Tom and Deb Shinder's Configuring ISA Server 2004
>>>>http://tinyurl.com/3xqb7
>>>>MVP -- ISA Firewalls
>>>>
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: auto122605@xxxxxxxxxxxx [mailto:auto122605@xxxxxxxxxxxx]
>>>>
>>>>Sent: Wednesday, September 29, 2004 10:12 AM
>>>>To: [ISAserver.org Discussion List]
>>>>Subject: [isalist] Priority of Firewall Rules
>>>>
>>>>
>>>>
>>>>I have just 2 rules on my ISA 2K4, which are:
>>>>
>>>>(Rule 1)
>>>>Allow - (From) xxx.xxx.xxx.xxx to  external
>>>>Protocol - DNS 
>>>>Users - All users
>>>>
>>>>and 
>>>>
>>>>(Rule 2)
>>>>Allow - (From) Internal network to external 
>>>>Protocol - Any
>>>>Users - User1
>>>>
>>>>Like this I have a DNS server which uses forwarders from the
>>>>internet and is used as an internal network DNS server.  When I
>>>>move Rule 2 before Rule 1 the DNS stops working.  Why is this the
>>>>behaviour?  Is it because Rule 2 allows only a specific user to
>>>>access the internet, and therefore automatically all other users
>>>>are denied, and therefore the DNS server stops working?
>>>>
>>>>
>>>>Thanks..
>>>>Nick Holmes
>>>>
>>>>
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>World of Windows Networking: http://www.windowsnetworking.com
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 Exchange Server Resource Site: http://www.msexchange.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this ISAserver.org Discussion List
>as: auto122605@xxxxxxxxxxxx
>To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
>Report abuse to listadmin@xxxxxxxxxxxxx






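The ordering rule Jim and Tom describe (computer-scoped anonymous rules above user-scoped rules, first match wins), as an added example that is not part of the original thread and not ISA's own code: a small Python model of ISA 2004 access-rule evaluation, plus a lint that flags an anonymous rule shadowed by an authenticated rule above it. The address plan (10.0.0.0/24 with the DNS server at 10.0.0.53), the rule names, the sample requests and the exact authentication semantics (a request that hits a user-restricted rule without credentials is refused there rather than falling through) are assumptions of the model, chosen to reproduce the behaviour reported in the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence, Tuple

ALL_USERS = "All Users"   # the Users-tab default: no credentials required
ANY = "*"                 # wildcard standing in for "Any" protocol / network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src: Tuple[IPv4Network, ...]   # "From" tab: computer / subnet objects
    dst: FrozenSet[str]            # "To" tab: network names, e.g. "External"
    protocols: FrozenSet[str]      # "Protocols" tab: {"DNS"} or {ANY}
    users: FrozenSet[str]          # "Users" tab: {ALL_USERS} or named accounts


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_net: str
    protocol: str
    user: Optional[str] = None     # None: client cannot present credentials


def _traffic_matches(rule: Rule, req: Request) -> bool:
    """From / To / Protocol match, ignoring the Users tab."""
    ip = ip_address(req.src_ip)
    return (any(ip in net for net in rule.src)
            and (ANY in rule.dst or req.dst_net in rule.dst)
            and (ANY in rule.protocols or req.protocol in rule.protocols))


def evaluate(rules: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """First-match, top-down evaluation (model assumption, see lead-in).

    Returns (verdict, rule name); verdict is "allow", "deny" or
    "deny-auth" (the matching rule demanded credentials the client could
    not supply, so the request dies there and later rules are never read).
    """
    for rule in rules:
        if not _traffic_matches(rule, req):
            continue
        if ALL_USERS not in rule.users:            # rule demands authentication
            if req.user is None:
                return "deny-auth", rule.name
            if req.user not in rule.users:
                continue                            # authenticated, but not this rule's user
        return rule.action, rule.name
    return "deny", "default rule"


def shadowed_anonymous_rules(rules: Sequence[Rule]) -> List[Tuple[str, str]]:
    """Lint: anonymous rules placed below an authenticated rule whose
    From/To/Protocol scope overlaps theirs. Returns (shadowed, shadowing)."""
    findings = []
    for i, lower in enumerate(rules):
        if ALL_USERS not in lower.users:
            continue
        for upper in rules[:i]:
            if ALL_USERS in upper.users:
                continue
            src_ov = any(a.overlaps(b) for a in lower.src for b in upper.src)
            dst_ov = ANY in lower.dst or ANY in upper.dst or bool(lower.dst & upper.dst)
            proto_ov = (ANY in lower.protocols or ANY in upper.protocols
                        or bool(lower.protocols & upper.protocols))
            if src_ov and dst_ov and proto_ov:
                findings.append((lower.name, upper.name))
    return findings


# Constructed scenario mirroring the thread (addresses and names are assumed)
INTERNAL = ip_network("10.0.0.0/24")
DNS_SERVER = ip_network("10.0.0.53/32")           # the "computer" object

RULE_DNS = Rule("Rule 1 - DNS server out", "allow", (DNS_SERVER,),
                frozenset({"External"}), frozenset({"DNS"}), frozenset({ALL_USERS}))
RULE_USER1 = Rule("Rule 2 - User1 any", "allow", (INTERNAL,),
                  frozenset({"External"}), frozenset({ANY}), frozenset({"User1"}))

GOOD_ORDER = (RULE_DNS, RULE_USER1)    # anonymous rule above the user rule
BAD_ORDER = (RULE_USER1, RULE_DNS)     # Rule 2 moved above Rule 1

DNS_FROM_DNS_SERVER = Request("10.0.0.53", "External", "DNS")
DNS_FROM_WORKSTATION = Request("10.0.0.10", "External", "DNS")
WEB_FROM_USER1 = Request("10.0.0.10", "External", "HTTP", user="User1")


def main() -> None:
    for label, order in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        for req in (DNS_FROM_DNS_SERVER, DNS_FROM_WORKSTATION, WEB_FROM_USER1):
            print(f"{label}: {req.protocol} from {req.src_ip} as {req.user}: "
                  f"{evaluate(order, req)}")
        print(f"{label}: shadowed anonymous rules: {shadowed_anonymous_rules(order)}")


if __name__ == "__main__":
    main()
```

Running it shows the symptom from the first post: with Rule 1 on top the DNS server's forwarder query is allowed anonymously, with Rule 2 on top the same query hits the User1 rule first and is refused for lack of credentials, while User1's own web traffic is allowed either way. The lint reports the bad order as a shadowed anonymous rule, which is the check to run whenever a user-restricted "Any protocol" rule is moved up the list. Scoping Rule 1 to the DNS server's computer object also means a workstation that tries DNS directly does not get the anonymous path.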