RE: Rules not working.

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 1 May 2002 12:05:50 -0500

Hi Erik,

ISA Server ONLY passes traffic you allow. Period. So, there are several
possibilities:

1. The PIX operator is wrong

2. The LAT is configured incorrectly

3. Packet filtering is not enabled on the ISA Server

4. An "all open" Protocol Rule is there somewhere

That said, you do NOT need to create a deny rule for all protocols that
are not allowed. If you do not create an allow rule for these other
protocols, they will not be allowed.

HTH,
Tom
www.isaserver.org/shinder
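As an added illustration of Tom's point (example code, not anything from ISA Server or the list): a small Python model of ISA Server 2000 outbound policy, with the NT group names, rule names and the "tcp/8080" request made up. It shows that with only allow rules a nonstandard port is denied, that an explicit deny rule changes nothing, and that a stray "all open" rule for another group the user belongs to is what would let the request through.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence

# Constructed, simplified model of ISA Server 2000 outbound policy (example code,
# not ISA's own). Group names, rule names and the "tcp/8080" request are made up.

@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[FrozenSet[str]]  # None = "All IP traffic" (an "all open" rule)
    groups: FrozenSet[str]               # NT groups the rule applies to
    negate: bool = False                 # True = "All IP traffic except selected"

@dataclass(frozen=True)
class Request:
    user_groups: FrozenSet[str]
    protocol: str                        # e.g. "http", "tcp/8080"

def rule_matches(rule: ProtocolRule, req: Request) -> bool:
    in_set = rule.protocols is None or req.protocol in rule.protocols
    proto_ok = (not in_set) if rule.negate else in_set
    return proto_ok and bool(rule.groups & req.user_groups)

def protocol_rules_permit(rules: Sequence[ProtocolRule], req: Request) -> bool:
    """Default deny: passes only if some allow rule matches and no deny rule does."""
    matching = [r for r in rules if rule_matches(r, req)]
    if any(r.action == "deny" for r in matching):
        return False                     # deny rules take precedence over allow rules
    return any(r.action == "allow" for r in matching)

def is_permitted(site_content_allows: bool, rules: Sequence[ProtocolRule], req: Request) -> bool:
    # Both a site and content rule and a protocol rule must allow the request.
    return site_content_allows and protocol_rules_permit(rules, req)

SURF = frozenset({"Internet Users"})                 # constructed name for the NT group
WEB = frozenset({"http", "https", "ftp-download"})   # the three protocols from the thread

ERIK_RULES = [ProtocolRule("Allow web", "allow", WEB, SURF)]
WITH_DENY = ERIK_RULES + [ProtocolRule("Deny the rest", "deny", WEB, SURF, negate=True)]
STRAY_ALL_OPEN = ERIK_RULES + [ProtocolRule("Stray all open", "allow", None, frozenset({"Domain Users"}))]

def verdicts(rules: Sequence[ProtocolRule]) -> Dict[str, bool]:
    """Verdicts for a user in both groups; the site and content rule allows everything."""
    user = frozenset({"Internet Users", "Domain Users"})
    return {p: is_permitted(True, rules, Request(user, p)) for p in ("http", "tcp/8080")}
```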


-----Original Message-----
From: Erik Sojka [mailto:esojka@xxxxxxxx] 
Sent: Wednesday, May 01, 2002 11:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Rules not working.


Server: ISA Server SP1 running on W2K SP2 + SRP + patches in Standalone/Integrated mode in an Active Directory domain. The ISA server sits behind our Cisco Pix firewall.

We previously ran our server on the above config using only caching mode. The Pix administrator reported that requests for nonstandard ports (things other than 80, 443, 20/21) were being passed through from ISA but blocked at the Pix. As part of our troubleshooting efforts, we rebuilt the server and added the firewall feature set (yielding the config above).

Site and Content rule (1 rule):
- Allow all traffic to all destinations at all times; applied to an NT group we created that has all users allowed to surf the Internet; all content groups allowed.

Protocol Rules:
- We initially had a single rule - Allow selected protocols (HTTP, HTTPS, FTP DL Only) at all times, applied to the NT user group mentioned above. ISA should normally not allow traffic through that is not allowed, right? With this single protocol rule, IE requests for pages at different ports were passed through to the PIX.
- Then we created a second protocol rule - Deny all requests to protocols except HTTP, HTTPS, FTP DL only; applied always and to the NT group. - Same thing.

What am I missing? Why is ISA passing this traffic through when it seems like it shouldn't?

TIA, 

*****************************
* Erik Sojka, MOS, MCSE     *
* Manager, Network Services *
* esojka@xxxxxxxx           *
***************************** 


