Hi Erik,

ISA Server ONLY passes traffic you allow. Period. So, there are several possibilities:

1. The PIX operator is wrong
2. The LAT is configured incorrectly
3. Packet filtering is not enabled on the ISA Server
4. An "all open" Protocol Rule is there somewhere

That said, you do NOT need to create a deny rule for all protocols that are not allowed. If you do not create an allow rule for these other protocols, they will not be allowed.

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Erik Sojka [mailto:esojka@xxxxxxxx]
Sent: Wednesday, May 01, 2002 11:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Rules not working.

Server: ISA Server SP1 running on W2K SP2 + SRP + patches in Standalone/Integrated mode in an Active Directory domain. The ISA server sits behind our Cisco Pix firewall.

We previously ran our server on the above config using only caching mode. The Pix administrator reported that requests for nonstandard ports (things other than 80, 443, 20/21) were being passed through from ISA but blocked at the Pix. As part of our troubleshooting efforts, we rebuilt the server and added the firewall featureset (yielding the config above).

Site and Content rule (1 rule):
- Allow all traffic to all destinations at all times; applied to an NT group we created that has all users allowed to surf the Internet; all content groups allowed.

Protocol Rules:
- We initially had a single rule - Allow selected protocols (HTTP, HTTPS, FTP DL Only) at all times applied to the NT user group mentioned above. ISA should normally not allow traffic through that is not allowed, right? With this single protocol rule, IE requests for pages at different ports were passed through to the PIX.
- Then we created a second protocol rule - Deny all requests to protocols except HTTP, HTTPS, FTP DL only; applied always and to the NT group.
- Same thing.

What am I missing?
Why is ISA passing this traffic through when it seems like it shouldn't?

TIA,

*****************************
* Erik Sojka, MOS, MCSE     *
* Manager, Network Services *
* esojka@xxxxxxxx           *
*****************************