
Hi Mblayo, I've read how ISA processes rules in order but still ... Now, given the default Deny rule (the last one) and given my situation, could you please help revise my rules in a manner sensible to ISA? :-)

There are only a few hosts (top dogs) to be exempted from filtering. So do I begin with a rule like: Action=Allow; Protocols=All outbound traffic; From=top dog ips; To=External, right? I imagine this will only allow unrestricted access to top dogs, because I did not use "internal".

Next rule I should use: Action = Allow; Protocols = DNS, pop3(s), smtp(s), imap(s); From=Internal; To = External -> This should allow them mail traffic, right? I include DNS because they use names as opposed to IPs for mail servers. Actually, SBS/ISA server is their DNS server so maybe including DNS is superficial?

Now my headache comes in when I need to allow only selected websites for "Internal diaspora" (after top dogs are already allowed everything). In squid, if I wanted to allow access to google.com and any subdomains, I'd specify a destdomain rule. So I can do: .google.com, .yahoo.com, .gmail.com, etc. Not with ISA! Does anyone know how to achieve the same with ISA (2004 here, btw)?? If someone visits yahoo.com and it comes up with yahoo.com/something, ISA denies it. ISA wants me to specify every possible contraption on a domain<LOL>

Actually, I am willing to give someone with time access to my ISA to help me out. It has worn me out :-)

On Thu, Jul 8, 2010 at 2:52 PM, Brian Munyao Longwe <blongwe@gmail.com> wrote:
Wash,
the ISA is a weird animal
tips:
1) ISA processes rules in ascending order i.e. 1,2,3,4....
2) Any DENY rules should come *last* i.e. at the bottom of the list
3) In any case you shouldn't need any DENY rules as the last default rule denies everything
Don't know if that'll help - but I see you've started with a deny rather than an allow
B
On Thu, Jul 8, 2010 at 2:38 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
I happen to be familiar with Unix firewalls but this Microsoft one is another - simply does not obey my rules. I need someone expert with it to help me out. I have a LAN in the 192.168.0.0 - 255.255.0.0 address range. ISA is running on SBS 23k. This PC is multi-homed, with one public interface.
I need to do the following:
1. Allow pop3, pop3s, smtp, smtps, imap and imaps for everyone
2. Deny ALL Internet Access except to a few hosts. These exempted hosts have static IPs dished out via DHCP servers running either on the SBS or Cisco.
Now this is what I have attempted.
(a) Policy no. 1: Action = Deny; Protocols = All outbound traffic except selected (like above), From = Internal (with Exceptions), To = External
(b) Policy no. 2: Action = Allow; Protocols = Selected (FTP, HTTP, HTTPS) From = Internal; To = Selected Websites ....
Then I have the default Last Rule that DENYs everything.
What happens is that rule 1 stops the guys even from Accessing their e-mails and does NOT allow the PCs in the Exception list to access the Internet.
I am stumped.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f... ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Brian Munyao Longwe e-mail: blongwe@gmail.com cell: + 254 722 518 744 blog : http://zinjlog.blogspot.com meta-blog: http://mashilingi.blogspot.com
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
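Added example, not from any of the messages above and not ISA code: a small first-match policy model that plays Wash's original policy (a)/(b) and his proposed revised ordering against sample requests. The rule set, the exempt host addresses, the sample destinations and the ".yahoo.com" suffix convention (borrowed from the squid destdomain style mentioned in the thread) are all constructed for the model; it does not claim to reproduce how ISA 2004 matches domain name sets internally. What it shows is why, under plain first-match semantics with a default deny at the end, a leading Deny rule with protocol and host exceptions still leaves mail and the exempt hosts denied: nothing the exceptions fall through to is an Allow, so the default rule catches them.

```python
"""First-match firewall policy model (constructed example, not ISA's engine)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional
from urllib.parse import urlparse

INTERNAL = IPv4Network("192.168.0.0/16")  # the LAN range from the thread
# Hypothetical exempt ("top dog") hosts, constructed for this example
TOP_DOGS = frozenset({ip_address("192.168.0.10"), ip_address("192.168.0.11")})
MAIL = frozenset({"dns", "pop3", "pop3s", "smtp", "smtps", "imap", "imaps"})
WEB = frozenset({"http", "https", "ftp"})
SELECTED_SITES = frozenset({".google.com", ".yahoo.com"})  # constructed allow list


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    protocols: Optional[frozenset]           # None means "all outbound traffic"
    protocol_exceptions: frozenset = frozenset()
    sources: Optional[frozenset] = None      # None means the whole Internal network
    source_exceptions: frozenset = frozenset()
    domains: Optional[frozenset] = None      # None means any External destination


def domain_matches(host: str, pattern: str) -> bool:
    """A leading dot (.yahoo.com) matches the domain itself and every subdomain;
    any other pattern must match the host exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_of(url: str) -> str:
    """Match on the host part only, so 'yahoo.com/something' is still yahoo.com."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def rule_matches(rule: Rule, src, proto: str, host: str) -> bool:
    if src not in INTERNAL:                       # every rule here is From=Internal
        return False
    if rule.protocols is not None and proto not in rule.protocols:
        return False
    if proto in rule.protocol_exceptions:
        return False
    if rule.sources is not None and src not in rule.sources:
        return False
    if src in rule.source_exceptions:
        return False
    if rule.domains is not None and not any(domain_matches(host, d) for d in rule.domains):
        return False
    return True


def evaluate(policy, src_ip: str, proto: str, url: str):
    """Walk the rules in order; the first match decides, otherwise the default rule denies."""
    src, host = ip_address(src_ip), host_of(url)
    for rule in policy:
        if rule_matches(rule, src, proto, host):
            return rule.action, rule.name
    return "deny", "default rule"


# Wash's original attempt: (a) deny-with-exceptions first, (b) allow selected sites second.
BROKEN_POLICY = [
    Rule("1 deny most", "deny", None, protocol_exceptions=MAIL, source_exceptions=TOP_DOGS),
    Rule("2 allow selected sites", "allow", WEB, domains=SELECTED_SITES),
]

# The revised ordering from the follow-up: only Allow rules, default deny does the rest.
REVISED_POLICY = [
    Rule("top dogs", "allow", None, sources=TOP_DOGS),
    Rule("mail for everyone", "allow", MAIL),
    Rule("selected sites", "allow", WEB, domains=SELECTED_SITES),
]

if __name__ == "__main__":
    for policy_name, policy in (("broken", BROKEN_POLICY), ("revised", REVISED_POLICY)):
        for args in (("192.168.5.7", "pop3", "mail.example.org"),
                     ("192.168.0.10", "http", "example.org"),
                     ("192.168.5.7", "http", "yahoo.com/something")):
            print(policy_name, args, "->", evaluate(policy, *args))
```

In the broken ordering a plain user's pop3 session skips rule 1 via the protocol exception, skips rule 2 because pop3 is not a web protocol, and lands on the default deny; a top dog's web request likewise skips rule 1 via the host exception and is then denied by the default rule unless the site is on the selected list. In the revised ordering each population hits an Allow before the default rule, and the dotted suffix handles yahoo.com/something because matching is done on the host, not the full URL.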