Subject: How ISA rule base works and how to bind users IP with MAC.

From: lordhighfixer@earthlink.net
Date: 10/24/02


Date: Wed, 23 Oct 2002 23:28:16 -0700
From: <lordhighfixer@earthlink.net>
To: tiger@justmailz.com

Some possible solutions below.

> -----Original Message-----
> From: Tiger [mailto:tiger@justmailz.com]
> Sent: Wednesday, October 23, 2002 7:46 AM
> To: security-basics@securityfocus.com; focus-ms@securityfocus.com
> Subject: How ISA rule base works and how to bind users IP with MAC.
>
> Hi All,
>
> Microsoft ISA Server's rule base engine first of all denies all
> requests and then allows. This increases complexity. How this rule
> base works is not very clear to me. First of all, it implicitly denies
> all requests given in the rule base, then allows explicitly allowed rules,
> and the rest are denied.
> When it says allow explicitly allowed rules, then what does it mean?
> How does it pick rules and what would be the sequence?

"Deny rules are normally processed before Allow rules. However, special
situations of HTTP requests that come from the Firewall Service to the Web
Proxy Service, the 'rules engine' seeks a rule that allows for 'anonymous'
connections before denying the request." - Configuring ISA Server 2000 by Dr.
Shinder

If a "Site and Content" rule base is set up to deny access by:

IP Address (destination/internal/external/destination sets)
Application (text, zip, MPEG, AVI etc.)
Schedule
Username/Group name

then the request is denied if any of these are true. If any of these aren't true,
then the connection has to pass the "Protocol Rule" base (the client must be
given the right to access this site with a given protocol like FTP, Telnet,
HTTP, HTTPS etc.).

Only after passing both rule bases is the connection allowed. By
default, the Site and Content rule allows everyone all sites, any content, at any
hour, but no one has any right to access any site via any protocol. So, by
default, the Protocol Rules wizard will try to create a quick rule for your
users with the basics: HTTP/HTTPS/FTP/Gopher. However, you can create other
rules or change the basic rule to add in all protocols. For troubleshooting
situations you will want to create a Protocol Rule with "All" protocols
allowed and keep it disabled. When you need to troubleshoot an app or a
connection, try enabling it to help pinpoint the problem.

> 1. Access Policy
> Site and Content Rules
> Packet Filters
> 2. Publishing Rule
> Web Publishing
> Server Publishing

I'm not sure about the publishing rules.

> I can't understand the logic behind Microsoft's design; why not a
> simple rule base like Checkpoint or any other firewall?
>
> I have ISA Server installed. Only selected LAN users are allowed to
> access the Internet. It's authenticating users from the Domain Controller.
> Here my requirement is to allow selected LAN users to access the Internet
> only from their machine. I have tried allowing them in two ways,
> 1. IP basis, 2. User basis, but both have their limitations:
> 1. IP based: a user can ask or guess someone's IP and put it in his
> machine and get access when the allowed machine is powered off or its NIC is
> disabled.
> 2. User based: Passwords can be shared among users and they can
> access the Internet from any machine.
> There should be some way in the Domain Controller to bind a user's access
> to their machine or assigned IP only. Any idea?
> OR
> Is there any solution in ISA only?

I'm sure there are several things that can be done here. However, I would
seriously consider writing a computer usage policy stating that employees are
not allowed to share their accounts nor change their IP addresses and such
actions are being monitored. Make sure everyone reads and signs off on the
new policy.

There may be something you can do with System/Group policies. I believe
there's some software out there that will notify you when someone's MAC and IP
addresses change.

>
> We can reserve an IP in DHCP with the MAC address, and it works fine only in the
> case when the user requests DHCP to release an IP,
> I mean when the user selects the option "Obtain an IP address automatically".
> If he assigns an IP manually then he can enter into the domain and access the
> Internet. My purpose can be solved if I get any way to restrict him
> to the domain.

You can setup ISA in its own domain and have a one-way trust relationship to
one domain only. Internet access will have to come through ISA. That is of
course if it's the only way out of your network.

There are a couple of confusing things here. There are three clients that I know
of.

One client is NAT: any computer that sets up its Default Gateway to the
internal address of the ISA server.

2nd client is Web Proxy: any computer that sets up its browser to use the
ISA server.

3rd client is Firewall Client: you must install the firewall client software.

What's more is that you can be more than one client, and some clients won't
allow you to be another particular client; I just can't remember which off hand.
I believe it is NAT and Web Proxy but not Web Proxy and Firewall Client.

>
> My friend has a cable connection. His machine is not in a domain. He is
> getting access through MAC + IP address only. For some reason, if
> he changes MAC or IP his Internet doesn't work.
> Any suggestion most welcome
>
The new IP Address may have a different Gateway? Also, the new IP Address may
belong to another subnet that has not been added to the Local Address Table on
the ISA server?

Most of these questions would also be answered at www.isaserver.org; it is an
excellent site.

Hope this helps.
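The two-stage evaluation described in the reply above (Site and Content rules first, deny rules before allow rules, then Protocol rules, with an implicit deny when no allow rule matches, and a disabled "All protocols" rule kept for troubleshooting) is easier to follow as code. The following is an added illustration written for this page, not ISA Server code and not a complete model of its policy engine; the anonymous-request special case from the Shinder quote is not modelled. Rule names, group names, addresses and hours are constructed.

```python
"""Toy two-stage rule evaluator modelled on the ordering described in the
thread. Added illustration; not ISA Server code and not a complete model."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ALL_HOURS = frozenset(range(24))


@dataclass(frozen=True)
class Request:
    user: str             # account authenticated against the domain controller
    groups: frozenset     # domain groups the account belongs to
    dest_ip: str          # destination the client wants to reach
    content_type: str     # MIME type of the content (seen by the Web Proxy)
    protocol: str         # "HTTP", "HTTPS", "FTP", "TELNET", ...
    hour: int             # hour of day, 0-23, for schedule checks


def _principal_match(rule_principals, r):
    """Empty principal set means everyone; otherwise user or a group must be listed."""
    return not rule_principals or bool(({r.user} | r.groups) & rule_principals)


@dataclass(frozen=True)
class SiteContentRule:
    name: str
    action: str                               # "allow" or "deny"
    enabled: bool = True
    dest_nets: tuple = ()                     # destination set; () = any site
    content_types: frozenset = frozenset()    # empty = any content
    hours: frozenset = ALL_HOURS              # schedule
    principals: frozenset = frozenset()       # users/groups; empty = everyone

    def matches(self, r):
        return (self.enabled
                and (not self.dest_nets
                     or any(ip_address(r.dest_ip) in ip_network(n) for n in self.dest_nets))
                and (not self.content_types or r.content_type in self.content_types)
                and r.hour in self.hours
                and _principal_match(self.principals, r))


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str
    enabled: bool = True
    protocols: frozenset = frozenset()        # empty = "All" protocols
    hours: frozenset = ALL_HOURS
    principals: frozenset = frozenset()

    def matches(self, r):
        return (self.enabled
                and (not self.protocols or r.protocol in self.protocols)
                and r.hour in self.hours
                and _principal_match(self.principals, r))


def _stage(rules, r, label):
    """Deny rules are processed before allow rules; no matching allow = implicit deny."""
    for rule in rules:
        if rule.action == "deny" and rule.matches(r):
            return False, f"{label}: denied by '{rule.name}'"
    for rule in rules:
        if rule.action == "allow" and rule.matches(r):
            return True, f"{label}: allowed by '{rule.name}'"
    return False, f"{label}: no allow rule matched (implicit deny)"


def evaluate(r, site_rules, protocol_rules):
    """Return ("allow" | "deny", reason). Both stages must pass for an allow."""
    ok, why = _stage(site_rules, r, "site/content")
    if not ok:
        return "deny", why
    ok, why2 = _stage(protocol_rules, r, "protocol")
    return ("allow" if ok else "deny"), why + "; " + why2


# Constructed sample policy (hypothetical names, groups and addresses).
SITE_RULES = (
    SiteContentRule("Block video downloads", "deny",
                    content_types=frozenset({"video/mpeg", "video/x-msvideo"})),
    SiteContentRule("No lab network in office hours", "deny",
                    dest_nets=("192.0.2.0/24",), hours=frozenset(range(9, 18))),
    SiteContentRule("Allow rule", "allow"),   # the default: everyone, any site, any hour
)
PROTOCOL_RULES = (
    ProtocolRule("Basic web access", "allow",
                 protocols=frozenset({"HTTP", "HTTPS", "FTP", "GOPHER"}),
                 principals=frozenset({"InternetUsers"})),
    ProtocolRule("Troubleshooting: all protocols", "allow", enabled=False),
)


def with_troubleshooting_rule(protocol_rules):
    """Copy of the protocol rules with the disabled 'All protocols' rule switched on."""
    return tuple(replace(p, enabled=True) if p.name.startswith("Troubleshooting") else p
                 for p in protocol_rules)


if __name__ == "__main__":
    alice = dict(user="alice", groups=frozenset({"InternetUsers"}))
    for req in (Request(**alice, dest_ip="198.51.100.10", content_type="text/html", protocol="HTTP", hour=10),
                Request(**alice, dest_ip="198.51.100.10", content_type="video/x-msvideo", protocol="HTTP", hour=10),
                Request(**alice, dest_ip="192.0.2.5", content_type="text/html", protocol="HTTP", hour=10),
                Request(**alice, dest_ip="198.51.100.10", content_type="text/html", protocol="TELNET", hour=10),
                Request(user="bob", groups=frozenset(), dest_ip="198.51.100.10",
                        content_type="text/html", protocol="HTTP", hour=10)):
        print(req.user, req.protocol, req.content_type, req.dest_ip, "->", *evaluate(req, SITE_RULES, PROTOCOL_RULES))
```

Note how "bob", who is not in the InternetUsers group, passes the Site and Content stage on the default allow rule and is still denied, because no Protocol rule grants him anything; that is the implicit deny the original question asks about. Switching on the troubleshooting rule with `with_troubleshooting_rule()` is what makes alice's TELNET request pass, which is why such a rule should stay disabled outside of troubleshooting.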

>
> Cheers!
> Tiger
>
>
> ______________________________________________________________________
> Get Free POP & IMAP Email Accounts on www.justmailz.com !
> Quote : "All life is an experiment."
>
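The reply mentions software that notifies you when someone's MAC and IP addresses change. A minimal version of that check, written for this page as an added example (not anything from the thread), compares the ARP cache on the ISA server's internal interface with the DHCP reservation list and reports the two cases the original question worries about: a known NIC that is no longer on its reserved address (a manually configured IP) and a reserved address now answered by an unknown NIC (someone took a powered-off machine's IP). The reservation list, host names and `arp -a` output are constructed; it assumes the clients sit on the same segment as the ISA server, so their MACs, not a router's, show up in the cache.

```python
"""Compare ARP cache entries against DHCP reservations. Added example with
constructed data; not from the thread and not a substitute for a real tool."""
import re

# Constructed DHCP reservation list: MAC -> reserved IP (hypothetical hosts).
RESERVATIONS = {
    "00-50-56-ab-cd-01": "10.0.0.21",   # alice-pc
    "00-50-56-ab-cd-02": "10.0.0.22",   # bob-pc
    "00-50-56-ab-cd-03": "10.0.0.23",   # carol-pc, powered off today
}

# Constructed sample of Windows `arp -a` output on the ISA server's internal NIC.
ARP_OUTPUT = """\
Interface: 10.0.0.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.0.0.21             00-50-56-ab-cd-01     dynamic
  10.0.0.50             00-50-56-ab-cd-02     dynamic
  10.0.0.23             00-50-56-ab-cd-99     dynamic
  10.0.0.77             00-50-56-ab-cd-98     dynamic
"""

# Matches an ARP data line: dotted IP, hyphenated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp(text):
    """Return [(ip, mac), ...] from `arp -a` output; header lines are skipped."""
    return [(m.group(1), m.group(2).lower())
            for m in map(ARP_LINE.match, text.splitlines()) if m]


def check_bindings(entries, reservations):
    """Return findings as (kind, ip_seen, mac_seen, expected) tuples."""
    ip_owner = {ip: mac for mac, ip in reservations.items()}   # reserved IP -> MAC
    findings = []
    for ip, mac in entries:
        reserved_ip = reservations.get(mac)
        if reserved_ip is None and ip in ip_owner:
            # A reserved address answered by a NIC we do not know: IP takeover.
            findings.append(("IP_TAKEOVER", ip, mac, ip_owner[ip]))
        elif reserved_ip is None:
            findings.append(("UNKNOWN_MAC", ip, mac, None))
        elif reserved_ip != ip:
            # Known NIC, but not on its reserved address: manually configured IP.
            findings.append(("STATIC_IP", ip, mac, reserved_ip))
    return findings


if __name__ == "__main__":
    for finding in check_bindings(parse_arp(ARP_OUTPUT), RESERVATIONS):
        print(*finding)
```

Two caveats apply. The ARP cache only holds hosts that have recently talked to the server, so the check has to be run repeatedly (or the table collected over time) to be useful. And a MAC address is changeable in software on most NICs, so a user who copies both the reserved MAC and the IP of a powered-off machine looks exactly like the legitimate host; this catches careless users, not determined ones, which is why the reply's advice to back it with a signed usage policy still stands.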