RE: How ISA rule base works and how to bind users IP with MAC.

From: John Morello (johnlmorello@hotmail.com)
Date: 10/24/02


From: "John Morello" <johnlmorello@hotmail.com>
To: "'Tiger'" <tiger@justmailz.com>, <ataveras@oxygen.com>, <security-basics@securityfocus.com>, <focus-ms@securityfocus.com>
Date: Thu, 24 Oct 2002 14:56:35 -0400

This is also possible. ISA uses Client Address Sets in these
situations. For example, if you want to allow access to anyone that
happens to be coming from a certain computer or IP address, regardless
of who is logged on.

Check out the online product documentation for more details:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/proddocs/isadocs/M_P_H_CreateClientSet.asp

Also, as others have suggested, isaserver.org is a great resource for
learning more about the product and has screenshot walkthroughs of many
of these kinds of scenarios. Good luck!

-----Original Message-----
From: Tiger [mailto:tiger@justmailz.com]
Sent: Thursday, October 24, 2002 7:04 AM
To: ataveras@oxygen.com; tiger@justmailz.com;
security-basics@securityfocus.com; focus-ms@securityfocus.com
Subject: RE: How ISA rule base works and how to bind users IP with MAC.

Thanks for the suggestions Aristides!
"you'll want to probably look at using the firewall client to control
who has access through the firewall"
My requirement is to allow selected users from his machine only. It
might be through ISA or domain. Thanks again.

Cheers!
Tiger

---- Original Message ----
From: ataveras@oxygen.com
To: tiger@justmailz.com, security-basics@securityfocus.com,
focus-ms@securityfocus.com
Subject: RE: How ISA rule base works and how to bind users IP with MAC.
Date: Wed, 23 Oct 2002 13:40:15 -0400

>Check out www.isaserver.org. Great site with a lot of information.
>Its design is a little weird at first but you get used to it. It's
>actually a very interesting package.
>
>If you're looking to lock down user access, it sounds like you're looking
>at a combination of restricting their login via domain user account
>permissions, and then you'll want to probably look at using the
>firewall client to control who has access through the firewall. The
>client folder will have been created automatically as a share off of
>your isa server.
>
>-----Original Message-----
>From: Tiger [mailto:tiger@justmailz.com]
>Sent: Wednesday, October 23, 2002 10:46 AM
>To: security-basics@securityfocus.com; focus-ms@securityfocus.com
>Subject: How ISA rule base works and how to bind users IP with MAC.
>
>
>Hi All,
>
>Microsoft ISA Server's rule base engine first of all denies all
>requests and then allows. This increases complicacy. How this rule
>base works is not very clear to me. First of all implicitly it denies
>all requests given in rule base, then allows explicitly allowed rules
>and rest deny all.
>When it says allow explicitly allowed rules, then what does it mean?
>How it picks rules and what would be the sequence?
>1. Access Policy
> Site and Content Rules
> Packet Filters
>2. Publishing Rule
> Web Publishing
> Server Publishing
>I can't understand logic behind Microsoft's such design, why not
>simple rule base like checkpoint or any other firewall.
>
>I have ISA Server Installed. Only selected LAN users are allowed to
>access Internet. It's authenticating users from Domain Controller.
>Here my requirement is to allow selected LAN users to access Internet
>only from their machine. I have tried allowing them through two ways,
>1. IP Basis 2. User Basis, but both have their limitations:
>1. IP based: a user can ask or guess someone's IP and put in his
>machine and get access when allowed machine is powered off or NIC is
>disabled.
>2. User based: Passwords can be shared among users and they can
>access Internet from any machine.
>There should be some way in Domain Controller to bind user's access
>from their machine or assigned IP only. Any Idea?
>OR
>Is there any solution in ISA only?
>
>We can reserve IP in DHCP with MAC address and works fine only in the
>case when user request DHCP to release IP.
>I mean when user select option to "Obtain IP address automatically".
>If he assigns IP manually then he can enter into domain and access
>internet. My purpose can be solved if I get any way to restrict him
>to domain.
>
>My friend has cable connection. His machine is not into domain. He is
>getting access through MAC + IP address only. Coz of some reason if
>he changes MAC or IP his internet doesn't work.
>Any suggestion most welcome f
>
>
>
>Cheers!
>Tiger
>
>
>
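
Added example (not part of the original thread, and not ISA Server code): the IP-based weakness described in the question, where a user takes over an allowed machine's IP, can be detected by comparing the IP-to-MAC pairs the gateway has learned against the DHCP reservation list. The reservation table, the `arp -a` sample and all function names below are constructed assumptions; a MAC address can also be changed, so this catches casual IP borrowing only.

```python
import re

# Constructed DHCP reservation list (assumption): allowed IP -> registered MAC.
RESERVATIONS = {
    "192.168.1.10": "00-0c-29-aa-bb-01",
    "192.168.1.11": "00-0c-29-aa-bb-02",
    "192.168.1.12": "00-0c-29-aa-bb-03",
}

# Constructed sample of Windows `arp -a` output taken on the gateway.
SAMPLE_ARP = """\
Interface: 192.168.1.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.10          00-0c-29-aa-bb-01     dynamic
  192.168.1.11          00-0C-29-DE-AD-99     dynamic
  192.168.1.50          00-0c-29-aa-bb-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def normalize_mac(mac):
    return mac.lower().replace(":", "-")  # 00:0C:29.. compares equal to 00-0c-29..

def parse_arp(text):
    """Return {ip: mac} for dynamic (learned) entries; headers and static rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def audit(observed, reservations):
    """Compare observed {ip: mac} with the reservations; return sorted (kind, ip, mac)."""
    reserved = {ip: normalize_mac(mac) for ip, mac in reservations.items()}
    registered_macs = set(reserved.values())
    findings = []
    for ip, mac in observed.items():
        if ip in reserved:
            if reserved[ip] != mac:   # allowed IP answered by a different NIC
                findings.append(("ip-borrowed", ip, mac))
        elif mac in registered_macs:  # registered NIC on a manually assigned IP
            findings.append(("reservation-bypassed", ip, mac))
        else:                         # host with no reservation at all
            findings.append(("unregistered-host", ip, mac))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(parse_arp(SAMPLE_ARP), RESERVATIONS))
```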
