From: Damien Ilmonen (damien_at_hammerheadtech.net)
Date: Wed Oct 23 2002 - 13:24:11 CDT


    From my understanding of ISA, it is supposed to go from the broadest
    category down to the most granular when checking for allow/deny. Also,
    if there is a deny rule on, say, the packet filter level, that will
    override the allow on the Access Policy.

    With the way that the system can be configured, you should be able to
    have "overlapping" access policies and create two rules for access. One
    based on IP and one based on the User Authentication. This should make
    it check for both conditions. (You'll have to forgive me for being a
    little fuzzy on this, because I've been administering CheckPoint 95% of
    the time for the past 6 months...)

    The publishing rules are essentially maps to your internal servers. Web
    publishing and SMTP publishing are custom "filters" that MS put into the
    ISA server so that people wouldn't have to manually configure them.

    As for your friend with the cable connection, most cable companies
    usually associate the MAC address and the IP address for user access.
    Many times, they also force a specific machine name for internet access.

    My .02 worth...

    Damien

    -----Original Message-----
    From: Tiger [mailto:tiger@justmailz.com]
    Sent: Wednesday, October 23, 2002 9:46 AM
    To: security-basics@securityfocus.com; focus-ms@securityfocus.com
    Subject: How ISA rule base works and how to bind users IP with MAC.

    Hi All,

    Microsoft ISA Server's rule base engine first of all denies all
    requests and then allows. This increases complexity. How this rule base
    works is not very clear to me. First of all it implicitly denies all
    requests given in the rule base, then allows the explicitly allowed
    rules, and denies the rest.
    When it says "allow explicitly allowed rules", what does that mean? How
    does it pick rules, and what is the sequence?
    1. Access Policy
            Site and Content Rules
            Packet Filters
    2. Publishing Rules
            Web Publishing
            Server Publishing
    I can't understand the logic behind Microsoft's design; why not a
    simple rule base like CheckPoint or any other firewall?

    I have ISA Server installed. Only selected LAN users are allowed to
    access the Internet. It is authenticating users against the Domain
    Controller. My requirement is to allow selected LAN users to access the
    Internet only from their own machines. I have tried allowing them in two
    ways, IP basis and user basis, but both have their limitations:
    1. IP based: a user can ask for or guess someone's IP, put it on his
       machine, and get access when the allowed machine is powered off or
       its NIC is disabled.
    2. User based: passwords can be shared among users, and they can then
       access the Internet from any machine.
    There should be some way in the Domain Controller to bind a user's
    access to their machine or assigned IP only. Any idea?
    OR
    Is there any solution in ISA only?

    We can reserve an IP in DHCP by MAC address, but that works only when
    the user requests the IP from DHCP, i.e. when the user selects the
    option "Obtain an IP address automatically". If he assigns an IP
    manually, then he can still enter the domain and access the Internet.
    My purpose would be served if I could find a way to restrict him to the
    domain.

    My friend has a cable connection. His machine is not in a domain. He is
    getting access through MAC + IP address only. For some reason, if he
    changes MAC or IP his Internet doesn't work.
    Any suggestion most welcome :)

    Cheers!
    Tiger

    ______________________________________________________________________
    Get Free POP & IMAP Email Accounts on www.justmailz.com !
    Quote : "All life is an experiment."

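The following is an added example, not code from either poster or from Microsoft. It is a toy model of the evaluation order the thread describes (packet-filter deny first, then explicit denies, then explicit allows, then implicit deny) and of Damien's suggestion that access be tied to both a client IP and an authenticated user. The rule classes, the sample LAN addresses (10.0.0.0/24, alice's workstation at 10.0.0.10) and the "block-irc" filter are all constructed for the illustration; ISA Server's real engine is not reproduced here. The demo shows why an IP-only rule and a user-only rule each have the limitation Tiger describes, and how a rule that requires both conditions closes them.

```python
"""Toy model of deny-first rule evaluation with user+IP binding.

Assumptions (illustration only, not ISA Server's actual engine):
  * packet filters are checked first and a matching deny wins outright;
  * access rules are then checked, deny rules before allow rules;
  * an access rule carrying both a source network and a user set
    requires BOTH to match (the "bind user to machine" effect);
  * anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]  # None when the client did not authenticate
    dst_port: int


@dataclass(frozen=True)
class PacketFilter:
    """IP/port-level rule; has no notion of users."""
    name: str
    src_net: str
    dst_port: Optional[int]  # None matches any port
    action: str  # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        in_net = ip_address(req.src_ip) in ip_network(self.src_net)
        return in_net and (self.dst_port is None or self.dst_port == req.dst_port)


@dataclass(frozen=True)
class AccessRule:
    """Access-policy rule; may constrain client address, user, or both."""
    name: str
    action: str
    src_net: Optional[str] = None  # None = any address
    users: FrozenSet[str] = frozenset()  # empty = any user, even unauthenticated

    def matches(self, req: Request) -> bool:
        if self.src_net is not None and ip_address(req.src_ip) not in ip_network(self.src_net):
            return False
        if self.users and req.user not in self.users:
            return False
        return True


def evaluate(req: Request, packet_filters: List[PacketFilter],
             access_rules: List[AccessRule]) -> Tuple[str, str]:
    """Return (decision, name of the rule that decided). Default is implicit deny."""
    for pf in packet_filters:  # packet-filter deny overrides everything
        if pf.action == "deny" and pf.matches(req):
            return "deny", pf.name
    for rule in access_rules:  # explicit denies next
        if rule.action == "deny" and rule.matches(req):
            return "deny", rule.name
    for rule in access_rules:  # then explicit allows
        if rule.action == "allow" and rule.matches(req):
            return "allow", rule.name
    return "deny", "implicit-deny"


# Constructed sample policy: LAN 10.0.0.0/24, alice's workstation is 10.0.0.10.
PACKET_FILTERS = [PacketFilter("block-irc", "10.0.0.0/24", 6667, "deny")]
IP_ONLY = [AccessRule("allow-alice-pc", "allow", src_net="10.0.0.10/32")]
USER_ONLY = [AccessRule("allow-alice", "allow", users=frozenset({"alice"}))]
BOUND = [AccessRule("bind-alice", "allow", src_net="10.0.0.10/32",
                    users=frozenset({"alice"}))]

# Constructed requests covering the two limitations raised in the thread.
ALICE_AT_HER_PC = Request("10.0.0.10", "alice", 80)
UNAUTH_WITH_ALICES_IP = Request("10.0.0.10", None, 80)   # her IP reused while her PC is off
ALICE_FROM_OTHER_PC = Request("10.0.0.55", "alice", 80)  # her credentials used elsewhere
ALICE_IRC = Request("10.0.0.10", "alice", 6667)          # hits the packet filter


def limitation_demo() -> dict:
    """Decisions for each policy style against each constructed request."""
    return {
        "ip_only_unauth": evaluate(UNAUTH_WITH_ALICES_IP, PACKET_FILTERS, IP_ONLY)[0],
        "user_only_other_pc": evaluate(ALICE_FROM_OTHER_PC, PACKET_FILTERS, USER_ONLY)[0],
        "bound_legit": evaluate(ALICE_AT_HER_PC, PACKET_FILTERS, BOUND)[0],
        "bound_unauth": evaluate(UNAUTH_WITH_ALICES_IP, PACKET_FILTERS, BOUND)[0],
        "bound_other_pc": evaluate(ALICE_FROM_OTHER_PC, PACKET_FILTERS, BOUND)[0],
        "packet_filter_wins": evaluate(ALICE_IRC, PACKET_FILTERS, BOUND),
    }


if __name__ == "__main__":
    for name, decision in limitation_demo().items():
        print(f"{name}: {decision}")
```

Running the module prints one line per scenario: the IP-only and user-only policies each allow a request that the bound rule denies, and the IRC request is denied by the packet filter even though the bound allow rule matches it, which is the override Damien describes.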