In-Reply-To: <[EMAIL PROTECTED]>
Hi Chris,
In danger of teaching you to suck eggs:

Make sure that any client PC has to go through the ISA server to get to
the router owned by your ISP (i.e. the Internet) first. This way, none of
your users will be able to bypass your secure gateway and therefore
gain unauthorised access to the outside world (sounds a little restrictive
when put like that!). NB Firewalls are meant to protect one from the
INBOUND traffic though they can also provide OUTBOUND restriction and ISA
is really a glorified proxy server.

To achieve this, all your internal PCs should be configured with a
default gateway address that eventually leads, perhaps via internal
routing, to your Gateway, which I am assuming is your ISA server. If you
do not have any internal routing, i.e. your ISA and PCs are on the same
subnet, then just make the ISA's internal interface the default gateway
for your clients. Some might suggest not configuring a default gateway
but instead using your 'proxy client' (browser?) settings to connect -
this'll work but is limited to certain protocols or services. Ideally you
have the browser set to go to the proxy for HTTP/S, FTP etc. and use the
native routing for all other protocols that you may wish to allow (hence
the probs with your telnet client I suspect).

PC ---- ISA ---- router ----- ISP core ----- 'Internet'

Don't allow PCs to circumvent this - i.e. use a cross-over cable between
the ISA external interface and the router's RJ-45 presentation or e0 (Cisco)
interface.

Meanwhile...
Once this is done, just have a look at your ISA settings and make sure
that each protocol is accounted for. I've only played with ISA a couple of
times for customers but I just deleted all the default rules and started
again so I knew exactly what was what.

I suggest that you make sure that the Protocol Rules, IP Packet filters
and protocol definitions are all configured correctly. To test, try
backing up your current config and starting again with maybe just telnet
and ICMP echo reply/request configured on the aforementioned
rules/setting templates - when rebuilding the rules, keep the given
defaults as, guess what, these leave things wide open. Once tested, you
can look at hardening. Unfortunate that you are doing this in a production
environment...not secure and quite disruptive.

Feel free to get in touch if any of above is unclear or if you would like
more detailed help.
ta
Gwyd1on
>From: Chris Berry <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Firewall problem
>
> We're using MS ISA server as our firewall. In accordance with their
>best practices recommendation I've put it on a dual-homed machine and set
>up only the external interface with a default gateway. Our internet
>connection is working well, and as far as I can tell reasonably secure.
>However we can't connect telnet traffic, nor can I ping internet sites,
>even though I have rules configured that should allow this.
>
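The point of the reply above is that the only path from any client to the ISP router must pass through the ISA box, and that a client which relies on browser proxy settings alone (no default gateway) can only use proxied protocols such as HTTP/S and FTP, which is one explanation for telnet and ping failing. The following is an added example, written for this thread and not code from either poster, that models that topology as a next-hop table and walks each client's default route to flag bypass paths, loops and proxy-only clients. All host names (pc-a, core-router, isa, isp-router) and the routing table are constructed sample values.

```python
"""Egress-path check for the PC ---- ISA ---- router ----- ISP topology.

Constructed example: each node maps to the next hop of its default route,
None meaning the node has no default route at all. The names are made up.
"""
from typing import Dict, List, Optional, Set

# Hypothetical sample topology (constructed, not taken from the thread).
DEFAULT_NEXT_HOP: Dict[str, Optional[str]] = {
    "pc-a": "isa",            # same subnet as ISA: its internal NIC is the gateway
    "pc-b": "core-router",    # other subnet: internal routing leads on to ISA
    "core-router": "isa",
    "pc-c": "isp-router",     # misconfigured: points straight at the ISP router
    "pc-d": None,             # proxy-only client, no default gateway configured
    "isa": "isp-router",      # ISA external interface -> ISP-owned router
    "isp-router": "internet",
    "internet": None,
}

# Protocols a browser-style proxy client can push through ISA without routing.
PROXY_PROTOCOLS: Set[str] = {"http", "https", "ftp"}

GATEWAY = "isa"          # the box every outbound packet must traverse
EDGE = "isp-router"      # first hop we do not own
OUTSIDE = "internet"


def trace_default_route(host: str, next_hop: Dict[str, Optional[str]],
                        max_hops: int = 16) -> List[str]:
    """Follow default routes from host. Stops at a node without a default
    route, at max_hops, or on a loop (the repeated hop is kept in the list
    so the caller can detect it)."""
    path = [host]
    seen = {host}
    cur = host
    while len(path) <= max_hops:
        nxt = next_hop.get(cur)
        if nxt is None:
            break
        path.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
        cur = nxt
    return path


def classify(client: str, next_hop: Dict[str, Optional[str]] = DEFAULT_NEXT_HOP) -> str:
    """Describe how (and whether) a client's default route reaches the Internet."""
    path = trace_default_route(client, next_hop)
    if len(path) != len(set(path)):
        return "routing loop"
    if len(path) == 1:
        return "no default route"
    if OUTSIDE not in path:
        return "no route to internet"
    # Reaching the ISP router before (or without) ISA is the bypass the reply warns about.
    if GATEWAY not in path or path.index(GATEWAY) > path.index(EDGE):
        return "bypasses gateway"
    return "via gateway"


def reachable_via_isa(client: str, wanted: Set[str], proxy_configured: bool,
                      next_hop: Dict[str, Optional[str]] = DEFAULT_NEXT_HOP) -> Set[str]:
    """Which of the wanted protocols can leave the network *through ISA*.
    A proxy-only client gets only the proxied protocols; a bypassing client
    gets none through ISA (its traffic goes out unfiltered instead)."""
    status = classify(client, next_hop)
    if status == "via gateway":
        return set(wanted)
    if status == "no default route" and proxy_configured:
        return set(wanted) & PROXY_PROTOCOLS
    return set()


def egress_report(clients: List[str], proxy_clients: Set[str],
                  wanted: Set[str], next_hop: Dict[str, Optional[str]] = DEFAULT_NEXT_HOP):
    """Per-client status plus the protocols that actually get out via ISA."""
    return {
        c: (classify(c, next_hop),
            sorted(reachable_via_isa(c, wanted, c in proxy_clients, next_hop)))
        for c in clients
    }


if __name__ == "__main__":
    for host, (status, protos) in egress_report(
            ["pc-a", "pc-b", "pc-c", "pc-d"], {"pc-d"},
            {"http", "telnet", "icmp"}).items():
        print(f"{host:6} {status:20} via ISA: {protos}")
```

Run as a script it prints one line per client; pc-c shows up as "bypasses gateway" (the thing to fix with the cross-over cable and gateway settings the reply describes) and pc-d, the proxy-only client, gets HTTP but neither telnet nor ICMP through ISA, which matches the symptom in the original question.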