Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

tshinder — Mon, 16 Jan 2006 18:17:05 GMT

Hi Ziv,
This is a fantastic set of facts, tips and tricks! Keep up the good work and give us more! :) Thanks! --Tom.

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

Rayne Wiselman — Tue, 17 Jan 2006 10:06:28 GMT

More about this at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/internalclientaccess.mspx

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

isablog — Tue, 17 Jan 2006 12:18:28 GMT

The updated on-line (product) help also has a topic titled "Access rules and server publishing rules" which includes a table comparing the different rule types.

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

ClintD — Tue, 17 Jan 2006 16:31:01 GMT

I have a suggestion for a future article.

Explain, in detail, why an access rule (for example, allowing Secure NAT HTTP but the user condition is 'All Authenticated Users') that Allows access can result in traffic being denied.

The rationale seems pretty straightforward, 'If ISA can't verify all parameters of a rule, then the rule should deny the request', but examples of when this is required would be very helpful. There have been some heated discussions on isaserver.org newsgroups about the wisdom of this decision - some consider it a design flaw or bug, while others feel it is the right decision (I'm in the latter group).

Is it a simple problem with the browser? As in, a Secure-NAT client resolves the destination web server through DNS and attempts to connect to it - since the destination of the packet is the external web server, ISA can't simply inject a HTTP 407 response to the browser since ISA isn't the destination of the packet?

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

ClintD — Tue, 17 Jan 2006 17:47:27 GMT

Just to clarify - the folks who consider the 'Denied by an Allow Rule' scenario a bug feel that if ISA can't verify a parameter (as in a rule allowing HTTP access for All Authenticated Users and Secure NAT clients getting blocked as a result of this), it should move on to the next rule.

Furthermore, they feel the 'Default Deny' rule should be the only rule that denies access, short of admins creating Deny rules.

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

Tom Shinder — Tue, 17 Jan 2006 19:43:20 GMT

Hi Clint,
I recall mentioning this during the private beta in the newsgroups, and they were aware of the issue. I think it was recognized that this would create confusion, but it was too late to change the model. Maybe in an upcoming version anonymous connections will only match anonymous rules? --Tom

Quickie: The ISA Team is Blogging!

Blog du Tristank — Wed, 08 Feb 2006 04:04:38 GMT

Yes, the folks behind ISA Server have their own blog now. And have done for a month. &nbsp;Go subscribe!...

re: Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

HD Video Converter — Tue, 26 May 2009 09:17:48 GMT

If no IP addresses are in the list and you want to prevent requests from IP address 127.0.9.1 from being routed, add 127.0.0.1 as an FQDN to the list.