ISA deny rule to allow a custom protocol

Why do I need a deny rule to make an allow rule for a custom protocol work correctly?


Protocol definitions
include lists of primary connections, secondary connections, and associated application
filters. Each primary connection includes a port range, which may cover one or more
port numbers. When traffic is sent to an ISA Server computer, ISA Server uses the
port on which it arrives to identify its protocol.  

When a policy rule
allows traffic for a certain protocol, the Firewall service checks the definition
of the protocol and passes the traffic to all the application filters associated
with the protocol definition for processing.

If traffic of a specific
type is sent to a port corresponding to a predefined protocol that is associated
with an application filter and you do not want the application filter to process
this traffic, you can define a custom protocol that has the same primary and secondary
connections as the predefined protocol but is not associated with the application
filter. Then you can use your custom protocol in a policy rule that allows this
traffic. Protocol definitions with primary connections that include the same port
are called overlapped protocol definitions.

As an example, let’s
say that you have an internal server to which VPN clients send nonstandard HTTP
traffic through TCP port 80. When this traffic is allowed by a matching access rule
that uses the predefined HTTP protocol and is configured to allow traffic from the
VPN Clients network to the Internal network, the Web Proxy Filter is invoked and
rejects this traffic because it does not comply with HTTP standards. To allow nonstandard
HTTP traffic to reach your nonstandard HTTP server, you can create a custom protocol
definition that has a primary connection for outbound traffic through TCP port 80
and is not associated with the Web Proxy Filter. We will refer to this protocol
as the CustomHTTP protocol.

To allow the nonstandard
HTTP traffic, you need to create two access rules:

    

An access rule that
uses the CustomHTTP protocol and allows traffic from the VPN Clients network
to the computer object representing the nonstandard HTTP server.

   

An access rule that
uses the predefined HTTP protocol and denies traffic from the VPN Clients
network to the computer object representing the nonstandard HTTP server.

The new allow rule
must come before your original rule that allows HTTP traffic from the VPN Clients
network to the Internal network in the ordered list of policy rules, and the new
deny rule should be placed immediately after the new allow rule.


 



The following table
lists the rules that you should have to enable traffic in this scenario:



 













































Order




Name




Action




Protocols




From




To




1




Allow CustomHTTP
to Nonstandard HTTP Server




Allow




CustomHTTP




VPN Clients




Nonstandard
HTTP Server




2




Deny HTTP
to Nonstandard HTTP Server




Deny




HTTP




VPN Clients




Nonstandard
HTTP Server




3




Allow HTTP
to Internal Servers




Allow




HTTP




VPN Clients




Internal




4




Default
rule




Deny




All Traffic




All Networks




All Networks




 



 



So why do I need
the new deny rule (the second rule)? The short answer is that this rule is needed
to prevent the third rule or any other rule from invoking the Web Proxy Filter for
traffic that matches the first rule.



 



To understand why
this rule is needed, you need to know how ISA Server processes traffic sent to a
port that is associated with overlapped protocols. When traffic arrives at a port
that is associated with overlapped protocols, the first policy rule that matches
the traffic for each of the overlapped protocols (the HTTP and CustomHTTP protocols)
is found, and the rule that is highest in the list of rules is applied. In our case,
that would be the first rule with the CustomHTTP protocol, which allows traffic
to the nonstandard HTTP server but does not invoke the Web Proxy Filter. In addition,
all the rules for the overlapped protocols in the ordered list of rules are processed,
their secondary connections are added to the session, and the application filters
associated with them are invoked until an access rule that denies traffic is encountered.
In our case, the second rule, which is a deny rule, stops this processing. Without
the second rule, the third rule would be processed for traffic that matches the
first rule, and the Web Proxy Filter would be invoked for it.



 



If the Web Proxy
Filter would be invoked by the third rule, the Web Proxy Filter would discover that
the traffic does not conform to HTTP standards. The Web Proxy Filter would then
block the traffic and add an entry to the Web Proxy log indicating that the Allow
HTTP to Internal Servers rule blocked the traffic.



Comments

alex smith said…
vpn is an excellent service, speed is great and I am able to access all my sites without any issues.
08:40
Post a Comment

Popular posts from this blog

Exchange Server Error -1018: How Microsoft IT Recovers Damaged Exchange Databases

Image
I found this paper on the showcase site from microsoft I hope it is of help to you. It sure helped me!     Technical White Paper Published: August 1, 2005 Executive Summary Error –1018 (JET_errReadVerifyFailure) is a familiar—and dreaded—error in Microsoft® Exchange Server. It indicates that an Exchange database file has been damaged by a failure or problem in the underlying file system or hardware. This paper explains the conditions that result in error –1018. It also covers the detection mechanisms that Exchange uses to discover and recover from damage to its database files. The Microsoft Information Technology group (Microsoft IT) runs one of the most extensive Exchange Server organizations in the world. Exchange administrators at Microsoft have investigated and recovered from dozens of –1018 error problems. This paper shows you how Microsoft IT monitors fo
Read more

Server and Domain Isolation Using IPsec and Group Policy

Image
Microsoft Solutions for Security and Compliance Server and Domain Isolation Using IPsec and Group Policy © 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. Table of Contents Chapter 1: Introduction to Server and Domain Isolation. 1 Executive Summary. 1 Who Should Read This Guide. 2 The Business Challenge. 3 The Business Benefits. 3 The Technology Challenge. 4 Creating a Project Team.. 6 Guide Overview.. 7 Chapter 1: Introduction to Server and Domain Isolation. 7 Chapter 2: Understanding Server and Domain Isolation. 7 Chapter 3: Determining the Current State of Your IT Infrastructure. 7 Chapter 4: Designing and Planning Isolation Groups. 8 Chapter 5: Creating IPsec Policies for Isolation Groups.
Read more

[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute

Image
I had the error below in my application eventlog.     Event Type:    Error Event Source:    Userenv Event Category:    None Event ID:    1085 Date:        30-09-2008 Time:        15:20:30 User:        NT AUTHORITY\SYSTEM Computer:    TBG-TS01 Description: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .   My problem was with my site to zone assignment list I used a wildcard like this: “ *microsoft.com ” but what you need to do is this “ *.microsoft.com ” So it is safe to say that the documentation from microsoft needs some sort of an update stating that you can only use a wildcard infront of dot. Below is the microsoft explaination:   This policy setting allows you to manage a list of sites that you want to associate with a particular s
Read more