Switching from Microsoft ISA to PIX questions

Discussion in 'Cisco' started by Jim Florence, Feb 28, 2005.

  1. Jim Florence

    Jim Florence Guest

    Hi,

    We are about to switch from running Microsoft ISA to PIX, at long last, but
    there are a few features I need to carry over from ISA that I don't think
    the PIX will give me easily.

    We run Active Directory and at the moment ISA lets us lock down protocols by
    username and group. We do this mainly for blocking and allowing FTP and
    HTTPS access to certain users and groups.

    We also block certain room locations from web access from time to time. This
    is done on ISA at the moment, but we plan to pass that on to N2H2, which
    currently handles our filtering. We do this by IP address.

    Any software that could help us with this would be great, we are also keen
    to get some better HTTP download and SMTP scanning tools.

    Any pointers gratefully accepted

    Regards

    Jim Florence
     
    Jim Florence, Feb 28, 2005
    #1

  2. In article <422357ba$0$12820$>,
    Jim Florence <> wrote:
    :We are about to switch from running Microsoft ISA to PIX,at long last, but
    :there are a few features I need to carry over from ISA that I don't think
    :the PIX will give me easily.

    :We run Active Directory and at the moment ISA lets us lock down protocols by
    :username and group. We do this for mainly blocking and allowing FTP and
    :HTTPS access to certain users and groups

    The PIX can do that by way of downloadable ACLs from a RADIUS server.
    There are, as I recall, two documented mechanisms. The reference wording for
    both could be somewhat clearer, I fear.

    One of the mechanisms involves literally specifying the ACL contents as one of
    the RADIUS attributes; when the user logs in, the ACL is downloaded on to the
    PIX and applied. There is a sysopt which controls whether the normal interface
    ACL has precedence over the downloaded ACL in case of conflict. [e.g.,
    is the ACL logically pre-pended or appended to the interface ACL.]

    The second mechanism involves the -name- of an ACL being specified as one
    of the RADIUS attributes. If the ACL is not already present on the system
    then it is somehow downloaded from the RADIUS server.

    As the documentation on these matters is a bit hard to read, it could be
    that these are actually the same mechanism in different guises: if the RADIUS
    attributes could contain both an ACL name and a literal ACL, then the
    mechanism could be that the named ACL will be used if it is already present
    and otherwise the literal ACL contents will be downloaded.

    There is, I seem to recall, a mechanism to deal with the possibility that
    the ACL on the server has been updated; I haven't looked closely at any
    of this.
    --
    History is a pile of debris -- Laurie Anderson
     
    Walter Roberson, Feb 28, 2005
    #2
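Walter's first mechanism (the ACL contents carried in RADIUS attributes) worked through in Python, as an added example that is not from the thread or from Cisco: it packs Cisco-AVPair `ip:inacl#N=` lines into RFC 2865 Vendor-Specific attributes the way a RADIUS server would place them in an Access-Accept, then parses them back as the PIX must, ordering lines by N rather than by packet position. The user, the three ACL lines and the parser itself are constructed assumptions; only the `ip:inacl#N=` attribute syntax is Cisco's.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
VENDOR_CISCO = 9              # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type of the Cisco-AVPair sub-attribute

# Constructed per-user ACL for user "jim": allow HTTPS, block FTP, allow the rest.
# Deliberately listed out of order: the #N index, not packet position, orders the lines.
SAMPLE_AVPAIRS = [
    "ip:inacl#2=deny tcp any any eq 21",
    "ip:inacl#1=permit tcp any any eq 443",
    "ip:inacl#3=permit ip any any",
]

def encode_cisco_avpair(value):
    """Wrap one Cisco-AVPair string as a RADIUS Vendor-Specific attribute:
    type(26) len | vendor-id(4 bytes) | vendor-type(1) vendor-len | string."""
    raw = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    body = struct.pack("!I", VENDOR_CISCO) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute longer than 255 bytes")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_inacl(attrs):
    """Walk a run of RADIUS attributes and return the ip:inacl#N= rules ordered by N."""
    lines, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("truncated or malformed RADIUS attribute")
        atype, alen = attrs[i], attrs[i + 1]
        data = attrs[i + 2:i + alen]
        i += alen
        # Skip anything that is not a Cisco Vendor-Specific attribute.
        if atype != RADIUS_VENDOR_SPECIFIC or len(data) < 6 or struct.unpack("!I", data[:4])[0] != VENDOR_CISCO:
            continue
        j = 4
        while j + 2 <= len(data):
            vtype, vlen = data[j], data[j + 1]
            if vlen < 2 or j + vlen > len(data):
                raise ValueError("malformed vendor sub-attribute")
            value = data[j + 2:j + vlen].decode(errors="replace")
            j += vlen
            if vtype == CISCO_AVPAIR and value.startswith("ip:inacl#"):
                index, _, rule = value[len("ip:inacl#"):].partition("=")
                lines.append((int(index), rule))
    return [rule for _, rule in sorted(lines)]

def sample_access_accept_attrs():
    """Attribute bytes a RADIUS server would place in the Access-Accept for "jim"."""
    return b"".join(encode_cisco_avpair(v) for v in SAMPLE_AVPAIRS)
```

`decode_inacl(sample_access_accept_attrs())` yields the three lines in index order, which is what the PIX applies as the per-user ACL after login.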

  3. Jim Florence

    Jim Florence Guest

    Walter,

    Many thanks for the quick reply. I'll dig through the documentation.

    We were not planning on setting up a RADIUS server but it's definitely worth
    a look. Looks like I've even more to read up on now :0)

    Regards

    Jim Florence


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cvvm8q$h5i$...
    > In article <422357ba$0$12820$>,
    > Jim Florence <> wrote:
    > :We are about to switch from running Microsoft ISA to PIX,at long last,
    > but
    > :there are a few features I need to carry over from ISA that I don't think
    > :the PIX will give me easily.
    >
    > :We run Active Directory and at the moment ISA lets us lock down protocols
    > by
    > :username and group. We do this for mainly blocking and allowing FTP and
    > :HTTPS access to certain users and groups
    >
    > The PIX can do that by way of downloadable ACLs from a RADIUS server.
    > There are, as I recall, two documented mechanisms. The reference wording
    > for
    > both could be somewhat clearer, I fear.
    >
    > One of the mechanisms involves literally specifying the ACL contents as
    > one of
    > the RADIUS attributes; when the user logs in, the ACL is downloaded on to
    > the
    > PIX and applied. There is a sysopt which controls whether the normal
    > interface
    > ACL has precedence over the downloaded ACL in case of conflict. [e.g.,
    > is the ACL logically pre-pended or appended to the interface ACL.]
    >
    > The second mechanism involves the -name- of an ACL being specified as one
    > of the RADIUS attributes. If the ACL is not already present on the system
    > then it is somehow downloaded from the RADIUS server.
    >
    > As the documentation on these matters is a bit hard to read, it could be
    > that these are actually the same mechanism in different guises: if the
    > RADIUS
    > attributes could contain both an ACL name and a literal ACL, then the
    > mechanism could be that the named ACL will be used if it is already
    > present
    > and otherwise the literal ACL contents will be downloaded.
    >
    > There is, I seem to recall, a mechanism to deal with the possibility that
    > the ACL on the server has been updated; I haven't looked closely at any
    > of this.
    > --
    > History is a pile of debris -- Laurie Anderson
     
    Jim Florence, Feb 28, 2005
    #3
  4. Scott Lowe

    Scott Lowe Guest

    On 2005-02-28 12:41:07 -0500, "Jim Florence" <> said:

    > We run Active Directory and at the moment ISA lets us lock down
    > protocols by username and group. We do this for mainly blocking and
    > allowing FTP and HTTPS access to certain users and groups
    >


    You could always keep ISA as a one-armed web proxy behind the PIX
    firewall, to continue to offer this kind of authentication service.
    Group Policy in Active Directory can be used to deploy the Firewall
    Client or to enforce web browser proxy settings so that users must go
    through the ISA proxy in order to get out. Similarly, an outbound ACL
    on the PIX can ensure that web access is allowed only via the ISA proxy.

    Just a thought.

    --
    Scott Lowe
     
    Scott Lowe, Apr 8, 2005
    #4
