ISA (TMG) Problem with PA-500 in vwire mode

Reply
Highlighted
Not applicable

ISA (TMG) Problem with PA-500 in vwire mode

background:

we have a new installation of a PA-500 (running 4.1.2) which sits behind our edge firewall (TMG 2010) in vwire mode.

basic setup. the pa-500 external interface connects directly into the edge firewalls internal interface and the pa-500 internal interface connects directly to our production network. our DNS, AD etc are all on this production network. the PA-500 is only doing content filtering for web / applications.

we have have the following rules (simplified but basically the important parts)

rule #1 allow internal to external for <selected users>

rule#2 allow internal to external for any users

rule #3 deny from internal to external for any

as you can see rule one is used for selected members on the domain

rule 2 shouldnt be required as this basically lets anyone who isnt a member of the selected group from rule 1 out to the internet anonymously.

and rule 3 is ther as a deny all (which should be there by default)

as you can see rule 2 should be removed BUT the problem is this

If we remove rule#2 our TMG firewall loses connectivity with the production network so loses its secure channel with the domain / domain controls. this causes the firewall to stop authenticating users thus the firewall kills all conenctions.

can you pleae confirm that rule#2 should never be in the pa-500 setup and confirm that in vwire mode the device should not stop non web/application protocols from communicating.

Tags (3)
L4 Transporter

Re: ISA (TMG) Problem with PA-500 in vwire mode

Hi Dave,

Could you please confirm if "selected users" are hitting rule #1, or are they hitting rule #2.  If there a few users from the  "selected users" used in rule #1 and are hitting rule #2, then we would need to look how the User-ID agent has been configured.

Thank you

Kal

Not applicable

Re: ISA (TMG) Problem with PA-500 in vwire mode

users who are a member of selected group hit rule one. anyone outwith rule one hits rules two (as you would expect)

we seem to have our user group issue solved kal.

now the main problem is getting rid of rule two and why the pa-500 is restricting our edge firewall from communicating with the network.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!