We have a number of sites with local PC user accounts that are not members of the internet users group, but are still allowed to access a short list of valid sites. This works fine. However, when they enter a URL that is not allowed they get prompted for a username/password to access the internet.
I have another access rule that allows domain users who are members of the internet users group full internet access.
I would like local users to get the redirect rule saying they are not a member of the internet users group, contact the Helpdesk, etc., rather than just getting an authentication prompt. Any help would be appreciated.
You can do this by creating a DENY rule based upon the following criteria:
Action: Deny (redirect HTTP requests to this web page) - provide the URL to a web page that indicates "they are not a member of the internet users group, contact the Helpdesk".
Protocols: All outbound traffic (or just web protocols HTTP, HTTPS, if that's what your requirements are based upon)
From: Internal
To: External
Users: All Users | Exceptions: the User Set you've created for the domain\internet users group.
And make sure that you account for the excess logging on your ISA Server if you choose to enable logging for this rule. Obviously you should enable logging until you ensure that the rule is working as expected.
Also make sure that you place this rule above all other access rules that require authentication, and below any rules that allow the anonymous proxy access your environment requires.
Thanks for the info, unfortunately still the same authentication prompt when trying to go to a non-valid site rather than the access denied page.
A little more information: the local users are local administrators with blank passwords, a no-no I know, but that's what I have been given to work with. When the local administrator password is set to the same as the ISA server's, this rule works fine. My problem is I can't reset the local admin password for all these users and in the short term they will have to stay blank. The ISA server's local admin password cannot be set to blank.
Any other ideas for a work around? Thanks in advance.
My apologies, I totally glossed over the fact that these are local users, rather than domain users... Are these local users, which are allowed to access the short list of sites, hitting an Access Rule that is configured for All Users? If not, how is this Access Rule configured?
I have not tried this, but it makes sense to me at the moment. You'll need two Access rules:
First the Deny Rule: Deny_Anonymous_HTTP
Action: Deny (redirect HTTP requests to the Helpdesk URL)
Protocols: All outbound
From: Internal
To: External (exceptions - add the small list of sites, either by adding them to a Domain Name Set or URL Set)
Users: All Users
Next create the Allow rule, below the Deny Rule: Allow_Anonymous_HTTP
Action: Allow
Protocols: HTTP, HTTPS (others if needed)
From: Internal
To: the small list of sites, added to the Domain Name Set or URL Set mentioned in the Deny exception list above
Users: All Users
Try this and let me know... but please be aware of where this fits in your policy: it will need to be above any authenticated rules, and depending on where it's placed and what your SecureNAT clients are doing, it may interfere with them.
If you can identify the anonymous web proxy users by their IP address, you could create a Computer Set and add each client IP into that Computer Set, and then use that Computer Set in the rules:
First the Deny Rule: Deny_Anonymous_HTTP
Action: Deny (redirect HTTP requests to the Helpdesk URL)
Protocols: All outbound (or just the protocols used in the Allow Rule)
From: Computer_Set_of_Anonymous_Users
To: External (exceptions - add the small list of sites, either by adding them to a Domain Name Set or URL Set)
Users: All Users
Next create the Allow rule, below the Deny Rule: Allow_Anonymous_HTTP
Action: Allow
Protocols: HTTP, HTTPS (others if needed)
From: Computer_Set_of_Anonymous_Users
To: the small list of sites, added to the Domain Name Set or URL Set mentioned in the Deny exception list above
Users: All Users
Let me know if that does the trick. Otherwise you may be better off going with a 3rd party plug-in capable of authorization and content filtering, such as Websense.
< Message edited by abqtech -- 17.Jan.2008 10:00:38 AM >
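As an added illustration (not code from this thread or from ISA Server itself), here is a small Python model of first-match access-rule evaluation with the Deny/Allow pair above placed ahead of the authenticated rule. The site list, client IPs and rule field names are constructed assumptions, and the model simplifies ISA to "first matching rule wins; an authenticated-only rule matched by an anonymous request produces a credential prompt", which is the behaviour the ordering caveat is about.

```python
# Constructed model of ISA-style first-match rule evaluation (added example, not ISA's engine).
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_SITES = {"intranet.example.com", "vendor.example.net"}  # constructed "short list"
ANON_CLIENTS = {"10.0.0.21", "10.0.0.22"}  # constructed Computer_Set_of_Anonymous_Users


@dataclass
class Rule:
    name: str
    action: str                          # "allow", "deny-redirect" or "deny"
    from_hosts: Optional[set] = None     # None = Internal (any client)
    to_sites: Optional[set] = None       # None = External (any destination)
    to_exceptions: set = field(default_factory=set)
    users: str = "all"                   # "all" or "authenticated"


def matches(rule: Rule, client_ip: str, host: str) -> bool:
    """True if the request falls inside the rule's From/To scope (minus exceptions)."""
    if rule.from_hosts is not None and client_ip not in rule.from_hosts:
        return False
    if rule.to_sites is not None and host not in rule.to_sites:
        return False
    return host not in rule.to_exceptions


def evaluate(policy, client_ip: str, host: str, authenticated: bool = False) -> str:
    """Walk the ordered policy; the first rule in scope decides the outcome."""
    for rule in policy:
        if not matches(rule, client_ip, host):
            continue
        if rule.users == "authenticated" and not authenticated:
            return "auth-prompt"         # proxy challenges for credentials before applying the rule
        return rule.action
    return "deny"                        # implicit default deny at the end of the policy


# The thread's proposal: deny-redirect, then the anonymous allow, then the authenticated rule.
POLICY = [
    Rule("Deny_Anonymous_HTTP", "deny-redirect", from_hosts=ANON_CLIENTS, to_exceptions=ALLOWED_SITES),
    Rule("Allow_Anonymous_HTTP", "allow", from_hosts=ANON_CLIENTS, to_sites=ALLOWED_SITES),
    Rule("Allow_Domain_Internet_Users", "allow", users="authenticated"),
]
# Same rules with the authenticated rule placed first: anonymous clients get prompted instead.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1]]
```

Reordering the same three rules is enough to turn the Helpdesk redirect back into the authentication prompt the original poster was seeing.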