• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Restrict access to some sites

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Restrict access to some sites Page: [1]
Login
Message << Older Topic   Newer Topic >>
Restrict access to some sites - 6.Feb.2004 4:33:00 AM   
Guest
Hi, in my case, i created new access rule with configuration:
Action: Deny, Redirect to http://www.elem.ru
Protocols: All Outbound Protocols
From: Internal network
To: Some Sites ( URL Set), for example, www.xxx.com

Users: All Users

Allowed autentication methods: Integrated.

It's working, but when I connect to a site,
for example, www.xxx.com, I receive a window of input of the name/password instead of a redirect to my site (www.elem.ru)
  Post #: 1
RE: Restrict access to some sites - 6.Feb.2004 5:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

Is there an allow rule for that site?

When you enter your name and password, are you redirected to the site?

Thanks!
Tom

(in reply to Guest)
Post #: 2
RE: Restrict access to some sites - 6.Feb.2004 5:59:00 AM   
Guest
>>Is there an allow rule for that site?
I have allow rule for HTTP(S)
from internal to external

>>When you enter your name and password, are you redirected to the site?
No, after three windows, browser display
page "Access Denied"

(in reply to Guest)
  Post #: 3
RE: Restrict access to some sites - 6.Feb.2004 11:46:00 AM   
Guest
In Logging service,
this packets shown with client username - anonimous

(in reply to Guest)
  Post #: 4
RE: Restrict access to some sites - 6.Feb.2004 1:59:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

Are you using the firewall client? If not, then you need to enable the Web Proxy listener, if you want authentication.

Right click on the Internal network and click Properties. Then configure the Web listener for outbound connections.

HTH,
Tom

(in reply to Guest)
Post #: 5
RE: Restrict access to some sites - 9.Feb.2004 6:07:00 AM   
Guest
I am not using firewall clients.
In my case, I use Web Proxy clients.

Enable HTTP
HTTP Port :8080
SSL - Disabled
Authentication - Integrated (Only)
Number of connection - Unlimited

When I add Basic authentication on my ISA Server,
the result to be identical.

I don't know, where to me to move now.

(in reply to Guest)
  Post #: 6
RE: Restrict access to some sites - 9.Feb.2004 11:00:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

Are the clients members of the same domain as the ISA2004 machine?

Thanks!
Tom

(in reply to Guest)
Post #: 7
RE: Restrict access to some sites - 9.Feb.2004 11:28:00 AM   
Guest
I have one ISA2004 mashine configured as EDGE firewall, and it have access to Internet over machine with ISA2000 as SecureNAT client.

(in reply to Guest)
  Post #: 8
RE: Restrict access to some sites - 9.Feb.2004 3:27:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

Is this a Web Proxy chaining configuration?

Thanks!
Tom

(in reply to Guest)
Post #: 9
RE: Restrict access to some sites - 10.Feb.2004 3:55:00 AM   
Guest
>>Are the clients members of the same domain as the ISA2004 machine?
Yes, I have single local domain.
>>Is this a Web Proxy chaining configuration?
Yes, of course.

(in reply to Guest)
  Post #: 10
RE: Restrict access to some sites - 10.Feb.2004 5:39:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

In a Web Proxy chaining configuration, you need to configure a user account on the downstream that the upstream will use to authenticate connections. Did you configure that account's properties on the downstream, and then create that account on the upstream?

Thanks!
Tom

(in reply to Guest)
Post #: 11
RE: Restrict access to some sites - 10.Feb.2004 6:35:00 AM   
Guest
No, in my case, i setup ISA Server 2004 as SecureNAT client for ISA2000 Machine.
On the ISA2000 machine, I created Adress range with IP of ISA2004.
When I connect to any web site, my session is authenticated on ISA2004, and ISA2004 is NOT authenticated on ISA2000.
On ISA2000, I can see traffic from ISA2004 with IP adress of ISA2004.
ItĘs worked ok.
But if I create deny rule to specific sites with redirection to "deny page", I see prompt to enter the login and password.
It's my big problem.
With ISA2000 in this network and software configuration, i had good work.

I am sorry for my bad English.

(in reply to Guest)
  Post #: 12
RE: Restrict access to some sites - 10.Feb.2004 2:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

Your English is fine!

OK, I understand the situation now. You're getting prompted when the users should have a redirect.

On which machine did you configure the Deny rule? On the ISA2004 or the ISA2000 machine?

Thanks!
Tom

(in reply to Guest)
Post #: 13
RE: Restrict access to some sites - 11.Feb.2004 4:21:00 AM   
Guest
On the ISA2004.

(in reply to Guest)
  Post #: 14
RE: Restrict access to some sites - 12.Feb.2004 12:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

I know that there are some Registry entries that you can configure on the upstream ISA2000 machine that might help prevent this. Have you seen them in the KB?

Thanks!
Tom

(in reply to Guest)
Post #: 15
RE: Restrict access to some sites - 13.Feb.2004 5:03:00 AM   
Guest
Thank you Tom for your answers.
Yes, i know this KB for ISA2000.
But when I connected ISA2004 directly to internet without ISA2000, I had this problem too.
I am assured, that my problems are bonded with ISA2004 and authentication.
Have you this problem in your configurations?

(in reply to Guest)
  Post #: 16
RE: Restrict access to some sites - 13.Feb.2004 5:12:00 AM   
Guest
I am sorry Tom,
but when I change content groups in "deny rule" from "All content types" to "Selected content groups" an check ALL content groups (Application, video, etc.) and apply the changes, my problem is disappears.
Why?

(in reply to Guest)
  Post #: 17
RE: Restrict access to some sites - 14.Feb.2004 1:27:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dmitry,

It could be that only Web Proxy clients can evaluate content groups.

If firewall or Web Proxy clients attempt a connection, they are initially denied.

HTH,
Tom

(in reply to Guest)
Post #: 18

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Restrict access to some sites Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts