Welcome to ISAserver.org
Website Restrictions
Website Restrictions - 24.Jun.2008 12:07:39 PM
Chadwick24
Posts: 8
Joined: 24.Jun.2008
Status: offline
Hi, would anyone be kind enough to point me in the right direction to restrict certain Active Directory groups from viewing all but a few selected websites? I found these instructions: http://www.sbs-rocks.com/sbs2k3/restrict/RestrictInetUse.htm. Unfortunately I couldn't find any here, but I followed these instructions and created a rule that only applies to my test user in AD. However, every time I enable the policy, it blocks all websites for ALL users even though the "All Users" group was removed from the policy's conditions. I would appreciate any help. Thanks.
RE: Website Restrictions - 24.Jun.2008 12:49:56 PM
pwindell
Posts: 638
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Make sure the users are not included in the normal HTTP/HTTPS Rule you are using.
2. Create a second HTTP/HTTPS Rule that includes the users. Include in the Rule a Domain Name Set that lists the Sites they are allowed to access.
But if you want them redirected when they go to an un-allowed site then make the Rule a "deny rule" and place the allowed Domain Name Set in the "Exceptions" box in the "TO:" Tab.
_____________________________
Phillip Windell www.wandtv.com
RE: Website Restrictions - 24.Jun.2008 1:29:55 PM
Chadwick24
Posts: 8
Joined: 24.Jun.2008
Status: offline
Thanks for the advice. However, I think I may have a larger problem, and it may be due to my lack of experience with ISA. But the problem is I only have one rule active right now and it's the default "Unrestricted Internet Access" rule with "All Users" as the condition. If I change that rule from "All Users" to the User set I created that includes only Domain Users from Active Directory, then all HTTP traffic is suddenly blocked for everyone, including everyone in the Domain Users group in Active Directory. I've tried creating a user set using other security groups from AD and when I apply the "Unrestricted Internet Access" policy to them it again blocks ALL users. It only works if "All Users" is the condition.

This is the default rule I have:
Access Rule Name: Unrestricted Internet access
Action: Allow
Protocols: All Outbound Traffic
From: Internal, VPN Clients
To: External
Condition: All Users

Now, I have a security group in Active Directory called "RestrictedInternetUsers". I placed that group into a user set with the same name in ISA. Then I created a rule called "RestrictedInternetPolicy". I then created a URL Set called "testint" using all Microsoft websites as a test. Then I created the following:
Access Rule Name: RestrictedInternetPolicy
Action: Allow
Protocols: HTTP
From: Internal
To: testint
Condition: RestrictedInternet

When that rule is enabled, all Internet access for everyone is blocked (except for the Microsoft websites), even if I remove "All Users" from the default "Unrestricted Internet Access" policy and just use "DomainUsers" in its place. Could the problem be that in AD, all users are in the Domain Users group including the restricted group? I would like to think the AD groups wouldn't mean that much to the ISA. Wouldn't that be the job of the user sets?
< Message edited by Chadwick24 -- 24.Jun.2008 1:41:41 PM >
RE: Website Restrictions - 24.Jun.2008 1:45:27 PM
pwindell
Posts: 638
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
"Unrestricted Internet Access" rule with "All Users" as the condition.

Disable that Rule. You can leave it at the top for "emergency use", but keep it disabled. Then create more specific Rules. Create two AD Groups: one for regular Internet Access and one for Restricted Access. Do not have any overlap in the membership of those groups. Use these Groups when creating User Sets for the Rules. As long as there is no overlap between the Rules the order they appear in with respect to each other won't matter, but you may have to experiment.

Your Protocol should be HTTP and HTTPS, not just HTTP. The same web site can switch between the two while navigating.
_____________________________
Phillip Windell www.wandtv.com
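A small model of the policy logic discussed in the two replies above (first-match rule order, user-set conditions, and the deny rule with an exception set on the To tab). This is an added illustration, not ISA Server's own code or API; the user names, group membership and domain list are constructed stand-ins for the thread's AD groups and "testint" set, and `user=None` is an assumption used to model a request ISA could not authenticate.

```python
from __future__ import annotations
from dataclasses import dataclass

WEB = frozenset({"HTTP", "HTTPS"})   # both protocols: a site can switch between them

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    users: frozenset | None              # user set (flattened members); None = built-in "All Users"
    to: frozenset | None = None          # domain name set on the To tab; None = External (any host)
    exceptions: frozenset = frozenset()  # exception set on the To tab
    protocols: frozenset = WEB
    enabled: bool = True

def evaluate(policy, user, protocol, host):
    """First-match evaluation top to bottom; the implicit last rule denies everything.
    user=None models a request ISA could not authenticate (assumption for this model)."""
    for r in policy:
        if not r.enabled or protocol not in r.protocols:
            continue
        # A user-set condition needs an authenticated identity, so an anonymous
        # request can only ever match an "All Users" rule.
        if r.users is not None and (user is None or user not in r.users):
            continue
        if r.to is not None and host not in r.to:
            continue
        if host in r.exceptions:
            continue
        return r.action, r.name
    return "deny", "Default rule"

def users_overlap(a, b):
    """True when two user sets share a member: the case where rule order starts to matter."""
    return a is not None and b is not None and bool(a & b)

# Constructed stand-ins for the thread's AD groups and the "testint" site list
UNRESTRICTED = frozenset({"alice", "bob"})
RESTRICTED = frozenset({"testuser"})
ALLOWED = frozenset({"www.microsoft.com", "support.microsoft.com"})

def thread_policy(emergency_rule_enabled=False):
    return [
        Rule("Unrestricted Internet Access", "allow", None, enabled=emergency_rule_enabled),
        Rule("UnrestrictedInternet", "allow", UNRESTRICTED),
        # Deny-with-exceptions form from the reply, plus the allow for the listed sites;
        # the two do not overlap, so their relative order does not matter.
        Rule("RestrictedInternet deny", "deny", RESTRICTED, exceptions=ALLOWED),
        Rule("RestrictedInternet allow", "allow", RESTRICTED, to=ALLOWED),
    ]

if __name__ == "__main__":
    p = thread_policy()
    print(evaluate(p, "alice", "HTTPS", "example.com"))      # UnrestrictedInternet allows
    print(evaluate(p, "testuser", "HTTP", "example.com"))    # restricted deny rule fires
    print(evaluate(p, None, "HTTP", "www.microsoft.com"))    # anonymous: only the default rule matches
```

The last call reproduces the thread's symptom: once every allow rule carries a user-set condition, a request that ISA cannot authenticate falls through to the default deny, whichever site it targets.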
RE: Website Restrictions - 24.Jun.2008 3:32:11 PM
Chadwick24
Posts: 8
Joined: 24.Jun.2008
Status: offline
I suppose I will have to do some playing around. I created two Security groups in AD, one "RestrictedInternet" and the other "UnrestrictedInternet", then created their respective user sets in ISA. All users in the domain are part of "UnrestrictedInternet" except for "testuser", who is the only member of "RestrictedInternet". When I enable them and disable the original default rule I still have no connection, not even to the approved websites. Even if I only have "UnrestrictedInternet" enabled and leave "RestrictedInternet" and the original default policy disabled, I still get no internet connection. It seems like ISA is not authenticating the users from AD. The ISA is a back-end firewall and is part of the domain. AD is also running on the ISA. I never set up the ISA as it was already done when I started working. I did notice the ISA's domain is WAPISASTORE.WHITEANDPIERCE.COM and the rest of the domain is just WHITEANDPIERCE.COM. AD appears to be replicating properly from the Primary DCs to the ISA.
RE: Website Restrictions - 30.Jun.2008 9:42:07 AM
Chadwick24
Posts: 8
Joined: 24.Jun.2008
Status: offline
Sorry for the delay in getting back with an update. To shed some new light on the issue, I've noticed that the guys who set it up created it in a sub domain. It can view AD from the domain without issue, but it is not a full member of the domain. Do you think that even though it can access Active Directory without issue, this could be the cause of the firewall clients not authenticating properly?
RE: Website Restrictions - 30.Jun.2008 9:56:59 AM
pwindell
Posts: 638
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Probably is. I would have one domain and forget it.
_____________________________
Phillip Windell www.wandtv.com
RE: Website Restrictions - 30.Jun.2008 11:12:44 AM
Chadwick24
Posts: 8
Joined: 24.Jun.2008
Status: offline
I'll hold off on any more changes until I get that corrected. And thanks again. It's not easy walking into a network that 5 other guys worked on at different times before I came in; unfortunately none of them are available to help me figure out where they left off.