Website Restrictions (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Firewall Client

Chadwick24 -> Website Restrictions (24.Jun.2008 12:07:39 PM)

Hi,

Would anyone be kind enough to point me in the right direction to restrict certain Active Directory groups from viewing all but a few selected websites?

I found these instructions: http://www.sbs-rocks.com/sbs2k3/restrict/RestrictInetUse.htm (unfortunately I couldn't find any here), but I followed them and created a rule that only applies to my test user in AD. However, every time I enable the policy, it blocks all websites for ALL users, even though the "All Users" group was removed from the policy's conditions.

I would appreciate any help. Thanks.





pwindell -> RE: Website Restrictions (24.Jun.2008 12:49:56 PM)

1. Make sure the users are not included in the normal HTTP/HTTPS Rule you are using.
2. Create a second HTTP/HTTPS Rule that includes the users.  Include in the Rule a Domain Name Set that lists the Sites they are allowed to access.  But if you want them redirected when they go to an un-allowed site, then make the Rule a "deny rule" and place the allowed Domain Name Set in the "Exceptions" box in the "To:" Tab.




Chadwick24 -> RE: Website Restrictions (24.Jun.2008 1:29:55 PM)

Thanks for the advice. However, I think I may have a larger problem, and it may be due to my lack of experience with ISA. The problem is I only have one rule active right now, and it's the default "Unrestricted Internet Access" rule with "All Users" as the condition. If I change that rule from "All Users" to the User Set I created that includes only Domain Users from Active Directory, then all HTTP traffic is suddenly blocked for everyone, including everyone in the Domain Users group in Active Directory. I've tried creating a user set using other security groups from AD, and when I apply the "Unrestricted Internet Access" policy to them it again blocks ALL users. It only works if "All Users" is the condition.

This is the default rule I have:

Access Rule
Name: Unrestricted Internet access
Action: Allow
Protocols: All Outbound Traffic
From: Internal, VPN Clients
To: External
Condition: All Users


Now, I have a security group in Active Directory called "RestrictedInternetUsers". I placed that group into a user set with the same name in ISA. Then I created a rule called "RestrictedInternetPolicy" and a URL Set called "testint" using all Microsoft websites as a test. Then I created the following:

Access Rule
Name: RestrictedInternetPolicy
Action: Allow
Protocols: HTTP
From: Internal
To: testint
Condition: RestrictedInternet

When that rule is enabled, all Internet access for everyone is blocked (except for the Microsoft websites), even if I remove "All Users" from the default "Unrestricted Internet Access" policy and just use "DomainUsers" in its place.

Could the problem be that in AD all users are in the Domain Users group, including the restricted group? I would like to think the AD groups wouldn't mean that much to the ISA. Wouldn't that be the job of the user sets?




pwindell -> RE: Website Restrictions (24.Jun.2008 1:45:27 PM)

"Unrestricted Internet Access" rule with "All Users" as the condition.

Disable that Rule.  You can leave it at the top for "emergency use", but keep it disabled.  Then create more specific Rules.

Create two AD Groups. One for regular Internet Access and one for Restricted Access.  Do not have any overlap in the membership of those groups.  Use these Groups when creating User Sets for the Rules.

As long as there is no overlap between the Rules the order they appear in with respect to each other won't matter, but you may have to experiment.

Your Protocol should be HTTP and HTTPS, not just HTTP.  The same web site can switch between the two while navigating.
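
A small model of the rule processing described in this reply and in the earlier one about a second rule for the restricted users (added example, not code from the thread and not part of ISA Server): it walks a constructed rule list top to bottom the way ISA does, with the default "All Users" rule disabled and one allow rule per AD group, and shows that the restriction only holds when nobody belongs to both groups. Rule names, group names and host names are constructed for the demonstration.

```python
# Added example, not from the thread or from ISA Server: a first-match model of
# ISA 2004 access rule processing. Rule, group and host names are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow" or "deny"
    protocols: FrozenSet[str]               # protocols the rule covers
    users: Optional[FrozenSet[str]]         # AD groups in the User Set; None = All Users
    to: Optional[FrozenSet[str]] = None     # Domain Name Set on the "To:" tab; None = External
    exceptions: FrozenSet[str] = frozenset()  # "Exceptions" box on the "To:" tab
    enabled: bool = True

WEB = frozenset({"HTTP", "HTTPS"})          # both, since a site can switch between them
ALLOWED_SITES = frozenset({"www.microsoft.com", "support.microsoft.com"})

# Rule order as it would appear in the ISA console, top to bottom.
RULES = (
    Rule("Unrestricted Internet Access", "allow", WEB, None, enabled=False),
    Rule("RestrictedInternetPolicy", "allow", WEB,
         frozenset({"RestrictedInternet"}), to=ALLOWED_SITES),
    Rule("UnrestrictedInternetPolicy", "allow", WEB,
         frozenset({"UnrestrictedInternet"})),
)

def evaluate(rules, user_groups: FrozenSet[str], protocol: str, host: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first enabled rule that matches.
    ISA's rule list always ends with an implicit default rule that denies."""
    for r in rules:
        if not r.enabled or protocol not in r.protocols:
            continue
        if r.users is not None and not (user_groups & r.users):
            continue                        # user is not in the rule's User Set
        if r.to is not None and host not in r.to:
            continue                        # destination outside the Domain Name Set
        if host in r.exceptions:
            continue                        # excluded on the "To:" tab
        return r.name, r.action
    return "Default rule", "deny"

# Membership as recommended: no user in both groups.
NO_OVERLAP = {"alice": frozenset({"UnrestrictedInternet"}),
              "testuser": frozenset({"RestrictedInternet"})}
# Membership when the User Sets were built on overlapping groups.
OVERLAP = {"testuser": frozenset({"RestrictedInternet", "UnrestrictedInternet"})}

def restricted_can_browse_freely(memberships, rules=RULES) -> bool:
    """True when testuser reaches a site that is not in ALLOWED_SITES."""
    _, action = evaluate(rules, memberships["testuser"], "HTTP", "www.example.com")
    return action == "allow"
```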




Chadwick24 -> RE: Website Restrictions (24.Jun.2008 3:32:11 PM)

I suppose I will have to do some playing around. I created two Security groups in AD, one "RestrictedInternet" and the other "UnrestrictedInternet", then created their respective user sets in ISA. All users in the domain are part of "UnrestrictedInternet" except for "testuser", who is the only member of "RestrictedInternet". When I enable them and disable the original default rule I still have no connection, not even to the approved websites.

Even if I only have "UnrestrictedInternet" enabled and leave "RestrictedInternet" and the original default policy disabled, I still get no Internet connection. It seems like ISA is not authenticating the users from AD.

The ISA is a back-end firewall and is part of the domain. AD is also running on the ISA. I never setup the ISA as it was already done when I started working. I did notice the ISA's domain is WAPISASTORE.WHITEANDPIERCE.COM and the rest of the domain is just WHITEANDPIERCE.COM.

AD appears to be replicating properly from the Primary DCs to the ISA.




pwindell -> RE: Website Restrictions (24.Jun.2008 4:23:41 PM)

The ISA is a back-end firewall and is part of the domain. AD is also running on the ISA.
............
AD appears to be replicating properly from the Primary DCs to the ISA.


Be specific on what you are saying there.  AD cannot be "on" the ISA and Replication only occurs between Domain Controllers.

Microsoft does not support ISA running on a Domain Controller unless it is SBS.

Thomas Shinder Blog » Blog Archive » ISA Firewall Freedom Day Declared
http://blogs.isaserver.org/shinder/2007/09/09/isa-firewall-freedom-day-declared/

Troubleshoot the Rule behavior with these two articles:

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc




Chadwick24 -> RE: Website Restrictions (30.Jun.2008 9:42:07 AM)

Sorry for the delay in getting back with an update.

To shed some new light on the issue. I’ve noticed that the guys who set it up created it in a sub domain. It can view AD from the domain without issue, but it is not a full member of the domain. Do you think that even though it can access Active Directory without issue, that this could be the cause of the firewall clients not authenticating properly?




pwindell -> RE: Website Restrictions (30.Jun.2008 9:56:59 AM)

Probably is.

I would have one domain and forget it.




Chadwick24 -> RE: Website Restrictions (30.Jun.2008 11:12:44 AM)

I'll hold off on any more changes until I get that corrected.

And thanks again. It's not easy walking into a network that 5 other guys worked on at different times before I came in; unfortunately none of them are available to help me figure out where they left off.



