• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Authorization & Deny by IPs

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Authorization & Deny by IPs Page: [1]
Login
Message << Older Topic   Newer Topic >>
Authorization & Deny by IPs - 21.Aug.2008 4:28:27 AM   
yehya

 

Posts: 7
Joined: 21.Aug.2008
Status: offline
Hello everybody..

I'm using windows server 2003 SP2 and ISA Server 2004.. I want to give specific users in my organization full authorization for downloading and accessing website, and other people deny this authorization for others.. how can I do that by IPs? 

Regards

_____________________________

Yehya
Post #: 1
RE: Authorization & Deny by IPs - 21.Aug.2008 12:20:41 PM   
noddles

 

Posts: 47
Joined: 21.Apr.2008
Status: offline
Hi,
First create domain name sets that contain the websites that you want the selected users to have full access (you can call it DENY SITES). Then Do this:
Right click Firewall policy, navigate to new > Access rule; give the access rule a name, click next, rule action must be DENY > all outbound traffic > source will be INTERNAL > destination will be DENY SITES > then user set will be ALL USERS. After that double click the new access rule go to the FRON / DESTINATION tab and create exceptions, add a new computer set which contains the IP addresses of the computer that you want to give full access, add the computer set to the exceptions tab. and that should do the trick.....
Please note that when this is done, nobody except those in the exceptions tab can go to those sites but they can all browse the internet except those sites.....
Now if you want nobody to browse you can use the same process but this time it will be from INTERNAL > EXTERNAL, with the computers you want to browse in the exceptions tab....

Goodluck......

(in reply to yehya)
Post #: 2
RE: Authorization & Deny by IPs - 23.Aug.2008 4:21:56 AM   
yehya

 

Posts: 7
Joined: 21.Aug.2008
Status: offline
Thank you noddles for your reply.
I already have the rule access for internet, and I created a rule for deny websites, but this rule deny for all users, but I want to allow this websites for specific users.. So I think I have to create some sets for exceptions first to can do what u asked me.. maybe by creating domain name sets, but I don’t know how to do it.
And my other question is how to deny some users to download some extensions of files like mp3, exe,flv… etc.., and I know how to deny this command for everyone but I want specific users to can download this extensions of files and others not. So what can I do to make this rule?
Notes: I want to make this by users IP`s.
Please if you can explain more to can get it..
Thanks again and best regards  

_____________________________

Yehya

(in reply to noddles)
Post #: 3
RE: Authorization & Deny by IPs - 23.Aug.2008 6:40:00 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi Yehya.

Just checked my email and found that you have posted your issue here, so iam going to reply to you here.

If you need to control machines by names, and not authenticating by usernames, then you will need to create address range or computer objects and put it in the Source Network, under From

 
You will need 3 rules, the first one is a deny rule and the second one is an allow rule.

1-Deny Website Rule ( Read Tom article : http://www.isaserver.org/articles/2004domainnamesets.html)
Deny > Protocols > From Computer List 1 > To Domain Name Set > All Users

2- Deny Download rule ( read my article here  : Blocking Desired Extensions & Content Types)
Allow > Protocols > From Computer list 2 > To External > ALL Users


3- Allow Download Rule
Allow > Protocols > From Computer List 3 > To External > ALL Users

and regarding the computer list :

On the Access Rule Sources page, we need to create a Computer Object/Set to include the IP(s) of our Apple Macintosh machine(s), click on the Add button, click on Computer Set so that we can include in it multiple IPs for different machines
               
Enter a name for the new Computer Set,  click on the Add button, then click on Computer, enter the name of the Mac machine, the IP Address and then click on OK, repeat these steps for every machine you want to add.
    

Once you finish adding all the machines inside the Computer Set, click on OK, and from the Add Network Entities page, expand Computer Sets folder, and you will see the new computer set that we created, click on it and then click Add. The MACINTOSH MACHINES computer set will be added in the Access Rule Sources page, Click Close to close the Add Network Entities page then click Next





Steps taken from : Connecting Macintosh Machines Behind ISA Server
 
 
HTH,
Tarek

< Message edited by elmajdal -- 23.Aug.2008 6:45:20 AM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to yehya)
Post #: 4
RE: Authorization & Deny by IPs - 23.Aug.2008 6:55:24 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Tarek,
Cool article the one with Macs!
Very useful.
Thanks!

(in reply to elmajdal)
Post #: 5
RE: Authorization & Deny by IPs - 8.Oct.2008 3:54:30 AM   
yehya

 

Posts: 7
Joined: 21.Aug.2008
Status: offline
Hi Tarek

First of all i would like to thank you for your reply and explaining..

I already did everything you wrote except the important thing i would like to know which is how to stop some users in my organization for downloading .. i know how to stop everyone trhough the network to download any extension i add and that for sure will stop me also to make download, but what i want that how to stop some of users ( By IP Address ) to download the extensions i add like vedio and audio. I want only me and some users to have this access to download all the extensions, and other users only can download doc. extensions. 

The Rules I have ...
Internet Access Rule , Deny Website Rules

Thanks & Regards,
Yehya

(in reply to elmajdal)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Authorization & Deny by IPs Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts