Hi, I have configured a rule on my ISA Server 2004 to block the users who have already left my organization. I have configured the following rule:
General tab: Rule Name: Block Access to Internet; Enable: Yes
Action tab: Deny
Protocol tab: Selected Protocols (HTTP, HTTPS)
From tab: Internal
To tab: External
Content type tab: All content types
Schedule tab: Always
User tab: (Group of users who have already left my organization)
The problem is that one of my users, who is not joined to the domain (anonymous user), with the IP address 192.168.1.226, could not access the internet to update his Kaspersky anti-virus program.
When I checked the ISA log file, I found that this user was matched by the above rule. I really wonder why it matched the above rule, because I have configured it only for the users who have already left my office, not the All Users group.
If anyone knows the cause of the problem and the solution, please let me know.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
That is silly... sorry, but it is. You don't create a firewall rule to block people that don't work there anymore.
When someone leaves you do one of the following:
1. Delete their account
OR
2. Disable the account. Create a Group called Disabled Users. Add the account to that group and make that group their Default Group. Remove them from all other groups (including Domain Users). Remove the Dialin Right from their account if it was set.
That is all. There is no monkeying around with the Firewall.
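Option 2 from the post above, scripted with the ActiveDirectory PowerShell module as an added example (not part of the thread and not the poster's own code). The account name `jdoe` and the function name `Disable-DepartedUser` are placeholders; the holding group name follows the post.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # placeholder account name
        [string]$HoldingGroup = 'Disabled Users'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and strip group memberships')) { return }

    # Create the holding group on first use. A primary group must be a
    # global or universal security group.
    $group = Get-ADGroup -Filter "Name -eq '$HoldingGroup'"
    if (-not $group) {
        $group = New-ADGroup -Name $HoldingGroup -GroupScope Global -GroupCategory Security -PassThru
    }

    Disable-ADAccount -Identity $user

    # The account must be a member of a group before that group can become its primary group.
    if ($user.MemberOf -notcontains $group.DistinguishedName -and
        $user.PrimaryGroup -ne $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    # primaryGroupID stores the RID, the last component of the group's SID.
    $rid = [int]($group.SID.Value -split '-')[-1]
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }

    # The old primary group (usually Domain Users) is not listed in MemberOf,
    # so it is added to the removal list explicitly.
    $toRemove = @($user.MemberOf) + $user.PrimaryGroup |
        Where-Object { $_ -and $_ -ne $group.DistinguishedName } | Select-Object -Unique
    foreach ($dn in $toRemove) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }

    # Deny dial-in / VPN access (the "Dialin Right" in the post).
    Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }

    # Return the resulting state so it can be reviewed or logged.
    Get-ADUser -Identity $user -Properties MemberOf, PrimaryGroup, msNPAllowDialin |
        Select-Object SamAccountName, Enabled, PrimaryGroup, MemberOf, msNPAllowDialin
}

# Dry run: reports the target account without changing anything.
Disable-DepartedUser -SamAccountName 'jdoe' -WhatIf
```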
The situation here does not allow me to do that. Even though the staff member has left, management requires the computer to log on automatically with the former staff member's credentials when they need to check his working documents. That is the reason that I can't delete or disable his account.
On the other hand, the former staff member also visits his computer during working hours if his former team leader needs him to show some files. That is why management just asked me to restrict them from accessing the internet only.
So, given the above situation, could you please let me know which rule configuration is suitable for this requirement?
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
General tab: Rule Name: Block Access to Internet; Enable: Yes
Action tab: Deny
Protocol tab: Selected Protocols (HTTP, HTTPS)
From tab: Internal
To tab: External
Content type tab: All content types
Schedule tab: Always
User tab: (Group of users who have already left my organization)
The Rule is correct for what it needs to do. There is nothing wrong with it.
The problem is that one of my users, who is not joined to the domain (anonymous user), with the IP address 192.168.1.226, could not access the internet to update his Kaspersky anti-virus program.
One has nothing to do with the other. Your "Deny Old Users" rule only affects specific users (the ones in the Group). It has nothing to do with anonymous users.
You have to create a separate Rule for anonymous users.
Thank you for your reply. Now I have the solution. I just added an exception for the computer that is not joined to the domain, and now they can use it as before.