I have never thought I would ask for this, but I want some domain groups to have no access to the internet at all. Here are my rules:
Site and content rules:
Allow rule, enterprise scope, applies to any request, schedule always, all destinations, all content. Deny rule, enterprise scope, applies to domain\restricted group, schedule always, all destinations, all content.
Protocol rules: allow rule, enterprise scope, applies to any request.
However, when I add myself to the restricted domain group I can still browse.
This has to do with the anonymous rules, though I have put a check in the outgoing listeners tab to ask unauthenticated users.
How to solve this? I think ISA is not checking the username as the "any request" option is used, is this right?
What decision do you offer? Maybe use domain users instead of any requests?
Always keep in mind that ISA processes the rules in the following order:
1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).
Because the allow rule is anonymous (any request), it will be processed before the authenticated deny rule. Therefore you should change the Apply tab on the allow rule to a client address set (whole internal network) or all domain users (recommended).
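A small model of the rule-processing order described in the reply above, added here as an illustration (it is not ISA code; the rule names and the group names DOMAIN\Restricted and DOMAIN\Domain Users are made up). It shows why an "any request" allow rule is matched before a group-based deny rule, and that scoping the allow rule to Domain Users makes the deny take effect:

```python
from dataclasses import dataclass

# Constructed model of ISA 2000 rule processing; not ISA code.
# A rule with no groups is an "any request" (anonymous) rule.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    groups: frozenset = frozenset()    # empty == applies to any request

    @property
    def anonymous(self) -> bool:
        return not self.groups

# The four passes, in the order ISA evaluates them.
PASSES = [("deny", True), ("allow", True), ("deny", False), ("allow", False)]

def evaluate(rules, user_groups):
    """Return (action, rule_name) for a user holding user_groups.
    Anonymous rules match any request; authenticated rules match only
    when the user is a member of one of the rule's groups."""
    for action, anon in PASSES:
        for rule in rules:
            if rule.action != action or rule.anonymous != anon:
                continue
            if anon or rule.groups & user_groups:
                return action, rule.name
    return "deny", "default (no allow rule matched)"

# Hypothetical group names for the illustration.
RESTRICTED = "DOMAIN\\Restricted"
DOMAIN_USERS = "DOMAIN\\Domain Users"

# The poster's configuration: allow applies to any request, deny to a group.
BROKEN = [Rule("Allow all", "allow"),
          Rule("Deny restricted", "deny", frozenset({RESTRICTED}))]

# The recommended fix: scope the allow rule to Domain Users.
FIXED = [Rule("Allow domain users", "allow", frozenset({DOMAIN_USERS})),
         Rule("Deny restricted", "deny", frozenset({RESTRICTED}))]

def decision(rules, groups):
    """Convenience wrapper returning only the resulting action."""
    return evaluate(rules, frozenset(groups))[0]

if __name__ == "__main__":
    member = {DOMAIN_USERS, RESTRICTED}
    print("broken:", evaluate(BROKEN, frozenset(member)))  # ('allow', 'Allow all')
    print("fixed: ", evaluate(FIXED, frozenset(member)))   # ('deny', 'Deny restricted')
```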
OK, I restarted the ISA service on one of the array members, then it started to work.
The deny is based on group membership, so how come the deny rule is processed, but it says anonymous? If it was anonymous, how come it denied me? To deny me it needs to know my group?
Could it be that I redirect the denied requests to an intranet site, and when redirecting it becomes anonymous?
I mean in the log I see the following:
10.212.x.x anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 2004-10-07 07:18:23 ISA2 - - - - - 594 - - GET http://intranet.mydomain.com/ - 12209 www Deny rule for functional groups
Keep in mind that if authentication is required on the rule (recommended setup) and not on the outgoing Web Proxy listener, all requests will be sent anonymously initially. When the rule requires authentication, the Web Proxy service will ask the Web Proxy client to authenticate first before allowing access. So, in the logs you will see anonymous requests with sc-status=12209 if authentication is required.
OK, I understand this, but the authentication is on the outgoing tab.
I got it, I think. The first time when they try to open a web page they are authenticated and the deny rule is applied. But this rule has a forwarding to the intranet, and when they are forwarded the outgoing listener asks for authentication again, because this is treated as a new connection attempt. Is that right?
Are you asking for authentication on the Outgoing Web Proxy listener? You shouldn't do that, it's not recommended by Tom! Just require authentication on the rules instead.