i have never thought i would ask for this but i want some domain groups to have no access to internet at all here are my rules
site and content
allow rule, enterprise scope, applies to any request,schedule always, all destination, all contnet deny rule , enterprise scope, applies to domain\restricted grou, schedule always, all destination, all contnet
protocol rules allow rule, enterprise scope, applies to any request,
however when i add myself to the restriced domain group i can still browse
this has to do smth with the anonymous rules, though i have put a check in the outgoing listeners tab to ask unauthneticated users
how to solve this? i think isa is not checking the username as any request option is used, is this right?
what decision do yuo offer? may be use domain users instead of any requests?
always keep in mind that ISA processes the rules in the following order:
1) Deny rules applying to any request (anonymous). 2) Allow rules applying to any request (anonymous). 3) Deny rules applying to client address sets or users and groups (authenticated). 4) Allow rules applying to client address sets or users and groups (authenticated).
Because the allow rule is anonymous (any request) it will be processed before the authenticated deny rule. Therefore you should change the apply tab on the allow rule to a client address set (whole internal network) or all domain users (recommended).
keep in mind that if authentication is required on the rule (recommended setup) and not on the outgoing Web Proxy listener, all request will be sent anonymously initially. When the rule requires authentication, the Web Proxy service will ask the Web Proxy client to authenticate first before allowing access. So, in the logs you will see anonymous request with sc-status=12209 if authentication is required.
ok i understand this, but the authentication is on the outgoing tab.
i got it i think the first time when they try to open a web page they are authenticated and the deny rule is applied. but this rule has a forwarding to the intrenet and when they are forwarded the outgoing listener ask for authentication again, beacuase this is treated as a new connection attempt, is that right?