Welcome to ISAserver.org


problem with denying access - help me pls

All Forums >> [ISA Server 2000 General] >> General >> problem with denying access - help me pls Page: [1]
problem with denying access - help me pls - 6.Oct.2004 2:26:00 PM   
isa_dude

 

Posts: 152
Joined: 1.Jun.2004
From: Bulgaria
Status: offline
I never thought I would ask for this, but I want some domain groups to have no access to the internet at all. Here are my rules:

Site and content rules:

allow rule, enterprise scope, applies to any request, schedule always, all destinations, all content
deny rule, enterprise scope, applies to domain\restricted group, schedule always, all destinations, all content

Protocol rules:

allow rule, enterprise scope, applies to any request

However, when I add myself to the restricted domain group I can still browse.

This has something to do with the anonymous rules, though I have put a check in the outgoing listeners tab to ask unauthenticated users.

How do I solve this?
I think ISA is not checking the username because the "any request" option is used. Is this right?

What solution do you suggest?
Maybe use domain users instead of any request?
Post #: 1
RE: problem with denying access - help me pls - 6.Oct.2004 9:58:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi isa_dude,

always keep in mind that ISA processes the rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

Because the allow rule is anonymous (any request) it will be processed before the authenticated deny rule. Therefore you should change the apply tab on the allow rule to a client address set (whole internal network) or all domain users (recommended).

HTH,
Stefaan

(in reply to isa_dude)
Post #: 2
RE: problem with denying access - help me pls - 7.Oct.2004 8:32:00 AM   
isa_dude

 

Posts: 152
Joined: 1.Jun.2004
From: Bulgaria
Status: offline
Well, I did it the way you suggested: domain users instead of any request.

Still no change.

The restricted users group contains some of the Domain Users.
I added myself to all groups that are denied; still I can browse.

Could it be that the authentication is done on the outgoing listener but not on the rule itself?

(in reply to isa_dude)
Post #: 3
RE: problem with denying access - help me pls - 7.Oct.2004 9:46:00 AM   
isa_dude

 

Posts: 152
Joined: 1.Jun.2004
From: Bulgaria
Status: offline
OK, I restarted the ISA service on one of the array members; then it started to work.

The deny is based on group membership,
so how come the deny rule is processed, but the log says anonymous?
If it was anonymous, how come it denied me?
To deny me it needs to know my group?

Could it be that I redirect the denied requests to an intranet site, and when redirecting it is anonymous?

I mean, in the log I see the following:

10.212.x.x anonymous Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 2004-10-07 07:18:23 ISA2 - - - - - 594 - - GET http://intranet.mydomain.com/ - 12209 www Deny rule for functional groups

but the original request is to other sites.

(in reply to isa_dude)
Post #: 4
RE: problem with denying access - help me pls - 7.Oct.2004 9:40:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi isa_dude,

keep in mind that if authentication is required on the rule (recommended setup) and not on the outgoing Web Proxy listener, all requests will be sent anonymously initially. When the rule requires authentication, the Web Proxy service will ask the Web Proxy client to authenticate first before allowing access. So, in the logs you will see anonymous requests with sc-status=12209 if authentication is required.

HTH,
Stefaan

(in reply to isa_dude)
Post #: 5
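The following is an added example, not code from this thread or from ISA Server itself. It models two things from the replies above: the four-phase rule-processing order from post #2 (anonymous deny, anonymous allow, authenticated deny, authenticated allow) and the anonymous-first request flow from post #5 (first request without credentials, a 12209 entry in the log when a user/group rule has to be evaluated, then a retry with credentials). Rule, user and group names (Restricted, Domain Users, alice, bob) and the client address are assumptions made up for the example; ISA's real matching also checks destination, schedule and content type, which are left out here.

```python
"""
Added example (not ISA Server code): a small model of the ISA Server 2000
Web Proxy rule-processing order and of the anonymous-then-authenticated
request flow described in the thread. Names and addresses are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Order in which the Web Proxy service walks the rules (post #2):
#   1) deny rules applying to any request (anonymous)
#   2) allow rules applying to any request (anonymous)
#   3) deny rules applying to users/groups or client address sets
#   4) allow rules applying to users/groups or client address sets
PHASES = (("deny", True), ("allow", True), ("deny", False), ("allow", False))

SC_STATUS_AUTH_REQUIRED = 12209  # status seen in the log line in post #4


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    groups: frozenset = frozenset()   # empty == "applies to any request"

    @property
    def anonymous(self) -> bool:
        return not self.groups


@dataclass(frozen=True)
class Request:
    client_ip: str
    url: str
    user: Optional[str] = None        # None == sent without credentials
    groups: frozenset = frozenset()   # groups of the authenticated user


def evaluate(rules, req):
    """First rule that decides the request, in ISA's phase order.

    Returns ("allow", rule), ("deny", rule), ("deny", None) when nothing
    matched, or ("auth_required", rule) when the next rule to consider
    applies to users/groups and the request carries no credentials.
    """
    for action, anonymous in PHASES:
        for rule in rules:
            if rule.action != action or rule.anonymous != anonymous:
                continue
            if rule.anonymous:
                return action, rule          # any-request rules match everyone
            if req.user is None:
                return "auth_required", rule  # proxy must challenge first
            if rule.groups & req.groups:
                return action, rule
    return "deny", None


def browse(rules, directory, client_ip, user, url):
    """Simulate one Web Proxy client fetch with authentication required on
    the rules, not on the outgoing listener: the first request goes out
    anonymously; if a user/group rule has to be evaluated the proxy logs
    12209 and the client retries with credentials.
    Returns (final_action, list_of_log_lines)."""
    log = []
    req = Request(client_ip, url)                   # anonymous first attempt
    action, rule = evaluate(rules, req)
    if action == "auth_required":
        log.append(f"{client_ip} anonymous GET {url} "
                   f"{SC_STATUS_AUTH_REQUIRED} {rule.name}")
        req = Request(client_ip, url, user, directory.get(user, frozenset()))
        action, rule = evaluate(rules, req)
    log.append(f"{client_ip} {user} GET {url} {action} "
               f"{rule.name if rule else '-'}")
    return action, log


# Constructed directory: alice is in the restricted group, bob is not.
DIRECTORY = {
    "alice": frozenset({"Domain Users", "Restricted"}),
    "bob": frozenset({"Domain Users"}),
}
DENY_RESTRICTED = Rule("Deny rule for functional groups", "deny",
                       frozenset({"Restricted"}))

# isa_dude's original setup: the allow rule applies to any request.
ORIGINAL_RULES = [Rule("Allow all", "allow"), DENY_RESTRICTED]
# Stefaan's fix: the allow rule applies to Domain Users instead.
FIXED_RULES = [Rule("Allow Domain Users", "allow",
                    frozenset({"Domain Users"})), DENY_RESTRICTED]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for who in ("alice", "bob"):
            result, lines = browse(rules, DIRECTORY, "10.212.0.5", who,
                                   "http://www.example.com/")
            print(f"[{label}] {who}: {result}")
            for line in lines:
                print("   ", line)
```

With the original rule set the anonymous allow rule wins in phase 2 before the group-based deny is ever reached, so alice browses and no 12209 is logged. With the allow rule scoped to Domain Users, nothing matches in the anonymous phases, the proxy challenges (the 12209 line), and on the authenticated retry alice hits the deny rule while bob falls through to the allow rule.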
RE: problem with denying access - help me pls - 8.Oct.2004 1:07:00 PM   
isa_dude

 

Posts: 152
Joined: 1.Jun.2004
From: Bulgaria
Status: offline
OK, I understand this, but the authentication is on the outgoing tab.

I think I've got it:
the first time they try to open a web page they are authenticated and the deny rule is applied, but this rule has a forwarding to the intranet, and when they are forwarded the outgoing listener asks for authentication again, because this is treated as a new connection attempt. Is that right?

(in reply to isa_dude)
Post #: 6
RE: problem with denying access - help me pls - 8.Oct.2004 2:03:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi isa_dude,

are you asking for authentication on the Outgoing Web Proxy listener? You shouldn't do that, it's not recommended by Tom! Just require authentication on the rules instead.

HTH,
Stefaan

(in reply to isa_dude)
Post #: 7
