Guest -> General Question....Hopefully basic (3.Dec.2004 5:07:00 PM)

Currently I have a few site and content rules set up on my ISA box.

Rules I have set up....
1. Allow rule allows internet access allows Int...access for everyone..

2. Deny websites.. Denied certain websites to our users. This works, even have them redirected to another site if a blacklisted site has been reached.

3. The third rule I just created is what I am having a problem with. I want to deny access to all external destinations and I specified the according user accts. I logged on as each of those users and they are still able to log onto the internet... I have stopped and started the ISA services, and also logged off and logged back on the users.

Any suggestions would be greatly appreciated.

spouseele -> RE: General Question....Hopefully basic (4.Dec.2004 11:31:00 PM)

Hi Randy,

ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule, it will take precedence over any authenticated rule.
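
The evaluation order listed in the reply above, as a small model (an added example, not part of the original thread and not ISA Server code). The `Rule` class, the `phase` and `evaluate` helpers, the user names `alice` and `bob`, the host names, and the default deny when nothing matches are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    users: Optional[Set[str]] = None          # None = applies to any request (anonymous)
    destinations: Optional[Set[str]] = None   # None = all destinations

    def matches(self, user: str, host: str) -> bool:
        user_ok = self.users is None or user in self.users
        dest_ok = self.destinations is None or host in self.destinations
        return user_ok and dest_ok

def phase(rule: Rule) -> int:
    # Order from the reply: 0 anonymous deny, 1 anonymous allow,
    # 2 authenticated deny, 3 authenticated allow.
    return (0 if rule.users is None else 2) + (0 if rule.action == "deny" else 1)

def evaluate(rules, user: str, host: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches in phase order."""
    for rule in sorted(rules, key=phase):
        if rule.matches(user, host):
            return rule.action, rule.name
    return "deny", "(no matching rule)"       # model assumption: nothing matched

# Constructed sample data: bob is one of the users who should be denied.
BLOCKED = {"blocked.example"}

# The three rules from the first post.
ORIGINAL = [
    Rule("allow everyone", "allow"),
    Rule("deny websites", "deny", destinations=BLOCKED),
    Rule("deny external for users", "deny", users={"bob"}),
]

# The rules after the anonymous allow rule is replaced by group-based rules.
REVISED = [
    Rule("deny websites", "deny", destinations=BLOCKED),
    Rule("approved Internet users", "allow", users={"alice", "bob"}),
    Rule("Deny internet users", "deny", users={"bob"}),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("revised", REVISED)):
        for user in ("alice", "bob"):
            print(label, user, evaluate(rules, user, "news.example"))
```

With the original rule set, the anonymous allow rule matches before the user-specific deny rule is ever reached; once it is removed, the authenticated deny rule is evaluated ahead of the authenticated allow rule even for a user who belongs to both groups.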


Guest -> RE: General Question....Hopefully basic (8.Dec.2004 5:09:00 PM)

OK, I followed the above policy rules... I removed my allow rules applying to any request. Here are the steps I took in applying two new rules.

1st, I created a new security group in Active Directory called "approved Internet users". I added everyone in my AD, only about 120 users, to that group.

2nd, I created a new security group in Active Directory called "denied Internt users". I only added about 5 people to this list.

Step 3. I then logged onto my ISA server and created a rule called 'approved Internet users'. I set it to approve for all destinations, and specified the group "approved internet users".

Step 4. I created a rule on ISA called Deny internet users. I specified Deny in my ISA rule, and picked the group "denied Internt users" and placed them into that policy..

The outcome...
The rules seemed to work correctly; the denied group got a message stating that a policy has blocked them from viewing the internet site "great no problems here seemed to work."

My approved users is a different story. I was able to bring up a page but I swear it was at a crawl. Bringing up was 300 times slower than dial up. I don't understand what is decreasing my performance. Does the ISA rule not like the fact that it is a group? Do I need to add them as users instead (very time consuming)? Is each item on each web page attempting to be validated on my ISA server? Has anyone had this type of problem?

Guest -> RE: General Question....Hopefully basic (9.Dec.2004 4:06:00 PM)

Anyone seen the dramatic decrease in performance like I mentioned above when creating access policies for the internet?

Guest -> RE: General Question....Hopefully basic (10.Dec.2004 2:20:00 PM)


Ara.A -> RE: General Question....Hopefully basic (10.Dec.2004 11:05:00 PM)

Processing rules needs a decent processor and memory. Do you have a good machine? How many users?

Guest -> RE: General Question....Hopefully basic (15.Dec.2004 5:57:00 PM)

ISA has a 1.2GHz processor with 1gig of RAM... about 60 users are on this. Also handles our VPN, about 10 users at a given time.

Guest -> RE: General Question....Hopefully basic (15.Dec.2004 5:58:00 PM)

It is a Dell PowerEdge 1550.

