General Question....Hopefully basic

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> General Question....Hopefully basic Page: [1]
Message << Older Topic   Newer Topic >>
General Question....Hopefully basic - 3.Dec.2004 5:07:00 PM   
Currently I have a few site and content rules set up on my ISA box.

Rules I have set up....
1. Allow Rule allows internet access allows Int...access for everyone..

2. Deny websites..Denied certain websites to our users. This works, even have them redirected to another site if a blacklisted site has been reached.

3. The third rule I just created is what I am having a problem with. I want to deny access to all external destinations and I specified the according user accts. I logged on as each of those users and they are still able to log onto the internet...I have stopped and started the ISA services, and also logged off and logged back on the users.

Any suggestions would greatly be appreciated.
  Post #: 1
RE: General Question....Hopefully basic - 4.Dec.2004 11:31:00 PM   
Hi randy,

ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule, it will take precedence over any authenticated rule.


(in reply to Guest)
Post #: 2
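The processing order listed in the reply above can be modelled in a few lines. This is an added example, not ISA Server code and not part of the original posts; the rule names, group names, hosts, and the refusal of unmatched requests are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    groups: Optional[frozenset] = None        # None: applies to any request
    destinations: Optional[frozenset] = None  # None: all destinations

# The four stages from the reply, in order: (action, rule is user/group based)
STAGES = [("deny", False), ("allow", False), ("deny", True), ("allow", True)]

def evaluate(rules, user_groups, destination):
    """Return (decision, matching rule name) for one request."""
    for action, authenticated in STAGES:
        for rule in rules:
            if rule.action != action or (rule.groups is not None) != authenticated:
                continue
            if rule.destinations is not None and destination not in rule.destinations:
                continue
            if authenticated and not (rule.groups & user_groups):
                continue
            return action, rule.name
    return "deny", None  # assumption: a request no rule matches is refused

# Constructed sample data: group names and hosts are hypothetical.
RESTRICTED = frozenset({"restricted-users"})
APPROVED = frozenset({"approved-users"})
BLACKLIST = frozenset({"blocked.example"})

# An "allow everyone" rule next to a per-user deny rule.
original_rules = [
    Rule("allow-everyone", "allow"),
    Rule("deny-blacklist", "deny", destinations=BLACKLIST),
    Rule("deny-restricted", "deny", groups=RESTRICTED),
]
# The same policy with the anonymous allow replaced by a group-based allow.
revised_rules = [
    Rule("deny-blacklist", "deny", destinations=BLACKLIST),
    Rule("deny-restricted", "deny", groups=RESTRICTED),
    Rule("allow-approved", "allow", groups=APPROVED),
]

if __name__ == "__main__":
    for label, rules in (("original", original_rules), ("revised", revised_rules)):
        for groups in (RESTRICTED, APPROVED, RESTRICTED | APPROVED):
            print(label, sorted(groups), evaluate(rules, groups, "www.example.com"))
```

In the original set the restricted user is let through at stage 2, before the user-based deny is ever consulted. In the revised set a user who belongs to both groups is still denied, because stage 3 runs before stage 4.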
RE: General Question....Hopefully basic - 8.Dec.2004 5:09:00 PM   
OK, I followed the above policy rules... I removed my allow rules applying to any request. Here are the steps I took in applying two new rules.

1st I created a new security group in Active Directory called "approved Internet users". I added everyone in my AD, only about 120 users, to that group.

2nd I created a new security group in Active Directory called "denied Internt users". I only added about 5 people to this list.

Step 3. I then logged onto my ISA server and created a rule called 'approved Internet users'. I set it to approve for all destinations, and specified the group "approved internet users".

Step 4. I created a rule on ISA called Deny internet users. I specified Deny in my ISA rule, and picked the group "denied Internt users" and placed them into that policy..

The outcome...
The rules seemed to work correctly, the denied group got a message stating that a policy has blocked them from viewing the internet site "great no problems here seemed to work."

My approved users is a different story. I was able to bring up a page but I swear it was at a crawl. Bringing up MSN.com was 300 times slower than dial up. I don't understand what is decreasing my performance. Does the ISA rule not like the fact that it is a group? Do I need to add them as users instead (very time consuming)? Is each item on each web page attempting to be validated on my ISA server? Has anyone had this type of problem?

(in reply to Guest)
  Post #: 3
RE: General Question....Hopefully basic - 9.Dec.2004 4:06:00 PM   
Anyone seen the dramatic decrease in performance like I mentioned above when creating access policies for the internet?

(in reply to Guest)
  Post #: 4
RE: General Question....Hopefully basic - 10.Dec.2004 2:20:00 PM   

(in reply to Guest)
  Post #: 5
RE: General Question....Hopefully basic - 10.Dec.2004 11:05:00 PM   
Processing rules needs a decent processor and memory. Do you have a good machine? How many users?

(in reply to Guest)
Post #: 6
RE: General Question....Hopefully basic - 15.Dec.2004 5:57:00 PM   
ISA has a 1.2 GHz processor with 1 gig of RAM... about 60 users are on this. Also handles our VPN, about 10 users at a given time.

(in reply to Guest)
  Post #: 7
RE: General Question....Hopefully basic - 15.Dec.2004 5:58:00 PM   
It is a Dell PowerEdge 1550.

(in reply to Guest)
  Post #: 8
