General Question....Hopefully basic - 3.Dec.2004 5:07:00 PM
Currently I have a few site and content rules set up on my ISA box.
Rules I have set up:
1. Allow Rule: allows internet access allows Int...access for everyone.
2. Deny websites: denied certain websites to our users. This works, even have them redirected to another site if a blacklisted site has been reached.
3. The third rule I just created is what I am having a problem with. I want to deny access to all external destinations and I specified the according user accts. I logged on as each of those users and they are still able to log onto the internet. I have stopped and started the ISA services, and also logged off and logged back on the users.
ISA server processes rules in the following order:
1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).
So, if you have any anonymous allow rule, it will take precedence over any authenticated rule.
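The processing order described in the reply above, modelled as a small evaluator (an added example, not part of the original thread and not ISA Server code). The group names, the `blocked.example` site and the default deny for unmatched requests are assumptions; client address sets are left out.

```python
from dataclasses import dataclass

ANY = None  # marker: rule applies to any request / all destinations

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    groups: frozenset = ANY   # ANY = applies to any request (anonymous)
    dests: frozenset = ANY    # ANY = all destinations

def evaluate(rules, user_groups, dest):
    """Return (decision, rule name) using the four-stage order from the reply."""
    stages = [("deny", False), ("allow", False),  # 1) anonymous deny, 2) anonymous allow
              ("deny", True), ("allow", True)]    # 3) authenticated deny, 4) authenticated allow
    for action, needs_auth in stages:
        for r in rules:
            # Skip rules that belong to a different stage.
            if r.action != action or (r.groups is not ANY) != needs_auth:
                continue
            # Skip rules scoped to other destinations.
            if r.dests is not ANY and dest not in r.dests:
                continue
            # Authenticated rules match only members of the named groups.
            if needs_auth and not (r.groups & user_groups):
                continue
            return action, r.name
    return "deny", "no matching rule"  # assumption: unmatched requests are denied

# Constructed rule sets mirroring the thread; group and site names are made up.
BEFORE = [  # first post: an "allow everyone" rule plus a per-user deny
    Rule("Allow everyone", "allow"),
    Rule("Deny websites", "deny", dests=frozenset({"blocked.example"})),
    Rule("Deny external", "deny", groups=frozenset({"denied"})),
]
AFTER = [   # follow-up post: both rules bound to groups
    Rule("Deny websites", "deny", dests=frozenset({"blocked.example"})),
    Rule("Approved users", "allow", groups=frozenset({"approved"})),
    Rule("Denied users", "deny", groups=frozenset({"denied"})),
]

if __name__ == "__main__":
    restricted = frozenset({"approved", "denied"})  # user who is in both groups
    print(evaluate(BEFORE, restricted, "www.example.com"))  # anonymous allow wins
    print(evaluate(AFTER, restricted, "www.example.com"))   # group deny now applies
```

A user who is in both groups is denied under `AFTER`, because authenticated deny rules are evaluated before authenticated allow rules.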
RE: General Question....Hopefully basic - 8.Dec.2004 5:09:00 PM
OK, I followed the above policy rules. I removed my allow rules applying to any request. Here are the steps I took in applying two new rules.
1st, I created a new security group in Active Directory called "approved Internet users". I added everyone in my AD (only about 120 users) to that group.
2nd, I created a new security group in Active Directory called "denied Internt users". I only added about 5 people to this list.
Step 3. I then logged onto my ISA server and created a rule called 'approved Internet users'. I set it to approve for all destinations, and specified the group "approved internet users".
Step 4. I created a rule on ISA called Deny internet users. I specified Deny in my ISA rule, and picked the group "denied Internt users" and placed them into that policy.
The outcome: the rules seemed to work correctly. The denied group got a message stating that a policy has blocked them from viewing the internet site. "Great, no problems here, seemed to work."
My approved users are a different story. I was able to bring up a page, but I swear it was at a crawl. Bringing up MSN.com was 300 times slower than dial-up. I don't understand what is decreasing my performance. Does the ISA rule not like the fact that it is a group? Do I need to add them as users instead (very time consuming)? Is each item on each web page attempting to be validated on my ISA server? Has anyone had this type of problem?