Posts: 78
Joined: 23.Jan.2004
From: Yavapai County Arizona
Status: offline
I'm running ISA 2K with SP2 installed on Win2k Server. I have several site and content rules going. All access is controlled through domain security groups or user accounts. We have a permanent users site and content rule which allows a specific domain user group all access all the time. Then we have a site and content rule that allows everyone access to a specific destination set at all times. This destination set includes a few specific websites that all employees need to get to. This is where the problem seems to lie.
All users can get to all the websites in this destination set but one site in particular causes a problem. When they go to access the secured part of this site, our proxy server prompts them for a username and password. If they hit cancel, the site still loads. No one in our agency should even be prompted in the first place since everyone is allowed access. This is the site: https://scertsrv.ahcccs.state.az.us/Home.asp
In the destination set, I've allowed just about everything I can think of: https://scertsrv.ahcccs.state.az.us/Home.asp *.scertsrv.ahcccs.state.az.us *.ahcccs.state.az.us *.state.az.us ahcccs.state.az.us
As you can see, I've been fairly thorough.
Permanent users can access this site without being prompted. They aren't limited by destination sets or anything else except maybe protocols. I checked and made sure that the Site&Content rule for 'Any Request' has the same protocol access as the Permanent Users Site&Content rule. Actually, the 'Any Request' S&C rule has more protocols available.
I can't find a reason why the proxy server would be prompting employees for this one website.
Hi, I think it's a problem with that website's hosting. Some websites are not hosted under their original domain name. Please check where your website has been uploaded. For example, if you blocked or did not allow *.akami.net, then many mobile company websites would not open well. Please check your website's hosting domain name and add that address as well. Cheers.
Posts: 78
Joined: 23.Jan.2004
From: Yavapai County Arizona
Status: offline
This isn't a problem with blocking a site, I don't think. I believe it's a problem of allowing a site properly. Try out the site yourself and see if you get a similar problem.
On the destination set, I've also tried adding the IP addresses for this website; one for the normal IP and one for the secured portion of the website.
I've hit a brick wall on this one. It's been a problem for a long time and I've run test after test with no luck. It is an anomaly of some kind.
Posts: 78
Joined: 23.Jan.2004
From: Yavapai County Arizona
Status: offline
Thanks Rob.
I'm going to try removing all the site/content rules and destination sets and try rebuilding from the ground up. Maybe that will fix my glitch but somehow logic tells me it will not. I'm wondering if it isn't some kind of active directory authentication scenario.
After I've done me little experiment and it fails to give me the results I'm hoping for, I will be back!
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
G'day Jim,
Of interest, have you tried entering the credentials of a user that does have "full access" when prompted on this page? Give this a go and then check the webproxy log to see what that userid accessed. I'll put $5 it's an image that comes from a different site.
Unfortunately, because the site is SSL you can't "view source", and "save page" in IE has links to local images and not the originals. I routinely use telnet webservername.com 80 and "get /" etc. to check websites but can't get this to work with SSL... I guess simply because I can't do the Secure Sockets in a telnet session!
In fact, I suggest that the cause of your problem is the verisign seal. Try adding seal.verisign.com to your list of "OK" sites and I suspect your problem will go away. This is a killer for us trying to create "allowed destination lists" when the site-admins pull images from all over the place. Try creating a rule to allow access to "*.ebay.com" and still manage to browse listings. The images come from all over the place, including the poster's own ISP-provided webspace!
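Added example (not part of any post in this thread): a sketch of the log check suggested above, listing every requested host that falls outside the destination set quoted in the first post. The log layout, the sample lines, the user names and the matching rules are simplified assumptions, not ISA Server's own format or logic.

```python
from urllib.parse import urlsplit

# Destination set entries as listed in the first post of the thread.
DESTINATION_SET = [
    "https://scertsrv.ahcccs.state.az.us/Home.asp",
    "*.scertsrv.ahcccs.state.az.us",
    "*.ahcccs.state.az.us",
    "*.state.az.us",
    "ahcccs.state.az.us",
]

# Constructed sample lines: client, user, method, target, status.
SAMPLE_LOG = """\
10.0.0.21 anonymous GET http://www.ahcccs.state.az.us/ 200
10.0.0.21 anonymous CONNECT scertsrv.ahcccs.state.az.us:443 200
10.0.0.21 anonymous CONNECT seal.verisign.com:443 407
10.0.0.21 fulluser CONNECT seal.verisign.com:443 200
"""

def entry_host(entry):
    """Host part of an entry; paths are ignored (a CONNECT shows no path anyway)."""
    if "://" in entry:
        return urlsplit(entry).hostname or ""
    return entry.split("/", 1)[0].lower()

def host_allowed(host, entries=DESTINATION_SET):
    """Assumed matching: '*.x' covers subdomains of x, a bare name only itself."""
    host = host.lower().rstrip(".")
    for pattern in map(entry_host, entries):
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

def outside_hosts(log_text, entries=DESTINATION_SET):
    """Map each requested host outside the destination set to the statuses logged."""
    found = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        method, target, status = fields[2], fields[3], fields[4]
        host = target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname
        if host and not host_allowed(host, entries):
            found.setdefault(host.lower(), set()).add(int(status))
    return found

if __name__ == "__main__":
    for host, statuses in outside_hosts(SAMPLE_LOG).items():
        print(host, sorted(statuses))
```

A host that appears here with a 407 for anonymous requests and a 200 for an authenticated user is a third-party resource the page pulls in and the "everyone" rule does not cover.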
Posts: 78
Joined: 23.Jan.2004
From: Yavapai County Arizona
Status: offline
Well Tolk, I guess I owe ya $5. My thank-you's are actually worth $7 when I give 'em but I'll forget about the $2.
I added *.verisign.com and *.microsoft.com to the list, just to make sure. I then used a normal user account and I didn't get prompted at all.
It's always something simple isn't it!
Thanks A LOT for your help, Tolk! (the 'A LOT' adds an additional buck to the tally) That's some good information to know. I never would have thought of that; at least not anytime this year.
Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Thanks for the update and glad to hear it all worked for you Tom.
Pardon the pun but... Hopefully with this new information you can "break on through to the other side"..
OK, sorry... I should keep the lame name jokes (Jim Morrison from "The Doors") to myself. I'm not a funny guy... and of course you've never had someone say stuff like that to you before... Hmmn.. back to my hidey hole..