• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Deny FWC but allow anonymous certain sites

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Deny FWC but allow anonymous certain sites Page: [1]
Login
Message << Older Topic   Newer Topic >>
Deny FWC but allow anonymous certain sites - 9.Mar.2004 6:23:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
I am trying to create a rule that allows anonymouse access ( secure NAT ) certain website without authentication. Basically they need windowsupdate and a couple other sites.

I currently have a deny rule for a certain group with access to a URL set wich is working fine. These are all firewall clients.

Is it possible to create a rule for anonymous only?

Right now any new computer we test you get an auth dialog, I am trying to get rid of this just for certain sites.
Post #: 1
RE: Deny FWC but allow anonymous certain sites - 10.Mar.2004 11:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kenny,

You can create exceptions to your deny rule, which will allow you to allow all users access to sites that are on the exceptions list (as long a there is a rule that allows users to access the site).

HTH,
Tom

(in reply to crshjnke)
Post #: 2
RE: Deny FWC but allow anonymous certain sites - 10.Mar.2004 4:10:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
I figured out my problem.
The proxy clients without firewall installed showed up as anonymous, although in the default user list anonymous is not an option. Had to add that to the list.

My deny rule now has blocked group / anonymous - then site rules works great.

(in reply to crshjnke)
Post #: 3
RE: Deny FWC but allow anonymous certain sites - 10.Mar.2004 10:18:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
Nevermind another tech over here had already typed in domain user/pass and clicked save on that pc.

So my anonymous NT rule is not working.
Exactly how can I create a rule for anonymous proxy clients?

(in reply to crshjnke)
Post #: 4
RE: Deny FWC but allow anonymous certain sites - 11.Mar.2004 1:14:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kenny,

Any rule that applies to "all users" allows for anonymous access.

HTH,
Tom

(in reply to crshjnke)
Post #: 5
RE: Deny FWC but allow anonymous certain sites - 11.Mar.2004 3:49:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
I guess thats where the problem starts becuase all users is too broad for example.
In my rules I have
deny - http/s - except url list - group (which worked fine )
then
allow - http - all users ( this let all authenticated users not in denied group full web access)

Then lets say I changed the rule with blocked group to all users ( now all users are denied except access to my url list )

In this example my rules will not work they way I would like.

If I am understanding the blocked web access rule correctly it should be a deny/ except list / right?

Right now I have moved all blocked users to a range of IP's so I can allow anonymous proxy access to the others.

Do you see any way to create a rule like that
anonymous - sites
blocked group - sites
authenticated - all acess

Thanks

(in reply to crshjnke)
Post #: 6
RE: Deny FWC but allow anonymous certain sites - 12.Mar.2004 1:44:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kenny,

The first rule blocks all users access to all sites except for those sites in the exceptions list.

The second rule will allow all users access to the sites in the exceptions list, but will not allow them access to all sites, because the first rule blocked all sites except those that were excepted.

HTH,
Tom

(in reply to crshjnke)
Post #: 7
RE: Deny FWC but allow anonymous certain sites - 12.Mar.2004 6:28:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
So right now there is no way to do what I am needing becuase the all user ( anonymous ) rule would kill access except to the first url list.

Maybe a feature needs to be added so that you can really make a rule for anonymous only instead of all users.

(in reply to crshjnke)
Post #: 8
RE: Deny FWC but allow anonymous certain sites - 12.Mar.2004 6:36:00 PM   
crshjnke

 

Posts: 10
Joined: 23.Feb.2004
From: OKC
Status: offline
After thinking about this a little more I think I may have a work around.
How about
Deny / http / allusers - except auth users / url list
Then
Allow / http / auth users / all

Do you think this would work?

I am going to test this tomorrow since too many people complain when I test rules during the day.

(in reply to crshjnke)
Post #: 9
RE: Deny FWC but allow anonymous certain sites - 15.Mar.2004 3:45:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kenny,

Might work. Give it a go and let us know what happens.

Thanks!
Tom

(in reply to crshjnke)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Deny FWC but allow anonymous certain sites Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts