Deny content rule & authentication

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Deny content rule & authentication Page: [1]
Login
Message << Older Topic   Newer Topic >>
Deny content rule & authentication - 26.Feb.2005 10:14:00 AM   
rogozinskiy
Hello

I want to disable downloading audio & video over HTTP & FTP.
I made everything as on http://www.msfirewall.org/testing/contentcontrol.htm but
1) Rule #2 - only for the HTTP & FTP protocols
2) Rule #3 (from the link) - it's my rule #4, applied to the user group "Internet Users"
3) Rule #3 - Allow anonymous proxy for servers

Rule #3
NAME: Allow anonymous proxy for servers
ACTION: Allow
PROTOCOLS: HTTP, HTTPS, FTP
FROM/LISTENER: Anonymous Servers Set
TO: External
CONDITIONS: All users
SCHEDULE: all enable

If I disable rule #2 - all OK (but users can download audio & video). If I enable rule #2 - users can't go to Web sites (monitoring says all users hit rule #4 as anonymous and the action is "Deny connection").

If I apply rule #2 to "All authenticated users" - all OK (users can go to the Internet and can't download audio & video) but my rule #3 "Allow anonymous proxy for servers" doesn't work - users are asked for a user & password.

Why doesn't rule #4 request authentication when rule #2 is applied to "All users"?
RE: Deny content rule & authentication - 26.Feb.2005 8:11:00 PM   
spouseele
Hi Dmitriy,

check out http://www.isaserver.org/articles/ISA2004_AccessRules.html.

HTH,
Stefaan

RE: Deny content rule & authentication - 27.Feb.2005 4:17:00 PM   
rogozinskiy
All right - I checked all the rules.

But if a rule applies to a user set then the web proxy client will always be authenticated (if the network is configured for authentication)! It doesn't work in this case - ISA comes to the rule with the user set and doesn't authenticate the users. At least monitoring shows that.

RE: Deny content rule & authentication - 27.Feb.2005 4:36:00 PM   
spouseele
Hi Dmitriy,

I'm having a hard time figuring out what you want to achieve and what *exact* rules are in place. Please, can you describe your problem better?

Thanks,
Stefaan

RE: Deny content rule & authentication - 1.Mar.2005 6:29:00 AM   
rogozinskiy
I simplified the problem in my first post. Now I show the full config:

Rule #1
NAME: All From/To Local - Private
ACTION: Allow
PROTOCOLS: ALL
FROM/LISTENER: All Protected Networks, Multicast Networks, Local Host
TO: All Protected Networks, Multicast Networks, Local Host
CONDITIONS: All users

Rule #2
NAME: ISA 2004 (OUT)
ACTION: Allow
PROTOCOLS: ALL
FROM/LISTENER: Local Host
TO: External
CONDITIONS: All users

Rule #3
NAME: ISA 2004 (IN)
ACTION: Allow
PROTOCOLS: DNS, POP3, RADIUS(CISCO), RADIUS(CISCO) accounting, SMTP
FROM/LISTENER: All networks
TO: Local Host
CONDITIONS: All users

Rule #4
NAME: Allowed for All
ACTION: Allow
PROTOCOLS: HTTP, HTTPS
FROM/LISTENER: Internal
TO: Intranet URL set
CONDITIONS: All users

Rule #5
NAME: Allow Branches to Internet
ACTION: Allow
PROTOCOLS: HTTP, HTTPS, FTP
FROM/LISTENER: Cascade Proxy servers set
TO: External
CONDITIONS: All users

Rule #6
NAME: Deny CD, Audio & Video
ACTION: Deny
PROTOCOLS: HTTP, FTP
FROM/LISTENER: Internal
TO: External
CONDITIONS: All authenticated users
CONTENT: Audio, Video, CD/DVD

Rule #7
NAME: Allowed FTP (Allowed users)
ACTION: Allow
PROTOCOLS: FTP
FROM/LISTENER: Internal
TO: External
CONDITIONS: FTP Users

Rule #8
NAME: Allowed WEB (Allowed users)
ACTION: Allow
PROTOCOLS: HTTP, HTTPS
FROM/LISTENER: Internal
TO: External
CONDITIONS: Internet Users

If I apply rule #6 to "All Users" then rules #7 & #8 don't work - monitoring shows the users as anonymous and the action "Deny connection", and users see the error "Can't find server or DNS error". Why?

If I move the rule that denies downloads of audio, video and CD images up, above the cascade proxies rule, then the proxies don't work - ISA sends a request for authentication.

I need to move rule #6 up and apply it to "All users".


[ March 01, 2005, 06:35 AM: Message edited by: Rogozinskiy Dmitriy ]

RE: Deny content rule & authentication - 1.Mar.2005 10:12:00 AM   
rogozinskiy
PS: W3proxy log (after applying the deny rule to all users) - no authenticated sessions

172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 435 4584 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 531 555 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 435 4584 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 531 555 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:08:09 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 435 4584 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:08:09 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 531 555 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied

[ March 01, 2005, 10:17 AM: Message edited by: Rogozinskiy Dmitriy ]

RE: Deny content rule & authentication - 1.Mar.2005 9:25:00 PM   
spouseele
Hi Dmitriy,

I've just implemented your rules 6, 7 and 8 on my ISA lab and they are working as described in my article.

Moreover, according to the posted log excerpt, the rule 'Allowed to internet (Allowed users)' denied the request with the reason '12209'. First, you didn't tell us anything about that rule. Second, 12209 means 'The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.'

So, your information doesn't seem to be consistent and you might have an authentication problem instead. Remember if a rule requires authentication and the client can't present credentials to the ISA server, then that rule will deny the request.

HTH,
Stefaan

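To read the posted W3proxy lines the way Stefaan does above, here is an added example (not code from the thread or from ISA Server): a small Python parser that splits each line into fields, recovers the rule name even though it contains spaces, and counts which rule denied requests that carried no credentials, and with which result code. The field names, and the reading of the third column as the authenticated Y/N flag, are assumptions inferred from the posted lines; the third sample line is constructed for contrast.

```python
from collections import Counter

# Constructed sample: two lines from the posted W3proxy excerpt plus one
# constructed, authenticated, allowed request for contrast.
SAMPLE_LOG = """\
172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 435 4584 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.6 anonymous N 2005-03-01 09:04:43 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 531 555 http TCP GET http://www.microsoft.com/ text/html - 12209 0x0 Allowed to internet (Allowed users) - Internal External 0x800 Denied
172.16.5.7 DOMAIN\\jdoe Y 2005-03-01 09:05:10 w3proxy PROXY-SRV1 - www.microsoft.com 172.16.0.1 80 1 440 4590 http TCP GET http://www.microsoft.com/ text/html Inet 200 0x0 Allowed WEB (Allowed users) - Internal External 0x0 Allowed
"""

# Assumed field layout, inferred from the posted lines: 22 fixed fields, then
# the rule name (which may contain spaces), then 5 fixed trailing fields.
HEAD = ("client_ip", "username", "authenticated", "date", "time", "service",
        "server", "referrer", "dest_host", "dest_ip", "dest_port", "time_taken",
        "bytes_sent", "bytes_received", "protocol", "transport", "method", "url",
        "mime_type", "object_source", "result_code", "cache_info")
TAIL = ("filter_info", "src_network", "dst_network", "error_info", "action")

AUTH_REQUIRED = 12209  # "ISA Server requires authorization" (quoted in the thread)


def parse_line(line):
    """Split one log line into a dict; the rule name is whatever sits between
    the fixed head and tail fields."""
    toks = line.split()
    if len(toks) < len(HEAD) + len(TAIL) + 1:
        raise ValueError("too few fields in log line: %r" % line)
    rec = dict(zip(HEAD, toks[:len(HEAD)]))
    rec.update(zip(TAIL, toks[-len(TAIL):]))
    rec["rule"] = " ".join(toks[len(HEAD):-len(TAIL)])
    rec["result_code"] = int(rec["result_code"])
    return rec


def unauthenticated_denials(log_text):
    """Count (rule, result_code) for denied requests that carried no credentials."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["authenticated"] == "N" and rec["action"] == "Denied":
            counts[(rec["rule"], rec["result_code"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, code), n in unauthenticated_denials(SAMPLE_LOG).items():
        note = " (auth required, client sent no credentials)" if code == AUTH_REQUIRED else ""
        print("%d x rule %r denied with result %d%s" % (n, rule, code, note))
```

Run against a full export, the counter shows at a glance which rule is turning anonymous requests away with 12209, which is the first thing to check before touching rule order.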
RE: Deny content rule & authentication - 3.Mar.2005 10:39:00 AM   
rogozinskiy
Hello spouseele!

'Allowed to internet (Allowed users)' - it's Rule #8,
'Allowed WEB (Allowed users)'. I wrote the previous post by hand and shortened the name.

I don't contradict this situation, but if you say you have a working config ... I will test it on VMware.

12209 means 'The ISA Server requires authorization to fulfill the request', but ISA doesn't request authorization (if Rule #6 is applied to all users).

RE: Deny content rule & authentication - 3.Mar.2005 8:38:00 PM   
spouseele
Hi Dmitriy,

if 'Allowed to internet (Allowed users)' is Rule #8, then it is Rule #8 that denies the request because the user can't present credentials. Remember that only Web Proxy and Firewall clients can authenticate to the ISA server.

HTH,
Stefaan

