I want to disable downloading audio & video over HTTP & FTP. I did everything as on http://www.msfirewall.org/testing/contentcontrol.htm, but: 1) Rule #2 - only for the HTTP & FTP protocols; 2) Rule #3 (from the link) - it's my rule #4, applied to the user group "Internet Users"; 3) Rule #3 - Allow anonymous proxy for servers
Rule #3 NAME: Allow anonymous proxy for servers ACTION: Allow PROTOCOLS: HTTP, HTTPS, FTP FROM/LISTENER: Anonymous Servers Set TO: External CONDITIONS: All users SCHEDULE: all enable
If I disable rule #2, all is OK (but users can download audio & video). If I enable rule #2, users can't go to web sites (monitoring says all users hit rule #4 as anonymous and the action is "Deny connection").
If I apply rule #2 to "All authenticated users", all is OK (users can go to the Internet and can't download audio & video), but my rule #3 "Allow anonymous proxy for servers" doesn't work: users are asked for a username & password.
Why doesn't rule #4 request authentication when rule #2 applies to "All users"?
But if a rule applies to a user set, then the web proxy client will always be authenticated (if the network is configured for authentication)! It doesn't work in this case: ISA reaches the rule with the user set and doesn't authenticate the users. At least, that's what monitoring shows.
I simplified the problem in my first post. Now I'll show the full config:
Rule #1 NAME: All From/To Local - Private ACTION: Allow PROTOCOLS: ALL FROM/LISTENER: All Protected Networks, Multicast Networks, Local Host TO: All Protected Networks, Multicast Networks, Local Host CONDITIONS: All users
Rule #2 NAME: ISA 2004 (OUT) ACTION: Allow PROTOCOLS: ALL FROM/LISTENER: Local Host TO: External CONDITIONS: All users
Rule #3 NAME: ISA 2004 (IN) ACTION: Allow PROTOCOLS: DNS, POP3, RADIUS(CISCO), RADIUS(CISCO) accounting, SMTP FROM/LISTENER: All networks TO: Local Host CONDITIONS: All users
Rule #4 NAME: Allowed for All ACTION: Allow PROTOCOLS: HTTP, HTTPS FROM/LISTENER: Internal TO: Intranet URL set CONDITIONS: All users
Rule #5 NAME: Allow Branches to Internet ACTION: Allow PROTOCOLS: HTTP, HTTPS, FTP FROM/LISTENER: Cascade Proxy servers set TO: External CONDITIONS: All users
Rule #6 NAME: Deny CD, Audio & Video ACTION: Deny PROTOCOLS: HTTP, FTP FROM/LISTENER: Internal TO: External CONDITIONS: All authenticated users CONTENT: Audio, Video, CD/DVD
I've just implemented your rules 6, 7 and 8 on my ISA lab and they are working as described in my article.
Moreover, according to the posted log excerpt, the rule 'Allowed to internet (Allowed users)' denied the request with the reason '12209'. First, you didn't tell us anything about that rule. Second, 12209 means 'The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.'
So, your information doesn't seem to be consistent and you might have an authentication problem instead. Remember if a rule requires authentication and the client can't present credentials to the ISA server, then that rule will deny the request.
If 'Allowed to internet (Allowed users)' is Rule #8, then it is Rule #8 that denies the request because the user can't present credentials. Remember that only Web Proxy and Firewall clients can authenticate to the ISA server.
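As an added illustration of the point made in the reply above (first-match rule evaluation, and a rule with a user set denying a client that presents no credentials), here is a small Python model. It is example code written for this page, not anything posted in the thread and not ISA Server's own logic. Rules 4, 5 and 6 are taken from the posted config; the rule "Allowed to internet (Allowed users)" is named after the log excerpt the reply quotes, but its user set ("alice", "bob") is an assumption. Content type is modelled as a simple label on the request, which is a simplification of how ISA matches content types.

```python
"""Simplified model of ISA Server 2004 first-match firewall policy evaluation.

Added example for this page; the rule set is built from the rules posted in
the thread plus one assumed rule. Not ISA's real implementation.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

ANY = None                       # "All users", or no protocol/content restriction
AUTHENTICATED = "authenticated"  # stands in for the built-in "All Authenticated Users"
AUTH_REQUIRED = "12209"          # the reason code quoted in the reply above


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    protocols: Optional[FrozenSet[str]] = ANY
    sources: Optional[FrozenSet[str]] = ANY
    destinations: Optional[FrozenSet[str]] = ANY
    users: Union[None, str, FrozenSet[str]] = ANY  # ANY, AUTHENTICATED, or a named set
    content: Optional[FrozenSet[str]] = ANY        # content-type set, simplified to labels


@dataclass(frozen=True)
class Request:
    protocol: str
    source: str
    destination: str
    content: str
    user: Optional[str] = None   # None = the client presented no credentials


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    reason: Optional[str] = None


def _matches(rule: Rule, req: Request) -> bool:
    """Protocol, source, destination and content conditions (user set is checked separately)."""
    return ((rule.protocols is ANY or req.protocol in rule.protocols)
            and (rule.sources is ANY or req.source in rule.sources)
            and (rule.destinations is ANY or req.destination in rule.destinations)
            and (rule.content is ANY or req.content in rule.content))


def evaluate(policy: List[Rule], req: Request) -> Decision:
    """Walk the policy top to bottom; the first rule whose conditions match decides.

    If that rule carries a user set and the client has no credentials, the rule
    denies the request with the authentication-required reason, exactly the
    situation the reply describes. An authenticated user who is simply not a
    member of the rule's user set falls through to the next rule.
    """
    for rule in policy:
        if not _matches(rule, req):
            continue
        if rule.users is not ANY:
            if req.user is None:
                return Decision("deny", rule.name, AUTH_REQUIRED)
            if rule.users is not AUTHENTICATED and req.user not in rule.users:
                continue
        return Decision(rule.action, rule.name)
    return Decision("deny", "<default rule>")   # ISA's implicit final deny


# Rules 4-6 from the posted config, plus one assumed rule (user set is invented).
POLICY = [
    Rule("Allowed for All", "allow",
         protocols=frozenset({"HTTP", "HTTPS"}),
         sources=frozenset({"Internal"}),
         destinations=frozenset({"Intranet URL set"})),
    Rule("Allow Branches to Internet", "allow",
         protocols=frozenset({"HTTP", "HTTPS", "FTP"}),
         sources=frozenset({"Cascade Proxy servers set"}),
         destinations=frozenset({"External"})),
    Rule("Deny CD, Audio & Video", "deny",
         protocols=frozenset({"HTTP", "FTP"}),
         sources=frozenset({"Internal"}),
         destinations=frozenset({"External"}),
         users=AUTHENTICATED,
         content=frozenset({"Audio", "Video", "CD/DVD"})),
    Rule("Allowed to internet (Allowed users)", "allow",   # assumed rule
         protocols=frozenset({"HTTP", "HTTPS", "FTP"}),
         sources=frozenset({"Internal"}),
         destinations=frozenset({"External"}),
         users=frozenset({"alice", "bob"})),
]


if __name__ == "__main__":
    for req in (Request("HTTP", "Internal", "External", "Video"),
                Request("HTTP", "Internal", "External", "HTML"),
                Request("HTTP", "Internal", "External", "HTML", user="alice"),
                Request("HTTP", "Cascade Proxy servers set", "External", "Video")):
        print(req.user or "<anonymous>", req.source, req.content, "->", evaluate(POLICY, req))
```

Two things the model makes visible: an anonymous web client from Internal is stopped at the first matching rule that carries a user set (rule 6 for audio/video, the "Allowed users" rule for everything else), which is the reason code the reply quotes; and a request from the "Cascade Proxy servers set" is allowed anonymously only because rule 5, which applies to All users, is ordered before any user-set rule.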