Welcome to ISAserver.org
RE: Denied by an Allow rule
RE: Denied by an Allow rule - 15.Aug.2005 1:48:00 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
quote: It is my belief that a piece of software should work the way that it APPEARS that it will work
We can quibble on this one all day, but nothing would come of it.
I'll admit the registry entry is the best option here - at the very least some COM property that could be set per rule instead of a global setting. I don't know if I'd want to have a global setting for this.
I imagine you didn't get much traction on the Design Change Request case with PSS - it takes a lot to move that mountain.
And yeah - I admit the spelling correction was over the top and irrelevant. However, I won't apologize for correcting someone when they spell a word incorrectly though. Additionally, the hyphenation "thingy" is far from unanimous in the word-smith community. Even they can't come to some sort of consensus.
I'm just glad you didn't pull the "could of" instead of "could have" thrashing - "I could of been more tactful when responding" instead of the correct "I could have been more tactful when responding". That really makes a person sound like a hick.
And now, I'm off my soap box.
[ August 15, 2005, 01:52 PM: Message edited by: ClintD ]
RE: Denied by an Allow rule - 17.Aug.2005 10:10:00 AM
ISAServerTools
Posts: 41
Joined: 22.Jul.2005
Status: offline
|
I now have at least a partial solution to this "bug" or "design flaw" or "quality design"... whatever you choose to call it.
It is possible to modify the MyAuthFilter example web filter to provide domain authentication to SNAT requests to the web proxy (using the SetADAuthenticatedUser callback) when they encounter a rule which requires authentication, thus causing the rules engine to fall through to the next rule when the username of the request does not match. When using this filter, you only see the username "anonymous" whenever traffic is allowed by a rule which does not require authentication.
What I currently have running is a 20 minute hack-job which has the domain\username and password hardcoded in the program. If you never want to see the username anonymous, simply change the reference to "All Users" in your rules which control web proxy traffic to whatever domain\username is compiled into the program.
This approach only works for traffic handled by the web proxy, so it doesn't address the original problem which started this thread, but I find it quite useful for my purposes.
Of course, since this apparently isn't really a problem for anyone else, I doubt anyone would be interested in this code... LOL...
RE: Denied by an Allow rule - 22.Mar.2006 3:42:22 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote:
ORIGINAL: LLigetfa
Don't like to hijack this topic from JSH but looks like he left anyway... How are "To Exceptions" in Allow rules supposed to be handled? I thought they would work like Deny rules but obviously I am wrong as rules beneath them are parsed.

Hi Les,
Check out my recent article on this topic.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8