Welcome to ISAserver.org
Blocking a Website for one user
All Forums >> [ISA Server 2000 Cache] >> General >> Blocking a Website for one user Page: [1]
Blocking a Website for one user - 10.Dec.2004 1:01:00 AM   
scruby

Posts: 5
Joined: 9.Dec.2004
From: San Bernardino, ca
Status: offline
I have configured a Site and Content Rule to deny access based on destination and choose to apply this rule to: Specified destination set, This policy Apply to: a user I have crated call: testuser, I am also including all content types. I have the destination set setup to block //www.msn.com/* on one computer to for testing purposes. But it is not blocking this user from the website. Can anyone help me out with this problem?

Thanks, Scruby
Post #: 1
RE: Blocking a Website for one user - 10.Dec.2004 1:39:00 AM   
AHIT

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
Your simplest method to find out how/why the site is allowed is to ensure that logging of all fields is turned on, and then look at the webdyyyymmdd.log file; the end of the line for the request in question will show you the rules that allowed it!

Remember, ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule it will take precedence over any authenticated rule.

(Thanks Stefaan/Spouseele for the copy/paste!)

(in reply to scruby)
Post #: 2
RE: Blocking a Website for one user - 10.Dec.2004 8:10:00 PM   
scruby

Posts: 5
Joined: 9.Dec.2004
From: San Bernardino, ca
Status: offline
quote:
Originally posted by Tolk:
Your simplest method to find out how/why the site is allowed is to ensure that logging of all fields is turned on, and then look at the webdyyyymmdd.log file; the end of the line for the request in question will show you the rules that allowed it!

Remember, ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule it will take precedence over any authenticated rule.

(Thanks Stefaan/Spouseele for the copy/paste!)


(in reply to scruby)
Post #: 3
RE: Blocking a Website for one user - 10.Dec.2004 8:19:00 PM   
scruby

Posts: 5
Joined: 9.Dec.2004
From: San Bernardino, ca
Status: offline
Thank you, Tolk

I followed your instructions and found out that the rule (1) I have to allow internet access is overriding the deny rule (2). I only have two rules.

1. Rule 1 allows internet access to all thru port 80.
2. Rule 2 I have set up to deny access to one URL to one user. (not working)

Do you know how I would set up the deny rule to block users from a website? And still keep the allow rule?

(in reply to scruby)
Post #: 4
RE: Blocking a Website for one user - 11.Dec.2004 10:04:00 PM   
Taz69

Posts: 15
Joined: 28.Oct.2004
From: Manchester, UK
Status: offline
Instead of denying access to a user, just try denying access to an IP and test to see if you can gain access to msn from the machine with the IP that you configured. I have a gut feeling that the deny rule might not be being applied because the connection attempt is being allowed through an unauthenticated/anonymous request, which won't take username into account.
Remember that in ISA 2000 SecureNAT & Firewall client requests are anonymous as far as the web proxy goes (Firewall clients lose client info at the HTTP redirector).

(in reply to scruby)
Post #: 5
RE: Blocking a Website for one user - 13.Dec.2004 7:42:00 PM   
scruby

Posts: 5
Joined: 9.Dec.2004
From: San Bernardino, ca
Status: offline
Hi Taz69,
I just tried this. I can still access the blocked site. How long does it take for these policies to take effect? Do you have any other suggestions?

Scruby
[Frown]

(in reply to scruby)
Post #: 6
RE: Blocking a Website for one user - 14.Dec.2004 5:30:00 AM   
Taz69

Posts: 15
Joined: 28.Oct.2004
From: Manchester, UK
Status: offline
At worst you should only get a few minutes' lag before changes are applied. If you can find a quiet moment you could stop & start the ISA services just to make sure that they have been applied.

I've started looking at ISA 2004 at the minute so I don't have ISA 2K installed, otherwise I'd have run a quick test myself to see if I'd forgotten to mention anything. If you are still having problems and one of the experts doesn't pop along, PM me and I'll throw ISA 2K onto a virtual server and test; this won't be until later in the week/weekend I'm afraid though.

(in reply to scruby)
Post #: 7
RE: Blocking a Website for one user - 30.Dec.2004 12:49:00 AM   
gws

Posts: 104
Joined: 27.Dec.2004
From: pakistan
Status: offline
Hi dear,
It's not a big task, I'm telling you through points, OK:

1) Go to policy elements > client address set > and make its a/c by user name or by IP (it's up to your server config)
2) Then go to policy elements > destination set > and make a rule
NAME === MSN
ADD RANGE === *.MSN.COM
or if you want to block through IP then write the MSN IP address, but you block by domain name
3) Then go to access policy > SITE AND CONTENT rule >
SITE NAME === BLOCK MSN
RULE ACTION == DENY (only deny, do not select the lower part of deny)
RULE CONFIGURATION === CUSTOM > THEN CLICK NEXT
DESTINATION SET ====== SPECIFIED DESTINATION SET > AND THEN SELECT MSN
SCHEDULE ======== ALWAYS
CLIENT TYPE ====== SPECIFIC COMPUTER > THEN CLICK ADD > DOUBLE CLICK YOUR CLIENT
CONTENT GROUPS == ANY CONTENT TYPE
THEN FINISH.

IF YOU ARE running a domain network then
client type ======= specific users and groups

cheers

(in reply to scruby)
Post #: 8
RE: Blocking a Website for one user - 4.Jan.2005 2:42:00 AM   
AHIT

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
quote:
Originally posted by scruby:
1. Rule 1 allows internet access to all thru port 80.
2. Rule 2 I have set up to deny access to one URL to one user. (not working)

Do you know how I would set up the deny rule to block users from a website? And still keep the allow rule?

What you're basically saying is: I have a rule that says allow access to everywhere for everyone, which means ISA doesn't ask for credentials nor care about the destination. It doesn't ever "look" for the purpose of the rules; it just says "I have to let everything through for everyone, don't check any credentials".
Then you have rule 2 saying "Don't allow this specific dude access to this specific site".

But given the order the rules are checked (1-4 in my 1st post), the user is denied access if they're authenticated, but then they're let through anonymously!

If you alter your 1st rule to allow access to all destinations to Xusergroup (say a domain group) then the request is authenticated and hence your rule 2 "deny" will get processed BEFORE your "allow" rule 1.

(in reply to scruby)
Post #: 9
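As an added illustration of the rule order AHIT describes (example code written for this page, not ISA Server code or anything posted in the thread), the following Python model walks the four phases over scruby's two rules: first with rule 1 as an anonymous allow, then with rule 1 restricted to a constructed "Domain Users" group. The rule names, users and group membership are constructed samples.

```python
# Added example (not ISA Server code): a small model of the ISA 2000
# site-and-content rule order described in this thread, used to show why
# the per-user deny never fires while rule 1 is an anonymous allow.
from fnmatch import fnmatch
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    action: str                              # "allow" or "deny"
    destinations: tuple                      # glob patterns such as "*.msn.com"
    principals: Optional[frozenset] = None   # None = any request (anonymous)

# Constructed sample group membership; ISA would resolve this via the domain.
GROUPS = {"Domain Users": {"testuser", "alice"}}

def applies(rule: Rule, host: str, user: Optional[str]) -> bool:
    """True when the rule's destination set and client spec match the request."""
    if not any(fnmatch(host.lower(), pat.lower()) for pat in rule.destinations):
        return False
    if rule.principals is None:
        return True                      # anonymous rule: no credentials needed
    if user is None:
        return False                     # cannot match an authenticated rule
    return user in rule.principals or any(
        user in GROUPS.get(group, ()) for group in rule.principals)

# The four phases AHIT lists, in the order ISA 2000 walks them.
PHASES = (("deny", False), ("allow", False), ("deny", True), ("allow", True))

def evaluate(rules, host: str, user: Optional[str]):
    """Return (decision, rule name). `user` is the identity the client would
    present if ISA asked; it is consulted only in the authenticated phases."""
    for action, authenticated in PHASES:
        for rule in rules:
            if (rule.action == action
                    and (rule.principals is not None) == authenticated
                    and applies(rule, host, user)):
                return action, rule.name
    return "deny", "(no matching allow rule)"

DENY_MSN = Rule("Block MSN", "deny", ("www.msn.com", "*.msn.com"), frozenset({"testuser"}))
BROKEN = [Rule("Rule 1", "allow", ("*",)), DENY_MSN]                           # anonymous allow
FIXED = [Rule("Rule 1", "allow", ("*",), frozenset({"Domain Users"})), DENY_MSN]

if __name__ == "__main__":
    for label, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        for user in ("testuser", "alice"):
            print(label, user, "www.msn.com ->", evaluate(ruleset, "www.msn.com", user))
```

With the anonymous allow in place every request is decided in phase 2, so testuser's deny in phase 3 is never reached; once rule 1 requires group membership, the deny is evaluated first and other group members are still allowed.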
RE: Blocking a Website for one user - 7.Jan.2005 7:26:00 AM   
AHIT

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
It just occurred to me I'm rehashing an article I wrote a while back to try and describe this so even ISA newbies could understand. Go to http://www.ahit.com.au/content/view/48/74/ to take a look.

(in reply to scruby)
Post #: 10