Blocking a Website for one user (Full Version)



scruby -> Blocking a Website for one user (10.Dec.2004 1:01:00 AM)

I have configured a Site and Content Rule to deny access based on destination and chose to apply this rule to: Specified destination set. This policy applies to a user I have created called testuser; I am also including all content types. I have the destination set set up to block //www.msn.com/* on one computer for testing purposes. But it is not blocking this user from the website. Can anyone help me out with this problem?

Thanks, Scruby




AHIT -> RE: Blocking a Website for one user (10.Dec.2004 1:39:00 AM)

Your simplest method to find out how/why the site is allowed is to ensure that logging of all fields is turned on, and then look at the webdyyyymmdd.log file; the end of the line for the request in question will show you the rules that allowed it!

Remember, ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule it will take precedence over any authenticated rule.

(Thanks Stefaan/Spouseele for the copy/paste!)




scruby -> RE: Blocking a Website for one user (10.Dec.2004 8:10:00 PM)

quote:
Originally posted by Tolk:
Your simplest method to find out how/why the site is allowed is to ensure that logging of all fields is turned on, and then look at the webdyyyymmdd.log file; the end of the line for the request in question will show you the rules that allowed it!

Remember, ISA server processes rules in the following order:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So, if you have any anonymous allow rule it will take precedence over any authenticated rule.

(Thanks Stefaan/Spouseele for the copy/paste!)





scruby -> RE: Blocking a Website for one user (10.Dec.2004 8:19:00 PM)

Thank you, Tolk

I followed your instructions and found out that the rule (1) I have to allow internet access is overriding the deny rule (2). I only have two rules.

1. Rule 1 allows internet access to all through port 80.
2. Rule 2 I have set up to deny access to one URL for one user. (not working)

Do you know how I would set up the deny rule to block users from a website? And still keep the allow rule?




Taz69 -> RE: Blocking a Website for one user (11.Dec.2004 10:04:00 PM)

Instead of denying access to a user, just try denying access to an IP and test to see if you can gain access to MSN from the machine with the IP that you configured. I have a gut feeling that the deny rule might not be being applied because the connection attempt is being allowed through as an unauthenticated/anonymous request, which won't take the username into account.
Remember that in ISA 2000, SecureNAT & Firewall client requests are anonymous as far as the web proxy goes (Firewall clients lose client info at the HTTP redirector).




scruby -> RE: Blocking a Website for one user (13.Dec.2004 7:42:00 PM)

Hi Taz69,
I just tried this. I can still access the blocked site. How long does it take for these policies to take effect? Do you have any other suggestions?

Scruby




Taz69 -> RE: Blocking a Website for one user (14.Dec.2004 5:30:00 AM)

At worst you should only get a few minutes' lag before changes are applied. If you can find a quiet moment you could stop & start the ISA services just to make sure that they have been applied.

I've started looking at ISA 2004 at the minute so I don't have ISA 2K installed, otherwise I'd have run a quick test myself to see if I'd forgotten to mention anything. If you are still having problems and one of the experts doesn't pop along, PM me and I'll throw ISA 2K onto a virtual server and test; this won't be until later in the week/weekend, I'm afraid, though.




gws -> RE: Blocking a Website for one user (30.Dec.2004 12:49:00 AM)

Hi,
It's not a big task; I'll tell you in points, OK.

1) Go to Policy Elements > Client Address Set and make its account by user name or by IP (it's up to your server config).
2) Then go to Policy Elements > Destination Set and make a rule:
NAME === MSN
ADD RANGE === *.MSN.COM
or if you want to block through IP then write the MSN IP address, but you block by domain name.
3) Then go to Access Policy > Site and Content Rule:
SITE NAME === BLOCK MSN
RULE ACTION === DENY (only deny, do not select the lower part of deny)
RULE CONFIGURATION === CUSTOM > THEN CLICK NEXT
DESTINATION SET === SPECIFIED DESTINATION SET > AND THEN SELECT MSN
SCHEDULE === ALWAYS
CLIENT TYPE === SPECIFIC COMPUTER > THEN CLICK ADD > DOUBLE-CLICK YOUR CLIENT
CONTENT GROUPS === ANY CONTENT TYPE
THEN FINISH.

If you are running a domain network then
CLIENT TYPE === SPECIFIC USERS AND GROUPS

Cheers




AHIT -> RE: Blocking a Website for one user (4.Jan.2005 2:42:00 AM)

quote:
Originally posted by scruby:
1. Rule 1 allows internet access to all thru port 80.
2. Rule 2 I have setup to deny access to one URL to one user. ( not working)

Do you know how I would set up the deny rule to block users from a website? And still keep the allow rule?

What you're basically saying is, I have a rule that says allow access to everywhere for everyone, which means ISA doesn't ask for credentials nor care about the destination - it doesn't ever "look" for the purpose of the rules, it just says "I have to let everything through for everyone, don't check any credentials".
Then you have rule 2 saying "Don't allow this specific dude access to this specific site".

But given the order the rules are checked (1-4 in my 1st post), the user is denied access if they're authenticated, but then they're let through anonymously!

If you alter your 1st rule to allow access to all destinations for Xusergroup (say a domain group) then the request is authenticated and hence your rule 2 "deny" will get processed BEFORE your "allow" rule 1.
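
The four-pass precedence AHIT quoted earlier in the thread, and the fix described in this post, as an added Python model. This is illustrative code written for this page, not code from the thread and not ISA Server's own implementation; it models only the ordering (anonymous deny, anonymous allow, authenticated deny, authenticated allow) and nothing else about ISA. The rule names, the user "testuser", the domain group "Domain Users" and the URLs are made up for the example.

```python
"""Toy model of ISA Server 2000 site-and-content rule precedence.

Added example, not ISA's code. It reproduces the four-pass ordering
quoted in the thread and shows why a destination-anywhere allow rule
that applies to "any request" wins before a user-scoped deny is ever
considered, and why scoping the allow rule to a group fixes it.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    destinations: Tuple[str, ...]      # glob patterns over host/path; "*" = all destinations
    applies_to: Optional[FrozenSet[str]]  # None = any request (anonymous); else users/groups


@dataclass(frozen=True)
class Request:
    url: str                           # e.g. "www.msn.com/index.html"
    user: Optional[str]                # None when the client presented no credentials
    groups: FrozenSet[str] = frozenset()


def _dest_match(rule: Rule, url: str) -> bool:
    return any(fnmatch(url, pat) for pat in rule.destinations)


def _principal_match(rule: Rule, req: Request) -> bool:
    if rule.applies_to is None:        # "any request": matches with or without credentials
        return True
    if req.user is None:               # user-scoped rule cannot match an anonymous request
        return False
    return req.user in rule.applies_to or bool(req.groups & rule.applies_to)


def evaluate(rules: Iterable[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the rule that decided). Passes follow the thread's order."""
    passes = [
        ("deny", True),    # 1) deny rules applying to any request (anonymous)
        ("allow", True),   # 2) allow rules applying to any request (anonymous)
        ("deny", False),   # 3) deny rules for address sets / users and groups (authenticated)
        ("allow", False),  # 4) allow rules for address sets / users and groups (authenticated)
    ]
    for action, anonymous in passes:
        for r in rules:
            if r.action != action or (r.applies_to is None) != anonymous:
                continue
            if _dest_match(r, req.url) and _principal_match(r, req):
                return action, r.name
    return "deny", None                # nothing matched: fall through to default deny


# Made-up rule set mirroring the thread: rule 1 allows everything, rule 2 denies MSN for one user.
DENY_MSN_TESTUSER = Rule("Block MSN for testuser", "deny", ("www.msn.com/*",), frozenset({"testuser"}))
BROKEN_POLICY = [
    Rule("Allow Internet", "allow", ("*",), None),                       # applies to any request
    DENY_MSN_TESTUSER,
]
FIXED_POLICY = [
    Rule("Allow Internet", "allow", ("*",), frozenset({"Domain Users"})),  # now scoped to a group
    DENY_MSN_TESTUSER,
]


def demo() -> dict:
    """Evaluate the made-up requests against both policies and return the decisions."""
    msn = "www.msn.com/index.html"
    testuser = Request(msn, "testuser", frozenset({"Domain Users"}))
    alice = Request(msn, "alice", frozenset({"Domain Users"}))
    return {
        # anonymous allow in pass 2 wins; the user-scoped deny in pass 3 is never reached
        "broken_testuser": evaluate(BROKEN_POLICY, testuser),
        # with rule 1 scoped to a group, pass 2 is empty and the deny in pass 3 fires
        "fixed_testuser": evaluate(FIXED_POLICY, testuser),
        # other domain users still reach MSN via the allow rule in pass 4
        "fixed_other_user": evaluate(FIXED_POLICY, alice),
        # testuser still reaches other sites
        "fixed_other_site": evaluate(FIXED_POLICY, Request("www.example.com/", "testuser", frozenset({"Domain Users"}))),
        # a request with no credentials matches neither user-scoped rule and is denied by default
        "fixed_no_credentials": evaluate(FIXED_POLICY, Request(msn, None)),
    }


if __name__ == "__main__":
    for case, (decision, rule) in demo().items():
        print(f"{case:22s} -> {decision:5s} by {rule}")
```

The last case is the model's version of Taz69's caveat: once every allow rule requires a user or group, a client that cannot present credentials falls through to the default deny, so the group-scoped allow rule only helps clients that the Web Proxy can authenticate.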




AHIT -> RE: Blocking a Website for one user (7.Jan.2005 7:26:00 AM)

It just occurred to me I'm rehashing an article I wrote a while back to try and describe this so even ISA newbies could understand. Go to http://www.ahit.com.au/content/view/48/74/ to take a look.



