Re: access only to one external site

From: Asya (asya_at_fu.ru)
Date: 12/09/04


Date: Thu, 9 Dec 2004 12:06:13 +0200

Hi Mohammed,
Thanks for the help.

I have read the message posted by Michael Bayly. As I understood, we have the
same problem.
I would like to clarify my problem: I have to give ALL WWW access to 99 of
my users and access only to google.com for my one user.
To do this I did the following:
1. Made a Destination Set containing www.google.com
2. Made a Site and Content rule to allow anyone access to all sites
anytime, except my restricted user
3. Made a Site and Content rule allowing access to selected destination sets
for my restricted user
4. "Ask unauthenticated users for identification" is checked

After this the user has no access to any WWW.

Any assistance would be greatly appreciated.

"Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
news:eQBABdU3EHA.3336@TK2MSFTNGP11.phx.gbl...
> Okay, this is how it should be, he should now be able to access
> www.google.com?
>
> Look, I'm going to explain it, although it will be long. When a WebProxy
> client (that is, a browser configured to use a proxy server) requests a web
> page from ISA, and you have ANY rule that allows the destination to "Any
> request" (not a specific destination set, not Everyone as a group), no matter
> how many rules you configure to deny that user specifically, they won't take
> effect, because the browser doesn't send who the user is that is trying to
> access that destination, so he is considered "anybody". So ISA finds a rule
> (Any request) that allows the destination to "anybody", and that "anybody"
> doesn't have a rule that denies him (your rules deny "user x", not
> "anybody"), so ISA will pass his request.
>
> So the solution is to force ISA to know who is using the browser on the
> client machine. This can be done in several ways: you can change ALL your
> "Site & Content" rules so they don't apply to "any request"; this way, ISA
> won't find any rule that applies to that "anybody", so it requests
> authorization (HTTP status code 407) from the browser as a last resort. Or
> you can leave your rules as they are but check the "Ask unauthorized user for
> identification" box to force ISA to refuse anonymous connections and insist
> on knowing who that user is. There is another way, which is not to configure
> the browser to use a proxy, and install the firewall client and configure
> something called the HTTP Redirector to send requests to the destination web
> server directly; anyway it's a stupid way.
> --
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "Asya" <asya@fu.ru> wrote in message
> news:exU6QjS3EHA.1144@TK2MSFTNGP09.phx.gbl...
> > Thanks for the help Mohammed!
> > 1 - yes
> > 2 - I specify a group from Active Directory except my specific user
> > 3 - for this user I create an allow rule for a selected destination set and
> > choose the defined rule from Destination Sets
> > 4 - "Ask unauthenticated users for identification" is unchecked?
> >
> > So I have 2 rules in Site & Content Rules (1 for all, 2 - for user) and 1
> > rule in Protocol Rules - a rule that allows the HTTP protocol to any request
> > at any time for all users.
> >
> > In this case this user has no access to any sites and gets error 407 proxy
> > authentication required.
> >
> >
> > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> > news:uigrJVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > OK, I have some questions to get the picture clear in my mind.
> > >
> > > 1. Is the browser on the client machines configured to use ISA as a
> > > proxy server?
> > >
> > > 2. For the site and content rule for all users (the first rule you
> > > mentioned), did you choose "Any request" or did you specify a group from
> > > Active Directory containing your domain users?
> > >
> > > 3. Are these the only rules you have, or are there other rules?
> > >
> > > 4. On the ISA server, right click on the server, click Properties, click
> > > on the Outgoing Web Requests tab; is the "Ask unauthenticated users for
> > > identification" checkbox checked or unchecked?
> > >
> > > --
> > > Yours truly,
> > > Mohammed A. Raslan
> > > Systems Engineer / Consultant
> > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > E-Mail: m_raslan@link.net.removethis
> > >
> > >
> > > "Asya" <asya@fu.ru> wrote in message
> > > news:OR4ll4P3EHA.1144@TK2MSFTNGP09.phx.gbl...
> > > Thanks for the tip.
> > > In my case I have 100 users (firewall clients) with different access to
> > > the Internet. I have to give one of them specific access (only to one
> > > site).
> > > So, to do this I have:
> > >
> > > for all users
> > >
> > > 1 - Site & Content Rules - Allow everything (for all users) - default
> > > rule. From this rule I except my specific user (domain verification)
> > > 2 - Protocol Rule - Allow some protocols (for all users). From this rule
> > > I except my specific user (domain verification).
> > >
> > > for this specific user
> > >
> > > 3 - Destination Set - rule name "google" and site www.google.com
> > > 4 - Site & Content Rules - rule that allows "Specific Destination" -
> > > google destination - only for my specific user (domain verification)
> > > 5 - Protocol Rule - rule that allows the HTTP protocol to any request at
> > > any time - only for my specific user (domain verification).
> > >
> > > But after these rules my user has access to all Internet sites.
> > >
> > > What's wrong?
> > >
> > >
> > >
> > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> > > news:OPO9mmK3EHA.3120@TK2MSFTNGP12.phx.gbl...
> > > > Sure you can.
> > > > 1. In the ISA 2000 console, create a "Destination Set" under "Policy
> > > > Elements"; in the set, add the site you want.
> > > > 2. Under Access Policy, open "Site & Content Rules" and delete the
> > > > default rule there.
> > > > 3. Create a new rule that allows "Specific Destination" and choose the
> > > > Destination Set you created, and allow the rule to any request at any
> > > > time.
> > > > 4. Under Access Policy, create a "Protocol Rule" that allows the HTTP
> > > > Protocol to any request at any time.
> > > > 5. Wait about 2 min for the rules to take effect.
> > > >
> > > > That's it.
> > > >
> > > > HTH
> > > > --
> > > > Yours truly,
> > > > Mohammed A. Raslan
> > > > Systems Engineer / Consultant
> > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > E-Mail: m_raslan@link.net.removethis
> > > >
> > > >
> > > > "Asya" <asya@fu.ru> wrote in message
> > > > news:#M$jaKD3EHA.3376@TK2MSFTNGP12.phx.gbl...
> > > > > Hi
> > > > > Thanks for help
> > > > >
> > > > > As I understood from your tip you have ISA 2004.
> > > > > But I have ISA 2000 and have no possibility to perform your tip.
> > > > >
> > > > > I think that ISA 2000 has no ways to create access only to one
> > > > > external site.
> > > > >
> > > > > "Cyskon" <cyskon@msn.com> wrote in message
> > > > > news:Ozvn#W82EHA.4004@tk2msftngp13.phx.gbl...
> > > > > > Sure, create a Domain Set in the Network Object of the Toolbox that
> > > > > > will deny any HTTP access, and then create another rule that has
> > > > > > the URL of the site that you wish to allow, and then in the Task
> > > > > > tab, create a new access rule that denies all access to the
> > > > > > restricted domain set, except the allowed domain set.
> > > > > >
> > > > > > That should work. I did something like that and it seems to be
> > > > > > working.
> > > > > >
> > > > > >
> > > > > > "Asya" <asya@fu.ru> wrote in message
> > > > > > news:uOhtah62EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > > > > > Hi !
> > > > > > >
> > > > > > > Can I permit access only to one external site?
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
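Mohammed's explanation of why an "Any request" Site & Content rule makes the per-user restriction ineffective, and why forcing a 407 challenge fixes it, is easy to check with a small policy model. The block below is an added illustration written for this thread, not ISA Server code and not from any participant: the rule names, the user names "alice", "bob" and "restricted", and the deny-if-nothing-matches behaviour for identified users are assumptions; the treatment of anonymous requests and the 407 retry follow the explanation quoted above.

```python
"""Toy model of the Web Proxy rule evaluation described in the thread.

Added illustration, not ISA Server code. Rule matching, the handling of
anonymous ("anybody") requests and the 407 challenge follow Mohammed's
explanation; everything else (rule names, users, deny-on-no-match for
identified users) is a simplifying assumption made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

ALLOW = "allow"
DENY = "deny"
AUTH_REQUIRED = "407 Proxy Authentication Required"


@dataclass
class SiteContentRule:
    name: str
    # None means the rule applies to "Any request" (anonymous clients included);
    # a set of user names means it applies only to those identified users.
    users: Optional[set] = None
    # Users explicitly excepted from the rule ("except my restricted user").
    except_users: set = field(default_factory=set)
    # None means all destinations; a set models a Destination Set of host names.
    destinations: Optional[set] = None

    def applies_to(self, user: Optional[str], host: str) -> bool:
        if self.destinations is not None and host not in self.destinations:
            return False
        if self.users is None:
            return True          # "Any request": the identity is never consulted
        if user is None:
            return False         # a per-user rule cannot match an anonymous request
        return user in self.users and user not in self.except_users


@dataclass
class WebProxy:
    rules: list
    ask_unauthenticated: bool = False   # "Ask unauthenticated users for identification"

    def evaluate(self, user: Optional[str], host: str) -> str:
        if user is None and self.ask_unauthenticated:
            return AUTH_REQUIRED
        if any(rule.applies_to(user, host) for rule in self.rules):
            return ALLOW
        # Nothing matched: anonymous clients are challenged as a last resort
        # (the 407 from the thread); identified users are denied (assumption).
        return AUTH_REQUIRED if user is None else DENY

    def browse(self, user: str, host: str) -> str:
        """Model the browser: the first request is anonymous; on 407 it retries
        with the user's credentials."""
        verdict = self.evaluate(None, host)
        if verdict == AUTH_REQUIRED:
            verdict = self.evaluate(user, host)
        return verdict


GOOGLE_ONLY = {"www.google.com"}   # the Destination Set from the thread

# Config A (assumed): the first rule applies to "Any request", so the anonymous
# request already matches and the restricted user's rule never takes effect.
LEAKY_PROXY = WebProxy(rules=[
    SiteContentRule("allow everyone everywhere", users=None),
    SiteContentRule("restricted user -> google", users={"restricted"},
                    destinations=GOOGLE_ONLY),
])

# Config B (assumed): every rule names its users, so the anonymous request
# matches nothing, the proxy answers 407, and the retried request carries an
# identity that the per-user rules can act on.
FIXED_PROXY = WebProxy(rules=[
    SiteContentRule("allow domain users everywhere",
                    users={"alice", "bob", "restricted"},
                    except_users={"restricted"}),
    SiteContentRule("restricted user -> google", users={"restricted"},
                    destinations=GOOGLE_ONLY),
])


if __name__ == "__main__":
    cases = (("restricted", "www.google.com"),
             ("restricted", "www.example.com"),
             ("alice", "www.example.com"))
    for label, proxy in (("leaky", LEAKY_PROXY), ("fixed", FIXED_PROXY)):
        for user, host in cases:
            print(f"{label:5} {user:10} {host:16} -> {proxy.browse(user, host)}")
```

Running the script shows the two outcomes from the thread side by side: with the "Any request" rule in place the restricted user reaches www.example.com because the anonymous request is allowed before any identity is known; once every rule is bound to users, the same request is challenged with a 407, the browser retries as "restricted", and only www.google.com is allowed while the other users keep full access.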


