Re: access only to one external site

From: Mohammed A. Raslan (m_raslan_at_link.net.removethis)
Date: 12/10/04


Date: Fri, 10 Dec 2004 17:11:21 +0300

umm, that's strange,
Ok please answer these questions:
1. Is the firewall client installed on the client?
2. Is the browser configured to use a proxy or not?
3. What is the error returned to the client?
4. What is the browser your client uses (IE or Netscape or Firefox) and
which version?

Make sure that the user is logged on using his user account in AD, not to
the local machine.

If you can send a zipped print screen of the Destination Set definition it
might help. Make sure that you type www.google.com, not google.com only, and
try to add other sites such as Microsoft for example; add "*.microsoft.com"
to the destination set you created and try again.
Also configure the web browser to use ISA as a proxy and tell me what
happens.

-- 
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: m_raslan@link.net.removethis
"Asya" <asya@fu.ru> wrote in message
news:eH5Z2ad3EHA.1392@tk2msftngp13.phx.gbl...
> Hi Mohammed
> Thanks for help
>
> I have read the message posted by Michael Bayly. As I understood we have
> the same problem.
> I would like to clarify my problem: I have to give ALL WWW access to 99 of
> my users and access only to google.com for my one user.
> To perform this I did the following:
> 1. Made a Destination Set containing www.google.com
> 2. Made a Site and Content rule to allow anyone access to all sites
> anytime, except my restricted user
> 3. Made a Site and Content rule allowing access to selected destination
> sets for my restricted user
> 4. "Ask unauthenticated users for identification" is checked
>
> after this user has no access to any www
>
> Any assistance
> would be greatly appreciated.
>
>
> "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote the following in
> the newsgroup: news:eQBABdU3EHA.3336@TK2MSFTNGP11.phx.gbl...
> > Okay, this is how it should be, he should be now able to access
> > www.google.com?
> >
> > Look, I'm going to explain it, although it will be long. When a WebProxy
> > client (that is a browser configured to use a proxy server) requests a web
> > page from ISA, and you have ANY rule that allows the destination to "Any
> > request" (not a specific destination set, not Everyone as a group), no
> > matter how many rules you configure to deny that user specifically, they
> > won't take effect, because the browser doesn't send who is the user that
> > is trying to access that destination, so he is considered "anybody". So ISA
> > finds a rule (Any request) that allows the destination to "anybody", and
> > that "anybody" doesn't have a rule that denies him (your rules deny "user
> > x", not "anybody"), so ISA will pass his request.
> >
> > So the solution is to force ISA to know who is using the browser on the
> > client machine. This is done in several ways: you can change ALL your "Site
> > & Content" rules so they don't apply to "any request"; this way, ISA won't
> > find any rule that applies to that "anybody", so it requests authorization
> > (HTTP status code 407) from the browser as a last resort. Or you can leave
> > your rules as they are but check the "Ask unauthorized user for
> > identification" to force ISA to refuse anonymous connections and insist on
> > knowing who that user is. There is another way, that is not to configure
> > the browser to use a proxy, and install the firewall client and configure
> > something called the HTTP Redirector to send requests to the destination
> > web server directly; anyway, it's a stupid way.
> > --
> > Yours truly,
> > Mohammed A. Raslan
> > Systems Engineer / Consultant
> > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > E-Mail: m_raslan@link.net.removethis
> >
> >
> > "Asya" <asya@fu.ru> wrote in message
> > news:exU6QjS3EHA.1144@TK2MSFTNGP09.phx.gbl...
> > > Thanks for help Mohammed!
> > > 1 - yes
> > > 2 - I specify a group from Active Directory except my specific user
> > > 3 - for this user I create an allow rule for the selected destination set
> > > and choose the defined rule from Destination sets
> > > 4 - "Ask unauthenticated users for identification" is unchecked?
> > >
> > > So I have 2 rules in Site & Content Rules (1 for all, 2 - for user) and
> > > 1 rule in Protocol Rule - a rule that allows the HTTP protocol to any
> > > request in any time for all users.
> > >
> > > In this case this user has no access to any sites and gets error 407
> > > proxy authentication required
> > >
> > >
> > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote the following
> > > in the newsgroup: news:uigrJVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > > Ok I have some questions to get the picture clear in my mind
> > > >
> > > > 1. Is the browser on the client machines configured to use ISA as a
> > > > proxy server?
> > > >
> > > > 2. For the site and content rule for all users (the first rule you
> > > > mentioned), did you choose "Any request" or did you specify a group
> > > > from Active Directory containing your domain users?
> > > >
> > > > 3. Are these the only rules you have or are there other rules?
> > > >
> > > > 4. On the ISA server, right click on the server, click properties,
> > > > click on the outgoing web requests tab, is the "Ask unauthenticated
> > > > users for identification" checkbox checked or unchecked?
> > > >
> > > > --
> > > > Yours truly,
> > > > Mohammed A. Raslan
> > > > Systems Engineer / Consultant
> > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > E-Mail: m_raslan@link.net.removethis
> > > >
> > > >
> > > > "Asya" <asya@fu.ru> wrote in message
> > > > news:OR4ll4P3EHA.1144@TK2MSFTNGP09.phx.gbl...
> > > > Thanks for the tip.
> > > > In my case I have 100 users (firewall clients) with different access
> > > > to the Internet. I have to give to one of them specific access (only to
> > > > one site).
> > > > So, to perform this I have:
> > > >
> > > > for all users
> > > >
> > > > 1 - Site & Content Rules - Allow everything (for all users) - default
> > > > rule. From this rule I except my specific user (domain verification)
> > > > 2 - Protocol Rule - Allow some protocols (for all users). From this
> > > > rule I except my specific user (domain verification).
> > > >
> > > > for this specific user
> > > >
> > > > 3 - Destination Set - rule name "google" and site www.google.com
> > > > 4 - Site & Content Rules - rule that allows "Specific Destination" -
> > > > google destination - only for my specific user (domain verification)
> > > > 5 - Protocol Rule - rule that allows the HTTP protocol to any request
> > > > in any time - only for my specific user (domain verification).
> > > >
> > > > But after these rules my user has access to all Internet sites.
> > > >
> > > > What's wrong?
> > > >
> > > >
> > > >
> > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote the following
> > > > in the newsgroup: news:OPO9mmK3EHA.3120@TK2MSFTNGP12.phx.gbl...
> > > > > Sure you can
> > > > > 1. In ISA 2000 console, create a "Destination Set" under "Policy
> > > > > Elements"; in the set, add the site you want.
> > > > > 2. Under Access Policy, open "Site & Content Rules" and delete the
> > > > > default rule there
> > > > > 3. Create a new rule that allows "Specific Destination" and choose
> > > > > the Destination Set you created, and allow the rule to any request at
> > > > > any time
> > > > > 4. Under Access Policy, create a "Protocol Rule" that allows the HTTP
> > > > > Protocol to any request in any time.
> > > > > 5. Wait about 2 min for the rules to take effect.
> > > > >
> > > > > That's it.
> > > > >
> > > > > HTH
> > > > > --
> > > > > Yours truly,
> > > > > Mohammed A. Raslan
> > > > > Systems Engineer / Consultant
> > > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > > E-Mail: m_raslan@link.net.removethis
> > > > >
> > > > >
> > > > > "Asya" <asya@fu.ru> wrote in message
> > > > > news:#M$jaKD3EHA.3376@TK2MSFTNGP12.phx.gbl...
> > > > > > Hi
> > > > > > Thanks for help
> > > > > >
> > > > > > As I understood from your tip you have ISA 2004.
> > > > > > But I have ISA 2000 and have no possibility to perform your tip.
> > > > > >
> > > > > > I think that ISA 2000 has no ways to create access only to one
> > > > > > external site.
> > > > > >
> > > > > > "Cyskon" <cyskon@msn.com> wrote the following in the newsgroup:
> > > > > > news:Ozvn#W82EHA.4004@tk2msftngp13.phx.gbl...
> > > > > > > Sure, create a Domain Set in the Network Object of the Toolbox
> > > > > > > that will deny any HTTP access, and then create another rule that
> > > > > > > has the URL of the site that you wish to allow, and then in the
> > > > > > > Task tab, create a new access rule that denies all access to the
> > > > > > > restricted domain set, except the allowed domain set.
> > > > > > >
> > > > > > > That should work. I did something like that and it seems to be
> > > > > > > working.
> > > > > > >
> > > > > > >
> > > > > > > "Asya" <asya@fu.ru> wrote in message
> > > > > > > news:uOhtah62EHA.2192@TK2MSFTNGP14.phx.gbl...
> > > > > > > > Hi !
> > > > > > > >
> > > > > > > > Can I permit access only to one external site?
> > > > > > > >
> > > > > > > >
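The rule-evaluation behaviour Mohammed describes above (a WebProxy request with no user identity can only match rules written for "Any request", so a deny rule scoped to one user never fires until ISA is forced to ask for credentials with a 407) can be checked with a small model. The code below is an added example, not ISA Server code and not from anyone in the thread; the rule engine, the "deny wins over allow" precedence, the browser's retry-on-407 behaviour, and the user and host names are all assumptions made for the illustration.

```python
"""Toy model of the ISA 2000 Site & Content rule evaluation described in
the thread.  Added example, not ISA Server code.  Assumptions: a request
without credentials matches only "Any request" rules; a deny rule beats an
allow rule when both match; ISA sends HTTP 407 when "Ask unauthenticated
users for identification" is checked or when no rule applies at all."""
from dataclasses import dataclass
from typing import Callable, List, Optional

User = Optional[str]          # None means the browser sent no credentials


def any_request(user: User) -> bool:
    return True               # "Any request": anonymous or authenticated alike


def only_user(name: str) -> Callable[[User], bool]:
    return lambda user: user == name


def domain_users_except(name: str) -> Callable[[User], bool]:
    # an AD group: needs a real identity, and the restricted user is excepted
    return lambda user: user is not None and user != name


def all_sites(host: str) -> bool:
    return True


def destination_set(*hosts: str) -> Callable[[str], bool]:
    return lambda host: host in hosts


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    applies_to: Callable[[User], bool]
    destinations: Callable[[str], bool]

    def matches(self, user: User, host: str) -> bool:
        return self.applies_to(user) and self.destinations(host)


@dataclass
class IsaPolicy:
    rules: List[Rule]
    ask_unauthenticated: bool = False   # the "outgoing web requests" checkbox

    def evaluate(self, user: User, host: str) -> str:
        if user is None and self.ask_unauthenticated:
            return "407"                # refuse anonymous requests outright
        matched = [r for r in self.rules if r.matches(user, host)]
        if any(not r.allow for r in matched):
            return "deny"               # assumed: deny takes precedence
        if any(r.allow for r in matched):
            return "allow"
        # nothing applies: challenge an anonymous client as a last resort
        return "407" if user is None else "deny"


def browse(policy: IsaPolicy, user: str, host: str) -> str:
    """Model the browser: the first request is anonymous; on a 407 it
    retries with the logged-on user's credentials."""
    verdict = policy.evaluate(None, host)
    if verdict == "407":
        verdict = policy.evaluate(user, host)
    return verdict


# Constructed scenario 1: the default "Any request" allow rule is still
# present plus a deny rule for the restricted user (constructed name).
# Without forced authentication the restricted user's browser is "anybody".
LEAKY = IsaPolicy(rules=[
    Rule("default allow", True, any_request, all_sites),
    Rule("deny restricted", False, only_user("restricted"),
         lambda host: host != "www.google.com"),
])

# Scenario 2: same rules, "Ask unauthenticated users for identification" on.
FORCED_AUTH = IsaPolicy(rules=LEAKY.rules, ask_unauthenticated=True)

# Scenario 3: no rule applies to "Any request", so ISA falls back to a 407
# by itself (the layout Asya describes once the default rule is gone).
NO_ANY_REQUEST = IsaPolicy(rules=[
    Rule("everyone else", True, domain_users_except("restricted"), all_sites),
    Rule("google only", True, only_user("restricted"),
         destination_set("www.google.com")),
])

if __name__ == "__main__":
    for label, policy in [("leaky", LEAKY), ("forced auth", FORCED_AUTH),
                          ("no any-request", NO_ANY_REQUEST)]:
        for user in ("alice", "restricted"):
            for host in ("www.google.com", "www.example.com"):
                print(f"{label:15} {user:11} {host:16} -> "
                      f"{browse(policy, user, host)}")
```

Running it shows the leak from the thread: with the "Any request" allow rule in place and no forced authentication, the restricted user reaches every site, while either of Mohammed's two fixes (the checkbox, or removing "Any request" from every rule) makes the user-specific rules take effect.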
