Re: Site and Content Rules - Not working

From: Mohammed A. Raslan (m_raslan_at_link.net.removethis)
Date: 12/10/04


Date: Fri, 10 Dec 2004 17:16:48 +0300

Michael
Sorry, I didn't read your last post right. If you want to redirect users to
an error page that describes the error, you can either edit the Site &
Content rule that denies banned sites (you will find a checkbox that
redirects the clients to a specific page; you can create a page, put it on
an internal web server and type its URL in the rule),

or edit the ISA error pages. Check the following URL for how to do that:
http://www.isaserver.org/tutorials/Custom_error_pages_within_ISA.html

-- 
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: m_raslan@link.net.removethis
"Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
news:OM3Risb3EHA.1152@TK2MSFTNGP14.phx.gbl...
> OK, if this is annoying then you have to change some things.
> 1. On the clients, make sure that the browser is *not* using a proxy
> server, just like normal, and no automatic discovery or anything.
> 2. In the ISA server, go to "Extensions" as I remember, then "Application
> Filters", search there for the "HTTP Redirector", double click on it, then
> choose "send request to destination web server directly" (the second
> option) instead of send to WebProxy service.
> 3. Make sure that the "Firewall Client" is installed and working properly
> on the client machines.
>
> Wait for about 3 min, or restart the ISA Server Control service from
> services, then try accessing sites again from the client.
>
> Try and tell me
>
> -- 
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> news:OAtWhXZ3EHA.4008@TK2MSFTNGP15.phx.gbl...
> > Thanks again Mohammed, this seems to work in principle, but I now have
> > the issue where a user trying to access a non-work site gets the "enter
> > network password" dialog (ie, ISA authentication). Or a user trying to
> > access a work-related site that includes 2 images linked to a non-work
> > related site gets the same dialog box.
> >
> > Any suggestions here? I'd really like to be able to redirect the users
> > to a site that tells them why they can't get where they're trying to go,
> > rather than the authentication dialog.
> >
> >
> >
> > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> > news:%23ExcLVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > Hi Michael,
> > > Look, restricting access using Active Directory groups is usually
> > > confusing, and has many cases. From what you said, I would suggest the
> > > following setup:
> > >
> > > - Create a Site and Content Rule that allows the Work Destination Set
> > > to Domain Users (not any request).
> > > - Create a Site and Content Rule that allows "All Destinations" for
> > > Domain Users, and add grpLimitedBrowsing to the list of exceptions.
> > > - Create a Site and Content Rule that denies the "Banned" Destination
> > > Set to Domain Users.
> > > - Make sure that either the browser is configured to use ISA as a Proxy
> > > server or install the firewall client.
> > >
> > > The problem with ISA and Active Directory accounts is that there are
> > > many options and cases that require different configurations. Anyway,
> > > try this and tell me if it works.
> > >
> > > -- 
> > > Yours truly,
> > > Mohammed A. Raslan
> > > Systems Engineer / Consultant
> > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > E-Mail: m_raslan@link.net.removethis
> > >
> > >
> > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> > > news:uuUpunL3EHA.1564@TK2MSFTNGP09.phx.gbl...
> > > > Thanks Mohammed
> > > >
> > > > I think I should have been more specific: I only want to restrict
> > > > access to the work-related destination set for a specific Active
> > > > Directory group (low level users). The rest of the domain users need
> > > > to have unrestricted access, except for porn/virus etc sites. The
> > > > users in grpLimitedBrowsing are also members of Domain Users.
> > > >
> > > > So at the moment I have 2 AD groups: Domain Users (all users needing
> > > > unrestricted access except porn) and grpLimitedBrowsing (low level
> > > > users needing restricted access).
> > > > There are 2 destination sets: Banned Sites (porn) and Work Related
> > > > Sites (Work Related Sites)
> > > > There are 3 site and content rules:
> > > > 1. Anyone
> > > >     Destinations: all destinations.
> > > >     Action: Allowed.
> > > >     Applies to: Domain Users (all users)
> > > >     Exceptions: grpLimitedBrowsing
> > > > 2. Banned Sites
> > > >     Destinations: Banned Sites destination set
> > > >     Action: Denied - redirect to internal URL
> > > >     Applies to: Domain Users
> > > > 3. Work Sites
> > > >     Destinations: All destinations except Work Related Sites
> > > >     destination set
> > > >     Action: Denied - redirect to internal URL
> > > >     Applies to: grpLimitedBrowsing
> > > >
> > > > I place myself in the AD group grpLimitedBrowsing and enable the
> > > > rules and get the following:
> > > >
> > > > Accessing Work Related Site: - redirected to internal URL
> > > > Accessing Non-Work Related Site - seems to alternate between
> > > > prompting me for my network username and password, or redirecting me
> > > > to the internal URL.
> > > >
> > > > It's totally confused me because it seems like it should be so
> > > > simple, so any further help would be greatly appreciated.
> > > >
> > > > Thanks, Mike
> > > >
> > > >
> > > >
> > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> > > > news:uM8IosK3EHA.1452@TK2MSFTNGP11.phx.gbl...
> > > > > No, it's not that way. Delete the 2 site and content rules you have
> > > > > and create only one that allows only your destination set. Wait for
> > > > > 2 or 3 min and try again.
> > > > >
> > > > > -- 
> > > > > Yours truly,
> > > > > Mohammed A. Raslan
> > > > > Systems Engineer / Consultant
> > > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > > E-Mail: m_raslan@link.net.removethis
> > > > >
> > > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> > > > > news:e4KlEpz2EHA.4072@TK2MSFTNGP10.phx.gbl...
> > > > > > Hi all
> > > > > >
> > > > > > I'm trying to limit access to work-related sites using ISA Server
> > > > > > 2000 Site and Content Rules. So far I have done the following:
> > > > > >
> > > > > > 1. Made a Destination Set containing the work-related sites
> > > > > > 2. Made a Site and Content rule to allow anyone access to all
> > > > > > sites anytime.
> > > > > > 3. Made a Site and Content rule denying access to all sites
> > > > > > except the work-related sites.
> > > > > >
> > > > > > When I enable rule 3, all sites are blocked, including the ones
> > > > > > listed in the work-related destination set, which seems illogical.
> > > > > > I read somewhere that you need to allow access to sites and then
> > > > > > deny access to specific users, which I thought was covered by step
> > > > > > 2 above. Out of desperation, I created a rule allowing access to
> > > > > > the work-related sites as well, but this still didn't work. Then I
> > > > > > added an entry to the work-related destination set which was the
> > > > > > IP of a site to see if that made a difference, but no change when
> > > > > > I tried to access that site by its IP.
> > > > > >
> > > > > > I then set rule 3 to deny access to that destination set only, and
> > > > > > the rule seemed to be applied OK (ie changed it from "all
> > > > > > destinations except" to "selected destination set").
> > > > > >
> > > > > > I have another destination set (porn sites etc) and another rule
> > > > > > that blocks access to that destination set, and that works fine,
> > > > > > so I know this thing should work. It just seems like ISA can't
> > > > > > work out how to apply a rule when it's an "all sites except"
> > > > > > scenario.
> > > > > >
> > > > > > Does anyone else have this problem, or hopefully a solution? Any
> > > > > > assistance would be greatly appreciated.
> > > > > >
> > > > > > Mike
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

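A small rule evaluator, added here as an illustration and not part of the thread or of ISA Server, that models the three rules Mike listed and the set Mohammed suggested so the two can be compared for a Domain Users member and a grpLimitedBrowsing member. It assumes ISA 2000 processes every deny rule before any allow rule and denies anything no allow rule covers; the hostnames and the redirect URL are constructed placeholders. Under those assumptions Mike's rules contain no allow rule that covers grpLimitedBrowsing at all, which is the gap the first rule of the suggested set closes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    hosts: Optional[FrozenSet[str]]  # destination set; None models "all destinations"
    invert: bool = False             # True models "all destinations except <set>"
    applies_to: FrozenSet[str] = frozenset()   # AD groups the rule applies to
    exceptions: FrozenSet[str] = frozenset()   # AD groups excluded from applies_to
    redirect: Optional[str] = None   # deny rules may redirect to an internal URL

    def matches(self, groups: FrozenSet[str], host: str) -> bool:
        in_set = True if self.hosts is None else host in self.hosts
        if self.invert:
            in_set = not in_set
        user_ok = bool(groups & self.applies_to) and not (groups & self.exceptions)
        return in_set and user_ok

def evaluate(rules: List[Rule], groups: FrozenSet[str], host: str) -> Tuple[str, Optional[str]]:
    """Assumed ISA 2000 order: every deny rule is checked first, then the allow
    rules; a request that no allow rule covers is denied with no redirect."""
    for r in rules:
        if r.action == "deny" and r.matches(groups, host):
            return ("deny", r.redirect)
    for r in rules:
        if r.action == "allow" and r.matches(groups, host):
            return ("allow", None)
    return ("deny", None)

# Constructed sample data: destination sets, group names from the thread, placeholder URL.
WORK = frozenset({"intranet.example"})
BANNED = frozenset({"banned.example"})
DU, LIM = frozenset({"Domain Users"}), frozenset({"grpLimitedBrowsing"})
BLOCK = "http://INTERNAL-WEB-SERVER/blocked.html"

# Mike's three rules as listed in his second post.
MIKES_RULES = [
    Rule("Anyone", "allow", None, applies_to=DU, exceptions=LIM),
    Rule("Banned Sites", "deny", BANNED, applies_to=DU, redirect=BLOCK),
    Rule("Work Sites", "deny", WORK, invert=True, applies_to=LIM, redirect=BLOCK),
]
# Mohammed's suggested set: allow work sites to everyone, allow everything
# else to Domain Users minus grpLimitedBrowsing, deny the banned set.
SUGGESTED_RULES = [
    Rule("Work to all users", "allow", WORK, applies_to=DU),
    Rule("All destinations", "allow", None, applies_to=DU, exceptions=LIM),
    Rule("Banned", "deny", BANNED, applies_to=DU, redirect=BLOCK),
]
LIMITED_USER, NORMAL_USER = DU | LIM, DU   # limited users are also Domain Users
```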