Re: Site and Content Rules - Not working

• Previous message: Ramadan: "net2phone behind ISA 2000"
• In reply to: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Next in thread: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Reply: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Messages sorted by: [ date ] [ thread ]

Date: Mon, 13 Dec 2004 13:22:15 +1030

Thanks Mohammed

I have the redirection working for the banned sites OK. My problem is that
when a user requests a page that is not in the Work Sites group, they get a
dialog box asking them to enter username, password and domain. Generally
this means they'll ring support and ask why which will take a lot of time.
What I was after is some option to redirect those requests to some other
internal page that would explain that the site is not approved.

In theory it should be possible by giving all users access to all sites, and
then denying grpLimitedBrowsing access to all sites except those in the Work
Sites destination set. It seems that ISA can't work out the "all sites
except" bit though. If this worked, I could then set up a redirection to a
"Not a Work Related Site" message, since you can only redirect on a Deny
rule, not an Allow rule.

Do you know why the Deny all except rule doesn't work?

Thanks again.

Mike

"Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
news:%238cTmLs3EHA.3504@TK2MSFTNGP12.phx.gbl...
> Michael
> Sorry i didn't read your last post right, if you want to redirect users to
> an error page that describes the error, you can either edit the Site &
> Content rule that denies banned sites and you will find a checkbox that
> redirect the clients to a specific page. You can create a page and put it
on
> an internal web server and type its URL in the rule.
>
> Another solution is to Edit ISA error pages check the following URL for
how
> to do it
> http://www.isaserver.org/tutorials/Custom_error_pages_within_ISA.html
>
> --
> Yours truly,
> Mohammed A. Raslan
> Systems Engineer / Consultant
> MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> Mobile: +20 (12) 36 26 112 / +965 978 1969
> E-Mail: m_raslan@link.net.removethis
>
>
> "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> news:OM3Risb3EHA.1152@TK2MSFTNGP14.phx.gbl...
> > ok if this is annoying then you have to change somethings.
> > 1. On the clients, make sure that the browser is *not* using a proxy
> server,
> > just like normal, and no automatic discovery or anything.
> > 2. In the ISA server, go to "Extensions" as i remember, then
"Application
> > Filters", search there for the "HTTP Redirector" double click on it,
then
> > choose "send request to destination web server directly" (the second
> option)
> > instead of send to WebProxy service.
> > 3. Make sure that the "Firewall Client" is installed and working
properly
> on
> > the client machines.
> >
> > wait for about 3 min, or restart the ISA Server Control service from
> > services, then try accessing sites again from the client.
> >
> > Try and tell me
> >
> > --
> > Yours truly,
> > Mohammed A. Raslan
> > Systems Engineer / Consultant
> > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > E-Mail: m_raslan@link.net.removethis
> >
> >
> > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> > news:OAtWhXZ3EHA.4008@TK2MSFTNGP15.phx.gbl...
> > > Thanks again Mohammed, this seems to work in principle, but I now have
> the
> > > issue where a user trying to access a non-work site gets the "enter
> > network
> > > password" dialog (ie, ISA authentication). Or a user trying to access
a
> > > work-related site that includes 2 images linked to a non-work related
> site
> > > gets the same dialog box.
> > >
> > > Any suggestions here? I'd really like to be able to redirect the users
> to
> > a
> > > site that tells them why they can't get where they're trying to go,
> rather
> > > than the authentication dialog, .
> > >
> > >
> > >
> > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> > > news:%23ExcLVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
> > > > Hi Michael,
> > > > Look restricting access using Active Directory groups in usually
> > > confusing,
> > > > and have many cases. From what you said, i would suggest the
following
> > > setup
> > > >
> > > > - Create a Site and Content Rule that allows the Work Destination
Set
> to
> > > > Domain Users (not any request).
> > > > - Create a Site and Content Rule that allows "All Destinations" for
> > Domain
> > > > Users, and add grpLimitedBrowsing to the list of exceptions.
> > > > - Create a Site and Content Rule that denies "Banned" Destination
Set
> to
> > > > Domain Users
> > > > - Make sure that either the browser is configured to use ISA an a
> Proxy
> > > > server or install the firewall client.
> > > >
> > > > The Problem with ISA and Active Directory accounts is that there are
> > many
> > > > options and cases that require different configurations. Any way try
> > this
> > > > and tell me if it works.
> > > >
> > > > --
> > > > Yours truly,
> > > > Mohammed A. Raslan
> > > > Systems Engineer / Consultant
> > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > E-Mail: m_raslan@link.net.removethis
> > > >
> > > >
> > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> > > > news:uuUpunL3EHA.1564@TK2MSFTNGP09.phx.gbl...
> > > > > Thanks Mohammed
> > > > >
> > > > > I think I should have been more specific: I only want to restrict
> > access
> > > > to
> > > > > the work-related destination set for a specific Active Directory
> group
> > > > (low
> > > > > level users). The rest of the domain users need to have
unrestricted
> > > > access,
> > > > > except for porn/virus etc sites. The users in grpLimitedBrowsing
are
> > > also
> > > > > members of Domain Users.
> > > > >
> > > > > So at the moment I have 2 AD groups: Domain Users (all users
needing
> > > > > unrestricted access except porn) and grpLimitedBrowsing (low level
> > users
> > > > > needing restricted access).
> > > > > There are 2 destination sets: Banned Sites (porn) and Work Related
> > Sites
> > > > > (Work Related Sites)
> > > > > There are 3 site and content rules:
> > > > > 1. Anyone
> > > > > Destinations: all destinations.
> > > > > Action: Allowed.
> > > > > Applies to: Domain Users (all users)
> > > > > Exceptions: grpLimitedBroswing
> > > > > 2. Banned Sites
> > > > > Destinations: Banned Sites destination set
> > > > > Action: Denied - redirect to internal URL
> > > > > Applies to: Domain Users
> > > > > 3. Work Sites
> > > > > Destinations: All destinations except Work Related Sites
> > destination
> > > > set
> > > > > Action: Denied - redirect to internal URL
> > > > > Applies to: grpLimitedBrowsing
> > > > >
> > > > > I place myself in the AD group grpLimitedBrowsing and enable the
> rules
> > > and
> > > > > get the following:
> > > > >
> > > > > Accessing Work Related Site: - redirected to internal URL
> > > > > Accessing Non-Work Related Site - seems to alternate between
> prompting
> > > me
> > > > > for my network username and password, or redirecting me to the
> > internal
> > > > URL.
> > > > >
> > > > > It's totally confused me because it seems like it should be so
> simple,
> > > so
> > > > > any further help would be greatly appreciated.
> > > > >
> > > > > Thanks, Mike
> > > > >
> > > > >
> > > > >
> > > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in
message
> > > > > news:uM8IosK3EHA.1452@TK2MSFTNGP11.phx.gbl...
> > > > > > No its not that way, Delete the 2 site and content rules you
have
> > and
> > > > > create
> > > > > > only one that allows only your destination set. wait for 2 or 3
> min
> > > and
> > > > > try
> > > > > > again
> > > > > >
> > > > > > --
> > > > > > Yours truly,
> > > > > > Mohammed A. Raslan
> > > > > > Systems Engineer / Consultant
> > > > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
> > > > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
> > > > > > E-Mail: m_raslan@link.net.removethis
> > > > > >
> > > > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
> > > > > > news:e4KlEpz2EHA.4072@TK2MSFTNGP10.phx.gbl...
> > > > > > > Hi all
> > > > > > >
> > > > > > > I'm trying to limit access to work-related sites using ISA
> Server
> > > 2000
> > > > > > Site
> > > > > > > and Content Rules. So far I have done the following:
> > > > > > >
> > > > > > > 1. Made a Destination Set containing the work-related sites
> > > > > > > 2. Made a Site and Content rule to allow anyone access to all
> > sites
> > > > > > > anytime.
> > > > > > > 3. Made a Site and Content rule denying access to all sites
> except
> > > the
> > > > > > > work-related sites.
> > > > > > >
> > > > > > > When I enable rule 3, all sites are blocked, including the
ones
> > > listed
> > > > > in
> > > > > > > the work-related destination set, which seems illogical. I
read
> > > > > somewhere
> > > > > > > that you need to allow access to sites and then deny access to
> > > > specific
> > > > > > > users, which I thought was covered by step 2 above. Out of
> > > > desperation,
> > > > > I
> > > > > > > created a rule allowing access to the work-related sites as
> well,
> > > but
> > > > > this
> > > > > > > still didn't work. Then I added an entry to the work-related
> > > > destination
> > > > > > set
> > > > > > > which was the IP of a site to see if that made a difference,
but
> > no
> > > > > change
> > > > > > > when I tried to access that site by its IP.
> > > > > > >
> > > > > > > I then set rule 3 to deny access to that destination set only,
> and
> > > the
> > > > > > rule
> > > > > > > seemed to be applied OK (ie changed it from "all destinations
> > > except"
> > > > to
> > > > > > > "selected destination set".
> > > > > > >
> > > > > > > I have another destination set (porn sites etc) and another
rule
> > > that
> > > > > > blocks
> > > > > > > access to that destination set, and that works fine, so I know
> > this
> > > > > thing
> > > > > > > should work. It just seems like ISA can't work out how to
apply
> a
> > > rule
> > > > > > when
> > > > > > > it's an "all sites except" scenario.
> > > > > > >
> > > > > > > Does anyone else have this problem, or hopefully a solution.
Any
> > > > > > assistance
> > > > > > > would be greatly appreciated.
> > > > > > >
> > > > > > > Mike
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

• Previous message: Ramadan: "net2phone behind ISA 2000"
• In reply to: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Next in thread: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Reply: Mohammed A. Raslan: "Re: Site and Content Rules - Not working"
• Messages sorted by: [ date ] [ thread ]