Re: Site and Content Rules - Not working

From: Mohammed A. Raslan (m_raslan_at_link.net.removethis)
Date: 12/14/04

  • Next message: Jack Pea***: "Re: Problem with Outgoing SMTP and ISA 2004"
    Date: Tue, 14 Dec 2004 22:50:52 +0300
    
    

    Dear Michael,
    As I said before, dealing with ISA restricting access by accounts is not an
    easy job. You can achieve what you want by allowing all users and denying
    some sites; however, dealing with what type of client and what software they
    use and other factors needs specific solutions.

    Regarding that you don't want the pop-up window asking for user name and
    password to appear, did you read my post on 9th December? It contains the
    answer to how to achieve this; you can mix it with my previous post to return
    to the user a page containing an explanation of why the destination they
    requested was denied, without prompting them for authentication
    again.

    Tell me if you tried it, and whether it worked for you or not.

    -- 
    Yours truly,
    Mohammed A. Raslan
    Systems Engineer / Consultant
    MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    Mobile: +20 (12) 36 26 112 / +965 978 1969
    E-Mail: m_raslan@link.net.removethis
    "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
    news:#cd669L4EHA.208@TK2MSFTNGP12.phx.gbl...
    > Thanks Mohammed
    >
    > I have the redirection working for the banned sites OK. My problem is that
    > when a user requests a page that is not in the Work Sites group, they get a
    > dialog box asking them to enter username, password and domain. Generally
    > this means they'll ring support and ask why, which will take a lot of time.
    > What I was after is some option to redirect those requests to some other
    > internal page that would explain that the site is not approved.
    >
    > In theory it should be possible by giving all users access to all sites, and
    > then denying grpLimitedBrowsing access to all sites except those in the Work
    > Sites destination set. It seems that ISA can't work out the "all sites
    > except" bit though. If this worked, I could then set up a redirection to a
    > "Not a Work Related Site" message, since you can only redirect on a Deny
    > rule, not an Allow rule.
    >
    > Do you know why the Deny all except rule doesn't work?
    >
    > Thanks again.
    >
    > Mike
    >
    >
    > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
    > news:%238cTmLs3EHA.3504@TK2MSFTNGP12.phx.gbl...
    > > Michael
    > > Sorry I didn't read your last post right. If you want to redirect users to
    > > an error page that describes the error, you can either edit the Site &
    > > Content rule that denies banned sites, where you will find a checkbox that
    > > redirects the clients to a specific page. You can create a page and put it
    > > on an internal web server and type its URL in the rule.
    > >
    > > Another solution is to edit the ISA error pages; check the following URL
    > > for how to do it:
    > > http://www.isaserver.org/tutorials/Custom_error_pages_within_ISA.html
    > >
    > > -- 
    > > Yours truly,
    > > Mohammed A. Raslan
    > > Systems Engineer / Consultant
    > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    > > Mobile: +20 (12) 36 26 112 / +965 978 1969
    > > E-Mail: m_raslan@link.net.removethis
    > >
    > >
    > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
    > > news:OM3Risb3EHA.1152@TK2MSFTNGP14.phx.gbl...
    > > > OK, if this is annoying then you have to change some things.
    > > > 1. On the clients, make sure that the browser is *not* using a proxy
    > > > server, just like normal, and no automatic discovery or anything.
    > > > 2. In the ISA server, go to "Extensions" as I remember, then "Application
    > > > Filters", search there for the "HTTP Redirector", double click on it,
    > > > then choose "send request to destination web server directly" (the
    > > > second option) instead of send to Web Proxy service.
    > > > 3. Make sure that the "Firewall Client" is installed and working
    > > > properly on the client machines.
    > > >
    > > > Wait for about 3 min, or restart the ISA Server Control service from
    > > > Services, then try accessing sites again from the client.
    > > >
    > > > Try and tell me.
    > > >
    > > > -- 
    > > > Yours truly,
    > > > Mohammed A. Raslan
    > > > Systems Engineer / Consultant
    > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
    > > > E-Mail: m_raslan@link.net.removethis
    > > >
    > > >
    > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
    > > > news:OAtWhXZ3EHA.4008@TK2MSFTNGP15.phx.gbl...
    > > > > Thanks again Mohammed, this seems to work in principle, but I now have
    > > > > the issue where a user trying to access a non-work site gets the "enter
    > > > > network password" dialog (ie, ISA authentication). Or a user trying to
    > > > > access a work-related site that includes 2 images linked to a non-work
    > > > > related site gets the same dialog box.
    > > > >
    > > > > Any suggestions here? I'd really like to be able to redirect the users
    > > > > to a site that tells them why they can't get where they're trying to
    > > > > go, rather than the authentication dialog.
    > > > >
    > > > >
    > > > >
    > > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
    > > > > news:%23ExcLVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
    > > > > > Hi Michael,
    > > > > > Look, restricting access using Active Directory groups is usually
    > > > > > confusing, and has many cases. From what you said, I would suggest
    > > > > > the following setup:
    > > > > >
    > > > > > - Create a Site and Content Rule that allows the Work Destination Set
    > > > > > to Domain Users (not any request).
    > > > > > - Create a Site and Content Rule that allows "All Destinations" for
    > > > > > Domain Users, and add grpLimitedBrowsing to the list of exceptions.
    > > > > > - Create a Site and Content Rule that denies the "Banned" Destination
    > > > > > Set to Domain Users.
    > > > > > - Make sure that either the browser is configured to use ISA as a
    > > > > > Proxy server or install the firewall client.
    > > > > >
    > > > > > The problem with ISA and Active Directory accounts is that there are
    > > > > > many options and cases that require different configurations. Anyway,
    > > > > > try this and tell me if it works.
    > > > > >
    > > > > > -- 
    > > > > > Yours truly,
    > > > > > Mohammed A. Raslan
    > > > > > Systems Engineer / Consultant
    > > > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    > > > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
    > > > > > E-Mail: m_raslan@link.net.removethis
    > > > > >
    > > > > >
    > > > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
    > > > > > news:uuUpunL3EHA.1564@TK2MSFTNGP09.phx.gbl...
    > > > > > > Thanks Mohammed
    > > > > > >
    > > > > > > I think I should have been more specific: I only want to restrict
    > > > > > > access to the work-related destination set for a specific Active
    > > > > > > Directory group (low level users). The rest of the domain users
    > > > > > > need to have unrestricted access, except for porn/virus etc sites.
    > > > > > > The users in grpLimitedBrowsing are also members of Domain Users.
    > > > > > >
    > > > > > > So at the moment I have 2 AD groups: Domain Users (all users
    > > > > > > needing unrestricted access except porn) and grpLimitedBrowsing
    > > > > > > (low level users needing restricted access).
    > > > > > > There are 2 destination sets: Banned Sites (porn) and Work Related
    > > > > > > Sites (Work Related Sites).
    > > > > > > There are 3 site and content rules:
    > > > > > > 1. Anyone
    > > > > > >     Destinations: all destinations.
    > > > > > >     Action: Allowed.
    > > > > > >     Applies to: Domain Users (all users)
    > > > > > >     Exceptions: grpLimitedBrowsing
    > > > > > > 2. Banned Sites
    > > > > > >     Destinations: Banned Sites destination set
    > > > > > >     Action: Denied - redirect to internal URL
    > > > > > >     Applies to: Domain Users
    > > > > > > 3. Work Sites
    > > > > > >     Destinations: All destinations except Work Related Sites
    > > > > > >     destination set
    > > > > > >     Action: Denied - redirect to internal URL
    > > > > > >     Applies to: grpLimitedBrowsing
    > > > > > >
    > > > > > > I place myself in the AD group grpLimitedBrowsing and enable the
    > > > > > > rules and get the following:
    > > > > > >
    > > > > > > Accessing Work Related Site: - redirected to internal URL
    > > > > > > Accessing Non-Work Related Site - seems to alternate between
    > > > > > > prompting me for my network username and password, or redirecting
    > > > > > > me to the internal URL.
    > > > > > >
    > > > > > > It's totally confused me because it seems like it should be so
    > > > > > > simple, so any further help would be greatly appreciated.
    > > > > > >
    > > > > > > Thanks, Mike
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in
    > message
    > > > > > > news:uM8IosK3EHA.1452@TK2MSFTNGP11.phx.gbl...
    > > > > > > > No, it's not that way. Delete the 2 site and content rules you
    > > > > > > > have and create only one that allows only your destination set.
    > > > > > > > Wait for 2 or 3 min and try again.
    > > > > > > >
    > > > > > > > -- 
    > > > > > > > Yours truly,
    > > > > > > > Mohammed A. Raslan
    > > > > > > > Systems Engineer / Consultant
    > > > > > > > MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
    > > > > > > > Mobile: +20 (12) 36 26 112 / +965 978 1969
    > > > > > > > E-Mail: m_raslan@link.net.removethis
    > > > > > > >
    > > > > > > > "Michael Bayly" <mbayly@nospam.ncml.com.au> wrote in message
    > > > > > > > news:e4KlEpz2EHA.4072@TK2MSFTNGP10.phx.gbl...
    > > > > > > > > Hi all
    > > > > > > > >
    > > > > > > > > I'm trying to limit access to work-related sites using ISA
    > > > > > > > > Server 2000 Site and Content Rules. So far I have done the
    > > > > > > > > following:
    > > > > > > > >
    > > > > > > > > 1. Made a Destination Set containing the work-related sites
    > > > > > > > > 2. Made a Site and Content rule to allow anyone access to all
    > > > > > > > > sites anytime.
    > > > > > > > > 3. Made a Site and Content rule denying access to all sites
    > > > > > > > > except the work-related sites.
    > > > > > > > >
    > > > > > > > > When I enable rule 3, all sites are blocked, including the ones
    > > > > > > > > listed in the work-related destination set, which seems
    > > > > > > > > illogical. I read somewhere that you need to allow access to
    > > > > > > > > sites and then deny access to specific users, which I thought
    > > > > > > > > was covered by step 2 above. Out of desperation, I created a
    > > > > > > > > rule allowing access to the work-related sites as well, but this
    > > > > > > > > still didn't work. Then I added an entry to the work-related
    > > > > > > > > destination set which was the IP of a site to see if that made a
    > > > > > > > > difference, but no change when I tried to access that site by
    > > > > > > > > its IP.
    > > > > > > > >
    > > > > > > > > I then set rule 3 to deny access to that destination set only,
    > > > > > > > > and the rule seemed to be applied OK (ie changed it from "all
    > > > > > > > > destinations except" to "selected destination set").
    > > > > > > > >
    > > > > > > > > I have another destination set (porn sites etc) and another rule
    > > > > > > > > that blocks access to that destination set, and that works fine,
    > > > > > > > > so I know this thing should work. It just seems like ISA can't
    > > > > > > > > work out how to apply a rule when it's an "all sites except"
    > > > > > > > > scenario.
    > > > > > > > >
    > > > > > > > > Does anyone else have this problem, or hopefully a solution. Any
    > > > > > > > > assistance would be greatly appreciated.
    > > > > > > > >
    > > > > > > > > Mike
    > > > > > > > >
    > > > > > > > >
    > > > > > > >
    > > > > > > >
    > > > > > >
    > > > > > >
    > > > > >
    > > > > >
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
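    The following is an added example, not code from the thread or from ISA
    Server itself. It models how the rule set Mike lists (Anyone / Banned Sites /
    Work Sites, with Domain Users and grpLimitedBrowsing) is evaluated, so the
    two outcomes he reports can be reproduced on paper. The evaluation order it
    encodes is my summary of the documented ISA 2000 behaviour and is an
    assumption, not something stated in the thread: deny rules are checked before
    allow rules, a request is allowed only when an allow rule matches and no deny
    rule does, a request with no matching allow rule is denied, and a rule scoped
    to users or groups cannot be matched against an anonymous request, so the
    proxy must ask for credentials first. Host names and the redirect URL are
    constructed placeholders.

```python
"""Model of ISA Server 2000 Site and Content Rule evaluation (added example).

Assumed semantics (my reading of the ISA 2000 documentation, not the thread):
  * deny rules are evaluated before allow rules; any matching deny wins;
  * with no matching deny, the first matching allow rule allows the request;
  * no matching allow rule at all means the request is denied (default deny);
  * a rule scoped to users/groups cannot be matched for an anonymous request,
    so reaching such a rule anonymously produces a credential challenge.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = "any request"   # rule applies to every request; no identity needed


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    dest_set: Optional[FrozenSet[str]]       # None means "all destinations"
    invert: bool = False                     # True: "all destinations except dest_set"
    applies_to: str = ANY                    # ANY or the name of one group
    exceptions: FrozenSet[str] = frozenset() # groups exempted from this rule
    redirect: Optional[str] = None           # URL shown instead of an error on deny

    def dest_matches(self, host: str) -> bool:
        in_set = self.dest_set is None or host in self.dest_set
        return (not in_set) if self.invert else in_set


@dataclass
class Request:
    host: str
    user: Optional[str] = None               # None means anonymous
    groups: FrozenSet[str] = frozenset()


def rule_applies(rule: Rule, req: Request) -> Optional[bool]:
    """True/False when decidable; None when the proxy needs an identity first."""
    if not rule.dest_matches(req.host):
        return False
    if rule.applies_to == ANY:
        return True
    if req.user is None:
        return None                          # user-scoped rule, anonymous request
    if req.groups & rule.exceptions:
        return False
    return rule.applies_to in req.groups


def evaluate(rules, req: Request) -> Tuple[str, Optional[str]]:
    """Return ("allow", None), ("deny", redirect_url) or ("challenge", None)."""
    for r in (r for r in rules if r.action == "deny"):   # deny rules first
        m = rule_applies(r, req)
        if m is None:
            return ("challenge", None)
        if m:
            return ("deny", r.redirect)
    for r in (r for r in rules if r.action == "allow"):
        m = rule_applies(r, req)
        if m is None:
            return ("challenge", None)
        if m:
            return ("allow", None)
    return ("deny", None)                                # default deny, no redirect


# Constructed host names and redirect URL; group/rule names are Mike's.
WORK = frozenset({"intranet.example.com", "supplier.example.net"})
BANNED = frozenset({"porn.example.org"})
NOT_APPROVED = "http://intranet.example.com/not-approved.html"
LIMITED = frozenset({"Domain Users", "grpLimitedBrowsing"})
NORMAL = frozenset({"Domain Users"})


def mikes_rules():
    """The three rules exactly as Mike listed them."""
    return [
        Rule("Anyone", "allow", None, applies_to="Domain Users",
             exceptions=frozenset({"grpLimitedBrowsing"})),
        Rule("Banned Sites", "deny", BANNED, applies_to="Domain Users",
             redirect=NOT_APPROVED),
        Rule("Work Sites", "deny", WORK, invert=True,
             applies_to="grpLimitedBrowsing", redirect=NOT_APPROVED),
    ]


def with_work_allow(rules):
    """Mike's rules plus Mohammed's first suggestion: allow the Work set to Domain Users."""
    return [Rule("Work Allowed", "allow", WORK, applies_to="Domain Users")] + list(rules)


if __name__ == "__main__":
    cases = [Request("intranet.example.com", "mike", LIMITED),
             Request("news.example.com", "mike", LIMITED),
             Request("news.example.com"),                      # anonymous request
             Request("porn.example.org", "alice", NORMAL),
             Request("news.example.com", "alice", NORMAL)]
    for label, rules in (("Mike's 3 rules", mikes_rules()),
                         ("plus Work Allowed", with_work_allow(mikes_rules()))):
        print(label)
        for req in cases:
            print(f"  {req.user or 'anonymous':10} {req.host:22} -> {evaluate(rules, req)}")
```

    Under these assumed semantics, Mike's three rules leave a grpLimitedBrowsing
    member with no allow rule at all for a work site (the Anyone rule excludes
    the group, and the Work Sites deny does not match), so the work site is
    denied by default; adding the allow rule for the Work Destination Set is what
    makes it pass, while the inverted Work Sites deny still sends non-work
    requests to the redirect URL. An anonymous request to a non-work site reaches
    a group-scoped rule and comes back as a credential challenge rather than a
    redirect, which is the case the model treats separately.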
    
