Re: access only to one external site

From: Mohammed A. Raslan (m_raslan_at_link.net.removethis)
Date: 12/19/04


Date: Sun, 19 Dec 2004 11:42:37 +0300

Dear Asya,

Look, I feel there is something missing or that we are going in circles.

Try to do the following, just as a test:

  1. Disable all "Site & Content Rules" and "Protocol Rules" you have. To do so,
double click any rule and uncheck the "Enable" checkbox.
  2. Make sure that "Ask unauthenticated users for identification" is checked.
  3. In the same page that contains the checkbox above, make sure that ISA is
using the same configuration for all listeners, press the edit button (or
whatever button is there) and make sure that "Integrated Authentication" is the
only method selected.
  4. Create a new Protocol Rule that allows the HTTP protocol to any request,
not to any group (the first option).
  5. Create a new Site & Content Rule that allows all destinations to Domain
Users, and add the test user as an exception.
  6. Open Administrative Tools > Services and restart the ISA Server Control
service; this will restart all ISA services. After the restart, make sure that
the Microsoft Firewall service and Microsoft Web Proxy service are started.
  7. On a test client, log in using the test user account and make sure that IE
is using the ISA server as a proxy. Try to access any site; the user should get
a dialog box requesting a user name and password, and at the end you will get
error 407 Proxy Authorization Required. If this didn't happen, then there is
something wrong.
  8. If the above succeeds, try to log in using any other user account and try
to access any site; you should be able to access the Internet normally. Again,
if this didn't happen, then there is something wrong.
  9. If the above step works, create another Site & Content Rule that allows
the destination set you created to the test user.
  10. Restart the ISA Server Control service.
  11. Log in using the test user account and try to access the sites in the
destination set; he should access them normally. Any other sites should bring
up the username and password dialog box again, and at the end the error 407
Proxy Authorization Required will be returned.

This is the baseline configuration that should work. If it does work, then you
can start adding the other things you need to it; if it didn't work, tell me
which step didn't work and what exactly happens.

At any time, if you want to revert to your original configuration, disable the
rules you made now and enable your old rules.

I tried to send you an email but the address was wrong. If things still didn't
work, you can contact me by the email shown in my signature below; just remove
the ".removethis" part.

-- 
Yours truly,
Mohammed A. Raslan
Systems Engineer / Consultant
MCSE+I NT4, MCSA: Security , MCSE: Security, MCDBA, CCNA
Mobile: +20 (12) 36 26 112 / +965 978 1969
E-Mail: m_raslan@link.net.removethis
"Asya" <asya@fu.ru> wrote in message
news:uJgPKF24EHA.4004@tk2msftngp13.phx.gbl...
> Hello Mohammed,
> "Allow rule_user accounts" includes the "Domain Users" built-in group, and my
> test user is a member of this group (by default).
> I use the Russian edition of my servers, but I don't think that some language
> may affect the behaviour of ISA and others not, because all my deny rules
> work perfectly.
>
> So, I have no ideas what I have to do to solve this problem.
>
> my test user
> "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> news:%23MxmTUh4EHA.2196@TK2MSFTNGP14.phx.gbl...
> > Dear Asya,
> > It seems that the user named "test" is not a member of the group you have
> > for the rule "Allow rule_user accounts"; double check it. If my guess was
> > right, a pop-up window asking for the user name and password will keep
> > coming up, or you will finally have an error page with error 407.
> >
> > Make sure "test" is a member of the group, or replace the group with the
> > "Domain Users" built-in group. I have a strange feeling that the language
> > you use as the group name might have an effect.
> >
> > Try and tell me.
> >
> >
> > "Asya" <asya@fu.ru> wrote in message
> > news:O5T4jdb4EHA.2572@tk2msftngp13.phx.gbl...
> >> Hello Mohammed,
> >> 1 - firewall client installed on the client
> >> 2 - client's browser configured to use a proxy
> >> 3 - client has no access to any www (enter user name & password). This
> >> occurs when I have 2 Site & Content Rules (1 for all - allow everything,
> >> 2 - for current user - deny everything except www.google.com)
> >> 4 - client uses IE 6.0
> >> 5 - user is logged on using his user account in AD
> >>
> >> I have sent a zipped print screen to your e-mail
> >>
> >> "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> >> news:u9FRhIs3EHA.708@TK2MSFTNGP11.phx.gbl...
> >> > Umm, that's strange.
> >> > Ok, please answer these questions:
> >> > 1. Is the firewall client installed on the client?
> >> > 2. Is the browser configured to use a proxy or not?
> >> > 3. What is the error returned to the client?
> >> > 4. What is the browser your client uses (IE or Netscape or Firefox) and
> >> > which version?
> >> >
> >> > Make sure that the user is logged on using his user account in AD, not
> >> > to the local machine.
> >> >
> >> > If you can send a zipped print screen of the Destination Set definition
> >> > it might help. Make sure that you type www.google.com, not google.com
> >> > only, and try to add other sites such as Microsoft for example: add
> >> > "*.microsoft.com" to the destination set you created and try again.
> >> > Also configure the web browser to use ISA as a proxy and tell me what
> >> > happens.
> >> >
> >> > "Asya" <asya@fu.ru> wrote in message
> >> > news:eH5Z2ad3EHA.1392@tk2msftngp13.phx.gbl...
> >> > > Hi Mohammed
> >> > > Thanks for help
> >> > >
> >> > > I have read the message posted by Michael Bayly. As I understood, we
> >> > > have the same problem.
> >> > > I would like to clarify my problem: I have to give ALL WWW access to
> >> > > 99 of my users and access only to google.com for my one user.
> >> > > To perform this I did the following:
> >> > > 1. Made a Destination Set containing www.google.com
> >> > > 2. Made a Site and Content rule to allow anyone access to all sites
> >> > > anytime, except my restricted user
> >> > > 3. Made a Site and Content rule allowing access to selected
> >> > > destination sets for my restricted user
> >> > > 4. "Ask unauthenticated users for identification" is checked
> >> > >
> >> > > After this the user has no access to any www.
> >> > >
> >> > > Any assistance would be greatly appreciated.
> >> > >
> >> > >
> >> > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in message
> >> > > news:eQBABdU3EHA.3336@TK2MSFTNGP11.phx.gbl...
> >> > > > Okay, this is how it should be; he should now be able to access
> >> > > > www.google.com?
> >> > > >
> >> > > > Look, I'm going to explain it, although it will be long. When a
> >> > > > WebProxy client (that is, a browser configured to use a proxy server)
> >> > > > requests a web page from ISA, and you have ANY rule that allows the
> >> > > > destination to "Any request" (not a specific destination set, not
> >> > > > Everyone as a group), no matter how many rules you configure to deny
> >> > > > that user specifically, they won't take effect, because the browser
> >> > > > doesn't send who the user is that is trying to access that
> >> > > > destination, so he is considered "anybody". So ISA finds a rule (Any
> >> > > > request) that allows the destination to "anybody", and that "anybody"
> >> > > > doesn't have a rule that denies him (your rules deny "user x", not
> >> > > > "anybody"), so ISA will pass his request.
> >> > > >
> >> > > > So the solution is to force ISA to know who is using the browser on
> >> > > > the client machine. This is done in several ways: you can change ALL
> >> > > > your "Site & Content" rules so they don't apply to "any request";
> >> > > > this way, ISA won't find any rule that applies to that "anybody", so
> >> > > > it requests authorization (HTTP status code 407) from the browser as
> >> > > > a last resort. Or you can leave your rules as they are but check the
> >> > > > "Ask unauthorized user for identification" to force ISA to refuse
> >> > > > anonymous connections and insist on knowing who that user is. There
> >> > > > is another way, that is not to configure the browser to use a proxy,
> >> > > > and install the firewall client and configure something called the
> >> > > > HTTP Redirector to send requests to the destination web server
> >> > > > directly; anyway, it's a stupid way.
> >> > > > "Asya" <asya@fu.ru> wrote in message
> >> > > > news:exU6QjS3EHA.1144@TK2MSFTNGP09.phx.gbl...
> >> > > > > Thanks for help Mohammed!
> >> > > > > 1 - yes
> >> > > > > 2 - I specify a group from Active Directory except my specific
> >> > > > > user
> >> > > > > 3 - for this user I create an allow rule for the selected
> >> > > > > destination set and choose the defined rule from Destination sets
> >> > > > > 4 - "Ask unauthenticated users for identification" is unchecked?
> >> > > > >
> >> > > > > So I have 2 rules in Site & Content Rules (1 for all, 2 - for
> >> > > > > user) and 1 rule in Protocol Rules - a rule that allows the HTTP
> >> > > > > protocol to any request at any time for all users.
> >> > > > >
> >> > > > > In this case this user has no access to any sites and gets error
> >> > > > > 407 proxy authentication required
> >> > > > >
> >> > > > >
> >> > > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in
> >> > > > > message news:uigrJVS3EHA.3472@TK2MSFTNGP09.phx.gbl...
> >> > > > > > Ok, I have some questions to get the picture clear in my mind.
> >> > > > > >
> >> > > > > > 1. Is the browser on the client machines configured to use ISA
> >> > > > > > as a proxy server?
> >> > > > > >
> >> > > > > > 2. For the site and content rule for all users (the first rule
> >> > > > > > you mentioned), did you choose "Any request" or did you specify
> >> > > > > > a group from Active Directory containing your domain users?
> >> > > > > >
> >> > > > > > 3. Are these the only rules you have, or are there other rules?
> >> > > > > >
> >> > > > > > 4. On the ISA server, right click on the server, click
> >> > > > > > Properties, click on the Outgoing Web Requests tab; is the "Ask
> >> > > > > > unauthenticated users for identification" checkbox checked or
> >> > > > > > unchecked?
> >> > > > > >
> >> > > > > > "Asya" <asya@fu.ru> wrote in message
> >> > > > > > news:OR4ll4P3EHA.1144@TK2MSFTNGP09.phx.gbl...
> >> > > > > > Thanks for tip.
> >> > > > > > In my case I have 100 users (firewall clients) with different
> >> > > > > > access to Internet. I have to give to one of them specific access
> >> > > > > > (only to one site).
> >> > > > > > So, to perform this I have:
> >> > > > > >
> >> > > > > > for all users
> >> > > > > >
> >> > > > > > 1 - Site & Content Rules - Allow everything (for all users) -
> >> > > > > > default rule. From this rule I except my specific user (domain
> >> > > > > > verification)
> >> > > > > > 2 - Protocol Rule - Allow some protocols (for all users). From
> >> > > > > > this rule I except my specific user (domain verification).
> >> > > > > >
> >> > > > > > for this specific user
> >> > > > > >
> >> > > > > > 3 - Destination Set - rule name "google" and site www.google.com
> >> > > > > > 4 - Site & Content Rules - rule that allows "Specific
> >> > > > > > Destination" - google destination - only for my specific user
> >> > > > > > (domain verification)
> >> > > > > > 5 - Protocol Rule - rule that allows the HTTP protocol to any
> >> > > > > > request at any time - only for my specific user (domain
> >> > > > > > verification).
> >> > > > > >
> >> > > > > > But after these rules my user has access to all Internet sites.
> >> > > > > >
> >> > > > > > What's wrong?
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > "Mohammed A. Raslan" <m_raslan@link.net.removethis> wrote in
> >> > > > > > message news:OPO9mmK3EHA.3120@TK2MSFTNGP12.phx.gbl...
> >> > > > > > > Sure you can.
> >> > > > > > > 1. In the ISA 2000 console, create a "Destination Set" under
> >> > > > > > > "Policy Elements"; in the set, add the site you want.
> >> > > > > > > 2. Under Access Policy, open "Site & Content Rules" and delete
> >> > > > > > > the default rule there.
> >> > > > > > > 3. Create a new rule that allows "Specific Destination" and
> >> > > > > > > choose the Destination Set you created, and allow the rule to
> >> > > > > > > any request at any time.
> >> > > > > > > 4. Under Access Policy, create a "Protocol Rule" that allows
> >> > > > > > > the HTTP Protocol to any request at any time.
> >> > > > > > > 5. Wait about 2 min for the rules to take effect.
> >> > > > > > >
> >> > > > > > > That's it.
> >> > > > > > >
> >> > > > > > > HTH
> >> > > > > > > "Asya" <asya@fu.ru> wrote in message
> >> > > > > > > news:#M$jaKD3EHA.3376@TK2MSFTNGP12.phx.gbl...
> >> > > > > > > > Hi
> >> > > > > > > > Thanks for help
> >> > > > > > > >
> >> > > > > > > > As I understood from your tip, you have ISA 2004.
> >> > > > > > > > But I have ISA 2000 and have no possibility to perform your
> >> > > > > > > > tip.
> >> > > > > > > >
> >> > > > > > > > I think that ISA 2000 has no way to create access only to
> >> > > > > > > > one external site.
> >> > > > > > > >
> >> > > > > > > > "Cyskon" <cyskon@msn.com> wrote in message
> >> > > > > > > > news:Ozvn#W82EHA.4004@tk2msftngp13.phx.gbl...
> >> > > > > > > > > Sure, create a Domain Set in the Network Objects of the
> >> > > > > > > > > Toolbox that will deny any HTTP access, and then create
> >> > > > > > > > > another rule that has the URL of the site that you wish to
> >> > > > > > > > > allow, and then in the Task tab, create a new access rule
> >> > > > > > > > > that denies all access to the restricted domain set, except
> >> > > > > > > > > the allowed domain set.
> >> > > > > > > > >
> >> > > > > > > > > That should work. I did something like that and it seems
> >> > > > > > > > > to be working.
> >> > > > > > > > >
> >> > > > > > > > >
> >> > > > > > > > > "Asya" <asya@fu.ru> wrote in message
> >> > > > > > > > > news:uOhtah62EHA.2192@TK2MSFTNGP14.phx.gbl...
> >> > > > > > > > > > Hi !
> >> > > > > > > > > >
> >> > > > > > > > > > Can I permit access only to one external site?

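The rule-evaluation behaviour Mohammed explains in the thread (an "Any request" allow rule matching the anonymous browser before any user-scoped rule is consulted, and the 407 challenge once identification is required) as a small Python model. This is an added example, not ISA Server code or anything posted in the thread; the account names, host names and the deny-beats-allow precedence are constructed assumptions.

```python
"""Toy model of the ISA 2000 rule behaviour described in this thread (added example,
not ISA Server code: anonymous requests, "Any request" rules and the 407 challenge)."""
from dataclasses import dataclass, field
from typing import Optional, Set

ANY_REQUEST = "any request"   # rule applies to everyone, including anonymous browsers
PROXY_AUTH_REQUIRED = 407     # status ISA returns when it must know who the user is

@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    destinations: Optional[Set[str]] = None  # None means all destinations
    applies_to: str = ANY_REQUEST            # ANY_REQUEST or a group name
    members: Set[str] = field(default_factory=set)     # accounts in that group
    exceptions: Set[str] = field(default_factory=set)  # accounts excluded from the rule

def rule_applies(rule: Rule, user: Optional[str]) -> bool:
    """A user-scoped rule can only match once the requester has been identified."""
    if rule.applies_to == ANY_REQUEST:
        return True
    return user is not None and user in rule.members and user not in rule.exceptions

def evaluate(rules, host, user, ask_unauthenticated):
    """Return 'allow', 'deny' or 407 for a web proxy request from user to host."""
    if user is None and ask_unauthenticated:
        return PROXY_AUTH_REQUIRED           # refuse anonymous requests up front
    applicable = [r for r in rules if rule_applies(r, user)
                  and (r.destinations is None or host in r.destinations)]
    if any(r.action == "deny" for r in applicable):
        return "deny"                        # constructed assumption: deny beats allow
    if any(r.action == "allow" for r in applicable):
        return "allow"
    return PROXY_AUTH_REQUIRED               # nothing matched: ask who the user is

STAFF = {"alice", "bob", "test"}             # constructed sample accounts
GOOGLE = {"www.google.com"}

# The situation the thread diagnoses: a broad rule scoped to "Any request" matches
# the anonymous browser, so the deny rule aimed at the test user never gets a say.
BROKEN = [Rule("allow", None, ANY_REQUEST),
          Rule("deny", None, "Domain Users", {"test"})]

# Baseline from the final reply: scope the broad rule to the group, exclude the test
# user, grant that user only the destination set, and require identification.
BASELINE = [Rule("allow", None, "Domain Users", STAFF, exceptions={"test"}),
            Rule("allow", GOOGLE, "Domain Users", {"test"})]
```

With BROKEN and identification off, an anonymous request to any host is allowed regardless of the deny rule; with BASELINE the test user reaches only the destination set and every other request ends in 407.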