Strange ISA 2k issue



We have an ISA 2000 server that's running in Web Proxy mode only. We have the
following requirements:

1) Group 1 should only be able to access a specific list of web sites.
2) Group 2 should be able to access most of the internet, save for a
specified destination set.
3) Group 3 should have unrestricted access to the internet.
4) Group 4 should be the only ones able to access a certain destination set.
5) One particular destination set should be denied to everyone, regardless
of group membership.
6) No anonymous access is allowed.
7) All denied requests must be redirected to a custom web page.

I've constructed the following rules based on my knowledge of rule
processing (anonymous deny, anonymous allow, specific deny, specific allow):

All denied requests are redirected to a custom web page.
Deny all requests to specified destination set with no exceptions. (#5 above)
Deny Group 2 access to specified destination set. (#2 above)
Deny all requests to a specified destination set with the exception of
certain users. (#4 above)
Allow Group 2 access to all destinations. (#2 above)
Allow Group 3 access to all destinations. (#3 above)
Deny Group 1 access to all destinations but the selected set. (#1 above)

Everything works fine except for the last rule outlined above. If Group 1
attempts to access any site, even those that should be allowed, they receive
the following error:

HTTP 502 Proxy Error - The ISA Server denies the specified Uniform Resource
Locator (URL). (12202)
Internet Security and Acceleration Server

If I change the rule to allow Group 1 access to the specified destination
set, they can get there fine. This would satisfy our needs except for the
page redirection when they attempt to access a site not in the destination
set.

I located KB article 295089 "You Are Denied Access to a Destination Set When
You Use Site and Content Rule". I verified that we have no IP addresses
listed in the destination sets as described in the KB article. I also
verified that we're running ISA 2k SP2.

I'm sorry that this is so complicated but I'm stumped and need some help.

Thanks!
