Re: ISA Server Proxy Issue with blocking websites


Thanks for the reply, here are the rules and the details of the rules:

Rule #1
Full Internet access (AD Controlled) - Allows HTTP and HTTPS traffic from
internal to external for Full_Access AD group

Rule #2
Limited Internet Access (AD Controlled) - Allows HTTP and HTTPS traffic from
internal to a URL SET (that has 325 or so defined sites) for Limited_Access
AD Group

Rule #3
No Internet Access (AD Controlled) - Denies all outbound traffic from
internal to external for No_Access AD Group

Rule #4
FTP Access (AD Controlled) - Allow FTP traffic from internal to external for
Ftp_Access AD Group

Rule #5
Default Rule - Deny all traffic from all networks and local host to all
networks and local host.

This is the complete rule set. I know there is no need for the No Internet
access rule but management insisted that they see that rule, plus it doesn't
hurt anything.

Thank you for any help,

Chad Austin


"Phillip Windell" wrote:

We need to see what Access Rules you created and the exact "specs" of those
Rules,...and need to know the order they appear in the Rule list. The first
link in my signature may also be useful.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------



"Chad Austin" <ChadAustin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:76713094-96A1-4060-8CE7-B563E855BD19@xxxxxxxxxxxxxxxx
I have an ISA Server 2006 server that is currently set up as a web proxy and a
publishing server.

Current setup: there are three groups defined in AD, they are full, limited,
no access respectively.

All users are running Windows XP SP2 with IE6 (which is our image base) and
these users function fine, they get the respective access to the internet
that is provided to their group.

The full access group is completely functional. The No access group is
completely functional but this group is still seeing this issue (but with no
access they still get denied).

If a limited access or no access user logs in and tries to access a website
that they do not have access to by typing the following:
http://www.notapprovedsite.com they will receive the proxy error stating
that the ISA Server denied access to this URL.

If the limited access or no access user types the following:
www.notapprovedsite.com they will not receive the ISA Server denied access
page but they will receive the MSN Search page (the default search engine)
and this is NOT an approved site. The request is redirected to port 80 and
approved through my ISA Server. If you change the default search page to
anything else the request gets denied but not on the original URL but the
search page URL.

This problem is completely reproducible. I have the screen shot to show the
redirection if anyone would like to see what I am talking about.

I am looking for a solution to keep my users from getting this unapproved
Microsoft Search site.

Any suggestions or comments are appreciated.

Thank you for your time,

Chad Austin


