Re: ISA 2004 - policy applied to user but not to security group user is a member of....




I don't see how to do what you suggest. ISA only allows me to add a
User object that represents an AD user or security group. I can't add
the AD group directly to the rule. Please advise if I'm overlooking
something.

Note that the ISA User object works as expected when an AD user is its
member, but not when an AD Security Group is its member. This makes me
believe the ISA User object is not at fault. Would you agree?


Kevin Longley wrote:
Try adding the group (group1) directly in the rule instead of using the User
object in ISA called "No Internet Allowed".

"Terry Cole" <terry@xxxxxxxxxx> wrote in message
news:1168438888.979009.146210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I'm setting up a shiny new SBS R2 with ISA 2004 (SP2). I'm testing
some internet access policies and have observed an issue that I can't
resolve and need some help.

User1 is a 'standard' domain user. He is a member of security group
"group1".
I have a User object in ISA called "No Internet Allowed" that consists
of the Windows "group1".

All of the rules in the ISA setup are the default rules created by the
SBS setup, except one.
The exception is the first rule in the list and there are 2 variances
in it which is the core of my problem. Consider this...

If the rule says "Disallow all traffic from Protected Networks (and
localhost) to External for Users 'No Internet Allowed'", the user
logged into a domain workstation (XP) can do anything he wants on the
internet.
I modify the ISA User "No Internet Allowed" by removing the "group1"
and adding "user1" in its place. Apply changes. The user on the XP
machine can now not access the internet at all (gets the default ISA
page).

Question:
Why does the policy apply to a user but not to a group the user is a
member of?

Thanks,
Terry

