Re: ISA 2004 - policy applied to user but not to security group user is a member of....

Tech-Archive recommends: Fix windows errors by optimizing your registry

You are right - sorry every once in a while I am thinking about earlier
versions of isa.

"Terry Cole" <terry@xxxxxxxxxx> wrote in message
news:1168447116.916870.227770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I don't see how to do what you suggest. ISA only allows me to add a
User object that represents an AD user or security group. I can't add
the AD group directly to the rule. Please advise if I'm overlooking
something.

Note that the ISA User object works as expected when an AD user is it's
member, but not when an AD Security Group is its member. This makes me
believe the ISA User object is not at fault. Would you agree?


Kevin Longley wrote:
Try adding the group (group1) directly in the rule instead of using the
User
object in ISA called "No Internet Allowed".

"Terry Cole" <terry@xxxxxxxxxx> wrote in message
news:1168438888.979009.146210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I'm setting up a shiny new SBS R2 with ISA 2004 (SP2). I'm testing
some internet access policies and have observed an issue that I can't
resolve and need some help.

User1 is a 'standard' domain user. He is a member of security group
"group1".
I have a User object in ISA called "No Internet Allowed" that consists
of the Windows "group1" .

All of the rules in the ISA setup are the default rules created by the
SBS setup, except one.
The exception is the first rule in the list and there are 2 variances
in it which is the core of my problem. Consider this...

If the rule says "Disallow all traffic from Protected Networks (and
localhost) to External for Users 'No Internet Allowed'", the user
logged into a domain workstation (XP) can do anything he wants on the
internet.
I modify the ISA User "No Internet Allowed" by removing the "group1"
and adding "user1" in its place. Apply changes. The user on the XP
machine (can now not access the internet at all...gets the default ISA
page).

Question:
Why does the policy apply to a user but not to a group the user is a
member of?

Thanks,
Terry




.

Relevant Pages

  • RE: Restrictions on internet access
    ... which means the ISA server is used as the Proxy server in Web ... Service of ISA and benefit from the Caching function of the Web Proxy ... Enter a name for this Access rule, for example: 'deny specific internet ... In addition, to add a security group, we can use the SBS Server Management ...
    (microsoft.public.windows.server.sbs)
  • Re: ISA 2004 - policy applied to user but not to security group user is a member of....
    ... User object that represents an AD user or security group. ... Note that the ISA User object works as expected when an AD user is it's ... object in ISA called "No Internet Allowed". ...
    (microsoft.public.isa)
  • Re: Active Directory Integration
    ... > something,...like confusing local accounts with domain accounts. ... > through all those "hoops" to get ISA to do something so simple. ... > me like you didn't create the User Object properly. ... > Microsoft Internet Security & Acceleration Server: ...
    (microsoft.public.isa.configuration)
  • Re: Passthrough for ISA Proxy - passthrough
    ... Greate AD Group and added Users to it ... Added the User Object to the Rule via the Users Tab ... I haven't used an ISA as a single-nic Caching Server before, ...
    (microsoft.public.isa)
  • Re: RWW - Cant login
    ... Premium and ISA. ... In the Microsoft Internet Security and Acceleration Server 2004 ... In the center pane, find a policy named SBS Internet Access Rule, ...
    (microsoft.public.windows.server.sbs)