Re: ISAPI - Knowing if rule accepted or deny the request on POLICY_CHECK_COMPLETED



"Evgeny" <anonymous@xxxxxxxxxxxxx> wrote in message
news:uWhTgEnbIHA.5900@xxxxxxxxxxxxxxxxxxxxxxx

>> An Allow based Rule cannot "deny",...it can either allow or ignore.
>
> Actually this is not right. Allowing rule can deny connections. For
> example if connection conforms to allowing rule in all except user
> identity (rule allows access to authenticated users, but connection is
> anonymous), then connection will be denied. Other rules are not even
> checked in this case.

Can you demonstrate that? In such a case the connection would be passed down
the list until it hit the Default Rule where it would then be denied. Watch
your Monitoring log to see what rule actually is associated with the
resulting "deny".

If you put a second identical rule under that one and include the "missing"
user, then it would catch the traffic after the first rule ignored it and
the user would be allowed.

I'm willing to be wrong,...but what you describe doesn't fit with what I
know about the rule behavior. An allow can only allow and not anything else,
and a deny rule can only deny and nothing else.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------




