Re: ISAPI - Knowing if rule accepted or deny the request on POLICY_CHECK_COMPLETED




"Evgeny" <anonymous@xxxxxxxxxxxxx> wrote in message
news:e8tXlcnbIHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
I'm willing to be wrong,...but what you describe doesn't fit with what I
know about the rule behavior. An allow can only allow and not anything
else, and a deny rule can only deny and nothing else.

I'm afraid you are wrong. There is a good article about this. Here, just
found: http://www.isaserver.org/articles/ISA2004_AccessRules.html
Quote:
"When you configure access rules that apply to users and the user can not
authenticate themselves for any reason, then the request will be denied by
the rule requiring authentication, even if it is an allow rule."

That is not always the case, there is a little more to it than that. Read
further down in the article. This only applies if the User in question was
included in the rule,...but failed to authenticate for some reason or if it
is a SecureNAT Client. If the user was not included in the rule (hence, not
a match to the rule) then the attempt is ignored by the rule and the next
rule in the list takes over.

Rule #1 Allow (user Jeff)
Rule #2 Allow (allow all auth users)
Default Rule Deny

Jeff is allowed by Rule #1 unless he fails to authenticate
User Joe is ignored by Rule #1 and is allowed by Rule #2 unless he fails to
authenticate

If the users fail to authenticate they are denied immediately

So the conclusion:
Yes an "allow" rule can possibly "deny", but only under the correct
conditions. Other times it will ignore the attempt which lets it pass to the
next rule.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
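
The rule processing described in the reply above, modelled in Python as an added example (not code from the thread or from ISA Server). It returns both the verdict and the rule that decided it, so the case where an "allow" rule produces a deny is visible. The names `Rule`, `Request`, `evaluate` and `denied_by_allow_rule` are hypothetical, and the model assumes every listed rule is user-based, as in the Rule #1 / Rule #2 list.

```python
from dataclasses import dataclass
from typing import Optional

ALL_AUTHENTICATED = "*all-authenticated*"  # hypothetical marker for "all auth users"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    users: frozenset   # user names, or {ALL_AUTHENTICATED}

@dataclass(frozen=True)
class Request:
    user: Optional[str]      # identity the client presents; None if it sends none
    authenticated: bool      # did authentication succeed?
    securenat: bool = False  # SecureNAT clients cannot authenticate

def evaluate(rules, req):
    """Return (verdict, rule_name) for the first rule that decides the request."""
    for rule in rules:
        if req.securenat:
            # Assumption: every rule here is user-based, so a client that
            # cannot authenticate is denied by the first one it reaches.
            return ("deny", rule.name)
        included = ALL_AUTHENTICATED in rule.users or req.user in rule.users
        if not included:
            continue                      # not a match: next rule takes over
        if not req.authenticated:
            return ("deny", rule.name)    # denied even if the rule says "allow"
        return (rule.action, rule.name)
    return ("deny", "Default Rule")

def denied_by_allow_rule(rules, req):
    """True when the deciding rule's action is "allow" but the verdict is deny."""
    verdict, name = evaluate(rules, req)
    actions = {r.name: r.action for r in rules}
    return verdict == "deny" and actions.get(name) == "allow"

# Constructed rule list mirroring the one in the post.
RULES = [
    Rule("Rule #1", "allow", frozenset({"Jeff"})),
    Rule("Rule #2", "allow", frozenset({ALL_AUTHENTICATED})),
]

if __name__ == "__main__":
    for req in (Request("Jeff", True), Request("Jeff", False),
                Request("Joe", True), Request("Joe", False)):
        print(req, "->", evaluate(RULES, req))
```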

