Re: SBS ISA2004 allows all users internet access, why?
- From: Rich R <RichR@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 1 Sep 2005 04:26:01 -0700
hmm, i think i've seen what's happened, i'm not sure why it would happen
though, maybe a flaw in the upgrade procedure.
the ISA 2000 server used to be a 2 network config, it became a single
network config, and was then reinstalled using the reinstall option to run in
cache mode only.
but, when ISA2004 went on, it seems to have upgraded back into a dual
adapter config, edge firewall template to be specific.
the rule causing my problem is this:
"Allow traffic from Internal network to local host" which, as far as i can
tell, looks to do this: ALLOW all outbound FROM internal network set TO
internal network set. ALL CONTENT ALWAYS All Users.
now, the current plan is to have it as a cache/proxy only as per ISA2000
cache mode.
we are planning a transition from sbs to full suite, and i'll then use
ISA2004 as a full firewall. but this is a few months off and cannot be
brought forward.
am i right in saying that edge firewall mode is NOT suitable on my single
adapter server? and this is why it's confused. it's important to get all this
sorted out in case others have similar issues and refer to this newsgroup.
when i switch to single adapter template, it scrubs all the settings, i know
SBS needs some specific ones to function properly, perhaps these are
documented somewhere (say in case they were ever deleted)?
cheers
"Jeff Teel" wrote:
> Did you try making a new rule in ISA 2004 after the upgrade? I don't know
> how many people you don't want to have access to the Internet or how many
> are in the group that you do want to have access. I just tried making a new
> rule on my SBS (ISA 2004). I named the rule "No Internet Access" and
> followed the wizard. When I got towards the end of making the new rule I
> still had not found where I could add just the usernames that I wanted to
> not have access but I found that under Tools/Users on the right side of the
> ISA interface. After putting a few names in a new group and applying the
> changes the users that I put in that group could not access the Internet.
> ISA brought a log on screen up but those users names that were being denied
> could not browse.
>
> Jeff
>
> "Rich R" <RichR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:1A62214F-855D-45D1-948F-39D44AEC70C8@xxxxxxxxxxxxxxxx
> > no, see, that's the point. ;)
> >
> > i HAD rules in place, SBS 2000 out of the box only allows members of the
> > Internet Users to have access to the web proxy. that's the way i kept it,
> > only senior members of staff were put into the Internet Users group, to
> > stop marketing staff and part time staff browsing instead of selling.
> >
> > after the upgrade (done as per the MS instructions) it's now allowing
> > everyone access, seemingly regardless of what rules i play with.
> >
> > this is just the web proxy i'm referring to, we don't use the firewall
> > client, all other traffic from the workstations is blocked.
> >
> > does that explain my problem better? i know i rambled a bit!
> >
> > "AllenM" wrote:
> >
> >> Kind of a redundant question but if you have no rules applied to limit
> >> internet access what difference does it make whether All User or SBS
> >> Internet Users have internet access?
> >> I had some issues with internet access after my ISA 2004 upgrade. I could
> >> not get to the newsgroup via OE so I had to put All Users and remove
> >> internet users from my SBS Internet Access Rule. I do not have limited
> >> internet access applied to anyone so it didn't make a difference to me.
> >> Check your users for the SBS Internet Access Rule.
> >>
> >>
> >> "Rich R" <RichR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:0BE9D7E3-3C36-4ECA-A693-5D6F68C7AACE@xxxxxxxxxxxxxxxx
> >> > hi,
> >> >
> >> > i've upgraded our SBS 2003 premium with SP1 using the disks purchased
> >> > from microsoft.
> >> >
> >> > after removing the 40 connections limit which created carnage with our
> >> > network, why this is default on SBS i'll never know, i've found that
> >> > now all users of the network can browse the internet, as opposed to the
> >> > SBS Internet users only as it was before the upgrade.
> >> >
> >> > i consider myself very knowledgeable on these things, but for the life
> >> > of me i can identify what's causing this to happen.
> >> >
> >> > weird things i've noticed - all my custom rules got amended to TCP
> >> > 0-65534, applied to all users. not a successful conversion! anyhow,
> >> > i've tried disabling them and then removing them to no avail, still
> >> > everyone has access.
> >> >
> >> > since i didn't install this from scratch (i.e. it's an SBS upgrade) then
> >> > i'm not familiar with the "start locked down and open from there". this
> >> > interface doesn't make much sense to me at this time, and it's a live
> >> > system where (relevant) people need access to the internet pretty much
> >> > all the time.
> >> >
> >> > so, what's the method / rule / policy that would allow only "SBS
> >> > Internet Users" access to the web proxy?
> >> >
> >> > points to note: ISA server is on a single network adapter. currently an
> >> > external firewall is in place to block access out. please don't lecture
> >> > me about using ISA as a full firewall, i know, and i will change it
> >> > after i've migrated from SBS. which won't happen until everything is
> >> > stable.
> >> >
> >> > so to be clear, i'm only using it for controlled web proxy access and
> >> > caching!
> >> >
> >> > i've not found anything on the web or support or help that documents
> >> > this simple feature request.
> >> >
> >> > here's hoping someone can help here!
> >> >
> >> > cheers
> >> > Rich R
> >>
> >>
> >>
>
>
>