RE: ISA 2003 access policy
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Fri, 18 Nov 2005 07:15:15 GMT
Hi AKG,
Thank you for posting in SBS newsgroup.
From the description, I understand that you want to restrict users to
access particular websites and you have created a destination set and a
"Deny" site and content rule, however, only a few of these sites have been
denied. If I have misunderstood your concerns, please do not hesitate to
let me know.
To narrow down the problem, would you please help me confirm the following
information?
I. Double confirm if you have followed the steps to create the rule:
1. Open ISA Management console, navigate to "Access Policy"\"Site and
Content Rules". Right-click it and choose "New"->"Rule".
2. Input a name for the new rule->Select "Deny"->Select "Deny access
based on destination"->Select "Specified destinations set", select the
set which includes the not allowed web sites you have created->Click
"Finish" button.
3. In the console, you will see the newly created rule. Double-click the
rule, click "Applies To" tab. In the tab, select "Users and groups
specified below". Click "Add" button and add the SBS Internet Users or
particular security group into the list.
4. Navigate to Monitoring\Services. Restart the Web proxy service.
II. If you have done so, please try to check if the web proxy is used on
client computer:
1. Open IE and then select Tools and Internet Options.
2. On Connections tab, click LAN Settings.
3. Check Use a proxy server for your LAN and type your SBS server.
4. Try to see if the problem still occurs.
If the issue occurs again, please try to temporarily disable all other Site
and Content Rules as follows to see how things go:
1. Double-click every rule, in General tab, and uncheck Enable.
2. Click OK.
3. Restart ISA service.
4. Try again.
More information:
In ISA, the server controls the requests as the following:
First, ISA Server checks the protocol rules. ISA Server allows the request
only if a protocol rule specifically allows the request and if no protocol
rule specifically denies it.
Next, ISA Server checks the site and content rules. ISA Server allows the
request only if a site and content rule specifically allows the request and
if no site and content rule specifically denies it.
If the problem still occurs, please help me collect the following
information:
1. Gather the ISA Info:
1) Download the file from the following URL:
http://isatools.org/ISAInfo.vbe
2) Copy the file ISAInfo.vbe into ISA server, and then double click it.
This will generate a file <computer-name>_ISAInfo.txt in C:\Program
Files\Microsoft ISA Server.
3) Please paste the content of the file to the newsgroup.
2. ISA Logs:
1) Open ISA Management, and then point to Monitoring Configuration | Logs
2) Double click ISA Server Firewall Service in the right pane, click to
select Enable Logging for this service, click Fields tab, click Select All,
and then click OK.
3) Please repeat Step 2) to enable logging IP Packet Filter and Web Proxy
Services.
4) Run command "net stop isactrl" (without the quotation marks) to stop all
ISA Services.
5) Backup all files in the folder C:\Program Files\Microsoft ISA
Server\ISALogs, and then delete them.
6) In ISA Management | <server name> | Monitoring | Services, start all ISA
services.
7) Reproduce the issue.
8) Wait for about 3 minutes, and then paste the content of that day's
firewall, web proxy and IP Packet filter log below in C:\Program
Files\Microsoft ISA Server\ISALogs:
Firewall log: FWSEXTDyyyymmdd.log
Web Proxy log: WEBEXTDyyyymmdd.log
IP Packet Filter log: IPPEXTDyyyymmdd.log
9) Please also let me know the IP address of the testing client so that I
can filter the data.
I hope the above information helps. If you have any questions, please feel
free to let me know.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: ISA 2003 access policy
| From: AKG <AKG@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: ISA 2003 access policy
| Date: Wed, 16 Nov 2005 22:56:05 -0800
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hello everyone!
|
| I have created a "Deny" Rule under Site and Content Rules for denying
| access to certain websites. Similarly a destination set has been created
| under "Policy elements" and names of websites have been entered there for
| denying access to those sites.
|
| But only a few of these sites are denied access to clients and some of
| these are accessible to clients.
|
| Can anyone explain and suggest a remedy?
|
| Thanks in advance
|
| AKG
|
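
The client-IP filtering requested in step 9 of the reply, applied to a Web Proxy log, as an added example that is not part of either post: it reads a W3C extended log by its `#Fields:` line and reports which destination-set hosts the test client was still served, and which never appear in the log at all. The log lines, host names, IP addresses and the column names `c-ip`, `r-host` and `sc-status` are constructed assumptions; a real log's own `#Fields:` header decides the names.

```python
from collections import defaultdict

# Constructed sample, not from a real server: tab-separated W3C extended
# log. Column names are assumptions; a real file's "#Fields:" line decides.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tdate\ttime\tr-host\tsc-status",
    "192.0.2.10\t2005-11-18\t07:01:02\tblocked-a.example\t403",
    "192.0.2.10\t2005-11-18\t07:01:09\tblocked-b.example\t200",
    "192.0.2.10\t2005-11-18\t07:01:15\tallowed.example\t200",
    "192.0.2.20\t2005-11-18\t07:01:20\tblocked-a.example\t200",
    "192.0.2.10\t2005-11-18\t07:02:31\tBLOCKED-B.example\t304",
    "192.0.2.10\t2005-11-18\t07:02:40\tblocked-a.example\t-",
])
DENY_SET = {"blocked-a.example", "blocked-b.example", "blocked-c.example"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("log record found before a #Fields directive")
        else:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore truncated rows
                yield dict(zip(fields, values))

def triage(text, client_ip, deny_set):
    """Return (served, unseen) for one test client.

    served: deny-set hosts with at least one status below 400, i.e. the
            proxy answered instead of refusing, mapped to those statuses.
    unseen: deny-set hosts with no record at all for this client, which
            suggests the request never went through the Web proxy.
    """
    statuses = defaultdict(set)
    for rec in parse_w3c(text):
        host = rec["r-host"].lower()
        if rec["c-ip"] == client_ip and host in deny_set:
            codes = statuses[host]  # records that the host was seen
            if rec["sc-status"].isdigit():
                codes.add(int(rec["sc-status"]))
    served = {h: sorted(c for c in s if c < 400)
              for h, s in statuses.items() if any(c < 400 for c in s)}
    return served, sorted(set(deny_set) - set(statuses))
```

The "unseen" list is only meaningful if every site in the destination set was actually visited from the test client while reproducing the issue.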