Re: ISA 2004 - Redirect HTTP Requests to different web page
- From: "Steve Foster [SBS MVP]" <steve.foster@xxxxxxxxxxxxx>
- Date: Wed, 14 Dec 2005 15:27:16 -0800
Kevin wrote:
Thank you very much for your help:
The end result I need is a few users to have unrestricted internet access
(with out having to type a password) to the internet and the rest of my users
limited access. When a user requests a restricted Url the user is redirected
to a page that instructs them to contact the System Admin if they have a
business need for the requested site.
I have accomplished restricting the sites by:
1. In Windows 2003 SBS I created a Window Security Group in Active Directory
called “Limited Internet Access” and put my test user in it.
2. I removed the test user from the Active Directory “Internet Users” Group
3. In ISA 2004 Firewall Policies > Toolbox > Network Objects > URL Sets I
created a Set called “Site Access” and entered all acceptable sites, for
example *.edu, *.gov, *.net, cisco.com, etc…
4. In ISA 2004 Firewall Policies > Tasks > Create Access Rules “Limited
Internet Access Rule”. This Rule sets the “limited Internet Access” Group to
Deny all Internet access with the Exception of the “Site Access” URL Set.
5. I put the “Limited Internet Access” Rule above the “SBS Internet Access”
Rule.
6. In the “Limited Internet Access” Rule Properties Action Tab I chose Deny
and Redirect these HTTP requests to this website.
When I log on to a workstation as a member of the Windows “Limited Internet Access”
Group, I can get to all the allowed sites. When I attempt to go to a
restricted site I get the “The Page Can Not Displayed” message with an “Error
Code: 403. The ISA Server denied the specified Uniform Resource Locater
(Url). (12202)” message at the bottom of the page.
I have created a simple webpage in Word, “test02.htm”, and saved it to
C:\inetpub\wwwroot and verified that I could open it with the client
(http://<sbs>/test02.htm). I also cut and pasted other URLs that I knew the
client can access, but it will not redirect to any URL.
Note: The SBS Internet Access Rule under Users has “SBS Internet Users” and
“All Users”. I believe it should be just the “SBS Internet Users”. This is
the default setting so I have not modified it. Could something like this be
affecting my redirect?
Thank you again for your assistance.
I don't think you've got the rules right for this scenario.
The problem is that I don't think the Deny rule is working as you expect.
I think you need 3 rules to get this right (one of which is the standard SBS Internet Access Rule). Oh, and btw, you've definitely modified the SBS Internet Access Rule, since by default it only applies to the "SBS Internet Users" group.
a) reset the SBS Internet Access Rule to only apply to SBS Internet Users.
b) create an Allow Access Rule that applies to your Restricted Internet Users group, and only allow HTTP(S) traffic to your good sites URL Set.
c) create a Deny Rule that applies to all outbound traffic to any destination for the Restricted Internet Users group and put the Redirect on that.
The order of the rules is that (b) must be above (c). (a) can be anywhere in relation to (b) and (c), assuming mutually exclusive group membership. If you want to make sure that a member of the Restricted Internet group gets clobbered regardless of whether they're in the SBS Internet Users group, put (a) below both (b) and (c).
Note also that unless you know that you'd like to allow additional protocols (e.g. FTP) for the Restricted Users, I'd keep rule (b) to only HTTP(S).
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
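As an added illustration (not part of the original thread), the following Python model walks through the three-rule policy above with first-match evaluation, the way ISA processes its ordered firewall policy. The group names, URL Set entries and hostnames are assumptions taken from the thread; it shows why (b) must sit above (c), and why moving (a) below both catches a user who is in both groups.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed model of the rules discussed in the thread.
# Each rule: (name, groups it applies to, action, URL patterns or None = any destination)
SITE_ACCESS = ["*.edu", "*.gov", "*.net", "cisco.com"]   # the "Site Access" URL Set

RULE_A = ("SBS Internet Access", {"SBS Internet Users"}, "allow", None)
RULE_B = ("Restricted Allow", {"Limited Internet Access"}, "allow", SITE_ACCESS)
RULE_C = ("Restricted Deny+Redirect", {"Limited Internet Access"}, "redirect", None)

def host_matches(host, patterns):
    """URL Set style match: '*.edu' covers any host under .edu, plain entries match exactly."""
    host = host.lower()
    return any(fnmatchcase(host, p.lower()) for p in patterns)

def evaluate(policy, user_groups, url):
    """First rule whose user set and destination both match decides the request."""
    host = urlsplit(url).hostname or ""
    for name, groups, action, patterns in policy:
        if not (groups & user_groups):
            continue                      # rule does not apply to this user
        if patterns is not None and not host_matches(host, patterns):
            continue                      # destination outside the rule's URL Set
        return action, name
    return "deny", "default rule"         # ISA's implicit final deny

def compare_orders(user_groups, url):
    """Return the decision with (b) above (c) versus (c) above (b)."""
    correct = evaluate([RULE_B, RULE_C, RULE_A], user_groups, url)
    swapped = evaluate([RULE_C, RULE_B, RULE_A], user_groups, url)
    return correct, swapped

if __name__ == "__main__":
    restricted = {"Limited Internet Access"}
    both = {"Limited Internet Access", "SBS Internet Users"}
    print(compare_orders(restricted, "http://www.mit.edu/"))      # allow vs redirect
    print(compare_orders(restricted, "http://www.example.com/"))  # redirect either way
    # (a) on top lets a dual-member user through; (a) below (b)/(c) redirects them
    print(evaluate([RULE_A, RULE_B, RULE_C], both, "http://www.example.com/"))
    print(evaluate([RULE_B, RULE_C, RULE_A], both, "http://www.example.com/"))
```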