Re: Suggested ISA rules
- From: "Rayhaan" <Rayhaan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Dec 2005 08:17:03 -0800
I got it!!!!
My error: I created the deny rule for the Restricted Users group from
internal to "advert", but I didn't create the allow rule for the Restricted
Users group from internal to external which has to be under the deny rule.
Thank you all for the help
Regards
Rayhaan.
"Steve Foster [SBS MVP]" wrote:
> Rayhaan wrote:
>
> >Hi Steve
> >
> >I understood and tried exactly as you described but the outcome wasn't
> >expected. I couldn't browse at all in the end. Even though my Domain Name
> >Set only contained hotmail.com, I was unable to browse any website. I
> >tried the restriction on both All Users and Restricted Internet group. I
> >even tried ordering the rule differently, once above SBS Internet Access
> >rule and the other below.
> >
> >Could you please advise what I might be doing wrong?
> >
>
> Rule processing is in order. So Deny rules generally need to come before
> Allow rules. Rules are also evaluated by specificity - so tightly-defined
> rules should also come before more general rules (eg a Rule that is to
> only apply to a select group ought to have a higher priority than a rule
> that affects All Users). Once ISA has applied a rule to a request, no
> other rule will be applied to that request.
>
> So, in the example of wishing to block selected sites for selected users
> who are also members of the SBS Internet Users group, that rule needs to
> be higher priority than the "SBS Internet Access" rule or it will never be
> applied.
>
> Here's the Advert blocking rule I use again, only this time more clearly
> defined:
>
> New Access Rule wizard:
>
> Name: "Advert Blocking", NEXT
> Action: Deny, NEXT
> Applies To: All outbound traffic, NEXT
> From source: [Add] [Network] Internal, NEXT
> To Destination: [Add] [Domain Name Sets] Advertisers (if pre-created, or
> use the ability to create a new D.N. set there and then), NEXT
> Applies To: All Users, NEXT
> FINISH
>
> Then you can (optionally) open the new rule Properties, and modify the
> following:
>
> * on the Action tab, tick the Redirect HTTP Requests and enter a local URL
> for a page you've created to explain AUP and that access has been blocked.
>
> My Domain Name Set "Advertisers" contains entries that look like this:
>
> *.doubleclick.net
> *.247realmedia.com
>
> If you were just trying to block hotmail, I'd make the following changes:
>
> a) call it Hotmail Blocking
> b) call my Domain Name Set Hotmail, and
> c) put *.hotmail.com as the domain name list
>
> --
> Steve Foster [SBS MVP]
> ---------------------------------------
> MVPs do not work for Microsoft. Please reply only to the newsgroups.
>
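Added example, not part of the original posts: a simplified Python model of the ordered, first-match rule processing discussed in this thread, showing why a deny rule with no allow rule under it blocks all browsing and why a deny rule placed below a matching allow rule is never applied. The user names, group memberships, the "Restricted Web Access" rule name, the bottom catch-all deny and the wildcard matching are assumptions of the model, not ISA configuration or behaviour taken from the posts.

```python
from fnmatch import fnmatchcase

# Constructed sample data; memberships and user names are assumptions.
DOMAIN_SETS = {"Hotmail": ["*.hotmail.com"]}
GROUPS = {"Restricted Users": {"rayhaan"}, "SBS Internet Users": {"dave"}}

def rule(name, action, users, dest):
    return {"name": name, "action": action, "users": users, "dest": dest}

def matches(r, user, host):
    """A rule matches when both its user set and its destination match."""
    user_ok = r["users"] == "All Users" or user in GROUPS.get(r["users"], set())
    dest_ok = r["dest"] == "External" or any(
        fnmatchcase(host.lower(), pat) for pat in DOMAIN_SETS.get(r["dest"], []))
    return user_ok and dest_ok

def evaluate(rules, user, host):
    """Return (action, rule name) for the first matching rule, top to bottom.
    Once a rule has matched, no later rule is consulted."""
    for r in rules:
        if matches(r, user, host):
            return r["action"], r["name"]
    return "Deny", "Default rule"  # modelled catch-all deny at the bottom

DENY_HOTMAIL = rule("Hotmail Blocking", "Deny", "Restricted Users", "Hotmail")
# Hypothetical name for the allow rule that was missing in the first attempt.
ALLOW_RESTRICTED = rule("Restricted Web Access", "Allow", "Restricted Users", "External")
SBS_ACCESS = rule("SBS Internet Access", "Allow", "SBS Internet Users", "External")

POLICIES = {
    "deny rule only": [DENY_HOTMAIL, SBS_ACCESS],
    "deny above allow": [DENY_HOTMAIL, ALLOW_RESTRICTED, SBS_ACCESS],
    "deny below allow": [ALLOW_RESTRICTED, DENY_HOTMAIL, SBS_ACCESS],
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        for host in ("www.hotmail.com", "www.example.com"):
            action, hit = evaluate(policy, "rayhaan", host)
            print(f"{label:17} {host:16} -> {action:5} ({hit})")
```
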