RE: Restrict group to two web sites.


Jenny, I have applied and tested your solution and during my abbreviated
sessions on several workstations have found it is a success. It works as
anticipated. My initial problem with companyweb, when using my prior
misconceived Access Rule, may have been due to me using a workstation with IE
7.0 Beta 2 installed for testing; 95% of my workstations are still using IE
6.0 until a later date.

I have one question. On your Item III.1 (Web Proxy Authentication), I have
the "Require all users to authenticate" option unchecked. Is there any reason
why I should leave this option in the disabled condition? I wish all users to
use the proxy server; I am currently making sure all users have the ISA2004
firewall client installed.

Currently, on my "Deny Malicious Users" group, I have a Group Policy to
prevent this group from seeing or modifying the "Connections" tab in IE, and
have hidden the firewall client from view to prevent 'tinkering' by these
users. If I can turn on the "Require all users to authenticate" option as
described above, it appears I won't have to worry about users turning off
the firewall client; if the users disable the firewall client, they will not
receive any Internet access at all, and I will be notified, I am sure! Is
that assumption correct?

Again, thanks for your accurate answer and support. You have saved me much
frustration and experimentation! I look forward to a comment on my question
above.
--
Best Regards,

Mark


"Jenny wu [MSFT]" wrote:

Hi Mark,

Thanks for using the SBS newsgroup.

From your description, I understand the issue to be: you want to create a
rule to restrict a group of users who can not access two web sites. If I am
off base, please don't hesitate to let me know.

Let us follow the steps below to troubleshoot the issue:

I. Based on my research, the rule you created cannot affect
companyweb site access. After you disable the rule, can all users access
the companyweb site properly? If not, please let me know which users can
not access the companyweb. Also please let me know which URL you used to
access the companyweb site. Please respectively use http://companyweb,
http://servername, https://FQDN:444 to test and let me know the result.

II. The function of the rule you created is to allow the group of users
to access the specific web sites. And we already have a rule to allow users
to access all Internet web sites. So the rule does not work. Please delete
the rule, and refer to the following steps to create a rule to meet your
needs:

Please open the ISA management console, navigate to Firewall Policy, right
click "Firewall Policy" and click New->Access Rule, then follow the wizard
to create a new access rule as follows:

Rule name: Deny Malicious Users (you can change as your needs)
Rule Action: Deny
Protocols: HTTP/HTTPS
Sources: Internal
Destination: External (Exception: the URL Set that you want the users to access)
User Sets: The Users that you want to restrict access

The exception cannot be set with the wizard. After finishing the wizard,
double-click the new rule to open its Properties page. Under the To tab, in
the Exception region, please click the Add button to open the Add Network
Entities page. Please click the New menu to choose the "URL set" item, then
input the URL you want to let the users access.

Then move this rule to the top and click Apply to save all the settings.

Also please navigate to node Configuration->Networks. Under "Networks
panel", double click "Internal". Switch to "Web Proxy" panel, click
"Authentication…" and then uncheck the "Require all users to authenticate"
option. Then click the Apply button to save the changes.

III. Please ensure that all client users use the web proxy to access the
Internet. You can refer to the following steps to check:

1. Logon to client workstations, open IE, click Tools -> Internet Options
-> Connections -> LAN settings
2. Please ensure the option "Use a proxy server for your LAN…" is
checked. And input correct ISA server information here.
3. Then click OK to finish the change.

Then please test the issue again, what is the result?

If the issue persists, please reproduce the issue and collect the ISA
server firewall log for analysis.

1. If the companyweb can not be accessed, please reproduce the issue and
help me collect a firewall log.

2. If the new rule does not work, please try to log on to a client
workstation with the user and try to access other web sites to reproduce
the issue, and then collect another log file for me to analyze.

Enable the full Web Proxy/firewall logging option:
a. Open ISA 2004 management console.
b. Expand the server node and highlight 'Monitoring'.
c. In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
d. In the 'Task Pane', click 'Configure Web Proxy Logging' under
'Logging Tasks', and then switch the 'log storage format' from 'MSDE
database' (default) to 'File'.
e. Switch to the 'Fields' tab, and then click 'Select All'.
f. Click OK, and then click 'Apply' to save changes and update the
configuration.
g. Click 'Configure Firewall Logging'. Do steps d~f to enable the full
logging options for firewall logging.

Prepare to take the trace:
a. Temporarily stop the Firewall service to clear the current existing W3C
logs: Monitoring->Services tab, and then right click 'Microsoft Firewall'
to choose 'Stop'.
b. Go to the log saving directory and clean any existing .W3C logs. By
default, the logs will be saved to 'C:\Program Files\Microsoft ISA
Server\ISALogs'. (Some MDF files may not be able to be deleted, that's normal.)
c. Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

Reproduce the problem:
a. Go to the external client computer. Try to access one web site you want
to access.
b. Go back to the ISA server. Stop the 'Microsoft Firewall' service. Open
Windows Explorer, navigate to the ISA log file folder. Collect the recent
w3c files. Save them to a zip package as 'isalogs.zip'. Start the
'Microsoft Firewall' Service.
c. Send the zip packages to me at v-yanniw@xxxxxxxxxxxxx

Hope above information helps! I am happy to be of assistance to you and
look forward to your reply.

Have a nice weekend!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Thread-Topic: Restrict group to two web sites.
From: =?Utf-8?B?TWFyaw==?= <fastzrex@xxxxxxxxxxxxxxxx>
Subject: Restrict group to two web sites.
Date: Thu, 6 Apr 2006 14:25:03 -0700
Newsgroups: microsoft.public.windows.server.sbs

Hello! I have SBS2003 SP1 Premium with ISA2004 installed and working well.

I have a group of users who are abusing their Internet privileges
(downloading all kinds of software from who knows where!). I would like to
restrict this group to just two web sites, which they need to do their
work.

I implemented the following rule in ISA by using this procedure:

1. Create a New Access Rule from the Tasks list and gave it a name
'Allowed Sites' then clicked Next.
2. Selected 'Allow', then Next.
3. Select 'All Outbound Traffic', then Next.
4. Clicked Add and from 'Networks' item select 'Internal' and click Add,
Close and Next.
5. Clicked Add and click New -> URL Sets
6. Give the URL Set a name like 'Work Sites', then clicked 'New' and
entered a website like "http://*.microsoft.com" to allow access to.
7. Selected the item just created in URL Sets and clicked Add, Close then
Next
8. Selected the user set to apply the rule to. Removed All Users.

I placed this rule at the top of the list and found that the 'normal'
users were not able to access companyweb, so I disabled this new rule I just
created. I was not able to see if this rule worked for restricting the
particular users to just the web sites they needed for work.

Any help would be appreciated!
--
Best Regards,

Mark
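
The difference between the 'Allowed Sites' allow rule in the original post and the 'Deny Malicious Users' deny rule with a URL set exception, shown as an added example that is not part of the thread and not ISA Server code. It is a simplified model of an ordered, first-match rule list; the account names, the host `downloads.example.net` and the matching by host pattern are assumptions, and protocols and networks are left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Rule:
    name: str
    action: str              # "Allow" or "Deny"
    users: frozenset         # user names; an empty set stands for All Users
    to: tuple = ("*",)       # destination host patterns the rule covers
    exceptions: tuple = ()   # destinations carved out of the rule

    def matches(self, user, host):
        if self.users and user not in self.users:
            return False
        if any(fnmatch(host, p) for p in self.exceptions):
            return False
        return any(fnmatch(host, p) for p in self.to)


def evaluate(policy, user, host):
    """Ordered, first-match evaluation; a request no rule matches is denied."""
    for rule in policy:
        if rule.matches(user, host):
            return rule.action, rule.name
    return "Deny", "Default rule"


RESTRICTED = frozenset({"restricted1"})   # constructed account name
WORK_SITES = ("*.microsoft.com",)         # URL set pattern quoted in the thread
ALLOW_ALL = Rule("Existing allow-all Internet rule", "Allow", frozenset())

# Original attempt: an Allow rule for the work sites placed above the allow-all rule.
allow_policy = [Rule("Allowed Sites", "Allow", RESTRICTED, to=WORK_SITES), ALLOW_ALL]
# Suggested fix: a Deny rule on top, with the work sites as its exception.
deny_policy = [Rule("Deny Malicious Users", "Deny", RESTRICTED,
                    exceptions=WORK_SITES), ALLOW_ALL]


def report(policy):
    """Return the action for three constructed (user, host) requests."""
    cases = [("restricted1", "www.microsoft.com"),
             ("restricted1", "downloads.example.net"),
             ("normaluser", "downloads.example.net")]
    return {case: evaluate(policy, *case)[0] for case in cases}


if __name__ == "__main__":
    for label, policy in (("allow rule", allow_policy), ("deny rule", deny_policy)):
        for (user, host), action in report(policy).items():
            print(f"{label:10} {user:12} {host:24} {action}")
```

With the allow rule, a restricted user's request to any other site simply falls through to the allow-all rule, so nothing is restricted; with the deny rule on top, only the excepted URL set falls through.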


