Deny List working too well!!!

  • From: Steve Lunn <Steve.Lunn@xxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 18 Feb 2005 15:55:40 -0000

Hey Folks,
I was wondering if someone could help me?

We used to have ISA Server 2000 in a separate win2k domain in front of our
NT4 domain and all worked well. There was a one way trust between them, so
that an NT4 internet users user group was allowed access. While the group
was allowed all HTTP access, there was a specific deny rule that blocked
things like hotmail, e-bay and the more prolific ad-vendors.

This worked fine and without a hitch. Back end of last year, we upgraded our
NT4 domain to a win2k3 domain. All the trusts and everything were migrated
and still everything worked fine.

We decided to do away with the separate domain and rebuild the ISA server
into our 2k3 domain. I installed Win2k3 on the box, did all the appropriate
patching and installed and patched ISA server. This all seemed to go fine.

When the users started using the server, some complained that they were
being prompted for authentication. Being a frequent reader of the
ISAServer.org forums and an ISA Server MCP, I set about trying to find the
problem.

After a seriously long time, I tracked the problem down, but I can't find a
cure.

When the user hits a site that has a blocked item in it (usually an advert),
the server prompts for authentication. If the user presses cancel three or
four times, the prompt goes away and the page displays as normal.

Force authentication is off, and support never get prompted, which I think is
because we have FW Client on, but I don't want to roll out FW client to the
organization unless I really have to.

There are Content and Protocol rules that allow Internet Users out, and a
Content rule that blocks specific URLs. This is identical to our old
config, yet I can't get it to stop prompting for authentication when it hits
a blocked site.

Have I missed something blatantly obvious?

When I contacted our third line support provider after a few days of try
this and try that, they asked us to tick the box saying "If HTTP request,
Redirect to this URL", which seems to have stopped it requesting the users
for a logon, but it displays the redirected "Access Denied" page in the
place of the blocked image.

This seems to really confuse the users as they get a legitimate web page
with half a dozen blocked pictures replaced by Access Denied messages.

Please put me out of my misery and help me fix this annoying 'feature'.

Regards,
 
Steve
 
Steve Lunn - PC & Network Support
Microsoft MCP
DDI: 01423 855101
Fax: 01423 855181



