RE: Deny List working too well!!!

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 18 Feb 2005 18:05:08 -0800

Here y'go:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297324 

-----Original Message-----
From: Steve Lunn [mailto:Steve.Lunn@xxxxxxxxxxxxxxxx] 
Sent: Friday, February 18, 2005 7:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Deny List working too well!!!

Hey Folks,
I was wondering if someone could help me?

We used to have ISA Server 2000 in a separate win2k domain in front of
our NT4 domain and all worked well. There was a one way trust between
them, so that an NT4 internet users user group was allowed access. While
the group was allowed all HTTP access, there was a specific deny rule
that blocked things like hotmail, e-bay and the more prolific
ad-vendors.

This worked fine and without a hitch. Back end of last year, we upgraded
our NT4 domain to a win2k3 domain. All the trusts and everything were
migrated and still everything worked fine.

We decided to do away with the separate domain and rebuild the ISA
server into our 2k3 domain. I installed Win2k3 on the box, did all the
appropriate patching and installed and patched ISA server. This all
seemed to go fine.

When the users started using the server, some complained that they were
being prompted for authentication. Being a frequent reader of the
ISAServer.org forums and an ISA Server MCP, I set about trying to find
the problem.

After a seriously long time, I tracked the problem down, but I can't
find a cure.

When the user hits a site that has a blocked item in it (usually an
advert), the server prompts for authentication. If the user presses
cancel three or four times, the prompt goes away and the page displays as
normal.

Force authentication is off, and support never get prompted which I
think is because we have FW Client on, but I don't want to roll out FW
client to the organization unless I really have to.

There are Content and Protocol rules that allow Internet Users out, and
a Content rule that blocks specific URLs. This is identical to our old
config, yet I can't get it to stop prompting for authentication when it
hits a blocked site.

Have I missed something blatantly obvious?

When I contacted our third line support provider after a few days of try
this and try that, they asked us to tick the box saying "If HTTP
request, Redirect to this URL", which seems to have stopped it
requesting the users for a logon, but it displays the redirected "Access
Denied" page in the place of the blocked image.

This seems to really confuse the users as they get a legitimate web page
with half a dozen blocked pictures replaced by Access Denied messages.


Please put me out of my misery and help me fix this annoying 'feature'.

Regards, 
  
Steve 
  
Steve Lunn - PC & Network Support
Microsoft MCP
DDI: 01423 855101
Fax: 01423 855181



