[isalist] Re: Access Rule Issue...

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 2 Feb 2009 08:21:43 -0800

Not true; nor is it that simple.
In general, you want your rules configured as:

Anonymous
  Deny
  Allow
Authenticated
  Deny
  Allow

JimmyJoeBob Alooba
Office 2007 on Win7 Beta


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 7:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Have you checked if the rules are in the right order? Allow rules should come 
before deny rules.

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

http://www.ISAserver.org
-------------------------------------------------------

Ok, here is what I did.

I created a URL set of the sites that I need to allow.

I created Rule 1 as follows:

ACTION: Allow (and log)
PROTOCOLS: HTTP/HTTPS
FROM: Internal
TO: (my URL Set)
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

I created Rule 2 as follows:

ACTION: Deny (redirect to custom page and log)
PROTOCOLS: All Outbound
FROM: Internal
TO: External
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

SSL sites are still not allowed, so what do I need to change to allow
this user to access the necessary SSL sites?

-Tom


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, January 30, 2009 8:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Access Rule Issue...
>
> A1 - you must not use name-based destination in a rule that includes "all
> protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
>
> You can create two rules:
> 1. allow HTTP/HTTPS from to specific destinations
> 2. deny all
>
> JimmyJoeBob Alooba
> Office 2007 on Win7 Beta
>
>
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, January 30, 2009 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Access Rule Issue...
>
> I am using ISA 2006 SP-1 on a W2K3 SP1 server.
>
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
>
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
>
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
>
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
>
> Why is this? I have allowed that specific URL in my URL Set.
>
> TIA,
>
> -Tom Rogers
>
>


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
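
The point made in A2, applied to the two-rule layout posted above, as a simplified first-match model in Python (an added example, not part of the thread and not ISA Server code). The `host_set` destination, the `restricted-user` name and the matching logic are assumptions for illustration: a tunnelled HTTPS request exposes only the host name to the proxy, so URL-set entries never match it and the request falls through to the deny rule.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Request:
    user: str
    protocol: str            # "HTTP" or "HTTPS"
    host: str
    path: Optional[str]      # None for HTTPS: the proxy sees only CONNECT host:443

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    protocols: Optional[set] # None means all outbound protocols
    user: str
    url_set: tuple = ()      # URL patterns, may carry a path
    host_set: tuple = ()     # host-name patterns (hypothetical name-based set)

    def matches(self, req: Request) -> bool:
        if req.user != self.user or (self.protocols and req.protocol not in self.protocols):
            return False
        if not (self.url_set or self.host_set):
            return True      # no destination restriction
        # A full URL exists only for plain proxied HTTP; an HTTPS tunnel has none.
        url = f"http://{req.host}{req.path}".lower() if req.protocol == "HTTP" else None
        if url and any(fnmatchcase(url, p.lower()) for p in self.url_set):
            return True
        return any(fnmatchcase(req.host.lower(), p.lower()) for p in self.host_set)

def evaluate(rules, req):
    """First matching rule wins, top to bottom; nothing matched means deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "default"

# Constructed data: USER stands in for the poster's "(my specific user)".
USER = "restricted-user"
URLS = ("http://www.excellusbcbs.com/*", "https://www.excellusbcbs.com/wps/portal/xl")
DENY_ALL = Rule("Rule 2", "deny", None, USER)
AS_POSTED = [Rule("Rule 1", "allow", {"HTTP", "HTTPS"}, USER, url_set=URLS), DENY_ALL]
HOST_BASED = [Rule("Rule 1", "allow", {"HTTP", "HTTPS"}, USER,
                   host_set=("www.excellusbcbs.com",)), DENY_ALL]
HTTP_REQ = Request(USER, "HTTP", "www.excellusbcbs.com", "/")
HTTPS_REQ = Request(USER, "HTTPS", "www.excellusbcbs.com", None)
OTHER_REQ = Request(USER, "HTTP", "cnn.com", "/")
```

`evaluate(AS_POSTED, HTTPS_REQ)` returns the deny from Rule 2, while the same request against `HOST_BASED` is allowed by Rule 1.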
