[isalist] Re: Access Rule Issue...

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 2 Feb 2009 11:37:52 -0800

This is what's called a bad rule design.
The default rule applies to anything not allowed before it, so creating a "deny 
all" is redundant.
Better that you have only the "allow for user to URL set" and let the default 
rule do its job.

JimmyJoeBob Alooba
Office 2007 on Win7 Beta



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 11:05 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Rule 1: Deny User A - All outbound protocols
Rule 2: Allow User A - Only access to allowed URL set.

In that order, what happens to user A when accessing a site in the allowed URL 
set? The user matches Rule 1, will ISA now deny the traffic and stop processing 
further rules? Or will Rule 2 be processed and user allowed access?





Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison <Jim@xxxxxxxxxxxx>
Sent: Monday, February 02, 2009 1:22 PM
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

ISA will trigger the rule based on the destination as well.
If you use the same criteria in the allow and deny rules, you're not thinking 
it through clearly.


JimmyJoeBob Alooba
Office 2007 on Win7 Beta



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 8:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

In his case he has created a user-specific allow rule and a user-specific 
deny rule. If the user ID matches the criteria for the deny rule, will ISA go 
to the next rule?

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison <Jim@xxxxxxxxxxxx>
Sent: Monday, February 02, 2009 11:22 AM
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

Not true; nor is it that simple.
In general, you want your rules configured as:

Anonymous
  Deny
  Allow
Authenticated
  Deny
  Allow

JimmyJoeBob Alooba
Office 2007 on Win7 Beta


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 7:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Have you checked if the rules are in the right order? Allow rule should come 
before deny rules.

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

http://www.ISAserver.org
-------------------------------------------------------

Ok, here is what I did.

I created a URL set of the sites that I need to allow.

I created Rule 1 as follows:

ACTION: Allow (and log)
PROTOCOLS: HTTP/HTTPS
FROM: Internal
TO: (my URL Set)
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

I created Rule 2 as follows:

ACTION: Deny (redirect to custom page and log)
PROTOCOLS: All Outbound
FROM: Internal
TO: External
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

SSL sites are still not allowed, so what do I need to change to allow
this user to access the necessary SSL sites?

-Tom
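As an added illustration (not code from this thread, nor anything shipped with ISA Server), the following Python script models ISA's first-match rule evaluation on the two rules Tom lists above, on the reversed order Raj asks about, and on Jim's point at the top of the thread that the built-in default rule already denies whatever no earlier rule allowed. Its assumptions are simplifications, not ISA internals: a rule matches on protocol, user and destination only; a URL set never matches an HTTPS tunnel, because (as Jim's A2 quoted below explains) the proxy never sees the full URL for SSL; and a host-based domain name set is used as the alternative destination type for HTTPS. The user name `jdoe` and the request list are constructed placeholders.

```python
# Added example, not code from the isalist thread or from ISA Server: a minimal
# first-match model of access-rule evaluation. Assumptions (not ISA internals):
# rules match on protocol, user and destination only; the built-in default rule
# denies whatever no earlier rule allowed; for an HTTPS tunnel the proxy knows
# only the host name, so a URL set (whole-URL match) can never match it.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT_RULE = ("deny", "Default rule")  # ISA's last, built-in rule


@dataclass(frozen=True)
class Request:
    user: str
    url: str  # the URL the browser asked for

    @property
    def scheme(self) -> str:
        return urlsplit(self.url).scheme.lower()

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


class UrlSet:
    """Name-based destination compared against the whole URL (HTTP only)."""
    def __init__(self, *patterns: str):
        self.patterns = [p.lower() for p in patterns]

    def matches(self, req: Request) -> bool:
        if req.scheme == "https":
            return False  # only CONNECT host:port is visible; no URL to compare
        return any(fnmatchcase(req.url.lower(), p) for p in self.patterns)


class DomainNameSet:
    """Name-based destination compared on the host name alone, so it also
    matches HTTPS tunnels. '*.example.com' covers the domain and subdomains."""
    def __init__(self, *names: str):
        self.names = [n.lower() for n in names]

    def matches(self, req: Request) -> bool:
        h = req.host.lower()
        return any(h == n or (n.startswith("*.") and
                              (h == n[2:] or h.endswith(n[1:])))
                   for n in self.names)


class External:
    """The 'External' network: any destination at all."""
    def matches(self, req: Request) -> bool:
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # {"http", "https"} or {"*"} for All Outbound
    users: frozenset      # user names, or {"*"} for All Users
    to: object            # UrlSet, DomainNameSet or External

    def matches(self, req: Request) -> bool:
        proto_ok = "*" in self.protocols or req.scheme in self.protocols
        user_ok = "*" in self.users or req.user in self.users
        return proto_ok and user_ok and self.to.matches(req)


def evaluate(rules, req: Request):
    """First matching rule wins; nothing matched means the default rule."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return DEFAULT_RULE


# Constructed scenario mirroring the thread; "jdoe" stands in for Tom's user.
USER = "jdoe"
ALLOWED_URLS = UrlSet("http://www.excellusbcbs.com/*",
                      "https://www.excellusbcbs.com/wps/portal/xl")
ALLOWED_DOMAINS = DomainNameSet("www.excellusbcbs.com")
WEB = frozenset({"http", "https"})

allow_urlset = Rule("Rule 1", "allow", WEB, frozenset({USER}), ALLOWED_URLS)
allow_domain = Rule("Rule 1 (domain set)", "allow", WEB, frozenset({USER}),
                    ALLOWED_DOMAINS)
deny_all = Rule("Rule 2", "deny", frozenset({"*"}), frozenset({USER}), External())

TOMS_POLICY = [allow_urlset, deny_all]  # the rule pair in Tom's message
JIMS_POLICY = [allow_urlset]            # allow only; default rule does the rest
REVERSED = [deny_all, allow_urlset]     # Raj's ordering question
FIXED_POLICY = [allow_domain]           # host-based match survives HTTPS

SAMPLE = [Request(USER, "http://www.excellusbcbs.com/"),
          Request(USER, "https://www.excellusbcbs.com/wps/portal/xl"),
          Request(USER, "http://www.cnn.com/")]


def decisions(rules, requests=SAMPLE):
    """Action taken for each sample request under the given rule order."""
    return [evaluate(rules, r)[0] for r in requests]


if __name__ == "__main__":
    for label, policy in [("Tom", TOMS_POLICY), ("Jim", JIMS_POLICY),
                          ("Reversed", REVERSED), ("Domain set", FIXED_POLICY)]:
        for r in SAMPLE:
            print(f"{label:10} {r.url:45} -> {evaluate(policy, r)}")
```

Running it shows that Tom's pair and Jim's single allow rule give identical decisions (the explicit deny only renames the default rule's verdict), that putting the deny first blocks everything including the allowed sites, and that the HTTPS request to the allowed site is denied under either URL-set policy and allowed only once the destination is matched on host name.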


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, January 30, 2009 8:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Access Rule Issue...
>
>
> A1 - you must not use name-based destination in a rule that includes "all
> protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
>
> You can create two rules:
> 1. allow HTTP/HTTPS from to specific destinations
> 2. deny all
>
> JimmyJoeBob Alooba
> Office 2007 on Win7 Beta
>
>
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, January 30, 2009 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Access Rule Issue...
>
>
> I am using ISA 2006 SP-1 on a W2K3 SP1 server.
>
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
>
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
>
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
>
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
>
> Why is this? I have allowed that specific URL in my URL Set.
>
> TIA,
>
> -Tom Rogers
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>


