This is what's called a bad rule design. The default rule applies to anything not allowed before it, so creating a "deny all" is redundant. Better that you have only the "allow for user to URL set" and let the default rule do its job.

JimmyJoeBob Alooba
Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 11:05 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Rule 1: Deny User A - All outbound protocols
Rule 2: Allow User A - Only access to allowed URL set.

In that order, what happens to user A when accessing a site in the allowed URL set? The user matches Rule 1, will ISA now deny the traffic and stop processing further rules? Or will Rule 2 be processed and user allowed access?

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison <Jim@xxxxxxxxxxxx>
Sent: Monday, February 02, 2009 1:22 PM
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

ISA will trigger the rule based on the destination as well. If you use the same criteria in the allow and deny rules, you're not thinking it through clearly.

JimmyJoeBob Alooba
Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 8:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

In his case he has created a user-specific allow rule and a user-specific deny rule. If the user ID matches the criteria for the deny rule, will ISA go to the next rule?

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison <Jim@xxxxxxxxxxxx>
Sent: Monday, February 02, 2009 11:22 AM
To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

Not true; nor is it that simple.
In general, you want your rules configured as:

Anonymous
    Deny
    Allow
Authenticated
    Deny
    Allow

JimmyJoeBob Alooba
Office 2007 on Win7 Beta

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 7:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Have you checked if the rules are in the right order? Allow rule should come before deny rules.

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

http://www.ISAserver.org
-------------------------------------------------------

Ok, here is what I did. I created a URL set of the sites that I need to allow.

I created Rule 1 as follows:

ACTION: Allow (and log)
PROTOCOLS: HTTP/HTTPS
FROM: Internal
TO: (my URL Set)
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

I created Rule 2 as follows:

ACTION: Deny (redirect to custom page and log)
PROTOCOLS: All Outbound
FROM: Internal
TO: External
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

SSL sites are still not allowed, so what do I need to change to allow this user to access the necessary SSL sites?

-Tom

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, January 30, 2009 8:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Access Rule Issue...
>
> A1 - you must not use name-based destination in a rule that includes "all
> protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
>
> You can create two rules:
> 1. allow HTTP/HTTPS from to specific destinations
> 2. deny all
>
> JimmyJoeBob Alooba
> Office 2007 on Win7 Beta
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, January 30, 2009 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Access Rule Issue...
>
> I am using ISA 2006 SP-1 on a W2K3 SP1 server.
>
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
>
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
>
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
>
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
>
> Why is this? I have allowed that specific URL in my URL Set.
>
> TIA,
>
> -Tom Rogers
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
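
The rule-ordering and HTTPS questions raised in this thread can be worked through with a small first-match evaluator. This is an added example, not code from any of the posters and not ISA's actual engine: it is a simplified model, and the `Rule` fields, the `userA` placeholder and the host-only `hosts` destination are assumptions made for illustration.

```python
# Simplified first-match model of the thread's rules (not ISA's real engine).
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlsplit

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    user: str
    protocols: tuple         # ("http", "https"), or ("*",) for all outbound
    url_set: tuple = ()      # host/path patterns; need the full URL to match
    hosts: tuple = ()        # assumed host-name-only destination

def visible(url):
    """Return (scheme, host, host+path); the path is hidden inside an HTTPS tunnel."""
    p = urlsplit(url.lower())
    full = None if p.scheme == "https" else p.hostname + (p.path or "/")
    return p.scheme, p.hostname, full

def matches(rule, user, url):
    scheme, host, full = visible(url)
    if rule.user != user:
        return False
    if "*" not in rule.protocols and scheme not in rule.protocols:
        return False
    if not (rule.url_set or rule.hosts):
        return True          # no destination restriction: any external site
    by_url = full is not None and any(fnmatch(full, pat) for pat in rule.url_set)
    return by_url or host in rule.hosts

def evaluate(rules, user, url):
    """Rules are checked top to bottom; the first full match decides."""
    for rule in rules:
        if matches(rule, user, url):
            return rule.action, rule.name
    return "deny", "Default rule"

# Constructed rule objects mirroring the thread ("userA" is a placeholder name).
ALLOW = Rule("Allow URL set", "allow", "userA", ("http", "https"),
             url_set=("www.excellusbcbs.com/*",))
DENY = Rule("Deny all outbound", "deny", "userA", ("*",))
ALLOW_HOST = Rule("Allow by host", "allow", "userA", ("http", "https"),
                  hosts=("www.excellusbcbs.com",))

if __name__ == "__main__":
    site = "https://www.excellusbcbs.com/wps/portal/xl"
    print(evaluate([DENY, ALLOW], "userA", "http://www.excellusbcbs.com/"))
    print(evaluate([ALLOW, DENY], "userA", site))
    print(evaluate([ALLOW_HOST], "userA", site))
```

In this model the HTTPS request falls through the URL-set rule because only the host is visible, and a lone allow rule still leaves every other site to the default deny.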