[isalist] Re: Access Rule Issue...

  • From: Raj.Periyasamy@xxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 2 Feb 2009 10:26:44 -0500

Have you checked if the rules are in the right order? The Allow rule should
come before deny rules.

Regards,

Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

 

http://www.ISAserver.org 
------------------------------------------------------- 

Ok, here is what I did. 

I created a URL set of the sites that I need to allow. 

I created Rule 1 as follows: 

ACTION: Allow (and log) 
PROTOCOLS: HTTP/HTTPS 
FROM: Internal 
TO: (my URL Set) 
USERS: (my specific user) 
SCHEDULE: Always 
CONTENT TYPES: All content type 

I created Rule 2 as follows: 

ACTION: Deny (redirect to custom page and log) 
PROTOCOLS: All Outbound 
FROM: Internal 
TO: External 
USERS: (my specific user) 
SCHEDULE: Always 
CONTENT TYPES: All content type 

SSL sites are still not allowed, so what do I need to change to allow 
this user to access the necessary SSL sites? 

-Tom 


> -----Original Message----- 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison 
> Sent: Friday, January 30, 2009 8:18 PM 
> To: isalist@xxxxxxxxxxxxx 
> Subject: [isalist] Re: Access Rule Issue... 
> 
> A1 - you must not use name-based destination in a rule that includes
> "all protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN
> HTTP and CERN FTP traffic, ISA never has access to the entire URL for
> HTTPS tunnels.
> 
> You can create two rules: 
> 1. allow HTTP/HTTPS from to specific destinations 
> 2. deny all 
> 
> JimmyJoeBob Alooba 
> Office 2007 on Win7 Beta 
> 
> 
> 
> 
> -----Original Message----- 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers 
> Sent: Friday, January 30, 2009 9:12 AM 
> To: isalist@xxxxxxxxxxxxx 
> Subject: [isalist] Access Rule Issue... 
> 
> I am using ISA 2006 SP-1 on a W2K3 SP1 server. 
> 
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
>
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
>
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
>
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
>
> Why is this? I have allowed that specific URL in my URL Set.
> 
> TIA, 
> 
> -Tom Rogers 
> 
> 
> ------------------------------------------------------ 
> List Archives: //www.freelists.org/archives/isalist/ 
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------ 
> Visit TechGenix.com for more information about our other sites: 
> http://www.techgenix.com 
> ------------------------------------------------------ 
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
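
What a forward proxy can see for each kind of request discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not ISA Server's own matching logic) showing why a path-bearing URL Set entry has nothing to match against in an HTTPS tunnel. The request lines, `HOST_SET`, and all function names are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed request lines, as a browser configured to use a web proxy sends them.
HTTP_REQUEST = "GET http://www.excellusbcbs.com/index.html HTTP/1.1"
HTTPS_REQUEST = "CONNECT www.excellusbcbs.com:443 HTTP/1.1"
BLOCKED_REQUEST = "GET http://cnn.com/ HTTP/1.1"

# The two URL Set entries quoted in the thread, plus an assumed host-only list.
URL_SET = ["http://www.excellusbcbs.com/*",
           "https://www.excellusbcbs.com/wps/portal/xl"]
HOST_SET = ["www.excellusbcbs.com"]


def visible_target(request_line):
    """Return (scheme, host, path) as seen by the proxy; path is None for a tunnel."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # Only host:port travels in clear text; the URL path is inside the TLS tunnel.
        host, _, _port = target.rpartition(":")
        return "https", host.lower(), None
    parts = urlsplit(target)
    return parts.scheme.lower(), parts.hostname, parts.path or "/"


def matches_url_set(request_line, url_set):
    """Wildcard-match the full URL; impossible when the proxy never sees a path."""
    scheme, host, path = visible_target(request_line)
    if path is None:
        return False  # nothing to compare a path-bearing entry against
    url = f"{scheme}://{host}{path}"
    return any(fnmatchcase(url, entry.lower()) for entry in url_set)


def matches_host_set(request_line, host_set):
    """Match on host name only, which is visible for both HTTP and CONNECT."""
    _scheme, host, _path = visible_target(request_line)
    return host in host_set


def evaluate(request_line, destination_matches):
    """Ordered rules: 1. allow HTTP/HTTPS to listed destinations, 2. deny all."""
    return "allow" if destination_matches(request_line) else "deny"
```

With the URL Set as the rule's destination, the constructed `CONNECT` request falls through to the deny rule; with the host-only list it is allowed, while `cnn.com` is still denied.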

