What do you see in the log monitor when the user gets rejected? Which rule is denying the user? In addition to these two rules what other rules do you have?

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:28 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

My Allow rule is before the Deny.

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 10:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

Have you checked if the rules are in the right order? Allow rule should come before deny rules.

Regards,
Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

http://www.ISAserver.org
-------------------------------------------------------

Ok, here is what I did. I created a URL set of the sites that I need to allow.

I created Rule 1 as follows:

ACTION: Allow (and log)
PROTOCOLS: HTTP/HTTPS
FROM: Internal
TO: (my URL Set)
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

I created Rule 2 as follows:

ACTION: Deny (redirect to custom page and log)
PROTOCOLS: All Outbound
FROM: Internal
TO: External
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

SSL sites are still not allowed, so what do I need to change to allow this user to access the necessary SSL sites?

-Tom

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, January 30, 2009 8:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Access Rule Issue...
>
> A1 - you must not use name-based destination in a rule that includes "all
> protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
>
> You can create two rules:
> 1. allow HTTP/HTTPS from to specific destinations
> 2. deny all
>
> JimmyJoeBob Alooba
> Office 2007 on Win7 Beta
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, January 30, 2009 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Access Rule Issue...
>
> I am using ISA 2006 SP-1 on a W2K3 SP1 server.
>
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
>
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
>
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
>
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
>
> Why is this? I have allowed that specific URL in my URL Set.
>
> TIA,
>
> -Tom Rogers

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
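
Jim's point A2 in the thread above, shown as an added example (not code from any poster and not ISA Server's own matching logic): a simplified first-match evaluator in which an allow rule keyed on a URL set never matches an HTTPS tunnel, while one keyed on host names does. The user name `restricted`, the helper names and the host-name set are assumptions made for the illustration; protocols and schedules are left out of the model.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data modelled on the thread; not an export of a real policy.
URL_SET = ["www.excellusbcbs.com/*", "www.excellusbcbs.com/wps/portal/xl"]
HOST_SET = ["www.excellusbcbs.com"]

def visible_to_proxy(method, target):
    """Return what a forward proxy can inspect for one request."""
    if method == "CONNECT":  # HTTPS tunnel: the request line carries host:port only
        return {"host": target.rsplit(":", 1)[0].lower(), "url": None}
    parts = urlsplit(target)  # plain HTTP: the full URL is visible
    return {"host": parts.hostname, "url": (parts.hostname + (parts.path or "/")).lower()}

def url_set_match(entries, seen):
    """URL entries include a path, so they cannot be tested inside a tunnel."""
    if seen["url"] is None:
        return False
    return any(fnmatchcase(seen["url"], e.lower()) for e in entries)

def host_set_match(hosts, seen):
    """Host-name destinations need only the name, which CONNECT does expose."""
    return any(fnmatchcase(seen["host"], h.lower()) for h in hosts)

def make_policy(allow_dest):
    """Rule 1 allows the listed destinations, Rule 2 denies everything else."""
    return [
        {"name": "Rule 1", "action": "allow", "user": "restricted", "dest": allow_dest},
        {"name": "Rule 2", "action": "deny", "user": "restricted", "dest": lambda seen: True},
    ]

def evaluate(rules, user, method, target):
    """Walk the rules in order; the first rule that matches decides."""
    seen = visible_to_proxy(method, target)
    for rule in rules:
        if rule["user"] == user and rule["dest"](seen):
            return rule["name"], rule["action"]
    return "default", "deny"

URL_POLICY = make_policy(lambda seen: url_set_match(URL_SET, seen))
HOST_POLICY = make_policy(lambda seen: host_set_match(HOST_SET, seen))

if __name__ == "__main__":
    for label, policy in (("URL set", URL_POLICY), ("host names", HOST_POLICY)):
        for method, target in (("GET", "http://www.excellusbcbs.com/"),
                               ("CONNECT", "www.excellusbcbs.com:443"),
                               ("GET", "http://cnn.com/")):
            print(label, method, target, evaluate(policy, "restricted", method, target))
```

With the URL-set policy the CONNECT request falls through to Rule 2 even though Rule 1 is listed first, which is why rule order alone does not explain the denial described in the thread.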