[isalist] Re: Access Rule Issue...

  • From: Raj.Periyasamy@xxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Mon, 2 Feb 2009 10:33:48 -0500

What do you see in the log monitor when the user gets rejected? Which
rule is denying the user? In addition to these two rules what other
rules do you have?

 

 

 

Regards, 

Raj

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:28 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

 

My Allow rule is before the Deny.

 

Tom Rogers
Systems Administrator
Schneider Packaging Equipment


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Raj.Periyasamy@xxxxxxxxxxxxxx
Sent: Monday, February 02, 2009 10:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Access Rule Issue...

 

Have you checked if the rules are in the right order? Allow rule should
come before deny rules.

 

Regards, 

Raj

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers <trogers@xxxxxxxxxxxxxxxxxx>
Sent: Monday, February 02, 2009 10:19 AM
To: <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Access Rule Issue...

 

http://www.ISAserver.org 
------------------------------------------------------- 

Ok, here is what I did. 

I created a URL set of the sites that I need to allow. 

I created Rule 1 as follows: 

ACTION: Allow (and log) 
PROTOCOLS: HTTP/HTTPS 
FROM: Internal 
TO: (my URL Set) 
USERS: (my specific user) 
SCHEDULE: Always 
CONTENT TYPES: All content type 

I created Rule 2 as follows: 

ACTION: Deny (redirect to custom page and log) 
PROTOCOLS: All Outbound 
FROM: Internal 
TO: External 
USERS: (my specific user) 
SCHEDULE: Always 
CONTENT TYPES: All content type 

SSL sites are still not allowed, so what do I need to change to allow 
this user to access the necessary SSL sites? 

-Tom 


> -----Original Message----- 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison 
> Sent: Friday, January 30, 2009 8:18 PM 
> To: isalist@xxxxxxxxxxxxx 
> Subject: [isalist] Re: Access Rule Issue... 
> 
> A1 - you must not use name-based destination in a rule that includes "all
> protocols". Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
> 
> You can create two rules: 
> 1. allow HTTP/HTTPS from to specific destinations 
> 2. deny all 
> 
> JimmyJoeBob Alooba 
> Office 2007 on Win7 Beta 
> 
> 
> 
> 
> -----Original Message----- 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers 
> Sent: Friday, January 30, 2009 9:12 AM 
> To: isalist@xxxxxxxxxxxxx 
> Subject: [isalist] Access Rule Issue... 
> 
> I am using ISA 2006 SP-1 on a W2K3 SP1 server. 
> 
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
> 
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
> 
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage. 
> 
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
> 
> Why is this? I have allowed that specific URL in my URL Set. 
> 
> TIA, 
> 
> -Tom Rogers 
> 
> 
> ------------------------------------------------------ 
> List Archives: //www.freelists.org/archives/isalist/ 
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------ 
> Visit TechGenix.com for more information about our other sites: 
> http://www.techgenix.com 
> ------------------------------------------------------ 
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
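
Added example, not part of the original thread and not ISA Server's own logic: a simplified Python model of the point in A2 above, that a forward proxy sees the full URL of a plain HTTP request but only `host:port` of an HTTPS `CONNECT` tunnel, so a URL-set entry with a path has nothing to match against. The request lines are constructed, `HOST_SET` is a hypothetical host-only destination set, and wildcard matching via `fnmatch` is an assumption made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data modelled on the thread's rules (not exported from ISA).
URL_SET = ["http://www.excellusbcbs.com/*",
           "https://www.excellusbcbs.com/wps/portal/xl"]
HOST_SET = ["www.excellusbcbs.com"]  # hypothetical host-only destination set


def visible_destination(request_line):
    """Return (scheme, host, path) as a forward proxy can see it.
    path is None for CONNECT: the real URL travels inside the TLS tunnel."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return "https", host.lower(), None
    parts = urlsplit(target)  # plain proxy request carries an absolute URI
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def by_url(dest):
    """Match against URL_SET; impossible when the proxy never saw a path."""
    scheme, host, path = dest
    if path is None:
        return False
    url = f"{scheme}://{host}{path}".lower()
    return any(fnmatchcase(url, pattern.lower()) for pattern in URL_SET)


def by_host(dest):
    """Match the host name only, which is visible for both GET and CONNECT."""
    return any(fnmatchcase(dest[1], pattern.lower()) for pattern in HOST_SET)


def evaluate(request_line, allow_match):
    """Ordered, first-match policy: rule 1 allows HTTP/HTTPS to the set,
    rule 2 denies everything else."""
    dest = visible_destination(request_line)
    if dest[0] in ("http", "https") and allow_match(dest):
        return "allow (rule 1)"
    return "deny (rule 2)"


if __name__ == "__main__":
    for line in ("GET http://www.excellusbcbs.com/ HTTP/1.1",
                 "CONNECT www.excellusbcbs.com:443 HTTP/1.1",
                 "GET http://cnn.com/ HTTP/1.1"):
        print(f"{line}: url-set -> {evaluate(line, by_url)}, "
              f"host-set -> {evaluate(line, by_host)}")
```
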

