RE: Deny List working too well!!!
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Mon, 21 Feb 2005 08:37:04 -0800
ISA Hotfixes and service packs DO NOT apply customer registry keys -
never have; never will.
Did you restart the ISA web proxy service?
"12209" is pretty specific - the client failed to satisfy authentication
requirements.
Try adding "Rule#1" and "Rule#2" to the web proxy logs and retry the
connections.
The log will tell you what rule (if any) fired.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
<http://isaserver.org/Jim_Harrison/>
http://isatools.org <http://isatools.org/>
Read the help / books / articles!
-------------------------------------------------------
________________________________
From: Steve Lunn [mailto:Steve.Lunn@xxxxxxxxxxxxxxxx]
Sent: Monday, February 21, 2005 00:24
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deny List working too well!!!
http://www.ISAserver.org
Jim,
Thanks, but I've already seem this post. The post states
"This problem was first corrected in Internet Security and Acceleration
Server 2000 Service Pack 1"
And I'm running SP2. I have tried removing SP2 and re-applying SP1 and
SP2 again, but no joy.
I've tried adding the Registry key in, but with no luck.
The exact error I'm getting is
"HTTP 407 Proxy Authentication Required - The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is
denied. (12209)
Internet Security and Acceleration Server"
Regards,
Steve
Steve Lunn - PC & Network Support
Microsoft MCP
DDI: 01423 855101
Fax: 01423 855181
-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 19 February 2005 02:05
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Deny List working too well!!!
http://www.ISAserver.org
Here y'go:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297324
-----Original Message-----
From: Steve Lunn [mailto:Steve.Lunn@xxxxxxxxxxxxxxxx]
Sent: Friday, February 18, 2005 7:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Deny List working too well!!!
http://www.ISAserver.org
Hey Folks,
I was wondering if someone could help me?
We used to have ISA Server 2000 in a separate win2k domain in front of
out NT4 domain and all worked well. There was a one way trust between
them, so that an NT4 internet users user group was allowed access. While
the group was allowed all HTTP access, there was a specific deny rule
that blocked things like hotmail, e-bay and the more prolific
ad-vendors.
This worked fine and without a hitch. Back end of last year, we upgraded
our NT4 domain to a win2k3 domain. All the trusts and everything were
migrated and still everything worked fine.
We decided to do away with the separate domain and rebuild the ISA
server into our 2k3 domain. I installed Win2k3 on the box, did all the
appropriate patching and installed and patched ISA server. This all
seemed to go fine.
When the users started using the server, some complained that they were
being prompted for authentication. Being a frequent reader of the
ISAServer.org forums and an ISA Server MCP, I set about trying to find
the problem.
After a seriously long time, I tracked the problem down, but I can't
find a cure.
When the user hits a site that has a blocked item in it (usually an
advert), the server prompts for authentication if the user presses
cancel three of four times the prompt goes away and the page displays as
normal.
Force authentication is off, and support never get prompted which I
think is because we have FW Client on, but I don't want to roll out FW
client to the organization unless I really have to.
There are Content and Protocol rules that allow Internet Users out, and
a Content rule that blocks specific URL's. This is identical to our old
config, yet I can't get it to stop prompting for authentication when it
hits a blocked site.
Have I missed something blatantly obvious?
When I contacted out third line support provider after a few days of try
this and try that, they asked us to tick the box saying "If HTTP
request, Redirect to this URL", which seems to have stopped it
requesting the users for a logon, but it displays the redirected "Access
Denied" page in the place of the blocked image.
This seems to really confuse the users as they get a legitimate web page
with half a dozen blocked pictures replaced by Access Denied messages.
Please put me out of my misery and help me fix this annoying 'feature'.
Regards,
Steve
Steve Lunn - PC & Network Support
Microsoft MCP
DDI: 01423 855101
Fax: 01423 855181
Homeowners Group consists of Homeowners Friendly Society Limited (HFSL),
Registered and Incorporated under the Friendly Societies Act 1992, Reg.
No. 964F, Homeowners Investment Fund Managers Limited (HIFML), Reg. No.
3224780, Homeowners Financial Administration Limited (HFAL), Reg. No.
4301736, Homeowners Membership Services Limited (HMSL), Reg. No. 3091667
and UK Friendly Insurance Services Limited (UKFISL), Reg. No. 3088162,
all registered at Hornbeam Park Avenue, Harrogate. HG2 8XE. Tel: 01423
855000 Web: http://www.homeowners.co.uk
HFSL and HIFML are both authorised and regulated by the Financial
Services Authority (FSA). HFSL's FSA Register no. is 110072, HIFML's FSA
Register no. is 181487. You can check this on the FSA's Register by
visiting the FSA's website http://www.fsa.gov.uk/register or by
contacting the FSA on 0845 606 1234
HFAL, HMSL and UKFISL are non-regulated limited companies.
United Kingdom Civil Service Benefit Society (UKCSBS) and United Kingdom
Armed Forces Benefit Society (UKAFBS) are trading styles of Homeowners
Friendly Society Limited
This e-mail is intended only for the person named as recipient. The
contents are confidential. If you are not the intended recipient of this
e-mail, please notify us as soon as possible and delete it. If you are
not the intended recipient of the e-mail, any use by you is prohibited.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
Other related posts:
