I have exactly the same issue but with 2 Site and Content Rules. 1st rule for a group of users allowed to any URL. 2nd rule for a group of users allowed only to a list of URLs approved by management.

I applied the reg fix mentioned at http://support.microsoft.com/support/kb/articles/Q297/3/24.ASP, as once you run hf68 (I think) for ISA it updates the w3proxy.dll to the required version mentioned, and all is working well now. (b.t.w. all users IE 5.5 and up as web proxy clients on a 2k domain)

BUT ... here is my problem: the limited user group can't get to HTTPS URLs although they are allowed by protocol rules, site and content and destination sets. The ISA server is chaining to an upstream ISA server that accepts any connection (downstream - auth by domain groups ---> upstream any connection, destination or protocol, with firewall chaining and default routing rule pointing at upstream ISA).

Any assistance will help.

Thanks

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 04 September 2001 18:53
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Help!!! Problems with Web Proxy/Firewall Clients Authentication

http://www.ISAserver.org

It sounds like you have this issue:
http://support.microsoft.com/support/kb/articles/Q297/3/24.ASP
Call MS PSS and they'll point you to the hotfix for free.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Carlos Mauricio Perez Cortes" <mauriciop@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 04, 2001 09:03
Subject: [isalist] Help!!! Problems with Web Proxy/Firewall Clients Authentication

Hello Friends,

I'm needing your valuable help with the following problem.
I hope you can give me some clues:

I have ISA Server working in integrated mode (stand-alone) with 2 NICs (LAN and Internet). It's a member server of our Windows 2000 domain. During initial configuration we created Client Address Sets and then applied rules to those objects. Everything was working well until our boss told us we had to restrict Internet access on a per-user/group basis. We had to modify all rules and apply them to Windows 2000 domain groups. Then we deleted all Client Address Sets. The outgoing web requests listener is configured to use Integrated Authentication. There is only one Site and Content Rule (default) allowing all destinations to any request.

The problem we're having is that when a Web Proxy or Firewall client (even with both) tries to access HTTP content from the browser, it always gets an authentication dialog box even though the user is already logged on to the Windows 2000 domain. When the user provides his account information, the authentication dialog box appears again and again. Firewall clients also have problems opening socket sessions (FTP, Telnet, etc.) even though those protocols are allowed in a rule applied to the right group of users. I don't know what else to do. It seems that the browser is not passing logon credentials to ISA Server. All clients are using IE 5.0.

I found the following information in ISA Server's Help:

When a Web Proxy or Firewall client requests HTTP content, ISA Server checks the rules to determine if a specific rule allows anonymous users access (either because it applies to all users or it applies to a client address set that includes the IP address of the client). If so, then the request will be allowed. Otherwise, if no rule has been configured to allow anonymous users access, ISA Server will require that the client authenticate itself, to determine if a rule applies to the specific, authenticated user.
In other words, when a client requests HTTP content, authentication information is not passed to the ISA Server computer, unless ISA Server requires it. This happens when the Web Proxy service must identify the user in order to allow the request.

OK... In our case ISA Server requires authentication information because the Web Proxy Service must identify the user to validate the request. My question is... can the browser pass authentication information to ISA Server automatically? Because it would be terrible to provide that information manually each time a user opens the web browser.

Please, I'd be grateful if you can send me some information as soon as possible...

CARLOS MAURICIO PEREZ C.
Technical Support
s: mauriciop@xxxxxxxxxxxx
http://www.solosoft.com
SoloSoft Ltda.
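
Added example, not part of the original thread and not ISA Server code: a simplified Python model of the rule check quoted from ISA Server's Help above, showing why replacing client address sets with group-based rules makes every request draw an authentication challenge. The rule names, group names and addresses are constructed, and the model folds protocol rules and site and content rules into one list.

```python
"""Simplified model of the anonymous-vs-authenticated rule check.
Constructed example: rule names, groups and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    applies_to: str                  # "any", "address_set" or "groups"
    networks: tuple = ()             # used when applies_to == "address_set"
    groups: frozenset = frozenset()  # used when applies_to == "groups"


def allows_anonymous(rule, client_ip):
    """A rule admits an unauthenticated request if it applies to all users
    or to a client address set that contains the client's IP."""
    if rule.applies_to == "any":
        return True
    if rule.applies_to == "address_set":
        return any(ip_address(client_ip) in ip_network(n) for n in rule.networks)
    return False


def decide(rules, client_ip, user_groups=None):
    """Return 'allow', 'challenge' (proxy demands credentials, HTTP 407)
    or 'deny'. user_groups is None until the client has authenticated."""
    if any(allows_anonymous(r, client_ip) for r in rules):
        return "allow"
    if user_groups is None:
        return "challenge"
    for r in rules:
        if r.applies_to == "groups" and r.groups & set(user_groups):
            return "allow"
    return "deny"


# Constructed policies: before and after the change described in the thread.
BEFORE = [Rule("LAN clients", "address_set", networks=("10.0.0.0/24",))]
AFTER = [
    Rule("Full access", "groups", groups=frozenset({"InternetFull"})),
    Rule("Approved sites", "groups", groups=frozenset({"InternetLimited"})),
]

if __name__ == "__main__":
    print(decide(BEFORE, "10.0.0.15"))                      # no credentials needed
    print(decide(AFTER, "10.0.0.15"))                       # every client is challenged
    print(decide(AFTER, "10.0.0.15", ["InternetLimited"]))  # authenticated group member
    print(decide(AFTER, "10.0.0.15", ["Sales"]))            # authenticated, no matching rule
```

With only group-based rules left, the first request from any client has no identity attached, so the model returns a challenge every time; access then depends on the client answering it with credentials that map to an allowed group.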