colepc
asked on
ISA 2004 - streaming video
Hi All,
I've got an ISA rule that is intended to block streaming media (audio and video). It appears to work almost correctly. When a user tries to launch a video on the web (in a web page for instance), the user is prompted for his/her authentication. If they enter their username and password, it allows the video.
Question: How can I stop the video/audio from prompting for permission to play?
Thanks,
Terry
ASKER
Clue #1 has appeared...there is no option for 'configure http' on the rule I've created. The selected protocols used on this rule include MMS, PNM, and RTSP. I initially had HTTP in there as well (it was in the "Streaming Media" protocol group), but all http was blocked (not just video). I removed http from it then and general web content was accessible again.
Are you operating in proxy mode only? I.e., only one NIC?
ASKER
Nope. 2 nics. one outside one inside.
Oh, ok. Just reread your other post; you have removed http from the list of protocols.... lol
So how have you set the rules?
Allow all outgoing except for these protocols?
Deny these protocols for all users?
ASKER
My base question needs to change based on what I've observed today. The behavior of the video feeds (and audio) prompting a user for credentials in order to see it is slightly off from what you are thinking of (in this case anyway). Check this out...
I've observed that on the terminal server (where all users will access the internet...completely RDP network), if the user is a member of the local Administrators group (for the TS box), the behavior is different for the video feed. The text of the credentials dialog is different when the user is an Administrator (again, local to the TS) than when the user is just an "internet user" on the SBS (or Domain User). To illustrate better than a description, check these 2 pictures, one of each dialog box:
As Administrator on the TS: http://www.colepc.com/As_administrator_image.gif
Not as the administrator on the TS: http://www.colepc.com/not_as_administrator_image.gif
The other thing that's come to light, is that the login shown in the 2nd image is a nuisance; that is, it pesters the snot out of the "non local admin" user whenever they attempt to browse the internet. If the user visits a blocked page (due to an ISA rule, say "www.match.com", for example), they are prompted with the same login screen. Providing valid credentials does not satisfy the login...it returns incessantly. I didn't realize this behaviour was happening as I've been logged into the TS for testing as a Domain Admin (including membership as a local Admin on the TS). I finally saw it from a user's point of view which leads me to here.
I've tried to isolate this behavior to possibly other less privileged local users on the TS, but the appropriate behaviour only occurs when the user is an admin. Of course, this is bad news for other local security on the actual TS box!
Does that ring any bells?
Thanks,
Terry
ASKER
Here's the answer...
The problem was not with ISA permissions, but rather the redirect page I had entered whenever a "deny" rule was encountered. Although I put the "custom_denied.htm" page in \inetpub\wwwroot, the parent folder's permissions were not inherited by the page resulting in only allowing Administrators to view the page.
Manually inheriting permissions on the redirect page(s) solved the issue.
Duh.
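An audit for the condition described in the answer above, as an added example that is not part of the original thread: it lists files under a web root whose ACL either has inheritance switched off or lacks an identity that the parent folder grants through an inheritable entry. The `$WebRoot` default and the `-Fix` switch are assumptions for illustration; `-Fix` uses `icacls /reset`, which discards explicit entries on the file and leaves only what the parent propagates.

```powershell
# Added example, not from the thread. $WebRoot and -Fix are illustrative assumptions.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [switch]$Fix    # when set, reset flagged files to the ACL inherited from the parent
)

# Identities the folder grants access to through ACEs that propagate to files (ObjectInherit).
function Get-InheritableIdentity([string]$Folder) {
    $objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.InheritanceFlags -band $objectInherit) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-ChildItem -LiteralPath $WebRoot -Recurse -File | ForEach-Object {
    $acl      = Get-Acl -LiteralPath $_.FullName
    $expected = @(Get-InheritableIdentity $_.DirectoryName)
    $actual   = @($acl.Access |
                  Where-Object { $_.AccessControlType -eq 'Allow' } |
                  ForEach-Object { $_.IdentityReference.Value } |
                  Sort-Object -Unique)

    # Identities the parent would hand down but the file does not allow,
    # e.g. a deny page that only Administrators can read.
    $missing = @($expected | Where-Object { $actual -notcontains $_ })

    if ($acl.AreAccessRulesProtected -or $missing.Count -gt 0) {
        [pscustomobject]@{
            File              = $_.FullName
            InheritanceOff    = $acl.AreAccessRulesProtected
            MissingIdentities = $missing -join '; '
        }
        if ($Fix) {
            # icacls /reset replaces the file's ACL with the default inherited ACL.
            & icacls.exe $_.FullName /reset | Out-Null
        }
    }
}
```

Run it without `-Fix` first and review the list; a file that is deliberately locked down will also be reported.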
Is this a duplicate question to this one or did the one answer fit both questions?
https://www.experts-exchange.com/questions/21926953/SBS-2003-ISA-2004-and-a-terminal-server-permissions-for-blocked-pages.html#17168873
Nice one Terry.
ASKER CERTIFIED SOLUTION
Right-click the allow rule and select configure http
Block the downloads from