• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 647
  • Last Modified:

restricting internet access with ISA 2006

we are running ISA 2006 on a windows 2003 server

I am trying to restrict some users to access certain websites only.
i have created access rules for this, but it is not working:

order    name              action            protocols           from/listener        to                   condition
1          block               allow            all outbound       internal                websites        locked users
            restricted                             traffic                 CPN Clients          allowed
            users

2           block               deny           all outbound       internal                 External       locked  users
           restricted                             traffic                 CPN Clients          
            users



users can still go to any other website.  please let me know how i can fix this
0
winperez
Asked:
winperez
1 Solution
 
BembiCEOCommented:
I assume, that "locked users" is a domain group with your locked down users?

This work as long as you have put ISA as proxy into your brwoser proxy setting. Therefore your clients acts as web-proxy client. If no browser proxy settings are set, the clients acts as secure Nat client and take no notice of the user group setting.
0
 
Raj-GTSystems EngineerCommented:
Also, you can disable Rule 1 and just use Rule 2 with "websites allowed" added under the exceptions list in the To tab.
0
 
bategCommented:
Can you please explain your infrastructure:

-Is your ISA working as a unihomed with one NIC card or 2 NIC cards in which one is internal and the other is external ) connected to internet )

- Is Isa joined to the domain or working on workgroup?

Regards,
bateg

0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
winperezAuthor Commented:
thanks guys,

I was able to correct the problem.  I just needed to create an extra protocol for port 8080 and deny users
0
 
BembiCEOCommented:
Port 8080 is usually used for the web proxy client.
The default deny rule will usually block all traffic by default as long there is no rule which allows it again.

Note that rules are accessed on their order. The first rule, which allows access will handle the traffic.
0
 
bategCommented:
also, be carefull from the deny and allow rules arrangement.

i.e : if you give all user allow access to browse facebook.com and under it another rule say that user X cannot access firewall.

The result is that user x will access facebook, That is because isa server read the rules one by one and when it find a rule that meet its category it stop reading the others.

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now