Solved

Restricting internet access with ISA 2006

Posted on 2009-05-20
Last Modified: 2012-05-07
We are running ISA 2006 on a Windows 2003 server.

I am trying to restrict some users to access certain websites only.
I have created access rules for this, but it is not working:

Order  Name                    Action  Protocols             From/Listener          To                Condition
1      block restricted users  allow   all outbound traffic  internal, CPN Clients  websites allowed  locked users
2      block restricted users  deny    all outbound traffic  internal, CPN Clients  External          locked users



Users can still go to any other website. Please let me know how I can fix this.
Question by:winperez
6 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24436916
I assume that "locked users" is a domain group with your locked-down users?

This works as long as you have put ISA as the proxy in your browser proxy settings. Therefore your clients act as web proxy clients. If no browser proxy settings are set, the clients act as SecureNAT clients and take no notice of the user group setting.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24449531
Also, you can disable Rule 1 and just use Rule 2 with "websites allowed" added under the exceptions list in the To tab.
0
 

Expert Comment

by:bateg
ID: 24449572
Can you please explain your infrastructure:

- Is your ISA working as unihomed with one NIC, or with 2 NICs in which one is internal and the other is external (connected to the internet)?

- Is ISA joined to the domain or working in a workgroup?

Regards,
bateg

0

 

Author Comment

by:winperez
ID: 24453084
Thanks guys,

I was able to correct the problem. I just needed to create an extra protocol for port 8080 and deny users.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24453255
Port 8080 is usually used for the web proxy client.
The default deny rule will usually block all traffic by default as long as there is no rule which allows it again.

Note that rules are accessed in their order. The first rule which allows access will handle the traffic.
0
 

Accepted Solution

by:
bateg earned 500 total points
ID: 24457991
Also, be careful with the arrangement of the deny and allow rules.

I.e.: if you give all users allow access to browse facebook.com and under it another rule says that user X cannot access firewall.

The result is that user X will access Facebook. That is because ISA Server reads the rules one by one, and when it finds a rule that meets its category it stops reading the others.

0
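
The rule-order point from the accepted answer, as an added Python sketch that is not part of the original thread and is not ISA Server code: a simplified first-match evaluator, plus a check that reports rules hidden behind an earlier rule with the opposite action. The user names, site names and the "allow everyone else" rule are constructed assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: any destination / All Users

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    sites: frozenset   # destination hosts, or {ANY}
    users: frozenset   # authenticated user names, or {ANY}

def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    return ANY in outer or (ANY not in inner and inner <= outer)

def evaluate(rules, user, host):
    """First-match evaluation: the first rule matching user and host decides."""
    for r in rules:
        if covers(r.sites, {host}) and covers(r.users, {user}):
            return r.action, r.name
    return "deny", "default deny"

def shadowed(rules):
    """(later, earlier) name pairs where an earlier rule with the opposite
    action already matches everything the later rule matches."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and covers(earlier.sites, later.sites)
                    and covers(earlier.users, later.users)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample data (user and site names are placeholders).
ALLOW_ALL_FB = Rule("allow facebook", "allow", frozenset({"facebook.com"}), frozenset({ANY}))
DENY_X_FB = Rule("deny user X", "deny", frozenset({"facebook.com"}), frozenset({"userX"}))
WRONG_ORDER = [ALLOW_ALL_FB, DENY_X_FB]   # the deny never fires
RIGHT_ORDER = [DENY_X_FB, ALLOW_ALL_FB]   # specific deny first

# The question's intent: locked users reach only the allowed sites.
LOCKED = frozenset({"userX"})
POLICY = [
    Rule("allow websites allowed", "allow", frozenset({"intranet.example"}), LOCKED),
    Rule("deny external", "deny", frozenset({ANY}), LOCKED),
    Rule("allow everyone else", "allow", frozenset({ANY}), frozenset({ANY})),
]
```

Running `shadowed()` over an exported rule list before deployment flags a deny rule that can never match because a broader allow sits above it.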
