doakwolf Posted May 30, 2006

Hello all,

I'm using ISA 2000 and have it configured to allow all clients (determined by IP client address set) to browse all websites at all times. For selected 'bad' sites, I've got a site rule to block all clients from browsing websites in a 'blocked sites' destination set and this works just fine.

Now, here's my issue... I've been asked to create a rule that will block just selected users from a secondary destination set. So I created the destination set, created a rule to 'deny access' to the destination set and chose to apply the rule to 'Users and Groups\*username*' but it doesn't work.

That is, it still allows *username* to browse to *blocked sites* from the secondary destination set.

I've also tried creating a new client address set containing just the IP of my workstation (for testing) and it doesn't seem to work via IP either.

Does anyone have any ideas?

Cheers,
Doak.

To elucidate:

The only difference between the rule that works and the rule that doesn't work is the 'Applies to' choice:

'This rule applies to'
- 'Any request' - (works)
- 'Users and groups specified below' (domain\username) - (doesn't work)

tain Posted May 30, 2006

Have you tried saving the configuration that you want and then rebooting the server? Shot in the dark, but it generally solves lots of weird MS problems.

doakwolf (Author) Posted May 30, 2006

Well, I might have found the answer... in 'help' of all places.

Example

Suppose you configure ISA Server with the following rules:

- A protocol rule that allows everyone to use all protocols.
- A site and content rule that allows everyone access to all sites.
- A site and content rule that denies access to user John.

The first two rules allow access to all requests from anonymous users. The third rule will be enforced—that is, John's request will be denied—only if ISA Server requires that John authenticate himself. For example, consider the following scenarios:

- John's computer has Firewall client installed. John requests non-HTTP content. John's request will be denied because the ISA Server Firewall service requires authentication; the third rule is therefore enforced.
- John's computer is configured as a Web Proxy client. John requests HTTP content. John's requests will be allowed because ISA Server does not require authentication; the third rule is therefore not enforced.
- John's computer has Firewall client installed. John requests HTTP content. John's request will be allowed because ISA Server does not require authentication; the third rule is therefore not enforced.

To enforce the third rule for all Web requests, configure the server's option to ask unauthenticated users for identification. John's request will be denied in all the scenarios previously listed.

So since my clients are not required to authenticate to ISA, this will not work...

Oh well,

Thanks for the tip though, TAiN.

Doak.
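
The behaviour described in the help text quoted above, as a simplified model added here for illustration (it is not code from the thread or from ISA Server). The class names, the `ask_unauthenticated` flag and the deny-before-allow ordering are assumptions of the model, and it covers only the scenarios the help text lists.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    user: str     # who is actually at the client
    client: str   # "firewall" or "webproxy", the client types named in the help text
    http: bool    # True for HTTP content, False for any other protocol

@dataclass
class Rule:
    action: str                # "allow" or "deny"
    applies_to: Optional[str]  # None = any request, otherwise one user name

# The three rules from the help text; both "everyone" rules are modelled as allow-any.
RULES = [
    Rule("allow", None),    # protocol rule: everyone, all protocols
    Rule("allow", None),    # site and content rule: everyone, all sites
    Rule("deny", "John"),   # site and content rule: deny user John
]

def identity_seen(req: Request, ask_unauthenticated: bool) -> Optional[str]:
    """User name the server learns, or None when the request stays anonymous."""
    if req.client == "firewall" and not req.http:
        return req.user     # the Firewall service requires authentication
    if req.http and ask_unauthenticated:
        return req.user     # Web requests are asked for identification
    return None             # anonymous: user-scoped rules cannot match

def evaluate(rules, req: Request, ask_unauthenticated: bool = False) -> str:
    who = identity_seen(req, ask_unauthenticated)
    matching = [r for r in rules if r.applies_to is None or r.applies_to == who]
    if any(r.action == "deny" for r in matching):   # assumed: deny wins over allow
        return "deny"
    return "allow" if any(r.action == "allow" for r in matching) else "deny"

# The three scenarios from the help text, in order (constructed inputs).
SCENARIOS = [
    Request("John", "firewall", http=False),
    Request("John", "webproxy", http=True),
    Request("John", "firewall", http=True),
]

if __name__ == "__main__":
    for ask in (False, True):
        print(ask, [evaluate(RULES, s, ask) for s in SCENARIOS])
```

With the flag off, only the first scenario is denied; with it on, all three are, while a request from any other user is still allowed.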