The Enterprise or Array Policies Restricting Internet Access Do Not Seem to Work (262366)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q262366

SUMMARY

Internet Security and Acceleration (ISA) Server processes any rules that deny access before processing rules that enable access in the Access policy. However, you may observe that if you create a Site and Content rule in the applicable Access policy (Array policy or Enterprise policy) that applies to a specific user identification (for example, User A or Group A), that user or group is still able to access the denied site or sites.

This behavior can occur if you also have a Site and Content rule in the applicable Access policy (Array policy or Enterprise Policy) that applies to "All Destinations" and applies to "Any Request".

MORE INFORMATION

This behavior is expected because standard Hypertext Transfer Protocol (HTTP) protocol always attempts to first use anonymous access.

This problem can be corrected by forcing all HTTP proxy users to authenticate with the ISA Server.

By default, ISA Server does not authenticate outbound Web requests which means that a user can anonymously access the Web if the rules are configured as previously discussed.

To force users to authenticate with the Web Proxy service, use either of the following methods:
  • Create all Site and Content rules so that they do not apply to all destinations and any user. You can select specific destinations and enable access to any user, or to all destinations and a specific user or group. -or-

  • In ISA Management, right-click the Server/Array node, and then click Properties. On the Outgoing Web requests tab, click the Ask un authenticated users for authentication option.
Both of the preceding changes make ISA Server require a Web proxy user to provide a user identification before the user can access any Web resource.

NOTE: All Web requests that pass through ISA Server also pass through the Web Proxy service, by default. Any clients that are configured only for secure-Network Address Translation (S-NAT) with browsers that are not configured to use Web proxy, are unable to access any Web site. This occurs because the clients are using ISA Server strictly as a NAT device, and, therefore, there is no mechanism for them to provide any credentials. Clients should configure their browsers to use Web Proxy service on ISA Server; or, you should create Site and Content rules for those users based on client sets.

For information on specific steps on how to create Site and Content rules or how to modify settings, refer to the Help file.
Modification Type:MinorLast Reviewed:1/15/2006
Keywords:kbenv kbinfo kbnetwork KB262366
©2004 Microsoft Corporation. All rights reserved.