ISA 2006 + blocking internet for AD group

[Paid_Peanuts]

Hi,
I might be missing a trick here but all the students go through one ISA.
installed is ISA 2006, it has the normal outbound rules etc.

What i have created in AD is a security group where i can add students, so for example the group is: No-Internet.
A student tester account (y8tester) is added to the above group.

Then i have created an access rule in ISA to deny and redirect traffic for the AD group. The rule is as follows:
deny http, https, from internal to external for No-Internet.

I apply the settings however this doesnt block the internet for this y8tester account - am i missing somehting there becasue all the websites i visit say it is this easy to setup.

Any help greatly appriated.

[mullet_man]

Is the block rule above the allow rule?

[Paid_Peanuts]

The rules are as follows:
1) Outbound allow all outbound from internal and local host to external for all users
2) Ping allow ping from internal to all networks including local host for all users
3) Inbound RDP allow RDP from external and internal to xxx.xxx.xxx.xxx for all users
4) No-Internet deny http and https from internal to external for no-Internet

[mullet_man]

Your no internet rule is after your allow rule so its not gonna stop them am guessing.

Our ISA box was setup by someone else, but we have it setup

Banned Sites (deny)
Banned Users (deny)
Pupil Internet (allow)

Try creating new rules in that kind of order, it should work. You just need to make sure you add the right pupil groups to the allow, and create a new group called Banned Internet something along those lines.

[Paid_Peanuts]

I have moved the no-Internet(Deny) rule to number 1 and its made no difference.
Just applying the settings in ISA should be enought right - i dont have to restart a service or anything in order for the changes to the rules to apply?

[Paid_Peanuts]

We have another ISA 2006 box which is for admin use - this wouldn't be interfering would it?

[sahmeepee]

As a starting point I would go into the monitoring section of ISA, tell it only to monitor stuff from the IP addy of the computer your test user is logged on to, then make some page requests and see which rule is being applied.

[Paid_Peanuts]

ah right - after further digging it appears as though the students are not getting their ISA settings.

When the admin isa is rebooted none of the students get the internet so they must be going through the wrong ISA. I have checked AD and the students get their own policy which sets the proxy settings. However the only other place proxy settings are enabled is at the default domain policy level which points to the admin isa - so could they be picking the settings up from there? if i remove the proxy settings from the default domain policy not even staff get the internet even though they have their own policy pointing them at the admin isa!?!?!

i have tested with a staff acount and the proxy settings are in IE7 but the tick box isnt enabled so IE doenst use the proxy.

Can any one shed any light on why these proxy settings are not being enabled? i can bl**dy find it!

[spc-rocket]

Hi,

The best thing to do is to install the Microsoft Firwall client that comes with isa and then confirm the proxy for automatic script setting (sorry don't know what exactly its called). The firewall client will automatically setup IE proxy to automatic script URL.

You should find that then this will allow you to do authentication for not just web proxy and FTP but for other protocols as well.

Ash.