Order of rule processing
Frequently Asked Questions - Microsoft ISA Server

Microsoft's ISA Server provides excellent granularity, or "stepped access", in its rulesets: a rule can depend on the destination of the request, on who is making the request, or on both.

In this article we take a look at the order in which those rules are applied, because getting that order wrong is the most common reason a per-user deny rule "doesn't work".

First up, here is the order in which the rules are applied:

1) Deny rules applying to any request (anonymous).
2) Allow rules applying to any request (anonymous).
3) Deny rules applying to client address sets or users and groups (authenticated).
4) Allow rules applying to client address sets or users and groups (authenticated).

So the anonymous rules are processed first, and only then does ISA move on to the authenticated rules. The important consequence is that if an allow rule applying to any request matches, the request is granted on the spot: ISA never asks the client for credentials, so it never finds out who the user is, and the rules scoped to users and groups are never reached.

All too often we hear clients say "I've created an allow-all access rule, but my deny rule for a particular user doesn't work". Let's take a look at why the deny rule for UserX doesn't work.

Imagine for a moment that ISA is a bouncer at a nightclub (hmm, my imagination is stretching a bit here).

Now, let's say management says "Hey, Bouncerguy! I want you to let absolutely everybody in tonight. Stand there looking imposing, but don't look at anybody's face or check anybody's ID - it frightens away the patrons."

So, Bouncerguy stands at the door happily smiling and lets anybody at all in the door.

Everything is going sweetly for a few weeks until, after a brawl one Friday night, management says "Hey Bouncerguy, here's a photo of the dude that started the fight. I want you to keep doing what you've been doing so far, but don't let this guy here in the photo in the door".

So now Bouncerguy has 2 "rules" to apply to people coming in the door.

  1.  Let anybody in and don't look at their faces or check their ID.
  2.  Don't let in this particular guy whose face matches this photo.

So, the nightclub opens its doors the next night and Bouncerguy stands at the door freely letting everybody in. The troublemaker from the previous Friday walks in, causes another fight, and afterwards Bouncerguy gets called into management's office.

"I thought I told you not to let this guy in!" yells management at our friendly bouncer. Bouncerguy now starts to get a little defensive, as he was doing exactly what he was told.

Management now starts screaming that he distinctly said Bouncerguy should do exactly what he had been doing, except not let in this troublemaker guy (inventive with names, aren't I!).

Again, Bouncerguy protests his innocence. He explains it to the boss:

"First you told me to let everyone in the door and not to look at their faces or check IDs. Then you tell me not to let a particular guy in. How can I possibly recognise Troublemakerguy unless I look at the face of every person who tries to walk in the door? If I don't check anyone's ID, there's no opportunity to spot the one guy I'm looking for."

Management scratches his head for a moment and stares blankly at Bouncerguy.

Bouncerguy carries on: "If you want me to stop the troublemaker getting in, I have to check the ID of every single person as they walk in. Only then will I have the opportunity to catch the one we're looking for."

Management hangs his head, ashamed that this 350-pound meathead of a guy understands a basic concept that he himself could not.

Now, back in the real world. If you have an "allow access to all" rule that applies to any request, ISA is Bouncerguy with his eyes shut: every request is granted anonymously, nobody is ever asked to authenticate, and there is no way you can have per-user or per-group access control. A deny rule for UserX can only fire if ISA has a reason to find out that the request came from UserX in the first place.

"But I have to give access to certain sites to all of my users regardless of who they are", I hear you cry. Easy: create a destination set of the sites you need to give access to, and then allow "all" access to that destination set only. For my clients I usually set up this "freeforall" destination set with sites like * (any Australian Government site), * (any Aussie education site), *, *, and any websites that relate to the company itself: perhaps their own site and also those of the suppliers they regularly deal with (such as my own), their banks, the website of the antivirus vendor they use, and so on.

Now that you've defined the few sites that ALL of your users must be able to get to, you can create more specific rules:

  1. Create a destination set containing the site you want to block, and then create a S&C (Site & Content) rule applying to UserX that DENIES access to that destination set. Now that user can't get to the set.
  2. Create another S&C rule that allows access to everything, but apply it to a group containing all of your users rather than to "any request".

Hang on, isn't that second rule the same as the "allow access to all" rule we had before? No! This time the rule is applied to a Windows domain (Active Directory) group that contains all of our users, not to any request. For every site other than those in the "freeforall" destination set, no anonymous rule matches, so ISA must obtain authentication from EVERYONE before it can decide. Once it knows who the user is, it evaluates the deny rules before the allow rules, so UserX is denied access to the specified site while everybody else in the group is allowed through.
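To make the processing order concrete, here is a small model of it that runs the "allow everything" policy from the complaint above and the corrected "freeforall plus authenticated rules" policy side by side. This is an added example written for this article, not ISA Server's code or its administration API; it imitates the four-step order listed earlier (deny-any, allow-any, deny-user, allow-user) and the fact that an anonymous allow rule settles the request before any credentials are requested. The host names, the "Domain Users" group, and the "UserX" account are constructed for the example.

```python
# Toy model of the ISA Server rule-processing order described in this article.
# Constructed example for illustration: it imitates the four-step order
# (deny-any, allow-any, deny-user, allow-user), not ISA Server's own code.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    destinations: Tuple[str, ...]                # destination set, as host globs
    applies_to: Optional[FrozenSet[str]] = None  # None = "any request" (anonymous)


def _matches(rule: Rule, host: str) -> bool:
    return any(fnmatch(host, pattern) for pattern in rule.destinations)


def evaluate(rules, host, user=None, groups=()):
    """Decide a request for `host`.

    `user`/`groups` are the credentials the client would present *if* ISA
    challenges it. Returns (decision, challenged): `challenged` is True only
    when ISA had to ask for credentials before it could decide.
    """
    anon = [r for r in rules if r.applies_to is None and _matches(r, host)]
    auth = [r for r in rules if r.applies_to is not None and _matches(r, host)]

    # 1) deny rules that apply to any request
    if any(r.action == "deny" for r in anon):
        return "deny", False
    # 2) allow rules that apply to any request: granted without looking at
    #    who the client is, so steps 3 and 4 are never reached
    if any(r.action == "allow" for r in anon):
        return "allow", False

    # Nothing decided the request anonymously: ISA now demands credentials.
    if not auth:
        return "deny", False          # no rule matches at all: default deny
    if user is None:
        return "deny", True           # challenged, but no credentials offered
    principals = {user, *groups}
    hits = [r for r in auth if r.applies_to & principals]

    # 3) deny rules for users and groups
    if any(r.action == "deny" for r in hits):
        return "deny", True
    # 4) allow rules for users and groups
    if any(r.action == "allow" for r in hits):
        return "allow", True
    return "deny", True


# Constructed policies. Host names, the group and the user are made up.
BROKEN = [
    Rule("Allow everything (any request)", "allow", ("*",)),
    Rule("Deny UserX the games site", "deny", ("games.example",), frozenset({"UserX"})),
]

FIXED = [
    # "freeforall" destination set, still open to any request
    Rule("Free-for-all sites", "allow",
         ("*.gov.example", "*.edu.example", "antivirus-vendor.example", "bank.example")),
    # everything else requires authentication; deny is evaluated before allow
    Rule("Deny UserX the games site", "deny", ("games.example",), frozenset({"UserX"})),
    Rule("Allow all domain users", "allow", ("*",), frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "UserX -> games.example:",
              evaluate(policy, "games.example", "UserX", ("Domain Users",)))
```

With the broken policy, UserX reaches games.example and the second element of the result is False: the anonymous allow rule matched, so ISA never challenged the client and the deny rule for UserX was never consulted. With the fixed policy, the same request is challenged and denied, another domain user is challenged and allowed, and a request for a site in the free-for-all set is still allowed anonymously.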


Get the picture?

Copyright 2004-2005 After Hours Information Technology