Welcome to ISAserver.org
Block browsing by typing IP in browser
Block browsing by typing IP in browser - 28.Jan.2008 11:03:59 AM
|
|
|
skisiel77
Posts: 5
Joined: 28.Jan.2008
Status: offline
|
I have created a few deny/allow rules and this part is working fine, but they can obey them typing IP addresses in their browsers. I don't want to deny access to a specific IP. Is there any way to block users browsing the internet by typing an IP address (instead of a URL) directly into their browsers? ISA 2006
|
|
|
|
RE: Block browsing by typing IP in browser - 28.Jan.2008 12:50:52 PM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
Do you want to block one specific IP, many IPs or all IPs?
|
|
|
|
RE: Block browsing by typing IP in browser - 28.Jan.2008 2:19:00 PM
|
|
|
skisiel77
Posts: 5
Joined: 28.Jan.2008
Status: offline
|
Generally I would like to block the ability to browse any website by typing its IP address in the address bar. I don't want to block any URLs. For example: I have created a rule allowing access to a specific website for a specific domain group. Users who don't belong to this DG cannot browse this website by typing its URL. Unfortunately, when they run a ping or nslookup command they get the IP address for this site. When they paste this IP into their browser, they can navigate to this site.
|
|
|
|
RE: Block browsing by typing IP in browser - 28.Jan.2008 10:52:01 PM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
Have you tried creating a URL Set with "approved" FQDNs of the sites you want to allow and then denying external so that no other FQDN or IP based HOST requests via HTTP web proxy are permitted?
|
|
|
|
RE: Block browsing by typing IP in browser - 29.Jan.2008 5:29:25 AM
|
|
|
skisiel77
Posts: 5
Joined: 28.Jan.2008
Status: offline
|
I have created a subset of allow/deny rules with specific "approved" FQDNs. As I understand ISA 2006 PROXY, the last Default Rule blocks all other traffic which doesn't "fit" in those rules. I didn't create a deny rule for traffic to the external network.
|
|
|
|
RE: Block browsing by typing IP in browser - 29.Jan.2008 8:42:02 AM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
Have you identified which Access Rule on your ISA Server is allowing your users' IP-based HTTP requests? How is that rule configured? Additionally, what destination objects are your allow/deny rules based upon? URL Set, Domain Name Set, Network, Computer Set, etc.
|
|
|
|
RE: Block browsing by typing IP in browser - 30.Jan.2008 7:02:05 AM
|
|
|
skisiel77
Posts: 5
Joined: 28.Jan.2008
Status: offline
|
Have you identified which Access Rule on your ISA Server is allowing your users' IP-based HTTP requests?
Yes, I did.

How is that rule configured?
In this case traffic is shaped by 2 rules, one on Enterprise level (Deny), and one on Firewall level (Allow).

Enterprise - Deny rule for all users, denying access from All Protected Networks to a certain URLset containing a few domains/hosts, for example: poczta.onet.pl

Firewall - Allow rule for certain users (in a domain group), from All Protected Networks, to a certain URLset containing root domains, for example *.pl, *.com, etc.

When I do nslookup:

c:\>nslookup poczta.onet.pl
Non-authoritative answer:
Name: poczta.onet.pl
Address: 213.180.130.206

When I type in the browser:

http://poczta.onet.pl - Enterprise rule denies access to this website
http://213.180.130.206 - Enterprise rule doesn't work, and Firewall rule allows access to this website

I got really confused.
< Message edited by skisiel77 -- 30.Jan.2008 7:08:42 AM >
|
|
|
|
RE: Block browsing by typing IP in browser - 30.Jan.2008 10:08:22 AM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
I don't think that you're going to have consistent success while implementing this type of scenario. And it does not have much to do with your ISA Server configuration; rather, it's related to DNS.

Let's stick with the specific host you're trying to block:

nslookup poczta.onet.pl
Name: poczta.onet.pl
Address: 213.180.130.206

You can create a DENY rule in ISA including poczta.onet.pl as part of a URLSet or a Domain Name Set, and all requests to that FQDN should yield the desired result (the user is not able to access). However, the user is able to perform an nslookup on the FQDN in question and obtain the IP. Retry the request with the IP rather than the FQDN and ISA allows it through.

In the case of the host mentioned above, doing a reverse lookup on the IP yields the following result:

nslookup 213.180.130.206
Name: f8virt.onet.pl
Address: 213.180.130.206

You'll notice that the DNS record associated with the IP is not the host you're trying to block, therefore ISA's rules are working as expected.

This is just one scenario, but if you try to perform reverse lookups on IPs to see if they match the FQDN you would normally send in an HTTP request, more often than not the reverse lookup will not match the FQDN. There are many reasons for this: virtual hosted web environments, DNS mis-administration, etc.

You may want to re-think your strategy and purchase a 3rd party URL filtering plugin for ISA.
|
|
|
|
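The behaviour described in the post above, as a simplified model (an added example, not part of the original thread and not ISA Server's own rule engine): ordered FQDN rules are compared against the PTR name when the request host is an IP literal, so the deny on poczta.onet.pl never matches. The rule lists, the `PTR` table and the `block_ip_literals` option are assumptions made for illustration; only the host names and the address come from the thread.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed reverse-DNS table; the single entry is the lookup quoted in the thread.
PTR = {"213.180.130.206": "f8virt.onet.pl"}

# Ordered rules modelled on the thread: Enterprise deny first, then Firewall allow.
RULES = [
    ("deny", ["poczta.onet.pl"]),
    ("allow", ["*.pl", "*.com"]),
]

def is_ip_literal(host):
    """True when the request host is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6 literals in URLs
        return True
    except ValueError:
        return False

def name_for_matching(host, ptr=PTR):
    """Name the rules are compared against: the host itself, or its PTR name for an IP."""
    if is_ip_literal(host):
        return ptr.get(host.strip("[]"))  # None when no PTR record exists
    return host.lower().rstrip(".")

def evaluate(host, rules=RULES, block_ip_literals=False):
    """Return (action, reason) for the first matching rule; default deny otherwise."""
    # Hypothetical policy switch (not an ISA setting): refuse IP-literal hosts outright.
    if block_ip_literals and is_ip_literal(host):
        return ("deny", "ip-literal host")
    name = name_for_matching(host)
    if name is not None:
        for action, patterns in rules:
            for pat in patterns:
                if fnmatch(name, pat):
                    return (action, f"{pat} matched {name}")
    return ("deny", "default rule")

def audit(hosts):
    """Hosts allowed only because an IP literal was matched under its PTR name."""
    return [h for h in hosts if is_ip_literal(h) and evaluate(h)[0] == "allow"]
```

Running `audit` over the host field of proxy log entries lists the IP-literal requests that a name-based deny rule did not cover.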
RE: Block browsing by typing IP in browser - 31.Jan.2008 3:47:17 AM
|
|
|
skisiel77
Posts: 5
Joined: 28.Jan.2008
Status: offline
|
OK. Thanks a lot. I assume this can happen with a number of hosts. I understand now this is a DNS issue. I can nslookup all disallowed IPs and put them into a blocking rule, but it may not be efficient. Is there any other way to solve this problem with ISA? Which 3rd party utility do you have in mind?
< Message edited by skisiel77 -- 31.Jan.2008 3:48:43 AM >
|
|
|
|
RE: Block browsing by typing IP in browser - 31.Jan.2008 8:44:22 AM
|
|
|
abqtech
Posts: 216
Joined: 9.Mar.2004
Status: offline
|
As far as third party filters go... I'm most familiar with Websense. But there are others, such as SurfControl and GFI WebMonitor.
|
|
|
|