I was wondering if ISA 2004 allows for multiple wildcards in the domain name sets. I have a problem right now with staff members accessing inappropriate websites. It's easy to create destination sets; however, some of these sites use multiple domains such as *.com, *.org, etc. This is hard to keep up with. I would like to be able to block *.bad.*. TIA for info.
Hi, I have recently implemented ISA2k4 in a school and have a URL set for banned URLs. This works fine apart from the fact that the kids have found a way around it. I have banned images.google.com but they can get around it by entering images..google.com or images.google..com or images.google.com..
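The two problems raised above (a multi-TLD wildcard such as *.bad.*, and the doubled-dot / trailing-dot bypass of a banned hostname) both come down to normalizing the requested hostname before matching it against the set. The following is an added example, not code from ISA Server or from the posters: it canonicalizes a hostname and then matches it against a constructed, illustrative blocklist using shell-style wildcards. The matching semantics (first match wins; "*.bad.*" does not cover the bare apex "bad.com", so a separate "bad.*" entry is included) are this example's own convention, not a statement of how ISA domain name sets behave.

```python
import re
from fnmatch import fnmatchcase
from typing import Optional

# Constructed, illustrative blocklist in the spirit of the posts above.
# Not a real ISA configuration; order matters because the first match wins.
BLOCKLIST = [
    "images.google.com",  # exact host the second poster banned
    "*.bad.*",            # multi-TLD wildcard the first poster asked for
    "bad.*",              # the apex itself, since "*.bad.*" needs a leading label
]


def normalize_host(host: str) -> str:
    """Canonicalize a hostname before it is compared with the blocklist.

    Covers the bypasses described above: runs of dots ("images..google.com"),
    a trailing dot ("images.google.com."), mixed case and stray whitespace.
    """
    host = host.strip().lower()
    host = re.sub(r"\.{2,}", ".", host)  # collapse "..", "..." to a single dot
    return host.strip(".")                # drop leading and trailing dots


def is_blocked(host: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist pattern that matches the normalized host, or None.

    fnmatchcase treats '*' as "any characters, dots included", so "*.bad.*"
    matches www.bad.com, www.bad.org and also deeper names like a.b.bad.net.
    """
    host = normalize_host(host)
    for pattern in blocklist:
        if fnmatchcase(host, pattern):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample requests, including the bypass forms from the post.
    for requested in ["images..google.com", "images.google.com..",
                      "IMAGES.Google.COM.", "www.bad.org", "bad.net",
                      "www.google.com", "bbc.co.uk"]:
        verdict = is_blocked(requested)
        print(f"{requested:24} -> {normalize_host(requested):20} "
              f"{'BLOCKED by ' + verdict if verdict else 'allowed'}")
```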
RE: Discussion of the Using ISA Domain Name Sets for In... - 5.Oct.2005 12:34:00 PM
Hi, I have recently set up an ISA 2004 firewall, and I am having the opposite problem to what is defined in this article. I keep getting the 502 error message whenever I go to any site. What I want to be able to do is block any access to users not using the proxy server, but allow users with the proxy defined in their browser. I currently have no rule to allow outgoing access from the internal network - so that all outgoing access should go through the proxy server - but I keep getting the 502 error. There are no domain block rules, and I have even disabled the system rule to only allow access to Windows Update etc. The server can see the internet fine. I get 8080 - unidentified traffic - initiated connection errors in the log, as well as 8080 - http - denied... Any help greatly appreciated! Alex.
I have 10 remote destinations where my users need to access RDP and FTP. Nothing else is required to be configured on my ISA 2004. Is it possible that I create a destination set and allow all users to access it without any port definitions and deny all other destinations?
I understand the concept, but unfortunately I have destination IPs, not the URLs or domain names. Even though I tried to allow these destinations using Computer Sets, URLs, as well as Domain sets, I couldn't get any success. I think I need to create a Network for these destination IPs; what do you say?
Excellent article. My question/concern is how do I apply Limiting a Group of Users to a Collection of Sites if my ISA server is of the single network adapter setup. I'm new to ISA; however, there seems to be an issue here in that I must have the firewall rule that allows everyone from/to the internal network set. But as soon as I define any exceptions the server allows NO access to anyone. Help!
Huh, many thanks for this article! I spent all weekend trying to figure out what is going on with my simple ISA 2004 configuration! Is this weird denying of unauthenticated users corrected in the 2006 version? Or does someone in MS think this is the way things should work?
I'm returning to ISA after like over a year (OK, I've been hibernating) and after today's 2 hours of messing about with my ISA 2004 installation, I'm totally convinced my ISA (2000) skills have gotten a little rusty, so I need a bit of help here.
First things first. This is my first experience with ISA 2004. I knew 2000 very well.. or so I think.
- Can somebody tell me why my client machines that are configured as web proxy as well as firewall clients are being DENIED access as they're coming up as anonymous requests? Firewall clients AND web proxy client were supposed to pass user credentials implicitly and without a hitch ever, weren't they?
- I've read Tom's article this discussion topic is about. I don't remember having to create an ALLOW DNS TO EVERYONE rule for web proxy and firewall clients (for NAT clients, of course yes) back in ISA 2000 days. ISA server resolves names for these clients, doesn't it?
I'm having a ball of a time doing a simple configuration here that involves:
- Allowing some users OPEN access to the Internet
- Allowing all users OPEN access in their lunch hours (lunch hours are different for different people)
- Allowing different user groups access to different sites they require (depending on their work department) at all times (including lunch hours)
This should be a pretty simple configuration to set up. However, the funny bit is the anonymous requests even though all my machines are set up as web proxy AND firewall clients. Another thing for the facts: some machines use the older ISA 2000 firewall client and some use the new 2004 one. I have absolutely no idea of the implications of this, so please feel free to enlighten me.
I'll give an example of the funny bits.
FUNNY BIT 1: For example, if I set up a rule that DENIES access to ALL protocols from INTERNAL network to (ALL sites EXCEPT *.google.com) for a user group that includes ONLY ME, why is someone logged in as PAUL denied access because of this rule even though his machine is configured as firewall client as well as webproxy client? ISA logs show it as an anonymous request and he is denied access to bbc.co.uk.
FUNNY BIT 2: Another funny bit for those who love to solve tricky ones. There's a group of users that is denied access to all sites except *.cclondon.com. These users are logged on to the domain and are configured as firewall as well as web proxy clients. When someone from this group opens www.cclondon.com, the website opens up, but they are also presented with a user login prompt that asks for user name, password and domain. They put in their login details, it doesn't go away, so they simply cancel it.
From then on, if they click any link on the website (I've made sure these are not links pointing to other sites) the same annoying login prompt comes up and doesn't accept anything to go away except the Cancel button, which leaves the users where they were, on the home page. They can't go any further.
I tried another funny thing. I right clicked the links and selected "Open in New Window". The target document opened up in the new window and the annoying login prompt also came back laughing in my face. I got rid of it by clicking cancel and could see the page I was initially unable to get to by simply left clicking the hyperlink.
Can anyone please explain this funny behaviour? Obviously ISA is not denying access to these pages, as they open up when "opened in new window", so why can't we just open them by left-clicking them without having that annoying login prompt coming up and smiling at me?
Thanks for reading through the long post. Any help will be appreciated very much. :)
I'll put the solution to this problem in an article that I'll get out in the next week or two. There's too much basic ISA 2004 knowledge to be covered here for a Web boards post. Have you read the book yet?
BTW -- you never need to allow outbound DNS for everyone, just your DNS server.
I believe now (thanks to your articles mostly) I have my ISA2004 setup running properly (although I still have some users complaining about why they can't listen to internet radio any more): installed FW clients, tuned automatic configuration, have usernames in my logs, don't have authentication pop-ups... But I need help (or a pointer to an article) on one more issue: I need to allow unauthenticated HTTP outbound access but still have usernames of authenticated users in my logs for all kinds of traffic. I tried putting the 'http allow authenticated' rule first and the 'http allow all' rule next, but (now) we all know how that ended; if I leave only 'allow unauthenticated', I have IP addresses in the logs... Any advice?