
Discussion of the Using ISA Domain Name Sets for Internet Access Control

Discussion of the Using ISA Domain Name Sets for Intern... - 9.Jul.2004 5:58:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article Using ISA 2004 Firewall Domain Name Sets to Control Internet Access at http://isaserver.org/articles/2004domainnamesets.html.

Thanks!
Tom

[ July 09, 2004, 06:09 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion of the Using ISA Domain Name Sets for In... - 12.Jul.2004 4:36:00 AM   
josue_rojas

 

Posts: 4
Joined: 9.Jul.2004
From: Colombia, South America
Status: offline
Tom:

Thank you so much for this article.

I can finally understand a lot of things happening to my configuration, thanks to your explanation about the unauthenticated users' issues.

[Smile]

(in reply to tshinder)
Post #: 2
RE: Discussion of the Using ISA Domain Name Sets for In... - 12.Jul.2004 4:23:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Josue,

Thanks! Yes, it is a very confusing issue and not documented at all.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion of the Using ISA Domain Name Sets for In... - 14.Jul.2004 9:00:00 PM   
mmapplebeck

 

Posts: 4
Joined: 14.Jul.2004
From: Fredericton, New Brunswick, Canada
Status: offline
I was wondering if ISA 2004 allows for multiple wildcards in the domain name sets. I have a problem right now with staff members accessing inappropriate websites. Easy to create destination sets, however some of these sites use multiple domains such as *.com *.org etc. This is hard to keep up with. I would like to be able to block *.bad.* TIA for info.

(in reply to tshinder)
Post #: 4
RE: Discussion of the Using ISA Domain Name Sets for In... - 15.Jul.2004 10:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Since you're using Web protocols, you would use URL sets for this. You can use multiple wildcards with URL sets.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion of the Using ISA Domain Name Sets for In... - 15.Jul.2004 6:55:00 PM   
mmapplebeck

 

Posts: 4
Joined: 14.Jul.2004
From: Fredericton, New Brunswick, Canada
Status: offline
I am guessing that URL sets are a new feature of ISA 2004 as I am currently not able to do this with ISA 2000. Thanks for your help. I'll have to seriously look into pushing for an upgrade.

quote:
Originally posted by tshinder:
Hi Mark,

Since you're using Web protocols, you would use URL sets for this. You can use multiple wildcards with URL sets.

HTH,
Tom


(in reply to tshinder)
Post #: 6
RE: Discussion of the Using ISA Domain Name Sets for In... - 16.Jul.2004 8:50:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marc,

Yes, URL Sets are included with ISA 2004 firewalls only. There are a lot of great reasons to upgrade! That's just one of them.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion of the Using ISA Domain Name Sets for In... - 17.Nov.2004 3:30:00 PM   
paulmh_79

 

Posts: 2
Joined: 17.Nov.2004
Status: offline
Hi, I have recently implemented ISA2k4 in a school and have a URL set for banned urls. This works fine apart from the kids have found a way around it.
I have banned images.google.com but they can get around it by entering
images..google.com
or images.google..com
or images.google.com..

Any ideas?

(in reply to tshinder)
Post #: 8
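
Added example, not part of any poster's message and not ISA Server's own matching code: a Python sketch of why the three host-name variants in the post above can miss a rule for `images.google.com`, assuming the filter compares the host as typed, and how comparing a canonical form closes the gap. `BLOCKED_HOSTS`, `canonical_host` and `check_url` are hypothetical names, and the URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Hypothetical blocklist for illustration; not an ISA Server object.
BLOCKED_HOSTS = {"images.google.com"}


def canonical_host(host: str) -> str:
    """Lower-case the name and drop empty labels (doubled or trailing dots)."""
    return ".".join(label for label in host.lower().split(".") if label)


def check_url(url: str) -> dict:
    """Classify one request URL against BLOCKED_HOSTS.

    'naive' is an exact string comparison on the host as typed.
    'blocked' compares the canonical form instead.
    'noncanonical_match' marks a host that only matches after
    canonicalisation, which is worth writing to the log for review.
    """
    raw = urlsplit(url).hostname or ""
    canon = canonical_host(raw)
    naive = raw in BLOCKED_HOSTS
    blocked = canon in BLOCKED_HOSTS
    return {
        "host": raw,
        "canonical": canon,
        "naive": naive,
        "blocked": blocked,
        "noncanonical_match": blocked and not naive,
    }


# Constructed sample requests: the variants quoted in the post plus controls.
SAMPLE_URLS = [
    "http://images.google.com/imghp",
    "http://images..google.com/imghp",
    "http://images.google..com/imghp",
    "http://images.google.com../imghp",
    "http://www.google.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        r = check_url(url)
        print(f"{r['host']:22} naive={r['naive']!s:5} "
              f"blocked={r['blocked']!s:5} flag={r['noncanonical_match']}")
```

Only the first sample matches under the exact comparison; all four `images` variants match once the canonical form is compared, and `www.google.com` stays allowed.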
RE: Discussion of the Using ISA Domain Name Sets for In... - 17.Nov.2004 5:26:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Just ban:

*.google.com

HTH,
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion of the Using ISA Domain Name Sets for In... - 19.Nov.2004 3:01:00 AM   
TalonTSi

 

Posts: 1
Joined: 19.Nov.2004
Status: offline
quote:
Originally posted by tshinder:
Hi Mark,
Since you're using Web protocols, you would use URL sets for this. You can use multiple wildcards with URL sets.

HTH,
Tom

I'm having trouble with wildcards in URL Sets. It seems I can only use wildcards in front of words, not behind them. For example:

http://*camper.com will block www.happycamper.com
http://*happy*.com will NOT block www.happycamper.com

The wildcards aren't working the way I thought they would.

Any ideas/suggestions? [Confused]

--Darren.

(in reply to tshinder)
Post #: 10
RE: Discussion of the Using ISA Domain Name Sets for In... - 23.Nov.2004 3:10:00 PM   
paulmh_79

 

Posts: 2
Joined: 17.Nov.2004
Status: offline
Hi Tom, thanks for your reply.
The problem is that I do not want to ban Google altogether, just the images section. Is this problem a bug in the ISA Server software?

(in reply to tshinder)
Post #: 11
RE: Discussion of the Using ISA Domain Name Sets for In... - 5.Oct.2005 12:34:00 PM   
Guest
Hi, I have recently set up an ISA 2004 firewall, and I am having the opposite problem to what is defined in this article. I keep getting the 502 error message whenever I go to any site. What I want to be able to do is block any access to users not using the proxy server, but allow users with the proxy defined in their browser. I currently have no rule to allow outgoing access from the internal network - so that all outgoing access should go through the proxy server - but I keep getting the 502 error. There are no domain block rules, and I have even disabled the system rule to only allow access to Windows Update etc. The server can see the Internet fine.
I get 8080 - unidentified traffic - initiated connection errors in the log, as well as
8080 - http - denied...
Any help greatly appreciated!
Alex.

(in reply to tshinder)
  Post #: 12
RE: Discussion of the Using ISA Domain Name Sets for In... - 11.Jan.2006 6:37:37 PM   
KyleKartan

 

Posts: 59
Joined: 21.Oct.2003
From: New Hampshire
Status: offline
I believe you could set up an exception to the rule, i.e. block *.google.com EXCEPT for www. (etc)

I haven't done this personally, hopefully someone could tell me if I'm way off.

I also work for a school, I wish there was a way that I could enforce google safesearch. I wish that Google had a special site just for that.

(in reply to paulmh_79)
Post #: 13
RE: Discussion of the Using ISA Domain Name Sets for In... - 20.Apr.2006 2:54:19 PM   
maiqbal

 

Posts: 8
Joined: 12.Sep.2002
From: Karachi, Pakistan
Status: offline
Hi,

I have 10 remote destinations where my users need to access RDP and FTP. Nothing else is required to be configured on my ISA 2004. Is it possible that I create a destination set and allow all users to access it without any ports definition and deny all other destinations?

I understand the concept, but unfortunately I have destination IPs, not the URLs or domain names. Even though I tried to allow these destinations using Computer Sets, URLs, as well as Domain sets, I couldn't get any success. I think I need to create a Network for these destination IPs, what you say?

Thanks in advance.

Regards,
Muhammad Asif Iqbal

(in reply to tshinder)
Post #: 14
RE: Discussion of the Using ISA Domain Name Sets for In... - 21.Jun.2006 9:40:10 PM   
dephcon5

 

Posts: 1
Joined: 21.Jun.2006
Status: offline
Excellent Article. My question/concern is how do I apply Limiting a Group of Users to a Collection of Sites if my ISA server is of the single network adapter setup. I'm new to ISA, however there seems to be an issue here in that I must have the firewall rule that allows everyone from/to internal network set. But as soon as I define any exceptions the server allows NO access to anyone. Help!

(in reply to tshinder)
Post #: 15
RE: Discussion of the Using ISA Domain Name Sets for In... - 30.Aug.2006 9:46:44 AM   
srbaja

 

Posts: 6
Joined: 29.Aug.2006
Status: offline
Huh, many thanks for this article! I spent all weekend trying to figure out what is going on with my simple ISA 2004 configuration! Is this weird denying of unauthenticated users corrected in 2006 version? Or someone in MS thinks this is the way things should work?

(in reply to dephcon5)
Post #: 16
RE: Discussion of the Using ISA Domain Name Sets for In... - 30.Aug.2006 4:27:12 PM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi All

I'm returning to ISA after like over a year (ok, I've been hibernating) and after today's 2 hours of messing about with my ISA 2004 installation, I'm totally convinced my ISA (2000) skills have gotten a little rusty so I need a bit of help here.

First things first. This is my first experience with ISA 2004. I knew 2000 very well.. or so I think.

  • Can somebody tell me why my client machines that are configured as web proxy as well as firewall clients are being DENIED access as they're coming up as anonymous requests? Firewall clients AND web proxy client were supposed to pass user credentials implicitly and without a hitch ever, weren't they?
  • I've read Tom's article this discussion topic is about. I don't remember having to create an ALLOW DNS TO EVERYONE rule for web proxy and firewall clients (for NAT clients, of course yes) back in ISA 2000 days. ISA server resolves names for these clients, doesn't it?


I'm having a ball of a time doing a simple configuration here that involves:

  • Allowing some users OPEN access to the Internet
  • Allowing all users OPEN using in their lunch hours (lunch hours are different for different people)
  • Allow different user groups access to different sites they require (depending on their work department) at all times (including lunch hours)


This should be a pretty simple configuration to set up. However, the funny bit is the anonymous requests even though all my machines are set up as webproxy AND firewall clients. Another thing for the facts, some machines use the older ISA 2000 firewall client and some use the new 2004. I have absolutely no idea of the implications of this so please feel free to enlighten me.

I'll give an example of the funny bits.

FUNNY BIT 1:
For example, if I set up a rule that DENIES access to ALL protocols from INTERNAL network to (ALL sites EXCEPT *.google.com) for a user group that includes ONLY ME, why is someone logged in as PAUL denied access because of this rule even though his machine is configured as firewall client as well as webproxy client? ISA logs show it as an anonymous request and he is denied access to bbc.co.uk.

FUNNY BIT 2:
Another funny bit for those love to solve tricky ones. There's a group of users that is denied access to all sites except *.cclondon.com. These users are logged on to the domain and are configured as firewall as well as webproxy clients. When someone from this group opens www.cclondon.com, the website opens up but they are also presented with a user login prompt that asks for user name, password and domain. They put in their login details, it doesn't go away so they simply cancel it.

Then on, if they click any link on the website (I've made sure these are not links pointing to other sites) the same annoying login prompt comes up and doesn't accept anything to go away except the Cancel button which leaves the users where they were, the home page. They can't go any further.

I tried another funny thing. I right clicked the links and selected "Open in New Window". The target document opened up in the new window and the annoying login prompt also came back laughing in my face. I got rid of it by clicking cancel and could see the page I was initially unable to get to by simply left clicking the hyperlink.

Can anyone please explain this funny behaviour. Obviously ISA is not denying access to these pages as they open up when "opened in new window" so why can't we just open them by left clicking them without having that annoying login prompt coming up and smiling at me.

Thanks for reading through the long post. Any help will be appreciated very much. :)

Cheers

RedBull
Digital Dominance.

(in reply to srbaja)
Post #: 17
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 2:52:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi RB,

This is either a consulting gig or an article

I'll put the solution to this problem in an article that I'll get out in the next week or two. There's too much basic ISA 2004 knowledge to be covered here for a Web boards post. Have you read the book yet?

BTW -- you never need to allow outbound DNS for everyone, just your DNS server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mohsindabomb)
Post #: 18
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 9:40:29 AM   
srbaja

 

Posts: 6
Joined: 29.Aug.2006
Status: offline
Hello T.

I believe now (thanks to your articles mostly) I have my ISA2004 setup running properly (although I still have some users complaining why they can't listen to internet radio any more): installed FW clients, tuned automatic configuration, have usernames in my logs, don't have authentication pop-ups... But I need help (or pointer to an article) on one more issue: I need to allow unauthenticated http outbound access but still have usernames of authenticated users in my logs for all kinds of traffic. I tried putting 'http allow authenticated' rule first and 'http allow all' rule next, but (now) we all know how that ended; if I leave only 'allow unauthenticated' I have IP addresses in logs.... Any advice?

(in reply to tshinder)
Post #: 19
RE: Discussion of the Using ISA Domain Name Sets for In... - 31.Aug.2006 1:06:57 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Sr,

Why do you need unauthenticated access?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to srbaja)
Post #: 20
