Welcome to ISAserver.org
URL Set <> DNS problem

URL Set <> DNS problem - 6.Dec.2005 11:00:27 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

Hi,

Here is my network situation:

----internet----cable modem-----router------isa 2004 server-----gigabit switch connected with fileserver and clients

My ISA 2004 server has 2 NICs: 1 connected with the router, 1 connected with the gigabit switch.

The clients can all perfectly browse the internet. The DNS server has the forwarders of our ISP.

Now I want to block some websites. I created a new URL set with the sites I wanted to block. After that I created a new access rule with the URL set. Then I tried a client, which all have the Firewall Client installed, and I could reach the website specified in the URL set. (bad)

When I enter the IP address in the URL set the client cannot reach the website, which is what I want to accomplish. When I run a command prompt on the client and execute an nslookup to a domain I get the correct IP. I don't want to enter the IP of the site I want to block in the URL set, of course.

Anyone any suggestions? What do I have to check first? I'm pretty sure my DNS server works. The nslookup proves this??

Thanks

RE: URL Set <> DNS problem - 7.Dec.2005 12:05:35 AM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline

HMMmmm

Can you write out what your rule looks like please. Should look like...

example: Action=Deny, Protocols=http,https, From/listener=internal, To=*.spyware.com, Condition=all users

RE: URL Set <> DNS problem - 7.Dec.2005 8:09:41 AM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: Sunny.C
HMMmmm Can you write out what your rule looks like please. Should look like... example: Action=Deny, Protocols=http,https, From/listener=internal, To=*.spyware.com, Condition=all users

My rule is on top and is exactly like the rule above, except the "all users" is replaced with "authenticated users".

When I enter the IP address in the URL set it works; if I set the full domain name it doesn't work.

RE: URL Set <> DNS problem - 12.Dec.2005 6:25:53 AM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline

Can you ping the sites using the full name??? How is your DNS configured on your clients' end??? Try setting the rules to all users instead of authenticated users.

RE: URL Set <> DNS problem - 12.Dec.2005 10:28:57 AM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: Sunny.C
Can you ping the sites using the full name??? How is your DNS configured on your clients' end??? Try setting the rules to all users instead of authenticated users.

I cannot ping the full name because the ping command is blocked in the router. When I try to ping, for example, www.google.be it resolves the DNS name directly to 64.233.183.104.

Our domain controller is also the DNS server. The clients have the IP of the DC as first DNS.

I changed the rule to all users instead of auth. users but with the same result.

RE: URL Set <> DNS problem - 13.Dec.2005 12:10:46 AM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline

So if you block 64.233.183.104 it works???? But not if you use www.google.be???? Do you have a rule for your internal DNS server access out to external??? Do you get any errors in the logs?

RE: URL Set <> DNS problem - 13.Dec.2005 12:35:19 AM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

You need to use the web proxy client to allow this type of rule to work - this way, ISA will do the DNS lookup and hence be able to match the URL set correctly.

I am guessing at the moment that you are just pointing your default gateway to the ISA firewall and hence you only have SNAT client. Therefore, if the client does the DNS request on its own, it will then ask ISA to connect to the IP and hence your ruleset will need to have IPs, not names.

Configure your IE settings to use a proxy server and then test the URL sets again - it should now work!

Check out the articles on this website about different client types and the best ones to use...

HTH
JJ
_____________________________
Jason Jones (MVP)
Silversands Limited
http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/
Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: URL Set <> DNS problem - 18.Dec.2005 2:34:07 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: Sunny.C
So if you block 64.233.183.104 it works???? But not if you use www.google.be???? Do you have a rule for your internal DNS server access out to external??? Do you get any errors in the logs?

If I block 64.233.183.104 it works; if I block www.google.be it doesn't.

I have a rule for my internal DNS server to access out to external:

rule: allow dns query server > allow > dns & http > from/listener (computer: internal dns server) > to external > condition (administrators, all users, authenticated users)

I don't see any errors at this moment.

RE: URL Set <> DNS problem - 18.Dec.2005 2:42:27 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: Jasonjo
You need to use the web proxy client to allow this type of rule to work - this way, ISA will do the DNS lookup and hence be able to match the URL set correctly. I am guessing at the moment that you are just pointing your default gateway to the ISA firewall and hence you only have SNAT client. Therefore, if the client does the DNS request on its own, it will then ask ISA to connect to the IP and hence your ruleset will need to have IPs, not names. Configure your IE settings to use a proxy server and then test the URL sets again - it should now work! Check out the articles on this website about different client types and the best ones to use... HTH JJ

Thanks for the information.

IP configuration, for example:

DNS Server:
IP: 192.168.1.1
Smask: 255.255.255.0
GW: 192.168.1.4
1st DNS: 192.168.1.1
And forwarders installed @ DNS conf.

ISA Server:
IP: 192.168.1.4
Smask: 255.255.255.0
no gateway
1st DNS: 192.168.1.1

Client Computers:
IP: 192.168.1.100
Smask: 255.255.255.0
no gateway
1st DNS: 192.168.1.1

All the client computers have the Firewall Client installed.

Configuration Internet Explorer:
The Use of a proxy server: 192.168.1.4 port 8080 is checked
Do not use proxy server for internal addresses is checked

RE: URL Set <> DNS problem - 18.Dec.2005 11:34:57 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

I discovered something new:

I looked at the logging feature in ISA2K4. I entered www.google.be on a client and looked at the log. The connection was allowed, but in the last column where the URL is stated I see: http://66.249.93.104/

So it doesn't show http://www.google.be

Right under that rule I get 2 DNS requests:
1 from the ISA server to the internal DNS server
1 from the internal DNS server to External
Both are allowed.

RE: URL Set <> DNS problem - 19.Dec.2005 10:18:41 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: hellie_vti_1979
I discovered something new: I looked at the logging feature in ISA2K4. I entered www.google.be on a client and looked at the log. The connection was allowed, but in the last column where the URL is stated I see: http://66.249.93.104/ So it doesn't show http://www.google.be Right under that rule I get 2 DNS requests: 1 from the ISA server to the internal DNS server, 1 from the internal DNS server to External. Both are allowed.

Looks like this is resolved.

RE: URL Set <> DNS problem - 20.Dec.2005 4:51:47 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

quote:
ORIGINAL: Jasonjo
and the solution was???...

I don't have a solution for the main problem. I quoted another problem that has been resolved. But I still can't block URLs. Only IP addresses.

RE: URL Set <> DNS problem - 20.Dec.2005 9:17:05 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

I noticed some "dnsapi" errors in the system log of the ISA server:

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings:
Adapter Name : {adapter_ID}
Host Name : < host_name>
Adapter-specific Domain Suffix :
DNS server list : 192.168.1.1
Sent update to server : 255.255.255.255
IP Address : 192.168.1.4
The system could not remove these PTR RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone that requires update is not running.

Maybe this is a possible reason. I keep searching.

RE: URL Set <> DNS problem - 20.Dec.2005 10:51:54 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

I'm really freaking out now:

I created a new URL set. I add a website to the URL set >> http://vtm.be
I try it on a client and the ISA server blocks the site perfectly. I monitor it on the ISA machine and the rule is working perfectly.

I add another website to the URL set >> http://vrt.be
I try it on a client and it doesn't block the site.

So what the hell?

RE: URL Set <> DNS problem - 20.Dec.2005 10:56:30 PM
hellie_vti_1979
Posts: 22
Joined: 27.Nov.2004
From: Belgium
Status: offline

OK, it works if I enter http://*.vrt.be so problem resolved.
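
The two findings in this thread (a request logged as http://66.249.93.104/ that a name-based entry never matches, and http://vrt.be failing where http://*.vrt.be works) can be reproduced with a small model for auditing a deny list against logged URLs. This is an added example, not part of the original thread and not ISA Server's own matching code; the matching rule (exact host unless the entry starts with `*.`), the function names and the sample log URLs other than the IP quoted above are assumptions.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased host part of a URL or URL-set entry."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def entry_matches(entry: str, host: str) -> bool:
    """Assumed rule: '*.name' covers subdomains, anything else is an exact host."""
    pattern = host_of(entry)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix ".vrt.be" matches www.vrt.be
    return host == pattern


def audit(url_set, logged_urls):
    """Return (url, verdict) for each URL as it appears in the firewall log."""
    results = []
    for url in logged_urls:
        host = host_of(url)
        if any(entry_matches(entry, host) for entry in url_set):
            verdict = "denied"
        elif is_ip_literal(host):
            # The client resolved the name itself, so only the IP reached the firewall.
            verdict = "allowed: IP literal, name entries cannot match"
        else:
            verdict = "allowed: no entry covers this host"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    # Constructed log URLs; 66.249.93.104 is the address quoted in the thread.
    log = ["http://vtm.be/", "http://www.vrt.be/", "http://66.249.93.104/"]
    for name, url_set in [("before", ["http://vtm.be", "http://vrt.be", "http://www.google.be"]),
                          ("after", ["http://vtm.be", "http://*.vrt.be", "http://www.google.be"])]:
        for url, verdict in audit(url_set, log):
            print(f"{name:6} {url:26} {verdict}")
```

Requests that show up as IP literals stay allowed in both runs, which is the client-type issue Jason Jones describes rather than a problem with the URL set entries.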