• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Block all websites except some approval websites

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Block all websites except some approval websites Page: [1]
Login
Message << Older Topic   Newer Topic >>
Block all websites except some approval websites - 19.Dec.2005 7:32:37 PM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
Dear All,

I installed ISA2004 and I would like to block all user to access http except some of the approval websites.

For example
block all websites except *.yahoo.com
Either I "URL Sets" or "Domain Name Sets", it is not successfully.

However, if I change it to allow all http except some of the denial websites

For example
allow all websites except *.yahoo.com
It is work and successfully to block yahoo.com

Now, I am wondering what 's wrong on this. In fact, the principle is the same. Why I cannot block all websites except some websites I allow to access.

I am new in ISA2004, Please explain what are the problems in this case and did I need to do something to make it work. Please detail the procedure.

Thanks everyone to reply in advance
Post #: 1
RE: Block all websites except some approval websites - 19.Dec.2005 8:04:02 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The answer is simple.  Rather than block all with exceptions, you need only allow specific sites.  By default, in absense of an allow rule, the last default rule denies.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jordan.pippen)
Post #: 2
RE: Block all websites except some approval websites - 20.Dec.2005 7:53:15 AM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
I know you mean, but that is what my question. I only allow yahoo.com, but it dont work. That why I ask this question.
Is it need to configure other parts that I miss?(I only set "URL Sets" and "Domain Name Sets")

Thanks and Regards

(in reply to LLigetfa)
Post #: 3
RE: Block all websites except some approval websites - 20.Dec.2005 2:44:47 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
If you only allow yahoo.com, it won't work.  What about DNS?  How are your clients supposed to resolve DNS?  You need rules to allow your internal DNS to forward to the external DNS.  You need to allow ISA to access DNS.

As I said, in absense of an allow rule,the default deny rule denies.  Watch the live log to see what is being denied and reason out your rules.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jordan.pippen)
Post #: 4
RE: Block all websites except some approval websites - 20.Dec.2005 6:17:55 PM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
In fact, I dont configure DNS at this moment. My purpose is to use ISA to do Web Proxy function.

Also, I found that my default rule block client to access some websites even I set the exception. Now I am wondering it is possible to set what I need?(Block all websites except some websites I allow to access) 

(in reply to LLigetfa)
Post #: 5
RE: Block all websites except some approval websites - 20.Dec.2005 7:22:19 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I don't get it.  What exception?  Are you creating allow rules or deny rules?

If you have the needed allow rules before the last default (deny) rule, it will never reach the deny rule.  If it is denying then obviously your rules are not crafted properly.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jordan.pippen)
Post #: 6
RE: Block all websites except some approval websites - 21.Dec.2005 2:16:50 AM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
The default rule is created by default. I mean I create a new deny rule with exception ( block all websites except *.yahoo.com as example), however, I found in the logging that the default rule block my proxy client to access yahoo.com


That being the case, I wonder why my new deny rule is not work and turn to the default rule????

(in reply to LLigetfa)
Post #: 7
RE: Block all websites except some approval websites - 21.Dec.2005 6:35:26 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I still don't get it.  Are you trying to allow with a deny rule?  Where is the allow rule?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jordan.pippen)
Post #: 8
RE: Block all websites except some approval websites - 21.Dec.2005 2:44:42 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Here is essentually what you are doing in human talk.

<ISA Rule Engine Begin>
OK...hmmm...not many requests for Internet access today....think I'll take a nap
zzzz.....
Oh?! Here's a HTTP request for www.yahoo.com
Let me check my rules
OK - I have one rule - let's see if the rule applies to this request
Protocol? HTTP - that's a match for this rule
Users? All Users - that's a match
Destination? External - that's a match
Hmmm - this rule has an exception for the Destination - *.yahoo.com. I'll skip this rule since that URL must be handled in a different rule
Next Rule - Hmmm... Default Deny?
o...k... Block the request
zzzzz........


You can see that it doesn't even check the Allow/Block condition - it doesn't matter - the Destination has been placed in the exceptions in this Deny rule so the rule doens't match. Implicit in that statement is that there is another rule in place to allow access to *.yahoo.com.

(in reply to LLigetfa)
Post #: 9
RE: Block all websites except some approval websites - 21.Dec.2005 6:19:26 PM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
To be simply, in fact, I just want block all proxy client to access all websites except yahoo.com, Can I do that? IF yes, how can I do?
Thanks

(in reply to ClintD)
Post #: 10
RE: Block all websites except some approval websites - 21.Dec.2005 6:27:35 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Simply create an allow rule just for yahoo.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jordan.pippen)
Post #: 11
RE: Block all websites except some approval websites - 22.Dec.2005 3:39:04 PM   
jordan.pippen

 

Posts: 8
Joined: 19.Dec.2005
Status: offline
oh, thanks, I get you mean

(in reply to LLigetfa)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Block all websites except some approval websites Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts