Posts: 7
Joined: 27.Mar.2006
From: the Netherlands
Status: offline
Hello,
I have a problem with ISA 2004: if I configure an access rule to block video content, ISA Server ignores this rule and allows video most of the time.
I use ISA as a proxy solution and the only thing this server must do is control the outbound web and FTP access for our domain users. Everyone who is a member of Users_WWW is permitted to use HTTP and HTTPS, but nobody is permitted to use video content.
I use 3 rules to accomplish this:
- deny video to all
- allow HTTP & HTTPS for Users_WWW
- deny HTTP, HTTPS & FTP for all
- default deny
The rules have the following configuration.
1. Name: Deny Video for All
   Action: Deny
   Protocols: HTTP
   From: all Networks
   To: all Networks
   Condition: All users Video
2. Name: Allow HTTP & HTTPS for Users_WWW
   Action: Allow
   Protocols: HTTP & HTTPS
   From: all Networks
   To: all Networks
   Condition: Users_WWW
3. Name: deny HTTP, HTTPS & FTP for all
   Action: deny
   Protocols: HTTP, HTTPS & FTP
   From: all Networks
   To: all Networks
   Condition: All users
When I use Windows Media Player I can open video streams most of the time. If I look in the logging I see the following happen: first I see an allow from rule 2, then two denies from rule 1, and then an allow from rule 2. And the media player starts playing the video.
If I change the content types in the Allow HTTP & HTTPS for Users_WWW rule to selected content types, with all content types selected except video, it is not possible to watch video streams any more. But there is another problem: OWA isn’t working anymore, and some sites like Gmail are also broken.
So I now have the choice between watching video and breaking OWA.
Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
- deny video to all
- allow HTTP & HTTPS for Users_WWW
- deny HTTP, HTTPS & FTP for all
- default deny
First of all, you don't need the 2nd rule because the first rule is for a specified group of users; all the users that are not included in this group will get to the last default rule, so remove Rule #2.
Now, to deny video and audio, create a Deny rule above the first Allow rule.
   Action: Deny
   Protocols: All Outbound Protocols
   From: Internal
   To: External
   Condition: All Users
   Content Type: Audio, Video
To make sure that your audio and video are blocked, right-click your Allow rule > Configure HTTP > Extension Tab, then add the extensions you want to block, like .wmv and .rm and so on.
Posts: 7
Joined: 27.Mar.2006
From: the Netherlands
Status: offline
I need the 2nd rule because that’s the only allow rule. It is also the only rule with a specific group on it. And I know that the 3rd rule isn’t necessary in this scenario because the 4th rule is the default deny rule. But I need to allow some additional things if this is working.
And the rule you suggested to create is the same as my first rule. The only difference is that I don’t block audio and I use all networks, because this server is unihomed. I have tested this with the Internal-External combination without result.
I have already added the .wmv extension to the video content list. And I test with a .wmv file from channel9.msdn.com.
So effectively I have these rules:
- deny video to all
- allow http & https for Users_WWW
- deny all
Posts: 7
Joined: 27.Mar.2006
From: the Netherlands
Status: offline
I don't need to benefit from 100% of the firewall functionality; this server is only a proxy server. There are other firewalls that protect the network from the outside. This server only needs to enforce our usage policies for the users and give some benefit from the caching.
So these are the rules we use:
1. Name: Deny Video for All
   Action: Deny
   Protocols: HTTP
   From: all Networks
   To: all Networks
   Condition: All users
   Content Type: Video
2. Name: Allow HTTP & HTTPS for Users_WWW
   Action: Allow
   Protocols: HTTP & HTTPS
   From: all Networks
   To: all Networks
   Condition: Users_WWW
3. Name: deny HTTP, HTTPS & FTP for all
   Action: deny
   Protocols: HTTP, HTTPS & FTP
   From: all Networks
   To: all Networks
   Condition: All users
4. The default deny rule.
And this is the log entry from this action.
| Log Time | Destination IP | Destination Port | Protocol | Action | Rule | Client IP |
|---|---|---|---|---|---|---|
| 3/27/2006 11:23:45 AM | IP-ISAServer | 80 | http | Failed Connection Attempt | | Client-IP |
| 3/27/2006 11:23:45 AM | 207.46.249.94 | 80 | http | Allowed Connection | Allow HTTP & HTTPS for ProxyUsers_WWW | Client-IP |
| 3/27/2006 11:23:45 AM | 207.46.249.94 | 80 | http | Denied Connection | Deny Video for All | Client-IP |
| 3/27/2006 11:23:46 AM | 207.46.131.136 | 80 | http | Denied Connection | Deny Video for All | Client-IP |
| 3/27/2006 11:23:46 AM | IP-ISAServer | 80 | http | Denied Connection | | Client-IP |
| 3/27/2006 11:23:46 AM | IP-ISAServer | 80 | http | Failed Connection Attempt | | Client-IP |
| 3/27/2006 11:23:52 AM | IP-ISAServer | 80 | http | Denied Connection | | Client-IP |
| 3/27/2006 11:23:52 AM | 207.46.249.94 | 80 | http | Failed Connection Attempt | Allow HTTP & HTTPS for ProxyUsers_WWW | Client-IP |
| 3/27/2006 11:23:33 AM | IP-ISAServer | 80 | http | Denied Connection | | Client-IP |
| 3/27/2006 11:23:52 AM | IP-ISAServer | 80 | http | Failed Connection Attempt | | Client-IP |
You see some allows and some denies but the video is still running.
(I can send you the complete log, because it doesn't fit in this window.)
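
An added example, not part of the original posts: a small Python triage of the log rows quoted above that groups entries per client and destination and reports destinations where the video deny rule fired while an allow rule also passed traffic. The pipe-separated layout and the function names are assumptions made for illustration; `IP-ISAServer` and `Client-IP` are the poster's own placeholders.

```python
from collections import defaultdict

# Rows transcribed from the post's log; pipe-separated here for parsing
# (an assumed layout, not the ISA log viewer's export format).
LOG = """\
3/27/2006 11:23:45 AM|IP-ISAServer|80|http|Failed Connection Attempt||Client-IP
3/27/2006 11:23:45 AM|207.46.249.94|80|http|Allowed Connection|Allow HTTP & HTTPS for ProxyUsers_WWW|Client-IP
3/27/2006 11:23:45 AM|207.46.249.94|80|http|Denied Connection|Deny Video for All|Client-IP
3/27/2006 11:23:46 AM|207.46.131.136|80|http|Denied Connection|Deny Video for All|Client-IP
3/27/2006 11:23:46 AM|IP-ISAServer|80|http|Denied Connection||Client-IP
3/27/2006 11:23:46 AM|IP-ISAServer|80|http|Failed Connection Attempt||Client-IP
3/27/2006 11:23:52 AM|IP-ISAServer|80|http|Denied Connection||Client-IP
3/27/2006 11:23:52 AM|207.46.249.94|80|http|Failed Connection Attempt|Allow HTTP & HTTPS for ProxyUsers_WWW|Client-IP
3/27/2006 11:23:33 AM|IP-ISAServer|80|http|Denied Connection||Client-IP
3/27/2006 11:23:52 AM|IP-ISAServer|80|http|Failed Connection Attempt||Client-IP
"""

FIELDS = ("time", "dest", "port", "protocol", "action", "rule", "client")

def parse(text):
    """Turn pipe-separated log lines into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def verdicts_by_destination(rows):
    """Map (client, destination) -> {action: set of rule names}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in rows:
        rule = r["rule"] or "(no rule logged)"
        out[(r["client"], r["dest"])][r["action"]].add(rule)
    return out

def mixed_verdicts(rows, deny_rule):
    """Destinations where deny_rule fired and some rule also allowed traffic."""
    hits = []
    for (client, dest), actions in verdicts_by_destination(rows).items():
        denied = deny_rule in actions.get("Denied Connection", set())
        allowed_by = actions.get("Allowed Connection", set())
        if denied and allowed_by:
            hits.append((client, dest, sorted(allowed_by)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in mixed_verdicts(parse(LOG), "Deny Video for All"):
        print("deny and allow seen for the same destination:", hit)
```
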
I hope you are fine. I need your help with an issue blocking specific website video content in ISA Server 2006. When I use the HTTP Filter, all video streaming is blocked. I want to block just specific websites' video content, like YouTube or Facebook.
I have made rules to block YouTube for users on my network; when I apply the selected content rule, it conflicts with the main rule of "ALLOW".