Problem with blocking video content (Full Version)

All Forums >> [ISA Server 2004 Cache] >> General



Message


mklomp -> Problem with blocking video content (27.Mar.2006 1:58:00 PM)

Hello,
 
Iíve a problem with ISA 2004, if I configure an access rule to block video content. ISA server ignores this rule and allows video most of the time.
 
I use ISA as a proxy solution and the only thing this server must do is control the outbound web and ftp access for or domain user. Everyone who is a member of the Users_WWW is permitted to use HTTP and HTTPS, but nobody is permitted to use video content.
 
I use 3 rules to accomplish this:
 

deny video to all
allow HTTP & HTTPS for Users_WWW
deny HTTP, HTTPS & FTP for all
default deny
 
The rules have the following configuration.
 
1.
Name: Deny Video for All
Action: Deny
Protocols: HTTP
From: all Networks
To: all Networks
Condition: All users
                  Video
 
2.
Name: Allow HTTP & HTTPS for Users_WWW
Action: Allow
Protocols: HTTP & HTTPS
From: all Networks
To: all Networks
Condition: Users_WWW
 
3.
Name: deny HTTP, HTTPS & FTP for all
Action: deny
Protocols: HTTP, HTTPS & FTP
From: all Networks
To: all Networks
Condition: All users
 
 
 
When I use the windows media player I can open video streams most of the time. If I look in logging I see the following happens. First I see an allow from rule 2 then two denies from rule 1 and then an allow from rule 2.
And the media player starts playing the video.
 
If I change the content types in the Allow HTTP & HTTPS for Users_WWW
Rule to selected content types with al content types selected except video. It is not possible to watch video streams any more. But there is another problem, OWA isnít working anymore. And some sites like gmail are also broken.
 
So I have now the choice between watching video and breaking OWA.
 




elmajdal -> RE: Problem with blocking video content (27.Mar.2006 5:29:01 PM)

quote:

deny video to all
allow HTTP & HTTPS for Users_WWW
deny HTTP, HTTPS & FTP for all
default deny


first if all , u dont need the 2nd rule cuz the first rule is for a specified group of users , all the users that are not included in this group will get to the last defualt rule, so remove Rule # 2.

now to deny video and audio, create a Deny rule above the first allow Rule.

Action : Deny
Protocols :All Outbound Protocols
From : Internal
To : External
Condition: All Users
Content Type : Audio Video


to make sure that ur audio and video is block , on ur Allow Rule , right click it > Configure Http > Extension Tab > then add the extension u want to block , like .wmv and .rm and so on.


HTH




mklomp -> RE: Problem with blocking video content (28.Mar.2006 9:17:13 AM)

I need the 2nd rule because thatís the only allow rule. It is also the only rule with a specific group on it.
And I know that the 3rd rule isnít necessary in this scenario because the 4th rule is the default deny rule. But I need to allow some additional things if this is working.
 
And the rule you suggested to create is the same as my first rule.  The only difference is that I donít block audio and I use all networks, because this server is unihomed. I have tested this with the internal- external combination without result.
 
I has already added the .wmv extension to the video content list. And I test with a .wmv file from channel9.msdn.com
 
So effective I have this rules.

deny video to all
allow http & https for Users_WWW
deny all
 




elmajdal -> RE: Problem with blocking video content (28.Mar.2006 9:44:29 AM)

quote:

deny video to all
allow HTTP & HTTPS for Users_WWW
deny HTTP, HTTPS & FTP for all
default deny


i was pointing to the above red line as ur 2nd rule . i didnt understand what is made in the green line.

in the end
quote:

because this server is unihomed
, no effective firewall can be with one NIC , install 2 second NIC to you ISA to benefit from its Firewall Functionality 100%




mklomp -> RE: Problem with blocking video content (28.Mar.2006 10:18:01 AM)

I don't need to benefit from 100% of the firewall functionality's this server is only a proxy server. There are other firewall's that protect the network from the outside. This server only needs to enforce or usage policy's for the users and give some benefit from the caching.
 
So these are the rules we use:
 
1.
Name: Deny Video for All
Action: Deny
Protocols: HTTP
From: all Networks
To: all Networks
Condition: All users
Content Type: Video
 
2.
Name: Allow HTTP & HTTPS for Users_WWW
Action: Allow
Protocols: HTTP & HTTPS
From: all Networks
To: all Networks
Condition: Users_WWW
 
3.
Name: deny HTTP, HTTPS & FTP for all
Action: deny
Protocols: HTTP, HTTPS & FTP
From: all Networks
To: all Networks
Condition: All users
 
4.
The default deny rule.
 
 
And this is the log entry from this action.
 

Log Time Destination IP Destination Port Protocol Action Rule Client IP 
3/27/2006 11:23:45 AM IP-ISAServer   80   http   Failed Connection Attempt      Client-IP
3/27/2006 11:23:45 AM 207.46.249.94   80   http   Allowed Connection Allow   HTTP & HTTPS for ProxyUsers_WWW   Client-IP
3/27/2006 11:23:45 AM 207.46.249.94   80   http   Denied Connection   Deny Video for All   Client-IP
3/27/2006 11:23:46 AM 207.46.131.136   80   http   Denied Connection   Deny Video for All   Client-IP
3/27/2006 11:23:46 AM IP-ISAServer    80    http    Denied Connection     Client-IP
3/27/2006 11:23:46 AM IP-ISAServer    80    http    Failed Connection Attempt     Client-IP
3/27/2006 11:23:52 AM IP-ISAServer    80    http    Denied Connection        Client-IP
3/27/2006 11:23:52 AM 207.46.249.94    80    http    Failed Connection Attempt    Allow HTTP & HTTPS for ProxyUsers_WWW   Client-IP
3/27/2006 11:23:33 AM IP-ISAServer    80    http    Denied Connection        Client-IP
3/27/2006 11:23:52 AM IP-ISAServer    80    http    Failed Connection Attempt        Client-IP

You see some allows and some denies but the video is still running.
 
(i can send you the complete log, because it doesn't fit in this window.)




mklomp -> RE: Problem with blocking video content (6.Apr.2006 10:40:40 AM)

I know pretty sure the rules are right, and still it doesnít work. Is this a bug in ISA or is it a hidden feature?????[:(]




kmanig -> RE: Problem with blocking video content (3.May2007 3:58:35 AM)

MKLOMP

there is a bug in ISA 2004. try as below and it should work

1.
Name: Deny Video for All
Action: Deny
Protocols: HTTP
From: all Networks
To: all Networks
Condition: All users
content : Text , Video

Yes Content should be Text and video Both. It must work this worked for top10virals(dot)com. Tried with youtube , metacafe also. worked fine
-Kmanig




nafeeskhan -> RE: Problem with blocking video content (26.Jul.2010 8:20:32 AM)

Dear Sir,

I hope you would be fine.
I need ur help in an issue for blocking specific website VIDEO content in ISA SERVER 2006. When i Use Http Filter the whole video streaming is blocked. I want to block just specific website video content to be blocked; like youtube or facebook.

I have made rules to block youtube of users on my network; when i apply the selected content rule' it conflicts with the main rule of "ALLOW"

Waiting for ur response

Regards,




Page: [1]