
Welcome to ISAserver.org


Blocking website

Blocking website - 26.Jun.2006 2:49:59 PM   
drumtrav

 

Greetings.  I am new to ISA server 2004 and I have been given a task to allow and deny certain websites and internet access to certain users.

I have successfully configured denying HTTP traffic to the internet for a group called support users.  However, I need to add an exception to the rule so that support users can access a site called factor.webex.com.  I created the rule to allow access to the URL and the ISA is denying access to it.  This is configured as a back firewall.  ISA is loaded on a Windows 2003 server and is not a member of the AD.  DNS is configured and pointed to the DC.  Here are the log files:

FCTRISA    - -  - - - - 1 4513 238 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  0x4 Web Proxy Filter 

6/26/2006 7:35:28 AM 10.0.0.33 8080 http Denied Connection Support Allow webex 10.0.5.1 anonymous Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0x800
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 536 338 5  0x4 Web Proxy Filter 

6/26/2006 7:35:28 AM 10.0.0.33 8080 http Failed Connection Attempt Support Allow Webex 10.0.5.1 anonymous Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0x880
10.0.5.1   FCTRISA - -         0 0 0  0x0 Firewall 

6/26/2006 7:35:29 AM 10.0.0.33 8080 Unidentified IP Traffic Initiated Connection  10.0.5.1  Internal Local Host - -   TCP - 4086 0x0  0x0
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA   Internet - -  - - - - 20950 4248 482 10065  0x4 Web Proxy Filter 

6/26/2006 7:35:49 AM 64.68.120.155 80 http Failed Connection Attempt Support Allow Webex 10.0.5.1 FACTOR\isauser Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0xc0
10.0.5.1   FCTRISA - -         0 0 0  0x0 Firewall 

1 4513 381 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  0x0 Web Proxy Filter 

6/26/2006 7:36:56 AM 10.0.0.33 8080 http Denied Connection Support Allow Webex 10.0.5.1 anonymous Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0x800
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 536 481 5  0x0 Web Proxy Filter 

6/26/2006 7:36:56 AM 10.0.0.33 8080 http Failed Connection Attempt Support Allow Webex 10.0.5.1 anonymous Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0x880
10.0.5.1   FCTRISA - -         0 0 0  0x0 Firewall 

6/26/2006 7:36:57 AM 10.0.0.33 8080 Unidentified IP Traffic Initiated Connection  10.0.5.1  Internal Local Host - -   TCP - 4087 0x0  0x0
10.0.5.1   FCTRISA - -         88126 1506 9785  0x0 Firewall 

6/26/2006 7:36:57 AM 10.0.0.33 8080 Unidentified IP Traffic Closed Connection  10.0.5.1  Internal Local Host - -   TCP - 4086 0x80074e20  0x0
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA   Internet - -  - - - - 21030 4248 625 10065  0x0 Web Proxy Filter 

6/26/2006 7:37:17 AM 64.68.120.155 80 http Failed Connection Attempt Support Allow Webex 10.0.5.1 FACTOR\isauser Internal Webex Site GET http://factor.webex.com/ Proxy factor.webex.com TCP  0  0xc0
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA    - -  - - - - 1 4306 456 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 FACTOR\isauser Internal External GET http://sea.search.msn.com/dnserror.aspx?FORM=DNSAS&q=factor.webex.com Proxy sea.search.msn.com TCP  0  0x880
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA   Internet - -  - - - - 180 577 751 302  0x40020000 Web Proxy Filter 

6/26/2006 7:37:18 AM 63.218.23.153 80 http Allowed Connection Support Allow Webex 10.0.5.1 FACTOR\isauser Internal External GET http://auto.search.msn.com/response.asp?MT=factor.webex.com&srch=3&prov=&utf8 Proxy auto.search.msn.com TCP  0  0xc80
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 536 607 5  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Failed Connection Attempt Support Allow Webex 10.0.5.1 anonymous Internal External GET http://auto.search.msn.com/response.asp?MT=factor.webex.com&srch=3&prov=&utf8 Proxy auto.search.msn.com TCP  0  0x880
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 4513 507 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Allow Webex 10.0.5.1 anonymous Internal External GET http://auto.search.msn.com/response.asp?MT=factor.webex.com&srch=3&prov=&utf8 Proxy auto.search.msn.com TCP  0  0x800
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA    - -  - - - - 1 4306 641 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 FACTOR\isauser Internal External GET http://www.factor.webex.com.edu/ Proxy www.factor.webex.com.edu TCP  0  0x80
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 536 497 5  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Failed Connection Attempt Support Deny 10.0.5.1 anonymous Internal External GET http://www.factor.webex.com.edu/ Proxy www.factor.webex.com.edu TCP  0  0x80
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 60 4513 397 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 anonymous Internal External GET http://www.factor.webex.com.edu/ Proxy www.factor.webex.com.edu TCP  0  0x0
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA    - -  - - - - 1 4306 641 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 FACTOR\isauser Internal External GET http://www.factor.webex.com.net/ Proxy www.factor.webex.com.net TCP  0  0x80
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 10 536 497 5  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Failed Connection Attempt Support Deny 10.0.5.1 anonymous Internal External GET http://www.factor.webex.com.net/ Proxy www.factor.webex.com.net TCP  0  0x80
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 100 4513 397 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 anonymous Internal External GET http://www.factor.webex.com.net/ Proxy www.factor.webex.com.net TCP  0  0x0
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Yes FCTRISA    - -  - - - - 1 4306 641 12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 Web Proxy Filter 

6/26/2006 7:37:18 AM 10.0.0.33 8080 http Denied Connection Support Deny 10.0.5.1 FACTOR\isauser Internal External GET http://www.factor.webex.com.org/ Proxy www.factor.webex.com.org TCP  0  0x880
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) No FCTRISA    - -  - - - - 1 536 497 5  0x0 Web Proxy Filter 

Post #: 1
RE: Blocking website - 27.Jun.2006 2:45:21 AM   
tshinder

 

Hi Drum,

Join the ISA firewall to the AD.

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drumtrav)
Post #: 2
RE: Blocking website - 27.Jun.2006 2:16:44 PM   
drumtrav

 

ISA server already is a domain member. 

After playing around with the configuration yesterday, I noticed that I keep getting the 10065 error message consistently.  Why would I get the host is unreachable message?  If I disable the firewall service on the ISA server, I can connect to the URL fine.  What really drives me crazy is that other exceptions, like Google's and CNN's URLs, work fine.  There is just something weird about factor.webex.com.

Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The host server is unreachable. (10065)
IP Address: 64.68.120.155
Date: 6/26/2006 9:00:16 PM
Server: fctrisa.factor.local
Source: proxy

(in reply to tshinder)
Post #: 3
RE: Blocking website - 27.Jun.2006 3:36:04 PM   
tshinder

 

Hi Drum,

WHOA! If you disable the firewall service on the ISA firewall you shouldn't be able to reach anything.

This may be a significant clue to what the problem is.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drumtrav)
Post #: 4
RE: Blocking website - 27.Jun.2006 4:01:28 PM   
drumtrav

 

Sorry, I should have explained how this is set up.  We are trying to "test" the ISA server in our environment.  We currently have a Cisco PIX firewall doing NAT that all the PCs are using for the default gateway.  The ISA server is configured as a "back firewall" using a single NIC.  As everything is, we can go to the webex site and start our support sessions.  With the ISA server acting as a firewall/proxy, I am getting the host unreachable error.

(in reply to tshinder)
Post #: 5
RE: Blocking website - 4.Jul.2006 4:22:31 PM   
tshinder

 

Hi Drum,

OK, so the basic design is broken. How can the ISA firewall be a firewall with a single NIC?

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to drumtrav)
Post #: 6
