Welcome to ISAserver.org

Domain Sets

Domain Sets - 15.Oct.2006 10:14:08 AM   
accordnh

 

Posts: 1
Joined: 15.Oct.2006
Status: offline
I'm setting up domain sets to block access to certain sites and have one problem.  According to some of the articles I have seen on this web site as well as others, if I want to block access to an entire domain I should list it with the *.

For example, to block any access to 1-800onlinecasino.com I should enter the domain as *.1-800onlinecasino.com

This does work if the user goes to www.1-800onlinecasino.com but does not prevent them from going to 1-800onlinecasino.com

If I want to block that I need to enter another domain in my ISA domain set as 1-800onlinecasino.com without the *.

It appears that Microsoft says the same thing in one of their tech tips:
Using URL and Domain Name Sets in ISA Server 2004
http://www.microsoft.com/technet/isa/2004/plan/faq-urldomainnamesets.mspx
Domain Sets
When you create a domain with a wildcard character, such as *.microsoft.com, this only includes host computers at the domain, for example www.microsoft.com, ftp.microsoft.com. Note that if the domain name points to a host, *.microsoft.com will have no effect on the URL http://Microsoft.com.

So my question is, do I really need to be entering the name in twice with and without the * or am I missing something?

Thanks in advance,

Dan
Post #: 1
RE: Domain Sets - 15.Oct.2006 10:57:40 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

So my question is, do I really need to be entering the name in twice with and without the * or am I missing something?


Try *microsoft.com  only



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to accordnh)
Post #: 2
RE: Domain Sets - 24.Oct.2006 10:41:51 AM   
itadmin

 

Posts: 30
Joined: 21.Jul.2006
Status: offline
Thanks for posting this.  I went back and cleaned up my access lists.  I have had similar issues in the past.

One question.... Doesn't this leave an opening for a malware writer to use ihatemicrosoft.com or something like that to circumvent the web filtering on ISA?  *.microsoft.com at least guarantees that it will cover only the Microsoft domain.  I guess you would be forced to put *.domain.com and domain.com for every domain if you wanted to be really careful. 

(in reply to elmajdal)
Post #: 3
RE: Domain Sets - 24.Oct.2006 1:18:12 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

Doesn't this leave an opening for a malware writer to use ihatemicrosoft.com or something like that to circumvent the web filtering on ISA?

Yes, this sometimes occurs.
In my block rules I add an exception list, and I include in it the sites that were blocked because their domain name is part of another illegal website.
Ex.: *microsoft.com gets blocked because of ihatemicrosoft.com.

So create a domain name set, name it Trusted_sites for example, and include in it the sites that got blocked.





_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to itadmin)
Post #: 4
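
The three entry forms discussed in this thread, compared side by side in an added example that is not part of any post and is not ISA Server's own code. The matching semantics are assumed from the posts and the quoted Microsoft note; all function names and the probe host names are constructed for illustration.

```python
# Added example: a model of the matching described in this thread,
# not ISA Server's own implementation. Entry semantics are assumptions.

def normalize(name):
    """Lower-case and drop a trailing root dot ('Example.COM.' -> 'example.com')."""
    return name.strip().lower().rstrip(".")

def entry_matches(entry, host):
    """Match one domain-set entry against a requested host name.

    '*.example.com' : hosts under the domain, but not the bare domain
    '*example.com'  : any name ending in that text, ignoring label boundaries
    'example.com'   : that exact name only
    """
    entry, host = normalize(entry), normalize(host)
    if entry.startswith("*"):
        # '*.x' keeps the dot in the suffix; '*x' does not, so it over-matches.
        return host.endswith(entry[1:])
    return host == entry

def set_matches(entries, host):
    return any(entry_matches(e, host) for e in entries)

def strict_entries(domain):
    """Both entries needed to cover a domain and its hosts, and nothing else."""
    d = normalize(domain)
    return [d, "*." + d]

def is_blocked(block_set, trusted_set, host):
    """Deny rule with an exception set, like the Trusted_sites set in post 4."""
    return set_matches(block_set, host) and not set_matches(trusted_set, host)

def audit(entries, hosts):
    """Return the probe hosts an entry list matches, to review before deploying."""
    return [h for h in hosts if set_matches(entries, h)]

# Constructed probe names built from the domains used in the thread.
PROBES = ["microsoft.com", "www.microsoft.com", "ihatemicrosoft.com"]

if __name__ == "__main__":
    for entries in (["*.microsoft.com"], ["*microsoft.com"],
                    strict_entries("microsoft.com")):
        print(entries, "->", audit(entries, PROBES))
```

Running an audit like this over a list of known-good and known-bad names before changing a domain set shows which entries miss the bare domain and which ones catch unrelated names.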
