Block browsing by typing IP in browser

Block browsing by typing IP in browser - 28.Jan.2008 11:03:59 AM   
skisiel77

 

Posts: 5
Joined: 28.Jan.2008
Status: offline
I have created a few deny/allow rules and this part is working fine, but they can obey them typing IP addresses in their browsers.
I don't want to deny access to a specific IP.
Is there any way to block users from browsing the internet by typing an IP address (instead of a URL) directly into their browsers?
ISA 2006
Post #: 1
RE: Block browsing by typing IP in browser - 28.Jan.2008 12:50:52 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Do you want to block one specific IP, many IP's or all IP's?

(in reply to skisiel77)
Post #: 2
RE: Block browsing by typing IP in browser - 28.Jan.2008 2:19:00 PM   
skisiel77

 

Posts: 5
Joined: 28.Jan.2008
Status: offline
Generally I would like to block the ability to browse any website by typing its IP address in the address bar. I don't want to block any URLs.
For example: I have created a rule allowing access to a specific website for a specific domain group. Users who don't belong to this DG cannot browse this website by typing its URL. Unfortunately, when they run the ping or nslookup command they get the IP address for this site. When they paste this IP into their browser, they can navigate to this site.

(in reply to abqtech)
Post #: 3
RE: Block browsing by typing IP in browser - 28.Jan.2008 10:52:01 PM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Have you tried creating a URL Set with "approved" FQDNs of the sites you want to allow and then denying external so that no other FQDN or IP based HOST requests via HTTP web proxy are permitted?

(in reply to skisiel77)
Post #: 4
RE: Block browsing by typing IP in browser - 29.Jan.2008 5:29:25 AM   
skisiel77

 

Posts: 5
Joined: 28.Jan.2008
Status: offline
I have created a subset of allow/deny rules with specific "approved" FQDNs. As I understand ISA 2006 PROXY, the last Default Rule blocks all other traffic which doesn't "fit" in those rules. I didn't create a deny rule for traffic to the external network.

(in reply to abqtech)
Post #: 5
RE: Block browsing by typing IP in browser - 29.Jan.2008 8:42:02 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
Have you identified which Access Rule on your ISA Server is allowing your users access for their IP Based HTTP requests?

How is that rule configured?

Additionally what destination objects are your allow/deny rules based upon?
URL Set
Domain Name Set
Network
Computer Set
etc....

(in reply to skisiel77)
Post #: 6
RE: Block browsing by typing IP in browser - 30.Jan.2008 7:02:05 AM   
skisiel77

 

Posts: 5
Joined: 28.Jan.2008
Status: offline
Have you identified which Access Rule on your ISA Server is allowing your users access for their IP Based HTTP requests?
Yes I did.

How is that rule configured?
In this case traffic is shaped by 2 rules, one on Enterprise level (Deny), and one on Firewall level (Allow).
Enterprise - Deny rule for all users, denying access from All Protected Networks, to a certain URL set, containing a few domains/hosts - for example: poczta.onet.pl
Firewall - Allow rule for certain users (in a domain group), from All Protected Networks, to a certain URL set, containing root domains - for example *.pl, *.com, etc.

When I do nslookup
c:\>nslookup poczta.onet.pl
Non-authoritative answer:
Name:    poczta.onet.pl
Address:  213.180.130.206

When I type in the browser
http://poczta.onet.pl  Enterprise rule denies access to this website
http://213.180.130.206 Enterprise rule doesn't work, and Firewall rule allows access to this website

I got really confused

< Message edited by skisiel77 -- 30.Jan.2008 7:08:42 AM >

(in reply to abqtech)
Post #: 7
RE: Block browsing by typing IP in browser - 30.Jan.2008 10:08:22 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
I don't think that you're going to have consistent success while implementing this type of scenario. And it does not have much to do with your ISA Server configuration, rather it's related to DNS.

Let's stick with the specific host you're trying to block:

nslookup poczta.onet.pl
Name:    poczta.onet.pl
Address:  213.180.130.206

You can create a DENY rule in ISA including poczta.onet.pl as part of a URL Set or a Domain Name Set, and all requests to that FQDN should yield the desired result (the user is not able to access).

However, the user is able to perform an nslookup on the FQDN in question and obtain the IP. Retry the request with the IP rather than the FQDN and ISA allows it through. In the case of the host mentioned above, doing a reverse lookup on the IP yields the following result:

nslookup 213.180.130.206
Name:    f8virt.onet.pl
Address:  213.180.130.206

You'll notice that the DNS record associated with the IP is not the host you're trying to block, therefore ISA's rules are working as expected. This is just one scenario, but if you try to perform reverse lookups on IPs to see if they match the FQDN you would normally send in an HTTP request, more often than not, the reverse lookup will not match the FQDN. There are many reasons for this: virtual hosted web environments, DNS mis-administration, etc.

You may want to re-think your strategy and purchase a 3rd party URL filtering plugin to ISA.

(in reply to skisiel77)
Post #: 8
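
The behaviour described in post #8, as an added example that is not part of any poster's message and is not ISA Server's own code: a simplified first-match rule evaluator showing why the IP-literal request is allowed by the `*.pl` rule, and how the approved-FQDN allow list suggested in post #4 denies it. The rule model, the rule names and the approved site `www.example.com` are assumptions; the PTR entry is copied from the nslookup output in the thread.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed PTR data, copied from the reverse lookup quoted in the thread.
PTR = {"213.180.130.206": "f8virt.onet.pl"}

# Simplified model (an assumption, not ISA's real engine): ordered rules,
# first match wins, implicit default deny at the end.
RULES_AS_POSTED = [
    ("Enterprise deny", "deny", ["poczta.onet.pl"]),
    ("Firewall allow", "allow", ["*.pl", "*.com"]),
]

# Variant following post #4: allow only explicitly approved FQDNs.
RULES_ALLOWLIST = [
    ("Approved FQDNs", "allow", ["www.example.com"]),  # hypothetical site
]


def is_ip_literal(host):
    """True when the requested host is an IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_for_matching(host):
    """Name compared against name-based sets for this request."""
    if is_ip_literal(host):
        # Reverse lookup; fall back to the raw IP when no PTR record exists.
        return PTR.get(host, host)
    return host.lower()


def evaluate(host, rules):
    """Return (action, matching rule, name that was matched)."""
    name = name_for_matching(host)
    for rule_name, action, patterns in rules:
        if any(fnmatchcase(name, p) for p in patterns):
            return action, rule_name, name
    return "deny", "Default rule", name


if __name__ == "__main__":
    for host in ("poczta.onet.pl", "213.180.130.206"):
        print("as posted:", host, evaluate(host, RULES_AS_POSTED))
        print("allowlist:", host, evaluate(host, RULES_ALLOWLIST))
```
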
RE: Block browsing by typing IP in browser - 31.Jan.2008 3:47:17 AM   
skisiel77

 

Posts: 5
Joined: 28.Jan.2008
Status: offline
OK. Thanks a lot.
I assume this can happen with a number of hosts.
I understand now this is a DNS issue.
I can nslookup all disallowed IPs and put them into a blocking rule, but it may not be efficient. Is there any other way to solve this problem with ISA?
Which 3rd party utility do you have in mind?

< Message edited by skisiel77 -- 31.Jan.2008 3:48:43 AM >

(in reply to abqtech)
Post #: 9
RE: Block browsing by typing IP in browser - 31.Jan.2008 8:44:22 AM   
abqtech

 

Posts: 216
Joined: 9.Mar.2004
Status: offline
As far as third party filters go... I'm most familiar with Websense. But there are others, such as SurfControl and GFI WebMonitor.

(in reply to skisiel77)
Post #: 10
