I have created few deny/allow rules and this part is working fine, but they can obey them typing IP addresses in their browsers. I don't want to deny acces to specific IP. Is there any way to block users browsing internet by typing IP address (instead of URL) directly into their browsers. ISA 2006
Generally I would like to block an ability to browse any website by typing its IP address in address bar. I don't want to blocking any urls. For example: I have created a rule allowing access to specific website for specific domain group. Users who doesn't belong to this DG, cannot browse this website by typing its URL. Unfortunately when they do ping or nslookup command they get the ip address for this site. When they paste this IP to their browser, they can navigate to this site.
have you tried creating a URL Set with "approved" FDQN's of the sites you want to allow and then denying external so that no other FQDN or IP based HOST requests via HTTP web proxy are permitted?
I have created a subset of allow/deny rules with specific "approved" FDQN's. As I understand ISA 2006 PROXY, last Default Rule blocks all other traffic witch doesn't "fit" in those rules. I didn't create deny rule for traffic to external network.
Have you identifed which Access Rule on your ISA Server that your users are being allowed access fo their IP Based HTTP requests? Yes I did.
How is that rule configured? In this case trafic is shaped by 2 rules, one on Enterprise level (deny), and one on Firewall level (Allow). Enterprise - Deny rule for all users, denying access from All Protected Networks, to certain URLset, containing few domains/hosts - for egzample: poczta.onet.pl Firewall Allow rule for certain users (in domain group), from All Protected Networks, to certain URLset, containing root domains - for egzample *.pl, *.com, etc.
When i do nslookup c:\>nslookup poczta.onet.pl Non-authoritative answer: Name: poczta.onet.pl Address: 213.180.130.206
When i type in browser http://poczta.onet.pl Enterprise rule denies access to this website http://213.180.130.206 Enterpise rule doesn't work, and Firewall rule allow access to this website
I got realy confused
< Message edited by skisiel77 -- 30.Jan.2008 7:08:42 AM >
I don't think that your going to have consistent success while implementing this type of scenario. And it does not have much to do with your ISA Server configuration, rather it's related to DNS.
Let's stick with the specific host your trying to block:
You can create an DENY rule in ISA including poczta.onet.pl as part of a URLSet or a Domain Name Set, and all requests to that fqdn should yield the desired result. (the user is not able to access)
However the user is able to perform a nslookup on the FQDN in question, and obtain the IP. Retry the request with the IP rather than the FQDN and it ISA allows it through. In the case with the host mentioned above, doing a reverse lookup on the IP, yields the following result:
nslookup 213.180.130.206 Name: f8virt.onet.pl Address: 213.180.130.206 You'll notice that the DNS record associated with the IP (is not the host your trying to block, therefore ISA's rules are working as expected. This is just one scenario, but if you try to perform reverse lookup's on IP's to see if they match the FQDN you would normally send in an HTTP request, more often than not, the reverse lookup will not match to the FQDN. There are many reasons for this. Virtual hosted web environments, DNS mis-administration, etc...
You may want to re-think your strategy and purchase a 3rd party URL filtering plugin to ISA.
OK. Thanks a lot. I assume this can happen with a number of hosts. I understand now this is a DNS issue. I can nslookup all disallowed IP and put them into blocking rule, but it may be not efficient. Is there any other way to solve this problem with ISA ? Which 3rd party utility you have on your mind ?
< Message edited by skisiel77 -- 31.Jan.2008 3:48:43 AM >
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Printable Version
All Forums >> [ISA 2006 Web Proxy] >> General >> Block browsing by typing IP in browser 
Block browsing by typing IP in browser - 
RE: Block browsing by typing IP in browser - 
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread