I have created few deny/allow rules and this part is working fine, but they can obey them typing IP addresses in their browsers. I don't want to deny acces to specific IP. Is there any way to block users browsing internet by typing IP address (instead of URL) directly into their browsers. ISA 2006
Generally I would like to block an ability to browse any website by typing its IP address in address bar. I don't want to blocking any urls. For example: I have created a rule allowing access to specific website for specific domain group. Users who doesn't belong to this DG, cannot browse this website by typing its URL. Unfortunately when they do ping or nslookup command they get the ip address for this site. When they paste this IP to their browser, they can navigate to this site.
I have created a subset of allow/deny rules with specific "approved" FDQN's. As I understand ISA 2006 PROXY, last Default Rule blocks all other traffic witch doesn't "fit" in those rules. I didn't create deny rule for traffic to external network.
Have you identifed which Access Rule on your ISA Server that your users are being allowed access fo their IP Based HTTP requests? Yes I did.
How is that rule configured? In this case trafic is shaped by 2 rules, one on Enterprise level (deny), and one on Firewall level (Allow). Enterprise - Deny rule for all users, denying access from All Protected Networks, to certain URLset, containing few domains/hosts - for egzample: poczta.onet.pl Firewall Allow rule for certain users (in domain group), from All Protected Networks, to certain URLset, containing root domains - for egzample *.pl, *.com, etc.
When i do nslookup c:\>nslookup poczta.onet.pl Non-authoritative answer: Name: poczta.onet.pl Address: 188.8.131.52
You can create an DENY rule in ISA including poczta.onet.pl as part of a URLSet or a Domain Name Set, and all requests to that fqdn should yield the desired result. (the user is not able to access)
However the user is able to perform a nslookup on the FQDN in question, and obtain the IP. Retry the request with the IP rather than the FQDN and it ISA allows it through. In the case with the host mentioned above, doing a reverse lookup on the IP, yields the following result:
nslookup 184.108.40.206 Name: f8virt.onet.pl Address: 220.127.116.11 You'll notice that the DNS record associated with the IP (is not the host your trying to block, therefore ISA's rules are working as expected. This is just one scenario, but if you try to perform reverse lookup's on IP's to see if they match the FQDN you would normally send in an HTTP request, more often than not, the reverse lookup will not match to the FQDN. There are many reasons for this. Virtual hosted web environments, DNS mis-administration, etc...
You may want to re-think your strategy and purchase a 3rd party URL filtering plugin to ISA.
OK. Thanks a lot. I assume this can happen with a number of hosts. I understand now this is a DNS issue. I can nslookup all disallowed IP and put them into blocking rule, but it may be not efficient. Is there any other way to solve this problem with ISA ? Which 3rd party utility you have on your mind ?
< Message edited by skisiel77 -- 31.Jan.2008 3:48:43 AM >