Welcome to ISAserver.org

Restrict http access to port 80 only.

All Forums >> [ISA 2006 Web Proxy] >> General >> Restrict http access to port 80 only. Page: [1]
Restrict http access to port 80 only. - 18.Feb.2008 10:51:14 AM   
ajonkers

 

Posts: 3
Joined: 18.Feb.2008
Status: offline
Hi,

I've a regular HTTP access rule like the one below:
  • Action: Allow
  • Protocols: HTTP (Application Filters: Web Proxy Filter)
  • From: Internal
  • To: External
  • Users: InternetWWW (linked to an AD global group)
  • Schedule: Always
  • Content Types: All content types

Internet Explorer 7 is configured manually to use my ISA as a proxy. I can browse any website, which is a normal and required functionality. But I can also browse websites listening on any port (e.g. http://URL:8081).

I think the ISA web proxy service is responsible for this behaviour. But can anyone tell me why, and how to deny all HTTP traffic except the one destined for destination port 80?

Thanks and regards,
A. Jonkers

Post #: 1
RE: Restrict http access to port 80 only. - 19.Feb.2008 9:16:30 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
Hi, ajonkers,

In order to control the WAN traffic, you have to install at least two network cards in ISA Server. Then define the External interface as the network card connected to the ISA gateway, and the other will be the internal interface.

See:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html 

On the external NIC you have to assign one IP and a default gateway address to the external network card that is connected to an upstream NAT router. On the internal NIC, you have no default gateway assigned and have to configure your DNS settings to point to an internal DNS server which is also configured to resolve and forward requests to the Internet; then any packets being sent from the Internal network will traverse ISA's external network card, and ISA Server can control the traffic.
On the Internal Network properties, put the IP address ranges that are reachable from the network adapter that is bound to the Internal network object. The External network object represents the connection to the Internet and is considered to be all networks not associated with the internal network or the protected network.
Then, for PCs in your internal network to access the Internet, you can use SecureNAT (PCs with their default gateway set to the internal interface of ISA), the ISA Firewall Client, or configure the client as a Web Proxy client by configuring the proxy settings in IE to use the ISA server as its proxy.
If you want to authenticate client access, you have to use the ISA Firewall Client or Web Proxy.
If you only use the Web Proxy client, you cannot control WAN traffic. http://msdn2.microsoft.com/en-us/library/ms812546.aspx

Hector

(in reply to ajonkers)
Post #: 2
RE: Restrict http access to port 80 only. - 19.Feb.2008 10:39:51 AM   
ajonkers

 

Posts: 3
Joined: 18.Feb.2008
Status: offline
Hi Hector,

I've a two NIC setup exactly as you explained. However, Mr. Shinder told me:

Remember, it's still the HTTP protocol, so the ISA Firewall realizes
that protocol security is what matters, so whether the HTTP protocol is
on an alternate port isn't an issue.

The application layer inspection mechanisms will work for the HTTP
protocol. Remember, port numbers aren't really an issue, it's the
protocol that is.

You can block sites as required using Computer and URL sets.

This is by design.

 
The answer of Mr. Shinder satisfies me because this is what I thought before posting my question.

Thank you and regards,
A. Jonkers

(in reply to ajonkers)
Post #: 3
RE: Restrict http access to port 80 only. - 19.Feb.2008 11:36:19 AM   
hrsanchez

 

Posts: 146
Joined: 30.Nov.2007
From: Argentina
Status: offline
OK, excellent; anyway, if you install the Firewall Client or use SecureNAT, you can block other ports.

Thanks for your comments.

Hector

(in reply to ajonkers)
Post #: 4
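
Added example (not part of the original thread and not ISA Server code): a browser configured with an explicit proxy sends the full URL, including any port, in the request line, so the destination port travels inside the URL rather than being the port the client connects to. The Python below audits such request lines for plain-HTTP destinations other than port 80; the sample lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample request lines, as a browser configured with an
# explicit proxy would send them to the proxy listener.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/ HTTP/1.1",
    "GET http://www.example.com:80/index.html HTTP/1.1",
    "GET http://intranet.example.net:8081/status HTTP/1.1",
    "GET http://[2001:db8::1]:8081/ HTTP/1.1",
    "CONNECT mail.example.com:443 HTTP/1.1",
    "GET /relative-only HTTP/1.1",
]

DEFAULT_PORTS = {"http": 80, "https": 443}

def destination(request_line):
    """Return (scheme, host, port) the proxy would connect to, or None."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    try:
        if method.upper() == "CONNECT":
            # authority-form target: host:port with no scheme
            scheme, split = "connect", urlsplit("//" + target)
        else:
            split = urlsplit(target)
            scheme = split.scheme.lower()
        port = split.port  # raises ValueError for an out-of-range port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)  # no default for CONNECT or other schemes
    if split.hostname is None or port is None:
        return None
    return scheme, split.hostname, port

def http_off_port_80(request_lines):
    """List (host, port) for plain-HTTP requests whose destination is not port 80."""
    hits = []
    for line in request_lines:
        dest = destination(line)
        if dest and dest[0] == "http" and dest[2] != 80:
            hits.append(dest[1:])
    return hits

if __name__ == "__main__":
    print(http_off_port_80(SAMPLE_REQUESTS))
```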
