I have a regular HTTP access rule like the one below:
Action: Allow
Protocols: HTTP (Application Filters: Web Proxy Filter)
From: Internal
To: External
Users: InternetWWW (linked to an AD global group)
Schedule: Always
Content Types: All content types
Internet Explorer 7 is configured manually to use my ISA as a proxy. I can browse any website, which is normal and required functionality. But I can also browse websites listening on any port (e.g. http://URL:8081).
I think the ISA web proxy service is responsible for this behaviour. But can anyone tell me why, and how to deny all HTTP traffic except that destined for destination port 80?
Hi, ajonkers,
In order to control the WAN traffic, you have to install at least two network cards in the ISA server. Then define the External interface as the network card connected to the ISA gateway, and the other will be the Internal interface.
On the external NIC you have to assign one IP and a default gateway address to the external network card that is connected to an upstream NAT router. On the internal NIC you have no default gateway assigned, and you have to configure your DNS settings to point to an internal DNS server which is also configured to resolve and forward requests to the Internet. Then any packets being sent from the internal network will traverse ISA's external network card, and the ISA server can control the traffic.
On the Internal Network properties put the IP address ranges that are reachable from the network adapter that is bound to the Internal network object. The External network object represents the connection to the Internet and is considered to be all networks not associated with the internal network or the protected network.
Then, for PCs in your internal network to access the Internet, you can use SecureNAT (PCs with their default gateway set to the internal interface of ISA), the ISA Firewall Client, or configure the client as a Web Proxy client by configuring the proxy settings in IE to use the ISA server as its proxy. If you want to authenticate client access you have to use the ISA Firewall Client or Web Proxy. If you only use the Web Proxy client you cannot control WAN traffic. http://msdn2.microsoft.com/en-us/library/ms812546.aspx
I have a two-NIC setup exactly as you explained. However, Mr. Shinder told me:
Remember, it's still the HTTP protocol, so the ISA Firewall realizes that protocol security is what matters, so whether the HTTP protocol is on an alternate port isn't an issue.
The application layer inspection mechanisms will work for the HTTP protocol. Remember, port numbers aren't really an issue, it's the protocol that is.
You can block sites as required using Computer and URL sets.
This is by design.
The answer of Mr. Shinder satisfies me because this is what I thought before posting my question.
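As an added example from a defender's viewpoint (not code from this thread or from ISA Server), here is a small Python audit that reads constructed W3C-style proxy log lines and flags the requests that reached a non-standard port, i.e. the ones a protocol-based "Allow HTTP" rule admits but a port-restricted policy would deny; the log field layout, the sample entries and the allowed-port policy are all assumptions.

```python
# Added example (not from the thread): audit web-proxy requests that reached a
# non-standard destination port. ISA's Web Proxy Filter classifies a request as
# HTTP by protocol, not by port, so a plain "Allow HTTP" rule also admits
# http://host:8081/. This reads constructed W3C-style proxy log lines, derives
# the destination port from the URL, and reports the requests a port-restricted
# policy (assumed: HTTP only on 80, HTTPS only on 443) would have denied.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = {"http": {80}, "https": {443}}   # assumed policy: standard ports only


def destination_port(url):
    """Return the TCP port a request URL targets (explicit port or scheme default)."""
    parts = urlsplit(url)
    try:
        port = parts.port            # None when no explicit port is given
    except ValueError:               # malformed port such as http://h:abc/
        return None
    return port if port is not None else DEFAULT_PORTS.get(parts.scheme)


def is_allowed_by_port(url):
    """Apply the assumed port-restricted policy to a single URL."""
    scheme = urlsplit(url).scheme
    port = destination_port(url)
    return port is not None and port in ALLOWED_PORTS.get(scheme, set())


def find_nonstandard_port_requests(log_lines):
    """Parse constructed log lines 'client user url status' and return
    (user, url, port) for every request the port policy would deny."""
    flagged = []
    for line in log_lines:
        if not line or line.startswith("#"):     # skip blank and header lines
            continue
        fields = line.split()
        if len(fields) < 4:                      # skip truncated records
            continue
        client, user, url, status = fields[:4]
        if not is_allowed_by_port(url):
            flagged.append((user, url, destination_port(url)))
    return flagged


# Constructed sample log (field layout assumed: c-ip cs-username cs-uri s-status).
SAMPLE_LOG = """\
#Fields: c-ip cs-username cs-uri s-status
10.0.0.15 DOMAIN\\alice http://www.example.com/ 200
10.0.0.15 DOMAIN\\alice http://www.example.com:8081/admin 200
10.0.0.23 DOMAIN\\bob https://intranet.example.com/ 200
10.0.0.23 DOMAIN\\bob https://www.example.com:8443/ 200
""".splitlines()

if __name__ == "__main__":
    for user, url, port in find_nonstandard_port_requests(SAMPLE_LOG):
        print(f"{user} reached {url} on port {port}")
```

The same port check can be reused to build the Computer and URL set entries that Mr. Shinder's reply points to, since it tells you exactly which host:port pairs users are actually reaching through the proxy.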