Welcome to ISAserver.org

Allow All HTTP (For CRL Downloads)

Allow All HTTP (For CRL Downloads) - 2.Apr.2008 9:43:15 AM   
create_share

 

Posts: 269
Joined: 4.May2005
Status: offline
I can access any website on ISA itself through the rule "Allow all HTTP traffic from ISA Server to all Networks (For CRL Downloads)". Is it enabled by default, and can it create any problem if I disable it from System Policy?

Thanks!
Post #: 1
RE: Allow All HTTP (For CRL Downloads) - 3.Apr.2008 12:17:25 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
It's not enabled by default. You need it if your ISA has to validate SSL certificates (otherwise it can't check for revocation, and it will cause slowness and insecurity).

I have thought about making a filter to allow CRL download but block general HTTP from localhost.  I'm just not convinced whether this is an issue that many people encounter.

(in reply to create_share)
Post #: 2
RE: Allow All HTTP (For CRL Downloads) - 6.Apr.2008 1:20:31 PM   
create_share

 

Posts: 269
Joined: 4.May2005
Status: offline
So can I leave it like this?

(in reply to create_share)
Post #: 3
RE: Allow All HTTP (For CRL Downloads) - 22.Apr.2008 11:48:34 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I usually leave it enabled, because it can slow down things if you disable it if CRL download is required.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to create_share)
Post #: 4
RE: Allow All HTTP (For CRL Downloads) - 1.Sep.2010 1:04:46 PM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
I'm discovering more what I think of as 'leaky' rules like the CRL download system rule described here.

It is troubling to me because if you look at the logs (had to filter on text for system rules) you see none of the proper rules being used since the CRL HTTP to all network rule trumps all of them.

In response to a request we run Forefront Client Security on ISA 2006 I found this post from Tom that makes sense to me - but I also wanted to verify ISA is indeed protecting itself and found the CRL rule issue.

http://blogs.isaserver.org/shinder/2006/05/05/should-you-install-anti-virus-software-on-your-isa-firewall/

I'm also looking at the system policy allowed sites rules - to *.microsoft.com. I realize it probably takes some privileges to abuse the hosts file or corrupt DNS resolution, but if we have WSUS I think I can disable this and make sure we have WSUS.

Dr. Watson - error reporting rule already disabled.

Thinking of other ways, like restricting iexplore.exe via GPO but don't know what else will break yet.

Thanks in advance for your replies!

(in reply to tshinder)
Post #: 5
RE: Allow All HTTP (For CRL Downloads) - 1.Sep.2010 2:58:02 PM   
karlf

 

Posts: 14
Joined: 29.Jun.2006
Status: offline
Reply to myself :)

Created an Enterprise rule to handle CRL downloads so I could disable the default one. The manually created rule allows for HTTP filtering set like this:

Methods: GET
Extensions: .crl (and .crt possibly for renewing certs)

Destination is still all networks (and localhost).
Source is localhost.

Any other filtering we might do here?
Verify normalization, Block responses with Executables, and some filtering from the default baseline policy at http://technet.microsoft.com/en-us/library/bb794781.aspx

Might want a copy for authenticated VPN users still in quarantine to be able to get CRLs. (saw some drops to microsoft sites after making the first change).

Thanks to Steffan for his article http://www.isaserver.org/articles/ISA2004_AccessRules.html

(in reply to karlf)
Post #: 6
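A toy first-match policy evaluator, added here as an illustration (it is not ISA code and not from any poster), showing the shadowing karlf describes in post #5 and the narrowed GET/.crl/.crt rule from post #6. The rule names, the `localhost` source label and the sample requests are constructed; destination is left out because both rule sets keep it at all networks.

```python
# Added example (not ISA code): toy first-match evaluator for outbound HTTP
# from the firewall host, modelling the thread's broad vs. narrowed CRL rule.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    source: str                            # constructed label, e.g. "localhost"
    methods: frozenset = frozenset()       # empty = any HTTP method
    extensions: frozenset = frozenset()    # empty = any path

    def matches(self, source, method, url):
        if source != self.source:
            return False
        if self.methods and method.upper() not in self.methods:
            return False
        if self.extensions:
            path = urlsplit(url).path.lower()   # query string is ignored
            return any(path.endswith(ext) for ext in self.extensions)
        return True

def evaluate(rules, source, method, url):
    """Name and action of the first matching rule; no match means deny."""
    for rule in rules:
        if rule.matches(source, method, url):
            return rule.name, rule.action
    return "default", "deny"

def shadowed_rules(rules, traffic):
    """Rules that never win first-match for any request in `traffic`."""
    winners = {evaluate(rules, *req)[0] for req in traffic}
    return [r.name for r in rules if r.name not in winners]

# Constructed rule sets: the broad default system-policy rule versus a narrowed
# one (GET only, .crl/.crt only), each followed by a stricter rule.
BROAD = [Rule("Allow all HTTP from ISA Server (CRL)", "allow", "localhost")]
NARROW = [Rule("CRL download only", "allow", "localhost",
               frozenset({"GET"}), frozenset({".crl", ".crt"}))]
TAIL = [Rule("Deny localhost web browsing", "deny", "localhost")]

# Constructed sample requests from the firewall host (not real log lines).
SAMPLE_TRAFFIC = [
    ("localhost", "GET", "http://crl.example.com/pki/root.crl"),
    ("localhost", "GET", "http://crl.example.com/pki/issuing.CRT?renew=1"),
    ("localhost", "GET", "http://www.example.com/index.html"),
    ("localhost", "POST", "http://crl.example.com/pki/root.crl"),
]
```

With the broad rule set the deny rule never fires for the sample traffic, which is the log symptom karlf reports; with the narrowed set only .crl/.crt GETs are allowed and every other request reaches the deny rule.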