• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Allow anonymous access based on user-agent string

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> HTTP Filtering >> Allow anonymous access based on user-agent string Page: [1]
Login
Message << Older Topic   Newer Topic >>
Allow anonymous access based on user-agent string - 17.Sep.2008 1:22:04 PM   
rl1

 

Posts: 5
Joined: 7.Apr.2008
Status: offline
Hi All,

I was wondering if anyone knows of a way to allow anonymous HTTP access based on a user-agent string?

Our general policy is to allow HTTP access to all destinations if the user/client authenticates.

The exception to this rule is to allow anoymous access based on the destination Domain Name Sets or URL sets.

That's all very well and good if the destinations are fixed.

However when a user-agent that doesn't support proxy authentication attempts to access the web over HTTP (for example Apple OSX 'CFNetwork/129.22' agent) then ISA blocks it as our rules require that either the agent provides credentials or is going to an allowed non authentication destination.

In this case the destination can be anywhere.

So how can I allow anonymous HTTP access to anywhere for just this agent whilst still forcing other agents to authenticate!?

There's a block option in ISA for signatures. If only there was a negate rule for signatures too.

Any help would be very much appreciated as our MAC users are going crazy.

No. I don't want to allow all Mac's based on IP address anonymous access, and yes I would love to get rid of all our Mac's but that's not going to happen!

Thanks
Post #: 1
RE: Allow anonymous access based on user-agent string - 17.Sep.2008 6:15:49 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
My gut feeling is that this is not possible without defining policies based upon source IP addresses which allow anonymous web access. However, you say you want to avoid this approach (understandably).

I don't think you can use the HTTP filters the way you describe without writing a custom web filter.

Maybe one of the other guys will have a better idea

Cheers

JJ



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rl1)
Post #: 2
RE: Allow anonymous access based on user-agent string - 17.Sep.2008 7:21:37 PM   
rl1

 

Posts: 5
Joined: 7.Apr.2008
Status: offline
Thanks Jason.

I've sent the same question to collectivesoftware. Hopefully these guys can come up with something.

Interesting. - I was looking at Silversands only a few months ago. You guys are highly ranked in the UK for ISA

;)

(in reply to Jason Jones)
Post #: 3
RE: Allow anonymous access based on user-agent string - 17.Sep.2008 7:27:14 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi,

Yeah, Greg @ CS has some great products and is an ideal conact for what you need...funnily enough, I nearly mentioned them as a good custom filter developer.

Thanks for the kind feedback, we are slways happy to find new customers!

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rl1)
Post #: 4
RE: Allow anonymous access based on user-agent string - 17.Sep.2008 7:33:25 PM   
rl1

 

Posts: 5
Joined: 7.Apr.2008
Status: offline
Thanks Jason.

Another late night owl I see. I have also sent the same custom filter question to winfrasoft.com.

Nothing like a good bit of competition!

Yes. I might just be in touch with Silversands very soon.

Before I get shot for plugging too many companies I think it's time to sign out and hit the problem again tomorrow.

I will update this post when I find a solution. (Not often when something beats me)




(in reply to Jason Jones)
Post #: 5
RE: Allow anonymous access based on user-agent string - 17.Sep.2008 7:39:47 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I would also strongly recommend Steve @ Winfrasoft too  but I am biased as he is a good friend. He also has the added advantage of being this side of the pond

Be interested in your findings...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rl1)
Post #: 6
RE: Allow anonymous access based on user-agent string - 18.Sep.2008 7:32:27 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
I think this is a perfect fit for IsaScript actually.  Emailed you with details.

(in reply to rl1)
Post #: 7
RE: Allow anonymous access based on user-agent string - 18.Sep.2008 7:56:21 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: ferrix

I think this is a perfect fit for IsaScript actually.  Emailed you with details.


Cool tool

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ferrix)
Post #: 8
RE: Allow anonymous access based on user-agent string - 23.Sep.2008 2:46:21 PM   
rl1

 

Posts: 5
Joined: 7.Apr.2008
Status: offline
RESOLVED with the fantasic work from the guys at Collective Software.

The ISAscript ISA filter (http://www.collectivesoftware.com/Products/IsaScript) in conjuction with a perfect script from them worked like a charm!

I couldn't be happier. - ISAscript really has pushed the ISA boundries!

...I'm now getting Proxy Client Agents that do not support Proxy authentication to authenticate!

Simply AMAZING and so simple!

-----------------------------------------------
Thanks to Winfrasoft who offered to jump in and help in the unlikely event that Collective were unable to create a filter which worked. Next on the list is Backup for ISA Server.(http://www.winfrasoft.com/BackupForISA.htm)
-----------------------------------------------
Finally. I've called Silver Sands and will be using you guys for our ISA Server audit soon hopefully!
-----------------------------------------------

That's enough plugging for the day. Thanks again all!

(in reply to Jason Jones)
Post #: 9
RE: Allow anonymous access based on user-agent string - 23.Sep.2008 4:29:37 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Sounds like a good result all round!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rl1)
Post #: 10

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> HTTP Filtering >> Allow anonymous access based on user-agent string Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts