Welcome to ISAserver.org


IP VS. URL

IP VS. URL - 30.Jan.2009 1:00:02 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
I'm trying to create a rule to an external site, but it only works when the "To" is the site's IP address.  Typically I use a URL (http://www.google.com), and I want to use the URL, but I can't get that to work.  I set the rule the way I want it, Allow, HTTPS, Internal, To, yadda yadda, and using the URL for the "To" it won't connect.  Leaving everything else the same, if I substitute the IP address of the site, it now works.  I can replicate with multiple sites.  Is it SSL?  Is it DNS?  Is there a redirect?  What am I missing?

Thanks in advance...

JB
Post #: 1
RE: IP VS. URL - 30.Jan.2009 2:47:28 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

it is most probably DNS. Check your DNS and ISA NIC configurations first.

You can also try to create a URL like this http://www.google.com/*
Or, a domain name set like this: *.google.com

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 2
RE: IP VS. URL - 30.Jan.2009 2:54:54 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
I have DNS settings in my external NIC configuration.  From the ISA server I can ping the address from a command prompt and it resolves the IP correctly.  What specifically in regards to DNS do you recommend I verify or configure?

Thanks.

JB

(in reply to paulo.oliveira)
Post #: 3
RE: IP VS. URL - 30.Jan.2009 3:20:29 PM   
Dumber

 

Posts: 278
Joined: 21.Mar.2008
Status: offline
The way to configure it is to set the DNS configuration to the internal DNS servers and let the internal DNS servers query the Internet by using forwarders or root hints.

So how to configure the NICs:

Internal:
IP, subnet, DNS

External:
IP, subnet, Gateway.

_____________________________

Marcel
Netherlands

MCTS, MCITP (SA,EA) MCP, MCSA:Security, MCSE:Security, CCNA, CCSA, CCSE, CCSE+
No matter how secure, there is always the human factor.
http://www.phetios.com/

(in reply to WIDOC)
Post #: 4
RE: IP VS. URL - 30.Jan.2009 3:35:20 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
That is different than how I have it now.  As it is, I have DNS entries for the external pointing to external DNS servers and on the internal I have it pointing to the Domain DNS server.

I've changed the DNS settings as you mentioned and it did not resolve my issue.

Thanks.

JB

(in reply to Dumber)
Post #: 5
RE: IP VS. URL - 30.Jan.2009 3:40:05 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Marcel is right. You can also check this article about how to configure your ISA NICs: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 6
RE: IP VS. URL - 30.Jan.2009 3:42:10 PM   
Dumber

 

Posts: 278
Joined: 21.Mar.2008
Status: offline
Are the internal DNS servers resolving the external DNS hostnames correctly?

_____________________________

Marcel
Netherlands

MCTS, MCITP (SA,EA) MCP, MCSA:Security, MCSE:Security, CCNA, CCSA, CCSE, CCSE+
No matter how secure, there is always the human factor.
http://www.phetios.com/

(in reply to paulo.oliveira)
Post #: 7
RE: IP VS. URL - 30.Jan.2009 3:59:40 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
Besides the DNS settings on the External NIC (which I have since removed), my settings match up with the settings in the article.  Pings from other internal domain servers resolve addresses correctly.

Can it be something with SSL?  I don't get the default ISA smackdown page, I get the message below on the empty white page:

Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.27
Date: 1/30/2009 8:55:58 PM [GMT]
Server:
Source: proxy 

(in reply to Dumber)
Post #: 8
RE: IP VS. URL - 30.Jan.2009 4:15:13 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

but this ain't an SSL web site, is it?

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 9
RE: IP VS. URL - 30.Jan.2009 4:19:06 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
Yes, the site I'm trying to control access to is HTTPS.

I'm sorry.  Looking back, my original post didn't emphasize that more.

I used http://www.google.com in my example just to show the format that I was generally using.

(in reply to paulo.oliveira)
Post #: 10
RE: IP VS. URL - 31.Jan.2009 3:54:32 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

did you try to create a domain name set?

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 11
RE: IP VS. URL - 2.Feb.2009 9:57:51 AM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
I had not.

I just created one and now I can get to the site using the name and not the IP.  So that part of my issue is resolved.  Now I need to verify that I can block portions of the site.

So thanks, and if you have any other tips in regards to blocking parts of a site, please let me know.

Thanks again,

JB

(in reply to paulo.oliveira)
Post #: 12
RE: IP VS. URL - 2.Feb.2009 4:19:50 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

unfortunately, ISA cannot inspect SSL traffic between the client and the external web server.

That's the reason your URL set did not work.

One more thing, if I'm not mistaken, URL sets only apply to HTTP web sites.

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 13
RE: IP VS. URL - 2.Feb.2009 4:31:51 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
I'm picking that up as I keep reading more.  So, an SSL site is all or nothing.

(in reply to paulo.oliveira)
Post #: 14
RE: IP VS. URL - 2.Feb.2009 5:15:47 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
SSL sites can be controlled by domain name.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to WIDOC)
Post #: 15
RE: IP VS. URL - 3.Feb.2009 6:45:55 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

yes! It only works for the HTTP traffic.

Regards,
Paulo Oliveira.

(in reply to WIDOC)
Post #: 16
RE: IP VS. URL - 26.Feb.2009 12:08:51 PM   
WIDOC

 

Posts: 8
Joined: 30.Jan.2009
Status: offline
When I create a new Domain Name Set it does allow access to the site, but still I have no ability to block individual pages/parts of the site.

I'm looking at Cleartunnel and SSL Decoder as possible solutions to my problem.  They imply that they will give me the ability to control HTTPS sites just like HTTP sites.

Does anyone have any experience with these products doing this type of blocking?

(in reply to paulo.oliveira)
Post #: 17
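
Why the URL-based rule never matched the HTTPS site while a domain name set did, as an added sketch that is not part of the original thread and is not ISA Server's own matching logic: a simplified model of what a forward proxy that does not decrypt TLS can read from the client's request line. The host names, rule entries and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data: request lines as a forward proxy receives them.
HTTP_REQ = "GET http://www.example.com/private/report.html HTTP/1.1"
HTTPS_REQ = "CONNECT www.example.com:443 HTTP/1.1"
URL_SET = ["http://www.example.com/private/*"]   # hypothetical path-level entry
DOMAIN_SET = ["*.example.com"]                   # hypothetical host-level entry


def visible_to_proxy(request_line):
    """Return the fields a non-decrypting proxy can read from the request line."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS via a proxy: only "host:port" is sent in clear text. The real
        # GET line, including the path, travels inside the TLS tunnel.
        host, _, port = target.rpartition(":")
        return {"scheme": "https", "host": host.lower(),
                "port": int(port), "path": None}
    # Plain HTTP via a proxy: the full absolute URL is on the request line.
    parts = urlsplit(target)
    return {"scheme": parts.scheme, "host": (parts.hostname or "").lower(),
            "port": parts.port or 80, "path": parts.path or "/"}


def matches_domain_set(seen, patterns):
    """Host-level match: needs only the host name, so it works for CONNECT."""
    return any(fnmatchcase(seen["host"], p.lower()) for p in patterns)


def matches_url_set(seen, patterns):
    """Path-level match: impossible when the path is hidden inside the tunnel."""
    if seen["path"] is None:
        return False
    url = f'{seen["scheme"]}://{seen["host"]}{seen["path"]}'
    return any(fnmatchcase(url, p) for p in patterns)


def evaluate(request_line):
    """Summarise which rule elements can match a given request line."""
    seen = visible_to_proxy(request_line)
    return {"path_seen": seen["path"],
            "url_set": matches_url_set(seen, URL_SET),
            "domain_set": matches_domain_set(seen, DOMAIN_SET)}


if __name__ == "__main__":
    for line in (HTTP_REQ, HTTPS_REQ):
        print(line, "->", evaluate(line))
```

Per-page control of an HTTPS site requires the proxy to terminate and re-originate the TLS session, which is what the inspection products mentioned in post 17 claim to do.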
