IP VS. URL (Full Version)



WIDOC -> IP VS. URL (30.Jan.2009 1:00:02 PM)

I'm trying to create a rule to an external site, but it only works when the "To" is the site's IP address.  Typically I use a URL (http://www.google.com), and I want to use the URL, but I can't get that to work.  I set the rule the way I want it, Allow, HTTPS, Internal, To, yadda yadda and using the URL for the "To" it won't connect.  Leaving everything else the same, if I substitute the IP address of the site, it now works.  I can replicate with multiple sites.  Is it SSL?  Is it DNS?  Is there a redirect?  What am I missing?

Thanks in advance...


paulo.oliveira -> RE: IP VS. URL (30.Jan.2009 2:47:28 PM)


Most probably it is DNS. Check your DNS and ISA NIC configurations first.

You can also try to create a URL like this http://www.google.com/*
Or, a domain name set like this: *.google.com

Paulo Oliveira.

WIDOC -> RE: IP VS. URL (30.Jan.2009 2:54:54 PM)

I have DNS settings in my external NIC configuration.  From the ISA server I can ping the address from a command prompt and it resolves the IP correctly.  What specifically in regards to DNS do you recommend I verify or configure?



Dumber -> RE: IP VS. URL (30.Jan.2009 3:20:29 PM)

The way to configure it is setting the DNS configuration to the Internal DNS servers and let the internal DNS servers query on the internet by using forwarders or root hints.

So how to configure the NICs:

IP, subnet, DNS

IP, subnet, Gateway.

WIDOC -> RE: IP VS. URL (30.Jan.2009 3:35:20 PM)

That is different than how I have it now.  As it is, I have DNS entries for the external pointing to external DNS servers and on the internal I have it pointing to the Domain DNS server.

I've changed the DNS settings as you mentioned and it did not resolve my issue.



paulo.oliveira -> RE: IP VS. URL (30.Jan.2009 3:40:05 PM)


Marcel is right. You can also check this article about how to configure your ISA NICs: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Paulo Oliveira.

Dumber -> RE: IP VS. URL (30.Jan.2009 3:42:10 PM)

Are the internal DNS servers resolving the external DNS hostnames correctly?

WIDOC -> RE: IP VS. URL (30.Jan.2009 3:59:40 PM)

Besides the DNS settings on the External NIC (which I have since removed), my settings match up with the settings in the article.  Pings from other internal domain servers resolve addresses correctly.

Can it be something with SSL?  I don't get the default ISA smackdown page, I get the message below on the empty white page:

Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address:
Date: 1/30/2009 8:55:58 PM [GMT]
Source: proxy 

paulo.oliveira -> RE: IP VS. URL (30.Jan.2009 4:15:13 PM)


But this ain't an SSL web site, is it?

Paulo Oliveira.

WIDOC -> RE: IP VS. URL (30.Jan.2009 4:19:06 PM)

Yes, the site I'm trying to control access to is HTTPS.

I'm sorry.  Looking back my original post didn't emphasize that more.

I used http://www.google.com in my example just to show the format that I was generally using.

paulo.oliveira -> RE: IP VS. URL (31.Jan.2009 3:54:32 PM)


Did you try to create a domain name set?

Paulo Oliveira.

WIDOC -> RE: IP VS. URL (2.Feb.2009 9:57:51 AM)

I had not.

I just created one and now I can get to the site using the name and not the IP.  So that part of my issue is resolved.  Now I need to verify that I can block portions of the site.

So thanks, and if you have any other tips in regards to blocking parts of a site, please let me know.

Thanks again,


paulo.oliveira -> RE: IP VS. URL (2.Feb.2009 4:19:50 PM)


Unfortunately, ISA cannot inspect SSL traffic between the client and the external web server.

That's the reason your URL set did not work.

One more thing, if I'm not mistaken, URL sets only apply to HTTP web sites.

Paulo Oliveira.

WIDOC -> RE: IP VS. URL (2.Feb.2009 4:31:51 PM)

I'm picking that up as I keep reading more.  So, an SSL site is all or nothing.

SteveMoffat -> RE: IP VS. URL (2.Feb.2009 5:15:47 PM)

SSL sites can be controlled by domain name.

paulo.oliveira -> RE: IP VS. URL (3.Feb.2009 6:45:55 AM)


Yes! It only works for the HTTP traffic.

Paulo Oliveira.
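
The exchange above, shown as an added example that is not part of the original thread and is not ISA Server's rule engine: a simplified model of what a forward proxy that does not decrypt SSL can read from a client's request line, and why a host-only rule can match an HTTPS request while a path-based rule cannot. The request lines, the rule patterns and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample request lines, as a browser sends them to a forward proxy.
HTTP_REQ = "GET http://www.example.com/private/report.html HTTP/1.1"
HTTPS_REQ = "CONNECT www.example.com:443 HTTP/1.1"


def visible_to_proxy(request_line):
    """Return (host, path) readable from the first request line.

    path is None for CONNECT: the real GET with its path is sent later,
    inside the encrypted tunnel, where a non-decrypting proxy cannot read it.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")  # target is "host:port"
        return host.lower(), None
    parts = urlsplit(target)  # plain HTTP via a proxy uses an absolute URL
    if parts.hostname is None:
        raise ValueError("not a proxy-style request line: " + request_line)
    return parts.hostname, parts.path or "/"


def domain_rule_matches(patterns, request_line):
    """Host-only rule (hypothetical model of a domain name set)."""
    host, _path = visible_to_proxy(request_line)
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def path_rule_matches(patterns, request_line):
    """Host-plus-path rule (hypothetical model of a URL set with a path)."""
    host, path = visible_to_proxy(request_line)
    if path is None:
        return False  # nothing to compare against: the path is encrypted
    return any(fnmatchcase(host + path, p) for p in patterns)


if __name__ == "__main__":
    for req in (HTTP_REQ, HTTPS_REQ):
        print(req)
        print("  visible:", visible_to_proxy(req))
        print("  *.example.com:", domain_rule_matches(["*.example.com"], req))
        print("  www.example.com/private/*:",
              path_rule_matches(["www.example.com/private/*"], req))
```
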

WIDOC -> RE: IP VS. URL (26.Feb.2009 12:08:51 PM)

When I create a new Domain Name Set it does allow access to the site, but still I have no ability to block individual pages/parts of the site.

I'm looking at Cleartunnel and SSL Decoder as possible solutions to my problem.  They imply that they will give me the ability to control HTTPS sites just like HTTP sites.

Does anyone have any experience with these products doing this type of blocking?
