Welcome to ISAserver.org
Trying to limit access to specific directories and files
Trying to limit access to specific directories and files - 3.Mar.2009 1:51:22 PM   
mecsi
Posts: 4
Joined: 3.Mar.2009
I'll start off by saying that I know this may be frowned upon, but.... I have an ISA server with one (1) NIC. I've been asked to publish an internal web site to the outside world, but in the process to make sure that only specific pieces of the site are available. I took up this task by trying to set up Paths in the publishing rule, but I have to admit I am completely stuck now!!! So I ask this. Take a look at the paths below (these represent valid links on the web site) and help me to figure out how to tell ISA that these are valid. I should mention that when I put them in as-is, they seem to show up correctly in Mappings.

https://mywebsite.company/psp/hr89prd/EMPLOYEE/HRMS/h/?tab=DEFAULT
https://mywebsite.company/psp/hr89prd/EMPLOYEE/HRMS/?cmd=logout
https://mywebsite.company/psc/hr89prd/EMPLOYEE/HRMS/s/WEBLIB_PT_NAV.ISCRIPT1.FieldFormula.IScript_PT_NAV_PAGELET?Bodyid=true&c=Wui%2buAiaQOQ%3d
Post #: 1
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 12:29:29 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

I'll start off by saying that I know this may be frowned upon, but.... I have an ISA server with one (1) NIC. I've been asked to publish an internal web site to the outside world,


That is the job of the ISA,...fine.

quote:

but in the process to make sure that only specific pieces of the site are available.


That is not the job of the ISA. Stop wasting your time there.  All you are going to do is create a disaster.

User Access Control within the site is the job of two things:
  1. The NTFS File System on the Web Server itself.
  2. The actual design and functionality of the web site code itself.

#2 is particularly crucial.  The developer of the Site has to have the knowledge and skills to develop (write code) to do this properly.  This is the person that the "bosses" are supposed to be running to,...not the Firewall Admin,...in order to get this done.

You can tell them I said so,....they can't fire me

_____________________________

Phillip Windell

(in reply to mecsi)
Post #: 2
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 12:55:43 PM   
mecsi
Posts: 4
Joined: 3.Mar.2009
Thanks for the response Pwindell.

I told 'em what you said, and instead of firing you, they said you have to show up for work this weekend

As you may have encountered in your own career, part of my job is to "make do". The app in question is a fairly out-of-the-box type of thing. There's not much room for customization, and even if there were, that luxury would not likely be afforded me.

I've actually managed to make all of this work pretty well (even though as you say I probably shouldn't). I found that in mappings, directories can be specified for access (dirname1/dirname2/) and specific pagelets or scripts can also be specified as long as you leave out the parameters that would be passed (i.e. leaving out everything from the "?" character on). Whatever isn't explicitly allowed gets sent to the error page (12202.htm or 12202r.htm, which I spruced up a bit) by the default deny rule.

It's certainly not nearly as elegant as having the originating web server determine what an individual page should look like based on some criteria (Client IP or username, etc.), but it solves the basic need.

Thanks again.

(in reply to pwindell)
Post #: 3
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 2:00:26 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

I told 'em what you said, and instead of firing you, they said you have to show up for work this weekend


Cool!

quote:

As you may have encountered in your own career, part of my job is to "make do". The app in question is a fairly out-of-the-box type of thing. There's not much room for customization, and even if there were, that luxury would not likely be afforded me.


I am a one-man IT shop here, so I do understand that.  I probably should be a little less dogmatic on that. Yes, as you are seeing, you can control some of that the way you are trying, but I think it can really get out of hand if you aren't conservative about it.

Maybe you can blend that with using File System Permissions on the web server.  Just keep in mind that with the NTFS permissions, if the user tries to access something that they don't have permission to, they will get an Auth Prompt,...there is no stopping that to my knowledge; the key is that they should not know any credentials that will get them to where they don't belong.

_____________________________

Phillip Windell

(in reply to mecsi)
Post #: 4
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 2:56:58 PM   
mecsi
Posts: 4
Joined: 3.Mar.2009
Thanks Phillip,

I completely understand, but unfortunately, and for the sake of brevity, I left a key component of the requirements out of my initial question. You see, the goal was not just to publish a limited access web site (easy enough...sort of), but additionally, to ensure that the client experience be different (i.e. access to specific functions of the site) based on the client computer's IP address.

In other words, the same account, coming from an internal corporate IP, allows access to everything the account has been granted, but from the outside, clicking on certain links results in an access error (12202.htm, etc). We don't have split DNS for this domain, nor are we interested in providing different URLs to make the distinction.

So you see, I can't use NTFS permissions to limit, because the same user account may have valid access to a directory or file, but should only be able to access it from the inside.

To do this I had to create two publishing rules (which I call "Internal" and "External"). The Internal allows access to everything (i.e. /* = /*), and the External has those limits that I was trying to figure out how to do. I differentiate the two rules by IP ranges. The internal "FROM" includes a network object I created that lists just internal company IPs. The External "FROM" includes the default network object called "Internal" (which for me is really all IPs, since I only have one NIC) and EXCLUDES the network object I mentioned above which contains internal company IPs (ALL IPs - Corporate IPs = Internet). Both rules publish the same external URL.

The client IP then becomes the determining factor in which publishing rule is applied, and therefore what the user can access.

-Mecsi


(in reply to pwindell)
Post #: 5
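A small model of the two-rule design described in this post, together with the mapping behaviour from post #3 (directories allowed as a prefix, scripts allowed with everything from "?" onward dropped), added here as an example; it is not code from the thread or from ISA. The corporate ranges, the External path list and the client addresses are constructed, and the prefix/exact matching with percent-decoding and ".." normalisation is a simplification of ISA's own mapping logic (an assumption), useful for checking the intended access matrix before editing the rules.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed stand-in for mecsi's "internal company IPs" network object (assumption).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Paths the External rule permits, built from the links in the first post. A trailing "/"
# means a directory (that path and everything beneath it); anything else is an exact script
# path. Query strings ("?..." and after) are never part of an entry, as in the ISA mappings.
EXTERNAL_PATHS = [
    "/psp/hr89prd/EMPLOYEE/HRMS/h/",
    "/psc/hr89prd/EMPLOYEE/HRMS/s/WEBLIB_PT_NAV.ISCRIPT1.FieldFormula.IScript_PT_NAV_PAGELET",
]

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

# The two publishing rules from post #5: "Internal" (/* = /*) for corporate sources and
# "External" (restricted paths) for every other source. First rule whose FROM matches wins.
RULES = [
    ("Internal", lambda ip: is_corporate(ip), ["/"]),
    ("External", lambda ip: not is_corporate(ip), EXTERNAL_PATHS),
]

def request_path(url: str) -> str:
    """Path as the mappings see it: query dropped, percent-decoded, '..' segments resolved."""
    raw = unquote(urlsplit(url).path) or "/"
    norm = posixpath.normpath(raw)
    # normpath strips a trailing slash; keep it so directory requests still match directory entries
    return norm + "/" if raw.endswith("/") and not norm.endswith("/") else norm

def path_allowed(path: str, entries) -> bool:
    for entry in entries:
        if entry.endswith("/") and path.startswith(entry):
            return True  # directory entry: the directory itself or anything beneath it
        if path == entry:
            return True  # exact script entry
    return False

def decide(client_ip: str, url: str):
    """Return (rule name, allowed); ('Default', False) if no rule's FROM matches the client."""
    for name, from_matches, entries in RULES:
        if from_matches(client_ip):
            return name, path_allowed(request_path(url), entries)
    return "Default", False
```

The last two checks in the test matter most: a request under an allowed directory that tries to climb out with ".." (raw or percent-encoded) is normalised first, so it is judged against the directory it actually reaches.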
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 5:32:05 PM   
pwindell
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Ok, I see.

Well the Split-DNS I used to really hate before I understood it.  Now I see it as a "given" and that everyone should set it up out of the box whether they think they need it or not.  Because, sooner or later, they will need it.  You could probably have that in place in 10-15 minutes,..there isn't much to it.

As far as the rest of it, I think I am no longer sure how much you have already figured out and what things you still can't get the way you want.  So I am not sure "where you're at" now with it.

Don't forget about ISA Link Translation abilities, where you can have certain links translated into different links.  Maybe you can redirect some of those "forbidden" links to more useful links rather than having the "error" pages and the customization that goes along with that.  It is hard for me to visualize exactly all that you are doing, but the Link Translation features may be useful for some things you want to do.

There is also the Paths Tab in the Publishing Rule that might provide some options.

I don't really use either of these in "real life", so all I can do is suggest investigating them. Sources of information would be, of course, the built-in Help (it's not so bad sometimes),..then there is this site we are on, and then there is:

Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
_____________________________

Phillip Windell

(in reply to mecsi)
Post #: 6
RE: Trying to limit access to specific directories and ... - 2.Apr.2009 6:33:20 PM   
mecsi
Posts: 4
Joined: 3.Mar.2009
I like split DNS too, but I work for a fairly large multi-national company, so I can't think of a single thing I could actually accomplish in 15 minutes, except for eating lunch at my desk. It would be a pretty involved project to split this domain.

As far as the rest of it, the stuff I've done seems to be working. I just wrote it down to share how I did it.

I'm also aware of the link translation stuff, but in this particular case, redirecting users to more accessible pages would probably just be confusing. We decided to go with an "access denied" page.

Thanks for the links, and thanks again for your input.

-Mecsi

(in reply to mecsi)
Post #: 7