I have tried 3 and 4 times to block https sites but I am not able to block https sites with ISA Server 2006. I think I don't know the exact way to block https. Can someone help me in this regard?
For example, I am trying to block www.gmail.com, and after putting this in ISA Server 2006 > Firewall > URL Set and putting this in the block category, users cannot open http://www.gmail.com but they can access it by this link: https://www.gmail.com. How can I block https in this regard?
I tried Domain Name Set yesterday but it did not work for me. I am mentioning the configuration of what I did with my ISA 2006 Firewall; please let me know if I was wrong anywhere.
Create new Access Rule > Protocol - http and https > Action - deny > From - Internal Network > To - System Define - Domain Name Set Rule where the following sites are blocked:
*.gmail.com/*
*.google.com/accounts/*
*.mail.google.com/mail/*
*.orkut.co.in/Main#Home.aspx
*.orkut.com/*
.gmail.com/*
mail.google.com/mail/*
I have to block Gmail and Orkut, but they are being accessed by https and I am unable to block it with ISA 2006. Please provide me the right way to do this.
Hi,
In addition to what Jason said, domain name sets only support the wildcard character "*" at the beginning of the domain, and URL sets only support it at the end.
I have tested the same. I removed /* from all URLs in the Domain Name Set but it did not work for me. It has no effect on Gmail access. It is still opening with https.
How is your client access based? Are they using the firewall client?
The problem I have with SSL on ISA is that if you are not using the firewall client then the user establishes a session with the website independent of the ISA (not really independent, but ISA cannot filter the traffic). If it is on port 80 the traffic can be read by ISA and the firewall rules apply. If they connect on 443 the traffic is encrypted from server to client (Google to user PC) and the ISA only sees the IP address of the server, not the hostname. In this scenario you will have to block the IP addresses of those sites (which will probably break many other sites as well).
If you use the firewall client on the user computers then the encrypted session is between the ISA server and the web server. ISA then passes the traffic to the client. Since ISA initiates the session it will decrypt the traffic, read the host header, and deny access by your rule.
I don't know of any way in ISA to block SSL traffic if you are not using the Firewall Client. If there is, please let me know.
I could be wrong but that is how I understand ISA functions.
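As an added example (not from the thread or from Microsoft), this Python script checks the entries the original poster listed against the wildcard placement described in the replies: "*" only at the beginning of a Domain Name Set entry and only at the end of a URL Set entry. Treating a Domain Name Set entry as host-only and rewriting a leading "." to "*." are assumptions, as are all function names.

```python
# Added example (not from the thread). Encodes the wildcard placement described
# in the replies; treat the rules below as assumptions taken from those posts.

# Entries the original poster listed in the Domain Name Set.
POSTED_ENTRIES = [
    "*.gmail.com/*",
    "*.google.com/accounts/*",
    "*.mail.google.com/mail/*",
    "*.orkut.co.in/Main#Home.aspx",
    "*.orkut.com/*",
    ".gmail.com/*",
    "mail.google.com/mail/*",
]

def split_host(entry):
    """Split an entry into (host, rest), dropping any scheme prefix."""
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    host, sep, rest = entry.partition("/")
    return host, sep + rest

def check_domain_name_entry(entry):
    """Problems that stop an entry being a host-only Domain Name Set item."""
    host, rest = split_host(entry)
    problems = []
    if rest:
        problems.append("path not allowed: " + rest)
    if "*" in host[1:]:
        problems.append("'*' only allowed at the beginning")
    if host.startswith("."):
        problems.append("leading '.' without '*'")
    return problems

def check_url_set_entry(entry):
    """Problems under the rule that a URL Set takes '*' only at the end."""
    if "*" in entry[:-1]:
        return ["'*' only allowed at the end"]
    return []

def to_domain_name_entry(entry):
    """Host-only form of an entry; a leading '.' becomes '*.' (assumption)."""
    host, _ = split_host(entry)
    return "*" + host if host.startswith(".") else host

if __name__ == "__main__":
    for e in POSTED_ENTRIES:
        print(f"{e!r}: domain-set {check_domain_name_entry(e) or 'ok'}, "
              f"url-set {check_url_set_entry(e) or 'ok'}, "
              f"host-only form {to_domain_name_entry(e)!r}")
```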