• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

No child's play

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> General >> No child's play Page: [1]
Login
Message << Older Topic   Newer Topic >>
No child's play - 18.Jun.2010 3:43:41 PM   
JAAS

 

Posts: 3
Joined: 18.Jun.2010
Status: offline
Hi everyone.. I've been reading the forum for quite some time but never had to actually ask a question.. here it goes.

Today my boss asked me to block internet access to a group of users and only allow them to access certain sites. Internet access should remain open to all other users..

I've been (no kidding) dealing with this for over 8 hours straight.. I have and read Tom's book but I'm still stucked.

I've managed to get the results wanted (more or less) but I'm absolutely sure there's a better way of doing it.

Here's what I currently have..


Access Rule : HTTPS for ALL
Action: Allow
From: Perimeter
To: External
Protocol: HTTPS
Users: All users

Access Rule : HTTP Allowed Sites for All
Action: Allow
From: Perimeter
To: URL Set
Protocol: HTTP
Users: All Users

Access Rule : HTTP for SalesGroup
Action: Allow
From : Perimeter
To: URLSet (allowed sites for group)
Protocol: HTTP
Users : salesgroup

Access Rule : Internet for the rest
Action: Allow
From: Perimeter
To: External
Protocol: HTTP
Users: All Users (Exception: salesgroup)


For now this works, but only until the group discovers that they have open access to https and figure out that mosts sites (like facebook) can be accessed via https.
Don't know why, but if I remove the Rule allowin https to all and add https protocol to the other rules I get a Denied message on the logging for protocol "SSL-Tunnel"... isn't ssl-tunnel protocol the same as HTTPS?

I'm lost here


BTw... all clients have firewall client installed + the IE proxy settings are set + the DG points to the ISA server (if I take this out LogMeIn nor Outlook(Exchange) won't work.)
Post #: 1
RE: No child's play - 3.Aug.2010 12:25:23 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
1. Combine the HTTP and HTTPS together. There is no point in them being separate.
2. You are incorrectly using Perimeter as the From instead of Internal
3. The last rule "Internet for the rest" is pointless.

You need this, in this order:


Access Rule : HTTP for SalesGroup
Action: Allow
From : Internal
To: DomainSet of allowed sites for group
Protocol: HTTP, HTTPS
Users : salesgroup

Access Rule : General Web Access for ALL
Action: Allow
From: Internal
To: External
Protocol: HTTP, HTTPS
Users: All users


Now with all that said,...it is doomed to being a huge amount of work to maintain.  HArdly any web site out there is a "single" sites,..they are all intertangled and linked to other sites or they will not function.  You will probably find yourself adding to the Domain Set all the time to keep sites "working".

Populate the Domain Set with this format:
*.somesite.com
*.mygoodsite.org
*.microsoft.com
*.google.com

_____________________________

Phillip Windell

(in reply to JAAS)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> General >> No child's play Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts