Need to Block SSL VPN traffic in ISA

Need to Block SSL VPN traffic in ISA - 26.Apr.2011 8:20:08 AM   



I have an ISA Enterprise integrated with the Websense Web Filtering Solution.

We need to block (outbound) all SSL VPN traffic initiated across the proxy, but we need to allow normal https sites. In other words, we need to block all the public SSL sites (Citrix SSL VPN or portals published via IAG / UAG).

The only option available in ISA as of now is to create a Domain Name Set and add all the SSL VPN sites, and these sites will be accessed directly. However, I don't want to go with this option as we don't have the exact SSL VPN URLs. There could be around 1000s of URLs.

In Websense, we can do protocol filtering for https. Blocking https in Websense will block all the SSL VPN traffic as well as https traffic.

Does ISA have the intelligence to block SSL VPN traffic and allow only normal https?

Post #: 1
RE: Need to Block SSL VPN traffic in ISA - 29.Apr.2011 9:58:11 AM   


You're treating it like SSL-VPN is something special,...some "new & unique" kind of traffic and that the other is "normal SSL".  It is not.  SSL-VPN is not even "traffic" to begin with,...SSL is the traffic,...VPN is just what you do with it.

So it is just SSL (HTTPS),...that is all it is,...there is only one kind of SSL,...and there is no way to distinguish it from any other SSL traffic.

URLs?  URLs are just simply not even part of the conversation and do not,..can not,...and will never,....be applied to SSL traffic because the URL portion of the string is encrypted in the SSL packets and cannot be read by the ISA,..hence no decisions can be based on its contents.  The URL is the part after the ".com",...the Domain Name is the part before and including the ".com".  They are two entirely different things.  Domain Name Sets are for Domain Names and URL Sets are for URLs.  You cannot use URL Sets with HTTPS,...you can only use Address Sets, Computer Sets, and Domain Name Sets.

So the bottom line,...blocking by Domain Name (Domain Name Set) or by IP# (Address Set) is your only real option.


Phillip Windell

(in reply to shufu)
Post #: 2
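The distinction drawn in the reply above, as an added example that is not part of the original thread and is not ISA code: it parses the first line of a proxied request to show which fields a forward proxy can read for HTTPS (a `CONNECT` tunnel) versus plain HTTP, then applies a Domain Name Set style deny list. The host names are constructed, the wildcard matching is a simplified assumption rather than ISA's own matching logic, and the proxy is assumed not to perform HTTPS inspection.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed deny list in the style of a Domain Name Set (hypothetical names).
BLOCKED_DOMAINS = ["vpn.example.com", "*.sslvpn.example.net"]


def visible_fields(request_line):
    """Return what the proxy can read from the first line of a client request."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS through a proxy: the target is only host:port.
        # The URL path is sent later, inside the encrypted tunnel.
        host, _, port = target.rpartition(":")
        return {"host": host.lower(), "port": int(port), "path": None}
    # Plain HTTP through a proxy: the absolute URL is sent in clear text.
    parts = urlsplit(target)
    return {"host": parts.hostname, "port": parts.port or 80, "path": parts.path or "/"}


def domain_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match a host name against the deny list (simplified wildcard matching)."""
    return any(fnmatch(host, pattern.lower()) for pattern in blocked)


def decide(request_line):
    """Allow or deny using only the host name, the one field both cases expose."""
    seen = visible_fields(request_line)
    return "deny" if domain_blocked(seen["host"]) else "allow"


if __name__ == "__main__":
    # Constructed sample request lines as a forward proxy would receive them.
    samples = [
        "CONNECT vpn.example.com:443 HTTP/1.1",
        "CONNECT gw1.sslvpn.example.net:443 HTTP/1.1",
        "CONNECT www.example.org:443 HTTP/1.1",
        "GET http://www.example.org/portal/login HTTP/1.1",
    ]
    for line in samples:
        print(decide(line), visible_fields(line), sep="\t")
```

For every `CONNECT` line the `path` field is `None`, which is why a URL Set has nothing to match against and only the host name or IP address can drive the rule.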
