Howto deny sites

Howto deny sites - 17.Feb.2004 4:20:00 PM   
Ralphie

 

Posts: 10
Joined: 23.Jan.2003
From: Netherlands
Status: offline
Guys, I seem to overlook things. I can't seem to figure out how to block certain sites. On ISA 2000 you could make a Destination Set, and then create a new site and content rule and apply the destination set.

Could someone give me a push in the right direction? "[Smile]"
Post #: 1
RE: Howto deny sites - 17.Feb.2004 4:31:00 PM   
Ralphie

 

Posts: 10
Joined: 23.Jan.2003
From: Netherlands
Status: offline
Ahhh, I found it! So never mind [Smile]

(in reply to Ralphie)
Post #: 2
RE: Howto deny sites - 17.Feb.2004 8:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ralphie,

Very easy, eh?

Thanks!
Tom

(in reply to Ralphie)
Post #: 3
RE: Howto deny sites - 27.Feb.2004 4:27:00 PM   
reinier

 

Posts: 9
Joined: 27.Jul.2003
From: The Netherlands
Status: offline
Hi Guys,

So you found it but I'm still trying [Confused]
I'm trying to deny access to a few sites for all and every user that passes ISA 2004.
Tried to build this:
Deny Rule, from all networks to URL set that contains the blocked sites. Applied it to all users. I set this on top of every other custom rule. My other rules allow http/https to every site...

Problem, I can still access the sites!
How does ISA interpret its rules?

Thanks!
Reinier.

[ February 27, 2004, 04:29 PM: Message edited by: Reinier ]

(in reply to Ralphie)
Post #: 4
RE: Howto deny sites - 1.Mar.2004 12:11:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Reinier,

Try configuring the clients as Firewall or Web Proxy clients.

HTH,
Tom

(in reply to Ralphie)
Post #: 5
RE: Howto deny sites - 3.Mar.2004 9:38:00 AM   
reinier

 

Posts: 9
Joined: 27.Jul.2003
From: The Netherlands
Status: offline
Hi Tom,

Thanks. This is the famous "ISA 2000 http redirection filter losing authentication"?

Did you figure out yet how ISA 2004 handles this? Or how to change the "redirection requests"??

I'd like to block the sites for the SecureNAT clients also...

Reinier.

(in reply to Ralphie)
Post #: 6
RE: Howto deny sites - 3.Mar.2004 2:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Reinier,

It's not really an HTTP Redirector issue, but rather a name resolution issue. Since the SecureNAT client (the weakest and very low level of security client) resolves names itself, the firewall only knows the IP address of the destination, not the FQDN. Since the firewall doesn't do a reverse lookup for the IP address, it can't block based on name.

This is why all clients should be configured as Web Proxy and Firewall clients. The thing that really sets ISA firewalls apart from conventional packet filter firewalls is the strong outbound access controls provided by the Web Proxy and SecureNAT clients.

Not using these client types is like buying a Testarossa and never driving it faster than 30 MPH.
[Big Grin]

HTH,
Tom

(in reply to Ralphie)
Post #: 7
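
The rule-matching behaviour described in post #7, as an added example that is not part of the thread and is not ISA Server code: a simplified first-match policy model in Python. The rule names, `blocked.example` and `192.0.2.10` are constructed, and the per-client-type handling is an assumption taken from the post's description (Web Proxy and Firewall clients hand the name to the firewall, SecureNAT clients resolve it themselves).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    client_type: str          # "web_proxy", "firewall" or "securenat"
    dest_ip: str              # what every client type exposes
    dest_name: Optional[str]  # FQDN as seen by the firewall; None if only the IP is known

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "deny" or "allow"
    names: Optional[frozenset]  # name-based destination set; None means any destination

def name_in_set(fqdn, names):
    """True if fqdn equals a listed domain or is a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == n or fqdn.endswith("." + n) for n in names)

def as_seen_by_firewall(client_type, fqdn, resolved_ip):
    """Assumption from the post: a SecureNAT client resolves the name locally,
    so the firewall receives a connection to an IP with no FQDN attached."""
    name = fqdn if client_type in ("web_proxy", "firewall") else None
    return Request(client_type, resolved_ip, name)

def evaluate(rules, req):
    """Ordered, first-match evaluation with a default deny at the end."""
    for rule in rules:
        if rule.names is None:
            return rule.action, rule.name
        if req.dest_name is not None and name_in_set(req.dest_name, rule.names):
            return rule.action, rule.name
        # No name known and no reverse lookup: a name-based rule cannot match.
    return "deny", "default"

def bypassing_client_types(rules, fqdn, resolved_ip):
    """Audit helper: client types for which a destination meant to be blocked is not denied."""
    kinds = ("web_proxy", "firewall", "securenat")
    return [k for k in kinds
            if evaluate(rules, as_seen_by_firewall(k, fqdn, resolved_ip))[0] != "deny"]

# Constructed policy mirroring post #4: deny rule on top, broad allow rule below it.
RULES = [
    Rule("Deny blocked sites", "deny", frozenset({"blocked.example"})),
    Rule("Allow HTTP/HTTPS", "allow", None),
]

if __name__ == "__main__":
    print(bypassing_client_types(RULES, "www.blocked.example", "192.0.2.10"))
```
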
RE: Howto deny sites - 10.Mar.2004 2:08:00 PM   
reinier

 

Posts: 9
Joined: 27.Jul.2003
From: The Netherlands
Status: offline
Hi Tom,

It's all clear to me now, thanks!

Reinier.

(in reply to Ralphie)
Post #: 8
