Welcome to ISAserver.org

RE: How block site on ISA Server 2004?

RE: How block site on ISA Server 2004? - 20.Jul.2004 12:19:00 PM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
quote:
Originally posted by pnx:
In the URL Set window it is written something like "if your DNS is not configured properly this could not work". Maybe it is a DNS problem?

I think this is the problem. If I execute NSLOOKUP and type a url like "www.microsoft.com" I obtain "www.microsoft.com.mydomain.com".

I never understood how to configure the DNS server correctly. I don't want to make the server a domain controller, I don't want to create Active Directory because I don't need it.

My DNS server always reports error 414: "The DNS server machine currently has no DNS domain name. Its DNS name is a single label hostname with no domain". I never found a way to solve this problem. I tried changing the name of the server (now called Homeserver) without result.
It seems this is a diffused problem.

(in reply to manguonden)
Post #: 21
RE: How block site on ISA Server 2004? - 20.Jul.2004 12:41:00 PM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
Now I removed the "mydomain.com" from the "primary dns suffix" textbox in the "Computer Name Tab".

In this way the DNS seems to work well (even if error 414 is still present).

It seems like ISA blocks the IP and not the URL. In fact, if I block adv.hwupgrade.it, ISA also blocks www.hwupgrade.it and forum.hwupgrade.it, which have the SAME IP address. [Roll Eyes]

(in reply to manguonden)
Post #: 22
RE: How block site on ISA Server 2004? - 20.Jul.2004 6:40:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

Your nslookup looked unusual because you did not include the trailing period:

should be:

www.microsoft.com.

You should always have the correct primary DNS suffix configured on computers on your network.

Check out the many articles I've done on DNS configuration in the ISA deployment kits on this site.

HTH,
Tom

(in reply to manguonden)
Post #: 23
RE: How block site on ISA Server 2004? - 20.Jul.2004 8:48:00 PM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
Ok, now I've made order with DNS, and it works well.

It seems that ISA still doesn't block the URL, but just the IP. Tomorrow I'll make some other tests, and I'll be able to be more precise.

Thanks again.
Bye, pnx.

(in reply to manguonden)
Post #: 24
RE: How block site on ISA Server 2004? - 21.Jul.2004 1:06:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

Give me an example of a URL you want to block and I'll test it.

Thanks!
Tom

(in reply to manguonden)
Post #: 25
RE: How block site on ISA Server 2004? - 21.Jul.2004 7:37:00 PM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
Ok Tom, now I'm sure DNS is set correctly!

I've tried again, but the result is the same, ISA blocks the IP, not the URL. [Frown]

Try to block the url "http://adv.hwupgrade.it",
then go to "www.hwupgrade.it". [Wink]

Bye, thanks again Tom.

(in reply to manguonden)
Post #: 26
RE: How block site on ISA Server 2004? - 21.Jul.2004 10:48:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

I tested it. Here's what the browser said when I blocked it:

Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.



Technical Information (for support personnel)
Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.1.60
Date: 7/21/2004 8:49:31 PM
Server: CELESTIX-H5L4CS
Source: proxy

Here's the log file entry:

0.0.0.0 No Proxy CELESTIX-H5L4CS adv.hwupgrade.it TCP Internal External - - - - - - 0 1 4311 417 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 0x0 0x800 Web Proxy Filter 7/21/2004 3:49:31 PM 192.168.1.8 192.168.1.60 8080 http Denied Connection Deny TEST anonymous http://adv.hwupgrade.it/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; .NET CLR 1.1.4322) GET

HTH,
Tom

(in reply to manguonden)
Post #: 27
RE: How block site on ISA Server 2004? - 22.Jul.2004 9:56:00 AM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
What did you type in the browser to get that result, www.hwupgrade.it or adv.hwupgrade.it? [Smile]

If I create a rule that blocks adv.hwupgrade.it, I can't access www.hwupgrade.it, but I don't want to block www as well! [Wink]

(in reply to manguonden)
Post #: 28
RE: How block site on ISA Server 2004? - 22.Jul.2004 10:04:00 AM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
I've found the problem. I must set the Proxy in the browser to get the rule working correctly.

I've never set the proxy, because in the network there are some notebooks that also move outside the network, so the users would always have to enable or disable the proxy.
It always worked perfectly with ISA2000 without setting the proxy in the browser...

(in reply to manguonden)
Post #: 29
RE: How block site on ISA Server 2004? - 22.Jul.2004 4:09:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

You should have autodiscovery enabled on all browsers and a wpad entry in DHCP and DNS.

Let me check what happens when the client is configured as a SecureNAT client.

NOTE: All Windows clients should be configured as a Web Proxy or Firewall client. Otherwise, your security isn't any better than you would see with a Pix or netscreen.

HTH,
Tom

(in reply to manguonden)
Post #: 30
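
A proxy auto-configuration script of the kind a wpad entry would serve, as an added example that is not part of the original posts: it sends browsers to the ISA Web Proxy listener only while the notebook is on the internal network and goes direct elsewhere. The proxy name `isa.example.local`, port 8080 and the 192.168.1.0/24 internal range are assumptions; `ipToInt`, `inSubnet` and `chooseProxy` are hypothetical helper names.

```javascript
// Added example: PAC file (wpad.dat / autoconfiguration script).
// Assumed values, not from the thread: proxy host, port, internal subnet.
var PROXY = "PROXY isa.example.local:8080";
var INTERNAL_NET = "192.168.1.0";
var INTERNAL_MASK = "255.255.255.0";

// Convert dotted-quad IPv4 text to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside net/mask (hypothetical helper; PAC engines also
// provide isInNet(), which resolves host names and so can trigger DNS lookups).
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Decide the route from the client's own address and the target host.
function chooseProxy(host, clientIp) {
  // Off the internal network (roaming notebook): no ISA firewall to reach.
  if (!inSubnet(clientIp, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";
  // Single-label intranet names and internal addresses skip the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (inSubnet(host, INTERNAL_NET, INTERNAL_MASK)) return "DIRECT";
  // Everything else goes to the Web Proxy listener, so the firewall
  // receives the full URL and URL Set rules can match on the host name.
  return PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC engine.
function FindProxyForURL(url, host) {
  return chooseProxy(host.toLowerCase(), myIpAddress());
}
```

192.168.1.0/24 is also a common home-router range, so a notebook at home can match the internal check; an internal range that outside networks will not satisfy avoids sending roaming clients to an unreachable proxy.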
RE: How block site on ISA Server 2004? - 22.Jul.2004 4:24:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

I tested with a SecureNAT client using a Domain Name Set (like in the article on the front page of this Web site). Here's what I get:

0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) No Proxy ISALOCAL 212.110.12.189 TCP - - - - - - 0 32 2248 252 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 0x0 0x800 Web Proxy Filter Internal External 7/22/2004 9:23:02 AM 212.110.12.189 80 http Denied Connection Default rule 10.0.0.5 anonymous GET http://212.110.12.189/

Technical Information (for support personnel)

Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)

So, it works for Web Proxy and SecureNAT clients.

HTH,
Tom

(in reply to manguonden)
Post #: 31
RE: How block site on ISA Server 2004? - 22.Jul.2004 7:00:00 PM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
Thank you for help Tom,
but I think that maybe I haven't been so clear... I'll explain the situation. [Wink]

All my clients are FIREWALL CLIENTS and there is also the ISA IP configured as gateway, but the proxy-setting is not configured in the browser.

The FWC software detects ISA and all works correctly.

With this type of configuration I cannot block a specific URL, but only a specific IP.
In fact, adv.hwupgrade.it and www.hwupgrade.it have the SAME IP Address, and if I deny access to "adv", also "www" becomes inaccessible.

With the same identical configuration, this didn't happen with ISA2000.

The only way I've found to let it work correctly (deny "adv" and allow "www") is to set up the Proxy setting in the Internet Explorer Options (or Mozilla, or other browser).

(in reply to manguonden)
Post #: 32
RE: How block site on ISA Server 2004? - 23.Jul.2004 8:14:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi PNX,

I see. The reason ISA does this is so users cannot enter IP addresses to get around the ISA firewall security.

For example, suppose you do not want users to go to www.badsite.com and the IP address of that site is 2.2.2.2

So, you block the URL www.badsite.com. When users try to go to www.badsite.com, they are blocked.

Then the users find out if they enter http://2.2.2.2 they can get to www.badsite.com

Is that good or bad?

HTH,
Tom

(in reply to manguonden)
Post #: 33
RE: How block site on ISA Server 2004? - 23.Jul.2004 8:32:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

Are you sure it worked with ISA 2000? Or did you disable the reverse lookup feature?

The reason why you have more granular control when using the Web Proxy is that the Web Proxy at the ISA firewall actually receives the request for the actual URL and then proxies the request to the Web server.

In contrast, the Firewall client and the SecureNAT client do *not* send the actual URL to the ISA firewall. Instead, they resolve the name of the Web site, and then send their requests. In the case of the Firewall client, the Firewall client sends the IP address of the site to which it wants to connect to the Firewall service on the ISA firewall, and the ISA firewall proxies the request. In the case of the SecureNAT client, the SecureNAT client sends a request for the IP address of the destination Web server to the internal interface of the ISA firewall, and the ISA firewall NATs the request.

The ISA 2000 firewall worked the same way. It's the basic difference between how Web Proxy requests and non-Web proxy requests work.

HOWEVER, now that I think about it, maybe you had the HTTP Redirect filter enabled in ISA 2000. If so, it might have worked since the full URL may have been forwarded to the Web Proxy service, even from SecureNAT and Firewall clients. The ISA 2004 firewall does not have an HTTP Redirector and it does not have a Web Proxy service. It only has a Web Proxy filter, which has a lot of advantages over the Web Proxy service, but perhaps with the advantages, you've encountered one of the disadvantages.

Regardless, I still maintain that all clients, from all operating systems, should be configured as Web Proxy clients and they should either use autodiscovery, or be assigned an autoconfiguration script (via Group Policy or manual configuration).

HTH,
Tom

(in reply to manguonden)
Post #: 34
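
The difference described above, as an added example that is not part of the original posts and is not ISA Server code: a simplified model in which a Web Proxy client hands the firewall the URL, while a Firewall or SecureNAT client presents only a destination address that is then matched against every name known for it. The `DNS` table is constructed sample data (203.0.113.x are documentation addresses, not the sites' real ones), and `evaluate`, `namesForIp`, `hostOf`, `isDenied` and `DENIED_HOSTS` are hypothetical names.

```javascript
// Added example: simplified model, not ISA Server's implementation.
// Constructed name-to-address table; several names share one address,
// as adv.hwupgrade.it and www.hwupgrade.it do in the thread.
var DNS = {
  "adv.hwupgrade.it": "203.0.113.10",
  "www.hwupgrade.it": "203.0.113.10",
  "forum.hwupgrade.it": "203.0.113.10",
  "www.example.org": "203.0.113.20"
};
var DENIED_HOSTS = ["adv.hwupgrade.it"]; // stands in for the URL Set deny rule

function isDenied(name) { return DENIED_HOSTS.indexOf(name) !== -1; }

// All names in the table that point at the given address.
function namesForIp(ip) {
  return Object.keys(DNS).filter(function (name) { return DNS[name] === ip; });
}

// Host part of an http:// URL, lower-cased, without port or trailing dot.
function hostOf(url) {
  var m = /^http:\/\/([^\/:]+)/i.exec(url);
  return m ? m[1].toLowerCase().replace(/\.$/, "") : null;
}

// clientType "webproxy" sends the full URL; "firewall" and "securenat"
// resolve the name themselves and present only the destination address.
function evaluate(clientType, url) {
  var host = hostOf(url);
  if (host === null) return "deny"; // unparsable request
  var isIp = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  // Web Proxy client with a name in the URL: the rule sees that exact name.
  if (clientType === "webproxy" && !isIp) {
    return isDenied(host) ? "deny" : "allow";
  }
  // Modelling assumption: with only an address known, every name behind it
  // is considered, which reproduces the over-blocking seen in the thread.
  var ip = isIp ? host : DNS[host];
  return namesForIp(ip).some(isDenied) ? "deny" : "allow";
}
```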
RE: How block site on ISA Server 2004? - 23.Jul.2004 9:06:00 AM   
pnx

 

Posts: 31
Joined: 19.Jul.2004
From: Italy
Status: offline
Thanks Tom, You've been VERY VERY clear, now I understand... [Smile]

Thank you again, Bye. [Wink]
pnx

(in reply to manguonden)
Post #: 35
RE: How block site on ISA Server 2004? - 23.Jul.2004 2:28:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pnx,

Thanks!

Tom

(in reply to manguonden)
Post #: 36
