[isalist] Re: Access Rule Issue...

  • From: "Tom Rogers" <trogers@xxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 2 Feb 2009 10:19:27 -0500

http://www.ISAserver.org
-------------------------------------------------------

Ok, here is what I did.

I created a URL set of the sites that I need to allow.

I created Rule 1 as follows:

ACTION: Allow (and log)
PROTOCOLS: HTTP/HTTPS
FROM: Internal
TO: (my URL Set)
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

I created Rule 2 as follows:

ACTION: Deny (redirect to custom page and log)
PROTOCOLS: All Outbound
FROM: Internal
TO: External
USERS: (my specific user)
SCHEDULE: Always
CONTENT TYPES: All content type

SSL sites are still not allowed, so what do I need to change to allow
this user to access the necessary SSL sites?

-Tom


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, January 30, 2009 8:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Access Rule Issue...
> 
> A1 - you must not use name-based destination in a rule that includes "all
> protocols".  Name-based rules are ONLY for HTTP and HTTPS.
> A2 - you cannot use URL sets for SSL connections because unlike CERN HTTP
> and CERN FTP traffic, ISA never has access to the entire URL for HTTPS
> tunnels.
> 
> You can create two rules:
> 1. allow HTTP/HTTPS from to specific destinations
> 2. deny all
> 
> JimmyJoeBob Alooba
> Office 2007 on Win7 Beta
> 
> 
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Friday, January 30, 2009 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Access Rule Issue...
> 
> I am using ISA 2006 SP-1 on a W2K3 SP1 server.
> 
> I created an access rule for a specific user that denies all traffic
> from internal to external, except a list of a few websites that I put
> into a URL Set. This works just fine, except when it comes to accessing
> https websites and I cannot figure it out.
> 
> If the user tries to go to any website outside of the URL Set contents,
> I redirect to a custom page stating that the website is not allowed from
> this computer. For example, if the user tries to go to cnn.com, my
> custom denial page displays.
> 
> But with the HTTPS sites failure for the allowed sites, it does not go
> to my custom page, but just tells me IE cannot display the webpage.
> 
> For example - in my URL Set I have a website
> HTTP://WWW.EXCELLUSBCBS.COM/* but when you go to this root website it
> changes to https://www.excellusbcbs.com/wps/portal/xl in a web browser.
> So then I put that new address into my URL Set as well. I don't get the
> redirect page, but I just get an error stating IE cannot display the
> webpage.
> 
> Why is this? I have allowed that specific URL in my URL Set.
> 
> TIA,
> 
> -Tom Rogers
> 
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
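
A simplified model of point A2 in the quoted reply, added here as an example; it is not part of the original thread and is not ISA Server's code. It shows what a forward proxy can read from a plain HTTP request versus an HTTPS CONNECT tunnel, and why a URL Set entry that carries a path cannot be evaluated for the tunnel. The HOST_SET list, the function names and the matching rules are assumptions of this model.

```python
from urllib.parse import urlsplit

# Constructed entries modelled on the URL Set described in the thread (not an ISA export).
URL_SET = [
    "http://www.excellusbcbs.com/*",
    "https://www.excellusbcbs.com/wps/portal/xl",
]
# Hypothetical name-only list: host names, no scheme and no path.
HOST_SET = ["www.excellusbcbs.com"]


def visible_to_proxy(request_line):
    """Return (scheme, host, path) as the proxy sees it; path is None for CONNECT."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # Tunnel request: only host:port is sent in the clear.
        return "https", target.rsplit(":", 1)[0].lower(), None
    parts = urlsplit(target)  # CERN-style proxy request carries the absolute URL
    return parts.scheme.lower(), parts.hostname, parts.path or "/"


def url_entry_matches(entry, scheme, host, path):
    """Match one URL-set entry against what the proxy could see."""
    e = urlsplit(entry)
    if e.scheme.lower() != scheme or (e.hostname or "") != host:
        return False
    if path is None:
        # Model assumption: without a path, only a pathless entry is decidable.
        return e.path in ("", "/", "/*")
    if e.path.endswith("*"):
        return path.startswith(e.path[:-1])
    return path == (e.path or "/")


def evaluate(request_line, url_set=URL_SET, host_set=HOST_SET):
    """Report which kind of list can produce a match for this request."""
    scheme, host, path = visible_to_proxy(request_line)
    return {
        "path_visible": path is not None,
        "url_set": any(url_entry_matches(e, scheme, host, path) for e in url_set),
        "host_set": host in host_set,
    }


if __name__ == "__main__":
    for line in ("GET http://www.excellusbcbs.com/ HTTP/1.1",
                 "CONNECT www.excellusbcbs.com:443 HTTP/1.1",
                 "GET http://www.cnn.com/ HTTP/1.1"):
        print(line, "->", evaluate(line))
```

In this model the CONNECT request matches only the name-only list, because the /wps/portal/xl path never reaches the proxy in readable form.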

