[isalist] Re: Filtering URLs with TMG

  • From: D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR <DPietruszka@xxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 13 Oct 2010 10:33:43 -0400

http://www.ISAserver.org
-------------------------------------------------------

I finally got it working, I was having some kind of weird issue with the 
automatic script configuration on IE.

My TMG clients were configuring IE with the proxy information and were also 
assigning a script configuration. 
For some weird reason (I couldn't get an answer from Microsoft on the case I 
opened on why), when the script was configured on IE, some of the HTTPS 
connections were reaching the TMG server as proxy traffic, so TMG was seeing 
IP addresses instead of URLs, so there was no way for it to block or allow. 
Most of that traffic was HTTPS redirections (for example after you log in on a 
secure site).

As soon as I removed the automatic script option (meaning the client is no 
longer assigning a script to IE), things started working just fine.

That is pretty cool, but I have no idea why the above happened. I can just say 
it happened.

Regards
Diego R. Pietruszka

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, October 13, 2010 10:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Filtering URLs with TMG

TMG is not ISA and URL Filtering is not Web Sense.
If you approach them as if they are, disappointment is surely your reward.
You also have to separate the concept of "URL blocking" from "protocols".
You can't use URLs for HTTPS connections unless you also employ HTTPS 
Inspection.
You can't use URLs for traffic from TMGC or SecureNET clients.

Ya gotta think it through - Web Sense "pretends" to understand URLs by 
reassembling host and resource headers - a technique that doesn't work as well 
as it appears.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, September 21, 2010 8:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Filtering URLs with TMG

Hello all (sorry for the long email)

I migrated to TMG hoping to get rid of Websense. 
Websense works pretty good doing what it is supposed to do, but the integration 
with ISA and all the 10000 services running on different servers make it kind 
of annoying sometimes.

The point is, we have different categories of users and I have a rule on TMG 
allowing Internet access for each category or group (just to the sites listed 
on the URLs sets).
That rule is basically saying if you are a member of AD group A, you are allowed 
to the URLs listed on this URL set, if you are on AD group B then you have 
access to the URLs listed on another URL set and so on.

That scenario worked fine with Websense. If I allowed group A to go to 
*.thisparticularsite.com, the thing simply worked.
On TMG it is not that easy. I have several examples where even if we add all the 
possible combinations for a URL to match, TMG will still block access to the 
page; in some cases I had to add IP addresses or even ranges of IP addresses to 
have the users accessing those sites.

A case I was working just now was https://www.firstfederalbankonline.com , 
where even if I added all the below listed options to the allowed URL set, the 
thing will not work.

*.firstfederalbankonline.com
firstfederalbankonline.com
https://www. firstfederalbankonline.com
firstfederal.com
*.firsfederal.com

The last 2 were added because I found the page accessing that URL while 
loading. 

TMG always was showing an entry blocking something, that something had no URL 
detail on the log but was one of the IPs on the bank's class C subnet. So I 
finished adding the entire class C range to my rule and things started working 
fine.

So here is the question. 

Am I doing something wrong (in the way I'm implementing the rules), or is this 
regular behavior and I will have to either live with it or install Websense or 
another app again?

Thanks for any info on this.

Regards
Diego R. Pietruszka

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 
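
Added example, not part of the original thread and not TMG's own matching logic: a simplified Python model of what a forward proxy without HTTPS inspection can see in each request, and why a name-based URL set cannot match a CONNECT request addressed to an IP. The allow-list, the sample request lines and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed allow-list, modelled on the entries quoted in the thread.
ALLOWED_HOSTS = ["*.firstfederalbankonline.com", "firstfederalbankonline.com"]

def visible_to_proxy(request_line):
    """Return (host, path) as seen by a proxy that does not inspect TLS.

    For CONNECT the path is None: the request carries only host:port and
    the real URL travels inside the encrypted tunnel.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return host.strip("[]").lower(), None
    parts = urlsplit(target)  # proxy-form request line: absolute URI
    return (parts.hostname or "").lower(), parts.path or "/"

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(request_line, allowed=ALLOWED_HOSTS):
    """Apply the name-based allow-list to whatever the proxy can see."""
    host, path = visible_to_proxy(request_line)
    if is_ip_literal(host):
        return "deny: target is an IP literal, no name to match"
    if any(fnmatch(host, pattern) for pattern in allowed):
        scope = "host only" if path is None else "host and path"
        return f"allow: matched on {scope}"
    return "deny: host not in set"

# Constructed sample request lines.
SAMPLES = [
    "GET http://www.firstfederalbankonline.com/login HTTP/1.1",
    "CONNECT www.firstfederalbankonline.com:443 HTTP/1.1",
    "CONNECT 203.0.113.10:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:62} -> {decide(line)}")
```

The third sample corresponds to the log entries described in the thread, where the blocked request showed an IP address and no URL detail.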

