http://www.ISAserver.org
-------------------------------------------------------

I finally got it working. I was having some kind of weird issue with the automatic script configuration on IE. My TMG clients were configuring IE with the proxy information and were also assigning a script configuration.

For some weird reason (I couldn't get an answer from Microsoft on the case I opened about why), when the script was configured on IE, some of the HTTPS connections were reaching the TMG server as proxy traffic, so TMG was seeing IP addresses instead of URLs, and there was no way for it to block or allow. Most of that traffic was HTTPS redirections (for example after you log in on a secure site).

As soon as I removed the automatic script option (meaning the client is no longer assigning a script to IE), things started working just fine. That is pretty cool, but I have no idea why the above happened. I just can say it happened.

Regards
Diego R. Pietruszka

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, October 13, 2010 10:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Filtering URLs with TMG

TMG is not ISA and URL Filtering is not Web Sense. If you approach them as if they are, disappointment is surely your reward.

You also have to separate the concept of "URL blocking" from "protocols".
You can't use URLs for HTTPS connections unless you also employ HTTPS Inspection.
You can't use URLs for traffic from TMGC or SecureNET clients.

Ya gotta think it through - Web Sense "pretends" to understand URLs by reassembling host and resource headers - a technique that doesn't work as well as it appears.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, September 21, 2010 8:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Filtering URLs with TMG

Hello all (sorry for the long email)

I migrated to TMG hoping to get rid of Websense. Websense works pretty well doing what it is supposed to do, but the integration with ISA and all the 10000 services running on different servers make it kind of annoying sometimes.

The point is, we have different categories of users and I have a rule on TMG allowing Internet access for each category or group (just to the sites listed on the URL sets). That rule is basically saying if you are a member of AD group A, you are allowed to the URLs listed on this URL set, if you are in AD group B then you have access to the URLs listed on another URL set, and so on.

That scenario worked fine with Websense. If I allowed group A to go to *.thisparticularsite.com, the thing simply worked. On TMG it is not that easy. I have several examples where even if we add all the possible combinations for a URL to match, TMG will still block access to the page; in some cases I had to add IP addresses or even ranges of IP addresses to have the users accessing those sites.

A case I was working on just now was https://www.firstfederalbankonline.com, where even if I added all the options listed below to the allowed URL set, the thing will not work.

*.firstfederalbankonline.com
firstfederalbankonline.com
https://www. firstfederalbankonline.com
firstfederal.com
*.firsfederal.com

The last 2 were added because I found the page accessing that URL while loading. TMG was always showing an entry blocking something; that something had no URL detail in the log but was one of the IPs on the bank's class C subnet. So I finished by adding the entire class C range to my rule and things started working fine.

So here is the question. Am I doing something wrong (in the way I'm implementing the rules), or is this regular behavior and I will have to either live with it or install Websense or another app again?

Thanks for any info on this.

Regards
Diego R. Pietruszka

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
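
Jim Harrison's point above about URLs and HTTPS Inspection, and the IP-only log entries Diego describes, illustrated as an added example that is not part of the thread. It is a simplified model of name-based matching at a forward proxy, not TMG's own logic; the request lines, the address 203.0.113.25 and the function names are constructed for illustration.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list modelled on URL set entries quoted in the thread.
URL_SET = ["*.firstfederalbankonline.com", "firstfederalbankonline.com"]

def visible_target(request_line):
    """Return (host, path) as a forward proxy can read it from a request line.

    For CONNECT the path is None: the tunnel carries TLS, so without HTTPS
    inspection the proxy never sees the URL requested inside it.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return host.strip("[]").lower(), None
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"

def is_ip(host):
    """True when the host is an address literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(request_line, url_set=URL_SET):
    """Simplified name-based policy: allow only if the host matches the set."""
    host, _path = visible_target(request_line)
    if is_ip(host):
        # No name is present, so only an address-based rule could match.
        return "deny (IP only, no name to match)"
    if any(fnmatch.fnmatchcase(host, pattern) for pattern in url_set):
        return "allow"
    return "deny (host not in set)"

# Constructed sample request lines, not taken from any real log.
SAMPLES = [
    "GET http://www.firstfederalbankonline.com/login HTTP/1.1",
    "CONNECT www.firstfederalbankonline.com:443 HTTP/1.1",
    "CONNECT 203.0.113.25:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", visible_target(line), decide(line))
```

The third sample is the case from the thread: a tunnel requested by address gives a name-based rule nothing to match, which is why only an IP range entry let the traffic through.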