Well, it pertains to the ISA server, so it is still relevant... *grin*

I have two basic groups of users, one for students and one for staff. The students group is locked down pretty tight, while the staff one allows normal web browsing but blocks the clearly naughty or dangerous places.

I'm running into two main issues:

1. Students are not allowed HTTPS, as there are tons of proxy programs out there that look for this and utilize it to bypass all filtering. To bypass this for one particular site requires the creation of a custom protocol on port 443 for a specific IP address. Hence, to block numerous websites requires numerous custom protocols.

2. The policies in Websense follow the old *nix style security, where you can create a policy for one group but if there is one user that requires one tiny modification you have to duplicate the entire security policy, remove the user from that group, and apply the custom policy to that one user. Then, if you need to make a change for "all" users, you have to go through each and every policy individually and make that same change, because they are essentially duplicates of each other.

Because of the way the Websense security is handled, I have to make the "default" group the same as the Student filtering or block it entirely. Otherwise, any "unauthenticated" user will have zero filtering, which totally defeats the purpose of the filtering in the first place... That then leaves the ISA firewall policies out of the equation because any ISA rule that would normally allow traffic through unfiltered would then hit the Websense "default" filtering policy, making it infinitely more difficult to use this program effectively.

So... Now instead of one program, which ran on the ISA server, I now have to have three servers to do the same job with extremely less granular control. We are definitely regretting the decision to switch to Websense!

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 1:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hey, sorry, I know this is now a Websense list, but what are you trying to filter exactly? A group of websites for a group of users? What else? I mean, I have about 2000 users here and I'm doing all the job with 4 protocols, and that allows me to meet the requirements of Managers, VPs, regular users, developers, etc.

Of course I assume you have it installed integrated with ISA, is that right?

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 11:05 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I will agree with you on how well it works, but as for usability I will rank it extremely low (okay, maybe even lower than that). I was seriously tempted to install the old SurfControl last week because I was getting so ticked at Websense. It (SurfControl) may have been a buggy product, but it was infinitely more configurable than Websense will ever be.

We have it up and working now after many hours of having an engineer doing most of the work (I get the impression they definitely do not like ISA servers). But, after the first couple days of having it running "properly" I already have a big list of websites that need to be "allowed" through the filtering again. After yet another session with the engineer yesterday afternoon it appears that I now have to define a custom protocol for each and every one of those websites to allow them through. Well, it's either that or open the HTTPS protocol up to everyone with no restrictions (their unofficial recommendation).

I'm going to do some experimenting with it a bit today to see if I can do a different workaround instead of their recommended methods. Now that I know how it works relatively intimately, it's time to hack it apart! *grin*

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 7:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

It is hard to have it working correctly, but when you have it, it is a good product, believe me; I have been using it for several years.

The easiest way to see if Websense is your problem, since your uploader cannot show the message blocking messages, is to do a network capture as Jim said, and you will see the connection to the Websense service on the right port right away. Another way is to use the logmonitor on the Websense server while testing the uploading (which I believe is a waste of money ;-), sorry I had to add the comment).

That happened to me several times, when you are using a non-HTTP browser, so your app failed without any apparent reason, and we always forgot the monitoring options on Websense.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 7:36 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Thanks, that clears it up a bit, now I know what to look for. Yes, we are using authentication on outbound traffic and I have a strong suspicion that Websense has something to do with this issue. We are becoming less enamored with it daily, and I have spent countless hours with their tech support in the last few weeks.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 02, 2009 1:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

No; there is no rule allowing the request as specified. Don't worry about rules that disallow specific commands or headers; you would see those rules quoted.

The protocol quoted is in lowercase, which indicates a CERN proxy request. Are you forcing authentication on the outbound traffic? The request is not coming from the browser, but the "image uploader", which may have authentication issues (can't tell from a single log entry). A Netmon capture could tell you...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 11:52 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I can see that... There is no rule allowing http from localhost to localhost so it fails (somehow I don't think such a rule would resolve the issue though). Subsequent Googling on those topics didn't shed any light on it either. Is this a Facebook App error or something on my end?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 1:16 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The destination IP will be the ISA internal IP, because this is a CERN proxy request. Regardless, this request was denied because there is no firewall policy that would allow it (thus quoting the default rule).

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Tuesday, December 01, 2009 7:22 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hmmmmmm.....

I don't see anything changed on the Internal Network configuration (same as it has been for months), and that destination IP is the ISA server itself.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The request was denied by the default rule, indicating that you have no policy that allows this request. Interestingly enough, the request was identified as being destined for the "internal" network. This tells me that unless you deployed ISA in a single-net configuration, you or someone you shouldn't trust has been playing with the internal network definition.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 6:50 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Oh, I agree, that is only the tip of that looming iceberg... But, like I said, my obvious answer to "do it from home" wasn't acceptable, so I have to figure out how to get it working again... *sigh*

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 01, 2009 9:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The fact that ISA or something else is not allowing the upload doesn't worry me too much; what is incredible here is: do the taxpayers in your school district know that the school district is using money for somebody to be able to upload pictures to Facebook? Amazing.

Regards
Diego R. Pietruszka
MIS - Shift Manager

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 9:27 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Uploads to Facebook don't work anymore...

In the last couple of weeks, something changed (no idea what), and now people inside our network can no longer upload pictures to Facebook. The upload application seems to be working, then crashes at the end. (Of course, the obvious solution of doing it from home is unacceptable... *grumble*)

I looked on the ISA server (ISA 2006), and this is the error message where it dies:

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL

0.0.0.0 Image Uploader Yes Proxy SERVERNAME http://www.facebook.com/editalbum.php?&aid=349361&add=1&created=1# 10.20.1.10 TCP - - - Req ID: 0e8e449f - - - 12/1/2009 2:12:02 PM 0 1 4310 639014 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 0x4 0xa80 Web Proxy Filter 12/1/2009 9:12:02 AM 10.20.1.1 8080 http Denied Connection Default rule 10.20.6.117 DOMAIN\username Internal Internal POST http://upload.facebook.com/photos_upload.php?created_album=1&aid=349361&id=504175590

The traffic is hitting the default rule for some reason (which is why it is dying), but the protocol is http, which "should" be able to make it through.

--------------------------------------------------
Dan Ball
Network and Systems Technician
Marquette Area Public Schools
1103 West College Avenue
Marquette, MI 49855
E-Mail: dball@xxxxxxxxxxx
Phone: (906)225-5779
Fax: (906)225-5377
--------------------------------------------------
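
The checks Jim Harrison walks through in the replies above (default rule, lowercase protocol meaning a CERN proxy request, a request that comes from the uploader rather than the browser) can be run over exported log rows. This is an added example, not part of the thread: the tab-separated layout, the sample rows, the rule name "Staff web access" and the Mozilla-agent heuristic are assumptions; only the column names and the denied row's values come from the log entry above.

```python
import csv
import io

# Constructed sample: header uses the log viewer's column names; the first row
# mirrors the denied upload, the second is an ordinary allowed browser request.
SAMPLE_LOG = (
    "Client IP\tClient Agent\tProtocol\tAction\tRule\t"
    "Source Network\tDestination Network\tHTTP Method\tURL\n"
    "10.20.6.117\tImage Uploader\thttp\tDenied Connection\tDefault rule\t"
    "Internal\tInternal\tPOST\thttp://upload.facebook.com/photos_upload.php\n"
    "10.20.6.118\tMozilla/4.0 (compatible; MSIE 8.0)\thttp\tAllowed Connection\t"
    "Staff web access\tInternal\tExternal\tGET\thttp://www.example.com/\n"
)


def triage(row):
    """Return the findings from the thread's reasoning that apply to one row."""
    findings = []
    if not row["Action"].startswith("Denied"):
        return findings
    if row["Rule"].strip().lower() == "default rule":
        findings.append("no allow rule matched (default rule)")
    if row["Protocol"].islower():
        findings.append("lowercase protocol: CERN proxy request")
    if row["Source Network"] == row["Destination Network"]:
        findings.append("same source/destination network: request went to the ISA listener")
    # Assumption (not from the thread): browsers send a Mozilla-style agent.
    if not row["Client Agent"].startswith("Mozilla"):
        findings.append("non-browser agent: check its proxy authentication")
    return findings


def triage_log(text):
    """Map (client IP, URL) of each denied row to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        findings = triage(row)
        if findings:
            report[(row["Client IP"], row["URL"])] = findings
    return report


if __name__ == "__main__":
    for key, findings in triage_log(SAMPLE_LOG).items():
        print(key, findings)
```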