[isalist] Re: Uploads to Facebook don't work anymore...

  • From: D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR <DPietruszka@xxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Dec 2009 12:00:17 -0500

I use the signature option on the HTTP configuration to do that. I'm kind of 
busy now, but let me see if I can find some document about it.
If not, just do a search on the web about using signatures to block Firefox on 
ISA, and that will lead you to block other browsers as well.

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 11:53 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

So how are you going about blocking non-IE browsers?  I know there was a 
discussion on that a few years ago, and I had done that at that time, but 
apparently those are the settings that didn't get copied over when I rebuilt my 
ISA server this summer.  If I recall, it had something to do with blocking port 
80 and forcing everyone through the proxy, along with some tag identification.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, December 03, 2009 7:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Then why don't you block Firefox?
I had a similar case here with the developers. It looks like Visual Studio or 
some software they use to write code has a kind of embedded browser; I'm not 
sure how that works, but the point is that, using that thing in some way, they 
were able to avoid Websense. So I block that "browser" from being able to 
browse the internet. I'm actually allowing just IE as a browser.

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 7:34 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The categorization of proxy sites is actually pretty good in Websense.  With 
SurfControl the kids would sit down at a computer when they got into class and 
the first thing they'd do is a Google search for proxy sites and go through the 
list and usually within a minute they'd find one that wasn't blocked.  With 
Websense, I don't think they've been able to find one at all using that 
technique and pretty much given up on that.  Now that they cannot use that 
method anymore, they're starting to bring in software on their flash drives to 
try and get around the filtering (hence the HTTPS block).   They found a 
loophole with Firefox last month (the default policies in Websense), so within 
a week I found copies of Firefox installed on every computer they could find.



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, December 03, 2009 7:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I mean a "proxy avoidance" site, not a proxy server.

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, December 02, 2009 9:28 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

How does Websense determine if the connection is to a proxy?

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 5:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hmm, I would suggest you re-enable HTTPS for the students, then filter the 
proxy avoidance category using the Websense configuration options, and then do 
an analysis of the traffic to see if they are really reaching any proxy site 
after all that is in place.
That way you will keep using the authentication, the filtering by categories 
and the statistics of internet use.

If you have the budget to move to the software you really like, go for that 
option, but if this is what you have to use no matter what, then I would try to 
have both (Websense and ISA) working together in the best possible way.

Bye
Diego

Sent from my Iphone

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Wednesday, December 02, 2009 7:45 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Well, after thinking about this for a day or so, I've come to the conclusion 
that creating custom protocols in Websense is simply not practical.  We have 
waaaaaaay too many websites that would need entering.  So, I think the best 
route would be to utilize the ISA server policies for websites that we can 
"trust", and access these directly, without authentication.

There are two ways I can think of off the top of my head on how to do this:

1. Create an ISA Firewall Policy Rule with a list of addresses that are 
allowed access without authentication.  Benefits: Simple list to maintain, no 
configuration needed in Websense.  Drawbacks: All "unauthenticated" web 
requests still go through Websense, but hit the default policy.  The default 
policy would then have to be changed to allow everything.  If I can find a way 
to verify all legitimate requests are hitting the other policies in Websense, 
then this is a feasible solution.  Problem: Verifying that all users are 
authenticated in Websense.

2. Utilize the bypass firewall option in the ISA Network configuration.  
Benefits: Websense completely out of the picture, as the add-in web filter 
"should not" kick in for those requests, and the Websense Default Policy can be 
more restrictive.  Drawbacks: List is a bit more difficult to maintain.  
Problem: This scenario is untested, unsure of outcome and/or how well it would 
scale.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 3:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

OK, let's see how I have it configured. I know you have to be much more 
careful with students than with any company user, but anyway.
Our users are limited to a list of allowed sites, so not much comparison there; 
these poor guys have zero fun on the web.


1- Our developers: that is another story, and for them I'm using a protocol 
where proxy websites are being filtered. Anyway, and because of course 
Websense is far from being perfect, we do monitor the internet activity, and so 
far I have caught 1 proxy avoidance website not being detected by Websense.

2- Well, I completely agree that it is not the most flexible software out 
there for individual permissions, but if there is no other option I would 
adjust the way you are filtering your users. I would, for example, create 
just a bunch of categories (for example: students, teachers, administration, 
IT) and make the users members of any of those groups, and then give permission 
to users by making them members of the different internet access groups. How 
many groups can you have? 20, then you will need 20 policies.
That probably means you will have to change the way you are working, but I 
guess it is going to be easier in the long run. Now, if you are in an 
organization where user 1 needs this access, user 2 another and so on, then 
you have a problem, and then yes, I would look at another product.

I know the unauthenticated users problem; that is why I'm not allowing 
internet access without authentication, unless you come from the wireless 
network, in which case they have their own policy and ISA rule.
Regarding the number of servers, I have 1, which is my ISA CSS, on which the 
Websense policy server is running (I needed that server anyway), and then 
I installed the filtering service on each ISA server acting as a proxy (I 
needed them as well for ISA). So I'm not having a problem of additional 
servers needed for Websense; yes, of course, more traffic, services running on 
the box and stuff like that.

I don't want to sound like a Websense vendor, don't misunderstand me. I was 
told you will have to use Websense and I'm learning to deal with it; maybe 
there is better software out there, but I can tell you how I survived, and 
things are working pretty well.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 2:55 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Well, it pertains to the ISA server, so it is still relevant... *grin*   I have 
two basic groups of users, one for students and one for staff.   The students 
group is locked down pretty tight, while the staff one allows normal web 
browsing but blocks the clearly naughty or dangerous places.

I'm running into two main issues:

1. Students are not allowed HTTPS, as there are tons of proxy programs 
out there that look for this and utilize it to bypass all filtering.  To bypass 
this for one particular site requires the creation of a custom protocol on port 
443 for a specific IP address.  Hence, to block numerous websites requires 
numerous custom protocols.

2. The policies in Websense follow the old *nix style security, where you 
can create a policy for one group but if there is one user that requires one 
tiny modification you have to duplicate the entire security policy, remove the 
user from that group, and apply the custom policy to that one user.  Then, if 
you need to make a change for "all" users, you have to go through each and 
every policy individually and make that same change, because they are 
essentially duplicates of each other.

Because of the way the Websense security is handled, I have to make the 
"default" group the same as the Student filtering or block it entirely.  
Otherwise, any "unauthenticated" user will have zero filtering, which totally 
defeats the purpose of the filtering in the first place...  That then leaves 
the ISA firewall policies out of the equation because any ISA rule that would 
normally allow traffic through unfiltered would then hit the Websense "default" 
filtering policy, making it infinitely more difficult to use this program 
effectively.

So... Now instead of one program, which ran on the ISA server, I now have to 
have three servers to do the same job with extremely less granular control.  We 
are definitely regretting the decision to switch to Websense!


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 1:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hey, sorry, I know this is now a Websense list, but what are you trying to 
filter exactly? A group of websites for a group of users? What else?
I mean, I have about 2000 users here and I'm doing all the job with 4 
protocols, and that allows me to meet the requirements of Managers, VPs, 
regular users, developers, etc.

Of course I assume you have it installed integrated with ISA, is that right?

Regards
Diego R. Pietruszka
MIS - Shift Manager
MSC (USA) - Interlink Transport Technologies
Direct Phone: (908)605-4147

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 11:05 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I will agree with you on how well it works, but as for usability I will rank it 
extremely low (okay, maybe even lower than that).  I was seriously tempted to 
install the old SurfControl last week because I was getting so ticked at 
Websense.  It (SurfControl) may have been a buggy product, but it was 
infinitely more configurable than Websense will ever be.

We have it up and working now after many hours of having an engineer doing most 
of the work (I get the impression they definitely do not like ISA servers).   
But, after the first couple days of having it running "properly" I already have 
a big list of websites that need to be "allowed" through the filtering again.  
After yet another session with the engineer yesterday afternoon it appears that 
I now have to define a custom protocol for each and every one of those websites 
to allow them through.  Well, it's either that or open the HTTPS protocol up to 
everyone with no restrictions (their unofficial recommendation).

I'm going to do some experimenting with it a bit today to see if I can do a 
different workaround instead of their recommended methods.  Now that I know how 
it works relatively intimately, it's time to hack it apart! *grin*


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 7:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

It is hard to get it working correctly, but when you have it, it is a good 
product; believe me, I have been using it for several years.
The easiest way to see if Websense is your problem, since your uploader cannot 
show the blocking messages, is to do a network capture as Jim said, and 
you will see the connection to the Websense service on the right port right 
away. Another way is to use the logmonitor on the Websense server while testing 
the uploading (which I believe is a waste of money ;-) , sorry I had to add the 
comment).

That has happened to me several times when you are using a non-HTTP browser: 
your app fails without any apparent reason, and we always forget the monitoring 
options on Websense.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 7:36 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Thanks, that clears it up a bit, now I know what to look for.  Yes, we are 
using authentication on outbound traffic and I have a strong suspicion that 
Websense has something to do with this issue.  We are becoming less enamored 
with it daily, and I have spent countless hours with their tech support in the 
last few weeks.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 02, 2009 1:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

No; there is no rule allowing the request as specified.
Don't worry about rules that disallow specific commands or headers; you would 
see those rules quoted.
The protocol quoted is in lowercase, which indicates a CERN proxy request.
Are you forcing authentication on the outbound traffic?
The request is not coming from the browser, but the "image uploader", which may 
have authentication issues (can't tell from a single log entry).
A Netmon capture could tell you...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 11:52 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I can see that... There is no rule allowing http from localhost to localhost so 
it fails (somehow I don't think such a rule would resolve the issue though).   
Subsequent Googling on those topics didn't shed any light on it either.  Is 
this a Facebook App error or something on my end?


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 1:16 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The destination IP will be the ISA internal IP, because this is a CERN proxy 
request.
Regardless, this request was denied because there is no firewall policy that 
would allow it (thus quoting the default rule).

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Tuesday, December 01, 2009 7:22 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hmmmmmm..... I don't see anything changed on the Internal Network configuration 
(same as it has been for months), and that destination IP is the ISA server 
itself.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The request was denied by the default rule; indicating that you have no policy 
that allows this request.
Interestingly enough, the request was identified as being destined for the 
"internal" network.
This tells me that unless you deployed ISA in a single-net configuration you or 
someone you shouldn't trust has been playing with the internal network 
definition.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 6:50 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Oh, I agree, that is only the tip of that looming iceberg... But, like I said, 
my obvious answer to "do it from home" wasn't acceptable, so I have to figure 
out how to get it working again... *sigh*


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 01, 2009 9:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The fact that ISA or something else is not allowing the upload doesn't worry me 
too much; what is incredible here is:

Do the taxpayers in your school district know that the school district is using 
money for somebody to be able to upload pictures to Facebook? Amazing.

Regards
Diego R. Pietruszka
MIS - Shift Manager

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 9:27 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Uploads to Facebook don't work anymore...

In the last couple of weeks, something changed (no idea what), and now people 
inside our network can no longer upload pictures to Facebook.  The upload 
application seems to be working, then crashes at the end.   (Of course, the 
obvious solution of doing it from home is unacceptable... *grumble*)

I looked on the ISA server (ISA 2006), and this is the error message where it 
dies:

Original Client IP               Client Agent       Authenticated Client      
Service Server Name     Referring Server               Destination Host Name    
     Transport            MIME Type         Object Source   Source Proxy     
Destination Proxy            Bidirectional                Client Host Name      
       Filter Information            Network Interface          Raw IP Header  
Raw Payload      GMT Log Time      Source Port        Processing Time           
    Bytes Sent          Bytes Received Result Code        HTTP Status Code      
          Cache Information          Error Information             Log Record 
Type               Authentication Server   Log Time                Destination 
IP    Destination Port               Protocol               Action   Rule       
Client IP               Client Username                Source Network           
    Destination Network      HTTP Method    URL
0.0.0.0   Image Uploader               Yes         Proxy    SERVERNAME    
http://www.facebook.com/editalbum.php?&aid=349361&add=1&created=1#           
10.20.1.10            TCP                                        -              
-                              -              Req ID: 0e8e449f             -    
          -              -              12/1/2009 2:12:02 PM    0              
1              4310       639014                  12202 The ISA Server denied 
the specified Uniform Resource Locator (URL).    0x4         0xa80    Web Proxy 
Filter                              12/1/2009 9:12:02 AM         10.20.1.1      
        8080       http       Denied Connection         Default rule        
10.20.6.117         DOMAIN\username                Internal                
Internal                POST     
http://upload.facebook.com/photos_upload.php?created_album=1&aid=349361&id=504175590

The traffic is hitting the default rule for some reason (which is why it is 
dying), but the protocol is http, which "should" be able to make it through.

--------------------------------------------------
Dan Ball
Network and Systems Technician
Marquette Area Public Schools
1103 West College Avenue
Marquette, MI 49855
E-Mail: dball@xxxxxxxxxxx
Phone: (906)225-5779
Fax: (906)225-5377
--------------------------------------------------
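
The reading of the denied log entry given in the replies above (default rule, lowercase protocol meaning a CERN proxy request, a non-browser client agent, source and destination both Internal), as an added example that is not part of any post in the thread. It assumes the log is exported as tab-separated text with the column names shown in the original post; the function names, the `Mozilla/` browser heuristic and the second sample row are assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample: a tab-separated export holding a subset of the Web Proxy
# log columns named in the post. Row 1 reuses values from the denied upload
# quoted above; row 2 is an invented allowed browser request for contrast.
COLUMNS = ["Client Agent", "Destination IP", "Destination Port", "Protocol",
           "Action", "Rule", "Client IP", "Source Network",
           "Destination Network", "HTTP Method", "URL"]
ROWS = [
    ["Image Uploader", "10.20.1.1", "8080", "http", "Denied Connection",
     "Default rule", "10.20.6.117", "Internal", "Internal", "POST",
     "http://upload.facebook.com/photos_upload.php?created_album=1"],
    ["Mozilla/4.0 (compatible; MSIE 7.0)", "192.0.2.10", "80", "http",
     "Allowed Connection", "Example web access rule", "10.20.6.118",
     "Internal", "External", "GET", "http://www.example.com/"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in [COLUMNS] + ROWS)


def triage(record):
    """Return the observations the thread makes about one denied record."""
    findings = []
    if not record["Action"].startswith("Denied"):
        return findings
    # "Denied by the default rule" = no firewall policy allowed the request.
    if record["Rule"] == "Default rule":
        findings.append("no-matching-policy")
    # Per the thread: a protocol logged in lowercase is a CERN proxy request,
    # so the logged destination IP is the ISA listener, not the web site.
    protocol = record["Protocol"]
    if protocol and protocol == protocol.lower():
        findings.append("cern-proxy-request")
    # Assumption: browsers send a Client Agent starting with "Mozilla/".
    # Anything else (here the uploader) may handle proxy auth differently.
    if not record["Client Agent"].startswith("Mozilla/"):
        findings.append("non-browser-agent")
    # Expected for a CERN proxy request; otherwise the thread suggests
    # reviewing the Internal network definition.
    if record["Source Network"] == record["Destination Network"]:
        findings.append("destination-in-source-network")
    return findings


def denied_summary(log_text):
    """Summarise every denied record with the real target host from the URL."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    summary = []
    for record in reader:
        findings = triage(record)
        if findings:
            summary.append({
                "client": record["Client IP"],
                "agent": record["Client Agent"],
                "target_host": urlsplit(record["URL"]).hostname,
                "findings": findings,
            })
    return summary


if __name__ == "__main__":
    for entry in denied_summary(SAMPLE_LOG):
        print(entry)
```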
