RE: destination sets question
- From: Morvan <mmuller@xxxxxxxxxxxxxxxx>
- To: isalist@xxxxxxxxxxxxx
- Date: Fri, 21 Nov 2003 12:10:32 -0300
Hi Thom!
I understand but I can't do it.
My police is allow all and deny somethings. What isn't explicit denied is
allowed, ok!
In Site and Content Rules I have one open_access ALLOW rule and a set of
DENY rules based
on destinations sets and/or content, to implement this policy.
If I create a rule like you say:
destinations = all destinations except (http://br.groups.yahoo.com,
PATH=/group/superwaba/), action=deny
I will deny everthing else (http://br.groups.yahoo.com,
PATH=/group/superwaba/).
I can't do it, cause my users need access all sites on the web, that I
don't deny.
With such rule I will implement a restrictive policy "deny all and allow
especific destinations".
I can't determine all sites where my users need to go, my organization have
interest that they can
search solutions in the internet, so I can't use such restrictive police.
I need something in ISA in site and content rules:
destinations = selected destinations set (xxxx-sets) except (xxxx-sets),
but it isn't available. Site and content rules have only the option
destinations = all destinations except (xxxx-sets).
I can't belive that I can't resolve this problem with ISA, Im thinking a
lot about this question and can't see one way to do this with ISA.
Some form will be create a destination set and list the maximum number of
PATHs and subdomains to deny
into yahoo.com, and create a deny rule based on this destinations, i.e, all
domains and paths that differ from http://br.groups.yahoo.com,
PATH=/group/superwaba/. Such form is no efective and very bad, for don't
say impossible (How I will know all paths and subdomains into yahoo.com?).
Thanks,
Morvan.
At 19:58 11/11/2003 -0600, you wrote:
http://www.ISAserver.org
>Hi Morvan,
>OK, I see what you're trying to do. You should be able to create the
>exception in the Deny Rule, and then create an allow rule with the
>exception destination set. However, You can not use a wildcard in both
>the FQDN and the path.
>HTH,
>Tom
>www.isaserver.org/shinder
-----Original Message-----
From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
Sent: Monday, November 10, 2003 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: destination sets question
Hi Tom!
>>At 19:44 06/11/2003 -0600, you wrote:
>>http://www.ISAserver.org
>>If you want to block the entire yahoo site, try *.yahoo.com and
>>yahoo.com
>OK, I do it like follow:
>Destinations sets:
>-----------------
>1. deny-sites = (*.yahoo.com, yahoo.com)
>2. allowed_URLs_into_deny-sites
>= ( http://br.groups.yahoo.com,
>PATH=/group/superwaba/* )
>Content Rules:
>-------------
>1. Name= DenyWholeYahoo, destinations=[(selected destination
>sets)=deny-sites], action=deny, applies_to=any-request
>This Content Rule deny the whole yahoo site, and the unique field where
>I can put exceptions is in the (applies_to) field, but it is only
>related to (client_sets) don't to (destination sets).
>If I create and allow rule pointed to
>destination_set=(allowed_URLs_into_deny-sites) (see 2 above) the deny
>rule (DenyWholeYahoo) have more priority, and match first!
>>If you need to create an exception, instruct the Site and Content Rule
>>that you need to create an exception. Make sure to create the
>>Desitnation Set that represents the exception before you create the
>So I didn't understand where I instruct the Site and Content Rule (ex.
>DenyWholeYahoo - see 1 bove) to create an exception pointing to an
>destination set like (allowed_URLs_into_deny-sites) (see 2 above).
>My intention is deny the whole yahoo for (any_request) but allow the URL
>(http://br.groups.yahoo.com, PATH=/group/superwaba/*) into the yahoo
>site for (any_request too). The client (client sets) who try to access
>is indeferent for me.
>Thanks in advance,
>Morvan.
>===============================================
>-----Original Message-----
>From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
>Sent: Thursday, November 06, 2003 8:57 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] destination sets question
>http://www.ISAserver.org
>I have configured destinations sets for ex:
>deny-sites = (*.yahoo.com, yahoo.com)
>and have a content rule:
>action=deny destination="deny-sites" aplly-to="everyone"
>With this I deny the whole yahoo site.
>But my intention is deny the whole yahoo site, except some destination
>like:
>br.groups.yahoo.com/* (and other 2 yahoo subdomains)
>How can I do it with ISA?
>Thanks,
Other related posts:
