Hi Morvan,

No one ever said effective security was easy or fast :)

The principle of least privilege says that you give users access to what they need. So, you need to define in advance what those resources are, and then continue to track usage requirements. Blocking sites on a too granular basis incurs too much overhead. You're better off creating a network access policy and then reviewing usage reports and whacking employees who violate the network use policy.

HTH,
Tom

-----Original Message-----
From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
Sent: Friday, November 21, 2003 9:11 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: destination sets question

http://www.ISAserver.org

Hi Tom!

I understand, but I can't do it. My policy is allow all and deny some things. What isn't explicitly denied is allowed, ok! In Site and Content Rules I have one open_access ALLOW rule and a set of DENY rules based on destination sets and/or content, to implement this policy.

If I create a rule like you say:

destinations = all destinations except (http://br.groups.yahoo.com, PATH=/group/superwaba/), action=deny

I will deny everything other than (http://br.groups.yahoo.com, PATH=/group/superwaba/). I can't do it, because my users need access to all sites on the web that I don't deny. With such a rule I will implement a restrictive policy "deny all and allow specific destinations". I can't determine all sites where my users need to go; my organization has an interest that they can search for solutions on the internet, so I can't use such a restrictive policy.

I need something in ISA in site and content rules:

destinations = selected destination set (xxxx-sets) except (xxxx-sets)

but it isn't available. Site and content rules have only the option destinations = all destinations except (xxxx-sets). I can't believe that I can't resolve this problem with ISA; I'm thinking a lot about this question and can't see one way to do this with ISA.

Some form would be to create a destination set and list the maximum number of PATHs and subdomains to deny into yahoo.com, and create a deny rule based on these destinations, i.e. all domains and paths that differ from http://br.groups.yahoo.com, PATH=/group/superwaba/. Such a form is not effective and very bad, not to say impossible (how will I know all paths and subdomains into yahoo.com?).

Thanks,
Morvan.

At 19:58 11/11/2003 -0600, you wrote:
>http://www.ISAserver.org
>
>Hi Morvan,
>
>OK, I see what you're trying to do. You should be able to create the
>exception in the Deny Rule, and then create an allow rule with the
>exception destination set. However, you can not use a wildcard in both
>the FQDN and the path.
>
>HTH,
>Tom
>www.isaserver.org/shinder
>
>-----Original Message-----
>From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
>Sent: Monday, November 10, 2003 8:49 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: destination sets question
>
>Hi Tom!
>
>>At 19:44 06/11/2003 -0600, you wrote:
>>http://www.ISAserver.org
>>If you want to block the entire yahoo site, try *.yahoo.com and
>>yahoo.com
>
>OK, I do it as follows:
>
>Destination sets:
>-----------------
>1. deny-sites = (*.yahoo.com, yahoo.com)
>2. allowed_URLs_into_deny-sites = (http://br.groups.yahoo.com, PATH=/group/superwaba/*)
>
>Content Rules:
>-------------
>1. Name=DenyWholeYahoo, destinations=[(selected destination sets)=deny-sites], action=deny, applies_to=any-request
>
>This Content Rule denies the whole yahoo site, and the only field where
>I can put exceptions is the (applies_to) field, but it is only
>related to (client_sets), not to (destination sets).
>
>If I create an allow rule pointed to
>destination_set=(allowed_URLs_into_deny-sites) (see 2 above), the deny
>rule (DenyWholeYahoo) has more priority, and matches first!
>
>>If you need to create an exception, instruct the Site and Content Rule
>>that you need to create an exception. Make sure to create the
>>Destination Set that represents the exception before you create the
>
>So I didn't understand where I instruct the Site and Content Rule (ex.
>DenyWholeYahoo - see 1 above) to create an exception pointing to a
>destination set like (allowed_URLs_into_deny-sites) (see 2 above).
>
>My intention is to deny the whole yahoo for (any_request) but allow the
>URL (http://br.groups.yahoo.com, PATH=/group/superwaba/*) into the
>yahoo site for (any_request too). The client (client sets) who tries to
>access is indifferent to me.
>
>Thanks in advance,
>Morvan.
>
>===============================================
>-----Original Message-----
>From: Morvan [mailto:mmuller@xxxxxxxxxxxxxxxx]
>Sent: Thursday, November 06, 2003 8:57 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] destination sets question
>
>http://www.ISAserver.org
>
>I have configured destination sets, for ex:
>
>deny-sites = (*.yahoo.com, yahoo.com)
>
>and have a content rule:
>
>action=deny destination="deny-sites" aplly-to="everyone"
>
>With this I deny the whole yahoo site.
>But my intention is to deny the whole yahoo site, except some destinations
>like:
>
>br.groups.yahoo.com/* (and other 2 yahoo subdomains)
>
>How can I do it with ISA?
>Thanks,
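The rule behaviour the thread turns on (deny rules matching before allow rules, destination sets built from a host pattern plus an optional path, the "all destinations except <set>" option, and Tom's "no wildcard in both FQDN and path" caveat) is modelled below as a small Python simulator. This is an added example written for this page, not ISA Server code and not anything posted on the list; the matching details (fnmatch-style "*" in the host, a trailing "/*" path prefix, default deny when no allow rule covers a request) are simplifying assumptions, and the sample URLs are constructed. It reproduces both outcomes Morvan describes: with his Nov 10 setup the DenyWholeYahoo rule wins over the allow rule for the superwaba path, and with a deny rule on "all destinations except" the exception the rest of the web is denied.

```python
"""Toy model of the ISA Server Site and Content Rule behaviour discussed
in the thread. Added example, not ISA Server code: destination sets are
(host pattern, optional path pattern) entries, deny rules are checked
before allow rules, and a rule may be "all destinations except <set>".
The matching details (fnmatch-style "*" in the host, "/*" path prefix,
default deny when no allow rule matches) are simplifying assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Destination:
    """One entry of a destination set, e.g. ("*.yahoo.com", "/*") or
    ("br.groups.yahoo.com", "/group/superwaba/*")."""
    host: str
    path: str = "/*"   # "/*" = any path (the default when no PATH is given)

    def __post_init__(self):
        # Tom's caveat: a wildcard is not allowed in both the FQDN and the path.
        if "*" in self.host and self.path != "/*" and "*" in self.path:
            raise ValueError(f"wildcard in both FQDN and path: {self.host} {self.path}")

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname or ""
        path = parts.path or "/"
        if not fnmatchcase(host, self.host):
            return False
        return self.path == "/*" or fnmatchcase(path, self.path)


def destination_is_valid(host: str, path: str = "/*") -> bool:
    """True if the entry passes the 'no double wildcard' check."""
    try:
        Destination(host, path)
    except ValueError:
        return False
    return True


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    destinations: frozenset = frozenset()  # the selected destination set
    all_except: bool = False               # "all destinations except <set>"

    def applies(self, url: str) -> bool:
        in_set = any(d.matches(url) for d in self.destinations)
        return (not in_set) if self.all_except else in_set


def evaluate(rules, url):
    """Deny rules win over allow rules (the behaviour Morvan observed);
    a request no allow rule covers is denied (assumed default)."""
    for rule in rules:
        if rule.action == "deny" and rule.applies(url):
            return "deny", rule.name
    for rule in rules:
        if rule.action == "allow" and rule.applies(url):
            return "allow", rule.name
    return "deny", "<no allow rule>"


# Morvan's destination sets from the thread.
DENY_SITES = frozenset({Destination("*.yahoo.com"), Destination("yahoo.com")})
ALLOWED_URLS_INTO_DENY_SITES = frozenset(
    {Destination("br.groups.yahoo.com", "/group/superwaba/*")})
# "All destinations" expressed as "all destinations except nothing".
OPEN_ACCESS = Rule("open_access", "allow", frozenset(), all_except=True)


def morvan_policy():
    """Nov 10 attempt: an allow rule for the exception next to DenyWholeYahoo."""
    return [OPEN_ACCESS,
            Rule("AllowSuperwaba", "allow", ALLOWED_URLS_INTO_DENY_SITES),
            Rule("DenyWholeYahoo", "deny", DENY_SITES)]


def all_except_policy():
    """The 'all destinations except <exception>' deny rule Morvan rejects."""
    return [OPEN_ACCESS,
            Rule("DenyAllButSuperwaba", "deny", ALLOWED_URLS_INTO_DENY_SITES,
                 all_except=True)]


# Constructed sample requests.
SAMPLE_URLS = [
    "http://br.groups.yahoo.com/group/superwaba/messages",
    "http://mail.yahoo.com/",
    "http://yahoo.com/",
    "http://www.example.org/docs",
]


def compare():
    """Outcome (morvan_policy, all_except_policy) for each sample URL."""
    return {url: (evaluate(morvan_policy(), url)[0],
                  evaluate(all_except_policy(), url)[0])
            for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (a, b) in compare().items():
        print(f"{url:55} morvan={a:5} all_except={b}")
```

Running the block prints one line per sample URL. The `yahoo.com` sample also shows why Tom's Nov 6 tip lists both `*.yahoo.com` and `yahoo.com`: the leading wildcard alone does not match the bare domain.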