Bjorn_Watland asked:

How To Allow only certain Domains and URLs using ISA server 2004 and block everything else.

I am new to ISA server, so bear with me.

Our configuration:

Windows 2003 with ISA server 2003 set up as just a Web Proxy connected to our network.

Our Purpose:

This may not be the best solution, but it's what I thought up on short notice.  We need to be able to restrict our users so they can only access certain websites and domains.  Supervisors and the like will not be configured to access the internet through the proxy, but other users will.  I do realize that it will not be beyond certain people's ability to circumvent this policy, but should control most people.

What I've done so far:

The web proxy works great, except I am having trouble allowing only certain sites.  Blocking sites works great.  However, allowing sites is not working right.  My Policy is set up as follows:
Order - Name - Action - Protocols -  From - To - Condition

1.  Allow Domains - Allow - HTTP/HTTPS - Internal - Domain List - All users
2.  Allow Urls - Allow - HTTP/HTTPS - Internal - Url List - All Users
3.  Last Default Rule - Deny - All Traffic - All Networks - All Networks - All Users

I have tried some other variations, like putting in a deny rule to deny access to http://*, which just blocks standard web traffic.  I can get web access if I put in a rule that states that HTTP/HTTPS from Internal to External for All Users is allowed.  However, this rule gives me access to any web page.  I have tried placing that rule in between rule 2 and the default rule as well as placing it first, with the same results.

Any suggestions regarding a possible solution with the current setup would be appreciated, as would any comments on a better method of achieving the same end result.  We are a Microsoft-only business currently with about 200 users.  Most website access is to the internal web server, so most people don't need to access many external sites.
Keith Alabaster:

Two items.
1. You can use group policy to assign the proxy server address and port and remove the ability for the users to untick the proxy. This will force the users to use the settings. You can leave the admins out of the group so they can bypass ISA as needed.

2. In the same policy, add the local web sites to the IE exceptions so that they do not need to use ISA server.
In the ISA rules, select allow all but in the 'to' box, use the exceptions box beneath to block the web sites you want to allow.
Alternatively, block all web sites but put the allowed web sites into the exception list.

You can create URL sets and just put the URL set into the exception. This way you can add/delete URLs in the URL set without having to keep amending the rule.
Obviously you can have a different rule for different groups if you wish.

i.e. you can create different AD user groups that can use different URL sets as needed.
Bjorn_Watland (asker):

I do plan on configuring users using GPOs; however, I am only testing on one workstation currently, and I cannot get the firewall to only allow those sites I specify in the URL and Domain Lists.  I am using a list to block that states http://* and https://* are blocked, and I put in an exclusion of the domain list and URL list I had made, with no success.
Open the GUI.
Click on Monitoring - Logging.
Click Start Query.
test a web site from the client.
Which rule allows the traffic out through ISA?

Are you passing traffic to ISA on port 80 (transparent proxy) or 8080 (webproxy)?
I am using 8080.  Right now, the Default Rule is blocking traffic.
OK. if it is the default rule, then ISA does not think you have allowed the traffic to go out.

Where are you doing the test from, an internal client or the ISA server itself?
When I try to access a site from the allowed domains list, the server reports in the log that the attempt is Unidentified IP Traffic.
I am testing from a workstation that is on the same network as the ISA server.  That message before about the server blocking a website through the default policy was from a domain that was not specified in the allow lists.
OK. Stupidly enough, ISA does not create a protocol for its own web proxy traffic by default.
Create a new protocol called WEBPROXY for tcp port 8080 outgoing. Add this to the list of allowed protocols for your rules.
Thanks for that.  I think the problem I have now is that the default rule is blocking access attempts to domains I have listed in my Allow Lists.  I've checked a few domains to rule out any strange redirecting issues.  If I modify my allow rules to also allow internal traffic in addition to the specified URLs or Domains, I can get access to anything.  I also created a URL list of http://* for blocking.  When I have that rule in place, I can't get to anything, and it's the reason listed in the log for why a particular site is being blocked.  I have put that rule below and above my allow lists.  I have also put the allow lists in the exceptions for the blocking rule.  I'm guessing I shouldn't use http://* to block sites, but is there another way?
blocking http://* will block all. Yep that would do it lol.

Can you give me an example of what you want to block/allow?

For example
Block all HTTP, exception site1, site2, site3, users X only
Block all HTTPS, exception site4, site5, site6, users X & Y only

Is that about the sum of it?
Right now, I am only going to configure regular staff to go through the proxy, and everyone else will not.  I have a long list of about 4500 allowed domains and URLs that staff need to access to do their job.  An example would be https://www.accesskent.com/deeds/ or http://www.wvsos.com/.  This setup is kind of a reverse block list: I only want to allow a small number of pages, rather than block a large number.
I did set up a rule for blocking all http and https traffic and excluding those specific domain and url lists, however, traffic is still blocked, I believe since the protocol itself is being blocked by that same policy.
ASKER CERTIFIED SOLUTION
Keith Alabaster
I believe I've figured out my problem.  I was formatting my Domain List as http://www.accesskent.com when I should be putting in www.accesskent.com.  I'll keep you posted if that solves my problem.  Thanks again for your help.
Arrgghhh. Yep, that would do it.
That did it.  I have the group policy set, and everything is testing alright.  Thanks again for your help.
I was able to figure it out by following an example on the installation guide step by step, but watching the log is an invaluable tip.
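The fix above (bare hostnames in the Domain Name Set, full URLs only in the URL Set) is easy to get wrong across a list of 4500 entries, so here is an added example that is not code from the thread or from ISA Server: a Python script that takes a mixed list shaped like the asker's, splits each entry into the correct ISA rule element, flags entries a Domain Name Set can never match, and dry-runs the asker's three-rule policy (Allow Domains, Allow Urls, Last Default Rule) against sample requests. The entries, the `RULES` table, the `*.example.gov` subdomain wildcard form and the matching logic are simplified assumptions about how ISA evaluates these sets, written to show why a scheme-prefixed domain entry falls through to the default deny; check the real behaviour in Monitoring - Logging as Keith suggests.

```python
"""Split a mixed allow-list into ISA-style Domain Name Set / URL Set entries
and dry-run an ordered allow/allow/deny policy against sample requests.

Added example; not part of the thread or of ISA Server. The matching below is
a simplified model of ISA's rule elements (an assumption), not ISA's own code.
"""
from urllib.parse import urlsplit

# Constructed sample list, shaped like the asker's entries (not their real data).
RAW_ENTRIES = [
    "https://www.accesskent.com/deeds/",   # path restriction -> URL Set
    "http://www.wvsos.com/",               # whole site -> Domain Name Set
    "http://www.accesskent.com",           # the mistake from the thread
    "www.wvsos.com",                       # already a correct domain entry
    "*.example.gov",                       # assumed subdomain wildcard form
]

# The asker's policy: first matching rule wins, as in ISA's ordered firewall policy.
RULES = [
    ("Allow Domains", "allow", "domain"),
    ("Allow Urls", "allow", "url"),
    ("Last Default Rule", "deny", "all"),
]


def classify(entry):
    """Return ("domain", host) or ("url", pattern) for one allow-list entry.

    A Domain Name Set takes bare hosts (www.accesskent.com), never a scheme.
    A URL Set takes scheme + host + path and wildcards with a trailing '*'.
    """
    e = entry.strip().lower()
    if "://" not in e:
        if "/" in e:
            raise ValueError(f"domain entry must not contain a path: {entry!r}")
        return ("domain", e)
    parts = urlsplit(e)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported entry: {entry!r}")
    if parts.path in ("", "/") and not parts.query:
        # scheme + host only means the whole site is wanted, so drop the scheme
        return ("domain", parts.hostname)
    path = parts.path if parts.path.endswith("*") else parts.path.rstrip("/") + "/*"
    return ("url", f"{parts.scheme}://{parts.hostname}{path}")


def build_sets(entries):
    """Split entries into (domain_set, url_set) in the form ISA expects."""
    domains, urls = set(), []
    for entry in entries:
        kind, value = classify(entry)
        if kind == "domain":
            domains.add(value)
        else:
            urls.append(value)
    return domains, urls


def lint_domain_set(domain_set):
    """Entries a Domain Name Set can never match: anything with a scheme or path."""
    return sorted(d for d in domain_set if "://" in d or "/" in d)


def domain_matches(host, domain_set):
    """Exact host match, plus '*.example.gov' covering example.gov and its subdomains."""
    for d in domain_set:
        if d.startswith("*."):
            if host == d[2:] or host.endswith(d[1:]):
                return True
        elif host == d:
            return True
    return False


def url_matches(url, url_set):
    """Prefix match for patterns ending in '*', exact match otherwise."""
    for pat in url_set:
        if pat.endswith("*"):
            if url.startswith(pat[:-1]):
                return True
        elif url == pat:
            return True
    return False


def evaluate(request_url, domain_set, url_set):
    """Walk the policy top to bottom; return (rule name, action) of the first match."""
    url = request_url.lower()
    host = urlsplit(url).hostname or ""
    for name, action, kind in RULES:
        if kind == "domain" and domain_matches(host, domain_set):
            return name, action
        if kind == "url" and url_matches(url, url_set):
            return name, action
        if kind == "all":
            return name, action
    raise AssertionError("policy has no default rule")


if __name__ == "__main__":
    domains, urls = build_sets(RAW_ENTRIES)
    print("domain set:", sorted(domains))
    print("url set:   ", urls)
    # The misformatted list from the thread: the request host is 'www.accesskent.com',
    # which never equals 'http://www.accesskent.com', so traffic hits the default deny.
    broken = {"http://www.accesskent.com"}
    print("lint:", lint_domain_set(broken))
    for u in ("http://www.accesskent.com/deeds/index.htm", "http://www.google.com/"):
        print(u, "broken ->", evaluate(u, broken, []), "fixed ->", evaluate(u, domains, urls))
```

Two caveats a practitioner would keep in mind: the script treats a scheme-plus-host entry with no path as a whole-site allow (it goes into the domain set with the scheme stripped), so review those before importing if a path restriction was intended; and a path in an https:// URL Set entry cannot be enforced by a forward proxy that only sees the CONNECT host, so for HTTPS the effective control is the hostname.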
Thanks Bjorn and well done :)

Regards
keith