
How to allow only certain domains and URLs using ISA Server 2004 and block everything else.

I am new to ISA server, so bear with me.

Our configuration:

Windows 2003 with ISA server 2003 set up as just a Web Proxy connected to our network.

Our Purpose:

This may not be the best solution, but it's what I thought up on short notice.  We need to be able to restrict our users so they can only access certain websites and domains.  Supervisors and the like will not be configured to access the internet through the proxy, but other users will.  I do realize that it will not be beyond certain people's ability to circumvent this policy, but should control most people.

What I've done so far:

The web proxy works great, except I am having trouble allowing only certain sites.  Blocking sites works great.  However, allowing sites is not working right.  My Policy is set up as follows:
Order - Name - Action - Protocols -  From - To - Condition

1.  Allow Domains - Allow - HTTP/HTTPS - Internal - Domain List - All users
2.  Allow Urls - Allow - HTTP/HTTPS - Internal - Url List - All Users
3.  Last Default Rule - Deny - All Traffic - All Networks - All Networks - All Users

I have tried some other variations, like putting a deny rule to deny access to http://*, which just blocks standard web traffic.  I can get web access if I put in a rule that states that HTTP/HTTPS from Internal to External for All Users is allowed.  However, this rule gives me access to any web page.  I have tried placing that rule in between rule 2 and the default rule as well as placing it first, with the same results.

Any suggestions regarding a possible solution with the current setup would be appreciated, as would any comments on a better method of achieving the same end result.  We are a Microsoft-only business currently with about 200 users.  Most website access is to the internal web server, so most people don't need to access many external sites.
Asked: Bjorn_Watland
Keith Alabaster commented:
Two items.
1. You can use group policy to assign the proxy server address and port and remove the ability for the users to untick the proxy. This will force the users to use the settings. You can leave the admins out of the group so they can bypass ISA as needed.

2. In the same policy, add the local web sites to the IE exceptions so that they do not need to use ISA server.
In the ISA rules, select allow all but in the 'to' box, use the exceptions box beneath to block the web sites you want to allow.
Alternatively, block all web sites but put the allowed web sites into the exception list.

You can create URL sets and just put the URL set into the exception. This way you can add/delete URLs in the URL set without having to keep amending the rule.
Obviously you can have a different rule for different groups if you wish.

i.e. you can create different AD user groups that can use different URL sets as needed.
Bjorn_Watland (Author) commented:
I do plan on configuring users using GPOs; however, I am only testing on one workstation currently, and I cannot get the firewall to only allow those sites I specify in the URL and Domain Lists.  I am using a list to block that states http://* and https://* are blocked, and I put in an exclusion of the domain list and URL list I had made, with no success.
Keith Alabaster commented:
Open the GUI.
Click on Monitoring - Logging.
Click Start Query.
Test a web site from the client.
Which rule allows the traffic out through ISA?

Are you passing traffic to ISA on port 80 (transparent proxy) or 8080 (web proxy)?
Bjorn_Watland (Author) commented:
I am using 8080.  Right now, the Default Rule is blocking traffic.
Keith Alabaster commented:
OK. If it is the default rule, then ISA does not think you have allowed the traffic to go out.

Where are you doing the test from: an internal client or the ISA server itself?
Bjorn_Watland (Author) commented:
When I try to access a site from the allowed domains list, the server reports in the log that the attempt is Unidentified IP Traffic.
Bjorn_Watland (Author) commented:
I am testing from a workstation that is on the same network as the ISA server.  That message before about the server blocking a website through the default policy was from a domain that was not specified in the allow lists.
Keith Alabaster commented:
OK. Stupidly enough, ISA does not create a protocol for its own web proxy traffic by default.
Create a new protocol called WEBPROXY for TCP port 8080 outgoing. Add this to the list of allowed protocols for your rules.
Bjorn_Watland (Author) commented:
Thanks for that.  I think the problem I have now is that the default rule is blocking access attempts to domains I have listed in my Allow Lists.  I've checked a few domains to rule out any strange redirecting issues.  If I modify my allow rules to also allow internal traffic in addition to the specified URLs or Domains, I can get access to anything.  I also created a URL list of http://* for blocking.  When I have that rule in place, I can't get to anything, and it's the reason listed in the log for why a particular site is being blocked.  I have put that rule below and above my allow lists.  I have also put the allow lists in the exceptions for the blocking rule.  I'm guessing I shouldn't use http://* to block sites, but is there another way?
Keith Alabaster commented:
Blocking http://* will block all. Yep, that would do it, lol.

Can you give me an example of what you want to block/allow?

For example:
Block all HTTP,  exception: site1, site2, site3,  users X only
Block all HTTPS, exception: site4, site5, site6,  users X & Y only

Is that about the sum of it?
Bjorn_Watland (Author) commented:
Right now, I am only going to configure regular staff to go through the proxy, and everyone else will not.  I have a long list of about 4500 allowed domains and URLs that staff need to access to do their job.  An example would be https://www.accesskent.com/deeds/ or http://www.wvsos.com/.  This setup is kind of a reverse block list: I only want to allow a small number of pages, rather than block a large number.
Bjorn_Watland (Author) commented:
I did set up a rule for blocking all HTTP and HTTPS traffic and excluding those specific domain and URL lists; however, traffic is still blocked, I believe because the protocol itself is being blocked by that same policy.
Keith Alabaster commented:
If it is being blocked by the same policy then this will show in the log, i.e. traffic will be denied by rule X, not by the default rule.

Bjorn, we are obviously not quite tying up together on this one, as this is the simplest thing that ISA can do with its eyes closed. I am posting some links here that will walk you through the process. If it still does not work after this then I think that we will need to look at your install process.

Configuration Guide
http://download.microsoft.com/download/6/9/0/690d2ee7-a4e0-4c0a-80d4-1e30ebcac1de/isa_2004_se_configuration_guide.doc

HTTP filtering
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

URL & Domain Sets
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomainnamesets.mspx
Bjorn_Watland (Author) commented:
I believe I've figured out my problem.  I was formatting my Domain List as http://www.accesskent.com when I should be putting in www.accesskent.com.  I'll keep you posted if that solves my problem.  Thanks again for your help.
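An added example, not code from the thread: a small Python helper that sorts a mixed allow-list into the two shapes ISA 2004 expects (bare host names for a domain name set, scheme-plus-path patterns for a URL set) and rejects over-broad entries such as http://*, so the formatting mistake described above is caught before thousands of entries are typed in. The sample entries are constructed for illustration; only the accesskent.com and wvsos.com examples come from the thread.

```python
"""Normalise a mixed allow-list into ISA 2004 domain name set and URL set entries."""
import re
from urllib.parse import urlsplit

# Constructed sample input showing the mixed formats described in the thread
# (hypothetical list; the asker's real 4500-entry list is not on the page).
RAW_ENTRIES = [
    "http://www.accesskent.com",          # scheme on a bare host: domain set, not URL set
    "https://www.accesskent.com/deeds/",  # has a path: URL set entry
    "http://www.wvsos.com/",              # trailing slash only: domain set entry
    "www.wvsos.com",                      # same host again, already in the right form
    "*.example.com",                      # wildcard domain entry, already correct
    "http://*",                           # would allow everything: must be rejected
]

# Host name, optionally prefixed with "*." for a whole-domain wildcard.
HOST_RE = re.compile(r"(\*\.)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def classify(entry):
    """Return ('domain', host) or ('url', pattern) in ISA-ready form, else raise ValueError."""
    entry = entry.strip()
    if "://" not in entry:
        if not HOST_RE.fullmatch(entry):
            raise ValueError(f"not a valid domain name set entry: {entry!r}")
        return "domain", entry.lower()
    parts = urlsplit(entry)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not HOST_RE.fullmatch(host):
        raise ValueError(f"rejecting over-broad or malformed entry: {entry!r}")
    if parts.path in ("", "/") and not parts.query:
        # Only a host was given: ISA wants it in the domain name set without the scheme.
        return "domain", host.lower()
    # A directory path gets a trailing '*' so pages beneath it are included.
    path = parts.path + ("*" if parts.path.endswith("/") else "")
    query = f"?{parts.query}" if parts.query else ""
    return "url", f"{parts.scheme}://{host.lower()}{path}{query}"


def split_sets(entries):
    """Split raw entries into (domain_set, url_set, rejected), deduplicated and sorted."""
    domains, urls, rejected = set(), set(), []
    for raw in entries:
        try:
            kind, value = classify(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        (domains if kind == "domain" else urls).add(value)
    return sorted(domains), sorted(urls), rejected


if __name__ == "__main__":
    d, u, r = split_sets(RAW_ENTRIES)
    print("Domain name set:", d, "\nURL set:", u, "\nRejected:", r)
```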
Keith Alabaster commented:
Arrgghhh. Yep, that would do it.
Bjorn_Watland (Author) commented:
That did it.  I have the group policy set, and everything is testing alright.  Thanks again for your help.
Bjorn_Watland (Author) commented:
I was able to figure it out by following an example on the installation guide step by step, but watching the log is an invaluable tip.
Keith Alabaster commented:
Thanks, Bjorn, and well done :)

Regards
keith