Solved

ISA 2004 - streaming video

Posted on 2006-07-15
Last Modified: 2013-11-16
Hi All,
I've got an ISA rule that is intended to block streaming media (audio and video).  It appears to work almost correctly.  When a user tries to launch a video on the web (in a web page for instance), the user is prompted for his/her authentication.  If they enter their username and password, it allows the video.  

Question:  How can I stop the video/audio from prompting for permission to play?

Thanks,
Terry
Question by:colepc
LVL 51

Expert Comment

by:Keith Alabaster
How are you blocking?
Right-click the allow rule and select configure http
Block the downloads from
0
 

Author Comment

by:colepc
Clue #1 has appeared...there is no option for 'configure http' on the rule I've created.  The selected protocols used on this rule include MMS, PNM, and RTSP.  I initially had HTTP in there as well (it was in the "Streaming Media" protocol group), but all http was blocked (not just video).  I removed http from it then and general web content was accessible again.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Are you operating in proxy mode only? ie only one NIC?
0
 

Author Comment

by:colepc
Nope.  2 nics.  one outside one inside.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Oh, ok. Just reread your other post; you have removed http from the list of protocols.... lol
0
 
LVL 51

Expert Comment

by:Keith Alabaster
So how have you set the rules?
Allow all outgoing except for these protocols?
Deny these protocols for all users?
0
 

Author Comment

by:colepc
My base question needs to change based on what I've observed today.  The behavior of the video feeds (and audio) prompting a user for credentials in order to see it is slightly off from what you are thinking of (in this case anyway).  Check this out...

I've observed that on the terminal server (where all users will access the internet...completely RDP network), if the user is a member of the local Administrators group (for the TS box), the behavior is different for the video feed.  The text of the credentials dialog is different when the user is an Administrator (again, local to the TS) than when the user is just an "internet user" on the SBS (or Domain User). To illustrate better than a description, check these 2 pictures, one of each dialog box:


As Administrator on the TS:  http://www.colepc.com/As_administrator_image.gif

Not as the administrator on the TS:  http://www.colepc.com/not_as_administrator_image.gif

The other thing that's come to light, is that the login shown in the 2nd image is a nuisance; that is, it pesters the snot out of the "non local admin" user whenever they attempt to browse the internet.  If the user visits a blocked page (due to an ISA rule, say "www.match.com", for example), they are prompted with the same login screen. Providing valid credentials does not satisfy the login...it returns incessantly.  I didn't realize this behaviour was happening as I've been logged into the TS for testing as a Domain Admin (including membership as a local Admin on the TS).  I finally saw it from a user's point of view which leads me to here.

I've tried to isolate this behavior to possibly other less privileged local users on the TS, but the appropriate behaviour only occurs when the user is an admin.  Of course, this is bad news for other local security on the actual TS box!

Does that ring any bells?

Thanks,
Terry
0
 

Author Comment

by:colepc
Here's the answer...

The problem was not with ISA permissions, but rather the redirect page I had entered whenever a "deny" rule was encountered.   Although I put the "custom_denied.htm" page in \inetpub\wwwroot, the parent folder's permissions were not inherited by the page resulting in only allowing Administrators to view the page.

Manually inheriting permissions on the redirect page(s) solved the issue.

Duh.



0
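The fix described in the post above (a deny-redirect page whose ACL did not inherit from `\inetpub\wwwroot`, so only Administrators could read it) can be audited with a short script. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later and that the web root is on `C:`, and the function names are hypothetical.

```powershell
# Added example: find web-root files whose ACL does not inherit from the parent.
# Assumption: the drive letter C: (the post only gives \inetpub\wwwroot).
$WebRoot = 'C:\inetpub\wwwroot'
$Read    = [System.Security.AccessControl.FileSystemRights]::Read

function Get-NonInheritingFile {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        # AreAccessRulesProtected is $true when the file ignores the parent's ACL.
        if ($acl.AreAccessRulesProtected) {
            # List the identities that are explicitly allowed to read the file.
            $readers = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $Read) -eq $Read)
            } | ForEach-Object { $_.IdentityReference.Value }
            [pscustomobject]@{
                File    = $file.FullName
                Readers = ($readers -join ', ')
            }
        }
    }
}

function Restore-Inheritance {
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    # First argument $false re-enables inheritance from the parent folder;
    # the second argument is ignored in that case.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $File -AclObject $acl
}

# Report every page that does not inherit, with who can read it.
Get-NonInheritingFile -Path $WebRoot | Format-Table -AutoSize

# After reviewing the report, re-enable inheritance on the redirect page:
# Restore-Inheritance -File (Join-Path $WebRoot 'custom_denied.htm')
```

A file listed with only an Administrators entry under `Readers` matches the symptom in the thread: non-admin users get a credential prompt for the redirect page instead of the deny message. Restoring inheritance grants whatever the parent folder grants, so check the parent's ACL first.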
 
LVL 51

Expert Comment

by:Keith Alabaster
Is this a duplicate question to this one or did the one answer fit both questions?
http://www.experts-exchange.com/Security/Firewalls/Q_21926953.html#17168873

Nice one Terry.

0
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
Closed, 500 points refunded.

GhostMod
Community Support Moderator
0
