Solved

ISA SERVER 2006 & URL SET

Posted on 2007-11-28
1,443 Views
Last Modified: 2012-06-21
Hello
I'm new to ISA Server; we have experienced a strange problem.
Our work environment is: 1 domain controller (DC1) running Windows Server 2003 SP2; 50 PCs with Windows XP Professional SP2, all joined to DC1; and ISA Server 2006 installed on a server with 2 NICs running Windows Server 2003 SP2, joined to the domain controller DC1.
- Our business rule requires that some users be allowed to access ONLY 1 web site ("our company web site") on the internet and be denied all other web sites.
- I made the following access rules:
=================================================================================
Order | Name                             | Action | Protocols        | From/Listener | To
=================================================================================
3     | AllowUsersToAcces1WebSite        | Allow  | DNS, HTTP, HTTPS | Internal      | Co.WebSite
4     | DenyUsersToAccesAnyotherWebSite  | Deny   | DNS, HTTP, HTTPS | Internal      | AnyWebSite
-------------------------------------------------------------------------------------------------------------------------------
Notes:
1- Co.WebSite is a URL set I have created (Name: Co.WebSite; added the URL http://www.mycompanyweb.com).
2- AnyWebSite is a URL set I have created (Name: AnyWebSite; added the URL http://*).
3- The clients are using SecureNAT (by setting the default gateway to the ISA IP).

The problems:
1- After I configured the access rules as above, I tested from the clients and it worked fine!!! BUT after some time the clients can't access our company site, nor any other site.
I don't know what's going on, so I deleted the rules and recreated them and tried from the clients again; the same problem occurs: "works fine, but after some time can't access the internet".

2- We have some pages on our company web site that use "https://", but when I apply the above rule the users can't access any page that uses https://, even though I added "https://www.mycompanyweb.com/". While creating the URL set I read the following note: "URLs included in this set (applicable for HTTP traffic only)". So how can I add https://www.ourcompanyweb.com to the URL set?

I am waiting for your help.



If the DNS is not configured correctly, rules using a URL set may not be applied as expected. "URLs included in this set (applicable for HTTP traffic only)".
Question by:ali_alannah
6 Comments
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20365139
Are you using the web proxy or the firewall client?

If you are not, ISA does not see the URL only the IP address.  It then does a reverse lookup on the IP address, but may not get the DNS name you are expecting if the same IP address is used to host multiple web sites.

I recommend that you firstly use Domain Name Sets, unless you want to block/allow specific paths on a site.  Then, review the firewall logs to see the actual site name it is blocking.

You may also choose to use either the Firewall Client or Web Proxy, as it will provide more info to ISA Server.

Remember as well that DENY rules do exactly that.  If you want some authenticated users to have access then that rule will need to come before the DENY rule, but also remember that authenticated rules must come after all non-authenticated rules as they introduce an implicit DENY-ALL for non-authenticated connections.
 

Author Comment

by:ali_alannah
ID: 20367105
Hello SteveH_UK,
Thanks for your help, but please could you make it easy, in steps, because I am a newcomer to ISA Server. So do you mean:

1- Using the Web Proxy or Firewall Client will solve this problem? Because we don't use the Web Proxy or Firewall Client, ONLY SecureNAT. So if this will solve our problem we can configure the clients to use one of these (Web Proxy or Firewall Client).

2- I don't understand what you mean by "I recommend that you firstly use Domain Name Sets". As I explained in my question, I am using http://www.mycompanyweb.com as a URL set to allow the clients to access it, and using (http://*) as a URL set to deny access to all other web sites.
 
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 100 total points
ID: 20367982
Add a rule above the two rules you have put in to allow HTTP & HTTPS from Internal to Internal - this assumes that you have your internal web server inside the local area network.

A domain set can be used instead of a URL set - URL sets follow the http://whatever/* format; domain sets use *.yourdomain.com style formats without http or https in front of them. This may help, but the fact that your rules are working for a while suggests that you have done the job correctly.

Have you run the BPA on your ISA system? You need .NET Framework 1.1 for this to operate.

http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
 
LVL 19

Accepted Solution

by:SteveH_UK
SteveH_UK earned 400 total points
ID: 20368160
URL Sets and Domain Name Sets are two different types of objects in ISA Server.  A URL Set can include, for example: "http://www.acompany.com/thispage"; but a Domain Name Set only includes "www.acompany.com".  When you are configuring a rule and are choosing the "To" options, you can create a Domain Name Set the same way as a URL Set.

You do not need to use the firewall client or the web proxy (we didn't for a while), but they do help with diagnosing issues as ISA Server can provide more information, and it also enables user authentication so that you can create per-user rules.  As a general rule, it is a good idea to use the firewall client, but you will need to configure the Internal network to support it.  Have a look at the ISA Server Product Documentation, and then let me know if you need more help, that is if you decide to do either of these.

Make sure you've got the latest updates for ISA Server 2006, as they include a really helpful improvement in the log display.

Can you check that clients can find your company website, because I'm not sure that your DNS rules are OK.  If everyone uses external DNS servers, then you need to create an access rule that allows Internal to External for the DNS protocol.  If you have internal DNS servers, then you still need to do this for your internal DNS servers.  You can check client DNS lookup using:

nslookup www.google.com

If you are then still having problems, try the following:

nslookup www.yourcompany.com

Then try:

ping -a 1.2.3.4

where 1.2.3.4 is the IP address that nslookup returns.  What you need to know is whether a reverse DNS lookup on 1.2.3.4 gives www.yourcompany.com.  I suspect that it does not, or at least does not consistently.  In these cases, you need to add the reported address to your URL Set or Domain Name Set in ISA Server.
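The two manual checks in the accepted solution (forward lookup with nslookup, then reverse lookup of each returned address with ping -a), together with the URL Set versus Domain Name Set formats Keith describes, can be scripted. The Python below is an added example and is not code from the original thread or from ISA Server; the host names, the 203.0.113.x addresses and the PTR names are constructed sample data, and the `*.domain` wildcard convention in `entry_matches` is an assumption made for this emulation. It resolves a name, reverse-resolves every address it maps to, reports which addresses come back with a different name, and shows why a SecureNAT-only ISA (which sees just the destination IP and its reverse name) falls through to the Deny rule for those addresses until the address itself is added to the set.

```python
"""Reverse-lookup diagnostic for ISA Server SecureNAT clients (added example).

A SecureNAT client gives ISA Server only a destination IP address; ISA then
reverse-resolves that address and matches the result against the rule's
URL Set / Domain Name Set. These helpers reproduce the manual nslookup and
ping -a checks and emulate the name match. Sample data below is constructed.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

ForwardResolver = Callable[[str], List[str]]
ReverseResolver = Callable[[str], Optional[str]]


def live_forward(hostname: str) -> List[str]:
    """What 'nslookup www.yourcompany.com' shows on a client: all IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def live_reverse(ip: str) -> Optional[str]:
    """What 'ping -a 1.2.3.4' shows: the PTR name for the address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None


def reverse_lookup_report(hostname: str,
                          forward: ForwardResolver = live_forward,
                          reverse: ReverseResolver = live_reverse) -> Dict[str, Optional[str]]:
    """Map each address the name resolves to onto its reverse (PTR) name."""
    return {ip: reverse(ip) for ip in forward(hostname)}


def inconsistent_addresses(hostname: str, report: Dict[str, Optional[str]]) -> List[str]:
    """Addresses whose reverse name is not the name the client asked for."""
    wanted = hostname.lower()
    return sorted(ip for ip, name in report.items() if name != wanted)


def entry_matches(entry: str, candidate: str) -> bool:
    """One set entry against one candidate (a reverse name or an IP address).

    Assumed convention for this emulation: plain entries match exactly, and a
    '*.example.com' entry (Domain Name Set style, no scheme) matches
    example.com and any name under it.
    """
    entry, candidate = entry.lower(), candidate.lower()
    if entry.startswith("*."):
        suffix = entry[2:]
        return candidate == suffix or candidate.endswith("." + suffix)
    return entry == candidate


def rule_allows(allowed_set: Iterable[str], ip: str, reverse_name: Optional[str]) -> bool:
    """Emulate the Allow rule for a SecureNAT client: ISA never sees the URL
    the browser typed, only the destination IP and whatever reverse DNS returns."""
    candidates = [ip]
    if reverse_name:
        candidates.append(reverse_name)
    return any(entry_matches(e, c) for e in allowed_set for c in candidates)


# Constructed sample data: the company site answers on two addresses, and
# only the first has a PTR record pointing back at www.mycompanyweb.com.
SAMPLE_FORWARD = {"www.mycompanyweb.com": ["203.0.113.10", "203.0.113.11"]}
SAMPLE_REVERSE = {"203.0.113.10": "www.mycompanyweb.com",
                  "203.0.113.11": "shared-web-11.hosting.example"}


def demo() -> Dict[str, Dict[str, bool]]:
    """Run the checks on the sample data; return per-address verdicts before and
    after adding the inconsistent address to the set, as the answer suggests."""
    report = reverse_lookup_report("www.mycompanyweb.com",
                                   forward=lambda h: SAMPLE_FORWARD[h],
                                   reverse=SAMPLE_REVERSE.get)
    allowed = {"www.mycompanyweb.com"}
    before = {ip: rule_allows(allowed, ip, name) for ip, name in report.items()}
    fixed = allowed | set(inconsistent_addresses("www.mycompanyweb.com", report))
    after = {ip: rule_allows(fixed, ip, name) for ip, name in report.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python script.py www.yourcompany.com  (live DNS)
        live = reverse_lookup_report(sys.argv[1])
        print(live, "inconsistent:", inconsistent_addresses(sys.argv[1], live))
    else:
        print(demo())
```

Run it with a host name argument to query live DNS from a client the same way the manual checks do; without arguments it runs on the constructed data, where the second address is denied until its IP is added to the set. The same `entry_matches` rule explains why an https:// page never matched a URL Set entry written as http://...: the scheme is part of a URL Set entry but not of a Domain Name Set entry.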
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20368179
If you are taking on the responsibility for managing an ISA Server, or any firewall, you really must understand TCP/IP, DNS, DHCP and general firewall principles.  Can I recommend that you find a good book, perhaps by SAMS Publishing or Microsoft Press.  The exam kit books tend to be quite good.

Of course, we'll do our best to answer your current problems as quickly as we can!
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20368253
Off topic - Steve - check out my profile at some point and drop me an email if you feel like it.

Keith