ISA 2006 Blocking URL and Domain Sets

Hello,

I have a Firewall rule which is successfully blocking some sites yet not others even though they are in the same SET - porn sites especially. All URLs/Domains are entered into the SET in the *.domain.com format. Anyone know what's causing this - are the porn sites employing a trick - encrypting traffic or something like that?

Clients are Webproxy
Ciderspine asked:
Keith Alabaster (Enterprise Architect) commented:
I have heard of this.... and it catches many filters, not just ISA. There is a tendency (and it IS being addressed) for DNS redirects to the domain name to be redirected, or vice versa. However, my system is working fine just using *.vikingpasses.com - however, I have every patch known to man for ISA installed - I run Windows 2003 Standard SP2 on my ISA box and use ISA 2006 Enterprise with two array members.

Keith Alabaster (Enterprise Architect) commented:
You really should not mix URLs and domains together.
Put domains in a domain set and URLs in a URL set, then put both into the TO field of the rule or the exception part of the rule, depending on how you have implemented it.

Ciderspine (author) commented:
Keith,

I have done that but it still doesn't work. For example, if I put *.microsoft.com and *.vikingpasses.com in a Domain Set, Microsoft is blocked as expected but vikingpasses.com isn't.

Ben
Keith Alabaster (Enterprise Architect) commented:
Are you putting these in a specific deny rule or as exceptions in an allow rule?
www.vikingpasses.com only has a single IP address associated with it so, if anything, I would have expected to see the results reversed, i.e. the MS site being the one that still got through....

Open the ISA GUI, select Monitoring - Logging - Start Query.
Try the Vikings site from the client.
Which rule is allowing the Vikings site to get through - the same rule number that should be blocking?

Ciderspine (author) commented:
Specific deny.
Rule allowing Vikings to get through: Permit Internal to External (this is the last rule).

Keith Alabaster (Enterprise Architect) commented:
The last rule is a deny everything and cannot be changed.

Try again, but this time try the Microsoft site - I assume this is blocked by your deny rule?
Take vikingpasses out of the existing domain set and make a new domain set with just this in it. For ISA to ignore it, ISA must believe that the traffic it sees passing through its web filter does not match what you have put in your domain set. Put this at rule 1 and let's see what happens.

If it still goes through, please cut and paste the WHOLE of the line from the log where it has been allowed through. You are on ISA 2006? Have you deployed ALL of the updates etc.?

Ciderspine (author) commented:
Last before the implicit deny, I should have said.

Microsoft is blocked by my 'Deny Filtered Sites' rule as expected.
Domain Set with just vikingpasses works.

Yes - 2006. No updates yet.

Keith Alabaster (Enterprise Architect) commented:
If it still goes through, please cut and paste the WHOLE of the line from the log where it has been allowed through

Let's have a look at the output then - weird. I tried it here and it blocks immediately.

Ciderspine (author) commented:
It's blocking the Viking site now, and another. I added *.sexymania.net to the same domain set and it will not block it, but it still blocks the rest.

Attached text file of the log results that allowed it to connect:
isalog.txt

Keith Alabaster (Enterprise Architect) commented:
Sounds stupid, I know, but you ARE hitting Return after you enter the last name, aren't you? I have only seen it once before, but not hitting the Return key means no CR/LF is submitted, therefore the last entry may be ignored.

Ciderspine (author) commented:
Here's something I've found.

If I Google it and select the link, it gets blocked, and the link generally points to www.domain.com.
If I remove the www, it gets through.
I thought the *. took care of that?

Keith Alabaster (Enterprise Architect) commented:
It should - but there were some funnies in the first release, hence my question about whether you had applied all the updates to ISA 2006.

If you cannot apply the patches now (release management/whatever) then, as a workaround, it sounds like you could just add a dummy entry at the end, such as *.nosuchdomain.com, as the last entry.

Ciderspine (author) commented:
I'll try the patches tomorrow on a lab server. Thanks for your help - much appreciated. I'll update my results tomorrow afternoon.

Ben

Keith Alabaster (Enterprise Architect) commented:
No worries, Ben - if the issue is still there afterwards, just post again - I'll be here. As I recall, those updates don't require a reboot.

Cheers
Keith

Ciderspine (author) commented:
Hi Keith,

Not applied any updates yet. It's definitely a problem with the wildcard - I can reproduce it with every domain I enter in the set; each behaves in the following way:

www.microsoft.com - ISA blocks (consistent with sets and rules)
microsoft.com - ISA doesn't block (not consistent with sets and rules)

I tried your suggestion but no success. Any ideas? I can't try the updates because I can't risk disrupting our production server. I'll have to build another and test on that.

Ben

Ciderspine (author) commented:
Aha! Because the wildcard is present, ISA is looking for a host name (CNAME/A record) prefix to the domain - if there's no prefix then it considers it a no-match.

If I add *.domain.com and domain.com to the set then it blocks. Question is - is there a way around this without duplicating domains in the set?

I wonder if some domains (microsoft.com etc.) redirect a URL entered in the domain.com format to www.microsoft.com, which would explain why it worked for Microsoft?

Ciderspine (author) commented:
I'll patch and see if it makes a difference then.

Apologies for going beyond the scope of the post, but what difference is there between a URL filter *.domain.com and a domain filter *.domain.com - surely each will achieve the same result?

Keith Alabaster (Enterprise Architect) commented:
Nope lol

The domain set uses the FQDN approach, i.e. *.subdomain.domain.locality etc.
Using the reverse, though, of www.subdomain.domain.com would stop everything on that server.
www.subdomain.domain.* would stop everything on that domain - you have no granularity.

The URL set can go down into individual sites and virtual directories,
i.e.
http://www.domain.com/site1/woohoo/*
http://www.domain.com/site1/downloads/*

However, it would allow
http://www.domain.com/site1/readme/*
http://www.domain.com/site1/anything_else/*    as these were not specifically named.

So, domains (* at either end but never both) stop everything for the server or domain.
URLs are much more selective and can delve into the virtual directories on a site/domain, which domain sets cannot.

Ciderspine (author) commented:
I understand.
Thanks - most appreciated.

Keith Alabaster (Enterprise Architect) commented:
You're welcome - if you still have the issue, feel free to post again here and if necessary, I'll escalate it.

Thanks
Keith

samhic1 commented:
It might not be your problem, but I found this on Microsoft's site about blocking domains; I do not like the way this works:

When you create a domain with a wildcard character, such as *.microsoft.com, this only includes host computers at the domain, for example www.microsoft.com, ftp.microsoft.com. Note that if the domain name points to a host, *.microsoft.com will have no effect on the URL http://Microsoft.com.

Keith Alabaster (Enterprise Architect) commented:
That is correct - you need two lines in the set.

*.microsoft.com is NOT the same as microsoft.com.
The first is all servers within the microsoft.com domain and the second is the actual domain reference.

People are now performing DNS redirects, but hopefully the next version of ISA will address this.

lrkwalkers commented:
Or you could use *microsoft.com
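The behaviour the thread converges on (a `*.domain.com` entry never covers the bare `domain.com`, so a domain set needs both lines; a URL set is more granular than a domain set; `*microsoft.com` as a looser alternative) is easy to misjudge without seeing the matching rules side by side. The Python below is an added example written for this page, not Microsoft's ISA code. The only rule it takes from the product documentation quoted above is the leading `*.` semantics; how other wildcard placements and URL-set paths are matched is an assumption made here so the comparison can run, and the `DOMAIN_SET` and `URL_SET` contents are constructed from the entries discussed in the thread. Check the model against your own ISA logs before relying on it.

```python
"""Model of how an ISA 2006 domain set and URL set decide a match.

Added example for this thread, not Microsoft's ISA code.  Documented rule:
a leading "*." in a domain set covers hosts *under* the domain and never
the apex itself, so "*.microsoft.com" matches www.microsoft.com but not
microsoft.com.  Everything else (other wildcard placements, URL-set path
matching) is an assumption made here for illustration.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample sets, mirroring the entries discussed in the thread.
DOMAIN_SET = ["*.microsoft.com", "*.vikingpasses.com"]
URL_SET = [
    "http://www.domain.com/site1/woohoo/*",
    "http://www.domain.com/site1/downloads/*",
]


def _norm(name):
    """Lower-case and strip a trailing dot so 'WWW.X.COM.' == 'www.x.com'."""
    return name.strip().lower().rstrip(".")


def domain_matches(entry, host):
    """True if a single domain-set entry covers host."""
    entry, host = _norm(entry), _norm(host)
    if entry.startswith("*."):
        # Documented behaviour: any host under the domain matches, but the
        # apex has no label in front of ".example.com" and so does NOT.
        # This is exactly the gap the thread ran into.
        return host.endswith(entry[1:]) and host != entry[2:]
    if "*" in entry:
        # Assumption: any other placement is a plain glob.  Note that the
        # suggested "*microsoft.com" then also covers "notmicrosoft.com".
        return fnmatchcase(host, entry)
    return host == entry


def domain_set_blocks(domain_set, host):
    """True if host hits any entry in the set (a deny rule would fire)."""
    return any(domain_matches(e, host) for e in domain_set)


def apex_entries(domain_set):
    """Bare 'domain' entries still missing for each '*.domain' entry.

    ISA needs both lines to cover the apex, so this lists what to add.
    """
    present = {_norm(e) for e in domain_set}
    wanted = {_norm(e)[2:] for e in domain_set if _norm(e).startswith("*.")}
    return sorted(wanted - present)


def url_matches(entry, url):
    """Assumed URL-set rule: scheme and host must be equal; a trailing '*'
    on the entry's path makes it a prefix match, otherwise the path must
    be identical."""
    e, u = urlsplit(entry.strip().lower()), urlsplit(url.strip().lower())
    if (e.scheme, e.hostname) != (u.scheme, u.hostname):
        return False
    if e.path.endswith("*"):
        return u.path.startswith(e.path[:-1])
    return u.path == e.path


def url_set_blocks(url_set, url):
    """True if url hits any entry in the URL set."""
    return any(url_matches(e, url) for e in url_set)


if __name__ == "__main__":
    for host in ["www.vikingpasses.com", "vikingpasses.com", "notmicrosoft.com"]:
        print(f"{host:25} blocked={domain_set_blocks(DOMAIN_SET, host)}")
    print("lines to add so the apex is covered:", apex_entries(DOMAIN_SET))
    fixed = DOMAIN_SET + apex_entries(DOMAIN_SET)
    print("vikingpasses.com after fix:", domain_set_blocks(fixed, "vikingpasses.com"))
    print("*microsoft.com vs notmicrosoft.com:",
          domain_matches("*microsoft.com", "notmicrosoft.com"))
    for url in ["http://www.domain.com/site1/woohoo/a.zip",
                "http://www.domain.com/site1/readme/a.zip"]:
        print(f"{url:45} blocked={url_set_blocks(URL_SET, url)}")
```

Running it shows `www.vikingpasses.com` blocked and `vikingpasses.com` passing until the bare entry from `apex_entries` is added, and the `readme` URL passing a URL set that only names `woohoo` and `downloads`. The `*microsoft.com` form does cover the apex in one line, but under plain glob matching it also catches unrelated names that merely end in `microsoft.com`, so a reviewer should prefer the two explicit lines in a deny set.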