Ciderspine asked:
ISA 2006 Blocking URL and Domain Sets

Hello,

I have a firewall rule which is successfully blocking some sites yet not others, even though they are in the same SET - porn sites especially. All URLs/domains are entered into the SET in the *.domain.com format. Anyone know what's causing this - are the porn sites employing a trick, encrypting traffic or something like that?

Clients are Webproxy.
Keith Alabaster:

You really should not mix URLs and domains together.
Put domains in a domain set and URLs in a URL set, then put both into the TO field of the rule or the exception part of the rule, depending on how you have implemented it.
Ciderspine (asker):

Keith,

I have done that but it still doesn't work. For example, if I put *.microsoft.com and *.vikingpasses.com in a Domain Set, Microsoft is blocked as expected but vikingpasses.com isn't?

Ben
Are you putting these in a specific deny rule or as exceptions in an allow rule?
www.vikingpasses.com only has a single IP address associated with it so, if anything, I would have expected to see the results reversed, i.e. the MS site being the one that still got through....

Open the ISA GUI, select Monitoring - Logging - Start Query.
Try the Vikings site from the client.
Which rule is allowing the Vikings site to get through - the same rule number that should be blocking?
Specific deny.
Rule allowing Vikings to get through - Permit Internal to External << this is the last rule.
The last rule is a deny everything and cannot be changed.

Try again, but this time try the Microsoft site - I assume this is blocked by your deny rule?
Take the vikingpasses out of the existing domain set and make a new domain set with just this in. For ISA to ignore it, ISA must believe that the traffic it sees passing through its web filter does not match what you have put in your domain set. Put this at rule 1 and let's see what happens.

If it still goes through, please cut and paste the WHOLE of the line from the log where it has been allowed through. You are on ISA 2006? Have you deployed ALL of the updates etc.?
Last before the implicit deny, I should have said.

Microsoft is blocked by my 'Deny Filtered Sites' rule as expected.
Domain Set with just vikingpasses works.

Yes - 2006. No updates yet.
If it still goes through, please cut and paste the WHOLE of the line from the log where it has been allowed through.

Let's have a look at the output then - weird. I tried it here and it blocks immediately.
It's blocking the Viking site now and another. I added *.sexymania.net to the same domain set and it will not block it, but it still blocks the rest.

Attached txt file of the log results that allowed it to connect.
isalog.txt
Sounds stupid, I know, but you ARE hitting Return after you enter the last name, aren't you? I have only seen it once before, but not having the Return key hit means no CR/LF is submitted, therefore the last entry may be ignored.
Here's something I've found.

If I Google it and select the link, it gets blocked; the link generally points to www.domain.com.
If I remove the www, it gets through.
I thought the *. took care of that?
It should - but there were some funnies in the first release, hence my question about whether you had applied all the updates to ISA 2006.

If you cannot apply the patches now (release management/whatever), then as a workaround it sounds like you could just add a dummy entry on the end, such as *.nosuchdomain.com, as the last entry.
I'll try the patches tomorrow on a lab server. Thanks for your help - much appreciated. I'll update my results tomorrow afternoon.

Ben
No worries Ben - if the issue is still there afterwards, just post again - I'll be here. As I recall, those updates don't require a reboot.

Cheers
Keith
Hi Keith,

Not applied any updates yet. It's definitely a problem with the wildcard - I can reproduce it with every domain I enter in the set; they behave in the following way:

www.microsoft.com - ISA blocks (consistent with sets and rules)
microsoft.com - ISA doesn't block (not consistent with sets and rules)

I tried your suggestion but no success. Any ideas? I can't try the updates because I can't risk disrupting our production server. I'll have to build another and test on that.

Ben
Aha! Because the wildcard is present, ISA is looking for a host name (CNAME/A record) prefix to the domain - if there's no prefix then it considers it a no-match.

If I add *.domain.com and domain.com to the set then it blocks. Question is - is there a way around this without duplicating domains in the set?

I wonder if some domains (microsoft.com etc.) redirect a URL entered in the domain.com format to www.microsoft.com, which would explain why it worked for Microsoft?
ASKER CERTIFIED SOLUTION
Keith Alabaster

I'll patch and see if it makes a difference then.

Apologies for going beyond the scope of the post, but what difference is there between a URL filter *.domain.com and a domain filter *.domain.com - surely each will achieve the same result?
Nope lol

The domain uses the FQDN approach, i.e. *.subdomain.domain.locality etc.
Using the reverse, though, of www.subdomain.domain.com would stop everything on that server.
www.subdomain.domain.* would stop everything on that domain - you have no granularity.

The URL set can go down into individual sites and virtual directories,
i.e.
http://www.domain.com/site1/woohoo/*
http://www.domain.com/site1/downloads/*

However, it would allow
http://www.domain.com/site1/readme/*
http://www.domain.com/site1/anything_else/*
as these were not specifically named.

So, domains (* at either end but never both) stop everything for the server or domain.
URLs are much more selective and can delve into the virtual directories on a site/domain, which domain sets cannot.
I understand.
Thanks - most appreciated.
You're welcome - if you still have the issue, feel free to post again here and if necessary, I'll escalate it.

Thanks
Keith
It might not be your problem, but I found this on Microsoft's site about blocking domains; I do not like the way this works:

When you create a domain with a wildcard character, such as *.microsoft.com, this only includes host computers at the domain, for example www.microsoft.com, ftp.microsoft.com. Note that if the domain name points to a host, *.microsoft.com will have no effect on the URL http://Microsoft.com.
That is correct - you need two lines in the set.

*.microsoft.com is NOT the same as microsoft.com.
The first is all servers within the microsoft.com domain and the second is the actual domain reference.

People are now performing DNS redirects, but hopefully the next version of ISA will address this.
Or you could use *microsoft.com
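To make the matching rules discussed in this thread concrete (the *.domain.com versus domain.com behaviour above, and the domain-set versus URL-set distinction in Keith's earlier answer), here is an added Python model of how such a deny rule evaluates a request. It is not ISA code and not from the thread; it assumes the semantics stated here (a leading "*." needs a host label in front of the domain, a wildcard sits at one end only, a URL entry with a trailing "*" is a path prefix), so a policy can be checked offline before it is entered into the GUI.

```python
"""Model of ISA-style domain-set and URL-set matching for a deny rule.

Constructed example, not ISA's implementation. Semantics follow the thread:
'*.example.com' matches hosts inside the domain but NOT 'example.com' itself;
a wildcard may sit at one end of a domain entry only; URL entries are prefixes.
"""
from urllib.parse import urlsplit


def domain_entry_matches(entry: str, host: str) -> bool:
    """True if one domain-set entry covers `host` (compared case-insensitively)."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*") and entry.endswith("*"):
        raise ValueError("wildcard allowed at one end only: " + entry)
    if entry.startswith("*."):
        # '*.example.com' needs at least one label before the domain, so the
        # bare 'example.com' does not match; add it as a second entry to cover it.
        return host.endswith(entry[1:])
    if entry.startswith("*"):
        # '*example.com' is a plain suffix: it also catches 'example.com', but
        # (a caveat of suffix matching) unrelated names such as 'notexample.com'.
        return host.endswith(entry[1:])
    if entry.endswith(".*"):
        # 'www.example.*' stops that server under any top-level domain.
        return host.startswith(entry[:-1])
    return host == entry


def url_entry_matches(entry: str, url: str) -> bool:
    """URL-set entries are path prefixes; a trailing '*' covers everything below."""
    if entry.endswith("*"):
        return url.lower().startswith(entry[:-1].lower())
    return url.lower() == entry.lower()


def is_blocked(url: str, domain_set: list[str], url_set: list[str]) -> bool:
    """Evaluate one deny rule whose TO field holds a domain set and a URL set."""
    host = urlsplit(url).hostname or ""
    return (any(domain_entry_matches(e, host) for e in domain_set)
            or any(url_entry_matches(e, url) for e in url_set))


if __name__ == "__main__":
    # Sample policy built from the thread's own examples.
    domains = ["*.microsoft.com"]
    urls = ["http://www.domain.com/site1/woohoo/*"]
    for u in ("http://www.microsoft.com/", "http://microsoft.com/",
              "http://www.domain.com/site1/woohoo/a.html",
              "http://www.domain.com/site1/readme/a.html"):
        print(u, "->", "blocked" if is_blocked(u, domains, urls) else "allowed")
```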