  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 216

Blocking file extensions for specific users

Hello all,

I have ISA Server 2004 installed on a 2003 server that is part of a domain. I am trying to block file extensions for specific users. I have an access rule set up with basic protocols for client access to the internet. I copied that rule, renamed it and placed it in front of the original rule. I then edited the HTTP filter in the new rule with the file extensions I wanted to block, then added the user groups that I wanted to block, with the understanding that if you are not in the group you would pass through to the next client access rule and have access as usual. The extension blocking works fine for the group, and those not in the group that are members of the domain do not skip a beat. The issue is that if you are not a member of the domain, you get prompted for credentials when accessing the internet. Now this wouldn't be a bad thing except that we are a school district and allow guests to have internet access through a "guest" wireless. Once connected to the guest SSID you are redirected to a web portal to sign in with a guest account. When I enable the rule with the file extension blocking, guests are being prompted for credentials when they open up Internet Explorer. The monitoring log shows authentication failure, then deny by the "blocking" rule. It doesn't pass down to the allow client access rule, even though the guest is not a member of any of the groups assigned to the blocking rule. I am using DHCP to push out WPAD to the clients for the proxy settings.

Any help or ideas are greatly appreciated.

Thanks!
Asked by TimMcGrath

Keith Alabaster (Enterprise Architect) commented:
Get up to sp3 anyway - better monitoring tool by far.

On first pass, sounds like you will need to create a network associated with the internal interface and add the IP addresses that can be assigned by the free wireless unit to it. We can then put in specific rules pertaining to the new network to external but need more info.

What EXACTLY do you see in the ISA log for the couple of lines output when the wireless user tries to gain access to the web?

Keith
TimMcGrath (Author) commented:
Keith,

thanks for the response.
I have the "internal" network associated with the internal interface that has the IP range that the wireless controller is on. Are you saying I should create another network? Also, it is not just with the wireless; any machine that is not part of the domain has the same issue. If I set up a machine that is part of a workgroup and try to access the internet, it is prompted for credentials. If I disable the rule, they can access the internet.

Also, laptops that are configured for our internal wireless (PEAP, WPA2, machine authentication, and user authentication) can access the internet. If they are in the groups configured to block file extensions, the extensions are blocked; if they are not in those groups, they still have access to the internet. When I apply the rule with the blocked extensions it seems like it wants authentication from everyone. When I disable that rule, everything is fine. If that makes sense.

All I see in the log is the ip address of the guest machine then it states web proxy client authentication, deny and the rule name.

sp3: We have routing and remote access on the ISA using OSPF. We have had an issue when adding sp3 and running OSPF. We will be changing them to static routes in the near future.
TimMcGrath (Author) commented:
Did I not give enough info??? Is there anyone with any ideas... or should I close the question and dig elsewhere?????

Any info is greatly appreciated.

thanks
Keith Alabaster (Enterprise Architect) commented:
Bit busy Tim. During the week I have to deal with my day job requirements; if I have spare time in the evenings I progress calls on EE, else they wait till the weekends. Ear bashing from the wife I can deal with. Missing deadlines from the job that pays my mortgage I cannot.

Sure, dig wherever you can but I will look at this again tomorrow. If you wish to close the question that has to be your call.

Thanks
Keith
TimMcGrath (Author) commented:
Keith,
Totally understand. I have a staff of 3 supporting over 1200 computers, 40 servers, 3500 users, 200+ networking devices... I hear ya about missing deadlines! Don't have the wife thing yet, but the girlfriend is in my ear about that! Totally understand! Any additional info you can help out with, when you have time, is greatly appreciated. I will keep trying to research what is going on. I'll leave the question open for a bit.

Thanks again for your input

Tim
Keith Alabaster (Enterprise Architect) commented:
Tim, cut and paste your firewall rules to the clipboard and then to excel - use the upload option at the bottom and I'll take a look over.
TimMcGrath (Author) commented:
Keith,

Sorry about this, but do you just want my client access rule, or all the rules? How do I copy all the rules to the clipboard? Never done this; I've just exported them to XML files.
Keith Alabaster (Enterprise Architect) commented:
Screen shots will do fine Tim. Check my profile for a safe email address to send it to if you are concerned about putting the files up for general access.
TimMcGrath (Author) commented:
Ok, still haven't figured this one out, but let me see if I can explain it better.
I am attempting to create a rule that blocks specific file extensions for specific groups. I have a general access rule that applies to all users with the protocols they need for daily outbound connections (HTTP, HTTPS, FTP, video, and some custom ports for online apps). When I create the deny rule, I created a rule with HTTP, HTTPS, configured the filter to block the extensions, and then added the user groups. I place the rule before my "internet access rule" for all users. When the deny rule is enabled, anonymous users (SecureNAT clients) cannot access the internet. When monitoring connections, they get denied at the new deny rule. (I understand this is by design... at first I thought if the rule didn't apply to a group it would pass to the next rule... I was wrong.) Is there a way to apply the deny rule to specific groups but still allow SecureNAT clients to connect??

ISA 2004 SP2
Windows 2003 server
Windows 2003 Domain
ISA server is part of the domain.
Created user group in ISA containing AD groups.

Thank you for the above comments,
any suggestions are greatly appreciated.
Keith Alabaster (Enterprise Architect) commented:
Not necessary Vic - this one slipped by my radar so delete - refund is appropriate.

Keith
Keith Alabaster (Enterprise Architect) commented:
Thanks Vic, just did so -

Tim - the thought is very much appreciated. It can be quite a thankless task here on EE sometimes, so someone taking this much effort is doubly rewarding to us, so thank you. If you decide how many points you want to put to the question then Vic or I can do this for you.

Cheers

keith

TimMcGrath (Author) commented:
Vic- thank you for re-opening the question

Keith -  thanks for the help and pointing me in the right direction.  You guys here at EE are a great help. I know all of you have other jobs, solving your own problems....and have a personal life too. So again, thank you.
Just FYI - Solution to the original question: Created a separate network segment for all guest users. Then created a "perimeter network" on the ISA with limited access to HTTP/HTTPS. Using IDM on our ProCurve switches, all guests get put into a guest VLAN in the perimeter network. Wireless users get routed into the perimeter network via our wireless controller using a guest SSID.
I then enabled "require authentication" on the internal network. Added the specific groups to block the specific file extensions. Working great! Being able to refer back to your comments and links was a great help.

I think I had 500 points originally. So that is what I am putting in.

Also, thank you for the additional info on MS Forefront. After reading the links you sent we moved forward and added some funds to our budget to start moving forward on it. After reading some other ISA security posts, we also added funds for an ASA front-end firewall (so you will probably see a post on that setup in the near future... ha-ha). So the points are well deserved since one question indirectly got me several answers from you!

Thanks again!
Tim
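As an added illustration (not from the thread and not ISA Server code), this Python model of ISA's first-match rule evaluation reproduces what Tim hit: a deny rule that names user groups makes the Web proxy demand credentials, so an anonymous SecureNAT guest is denied by that rule instead of falling through to the allow rule, while moving guests onto their own network with its own allow rule (his final solution) lets them through. The network, group and extension names are constructed for the example.

```python
from dataclasses import dataclass

ALL_USERS = frozenset({"All Users"})   # the only user set that never demands credentials

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    networks: frozenset                   # source networks the rule applies to
    users: frozenset = ALL_USERS          # any other user set forces authentication
    blocked_ext: frozenset = frozenset()  # HTTP-filter extensions on a deny rule

@dataclass(frozen=True)
class Request:
    network: str
    url: str
    groups: frozenset = frozenset()       # AD groups of the authenticated user
    authenticated: bool = False           # False => SecureNAT/anonymous client

def url_ext(url):
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def evaluate(rules, req):
    """First-match evaluation; returns (action, name of the rule that decided)."""
    for r in rules:
        if req.network not in r.networks:
            continue                        # rule scoped to another source network
        if r.users != ALL_USERS:            # rule names users: proxy asks for credentials
            if not req.authenticated:
                return "deny", f"{r.name} (authentication failure)"
            if not (r.users & req.groups):
                continue                    # authenticated, but not in this rule's user set
        if r.blocked_ext and url_ext(req.url) not in r.blocked_ext:
            continue                        # HTTP filter only matches the listed extensions
        return r.action, r.name
    return "deny", "default rule"

# Constructed policies: the original layout, then a separate guest (perimeter) network.
BLOCK = Rule("Block downloads", "deny", frozenset({"Internal"}),
             users=frozenset({"Students"}), blocked_ext=frozenset({"exe", "mp3"}))
ORIGINAL = [BLOCK, Rule("Internet access", "allow", frozenset({"Internal"}))]
FIXED = ORIGINAL + [Rule("Guest web access", "allow", frozenset({"Perimeter"}))]

GUEST_ORIG = Request("Internal", "http://example.org/index.html")     # SecureNAT guest
GUEST_FIXED = Request("Perimeter", "http://example.org/index.html")
STUDENT_EXE = Request("Internal", "http://example.org/setup.exe",
                      groups=frozenset({"Students"}), authenticated=True)
STAFF_EXE = Request("Internal", "http://example.org/setup.exe",
                    groups=frozenset({"Staff"}), authenticated=True)
```

Running `evaluate(ORIGINAL, GUEST_ORIG)` shows the guest denied by the block rule with an authentication failure, exactly the log line Tim saw, while `evaluate(FIXED, GUEST_FIXED)` is allowed by the guest rule.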
Keith Alabaster (Enterprise Architect) commented:
More than welcome - and good call on the solution you have implemented. An alternative you may want to at least take a look at (for the ASA) is the IAG2007 box.

http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

Keith
TimMcGrath (Author) commented:
Keith -
thanks again.
IAG looks like it's worth investing in. Thanks for the link and advice.
Tim
Keith Alabaster (Enterprise Architect) commented:
:)