Solved

ISA2006 - creating a URL set to use as a whitelist

Posted on 2010-09-06
Last Modified: 2013-11-16
Hi

I have been using my ISA2006 box successfully for a little while now. Now I would like to create a "white-list" to stop users getting onto any site not mentioned in the list.

I have this working in a test environment; however, I have issues adding sites to the white-list and making them work correctly. For example, I know to add Yahoo I would include in the URL set *.yahoo.co.uk/*

However, a site I need to add is https://aftersales.i.daimler.com/

So in my thinking I have added *.daimler.com/* and even *.i.daimler.com/*

Yet it still won't work, and I'm struggling for ideas.

Thanks

Mark

Question by:marky1984
10 Comments
 
LVL 7

Expert Comment

by:CGretski
ID: 33611035
ISA cannot see the URLs in an SSL session.
You cannot use a URL set - you'd be better with a domain set.
0
 
LVL 1

Author Comment

by:marky1984
ID: 33611063
Thanks for the reply, how would I add the URL mentioned above in there then?
0
 
LVL 7

Accepted Solution

by:
CGretski earned 250 total points
ID: 33611080
Your domain name set would contain
 *.daimler.com
That would allow all subdomains/servers of daimler.com
You'd need to add daimler.com also if you use that (without the www.)
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 33611470
You should not have a URL set with an * at both the front and at the end - it can have unpredictable results. In the same way you should not mix 'types' in a URL set. For example, you should not have an FQDN type URL entry and an IP address entry in the same URL set. The same also applies to domain sets.

In respect to the HTTPS, when you create a URL set, or add/delete an entry, it states clearly in the box that the entry supports HTTP only, not HTTPS.

ISA CAN deal with HTTPS but only at the moment the initial request is made - and only if the respective HTTPS site is the FIRST site requested. The best-practice route to deal with HTTPS is as mentioned above, with a domain set.

Alternatively, you can upgrade to the newest version called Forefront TMG 2010 which DOES allow inspection of HTTPS traffic.

Keith - ISA & Forefront MVP
0
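
An added example, not part of any poster's reply and not ISA's own matching code: a simplified Python model of what a forward proxy can see in a plain HTTP request versus an HTTPS CONNECT, and how the URL-set and domain-set entries from the thread behave against each. The fnmatch-style wildcard semantics, the function names and the request lines are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Entries discussed in the thread.
URL_SET = ["*.daimler.com/*", "*.i.daimler.com/*"]
DOMAIN_SET = ["*.daimler.com", "daimler.com"]


def visible_target(request_line):
    """Return (host, path) as a forward proxy sees them in the first request line.

    For CONNECT (HTTPS tunnelling) only host:port is sent in clear text, so
    path is None; the real URL travels inside the encrypted session.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return host.lower(), None
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"


def domain_set_allows(host, entries=DOMAIN_SET):
    """Host-only match: '*.example.com' covers subdomains, not the bare domain."""
    return any(fnmatchcase(host, e.lower()) for e in entries)


def url_set_allows(host, path, entries=URL_SET):
    """Host+path match; with no visible path (CONNECT) there is nothing to compare."""
    if path is None:
        return False
    return any(fnmatchcase(host + path, e.lower()) for e in entries)


def evaluate(request_line):
    host, path = visible_target(request_line)
    return {"host": host, "path": path,
            "url_set": url_set_allows(host, path),
            "domain_set": domain_set_allows(host)}


if __name__ == "__main__":
    # Constructed request lines, not taken from the poster's ISA log.
    for line in ("GET http://www.daimler.com/index.html HTTP/1.1",
                 "CONNECT aftersales.i.daimler.com:443 HTTP/1.1",
                 "CONNECT daimler.com:443 HTTP/1.1",
                 "CONNECT daimler.com.example.net:443 HTTP/1.1"):
        print(line, "->", evaluate(line))
```

The last constructed line shows why the wildcard belongs at the front of a domain entry only: a host that merely begins with the allowed name is not matched.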
 
LVL 1

Author Comment

by:marky1984
ID: 33612461
Excellent, I will have a dig at all this later and let you know how I get on.

Thanks!
0
 
LVL 1

Author Comment

by:marky1984
ID: 33616432
Well that made my life a lot simpler, THANKS!

I have another slight issue in that the Daimler site uses an embedded Java app. This won't go through my ISA at all; it asks for authentication and no matter what I put in it won't work. I have tried creating a rule for the specific site to allow all users through but still no joy. I can get it to work going via other proxies not managed by myself but this isn't ideal.

My ISA log for the query is attached
isalog.xls
0
 
LVL 2

Expert Comment

by:aimcitp
ID: 33619190
On your "allow" rule, are you allowing all content types or just HTTP?
0
 
LVL 1

Author Comment

by:marky1984
ID: 33624440
It allows all types
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33629287
Different question Mark - this one is done.
0
 
LVL 1

Author Comment

by:marky1984
ID: 33634319
No worries, thanks for the help!

Will ask another question shortly.
0
