• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1987
  • Last Modified:

ISA2006 - creating a URL set to use as a whitelist

Hi

I have been using my ISA2006 box successfully for a little while now. How I would like to now create a "white-list" to stop users getting onto any site not mentioned in the list.

I have this working in test environment, however I have issues adding sites to the white-list and making them work correctly. For example i know to add yahoo i would include in the URL-set *.yahoo.co.uk/*

However a site i need to add is https://aftersales.i.daimler.com/

So in my thinking i have added *.daimler.com/* and even *.i.daimler.com/*

Yet it still won't work, and i'm struggling for ideas

Thanks

Mark

0
marky1984
Asked:
marky1984
  • 5
  • 2
  • 2
  • +1
2 Solutions
 
CGretskiCommented:
ISA cannot see the URLs in an SSL session,
You cannot use a URL set - you'd be better with a domain set
0
 
marky1984Author Commented:
Thanks for the reply, how would i add the mentioned URL above in there then?
0
 
CGretskiCommented:
Your domain name set would contain
 *.daimler.com
That would allow all subdomains/servers of daimler.com
You'd need to add daimler.com also if you use that  (without the www. )
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
Keith AlabasterEnterprise ArchitectCommented:
You should not have a url set with an * at both the front and at the end - it can have unpredictable results. In the same way you should not mix 'types' in a url set. For example, you should not have an FQDN type url entry and an ip address entry in the same url set. The same also applies to domain sets.

In respect to the https, when you create a url set, or add/delete an entry, it states clearly in the box that the entry supports http only, not https.

ISA CAN deal with https but only at the moment the initial request is made - and only if the respective https site is the FIRST site requested. The best-practice route to deal with https is as mentioned above, with a domain set.

Alternatively, you can upgrade to the newest version called Forefront TMG 2010 which DOES allow inspection of https traffic.

Keith - ISA & Forefront MVP
0
 
marky1984Author Commented:
Excellent, I will have a dig at all this later and let you know how i get on

Thanks!
0
 
marky1984Author Commented:
Well that made my life a lot simpler, THANKS!

I have another slight issue in that the daimler site use an embedded java app. This won't go though my ISA at all, it asks for authentication and no matter what i put in it won't work. I have tried creating a rule for the specific site to allow all users through but still no joy. I can get it to work going via other proxies not managed by myself but this isn't ideal

My ISA log for the query is attached
isalog.xls
0
 
aimcitpCommented:
On your "allow" rule, are you allowing all content types or just http?
0
 
marky1984Author Commented:
It allows all types
0
 
Keith AlabasterEnterprise ArchitectCommented:
Different question Mark - this one is done.
0
 
marky1984Author Commented:
no worries, thanks for the help!

Will ask another question shortly.
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 5
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now