Solved

ISA2006 - creating a URL set to use as a whitelist

Posted on 2010-09-06
Last Modified: 2013-11-16
Hi

I have been using my ISA2006 box successfully for a little while now. Now I would like to create a "white-list" to stop users getting onto any site not mentioned in the list.

I have this working in a test environment, however I have issues adding sites to the white-list and making them work correctly. For example, I know that to add Yahoo I would include in the URL-set *.yahoo.co.uk/*

However, a site I need to add is https://aftersales.i.daimler.com/

So in my thinking I have added *.daimler.com/* and even *.i.daimler.com/*

Yet it still won't work, and I'm struggling for ideas

Thanks

Mark

Question by:marky1984
10 Comments
 
LVL 7

Expert Comment

by:CGretski
ID: 33611035
ISA cannot see the URLs in an SSL session.
You cannot use a URL set - you'd be better with a domain set.
0
 
LVL 1

Author Comment

by:marky1984
ID: 33611063
Thanks for the reply, how would I add the mentioned URL above in there then?
0
 
LVL 7

Accepted Solution

by:
CGretski earned 250 total points
ID: 33611080
Your domain name set would contain
 *.daimler.com
That would allow all subdomains/servers of daimler.com
You'd need to add daimler.com also if you use that (without the www.)
0

 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 33611470
You should not have a URL set with an * at both the front and at the end - it can have unpredictable results. In the same way you should not mix 'types' in a URL set. For example, you should not have an FQDN type URL entry and an IP address entry in the same URL set. The same also applies to domain sets.

In respect to the https, when you create a URL set, or add/delete an entry, it states clearly in the box that the entry supports http only, not https.

ISA CAN deal with https but only at the moment the initial request is made - and only if the respective https site is the FIRST site requested. The best-practice route to deal with https is as mentioned above, with a domain set.

Alternatively, you can upgrade to the newest version called Forefront TMG 2010 which DOES allow inspection of https traffic.

Keith - ISA & Forefront MVP
0
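
Added example, not part of the original thread and not ISA Server's own logic: a simplified Python model of why the URL-set entries never matched the HTTPS site while a domain set does, and why daimler.com needs its own entry next to *.daimler.com. The function names and request lines are constructed for illustration, and fnmatch globbing is an assumed stand-in for ISA's URL-set matching.

```python
# Simplified model of the behaviour described in the answers above.
# Not ISA Server code; fnmatch globbing stands in for URL-set matching.
from fnmatch import fnmatchcase


def visible_to_proxy(request_line):
    """Return (host, path) readable by the proxy; path is None for CONNECT."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # HTTPS through a proxy: only host:port is sent in clear text,
        # the URL path travels inside the encrypted tunnel.
        return target.rsplit(":", 1)[0].lower(), None
    # Plain HTTP through a proxy: the request line carries the absolute URL.
    host, _, path = target.split("://", 1)[1].partition("/")
    return host.lower(), "/" + path


def url_set_allows(host, path, url_set):
    """URL-set entries contain a path, so they need the full URL to match."""
    if path is None:
        return False
    return any(fnmatchcase(host + path, entry) for entry in url_set)


def domain_set_allows(host, domain_set):
    """'*.example.com' covers subdomains only; the bare domain is separate."""
    for entry in (e.lower() for e in domain_set):
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def decide(request_line, url_set=(), domain_set=()):
    host, path = visible_to_proxy(request_line)
    return url_set_allows(host, path, url_set) or domain_set_allows(host, domain_set)


if __name__ == "__main__":
    # Constructed request lines for illustration.
    https_req = "CONNECT aftersales.i.daimler.com:443 HTTP/1.1"
    print(decide(https_req, url_set=["*.daimler.com/*", "*.i.daimler.com/*"]))  # False
    print(decide(https_req, domain_set=["*.daimler.com"]))                      # True
    print(decide("CONNECT daimler.com:443 HTTP/1.1", domain_set=["*.daimler.com"]))  # False
```
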
 
LVL 1

Author Comment

by:marky1984
ID: 33612461
Excellent, I will have a dig at all this later and let you know how I get on

Thanks!
0
 
LVL 1

Author Comment

by:marky1984
ID: 33616432
Well that made my life a lot simpler, THANKS!

I have another slight issue in that the Daimler site uses an embedded Java app. This won't go through my ISA at all, it asks for authentication and no matter what I put in it won't work. I have tried creating a rule for the specific site to allow all users through but still no joy. I can get it to work going via other proxies not managed by myself but this isn't ideal

My ISA log for the query is attached
isalog.xls
0
 
LVL 2

Expert Comment

by:aimcitp
ID: 33619190
On your "allow" rule, are you allowing all content types or just http?
0
 
LVL 1

Author Comment

by:marky1984
ID: 33624440
It allows all types
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33629287
Different question Mark - this one is done.
0
 
LVL 1

Author Comment

by:marky1984
ID: 33634319
No worries, thanks for the help!

Will ask another question shortly.
0


Question has a verified solution.
