Registered users    
MembershipMembership:
Latest New UserLatest:Tim Whiteside
New TodayNew Today:18
New YesterdayNew Yesterday:7
User CountOverall:23106
Private messaging    
You must be logged in to use this module.
Top 10 posters    
NamePosts
Mariette Knap12634
Marina Roos12290
Eriq Neale2105
Michael Patrick1906
Stan Guinn1847
Robert Pearman1728
Nick Pieters1425
Stewart Brown609
Kevin D.563
william warren548
Welcome unauthorized visitor    
If you want to join us in the discussions on this forum you need to register first. Registration is free! If you are already a registered user please login to join the forum.
Small Business Server Support Forum    
Forums > Microsoft Smallbusiness Server > ISA Server 2004
Subject: Issue with Domain Name sets
Prev Next
You are not authorized to post a reply.

Author Messages
Andy Sims User is Offline
United Kingdom
Member since
4/7/2005

Platinum Membership
Posts: 218
5/28/2008 12:22 PM  
I have two access rules to enable certain applications to access certain domains to access datastreams.  These rules are configured to allow access for all users to specific domains defined in domain name sets.  Only http protocol is allowed.  I am testing an IronKey(TM) for potential rollout as a corporate standard.  This device is a USBKey with hardware encryption and inbuilt Firefox browser to allow secure (and private/anonymous) web browsing.   In my tests, have noted in the ISA logs that there are connections allowed by both my Domain Name Set based rules to several IP addresses which the firefox browser uses while setting up the secure channels.  These connections are logged with no url so I presume the host header is set to an IP address.  According to http://www.isaserver.org/articles/isa2004_accessrules.html the rule should fail as the http protocol is matched to the domain set using host header fields and, in these cases, the reverse lookup certainly does not resolve to the domain name set (as tested via nslookup on a client).
 
Any ideas as to why the rule allows the connection?
 
Thanks
Andy
 
EDIT: just checked that the problem also applies when a Domain Name Set is replaced by a URL set
robert pearman User is Offline
United Kingdom
Member since
2/23/2007

Platinum Membership
Posts: 1728
5/28/2008 05:18 PM  
can you see which rule is allowing the traffic?

isa will process the rules in order.

a rule that denys the traffic will block it.

a rule that doesnt apply, will be ignored.

a rule that allows the traffic is found and the traffic is allowed.

the situation you are describing suggests that there is a rule further down the list that allows this traffic.
Andy Sims User is Offline
United Kingdom
Member since
4/7/2005

Platinum Membership
Posts: 218
5/28/2008 05:28 PM  
ISA monitor shows the rule that allows the connection. I have two of these rules using DNS(URL) sets positioned one above the other and both above the SBS Internet access rule. If both are enabled, the uppermost rule allows the connection, if this is disabled the other allows it.
robert pearman User is Offline
United Kingdom
Member since
2/23/2007

Platinum Membership
Posts: 1728
5/28/2008 05:30 PM  
just to confirm then,

one of your domain name set rules allows the traffic, if this is disabled then the next rule, which is also a domain name set rule, allows the traffic.

can you post up the confguration of the rule, and the traffic that is being allowed that shouldnt be.
Andy Sims User is Offline
United Kingdom
Member since
4/7/2005

Platinum Membership
Posts: 218
5/28/2008 06:05 PM  
Yes you have the situation correct. Example rule:
Action: Allow
Protocols: http
From: All protected networks
To: manifold URL set (or manifold DNS set) = http://www.manifold.net/* (or *.manifold.net) (as an aside, Manifold is well worth a look if you are into GIS!)
Users: All users
Schedule: Always
Content types: all

Example traffic allowed from ISA FWlog.
Server 2008-05-28 08:00:05 TCP 10.0.0.11:1290 72.55.140.19:80 10.0.0.11 Internal External Establish 0x0 Manifold Sites HTTP 0 0 0 0 - - username TOR.EXE:3:5.1 89223 498967

Tor.exe is used by Firefox to create a secure, anonymous connection.

Thanks
robert pearman User is Offline
United Kingdom
Member since
2/23/2007

Platinum Membership
Posts: 1728
5/28/2008 07:11 PM  
is normal web browsing picked up by this rule also?
Andy Sims User is Offline
United Kingdom
Member since
4/7/2005

Platinum Membership
Posts: 218
5/29/2008 09:11 AM  
No, all is handled by SBS Internet Access Rule.
I disabled both new rules and tried again. In this case, the connection to the IP address is allowed by the standard SBS Microsoft Update Sites Access rule (which is also a DNS set based rule), so this issue is not specific to the rules I have created.
You are not authorized to post a reply.
Forums > Microsoft Smallbusiness Server > ISA Server 2004 > Issue with Domain Name sets


ActiveForums 3.7
Forum policy    
These Discussion Forums are dedicated to the discussion of the Small Business Server and related server and client software. For the benefit of the community please observe the following posting guidelines:
  1. No Advertising. This includes promotion of commercial products and non-commercial products which are not directly related to Small Business Server and related server and client software.
  2. No Flaming or Trolling.
  3. No Profanity, Racism, or Prejudice.
  4. Site Moderators have the final word on approving/removing a thread or post or comment.
Copyright 2002-2008 Concentrix b.v.    :   Page generated in 0.2812536 seconds.   :   Terms Of Use   :   Privacy Statement