Re: Unable to block domains using domain name set
- From: "Alex Chunikhin" <alexc@xxxxxxxxxxxx>
- Date: Sat, 6 May 2006 10:05:07 -0500
I was thinking about reverse lookup.
I've chosen a couple of domains and performed nslookup domainname.com and then
nslookup by IP address - both queries returned correct data.
All nslookup requests were sent from ISA itself; in fact the new ISA is pointing to
the same DNS server.
I think that to filter by domain, all HTTP requests from SNAT clients should
be proxied; that's why I have the "WEB PROXY" filter checked (applied) to the HTTP
protocol in protocol properties.
But I have a feeling that they are not being proxied - if I uncheck the WEB
PROXY filter from HTTP properties, nothing will change.
"A. Klimkin" <nothanks at microsoft.com> wrote in message
news:%2368qLXNcGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Phillip is right when he says that a SNAT client resolves the FQDN to an IP address
*before* the request even reaches an ISA server.
Though I haven't seen explicit references to any docs that could confirm
my idea, I suspect that to process SNAT client requests according to a
firewall policy containing domain name sets, ISA server performs a reverse
DNS lookup against the particular IP address. That is the only way ISA
server can find out if the particular SNAT request is subject to the
restrictions from domain name sets.
In your case, I believe the main issue was improper DNS settings on your
previous ISA installation. That is the reason why ISA was unable to
properly handle SNAT client requests.
Regards,
Andrew
"Alex Chunikhin" <alexc@xxxxxxxxxxxx> wrote in message
news:dfW6g.15258$_e3.2742@xxxxxxxxxxxxxxxxxxxxxxxx
Having hard time finding this on microsoft, but this is another article:
http://www.isaserver.org/articles/2004domainnamesets.html
There are a number of ways this can be accomplished using ISA 2004
firewalls. In this article, we'll focus on how to use the ISA 2004
firewall's Domain Name Sets feature to control access to Internet
servers. Domain Name Sets can be used by all ISA client types, including
SecureNAT, Web Proxy and Firewall clients. However, if you want to
control access by user or group, you need to configure the clients as Web
Proxy or Firewall clients (or both).
I just installed a second ISA server in my network and it works there.
I can't figure out what's wrong with the first one.
"Phillip Windell" <@.> wrote in message
news:er4dSjGcGHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
"AlexC" <alexc@xxxxxxxxxxxx> wrote in message
news:QSu6g.43936$g%5.25907@xxxxxxxxxxxxxxxxxxxxxxxx
According to Microsoft this should work for both Firewall clients and
SecureNAT clients.
In my case it works only for Firewall clients.
Where did you read that? I thought it would work only for Web Proxy and
Firewall Clients, but not SecureNAT.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
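As an added illustration of the two paths discussed in this thread (not code from the thread or from ISA Server): a Web Proxy client hands the firewall a host name that can be matched against the domain name set directly, while for a SecureNAT client only the destination IP is visible, so the set can only be applied after a reverse lookup, as Andrew suspects. It also carries out Alex's forward-then-reverse nslookup check. All DNS data is constructed; the `*.` wildcard syntax and the behaviour when no PTR record exists are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed domain name set; the "*." wildcard form is an assumption about the set syntax.
BLOCKED_SET: List[str] = ["blocked.example", "*.blocked.example"]

# Constructed DNS data: forward (A) and reverse (PTR) records for a small lab.
FORWARD: Dict[str, str] = {
    "www.blocked.example": "192.0.2.10",
    "blocked.example": "192.0.2.20",      # hosted on a shared IP
    "other.example": "192.0.2.20",        # shares that same IP
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "www.blocked.example",
    "192.0.2.20": "shared-host.example",  # PTR names the hoster, not the site
    # 192.0.2.30 deliberately has no PTR record
}

def name_matches(name: str, patterns: List[str]) -> bool:
    """Match a host name against the set: exact names and '*.domain' suffixes."""
    name = name.rstrip(".").lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if name == pat[2:] or name.endswith(pat[1:]):
                return True
        elif name == pat:
            return True
    return False

def web_proxy_decision(host: str, patterns: List[str]) -> str:
    """Web Proxy client: the request carries the host name, so match it directly."""
    return "deny" if name_matches(host, patterns) else "allow"

def securenat_decision(dst_ip: str, patterns: List[str],
                       reverse: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """SecureNAT client: only the destination IP is seen, so reverse-resolve it first
    (Andrew's hypothesis). No PTR record means nothing to match, so the rule cannot fire."""
    ptr = reverse(dst_ip)
    if ptr is None:
        return "allow", None
    return ("deny" if name_matches(ptr, patterns) else "allow"), ptr

def forward_reverse_consistent(domain: str, forward: Callable[[str], Optional[str]],
                               reverse: Callable[[str], Optional[str]]) -> bool:
    """Alex's nslookup check: does name -> IP -> name land back on the same name?"""
    ip = forward(domain)
    return ip is not None and reverse(ip) == domain
```

The shared-IP case shows the limit of the reverse-lookup path: the PTR names the hosting server, so a SecureNAT request to that IP is not matched even though the forward lookup of the blocked name points there.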