Also, I just checked, and the rule to allow 21/80/443 traffic is configured to 
apply to Authenticated Users rather than All Users.



-----Original Message-----
From: John Hornbuckle [mailto:[email protected]] 
Sent: Thursday, May 14, 2009 2:45 PM
To: NT System Admin Issues
Subject: RE: ISA Question

Yes, my explicit blocks seem to work okay.

But the weird thing is, sometimes ISA seems to correctly block traffic other 
than 21/80/443, because I've had to create special rules for a couple of funky 
apps that run on other ports. It's crazy.


-----Original Message-----
From: Jason Morris [mailto:[email protected]] 
Sent: Thursday, May 14, 2009 12:11 PM
To: NT System Admin Issues
Subject: RE: ISA Question

The only way I've ever been able to get the firewall rules to actually
mean something is to require authentication. Unless it was an explicit
deny to a set of URLs. That worked fine with All Users set in the Users
tab. For instance I used to manage a blacklist on the server that would
disallow access to a bunch of sites. I don't do that anymore; I use a
SaaS filter called ZScaler to help me do it, and I chain my proxy server
to theirs for access.

Good luck.
Jason


-----Original Message-----
From: John Hornbuckle [mailto:[email protected]] 
Sent: Thursday, May 14, 2009 10:42 AM
To: NT System Admin Issues
Subject: ISA Question

I'm not an ISA expert by a long shot, but I managed to get ISA 2006
working here and we've been running it for some time.

I just discovered, though, that something may not be right. We caught
some kids using a proxy server to bypass the State of Florida's content
filter. The content filter blocks proxy sites, but only if they run on
port 80. These kids were using sites on alternate ports.

However, this shouldn't be possible because our local ISA server
shouldn't be allowing traffic on those ports. I just ran a test while
running a live log query, and sure enough I was able to access
http://air-proxy.com:82/?p=submit. The log said that this traffic was
allowed under a rule I have called "Allow outbound Web and FTP traffic."

I double-checked that rule, though, and it's definitely configured to
only allow FTP, HTTP, and HTTPS traffic over ports 21, 80, and 443,
respectively.

What could I be missing here?



John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347

www.taylor.k12.fl.us




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
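
An added example, not part of the original thread and not ISA's own tooling: one way to audit an exported proxy log for requests that a rule allowed on ports it is not meant to cover, as in the port 82 test described above. The tab-separated field layout, the sample records and the "anonymous" user marker are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

RULE = "Allow outbound Web and FTP traffic"   # rule name quoted in the thread
EXPECTED_PORTS = {RULE: {21, 80, 443}}        # ports the rule is meant to allow
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}

# Constructed sample records (not real log data). Assumed layout per line:
# client IP, user name, URL, matching rule, action (tab-separated).
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("10.0.0.21", "anonymous", "http://air-proxy.com:82/?p=submit", RULE, "Allowed"),
    ("10.0.0.21", "anonymous", "http://air-proxy.com:82/", RULE, "Allowed"),
    ("10.0.0.21", "anonymous", "http://proxy.example.test:8080/", RULE, "Allowed"),
    ("10.0.0.34", "DOMAIN\\student1", "http://www.example.test/", RULE, "Allowed"),
    ("10.0.0.34", "DOMAIN\\student1", "https://mail.example.test/inbox", RULE, "Allowed"),
    ("10.0.0.34", "DOMAIN\\student1", "ftp://ftp.example.test/pub", RULE, "Allowed"),
    ("10.0.0.50", "anonymous", "http://other.example.test:82/", "Default rule", "Denied"),
])

def effective_port(url):
    """Return the port a URL targets: the explicit one, else the scheme default."""
    parts = urlsplit(url)
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    return port or DEFAULT_PORTS.get(parts.scheme)

def audit(log_text, expected=EXPECTED_PORTS):
    """Count allowed requests whose port is outside the rule's intended set.

    Keys are (rule, port, is_anonymous). An unparseable port is reported as
    None so that it is reviewed rather than silently skipped.
    """
    findings = Counter()
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue                 # ignore malformed lines
        _client, user, url, rule, action = fields
        if action != "Allowed" or rule not in expected:
            continue
        port = effective_port(url)
        if port not in expected[rule]:
            findings[(rule, port, user.lower() == "anonymous")] += 1
    return findings

if __name__ == "__main__":
    for (rule, port, anon), n in sorted(audit(SAMPLE_LOG).items(), key=str):
        print(f"{n:3d}  port={port}  anonymous={anon}  rule={rule!r}")
```

The anonymous flag is tracked because the thread notes the rule is scoped to Authenticated Users, so allowed requests without a user name under that rule are worth a second look.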

