That's absolutely correct.

Sean Rector, MCSE


-----Original Message-----
From: Mayo, Bill [mailto:[email protected]] 
Sent: Thursday, May 14, 2009 3:02 PM
To: NT System Admin Issues
Subject: RE: ISA Question

I think you are asking essentially the same question I asked on the ISA
list a bit ago, to which Jim Harrison responded (copied and pasted from
Jim):

<quote>
You're laboring under the misperception that "http = port 80".
"HTTP" doesn't have a port - it's an application protocol that can
traverse any port (mostly).
The commonly-accepted port for HTTP is 80, just like the
commonly-accepted port for SSL is 443, but there's nothing that says
they have to stay there.
It's a basic feature of any CERN proxy that the client can ask for any
destination port it wants.
IO:
(normal)
Client --> ISA: GET http://host.domain.tld/abs_path?querystring HTTP/1.x

(yours)
Client --> ISA: GET http://host.domain.tld:4000/abs_path?querystring
HTTP/1.x

Jim
</quote>

My understanding of what Jim said was that it doesn't matter what ports
you have defined for the HTTP protocol, if the client makes a proper
request for HTTP over a non-standard port, ISA will allow it.
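To make Jim's point concrete, here is an added example (not from the thread, not ISA code) that parses the proxy request lines he shows, pulls the destination port out of the absolute URI the client sent, and compares it with the 21/80/443 set the rule in question is meant to permit. The request strings, the allowed-port set and the function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Ports the thread's "Allow outbound Web and FTP traffic" rule is meant to
# permit (FTP, HTTP, HTTPS); constructed for this example.
ALLOWED_PORTS = {21, 80, 443}
# Port implied when the absolute URI carries no explicit ":port".
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_proxy_request_line(line):
    """Parse a CERN-style proxy request line ("METHOD absolute-URI HTTP/x.y")
    into (method, scheme, host, port). The destination port is whatever the
    client wrote into the URI, not the TCP port it used to reach the proxy."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % line)
    method, target, _version = parts
    if method == "CONNECT":
        # authority-form "host:port"; urlsplit needs a leading "//" to see it
        url = urlsplit("//" + target)
        if not url.hostname or url.port is None:
            raise ValueError("bad CONNECT target: %r" % target)
        return method, "connect", url.hostname, url.port
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        raise ValueError("not an absolute-URI request: %r" % target)
    port = url.port if url.port is not None else DEFAULT_PORTS[url.scheme]
    return method, url.scheme, url.hostname, port


def decide(line, allowed_ports=ALLOWED_PORTS):
    """'allow' only if the URI's destination port is permitted; anything
    unparsable is denied rather than passed through."""
    try:
        port = parse_proxy_request_line(line)[3]
    except ValueError:
        return "deny"
    return "allow" if port in allowed_ports else "deny"


# Constructed request lines: Jim's two forms plus the URL from the question.
SAMPLE_REQUESTS = [
    "GET http://host.domain.tld/abs_path?querystring HTTP/1.1",
    "GET http://host.domain.tld:4000/abs_path?querystring HTTP/1.1",
    "GET http://air-proxy.com:82/?p=submit HTTP/1.1",
    "CONNECT host.domain.tld:443 HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decide(req), "<-", req)
```

Run as a script it prints allow, deny, deny, allow for the four sample lines; the second and third are denied purely because of the port inside the URI, even though all four reach the proxy over the same listener port.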

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]] 
Sent: Thursday, May 14, 2009 2:45 PM
To: NT System Admin Issues
Subject: RE: ISA Question

Yes, my explicit blocks seem to work okay.

But the weird thing is, sometimes ISA seems to correctly block traffic
other than 21/80/443, because I've had to create special rules for a
couple of funky apps that run on other ports. It's crazy.


-----Original Message-----
From: Jason Morris [mailto:[email protected]]
Sent: Thursday, May 14, 2009 12:11 PM
To: NT System Admin Issues
Subject: RE: ISA Question

The only way I've ever been able to get the firewall rules to actually
mean something is to require authentication. Unless it was an explicit
deny to a set of URLs. That worked fine with All Users set in the Users
tab. For instance I used to manage a blacklist on the server that would
disallow access to a bunch of sites. I don't do that anymore, I use a
SaaS filter called ZScaler to help me do it, and I chain my proxy server
to theirs for access.

Good luck.
Jason


-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Thursday, May 14, 2009 10:42 AM
To: NT System Admin Issues
Subject: ISA Question

I'm not an ISA expert by a long shot, but I managed to get ISA 2006
working here and we've been running it for some time.

I just discovered, though, that something may not be right. We caught
some kids using a proxy server to bypass the State of Florida's content
filter. The content filter blocks proxy sites, but only if they run on
port 80. These kids were using sites on alternate ports.

However, this shouldn't be possible because our local ISA server
shouldn't be allowing traffic on those ports. I just ran a test while
running a live log query, and sure enough I was able to access
http://air-proxy.com:82/?p=submit. The log said that this traffic was
allowed under a rule I have called "Allow outbound Web and FTP traffic."

I double-checked that rule, though, and it's definitely configured to
only allow FTP, HTTP, and HTTPS traffic over ports 21, 80, and 443,
respectively.

What could I be missing here?



John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347

www.taylor.k12.fl.us




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
