Well, poop. Thanks for the insight, Bill.
John

-----Original Message-----
From: Mayo, Bill [mailto:[email protected]]
Sent: Thursday, May 14, 2009 4:52 PM
To: NT System Admin Issues
Subject: RE: ISA Question

I asked essentially the same question as a follow-up. What Jim said is that the port is relevant if it is a firewall or SecureNAT client, but the HTTP proxy works on a protocol level (my interpretation/understanding). I will again quote him:

<quote>
Adding explicit ports only affects SecureNET and FWC requests. FWC/SNET clients attempt direct connections to the destination IP on that destination port. When this occurs, ISA will apply port-based policies.

Web proxy clients connect to the ISA proxy listener and issue the requests as shown below. Since the "port-based rules" are satisfied by the client connection to ISA, the request is evaluated on the basis of the URL itself.

The same question might be asked of any protocol; especially since many people frequently need to use non-standard ports in order to violate their ISP acceptable use policy.

Jim
</quote>

Believe me, John, I am with you. I was shocked to find that HTTP traffic was able to get out on ports not defined in the protocol definition, especially considering such things had caused me problems in the past.

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Thursday, May 14, 2009 3:05 PM
To: NT System Admin Issues
Subject: RE: ISA Question

HTTP can, of course, run over any port, just as any other protocol can. But when you look at the protocol's properties in ISA, there's a Parameters tab where a port range is defined--and it's defined as port 80. So, what's the purpose of that tab if the port number specified there is ignored?
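To make Jim's point concrete, here is an added example (not from the thread and not ISA code): it reads the destination port out of a CERN-style proxy request line, which is the only place a web-proxy listener can see it since every client connects to the listener on the same TCP port, and checks it against the 21/80/443 policy John describes. It also handles the CONNECT form a proxy sees for HTTPS, which the thread does not mention; the policy table, the `Decision` type and the sample request lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed policy mirroring the rule in the thread: FTP on 21, HTTP on 80, HTTPS on 443.
ALLOWED_PORTS = {"ftp": {21}, "http": {80}, "https": {443}}
DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}

# CERN-style request line as the proxy listener receives it: METHOD target HTTP/1.x
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    scheme: str
    host: str
    port: int
    reason: str


def parse_target(method: str, target: str) -> tuple[str, str, int]:
    """Return (scheme, host, port): the destination lives in the URI, not the socket."""
    if method == "CONNECT":
        # CONNECT host:port is the tunnel form a proxy sees for HTTPS (no scheme).
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed CONNECT target {target!r}")
        return "https", host, int(port)
    parts = urlsplit(target)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or relative target {target!r}")
    # urlsplit raises ValueError itself for a non-numeric or out-of-range port.
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def evaluate(request_line: str) -> Decision:
    """Apply the port policy to the request URL, not the client connection, and say why."""
    match = REQUEST_LINE.match(request_line.strip())
    if not match:
        return Decision(False, "", "", 0, "unparseable request line")
    try:
        scheme, host, port = parse_target(match["method"], match["target"])
    except ValueError as exc:
        return Decision(False, "", "", 0, str(exc))
    if port in ALLOWED_PORTS[scheme]:
        return Decision(True, scheme, host, port, "port matches protocol definition")
    return Decision(False, scheme, host, port,
                    f"{scheme} to port {port} is outside {sorted(ALLOWED_PORTS[scheme])}")
```

Fed the two request lines from Jim's quote, the first is allowed and the second (port 4000) is denied with the port named in the reason, which is the check a URL-level rule has to make.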
-----Original Message-----
From: Mayo, Bill [mailto:[email protected]]
Sent: Thursday, May 14, 2009 3:02 PM
To: NT System Admin Issues
Subject: RE: ISA Question

I think you are asking essentially the same question I asked on the ISA list a bit ago, to which Jim Harrison responded (copied and pasted from Jim):

<quote>
You're laboring under the misperception that "http = port 80". "HTTP" doesn't have a port - it's an application protocol that can traverse any port (mostly). The commonly-accepted port for HTTP is 80, just like the commonly-accepted port for SSL is 443, but there's nothing that says they have to stay there. It's a basic feature of any CERN proxy that the client can ask for any destination port it wants.

IO:
(normal) Client --> ISA: GET http://host.domain.tld/abs_path?querystring HTTP/1.x
(yours)  Client --> ISA: GET http://host.domain.tld:4000/abs_path?querystring HTTP/1.x

Jim
</quote>

My understanding of what Jim said was that it doesn't matter what ports you have defined for the HTTP protocol, if the client makes a proper request for HTTP over a non-standard port, ISA will allow it.

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Thursday, May 14, 2009 2:45 PM
To: NT System Admin Issues
Subject: RE: ISA Question

Yes, my explicit blocks seem to work okay. But the weird thing is, sometimes ISA seems to correctly block traffic other than 21/80/443, because I've had to create special rules for a couple of funky apps that run on other ports. It's crazy.

-----Original Message-----
From: Jason Morris [mailto:[email protected]]
Sent: Thursday, May 14, 2009 12:11 PM
To: NT System Admin Issues
Subject: RE: ISA Question

The only way I've ever been able to get the firewall rules to actually mean something is to require authentication. Unless it was an explicit deny to a set of URLs. That worked fine with All Users set in the Users tab.
For instance I used to manage a blacklist on the server that would disallow access to a bunch of sites. I don't do that anymore, I use a SaaS filter called ZScaler to help me do it, and I chain my proxy server to theirs for access.

Good luck.

Jason

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Thursday, May 14, 2009 10:42 AM
To: NT System Admin Issues
Subject: ISA Question

I'm not an ISA expert by a long shot, but I managed to get ISA 2006 working here and we've been running it for some time. I just discovered, though, that something may not be right.

We caught some kids using a proxy server to bypass the State of Florida's content filter. The content filter blocks proxy sites, but only if they run on port 80. These kids were using sites on alternate ports. However, this shouldn't be possible because our local ISA server shouldn't be allowing traffic on those ports.

I just ran a test while running a live log query, and sure enough I was able to access http://air-proxy.com:82/?p=submit. The log said that this traffic was allowed under a rule I have called "Allow outbound Web and FTP traffic." I double-checked that rule, though, and it's definitely configured to only allow FTP, HTTP, and HTTPS traffic over ports 21, 80, and 443, respectively.

What could I be missing here?

John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347
www.taylor.k12.fl.us

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
