Prevent all websites except my corporate website in TMG

    Question

  • Hi

    I want to block all websites except our company website. Actually, I made a URL Set which includes my company website, and after that I set a Firewall Policy rule: Deny IP to External except the URL Set, but it does not work. Sometimes this IP has access to all external sites and sometimes it does not have access to External at all. In this situation my exception does not work!

    Regards

    Vahid Aghakhani

    Wednesday, January 23, 2013 7:42 AM

All replies

  • Hi,

    If you only want to allow access to your corporate website, you must delete all Firewall Policy rules which explicitly allow or deny access to external websites!
    After that, create a Firewall Policy rule with a URL set which allows access only to your corporate website!


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    Wednesday, January 23, 2013 8:08 AM
  • Hi,

    Actually, I want to set this rule just for some IPs, not all of them.

    That picture is my TMG, which shows what firewall policy I have.

    Regards

    Vahid Aghakhani

    Wednesday, January 23, 2013 10:17 AM
  • Hi,

    Rule no. 5 allows all access to the LOCAL HOST! Why? You should limit access to the TMG Server to only specific Admin clients and the required protocols.

    All clients in rule no. 6 are allowed to access every website on the Internet.

    If you only want to deny specific clients access to all websites except the corporate website, you must create a Firewall Policy rule which only allows access to the corporate website.

    Rule no. 9 allows access to all websites for all users, so you must delete this rule or change it.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    • Marked as answer by LenovoW510 Wednesday, January 23, 2013 5:02 PM
    • Unmarked as answer by LenovoW510 Thursday, January 24, 2013 10:16 AM
    Wednesday, January 23, 2013 10:48 AM
  • Hi Marc,

    I did your solution but it still does not work!

    I am uploading a picture of the new rules in my ISA.

    So, I want to explain my rules to you step by step:

    No. 1: This rule is for me (administrator) to connect to the ISA server from external.

    No. 2: These are the clients which are connected to the internet and have full access to the internet without any deny permission.

    No. 3: These are the clients that I want to give access to my company website, which is www.gozine2.ir.

    No. 4: This is for the Administrator; it gives the administrator access to remote to the ISA server from the internal network.

    I changed my rules, but still now, as a prototype, IP 10.1.1.111 does not have access to www.gozine2.ir, which is our company URL.

    Please help me to solve this problem. It is driving me nuts!


    Regards, Vahid Aghakhani V.Aghakhani@live.com

    Thursday, January 24, 2013 10:25 AM
  • Hi,

    Thank you for the post.

    “I changed my rules, but still now, as a prototype, IP 10.1.1.111 does not have access to www.gozine2.ir, which is our company URL” – what does live logging tell you when the client IP 10.1.1.111 accesses the company website? Have you tried another client IP, like 10.1.1.112; does it work?

    Regards,


    Nick Gu - MSFT

    Monday, January 28, 2013 7:35 AM
    Moderator
  • Hi Nick,

    Yes, I did that but it still does not work! Now, I set the DNS of my ISP on the URL Set; now IP 10.1.1.111 can have access to our company website with its IP, but this IP cannot have access to our company website with www.gozine2.ir!

    Our website company IP is 94.232.174.142.

    In this situation I trace our website with IP 10.1.1.111, but it shows the request to me, and when I use nslookup for our website it does not reverse to me except our ISP's DNS. Indeed, I uploaded a picture of my TMG rules so you can see what I did on my TMG.

    Regards

    Vahid Aghakhani


    Monday, January 28, 2013 8:45 AM
  • Hi,

    Thank you for the update.

    “I set the DNS of my ISP on the URL Set; now IP 10.1.1.111 can have access to our company website with its IP” – what do you mean by “set the DNS of my ISP on URL Set”? How do you configure the DNS settings on the TMG server and the client machines? Generally, the internal clients should point to an internal DNS server on their network adapter, and you should create a DNS access rule on the TMG server as per this guide: http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

    Regards,


    Nick Gu - MSFT

    Monday, January 28, 2013 8:57 AM
    Moderator
    Hi again, thank you for your reply. Nick, I do not have a DNS server in my network; I use my ISP's DNS server for all clients in my network. So, in this situation, should I do the job described in the guide? Actually, I have a TMG server which is my gateway, and it forwards valid IPs to invalid IPs (46.xxx.xxx.xxx to 10.1.1.x) with RRAS. Clients use the DNS which is provided by my ISP, set on their network connection. As a prototype:

    IP: 10.1.1.111
    Subnet: 255.0.0.0
    Gateway: 10.1.1.1 (TMG Server)
    DNS1: 77.104.106.2 (this is my ISP's)
    DNS2: 77.104.106.3 (this is my ISP's)

    Regards, Vahid Aghakhani V.Aghakhani@live.com

    Monday, January 28, 2013 10:38 AM
  • Hi,

    Thank you for the post.

    Since you have an access rule that requires authentication, and a SecureNAT client does not support user-based authentication, the traffic was blocked by the TMG server. Regarding DNS configuration, I recommend you read this article: http://technet.microsoft.com/en-us/library/cc995245.aspx

    Regards,


    Nick Gu - MSFT

    Wednesday, January 30, 2013 5:51 AM
    Moderator
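The two failure modes raised in this thread (Marc's point that an earlier, broader rule decides before the exception is ever reached, and Nick's point that a SecureNAT client cannot satisfy a rule requiring authentication) come down to how TMG walks its policy: top to bottom, first match wins, anything unmatched hits the default deny. The toy model below is an added illustration written for this thread; it is not Forefront TMG code and not its COM API. The addresses and host names are the ones quoted in the posts; the rule names and the unrestricted client 10.1.1.200 are hypothetical. It also shows why a client that resolves names through the ISP's DNS servers needs a rule allowing DNS to those servers, and why a URL set listing only the host name does not match a request made by IP literal.

```python
"""Toy first-match model of how a TMG access policy decides a request.

Added illustration for this thread, NOT Forefront TMG code and NOT its COM API.
It reproduces only the behaviour the replies describe:
  - rules are checked top to bottom and the first matching rule decides;
  - a request that matches no rule is denied (the default rule);
  - a rule that requires authentication cannot be satisfied by a SecureNAT
    client, which has no user identity, so the request is denied;
  - a URL set matches the host the client asked for, so a request by IP
    literal does not match an entry that only lists the host name;
  - a client that resolves names via an external (ISP) DNS server needs a
    rule allowing DNS from its IP to that server.
Addresses and host names are those quoted in the thread; the rule names and
the "full access" client 10.1.1.200 are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    src: str                      # client IP
    protocol: str                 # "HTTP", "HTTPS", "DNS", ...
    host: str                     # host name or IP literal the client asked for
    user: Optional[str] = None    # None = SecureNAT client (no authentication)


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    protocols: Optional[Set[str]]  # None = all outbound traffic
    sources: List[str]            # CIDR strings (computer set / network)
    hosts: Optional[Set[str]]     # None = External (any host); else a URL set
    requires_auth: bool = False   # rule applies to authenticated users only

    def matches(self, req: Request) -> bool:
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        src = ip_address(req.src)
        if not any(src in ip_network(net) for net in self.sources):
            return False
        if self.hosts is not None and req.host.lower() not in self.hosts:
            return False
        return True


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (decision, reason) from the first matching rule, else default deny."""
    for rule in policy:
        if not rule.matches(req):
            continue
        if rule.requires_auth and req.user is None:
            return ("deny", rule.name + ": authentication required, SecureNAT client has no user")
        return (rule.action, rule.name)
    return ("deny", "default rule")


CORP_SITE = {"www.gozine2.ir"}                       # URL set as first created in the thread
CORP_SITE_WITH_IP = CORP_SITE | {"94.232.174.142"}   # after the site's IP was added as well
ISP_DNS = {"77.104.106.2", "77.104.106.3"}
RESTRICTED = ["10.1.1.111/32"]
FULL_ACCESS = ["10.1.1.200/32"]                      # hypothetical unrestricted client

# Policy as described after Marc's advice: corporate-site rule only, no DNS rule.
BROKEN_POLICY = [
    Rule("2 full-access clients -> External", "allow", None, FULL_ACCESS, None),
    Rule("3 restricted -> corporate site", "allow", {"HTTP", "HTTPS"}, RESTRICTED, CORP_SITE),
]

# Same policy with DNS to the ISP resolvers allowed for the internal subnet.
FIXED_POLICY = [
    Rule("0 internal -> ISP DNS", "allow", {"DNS"}, ["10.1.1.0/24"], ISP_DNS),
    *BROKEN_POLICY,
]

# Variant Nick describes: the corporate-site rule requires authentication.
AUTH_POLICY = [
    Rule("3 restricted -> corporate site (auth)", "allow", {"HTTP", "HTTPS"},
         RESTRICTED, CORP_SITE, requires_auth=True),
]

# Variant Marc warns about: an earlier rule already allows all of 10.0.0.0/8
# (the thread's 255.0.0.0 mask) to every site, so the exception is never reached.
OVERSHADOWED_POLICY = [
    Rule("9 all internal -> all websites", "allow", None, ["10.0.0.0/8"], None),
    *BROKEN_POLICY,
]

if __name__ == "__main__":
    client = "10.1.1.111"
    for label, policy in [("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)]:
        print(label, "DNS  ->", evaluate(policy, Request(client, "DNS", "77.104.106.2")))
        print(label, "HTTP ->", evaluate(policy, Request(client, "HTTP", "www.gozine2.ir")))
        print(label, "byIP ->", evaluate(policy, Request(client, "HTTP", "94.232.174.142")))
    print("auth        ->", evaluate(AUTH_POLICY, Request(client, "HTTP", "www.gozine2.ir")))
    print("overshadowed->", evaluate(OVERSHADOWED_POLICY, Request(client, "HTTP", "www.example.com")))
```

Under BROKEN_POLICY the DNS query from 10.1.1.111 to 77.104.106.2 falls through to the default deny, which is exactly the symptom of nslookup failing while access by IP literal works once the IP is added to the URL set; FIXED_POLICY allows the lookup and still denies every host outside the corporate URL set. The real TMG live log shows the same "which rule matched" information for each request, which is what Nick asked to see.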
  • Hi Nick

    I'm sorry for being late to answer you.

    I do not have DNS in my network; I use my ISP's DNS IP. The users in rule no. 3 have full access to the internet and they do not have any problem, but when I want to make an exception for someone in my network who is not in rule no. 3, this problem happens.

    I do not know what I did, but at this time IP 10.1.1.111 has access to my company website just by its IP address, not by the domain name.

    Thank you for your Answer


    Regards, Vahid Aghakhani V.Aghakhani@live.com


    • Edited by LenovoW510 Monday, February 04, 2013 8:46 AM
    Monday, February 04, 2013 8:46 AM