IAG File Access Application - How to restrict the upload of specific file types?

  • Question

  •  I have configured the File Access application feature of our IAG and have successfully enabled access to hidden shares on our file servers.  

    The appliance is just about ready to be introduced to our users but I would like to further secure our environment by restricting the type of files that can be uploaded from our users' client PCs.

    I have added the list of file extensions I wish to Exclude on the Download/Upload tab of the Application Properties page but this has not had the desired effect.  I am still able to upload the type of files that I have specified in the list.

    I would appreciate any advice I can get.

    Thanks
    • Edited by Jacques Venter Tuesday, July 22, 2008 3:21 PM Spelling
    • Moved by Keith Alabaster Tuesday, June 16, 2009 6:01 PM Wrong Forum (From:Forefront Edge Security - General)
    Tuesday, July 22, 2008 3:20 PM

Answers

  • While the configuration for upload/download restrictions may seem straightforward, it's important to realize that it requires the administrator to configure two things:

    1) The application's Endpoint upload and download policy
    2) The application's Download/Upload tab parameters

    Many mistakenly think that setting just one of the above is enough. Here's a brief description of how this works:

    1) The upload/download tab in the application properties is only used to identify the properties that will be used to determine what is considered an upload or download.
    2) The selected endpoint policy is used to enforce the actual download and upload.

    For example, the IAG administrator wants to block *.exe and *.com executables from being uploaded. The administrator needs to set the Upload Policy on the Application’s General tab to “Never”.  Then set the Uploads settings on the Application’s Download/Upload tab to “Identify by Extensions” and select the "Include" radio button.  In the extension list add, on their own lines, exe and com (both without a dot before the extension).  Make sure to uncheck Identify by URLs and Identify by Size, or more may potentially be blocked than you expect.  This means that any other file types WILL be allowed.

    Another example:

    For example, the IAG administrator wants only common image files to be allowed to download. The administrator needs to set the download Policy on the Application’s General tab to “Never”.  Then set the download settings on the Application’s Download/Upload tab to “Identify by Extensions” and select the "EXCLUDE" radio button.  In the extension list add on their own lines the common image types (jpg, jpeg, gif, png, bmp etc), all without a dot before the extension. Also, the administrator must exclude the extension types used by the website itself, like asp, htm, html etc, otherwise, the site itself would not be allowed as the "never" policy selected will prevent these files from being accessed.



    Ben Ari Microsoft CSS IAG Support Sammamish, WA
    • Marked as answer by Erez Benari Wednesday, June 17, 2009 6:39 PM
    Wednesday, June 17, 2009 6:39 PM
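    The two-step logic in the answer above (the Download/Upload tab only *identifies* a transfer, the endpoint policy on the General tab *enforces* it) is easy to get backwards, so here is a small model of it as an added example. This is not IAG code or Microsoft's documentation; it simply encodes the behaviour the answer describes so you can check a planned configuration before applying it. The `TransferRule` class, the simplified "Never"/"Always" policy values, case-insensitive extension matching, and the `SITE_EXTENSIONS` list are all assumptions of this model.

```python
"""Model of the two-part IAG upload/download restriction described in the answer.

Added example, not IAG's own code: it encodes the stated rule that the
Download/Upload tab only *identifies* transfers and the endpoint policy
*enforces* them.  Names, policy values and matching rules are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Page types the answer says must be excluded so the site itself keeps working.
SITE_EXTENSIONS = ("asp", "htm", "html")


@dataclass
class TransferRule:
    policy: str                       # General tab endpoint policy: "Never" or "Always" (simplified)
    mode: str                         # Download/Upload tab radio button: "include" or "exclude"
    extensions: set = field(default_factory=set)   # entries as typed, without a leading dot
    identify_by_extensions: bool = True            # "Identify by Extensions" checkbox


def normalize_ext(ext: str) -> str:
    """Entries are listed without a dot; lower-casing is an assumption of this model."""
    return ext.strip().lstrip(".").lower()


def extension_of(url: str) -> str:
    """Extension of the requested file, ignoring any query string."""
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_transfer(rule: TransferRule, url: str) -> bool:
    """Step 1 (Download/Upload tab): does this request count as a transfer at all?

    Include mode: only listed extensions are transfers.
    Exclude mode: everything *except* listed extensions is a transfer.
    """
    if not rule.identify_by_extensions:
        return False
    listed = extension_of(url) in {normalize_ext(e) for e in rule.extensions}
    return listed if rule.mode == "include" else not listed


def allowed(rule: TransferRule, url: str) -> bool:
    """Step 2 (General tab endpoint policy): enforce only on identified transfers."""
    if not is_transfer(rule, url):
        return True
    return rule.policy != "Never"


def site_extensions_at_risk(rule: TransferRule) -> list:
    """Exclude mode plus "Never" blocks everything not listed, including the site's pages.

    Returns the site extensions that are missing from the exclude list.
    """
    if rule.mode != "exclude" or rule.policy != "Never":
        return []
    listed = {normalize_ext(e) for e in rule.extensions}
    return [e for e in SITE_EXTENSIONS if e not in listed]


if __name__ == "__main__":
    # First example from the answer: block exe/com uploads, allow everything else.
    upload = TransferRule(policy="Never", mode="include", extensions={"exe", "com"})
    for path in ("/share/tool.exe", "/share/report.docx"):
        print(f"upload {path}: {'allowed' if allowed(upload, path) else 'blocked'}")

    # Second example: only image downloads, with the site-page pitfall flagged.
    download = TransferRule(policy="Never", mode="exclude",
                            extensions={"jpg", "jpeg", "gif", "png", "bmp"})
    print("site extensions still blocked:", site_extensions_at_risk(download))
```

    Running the script shows the pitfall the answer warns about: with the exclude list holding only image types, `site_extensions_at_risk` reports `asp`, `htm` and `html`, and `/default.asp` is blocked until those are added to the list. It also shows that filling in the tab alone does nothing while the policy is still "Always".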

All replies

  • You may have already done this, but just to verify:

    1. Open the Application Properties dialog box and access the Download/Upload tab.
    2. In the “Uploads” area, enable the option “Identify by URLs”.

    Post back and let us know if this is already done.
    Shijaz Abdulla | MVP - ISA Server | http://blog.shijaz.com
    Wednesday, July 23, 2008 5:40 AM
  • Thanks for replying to my enquiry.  I had already attempted this but it did not work.  Do you have any other ideas?

    Wednesday, July 23, 2008 9:14 AM