  1. #1


    ISA Access Rule is blocking flash content

    Here's one for you boys and girls and please, please help me because it's driving me mad!

    A long time ago I set up an Access Rule in our ISA server (2004) to ban the "repeat offenders" but allow them access to certain sites listed on our home page. Almost like a small intranet if you like.

    All was fine until our website hosts (moonfruit) started running on a Content Delivery Network; I'm not sure if the issue is caused by this as we don't have an exact start date on the problem. Just seemed to start happening at roughly the same time.
    Now the kids can't see the home page, which is flash 10 based; it just comes up with a white page and the phishing filter comes up with a cross.
    I have information from the hosts and have added every possible combination of our URL and the ones they use as well as plenty of flash file extensions; none of that worked.
    I added myself into the repeat offenders list (admin level of access) and the site still wouldn't show anything. However I then installed IE8 and I was able to see the site, but a test with a student's account came up negative, so I changed my membership status so I had the same level as the kids and I couldn't access it either.

    I'm 99% sure it is to do with the content rather than anything else as other sites in this access rule that rely a lot on flash don't work properly e.g. nike.com and adidas.com. They show the content but links don't work etc.

    I'm so confused and I feel like I'm chasing my tail. Can anyone point me in a general direction to get me started or if anyone else has had this issue or similar and managed to sort it out then tell me how.
    Willing to give as much info as it takes to get this bug off my back so ask away.

    Much love, peace.
    Snuggle Tech

  2. #2
    TheLibrarian
    Guest
    Sure fire test would be to add a top level rule that allows everyone full access to the page / site in question.

  3. #3

    Well I did give this a go as it seems logical but alas no joy.
    I created a rule that allowed all outgoing traffic from our network to our approved sites list and to a URL set containing all the possibles for the homepage. I set for all users and just the repeat offenders group and no change.
    The only way I can get this to work is by having a rule that allows access to all http sites above the repeat offenders but this is pointless as they can get to places we don't want them to go. It also allows our totally banned users to get out.

  4. #4


    tom_newton
    Can't win at this without logs - surely the ISA access log will show what resource is being blocked?

  5. #5

    Quote: Originally posted by snuggletech
    Here's one for you boys and girls and please, please help me because it's driving me mad!

    A long time ago I set up an Access Rule in our ISA server (2004) to ban the "repeat offenders" but allow them access to certain sites listed on our home page. Almost like a small intranet if you like.

    All was fine until our website hosts (moonfruit) started running on a Content Delivery Network; I'm not sure if the issue is caused by this as we don't have an exact start date on the problem. Just seemed to start happening at roughly the same time.
    Now the kids can't see the home page, which is flash 10 based; it just comes up with a white page and the phishing filter comes up with a cross.
    I have information from the hosts and have added every possible combination of our URL and the ones they use as well as plenty of flash file extensions; none of that worked.
    I added myself into the repeat offenders list (admin level of access) and the site still wouldn't show anything. However I then installed IE8 and I was able to see the site, but a test with a student's account came up negative, so I changed my membership status so I had the same level as the kids and I couldn't access it either.

    I'm 99% sure it is to do with the content rather than anything else as other sites in this access rule that rely a lot on flash don't work properly e.g. nike.com and adidas.com. They show the content but links don't work etc.

    I'm so confused and I feel like I'm chasing my tail. Can anyone point me in a general direction to get me started or if anyone else has had this issue or similar and managed to sort it out then tell me how.
    Willing to give as much info as it takes to get this bug off my back so ask away.

    Much love, peace.
    Snuggle Tech
    Hi,

    You need to create a rule in ISA which blocks access to flash sites using the content type tab and define flash content. (Sorry, don't know what it is exactly called.) Then in the To box have the External network. In the exception box create a domain set for sites you do want to allow flash content. This is how we do it here and it works fine.

    We created two content types called Flash Based video which has the following criteria.

    Selected Type:
    video/x-flv

    and Flash Content with the following type:
    application/x-shockwave-flash
    .swf

    The above rule will be based on a deny access option.

    Let me know if you want more info.

    Ash.

  6. #6

    I've spent part of the day looking at the logs in ISA (not as easy as it could be, I might add) and I think I may now be looking in the right place.
    Ran a query to find all denied and failed connection attempts to any URL containing our homepage address and I got a lot back but got NONE from the Rule that is having the problem or from the user I've been using to test it! Obviously that makes no sense to me as students that aren't in the repeat offenders rule can see the homepage fine.
    They have however all come back with the same error:

    10054 an existing connection was forcibly closed by the remote host

    I also ran a query on any connection issues with said group and all it returned are the sites we don't wish them to use or sites they don't need to use, so at least that shows the rule to be working - minus the webpage.

    The final query I've done is all denied/failed attempts to the website from my test PC regardless of group/rule or user and got some interesting returns:

    I have a deny at the time you access the website (Belfairs High School) but the client user name isn't the student but "anonymous" and the rule is our "banned users group" (a normal deny everything rule for punishing the little buggers for a week or two).
    I then have within the next second two more URLs starting the same but with the following extensions:
    /sm4.css
    /ie.css

    I then have about 10 URLs all ending with different .jpg files and finally a deny and fail on the following URL:

    http://www.belfairs.southend.sch.uk/...ash_Player.jpg which I'm assuming is just the button to download it rather than anything important.

    I really hope I've been looking at the right sort of stuff in the logs; if not, any added help in that department would be gratefully received.
    I'm just getting this niggle that it's something to do with this "anonymous" user name preventing the actual user from viewing the site.
    Cheers for the help so far anyway chaps

  7. #7

    Quote: Originally posted by snuggletech
    Well I did give this a go as it seems logical but alas no joy.
    I created a rule that allowed all outgoing traffic from our network to our approved sites list and to a URL set containing all the possibles for the homepage. I set for all users and just the repeat offenders group and no change.
    The only way I can get this to work is by having a rule that allows access to all http sites above the repeat offenders but this is pointless as they can get to places we don't want them to go. It also allows our totally banned users to get out.
    We had a similar problem with our VLE; I ended up doing the same thing. The one thing with ISA is the way it prioritises the rules, so after some messing about I found that the rule for allow all users to our VLE had to be above our blacklists and general internet access rule.

    Also from my experience of ISA the anonymous user part in the logs is due to the ISA client not being used to help authenticate users. Not that it's needed of course, but you can always test it out if you want.

  8. #8

    Quote: Originally posted by spc-rocket
    Hi,

    You need to create a rule in ISA which blocks access to flash sites using the content type tab and define flash content. (Sorry, don't know what it is exactly called.) Then in the To box have the External network. In the exception box create a domain set for sites you do want to allow flash content. This is how we do it here and it works fine.

    We created two content types called Flash Based video which has the following criteria.

    Selected Type:
    video/x-flv

    and Flash Content with the following type:
    application/x-shockwave-flash
    .swf

    The above rule will be based on a deny access option.

    Let me know if you want more info.

    Ash.
    Hi Ash, sorry it's been so long between replies but this job had to take a back burner for, oh sooo many reasons. It's now back to haunt me so was planning on giving your solution a go. Just after as much info as you can give me really, don't want to miss anything. Also out of interest am I right in thinking that this would stop flash game sites (grrr) unless I permit them?

  9. #9

    Quote: Originally posted by snuggletech
    Hi Ash, sorry it's been so long between replies but this job had to take a back burner for, oh sooo many reasons. It's now back to haunt me so was planning on giving your solution a go. Just after as much info as you can give me really, don't want to miss anything. Also out of interest am I right in thinking that this would stop flash game sites (grrr) unless I permit them?
    Hi,

    No probs. Yes it should block games sites as well, but obviously not games which are brought on memory sticks, in their My Docs etc., as these are downloaded games. It should block access to flash sites that are on the net. The thing to do here is to create a domain name set and add in all the whitelisted sites which contain flash so they are not blocked by this. This will make it easier to manage the whole thing, i.e. if you have a student saying that they can't get to display flash content on a site and the site is okay then you just add it to the whitelisted domain name set and it should be accessible.

    Ash.
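
Added example, not part of the thread and not ISA's own code: a simplified Python model of the setup described in posts #5, #7 and #9, a Flash deny rule with a whitelisted domain set placed above an allow rule, evaluated in order for each request. The hostnames, rule names and the first-match model are assumptions; it shows that the exception is tested against the host serving the Flash file, so a .swf fetched from a separate CDN host stays blocked until that host is whitelisted as well.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# MIME types and the .swf extension come from post #5; all hostnames, rule
# names and the evaluation model itself are constructed assumptions.
FLASH_TYPES = {"video/x-flv", "application/x-shockwave-flash"}
FLASH_EXTENSIONS = (".swf",)

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    flash_only: bool = False             # rule applies to Flash content only
    to_domains: frozenset = None         # None means "External" (any host)
    except_domains: frozenset = frozenset()

def in_set(host, domains):
    # Domain-name-set style match: the entry itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def is_flash(url, mime):
    path = urlsplit(url).path.lower()
    return mime in FLASH_TYPES or path.endswith(FLASH_EXTENSIONS)

def evaluate(rules, url, mime):
    """Return (action, rule name) for ONE request; first matching rule wins."""
    host = urlsplit(url).hostname or ""
    for rule in rules:
        if rule.flash_only and not is_flash(url, mime):
            continue
        if rule.to_domains is not None and not in_set(host, rule.to_domains):
            continue
        if in_set(host, rule.except_domains):
            continue                     # exception hit: rule does not apply
        return rule.action, rule.name
    return "deny", "Default rule"        # nothing matched

def build_rules(flash_whitelist):
    approved = frozenset({"school.example", "cdn.example"})
    return [
        Rule("Block Flash", "deny", flash_only=True,
             except_domains=frozenset(flash_whitelist)),
        Rule("Approved sites", "allow", to_domains=approved),
    ]

if __name__ == "__main__":
    swf = ("http://static.cdn.example/site/home.swf", "application/x-shockwave-flash")
    page = ("http://www.school.example/", "text/html")
    for whitelist in ({"school.example"}, {"school.example", "cdn.example"}):
        rules = build_rules(whitelist)
        print(sorted(whitelist), evaluate(rules, *page), evaluate(rules, *swf))
```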
