13th November 2009, 05:28 PM #1
ISA Access Rule is blocking flash content
Here's one for you boys and girls and please, please help me because it's driving me mad!
A long time ago I set up an Access Rule in our ISA server (2004) to ban the "repeat offenders" but allow them access to certain sites listed on our home page. Almost like a small intranet if you like.
All was fine until our website hosts (moonfruit) started running on a Content Delivery Network. I'm not sure if the issue is caused by this as we don't have an exact start date on the problem. Just seemed to start happening at roughly the same time.
Now the kids can't see the home page, which is Flash 10 based; it just comes up with a white page and the phishing filter comes up with a cross.
I have information from the hosts and have added every possible combination of our URL and the ones they use as well as plenty of flash file extensions; none of that worked.
I added myself into the repeat offenders list (admin level of access) and the site still wouldn't show anything. However I then installed IE8 and I was able to see the site, but a test with a student's account came up negative, so I changed my membership status so I had the same level as the kids and I couldn't access it either.
I'm 99% sure it is to do with the content rather than anything else as other sites in this access rule that rely a lot on flash don't work properly e.g. nike.com and adidas.com. They show the content but links don't work etc.
I'm so confused and I feel like I'm chasing my tail. Can anyone point me in a general direction to get me started, or if anyone else has had this issue or similar and managed to sort it out then tell me how.
Willing to give as much info as it takes to get this bug off my back so ask away.
Much love, peace.
Snuggle Tech
-
-
13th November 2009, 05:31 PM #2
Sure fire test would be to add a top level rule that allows everyone full access to the page / site in question.
-
-
24th November 2009, 11:17 AM #3
Well I did give this a go as it seems logical but alas no joy.
I created a rule that allowed all outgoing traffic from our network to our approved sites list and to a URL set containing all the possibles for the homepage. I set for all users and just the repeat offenders group and no change.
The only way I can get this to work is by having a rule that allows access to all http sites above the repeat offenders but this is pointless as they can get to places we don't want them to go. It allows our totally banned users to get out.
-
-
24th November 2009, 12:24 PM #4
Can't win at this without logs - surely the ISA access log will show what resource is being blocked?
-
-
24th November 2009, 02:01 PM #5
Originally Posted by snuggletech
Here's one for you boys and girls and please, please help me because it's driving me mad!
A long time ago I set up an Access Rule in our ISA server (2004) to ban the "repeat offenders" but allow them access to certain sites listed on our home page. Almost like a small intranet if you like.
All was fine until our website hosts (moonfruit) started running on a Content Delivery Network. I'm not sure if the issue is caused by this as we don't have an exact start date on the problem. Just seemed to start happening at roughly the same time.
Now the kids can't see the home page, which is Flash 10 based; it just comes up with a white page and the phishing filter comes up with a cross.
I have information from the hosts and have added every possible combination of our URL and the ones they use as well as plenty of flash file extensions; none of that worked.
I added myself into the repeat offenders list (admin level of access) and the site still wouldn't show anything. However I then installed IE8 and I was able to see the site, but a test with a student's account came up negative, so I changed my membership status so I had the same level as the kids and I couldn't access it either.
I'm 99% sure it is to do with the content rather than anything else as other sites in this access rule that rely a lot on flash don't work properly e.g. nike.com and adidas.com. They show the content but links don't work etc.
I'm so confused and I feel like I'm chasing my tail. Can anyone point me in a general direction to get me started, or if anyone else has had this issue or similar and managed to sort it out then tell me how.
Willing to give as much info as it takes to get this bug off my back so ask away.
Much love, peace.
Snuggle Tech
Hi,
You need to create a rule in ISA which blocks access to flash sites using the content type tab and define flash content. (Sorry, don't know what it is exactly called.) Then in the To box have the External network. In the exception box create a domain set for sites you do want to allow flash content. This is how we do it here and it works fine.
We created two content types called Flash Based video which has the following criteria.
Selected Type:
video/x-flv
and Flash Content with the following type:
application/x-shockwave-flash
.swf
The above rule will be based on a deny access option.
Let me know if you want more info.
Ash.
-
-
25th November 2009, 04:34 PM #6
I've spent part of the day looking at the logs in ISA (not as easy as it could be I might add) and I think I may now be looking in the right place.
Ran a query to find all denied and failed connection attempts to any URL containing our homepage address and I got a lot back but got NONE from the Rule that is having the problem or from the user I've been using to test it! Obviously that makes no sense to me as students that aren't in the repeat offenders rule can see the homepage fine.
They have however all come back with the same error:
10054 an existing connection was forcibly closed by the remote host
I also ran a query on any connection issues with said group and all it returned are the sites we don't wish them to use or sites they don't need to use, so at least that shows the rule to be working - minus the webpage.
The final query I've done is all denied/failed attempts to the website from my test PC regardless of group/rule or user and got some interesting returns:
I have a deny at the time you access the website (Belfairs High School) but the client user name isn't the student but "anonymous" and the rule is our "banned users group" (a normal deny everything rule for punishing the little buggers for a week or two).
I then have within the next second two more URLs starting the same but with the following extensions:
/sm4.css
/ie.css
I then have about 10 URLs all ending with different .jpg files and finally a deny and fail on the following URL:
http://www.belfairs.southend.sch.uk/...ash_Player.jpg which I'm assuming is just the button to download it rather than anything important.
I really hope I've been looking at the right sort of stuff in the logs, if not any added help in that department would be gratefully received.
I'm just getting this niggle that it's something to do with this "anonymous" user name preventing the actual user from viewing the site.
Cheers for the help so far anyway chaps
-
-
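The log triage described in post #6, as an added example that is not part of the original thread: it groups one client's denied and failed entries by rule and user name, then lists the URLs whose last logged attempt was still not allowed, which separates anonymous denials that were later retried successfully from requests that stayed blocked. The field names, IP addresses, hosts and rule names in the sample are constructed assumptions; only error 10054 and the `sm4.css` path come from the thread.

```python
from collections import Counter

# Constructed sample (tab-separated W3C extended format). Field names, IPs,
# hosts and rule names are assumptions; only error 10054 comes from the thread.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\ttime\tcs-uri\tsc-status\trule\taction",
    "10.0.0.50\tanonymous\t16:01:02\thttp://home.example/\t12202\tBanned Users\tDenied",
    "10.0.0.50\tSCHOOL\\student1\t16:01:02\thttp://home.example/\t200\tRepeat Offenders\tAllowed",
    "10.0.0.50\tanonymous\t16:01:03\thttp://home.example/sm4.css\t12202\tBanned Users\tDenied",
    "10.0.0.50\tSCHOOL\\student1\t16:01:03\thttp://home.example/sm4.css\t200\tRepeat Offenders\tAllowed",
    "10.0.0.50\tanonymous\t16:01:04\thttp://cdn.example/site.swf\t12202\tBanned Users\tDenied",
    "10.0.0.50\tSCHOOL\\student1\t16:01:04\thttp://cdn.example/site.swf\t10054\t-\tFailed",
    "10.0.0.77\tSCHOOL\\student2\t16:01:05\thttp://home.example/\t200\tInternet Access\tAllowed",
])

def parse_w3c(text):
    """Return one dict per entry, keyed by the names on the #Fields: line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def blocked_summary(rows, client_ip):
    """Count non-allowed entries for one client by (rule, user, action)."""
    return Counter((r["rule"], r["cs-username"], r["action"])
                   for r in rows
                   if r["c-ip"] == client_ip and r["action"] != "Allowed")

def unresolved(rows, client_ip):
    """URLs whose last logged attempt from the client was not allowed."""
    last = {}
    for r in rows:  # entries are assumed to be in time order, as logged
        if r["c-ip"] == client_ip:
            last[r["cs-uri"]] = r
    return {uri: (r["sc-status"], r["rule"], r["cs-username"])
            for uri, r in last.items() if r["action"] != "Allowed"}

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for key, count in blocked_summary(rows, "10.0.0.50").most_common():
        print(count, *key)
    for uri, why in unresolved(rows, "10.0.0.50").items():
        print("still blocked:", uri, why)
```
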
1st December 2009, 10:35 AM #7

Originally Posted by snuggletech
Well I did give this a go as it seems logical but alas no joy.
I created a rule that allowed all outgoing traffic from our network to our approved sites list and to a URL set containing all the possibles for the homepage. I set for all users and just the repeat offenders group and no change.
The only way I can get this to work is by having a rule that allows access to all http sites above the repeat offenders but this is pointless as they can get to places we don't want them to go. It allows our totally banned users to get out.
We had a similar problem with our VLE, I ended up doing the same thing. The one thing with ISA is the way it prioritises the rules, so after some messing about I found that the rule for allow all users to our VLE had to be above our blacklists and general internet access rule.
Also from my experience of ISA the anonymous user part in the logs is due to the ISA client not being used to help authenticate users. Not that it's needed of course, but you can always test it out if you want.
-
-
11th February 2010, 12:00 PM #8

Originally Posted by spc-rocket
Hi,
You need to create a rule in ISA which blocks access to flash sites using the content type tab and define flash content. (Sorry, don't know what it is exactly called.) Then in the To box have the External network. In the exception box create a domain set for sites you do want to allow flash content. This is how we do it here and it works fine.
We created two content types called Flash Based video which has the following criteria.
Selected Type:
video/x-flv
and Flash Content with the following type:
application/x-shockwave-flash
.swf
The above rule will be based on a deny access option.
Let me know if you want more info.
Ash.
Hi Ash, sorry it's been so long between replies but this job had to take a back burner for, oh sooo many reasons. It's now back to haunt me so was planning on giving your solution a go. Just after as much info as you can give me really, don't want to miss anything. Also out of interest am I right in thinking that this would stop flash game sites (grrr) unless I permit them?
-
-
14th February 2010, 06:41 PM #9
Originally Posted by snuggletech
Hi Ash, sorry it's been so long between replies but this job had to take a back burner for, oh sooo many reasons. It's now back to haunt me so was planning on giving your solution a go. Just after as much info as you can give me really, don't want to miss anything. Also out of interest am I right in thinking that this would stop flash game sites (grrr) unless I permit them?
Hi,
No probs. Yes it should block games sites as well, but obviously not games which are brought on memory sticks, in their my docs etc. as these are downloaded games. It should block access to flash sites that are on the net. The thing to do here is to create a domain name set and add in all the whitelisted sites which contain flash so they are not blocked by this. This will make it easier to manage the whole thing, i.e. if you have a student saying that they can't get to display flash content on a site and the site is okay then you just add it to the whitelisted domain name set and it should be accessible.
Ash.
-