Hi all,

I think I have a working solution for those of us trying to make a web redirect with an exception to let through Windows Update. I'm now looking for anyone to help test/try it. I have had this working now for two weeks with no complaints... so far.

-- Directions --

For Inbound side:

1 - Create a class named 'Security' with protocol 'IP' and bind a host list named 'security' on the inside.

2 - Create a Security child class (click on Security, then add class) named 'SSL' and select the 'SSL' protocol. Add an exception policy to this.

3 - Create a Security child class named 'pass-through'. My class has 5 matching rules to allow Windows Update and Symantec (we use their antivirus). The matching rules are for the 'http (web)' protocol, 'Outside Location', and have a criterion 'Host DNS Name or IP Address' with the following hosts:

    *.microsoft.com
    *.akamai.net
    *.windowsupdate.com
    *.symantec.com
    *.symantecliveupdate.com

    This should make one class with 5 matching rules.

4 - Create a Security child class named 'HTTP-redirect' with protocol 'http (web)' for location any. Add a never-admit policy and ask web traffic to 'web-redirect' to a URL on the inside of the PacketShaper that is a web page that you create explaining that hosts have been blocked from the Internet.

5 - Add a discard policy to the 'Default' child class of 'Security'.

For Outbound side:

1 - Copy the Security class with children from the Inbound to the Outbound.

2 - Remove the 'never-admit' policy from the 'HTTP-redirect' child class.

Usage:

Our PacketShaper sits between UConn LANs and the Internet. We use the process above to block hosts with security problems from the Internet, and redirect their web traffic to a page that tells them that they have a security issue and how to get in touch with the help desk. When we detect a security problem with an IP, we add that IP to the security host list (hl add security <ip> [from telnet]).

The next time they browse the web they are automatically sent to this page: http://turkey.uits.uconn.edu/stop/

They have the following limitations while their IP is in the host list:

1 - All HTTP requests are redirected to the page above.

2 - Any requests to Microsoft sites, Windows Update or Symantec (including LiveUpdate) still work.

3 - All SSL traffic to the Internet is allowed. (Could be a potential security problem, but the only way I can currently make it work.)

4 - All other IP traffic to/from the host/Internet is discarded to the shaper bit bucket!

Tech note: The SSL child class with exception is required to be there to make Windows Update work. Part of the way Windows Update works is through SSL, and its server location is dynamic. Let all SSL through.

I'm attaching an image of what my similar PacketShaper config looks like.

Please share your success / issues! Have fun!

- Mike
Attachment: blocker.png
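To sanity-check which requests from a quarantined host end up in pass-through, redirect or discard, here is a small Python model of the class tree Mike describes. It is an added example, not part of the original post and not PacketShaper code: the host list entries are constructed, and wildcard matching is assumed to be shell-style and case-insensitive (the device's own matching engine may differ), so it checks the decision order rather than the PacketShaper itself.

```python
"""Model of the 'Security' class tree from the post (added example, not the
poster's configuration). Hosts in the security host list get: SSL allowed,
HTTP to the pass-through hosts allowed, other HTTP redirected, everything
else discarded. Other inside hosts are not classified under 'Security'."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Constructed sample 'security' host list (hl add security <ip> in the post).
SECURITY_HOST_LIST = {"10.0.0.5", "10.0.0.6"}

# Pass-through matching rules taken from the post.
PASS_THROUGH_HOSTS = [
    "*.microsoft.com", "*.akamai.net", "*.windowsupdate.com",
    "*.symantec.com", "*.symantecliveupdate.com",
]

REDIRECT_URL = "http://turkey.uits.uconn.edu/stop/"  # from the post


@dataclass
class Flow:
    inside_ip: str   # address of the inside (UConn LAN) host
    protocol: str    # "ssl", "http", or anything else ("smtp", "dns", ...)
    host: str = ""   # requested HTTP host name, used when protocol == "http"


def classify(flow: Flow) -> tuple[str, str]:
    """Return (class name, action), walking the classes in the post's order."""
    if flow.inside_ip not in SECURITY_HOST_LIST:
        return ("other", "normal")            # not quarantined; outside 'Security'
    if flow.protocol == "ssl":
        return ("Security/SSL", "allow")      # exception policy: all SSL passes
    if flow.protocol == "http":
        host = flow.host.lower()
        # Assumed shell-style wildcard: '*.microsoft.com' matches
        # 'www.microsoft.com' but NOT the bare 'microsoft.com'.
        if any(fnmatch.fnmatchcase(host, pat) for pat in PASS_THROUGH_HOSTS):
            return ("Security/pass-through", "allow")
        return ("Security/HTTP-redirect", f"redirect {REDIRECT_URL}")
    return ("Security/Default", "discard")    # discard policy on Default


if __name__ == "__main__":
    for f in (Flow("10.0.0.5", "http", "download.windowsupdate.com"),
              Flow("10.0.0.5", "http", "www.example.com"),
              Flow("10.0.0.5", "ssl"), Flow("10.0.0.5", "smtp"),
              Flow("192.168.1.9", "http", "www.example.com")):
        print(f, "->", classify(f))
```

Feeding it the host names seen in your own web logs is a quick way to spot pass-through patterns that are broader or narrower than intended before changing the live class.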