Allowed Web Sites
Use this window to configure the web sites end users are allowed to access during the ExtremeControl Assisted Remediation and Registration process. This window is configured as part of your portal configuration, and is accessed by selecting the Open Editor button in the Network Settings panel of the Portal Configuration tree.
There are three subtabs in the window: Allowed URLS, Allowed Domains, and Web Proxy Servers.
Allowed URLs
This tab lists the URLs that end-systems can access while the end-system is being assessed, when the end-system is quarantined, or when the end-system is not registered on the network. The ExtremeControl engine proxies these HTTP connections to the allowed URLs as long as the engine is configured with an appropriate DNS server.
Any URLs that you have referenced in the captive portal configuration must be entered into this tab so an end-system with restricted access to the network is permitted to communicate to the URL. For example, a URL entered in the Helpdesk Information section should be entered here so a quarantined end-system can access the Helpdesk web site while quarantined.
Enter the URL you want to add to the list and select Add. URLs must be entered without "http://www". For example, if "http://www.apple.com" is an allowed website, then enter "apple.com" as the allowed URL.
You can use the Import button to import a file of URLs to the list. Files must be formatted to contain one URL per line. Lines starting with "#" or "//" are ignored.
| NOTE: | It is not necessary to enter URLs that are accessed over secure HTTP (HTTPS). To restrict access to these URLs, you must configure network policy to allow or disable HTTPS traffic all together or restrict it to specific IP ranges. |
When an allowed URL is added, all web pages located within the directory are
also allowed. For example, if apple.com is configured as an allowed URL, then HTTP connections for the following URLs are also
permitted: www.apple.com/downloads
www.apple.com/downloads/macosx
HTTP connections to URLs located on different hosts than that of the allowed URL
entry are not permitted. These HTTP connections are redirected to the Assisted
Remediation or MAC Registration web page. Using the same example, if apple.com is configured
as an allowed URL, HTTP connections for the following URLs are not allowed: store.apple.com
store.apple.com/download
Images on the web page are displayed properly if the images are served on a separate HTTP connection at a different URL. For example, the web
page http://www.apple.com/support/downloads/ contains images downloaded from http://images.apple.com.
Therefore, if apple.com/support/downloads/ is configured as an allowed URL, all of the text
on the web page would be displayed properly,
but the images would not be displayed on the web page
unless images.apple.com is also entered as an Allowed URL.
Allowed Domains
This tab lists the domains to which end users can browse while the end-system is being assessed, the end-system is quarantined, or when the end-system is not registered on the network. The ExtremeControl engine proxies these HTTP connections to the allowed domains as long as the engine is configured with an appropriate DNS server.
The higher-level domain information not explicitly specified in an allowed
domain entry are also permitted for an end-system as well as any web pages
served from within the domain. For example, if apple.com is configured as an allowed domain, then HTTP connections for the following URLs are also
permitted: www.apple.com
www.info.apple.com
store.apple.com
store.apple.com/info
images.apple.com
www.apple.com/software
apple.com/software
HTTP connections not matching the specified domain level information in an allowed domain
entry are not permitted. These HTTP connections are redirected to the Assisted
Remediation or Registration web page. Using the same example, if apple.com is configured
as an allowed domain, HTTP connections for the following URLs are not allowed: www.apple2.com
store.apple-chat.com
www.msn.com
If multiple allowed domain entries are configured with overlapping
first-level and second-level domain information, then the allowed domain entry
that is more specific takes precedence. For example, if apple.com and
store.apple.com are configured as allowed domain entries, then the apple.com entry
is effectively disabled. Therefore, HTTP connections for the following URLs are allowed: store.apple.com
store.apple.com/info
www.store.apple.com/info
The following HTTP connections are not allowed: www.apple.com
www.apple.com/support
images.apple.com
The following is a list of default allowed domains that are pre-configured for ExtremeControl remediation. These allowed domains are provided as part of the assisted remediation assessment functionality, which allows end-users limited Internet access to update patches, antivirus definitions, and to upgrade vulnerable software in order to comply with the network security policy. The ExtremeControl engine proxies traffic to these allowed domains when an end user selects a remediation link presented on the violations page.
A default allowed domain should only be deleted if it is determined that a quarantined user should not be able to access it. In some cases, you need to add additional URLs or domains. If a quarantined user selects a remediation link to resolve an issue and is redirected back to the remediation web page, the domain or URL needs to be added to provide access to that site.
| adobe.com | akadns.net | akamai.com |
| akamai.net | altn.com | apache.org |
| apple.com | archives.neohapsis.com | asp.net |
| aws.amazon.com | bitdefender.com | bugzilla.org |
| ca.com | cdnetworks.com | cert.org |
| cisco.com | clamav.net | cve.mitre.org |
| debian.org | drupal.org | eset.com |
| eu.ntt.com | f-secure.com | gnu.org |
| godaddy.com | ibm.com | ipswitch.com |
| isc.org | kaspersky.com | lac.co.jp |
| level3.com | localmirror.com | kaspersky-labs.com |
| macromedia.com | mandriva.com | mcafee.com |
| microsoft.com | mozilla.org | mysql.com |
| netwinsite.com | norton.com | novell.com |
| nsatc.net | openssl.org | oracle.com |
| osvdb.org | pandasecurityusa.com | php.net |
| phpnuke.org | redhat.com | samba.org |
| secunia.com | securiteam.com | securityfocus.com |
| securitytracker.com | sendmail.org | sophos.com |
| sourceforge.net | squid-cache.org | sun.com |
| support.citrix.com | suse.com | suse.de |
| symantec.com | symantecliveupdate.com | techtarget.com |
| trendmicro.com | ubuntu.com | us-cert.gov |
| verisign.com | verisigninc.com | vmware.com |
| vupen.com | web.mit.edu | webroot.com |
| windows.com | windowsupdate.com | wireshark.org |
| xforce.iss.net | zerodayinitiative.com | zope.org |
Web Proxy Servers
This tab is used to specify the web proxy server(s) deployed on the network. The ExtremeControl engine proxies end-system Allowed URL and Allowed Domain HTTP traffic to the defined web proxy servers if the network utilizes proxy servers to access the Internet.
If multiple web proxy servers are configured, the ExtremeControlengine round robins HTTP connections to the configured proxy servers. If the allowed web site is located with the ExtremeControl engine's configured domain, the ExtremeControl engine directly contacts the web site and does not go through the configured web proxy servers.
For information on related help topics:
For information on related help topics: