Allowed Web Sites Window
Use this window to configure the web sites that end users are allowed to access during the NAC Assisted Remediation and Registration process. This window is configured as part of your portal configuration, and is accessed from the Network Settings section of the Edit Portal Configuration window.
There are three subtabs in the window: Allowed URLs, Allowed Domains, and Web Proxy Servers.
Allowed URLs
This tab lists the URLs that end-systems can access while the end-system is being assessed, when the end-system is quarantined, or when the end-system is not registered on the network. The Extreme Access Control engine proxies these HTTP connections to the allowed URLs as long as the engine is configured with an appropriate DNS server.
Any URLs that you have referenced in the captive portal configuration must be entered into this tab so that an end-system with restricted network access is permitted to communicate with the URL. For example, a URL entered in the Helpdesk Information section should be entered here so a quarantined end-system may access the Helpdesk web site while quarantined.
Enter the URL you want to add to the list and click Add. URLs must be entered without "http://www". For example, if "http://www.apple.com" is an allowed website, then "apple.com" should be entered as the allowed URL.
You can use the Import button to import a file of URLs to the list. Files must be formatted to contain one URL per line. Lines starting with "#" or "//" are ignored.
NOTE: It is not necessary to enter URLs that are accessed over secure HTTP (HTTPS). To restrict access to these URLs, you must configure network policy to allow or disable HTTPS traffic altogether or restrict it to specific IP ranges.
When an allowed URL is added, all web pages located within the directory are also allowed. For example, if apple.com is configured as an allowed URL, then HTTP connections for the following URLs are also permitted:
www.apple.com/downloads
www.apple.com/downloads/macosx
HTTP connections to URLs located on different hosts than that of the allowed URL entry are not permitted. These HTTP connections are redirected to the Assisted Remediation or MAC Registration web page. Using the same example, if apple.com is configured as an allowed URL, HTTP connections for the following URLs are not allowed:
store.apple.com
store.apple.com/download
Images on the web page may not be displayed properly if the images are served on a separate HTTP connection at a different URL. For example, the web page http://www.apple.com/support/downloads/ contains images downloaded from http://images.apple.com. Therefore, if apple.com/support/downloads/ is configured as an allowed URL, all of the text on the web page displays properly, but the images do not display on the web page unless images.apple.com is also entered as an Allowed URL.
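The following added example (not Extreme's code) models the Allowed URLs rules described above so that an import file can be pre-checked against the URLs a portal page references. It assumes a leading "www." is equivalent to the bare host, that blank lines are skipped, and that a directory match is a path-prefix match; the function names and the sample file are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample import file: one URL per line, "#" and "//" lines ignored.
SAMPLE_IMPORT = """\
# helpdesk and vendor download pages
// images.apple.com is deliberately missing from this list
apple.com/support/downloads/
http://www.example.org
"""

def normalise(url):
    """Return (host, path) without scheme, leading 'www.' or trailing '/'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path.rstrip("/")

def parse_import_file(text):
    """Parse an import file into normalised (host, path) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skipping blank lines is an assumption; the comment prefixes are from the page.
        if not line or line.startswith(("#", "//")):
            continue
        entries.append(normalise(line))
    return entries

def url_allowed(url, entries):
    """True if the engine would proxy this HTTP URL under the modelled rules."""
    host, path = normalise(url)
    for entry_host, entry_path in entries:
        # Same host only: store.apple.com does not match an apple.com entry.
        if host != entry_host:
            continue
        # The entry's directory and everything beneath it is allowed.
        if path == entry_path or path.startswith(entry_path + "/"):
            return True
    return False

def uncovered(urls, entries):
    """Portal-referenced URLs that would be redirected instead of proxied."""
    return [u for u in urls if not url_allowed(u, entries)]
```

Running uncovered() over the URLs and image hosts used by a remediation page shows which entries still need to be added before quarantined users see broken pages.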
Allowed Domains
This tab lists the domains to which end users can browse while the end-system is being assessed, the end-system is quarantined, or when the end-system is not registered on the network. The Extreme Access Control engine proxies these HTTP connections to the allowed domains as long as the engine is configured with an appropriate DNS server.
The higher-level domain information not explicitly specified in an allowed domain entry is also permitted for an end-system, as are any web pages served from within the domain. For example, if apple.com is configured as an allowed domain, then HTTP connections for the following URLs are also permitted:
www.apple.com
www.info.apple.com
store.apple.com
store.apple.com/info
images.apple.com
www.apple.com/software
apple.com/software
HTTP connections not matching the specified domain level information in an allowed domain entry are not permitted. These HTTP connections are redirected to the Assisted Remediation or Registration web page. Using the same example, if apple.com is configured as an allowed domain, HTTP connections for the following URLs are not allowed:
www.apple2.com
store.apple-chat.com
www.msn.com
If multiple allowed domain entries are configured with overlapping first-level and second-level domain information, then the allowed domain entry that is more specific takes precedence. For example, if apple.com and store.apple.com are configured as allowed domain entries, then the apple.com entry is effectively disabled. Therefore, HTTP connections for the following URLs are allowed:
store.apple.com
store.apple.com/info
www.store.apple.com/info
The following HTTP connections are not allowed:
www.apple.com
www.apple.com/support
images.apple.com
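The following added example (not Extreme's code) models the Allowed Domains matching and precedence rule described above, and reports entries that a more specific entry has effectively disabled. It assumes matching is done on whole DNS labels and that the precedence rule applies at any label depth; the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Extract the lower-cased host from a URL given with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def effective_domains(entries):
    """Split entries into (active, shadowed).

    An entry is shadowed when another entry is a more specific name
    beneath it, e.g. apple.com is shadowed by store.apple.com.
    """
    cleaned = {e.strip().lower().rstrip(".") for e in entries if e.strip()}
    shadowed = {
        parent
        for parent in cleaned
        for child in cleaned
        if child != parent and child.endswith("." + parent)
    }
    return cleaned - shadowed, shadowed

def domain_allowed(url, entries):
    """True if the URL's host falls inside an active allowed domain."""
    active, _ = effective_domains(entries)
    host = host_of(url)
    # Match on label boundaries so apple2.com and apple-chat.com
    # are not treated as part of apple.com.
    return any(host == d or host.endswith("." + d) for d in active)

def audit(entries, urls):
    """Return (shadowed entries, URLs that would be redirected)."""
    _, shadowed = effective_domains(entries)
    blocked = [u for u in urls if not domain_allowed(u, entries)]
    return sorted(shadowed), blocked
```

Running audit() before adding a narrower entry such as store.apple.com shows which sites under the broader entry would stop being reachable for quarantined end-systems.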
The following is a list of default allowed domains that are preconfigured for NAC remediation. These allowed domains are provided as part of the assisted remediation assessment functionality, which allows end-users limited Internet access to update patches, antivirus definitions, and to upgrade vulnerable software in order to comply with the network security policy. The Extreme Access Control engine proxies traffic to these allowed domains when an end user clicks on a remediation link presented on the violations page.
A default allowed domain should only be deleted if it is determined that a quarantined user should not be able to access it. In some cases, you may need to add additional URLs or domains. If a quarantined user selects a remediation link to resolve an issue and is redirected back to the remediation web page, the domain or URL needs to be added to provide access to that site.
adobe.com | akadns.net | akamai.com |
akamai.net | altn.com | apache.org |
apple.com | archives.neohapsis.com | asp.net |
aws.amazon.com | bitdefender.com | bugzilla.org |
ca.com | cdnetworks.com | cert.org |
cisco.com | clamav.net | cve.mitre.org |
debian.org | drupal.org | eset.com |
eu.ntt.com | f-secure.com | gnu.org |
godaddy.com | ibm.com | ipswitch.com |
isc.org | kaspersky.com | lac.co.jp |
level3.com | localmirror.com | kaspersky-labs.com |
macromedia.com | mandriva.com | mcafee.com |
microsoft.com | mozilla.org | mysql.com |
netwinsite.com | norton.com | novell.com |
nsatc.net | openssl.org | oracle.com |
osvdb.org | pandasecurityusa.com | php.net |
phpnuke.org | redhat.com | samba.org |
secunia.com | securiteam.com | securityfocus.com |
securitytracker.com | sendmail.org | sophos.com |
sourceforge.net | squid-cache.org | sun.com |
support.citrix.com | suse.com | suse.de |
symantec.com | symantecliveupdate.com | techtarget.com |
trendmicro.com | ubuntu.com | us-cert.gov |
verisign.com | verisigninc.com | vmware.com |
vupen.com | web.mit.edu | webroot.com |
windows.com | windowsupdate.com | wireshark.org |
xforce.iss.net | zerodayinitiative.com | zope.org |
Web Proxy Servers
This tab is used to specify the web proxy server(s) deployed on the network. The Extreme Access Control (Access Control) engine proxies end-system Allowed URL and Allowed Domain HTTP traffic to the defined web proxy servers if the network utilizes proxy servers to access the Internet.
If multiple web proxy servers are configured, the Access Control engine round robins HTTP connections to the configured proxy servers. If the allowed web site is located within the Access Control engine's configured domain, the Access Control engine contacts the web site directly and does not go through the configured web proxy servers.