My customer has a problem with restricting user access through the IVE.
Based on the IVE configuration, users should not be able to access external portal sites
using a rewrite session.
But I can find a lot of user access logs which indicate that users have been accessing the
Internet through the rewriter.
-------------------------------------------------------------------------------------------------------------
WebRequest ok : Host: www.naver.com, Request: GET / HTTP/1.1
WebRequest completed, GET to http://www.naver.com:80// from 202.131.29.71 result=200 sent=16 received=0 in 1 seconds
WebRequest ok : Host: www.naver.com, Request: GET /css/naver_20090803.css?0824 HTTP/1.1
WebRequest completed, GET to http://www.naver.com:80//css/naver_20090803.css?0824 from 202.131.29.71 result=200 sent=43 received=67848 in 0 seconds
WebRequest ok : Host: www.naver.com, Request: GET /js/error.js HTTP/1.1
WebRequest completed, GET to http://www.naver.com:80//js/error.js from 202.131.29.71 result=200 sent=27 received=220 in 1 seconds
WebRequest ok : Host: www.naver.com, Request: GET /js/reatcmp.html?0608 HTTP/1.1
WebRequest completed, GET to http://www.naver.com:80//js/reatcmp.html?0608 from 202.131.29.71 result=200 sent=36 received=3457 in 0 seconds
WebRequest ok : Host: nv1.ad.naver.com, Request: GET /adshow?unit=002P HTTP/1.1
WebRequest completed, GET to http://nv1.ad.naver.com:80//adshow?unit=002P from 222.122.16.244 result=200 sent=32 received=5704 in 1 seconds
......
-------------------------------------------------------------------------------------------------------------
Here is the detailed IVE configuration for the user session.
1. Authentication server : External AD server
2. Session options of the role
1) Persistent Session : Disabled
2) Persistent Password caching : Disabled
3) Browser request follow through : Disabled
3. "Web" of the user role is enabled, to open a custom start page after the user signs in.
4. All user access to internal resources goes via NC.
5. Options of "Web"
1) User can type URLs in the IVE browse bar : Disabled
2) User can add bookmarks : Disabled
3) Mask hostnames while browsing : Disabled
4) Persistent cookies : Enabled (default)
6. Selective rewrite policy
1) *.* -> "All roles" -> allow (default)
What can be the cause of this problem?
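Added example, not part of the original post: a small Python checker for the "WebRequest completed" log format quoted above. It parses each completed fetch, pulls the target host out of the URL (coping with the doubled slash the IVE writes after the port), and flags every fetch whose target is not a private address or a domain on an assumed internal allowlist (INTERNAL_SUFFIXES is an assumption; the portal.intranet.example line in the sample is constructed). Running it over a real access log gives a per-host count of rewriter traffic that should not be there, which is a quicker way to scope the problem than reading the lines by hand.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the "WebRequest completed" lines quoted in the
# post above. The portal.intranet.example entry is invented to stand in for an
# internal resource that the rewriter is expected to serve.
SAMPLE_LOG = """\
WebRequest ok : Host: www.naver.com, Request: GET / HTTP/1.1
WebRequest completed, GET to http://www.naver.com:80// from 202.131.29.71 result=200 sent=16 received=0 in 1 seconds
WebRequest completed, GET to http://www.naver.com:80//css/naver_20090803.css?0824 from 202.131.29.71 result=200 sent=43 received=67848 in 0 seconds
WebRequest completed, GET to http://nv1.ad.naver.com:80//adshow?unit=002P from 222.122.16.244 result=200 sent=32 received=5704 in 1 seconds
WebRequest completed, GET to http://portal.intranet.example:80//start from 10.0.0.5 result=200 sent=20 received=1200 in 0 seconds
"""

# Assumed list of domain suffixes the rewriter is allowed to reach; replace with your own.
INTERNAL_SUFFIXES = ("intranet.example",)

# The address after "from" changes with the target host in the quoted log, so it is
# kept as an opaque field here rather than assumed to be the client address.
COMPLETED_RE = re.compile(
    r"WebRequest completed, (?P<method>[A-Z]+) to (?P<url>\S+) from (?P<addr>\S+) "
    r"result=(?P<status>\d+) sent=(?P<sent>\d+) received=(?P<received>\d+) "
    r"in (?P<secs>\d+) seconds"
)


def parse_completed(line):
    """Return the fields of one 'WebRequest completed' line, or None for any other line."""
    m = COMPLETED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "sent", "received", "secs"):
        rec[key] = int(rec[key])
    # urlsplit handles the "host:80//path" form the IVE writes.
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def is_internal(host, suffixes=INTERNAL_SUFFIXES):
    """True if the host is a private IP address or falls under an allowed internal domain."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit(log_text, suffixes=INTERNAL_SUFFIXES):
    """Collect every completed rewriter fetch whose target is not internal, with per-host totals."""
    external = []
    per_host = defaultdict(lambda: {"requests": 0, "received": 0})
    for line in log_text.splitlines():
        rec = parse_completed(line)
        if rec is None or is_internal(rec["host"], suffixes):
            continue
        external.append(rec)
        per_host[rec["host"]]["requests"] += 1
        per_host[rec["host"]]["received"] += rec["received"]
    return {"external": external, "per_host": dict(per_host)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host, stats in sorted(report["per_host"].items()):
        print(f"{host}: {stats['requests']} requests, {stats['received']} bytes received")
```

On the sample this reports two external hosts (www.naver.com and nv1.ad.naver.com) and leaves the internal portal alone; feed it the real log with `audit(open("ive.log").read())` to see which roles or users are generating the traffic before touching the rewrite policy.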
Hi Billy,
So if I understand this correctly, these users are not permitted to add URLs, and the role has a few external links that are rewriting successfully? If so, how many machines are unable to hit the external links vs. machines that are working fine?
-John
There is an initial "allow any" open ACL that is by default associated with all roles. If that is enabled, the users will be able to use the rewriter to access the Internet. You will have to lock down the role to the resources in that role only.
It has always been my understanding that the IVE is unable to initiate traffic out the external interface. Are you running with only the internal interface active?
If so, I would still think 2 conditions would need to be met for what is occurring - (1) the internal interface would need to be on a subnet with access to the Internet, and (2) the IVE would need to be using a DNS server which would resolve internet DNS names.
Ken
Thanks for your answer.
The web page (custom start page) of the internal server is opened automatically in the user's IE browser right after the user creates this session.
It means this role has a custom start page (role -> UI option -> Custom page -> Start page URL).
But it must not be rewritten, because this role has a rewrite policy that prevents this session from being rewritten (Don't rewrite content: Redirect to target web server) at the top of the "selective rewrite policy" list.
In other words, no user can create the rewrite session.
Thanks for your answer.
From what I understand, users can only use the rewriter in the following situations.
1) typing URLs on the bookmarks page => this function is not used.
2) adding a new bookmark page => this function is not used.
3) typing URLs in the browser's address bar (ex: "https://<SSLVPN_URL>/dana/home/launch.cgi?url=<custom_url>")
But in this case, it seems the user session used the rewriter by typing only the "custom URL" in the browser's address bar.
Thanks for your answer, kenlars.
Yes. This case met both of your 2 conditions.
But as I mentioned previously, users can only use the rewriter in the following situations.
1) typing URLs on the bookmarks page => this function is not used.
2) adding a new bookmark page => this function is not used.
3) typing URLs in the browser's address bar (ex: "https://<SSLVPN URL>/dana/home/launch.cgi?url=<custom url>")
You mean... if it met your 2 conditions, users can create a rewrite session by typing a custom URL in their browser's address bar?
Your understanding of the three ways the user can initiate rewrite is correct. The user cannot initiate rewrite in any other way. Entering a URL (e.g., http://www.google.com) in the browser Address field will not cause rewrite.
I'm really confused about your custom start page. It seems to me that you said the following -
If these two are correct, I am at a loss to understand how a user on the Internet can access a web site within your network directly, as that is what this would mean.
I am guessing your rewriting rules are not doing what you think they are doing. I'd recommend you do a policy trace to see how they are working.
Ken