A lot of potential problems that users get themselves into can be solved with a little bit of education and policies up front. Even a simple warning can be enough to keep users from doing things they shouldn't. In this article we'll focus on how to enable a Terms Of Service page to be presented to Web users on both ISA firewall Protected Networks and users who access Web sites published by the ISA firewall.
Using Terms Of Service pages to solve compliance issues
As regulatory compliance issues become increasingly important in firewalled environments, the more important it is that ISA firewall administrators have the ability to provide a basic Terms Of Service agreement page before users can access Web sites. While most companies may have required users to sign a network usage policy document before enabling access to the Internet, there may still be companies out there who have not yet implemented such a policy.
A Terms Of Service page can be used either to reinforce what was already agreed upon in the company's network usage policy document or, if the company does not have such a document, to inform users of the current policy and require them to click I Agree before they are allowed access to the Internet.
In an ideal situation, you could require users on ISA firewall Protected Networks to agree to network usage policy for all protocols, instead of just Web protocols that are mediated by the ISA firewall's Web proxy filter. However, this would be a challenging configuration and management situation, because the user agent software would be unaware of the Terms Of Service page, and applications such as POP3, NNTP or SMTP applications (and many others) would not be able to accommodate these requirements. There might be ways around this, but most would require a level of sophistication on the end-user's part that falls outside what we see in typical firewalled environments.
Another scenario where a Terms Of Service page would be useful is for Web publishing rules. In this scenario, users are typically anonymous, or if they are not anonymous, they might not be part of the organization, such as what happens when Web Publishing Rules are used to enable partner access to corporate Web sites. In this situation, you might want to provide a more comprehensive Terms Of Service page that includes detailed information about what users are allowed and not allowed to do when accessing corporate managed Web sites.
Legal input is required for Terms Of Service pages
In both inbound and outbound scenarios, I highly recommend that you confer with your company's legal experts about what to include, and what not to include, in a Terms Of Service Web page. This is critical because the wording of the Terms Of Service can and will be used for (and against) you in a court of law.
This is especially important in situations where you implement bridging of encrypted communications, such as when you publish SSL-secured Web sites. The ISA firewall has complete access to the otherwise encrypted content and users should be aware of the situation before conducting transactions that they may otherwise consider to be encrypted from source to destination.
Configuring the ISA firewall to provide a Terms Of Service page
OK, so how do you get a Terms Of Service page to appear for both users on ISA firewall Protected Network and for external users accessing corporate Web sites via Web Publishing Rules? Well, you could learn to be a programmer and come up with your own solution.
A better solution is to use a great, cost-effective third party tool named WebTOS. The WebTOS software enables you to create the type of Terms Of Service pages we've been discussing, both for users on ISA firewall Protected Networks and for external users accessing Web content via Web Publishing Rules. WebTOS is a very nice and simple solution to the problem of providing a Terms Of Service page for external and internal users.
However, before deploying WebTOS, you should know some things about what it can and cannot do:
- You can create one customizable Terms Of Service page for hosts on ISA firewall Protected Networks
- You can enable Terms Of Service pages on a per-listener basis
- The Terms Of Service pages are presented before any ISA firewall authentication takes place, so you can enable Terms Of Service pages even for sites that require the ISA firewall to authenticate users before allowing access
- You can configure each Web listener with a Terms Of Service page. Each listener can be configured with a customized exception list for clients that do not support Terms Of Service pages. This allows clients who do not support Terms Of Service pages (such as the OMA, ActiveSync and RPC/HTTP clients) to connect without being exposed to the Terms Of Service page.
- Users on ISA firewall Protected Networks will only be presented with a Terms Of Service page for HTTP connections. SSL connections will not elicit a Terms Of Service page. The same is true for all other protocols not mediated by the Web proxy filter.
The rest of this article will demonstrate how you can use WebTOS to present a Terms Of Service page to users on ISA firewall Protected Networks and to external users accessing corporate content via Web Publishing Rules.
Installing the WebTOS software
The first step is to install the WebTOS software. Perform the following steps to install WebTOS:
- Go to the Collective Software Web site and download the WebTOS evaluation version.
- If the ISA firewall console is open, close it. This will prevent you from having to close and reopen the ISA firewall console after the WebTOS software is installed.
- Double click on the WebTOS.msi file.
- Click Next on the Welcome to the Collective Software WebTOS v1.0.3 Setup Wizard page.
- Select the I accept the terms in the License Agreement option and click Next after reading the license agreement.
- Click the Complete button.
- On the Ready to Install page, click Install.
- Click Finish on the Completing the Collective Software WebTOS v1.0.3 Setup Wizard page.
- Click OK on the Collective Software WebTOS v1.0.3 Setup dialog box informing you to restart the firewall service before using WebTOS.
Configuring the WebTOS software on ISA firewall Protected Networks
Now let's see how the WebTOS software works:
- Open the ISA firewall console.
- In the ISA firewall console, expand the server name and then click the Monitoring node.
- Click the Services tab in the details pane of the ISA firewall console.
- Right click the Microsoft Firewall service and click Stop.
- After the Status of the Microsoft Firewall service shows Stopped, right click the Microsoft Firewall service again and click Start.
- Expand the Configuration node in the left pane of the ISA firewall console and click the Networks node.
- Double click on one of your ISA firewall Protected Networks. In this example we'll see how it works with the default Internal Network, but the same principles would apply for any other ISA firewall Network you create.
- Click Yes in the Collective Software WebTOS dialog box.
- In the Internal Properties dialog box, click the WebTOS tab.
- On the WebTOS page, put a checkmark in the This listener will display a Terms-of-Service screen checkbox. The first option you have is to determine how often the Terms Of Service page should reappear to the user. You have two options: a number of hours after the user's last agreement time, or a number of hours after the user's last Web access. You enter the number of hours after which the Terms Of Service page will reappear, counted either from when the user last agreed to the Terms Of Service or from when the user last accessed the Web. I prefer the number of hours since the user's last agreement, as it keeps the users on their toes.
Notice that there are three text boxes available for you to enter information for requests that should not be presented with the Terms Of Service form: User Agent, IP Address and URL. The User Agent text box is used to prevent certain browsers and other Web applications from being presented with the form. For example, the OWA, OMA, ActiveSync and RPC/HTTP clients are not able to respond to the form, so their connections would fail if the form were presented to them. You just enter the User Agent string presented by these apps in the User Agent text box to prevent the form from being presented to these applications. The IP Address box allows you to exclude clients based on source IP address.
There are two ways you can enter the User Agent, IP Address or URL: as a regular expression (REGEX) or as a simple string (the actual User Agent, IP address or URL). Click the button next to any of the text boxes to enter a simple string; if you want to enter a regular expression, type it directly into the text box. In addition, you can put the entries in either the Show TOS if requests match all list or the Exempt requests matching any list, which gives you a lot more flexibility in terms of who is and is not presented with a Terms Of Service form. See Figure A.
Figure A: Configuring WebTOS on the default Internal Network
Click Apply and then click OK to close the Internal Properties dialog box. Then click Apply in the console to save the changes and update the firewall policy, and click OK in the Apply New Configuration dialog box.
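To make the exception lists and the re-prompt timing concrete, here is a small Python model of the decision WebTOS makes for each request. It is an added illustration written for this article, not code from WebTOS or Collective Software. The rule semantics are my reading of the two list labels on the WebTOS tab, and the request fields, user agent strings, addresses and timestamps are constructed. A Web listener's WebTOS tab offers the same lists and timing options, so the model applies there as well.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass
class Request:
    """The three request attributes the WebTOS tab lets you filter on."""
    user_agent: str
    ip: str
    url: str


@dataclass
class Rule:
    """One entry in a WebTOS list. regex=False is a simple string (entered via
    the button next to the text box); regex=True is a pattern typed directly
    into the text box."""
    field: str            # "user_agent", "ip" or "url"
    pattern: str
    regex: bool = False

    def matches(self, req: Request) -> bool:
        value = getattr(req, self.field)
        if self.regex:
            return re.search(self.pattern, value) is not None
        return value == self.pattern      # simple strings compare exactly


@dataclass
class UserState:
    """What the firewall remembers about a client (None = never seen)."""
    last_agreement: Optional[datetime] = None
    last_access: Optional[datetime] = None


def agreement_expired(state: UserState, now: datetime, mode: str, hours: int) -> bool:
    """Re-prompt test for the two timing options: mode="agreement" counts hours
    since the user last clicked I Agree, mode="access" counts hours since the
    user's last Web request."""
    if state.last_agreement is None:
        return True                     # never agreed: always prompt
    anchor = state.last_access if mode == "access" and state.last_access else state.last_agreement
    return now - anchor >= timedelta(hours=hours)


def should_show_tos(req: Request, state: UserState, now: datetime, *,
                    show_if_all: Sequence[Rule] = (), exempt_if_any: Sequence[Rule] = (),
                    mode: str = "agreement", hours: int = 24) -> bool:
    """Decide whether this request gets the Terms Of Service form."""
    # 1. "Exempt requests matching any": one hit skips the form. This is where
    #    the user agents of clients that cannot click I Agree belong.
    if any(rule.matches(req) for rule in exempt_if_any):
        return False
    # 2. "Show TOS if requests match all": when the list is non-empty, every
    #    entry must match or the form is skipped.
    if show_if_all and not all(rule.matches(req) for rule in show_if_all):
        return False
    # 3. Otherwise prompt only when the previous agreement has aged out.
    return agreement_expired(state, now, mode, hours)


# ---- constructed sample data (not real clients or addresses) ----
SAMPLE_NOW = datetime(2006, 3, 1, 9, 0)
BROWSER = Request("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
                  "10.0.0.25", "http://www.example.com/")
SYNC_CLIENT = Request("Microsoft-Server-ActiveSync/6.5", "203.0.113.9",
                      "http://mail.example.com/Microsoft-Server-ActiveSync")
EXEMPT_RULES = [Rule("user_agent", r"^Microsoft-Server-ActiveSync", regex=True)]
INTERNAL_ONLY = [Rule("ip", r"^10\.", regex=True)]


def hours_ago(n: float) -> datetime:
    """Timestamp n hours before the constructed SAMPLE_NOW."""
    return SAMPLE_NOW - timedelta(hours=n)


if __name__ == "__main__":
    fresh = UserState()
    agreed = UserState(last_agreement=hours_ago(2), last_access=hours_ago(0.1))
    print("first visit:", should_show_tos(BROWSER, fresh, SAMPLE_NOW))
    print("agreed 2h ago, 8h policy:", should_show_tos(BROWSER, agreed, SAMPLE_NOW, hours=8))
    print("agreed 2h ago, 1h policy:", should_show_tos(BROWSER, agreed, SAMPLE_NOW, hours=1))
    print("ActiveSync client, exempt:", should_show_tos(SYNC_CLIENT, fresh, SAMPLE_NOW,
                                                         exempt_if_any=EXEMPT_RULES))
```

One point to keep in mind when filling in the exception lists: the User Agent and URL values are supplied by the client, so an exemption keyed on them is a convenience for clients that cannot answer the form, not an access control. The Terms Of Service page documents policy; the firewall's access rules and authentication still do the enforcing.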
Now let's see what happens when we try to access a Web site from a SecureNAT client on the default Internal Network. Open the browser and go to TechProGuild. You'll be presented with the screen shown in Figure B.
Figure B: The WebTOS Terms Of Service page appears before allowing access to the Web site
After clicking the I Agree button you'll see something like the screen in Figure C.
Figure C: Web site access is allowed after agreeing to the corporate Terms Of Service agreement
Configuring the WebTOS Software on a Web Listener used for a Web Publishing Rule
A Terms Of Service form can also be configured for users accessing Web sites published using Web Publishing Rules. In the following example I've published the OWA Web site using HTTP to HTTP bridging. This is for demonstration purposes only, because HTTP to HTTP bridging for access to OWA Web sites is a security nightmare and should never be done in a production environment. However, to save me some time in creating the certificates and deploying them to the ISA firewall's Web listener, I'm using HTTP to HTTP here as an example only.
Perform the following steps after the WebTOS software is installed and you've created the Web Publishing Rule for the Web site. In this example the HTTP Web listener was created when I created the Web Publishing Rule. You also have the option of creating the Web listener before creating the Web Publishing Rule, but that's not how I did it in this example. Here are the steps I followed:
- Open the ISA firewall console and click the Firewall Policy node in the left pane of the console.
- Click the Toolbox tab in the Task Pane and click the Web Listeners folder.
- Double click the Web listener used in the Web Publishing Rule. In this example, the name of the Web listener is HTTP Listener.
- Click the WebTOS tab and put a checkmark in the This listener will display a Terms-of-Service screen checkbox. You have two options for when the Terms Of Service screen should appear: Once for every browser session, or a number of Hours after the user's last agreement time or Hours after the user's last Web access. You have the same options regarding exceptions to the Terms Of Service page, based on User Agent, IP Address and URL. There are two ways you can enter the User Agent, IP Address or URL: as a regular expression (REGEX) or as a simple string (the actual User Agent, IP address or URL). Click the button next to any of the text boxes to enter a simple string; if you want to enter a regular expression, type it directly into the text box. You also have the same options regarding Show TOS if requests match all and Exempt requests matching any. See Figure D.
Figure D: Configuring WebTOS to present a Terms Of Service page for a published Web site
- Click Apply and then click OK.
Now go to the OWA Web site. You'll see what appears in Figure E.
Figure E: The Terms Of Service page appears before access is allowed to the published OWA Web site
Click I Agree and you'll see the OWA logon page presented by the FBA filter, or the log on dialog box, shown in Figure F.
Figure F: The ISA firewall's forms-based authentication page appears
Finally, the OWA site appears as shown in Figure G.
Figure G: The user's mailbox appears after successfully authenticating
Customizing the WebTOS Web pages
The out-of-the-box Terms Of Service pages are pretty nice, but I'm sure you'll want to customize the pages to meet your own requirements and put your own company's branding on them. The good news is that if you're handy with HTML, or can use an HTML editor, then you can configure the pages to meet your requirements.
There are just a few issues and limitations:
- The ISA firewall isn't a full-featured Web server, so you can't get fancy with server side scripting. This includes ASP code.
- The HTML files are located at \Program Files\MS ISA Server\Collective Software\WebTOS\HTML Files. Note that you can't create any subdirectories under this folder, so all your files must remain here. Also note that if you're using ISA Server 2004 Enterprise Edition, then you need to mirror your customizations on each ISA firewall array member.
- You can use the following file extensions: .jpg, .jpeg, .gif, .png, .css and .js
- The default files are: TOS_proxy.htm, TOS_published.htm, default.css and a bunch of .gif files. You can edit these files, but make sure to save them with the same names. Otherwise, you'll need to make sure that you change the relevant references in the .css file.
The example pages include comments to get you up and running.
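As an added example for this article (not part of WebTOS or Collective Software's tooling), the following Python script checks a customization folder against the limitations listed above before you copy it onto the firewall, and copies a validated folder flat to other array members for Enterprise Edition deployments. The sample folder contents, the array member paths and the constant naming the WebTOS folder are mine (the page gives the path without a drive letter), as is the assumption that .htm files are permitted because the two default pages use that extension.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Location of the WebTOS HTML files as given in the article; the drive is
# whichever one ISA Server is installed on (assumed here).
WEBTOS_FOLDER = r"\Program Files\MS ISA Server\Collective Software\WebTOS\HTML Files"

# Extensions the article lists for your own files, plus .htm (assumed allowed
# because the default pages are .htm).
ALLOWED_EXT = {".htm", ".jpg", ".jpeg", ".gif", ".png", ".css", ".js"}
REQUIRED_FILES = {"TOS_proxy.htm", "TOS_published.htm", "default.css"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


def check_folder(folder) -> list:
    """Return a list of problems; an empty list means the folder is deployable."""
    folder = Path(folder)
    problems = []
    files = {p.name for p in folder.iterdir() if p.is_file()}
    for p in sorted(folder.iterdir()):
        if p.is_dir():
            problems.append(f"subdirectory not allowed: {p.name}")
        elif p.suffix.lower() not in ALLOWED_EXT:
            problems.append(f"unsupported extension: {p.name}")
    for name in sorted(REQUIRED_FILES - files):
        problems.append(f"default file missing or renamed: {name}")
    # Every url(...) in a stylesheet must point at a file sitting in this folder.
    for css in sorted(folder.glob("*.css")):
        for ref in CSS_URL.findall(css.read_text(errors="replace")):
            ref = ref.split("?", 1)[0]
            if ref.startswith(("http://", "https://", "data:")):
                continue                       # external resource, left alone
            if "/" in ref or "\\" in ref or ref not in files:
                problems.append(f"{css.name}: reference '{ref}' does not resolve to a file in the folder")
    # The ISA firewall serves these pages statically, so ASP tags would never run.
    for page in sorted(folder.glob("*.htm")):
        if "<%" in page.read_text(errors="replace"):
            problems.append(f"{page.name}: contains ASP-style server-side script, which the ISA firewall will not execute")
    return problems


def mirror(folder, members) -> list:
    """Copy a validated folder flat to each array member path (Enterprise
    Edition). Refuses to copy a folder that fails check_folder; returns the
    destination paths written."""
    problems = check_folder(folder)
    if problems:
        raise ValueError("fix before mirroring: " + "; ".join(problems))
    copied = []
    for member in members:
        dest = Path(member)
        dest.mkdir(parents=True, exist_ok=True)
        for f in Path(folder).iterdir():
            if f.is_file():
                shutil.copy2(f, dest / f.name)
                copied.append(str(dest / f.name))
    return copied


def build_sample(root: Path, broken: bool) -> Path:
    """Create a constructed sample folder; broken=True seeds the mistakes the
    article warns about (a subdirectory, an .asp file, ASP in a page, a CSS
    reference into the subdirectory)."""
    root.mkdir(parents=True)
    (root / "TOS_proxy.htm").write_text("<html><!-- page for Protected Networks --></html>")
    (root / "TOS_published.htm").write_text("<html><!-- page for Web listeners --></html>")
    (root / "logo.gif").write_bytes(b"GIF89a")
    css = "body { background: url(logo.gif); }"
    if broken:
        (root / "images").mkdir()
        (root / "banner.asp").write_text('<% Response.Write("hi") %>')
        (root / "TOS_proxy.htm").write_text("<html><% =Now() %></html>")
        css = "body { background: url('images/logo.gif'); }"
    (root / "default.css").write_text(css)
    return root


def demo():
    """Check a good and a broken sample folder in a temporary directory and
    mirror the good one; returns (good_problems, bad_problems, mirrored_names)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_sample(Path(tmp) / "good", broken=False)
        bad = build_sample(Path(tmp) / "bad", broken=True)
        good_problems = check_folder(good)
        bad_problems = check_folder(bad)
        mirrored = sorted(Path(p).name for p in mirror(good, [Path(tmp) / "member2"]))
    return good_problems, bad_problems, mirrored


if __name__ == "__main__":
    g, b, m = demo()
    print("good folder:", g or "no problems")
    for p in b:
        print("broken folder:", p)
    print("mirrored:", m)
```

Run it against a staging copy of the folder before touching the firewall; the checks are static and do not need ISA Server installed on the machine that runs them.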
Terms Of Service agreements enable users on ISA firewall Protected Networks to agree to the corporate network usage policy, and allow external users to agree to provisions regarding remote access to corporate hosted Web resources. Even though I already mentioned it once, one important issue to keep in mind with Terms Of Service pages is that you have your corporate legal department create or review the Terms Of Service pages presented to users. You can use your own programming skills and resources to create a Terms Of Service page solution using the ISA firewall, or you can use WebTOS. We reviewed what the WebTOS application does and how you can make it work in your environment.