Let ISA Server keep your users from surfing to places they shouldn't

The Internet presents a world of temptation to your users. John Sheesley shows you how ISA server can keep them from visiting nonwork-related Web sites.


Connecting your network to the Internet doesn't always make your users more productive. Some users have other ideas for using unrestricted access to the Internet, such as checking sports scores, catching up on celebrity gossip, or even surfing to porn sites. Not only does such activity interfere with work time, it also consumes valuable network bandwidth and can open up your company to legal issues.

So how do you control where users go on the Internet? If you’re running ISA Server, you only have to go as far as your server. From there, you can configure special rules that dictate which Web sites users can and can't visit.

Choosing the right method
You have two choices when deciding how to block access to forbidden sites. First, you can block access to all Web sites and then only allow users to go to certain sites. Alternatively, you can allow users to access all sites, but then explicitly deny access to certain sites.

The method you choose will depend a lot on your corporate environment. It’s a good idea not to make the decision unilaterally but to base it on input from the users and, most importantly, your organization’s management. If you make the decision yourself, and it makes perfect sense to you but doesn’t reflect the needs of your users or your corporate culture, your users may wind up burning you in effigy, or management may come screaming in asking why your blocking policies aren’t consistent. When everyone understands the reasons for the policy and its implications, it will go down a little easier.

Author's note
Depending on the version of ISA Server you’re using, you can set policies on an individual server level or an enterprise level. Enterprise-level policies will apply to all ISA servers in the array. For the purposes of this Daily Feature, I’ll look at individual ISA servers. If you’re using enterprise policies, the only differences in the instructions will be that you’ll select choices from the Enterprise object in the Tree pane and not from the Servers And Arrays object.

Block all, allow a few
To block access to all Web sites except for those on an approved list, you must first create a list of approved sites. You’ll need to know the URLs and/or the IP addresses of the sites that users will be allowed to access. Because IP addresses can sometimes change, URLs might be a better choice.

Don’t worry about listing individual URLs for Web sites in the same domain such as www.microsoft.com and support.microsoft.com. When it comes time to enter the list, you can use wildcard characters to allow everything in a certain domain. However, if you would want to allow support.microsoft.com but not www.microsoft.com, you’ll need to list the exact URL.

With your list of approved sites in hand, you’re ready to create your policy. To begin, you’ll need to start the ISA Management MMC. Click Start | Programs | Microsoft ISA Server | ISA Management. In the Tree pane, expand the Servers And Arrays object to view all of the servers running ISA Server. Click the plus sign next to the first server and then double-click Policy Elements.

In the right pane, you’ll see several folders. Right-click Destination Sets and click New | Set. When the New Destination Set window appears, enter the name for your list in the Name field. You can call the list anything you want. You can also enter a detailed description for the list in the Description field.

To add an allowed destination, click Add. You’ll then see the Add/Edit Destination window appear. Please note that you can only enter one destination at a time. You can either enter the specific URL in the Destination field or select IP Addresses and enter the range of allowed addresses in the From and To ranges. After you’ve entered the information for the first allowed address, click OK. You can then click Add to add another destination or click OK to save your changes.

Next, double-click Access Policy in the Tree pane. Right-click Site And Content Rules and click New | Rule. When the New Site And Content Rule wizard appears, enter a name such as Allowed Web Sites in the Site And Content Rule Name field. Click Next to continue.

You’ll then see the Rule Action window. Select Allow and click Next. The Rule Configuration window will then appear. By default, the Allow Access Based On Destination radio button is selected. There’s nothing to change on this page, so click Next to continue.

The Destination Sets window will appear next. Select Specified Destination Set from the Apply This Rule To drop-down list. When you do, you’ll see the Names drop-down list appear. Select the name of the destination set that you created above from the Names drop-down list and then click Next.

Finally, you’ll see a summary screen displaying all of the selections you made when running the wizard. Make sure all the information is correct. If you need to make a change, click Back to go backwards through the wizard’s screens. Make the corrections and then click Next to go forward again. If everything’s correct, click Finish.

Allow all, block a few
Now let’s look at the exact opposite: allowing users to access the Internet with the exception of a specific list of forbidden Web sites. To begin, you’ll need a list of blocked sites; as with the list of allowed sites, you’ll need a URL and/or an IP address for each site you want to block. In this instance, it’s a good idea to get the IP addresses of the sites you want to block in addition to the URLs. If you block only the URL and not the IP address, users can still reach the Web site by using an alternate URL or by entering the IP address directly in the browser.

After you have your list of blocked sites, you’re ready to create your policy. The basic procedure is the same for blocking a few sites as it was for allowing a few sites. Start the ISA Management MMC and create a destination set. Except this time, the destination set will list the sites you want to block, not the sites you want to allow.

After you create the destination set, you’ll need to start the New Site And Content Rule wizard, just as I explained before. However, after naming the rule and clicking Next, you’ll select Deny on the Rule Action screen.

When you click Next on the Rule Action screen, you’ll see the Rule Configuration screen. By default, Deny Access Based On Destination should be selected. You don’t need to change anything if it is; just click Next to continue. If it’s not selected, select it and click Next.

The Destination Sets window then appears. Select Specified Destination Set from the Apply This Rule To drop-down list. When you do, you’ll see the Names drop-down list appear. Select the name of the destination set that you created from the Names drop-down list and then click Next.

Finally, you’ll see a summary screen displaying the selections you made when running the wizard. Ensure your selections are correct, and if so, click Finish, and you're done. If your selections need to be changed, follow the same steps I described above on how to go back through the wizard to make changes.
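To make the two policy styles concrete, here is a small Python model of destination sets and site and content rules that covers both the block-all/allow-a-few and allow-all/block-a-few procedures above. It is an added illustration written for this article, not ISA Server's code or its administration object model. It assumes ISA's rule evaluation (a matching Deny rule wins over any Allow rule, and a request with no matching Allow rule is denied), shell-style wildcards for host names, and inclusive From/To address ranges; the host names and the 203.0.113.x addresses in the sample sets are constructed. It also shows the two caveats from the text: a wildcard such as *.microsoft.com covers every host in the domain, while an exact entry covers only that host, and a blocked set that lists only a URL still lets a user through by typing the site's IP address until the address range is added.

```python
"""Toy model of ISA Server-style destination sets and site and content rules.

Added illustration only; not ISA Server's code or object model. Evaluation
semantics (deny wins, implicit deny), wildcard matching and the sample data
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class DestinationSet:
    """A named list of destinations, as entered in the New Destination Set window."""
    name: str
    # Host patterns such as "*.microsoft.com" or an exact "support.microsoft.com".
    hosts: List[str] = field(default_factory=list)
    # Inclusive (From, To) address ranges, as in the IP Addresses option.
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            addr = ip_address(host)          # the user typed a literal address
        except ValueError:
            addr = None
        if addr is not None:
            for lo, hi in self.ip_ranges:
                lo, hi = ip_address(lo), ip_address(hi)
                if lo.version == addr.version and lo <= addr <= hi:
                    return True
            return False                     # a bare IP never matches a host pattern
        return any(fnmatchcase(host, pat.lower()) for pat in self.hosts)


@dataclass
class SiteRule:
    """One site and content rule: Allow or Deny for a destination set (None = all destinations)."""
    name: str
    action: str                               # "allow" or "deny"
    destination: Optional[DestinationSet] = None

    def applies_to(self, host: str) -> bool:
        return self.destination is None or self.destination.matches(host)


def decide(rules: List[SiteRule], url: str) -> Tuple[str, str]:
    """Return (verdict, rule name). Deny rules win; with no matching Allow rule the request is denied."""
    host = urlsplit(url).hostname or ""
    hits = [r for r in rules if r.applies_to(host)]
    for r in hits:
        if r.action == "deny":
            return "deny", r.name
    for r in hits:
        if r.action == "allow":
            return "allow", r.name
    return "deny", "implicit deny (no matching allow rule)"


# --- Block all, allow a few: a single Allow rule bound to the approved set ---
APPROVED = DestinationSet("Approved Sites", hosts=["*.microsoft.com", "microsoft.com"])
ALLOW_FEW = [SiteRule("Allowed Web Sites", "allow", APPROVED)]

# Same policy style, but with one exact host: www.microsoft.com is NOT covered.
SUPPORT_ONLY = [SiteRule("Allowed Web Sites", "allow",
                         DestinationSet("Support Only", hosts=["support.microsoft.com"]))]


# --- Allow all, block a few: a catch-all Allow plus a Deny bound to the forbidden set ---
def block_few(include_ip_range: bool) -> List[SiteRule]:
    """Constructed forbidden set; 203.0.113.10 stands in for the blocked site's address."""
    forbidden = DestinationSet("Forbidden Sites", hosts=["*.gossip.example", "gossip.example"])
    if include_ip_range:
        forbidden.ip_ranges.append(("203.0.113.10", "203.0.113.10"))
    return [SiteRule("Allow everything", "allow"),
            SiteRule("Blocked Web Sites", "deny", forbidden)]


if __name__ == "__main__":
    for label, rules in (("allow-few", ALLOW_FEW), ("support-only", SUPPORT_ONLY),
                         ("block-few (URL only)", block_few(False)),
                         ("block-few (URL + IP)", block_few(True))):
        for url in ("http://support.microsoft.com/kb/1", "http://www.microsoft.com/",
                    "http://www.gossip.example/", "http://203.0.113.10/"):
            print(f"{label:22} {url:36} -> {decide(rules, url)}")
```

Running the block prints a verdict table; the row for http://203.0.113.10/ under "block-few (URL only)" is the gap the text warns about, and it closes once the address range is in the set.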

Conclusion
The Internet presents many temptations to your users and can quickly divert them from their work. Fortunately, you can use ISA Server to restrict Web surfing and cut down on wasted bandwidth. Take some time to decide on the proper policy for your network and then gather your list. ISA Server will do the rest.