SolutionBase: Using ISA Server 2004's HTTP Security Filter to block instant messengers and peer-to-peer applications

Entering a signature to block MSN Messenger

This gallery is also available as a TechRepublic article.

The ISA firewall's HTTP security filter controls outbound access by acting as an additional gate behind the access rules that allow HTTP through the ISA firewall. Even when an access rule allows the connection, the traffic is still subjected to application-layer inspection, and the ISA firewall passes the communication only after it clears those checks.

You can also use the HTTP security filter to block many different instant messenger applications. Not only can the HTTP security filter block instant messenger applications, it can also block many risky peer-to-peer applications, such as eDonkey, eMule, Kazaa, Morpheus, BearShare, and BitTorrent. In this article, I'll show you how it works.

Instant messenger caveats

One thing to keep in mind when using the HTTP security filter to block instant messenger and peer-to-peer applications is that control is exerted only when the client application uses HTTP. If the client can reach the Internet over a protocol other than HTTP, the HTTP security filter cannot stop it. You must therefore apply the principle of least privilege carefully if you want to block applications that can also use other protocols to connect to the Internet.

This is difficult without a well-crafted outbound access control policy. For example, some instant messenger and P2P applications scan all ports, or a large number of ports, before falling back to HTTP to reach the Internet. You therefore need to configure your firewall policy so that protocols other than HTTP are allowed only to specific sites, and if users do not need protocols other than HTTP at all, do not create any access rules that allow them.

Another method you can use for some of the instant messenger or P2P applications is to block a critical server or block of IP addresses that the client must connect to before it becomes fully operational. In this case, you won't use the HTTP security filter to block sites. Instead, you use Network Objects such as Domain Name Sets, URL Sets, Computer Sets, or even Networks and Network Sets.

To demonstrate how to configure the settings, I'll show you how to set the HTTP security filter to block MSN Messenger and BitTorrent extensions. At the ISA firewall console, right-click the Access Rule you created earlier and click the Configure HTTP command to open the Configure HTTP policy for rule dialog box. Then perform the following steps:

1. In the Configure HTTP policy for rule dialog box, click the Signatures tab.

2. On the Signatures tab, click the Add button.

3. In the Signature dialog box, enter MSN Messenger in the Name text box. Select the Request headers option from the Search in drop-down list. In the HTTP header text box, enter User-Agent: and in the Signature text box, enter MSN Messenger. Your Signature dialog box should look like the one in Figure A. Click OK.

4. Click the Extensions tab. On the Extensions tab, select the Block specified extensions (allow all others) option from the Specify the action taken for file extensions drop-down list. Click the Add button.
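The two points the walkthrough makes, that the filter only sees HTTP the access rule has already allowed, and that the policy built in steps 1 through 4 is a request-header signature plus a blocked extension, can be modelled in a few lines. The following Python is an added example written for this article, not ISA Server code or Microsoft's. It assumes the signature is a plain substring match on the named request header, uses .torrent as the blocked extension (the page does not say which extension you add), and every HTTP request in it is constructed, not captured traffic.

```python
"""Added model of ISA Server 2004's outbound path: an Access Rule decides
whether a connection is permitted at all; only HTTP that the rule allows is
then handed to the HTTP security filter for signature and extension checks.
Illustration code, not ISA's own; the sample requests are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HeaderSignature:
    """One entry on the Signatures tab with 'Search in' = Request headers."""
    name: str      # display name, e.g. "MSN Messenger"
    header: str    # HTTP header text box, e.g. "User-Agent"
    pattern: str   # Signature text box; assumed to be a plain substring match


@dataclass(frozen=True)
class HttpPolicy:
    signatures: tuple
    blocked_extensions: frozenset   # Extensions tab: block these, allow others


@dataclass(frozen=True)
class AccessRule:
    allowed_protocols: frozenset    # protocols the rule lets outbound


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def path_extension(target: str) -> str:
    """Extension of the last path segment, ignoring the query string."""
    last = urlsplit(target).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def http_filter_verdict(policy: HttpPolicy, raw: bytes) -> str:
    """What the HTTP security filter does with a request the rule allowed."""
    _method, target, headers, _body = parse_request(raw)
    for sig in policy.signatures:
        if sig.pattern in headers.get(sig.header.lower(), ""):
            return f"blocked by signature '{sig.name}'"
    ext = path_extension(target)
    if ext in policy.blocked_extensions:
        return f"blocked by extension .{ext}"
    return "allowed"


def firewall_verdict(rule: AccessRule, policy: HttpPolicy,
                     protocol: str, raw: bytes = b"") -> str:
    """Rule first, filter second; non-HTTP protocols never reach the filter."""
    if protocol not in rule.allowed_protocols:
        return "denied by access rule"
    if protocol != "HTTP":
        return "allowed without HTTP inspection"
    return "HTTP filter: " + http_filter_verdict(policy, raw)


# Policy from the walkthrough: one User-Agent signature plus a blocked
# extension. ".torrent" is this example's choice; the page does not list one.
POLICY = HttpPolicy(
    signatures=(HeaderSignature("MSN Messenger", "User-Agent", "MSN Messenger"),),
    blocked_extensions=frozenset({"torrent"}),
)
HTTP_ONLY = AccessRule(frozenset({"HTTP"}))
HTTP_AND_MSNP = AccessRule(frozenset({"HTTP", "MSN Messenger"}))

# Constructed sample requests (not captured traffic).
MSN_OVER_HTTP = (b"GET /gateway/gateway.dll?Action=open HTTP/1.1\r\n"
                 b"Host: gateway.messenger.example\r\n"
                 b"User-Agent: MSN Messenger 7.0\r\n\r\n")
TORRENT_FILE = (b"GET /pub/distro.torrent?mirror=3 HTTP/1.1\r\n"
                b"Host: files.example\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n")
PLAIN_BROWSE = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n")


if __name__ == "__main__":
    print(firewall_verdict(HTTP_ONLY, POLICY, "HTTP", MSN_OVER_HTTP))
    print(firewall_verdict(HTTP_ONLY, POLICY, "HTTP", TORRENT_FILE))
    print(firewall_verdict(HTTP_ONLY, POLICY, "HTTP", PLAIN_BROWSE))
    # The caveat: a rule that also allows the native protocol bypasses the filter.
    print(firewall_verdict(HTTP_ONLY, POLICY, "MSN Messenger"))
    print(firewall_verdict(HTTP_AND_MSNP, POLICY, "MSN Messenger"))
```

The last two calls are the point of the caveat section: with an HTTP-only rule the native MSN Messenger protocol is simply denied, but the moment a second rule allows it, the same client gets through with no signature check at all, because the HTTP security filter only ever inspects HTTP. Note also that the extension check keys on the path, so a tracker request with no file extension is not caught by the Extensions tab; that is the kind of traffic the Network Object approach in the previous section is for.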