A lot of potential problems that users get themselves into
can be solved with a little bit of education and policies up front. Even a
simple warning can be enough to keep users from doing things they shouldn’t. In
this article we’ll focus on how to enable a Terms Of
Service page to be presented to Web users on both ISA firewall Protected
Networks and users who access Web sites published by the ISA firewall.
Using Terms Of Service pages to solve compliance
As regulatory compliance issues become increasingly
important in firewalled environments, the more important it is that ISA
firewall administrators have the ability to provide a basic Terms Of Service agreement page before users can access Web sites.
While most companies may have required users to sign a network usage policy
document before enabling access to the Internet, there may still be companies
out there who have not yet implemented such a policy.
A Terms Of Service page can be used to either reinforce what
was already agreed upon in the company’s network usage policy document, or if
the company does not have such as document, you can use the Terms Of Service
page to inform users of the current policy and require them to click I Agree before enabling them access to
In an ideal situation, you could require users on ISA
firewall Protected Networks to agree to network usage policy for all protocols, instead of just Web
protocols that are mediated by the ISA firewall’s Web proxy filter. However,
this would be a challenging configuration and management situation, because the
user agent software would be unaware of the Terms Of
Service page, and applications such as POP3, NNTP or SMTP applications (and
many others) would not be able to accommodate these requirements. There might
be ways around this, but most would require a level of sophistication on the
end-user’s part that falls outside what we see in typical firewalled
Another scenario where a Terms Of
Service page would be useful is for Web publishing rules. In this scenario,
users are typically anonymous, or if they are not anonymous, they might not be
part of the organization, such as what happens when Web Publishing Rules are used
to enable partner access to corporate Web sites. In this situation, you might
want to provide a more comprehensive Terms Of Service
page that includes detailed information about what users are allowed and not
allowed to do when accessing corporate managed Web sites.
Legal input is required for Terms Of Service pages
In both inbound and outbound scenarios, I highly recommend
that you confer with your company’s legal experts about what to include, and
what not to include, in a Terms Of Service Web page. This
is critical because the wording of the Terms Of
Service can and will be used for (and against) you in a court of law.
This is especially important in situations where you
implement bridging of encrypted communications, such as when you publish SSL-secured
Web sites. The ISA firewall has complete access to the otherwise encrypted
content and users should be aware of the situation before conducting
transactions that they may otherwise consider to be encrypted from source to
Configuring the ISA firewall to provide a Terms Of
OK, so how do you get a Terms Of
Service page to appear for both users on ISA firewall Protected Network and for
external users accessing corporate Web sites via Web Publishing Rules? Well,
you could learn to be a programmer and come up with your own solution.
A better solution is to use a great, cost-effective third
party tool named WebTOS. The WebTOS software
enables you to create the type Terms Of Service pages
we’ve been discussing for both users on ISA firewall Protected Networks and for
external users accessing Web content via Web Publishing Rules. WebTOS is a very nice and simple solution for the problem
of providing a Terms Of Service page for external and
However, before deploying WebTOS,
you should know some things about what it can and cannot do:
can create one customizable Terms Of Service page for hosts on ISA
firewall Protected Networks
can enable Terms Of Service pages on a per-listener basis
Terms Of Service pages are presented before any ISA firewall
authentication takes place; so you can enable Terms Of Service pages even
for sites that require the ISA firewall to authenticate users before
can configure each Web listener with a Terms Of
Service page. Each listener can be configured with a customized exception
list for clients that do not support Terms Of
Service pages. This allows clients who do not support Terms Of Service pages (such as the OMA, ActiveSync and
RPC/HTTP clients) to connect without being exposed to the Terms Of Service
on ISA firewall Protected Networks will only be presented with a Terms Of Service page for HTTP connections. SSL connections
will not elicit a Terms Of Service page. The same
is true for all other protocols not mediated by the Web proxy filter.
The rest of this article will demonstrate how you can use WebTOS to present a Terms Of Service page to uses on ISA
firewall Protected Networks and to external users accessing corporate content
via Web Publishing Rules.
Installing the WebTOS software
The first step is to install the WebTOS
software. Perform the following steps to install WebTOS:
to the Collective Software
Web site and download WebTOS evaluation version.
the ISA firewall console is open, close it. This will prevent you from
having to close and reopen the ISA firewall console after the WebTOS software is installed.
click on the WebTOS.msi
on the Welcome to the Collective
Software WebTOS v1.0.3 Setup Wizard page.
the I accept the terms in the
License Agreement option and click Next after reading the
the Complete button.
the Ready to Install page,
Finish on the Completing the Collective Software WebTOS v1.0.3 Setup
OK on the Collective Software WebTOS v1.0.3 Setup dialog box informing you to
restart the firewall service before using WebTOS.
Configuring the WebTOS software on an ISA firewall-
Now let’s see how the WebTOS
the ISA firewall console.
the ISA firewall console, expand the server name and then click the
the Services tab in the details pane of the ISA firewall console.
click the Microsoft Firewall service and click Stop.
the Status of the Microsoft Firewall service shows Stopped, then right
click the Microsoft Firewall service again and click Start.
the Configuration node in the left pane of the ISA firewall console and
click the Networks node.
click on one of your ISA firewall Protected Networks. In this example we’ll
see how it works with the default Internal Network, but the same
principles would apply for any other ISA firewall Network you create.
Yes in the Collective Software WebTOS dialog box.
the Internal Properties dialog box, click the WebTOS
the WebTOS page, put a checkmark in the This listener will display a Terms-of-Service screen
checkbox. The first option you have is to determine how often the Terms Of Service page should reappear to the user. You have
two options: after the user’s last agreement time and after the user’s
last Web access. You can enter the number of hours the Terms Of Service page will reappear based on when the user
last agreed to the Terms Of Service or when the user last accessed the
web. I prefer the number of hours since the user’s last agreement, as it
keeps the users on their toes.
Notice that there are three text boxes available for you to
enter information for requests that should not be presented with the Terms Of Service form: User Agent, IP Address and URL. The User
Agent text box is used to prevent certain browsers and other Web applications
from being presented with the form. For example, the OWA, OMA, ActiveSync and
RPC/HTTP clients are not able to respond to the form, so their connections
would fail if the form were presented to them. You just enter the User Agent
string presented by these apps in the User Agent text box to prevent the form
from being presented to this applications. The IP
Address box allows you to exclude clients based on source IP address.
There are two ways you can enter the User Agent, IP Address
or URL: using a regular expression (REGEX) or by entering simple strings (the
actual User Agent, IP address or URL). Click the button next to any of the text
boxes to enter the simple string. If you want to enter a regular expression,
then just enter it into the text box. In addition, you can put the entries in
either the Show TOS if requests match all or the Exempt requests matching any,
which provides you a lot more flexibility in terms of who is and is not
presented with a Terms Of Service form. See Figure A.
|Configuring WebTOS on the default Internal
Click Apply and
then click OK. Click Apply
to save the changes and update the firewall policy and Click OK in the Apply New Configuration dialog box.
Now let’s see what happens when we try to access a Web site
from a SecureNAT client on the default Internet Network. Open the browser and
go to TechProGuild. You’ll be
presented with the screen shown in Figure B.
|The WebTOS Terms Of
Service page appears before allowing access to the Web site
After clicking the I
Agree button you’ll see something like the screen in Figure C.
|Web site access is allowed after agreeing to the corporate Terms Of Service agreement|
Configuring the WebTOS Software on a Web Listener
used for a Web Publishing Rule
A Terms Of Service form can also be
configured for users accessing published Web sites that are published using Web
Publishing Rules. In the following example I’ve published the OWA Web site
using HTTP to HTTP bridging. This is for demonstration purposes only, because
HTTP to HTTP bridging for access to OWA Web sites is a security nightmare and
should never be done in a production environment. However, to save me some time
in creating the certificates and deploying them to the ISA firewall’s Web
listener, I’m using HTTP to HTTP here as
an example only.
Perform the following steps after the WebTOS
software is installed and you’ve created the Web Publishing Rule for the Web
site. In this example the HTTP Web listener was created when I created the Web
Publishing Rule. You also have the option of creating the Web listener before
creating the Web Publishing Rule, but that’s not how I did it in this example.
Here are the steps I followed:
the ISA firewall console and click the Firewall Policy node in the left pane of the console.
the Toolbox tab in the Task
Pane and click the Web Listeners
click the Web listener used in the Web Publishing Rule. In this example,
the name of the Web listener is HTTP
tab and put a checkmark in the This listener
will display a Terms-of-Service screen. You have two options for when
the Terms Of Service screen should appear: Once for every browser session and
number of Hours after the user’s last agreement time
or Hours after the user’s last Web
access. You have the same options regarding exceptions to the Terms Of Service page, based on User Agent, IP Address
and URL. There are two ways you
can enter the User Agent, IP Address or URL: using a regular expression (REGEX) or by entering simple
strings (the actual User Agent, IP address or URL). Click the button next
to any of the text boxes to enter the simple string. If you want to enter
a regular expression, then just enter it into the text box. You also have
the same options regarding Show TOS
if requests match all and Exempt
requests matching any. See figure D.
|Configuring WebTOS to present a Terms Of Service page for a published Web site|
Apply and then click OK.
Now go the OWA Web site. You’ll see what appears in Figure
|The Terms Of Service page appears before access is
allowed to the published OWA Web site
Click I Agree and
you’ll see the OWA logon page presented by the FBA filter, or the log on dialog
box, shown in Figure F.
|The ISA firewall’s forms-based authentication page appears|
Finally, the OWA site appears as shown in Figure G.
|The user’s mailbox appears after successfully authenticating|
Customizing the WebTOS Web pages
The out of the box Terms Of Service
pages are pretty nice, but I’m sure you’ll want to customize the pages to meet
your own requirements and put your own company’s branding on them. The good
news is that if you’re handy with HTML, or can use an HTML editor, then you can
configure the page to meet your requirements.
There are just a few issues and limitations:
ISA firewall isn’t a full-featured Web server, so you can’t get fancy with
server side scripting. This includes ASP code.
HTML files are located at \Program
Files\MS ISA Server\Collective Software\WebTOS\HTML
Files Note that you can’t create any subdirectories under this, so all
your files must remain here. Note that if you’re using ISA Server 2004
Enterprise Edition, then you need to mirror your customizations on each
ISA firewall array member.
can use the following file extensions: .jpg, .jpeg, .gif, .png, .css and .js
default files are: TOS_proxy.htm,
and a bunch of .gif files. You can edit these files, but make sure to save
them with the same names. Otherwise, you’ll need to make sure that you
change the relevant references in the .css file.
The example pages include comments to get you up and
Terms Of Service agreements enable
users on ISA firewall Protected Networks to agree to the corporate network
usage policy, and allow external users to agree to provisions regarding remote
access to corporate hosted Web resources. Even thought I already mentioned it
once, one important issue to keep in mind with Terms Of
Service pages is that you have your corporate legal department create or review
the Terms Of Service pages presented to users. You can use your own programming
skills and resources to create a Terms Of Service page
solution using the ISA firewall, or you can use WebTOS.
We reviewed what the WebTOS application does and how
you can make it work in your environment.