[Figure: Entering a signature to block MSN Messenger]
[Figure: Entering an extension to block BitTorrent connections]
[Figure: Exporting the HTTP security configuration using the httpfilterconfig.vbs script]
[Figure: The Add Protocols dialog box]
- The client was configured as a Web proxy client, Firewall client and SecureNAT client. The SecureNAT client configuration is not required, but DHCP had already set the client's default gateway to the ISA firewall, which is all that makes a machine a SecureNAT client.
- The client was a member of the same Active Directory domain as the ISA firewall
- The ISA firewall was a member of the Active Directory domain, so that we can fully leverage the security provided by the Firewall client
- A WPAD entry was created in DNS so that the client could autodetect the ISA firewall
- A Computer network object was created for the DNS server so that it could be used as the source of an Access Rule
- An Access Rule was created to allow the DNS server outbound access to the DNS protocol (ISA Server 2004 uses Access Rules rather than the Protocol Rules of ISA Server 2000)
- The properties of the default Internal network were configured so that the settings on the Firewall Client tab configure the Web browser to use the FQDN of the ISA firewall instead of the default, which is the NetBIOS name of the ISA firewall. In addition, only the automatic configuration script setting was enabled.
Note that autodiscovery is not required, since you can configure the Firewall client manually. Nor is the Firewall client itself required, because the Web proxy client can authenticate with the ISA firewall on its own, but I always deploy the Firewall client on client operating systems, so I saw no reason to change that for the demo.
Create the Access Rule
Before we test the configuration, let's create the Access Rule that allows the DNS server outbound access to the DNS protocol. We'll also create the DNS server Computer object "on the fly" while creating the Access Rule:
- In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
- Click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
- On the Welcome to the New Access Rule Wizard page, enter DNS Outbound in the Access Rule name text box and click Next.
- On the Rule Action page, select the Allow option and click Next.
- On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
- In the Add Protocols dialog box, click the Common Protocols folder and then double click the DNS entry. Click Close.
- Click Next on the Protocols page.
- On the Access Rule Sources page, click the Add button.
- In the Add Network Entities dialog box, click the New menu and click Computer.
- In the New Computer Rule Element dialog box, enter DNS Server in the Name text box and the IP address of the DNS server in the Computer IP Address text box. Click OK.
[Figure: The New Computer Rule Element dialog box]
[Figure: The Add Network Entities dialog box]
- In the Add Network Entities dialog box (Figure F), click the Computers folder and then double click the DNS Server entry. Click Close.
- Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button.
- In the Add Network Entities dialog box, double click the External entry and click Close.
- Click Next on the Access Rule Destinations page.
- On the User Sets page, accept the default setting, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
[Figure: Firewall policy used to support the demo]
[Figure: Error dialog box that appears when MSN Messenger fails to connect]
[Figure: Adding columns to the ISA firewall's log viewer]
[Figure: Log file entries showing connections blocked by the HTTP security filter]
[Figure: Editing the log filter settings to display only connections blocked by the HTTP security filter]
[Figure: Log file entries filtered to show only those blocked by the HTTP security filter]
[Figure: The Sessions tab in the ISA firewall's Monitoring node]
[Figure: Entering an extension to block BitTorrent connections]
5. In the Extension dialog box shown above, enter .torrent in the Extension text box. Click OK.
6. Click Apply in the Configure HTTP policy for rule dialog box.
7. Enter the remainder of the entries in tables 1 and 2. If that's too much work for you, read on: I'll show you a way to export this configuration to an .xml file and then import it on another machine. Since I've already created the .xml file for you, all you'll need to do is import the settings from it.
8. After entering all the entries, click OK in the Configure HTTP policy for rule dialog box.
9. Click Apply to save the changes and update the firewall policy.
10. Click OK in the Apply New Configuration dialog box.
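To make clear what the Extensions and Signatures tabs actually test, here is a small Python model of the two checks, added as an example for this page; it is not ISA Server 2004 code. The host names, request lines and the body signature are constructed for illustration, and MSMSGS is assumed here as the User-Agent string that identifies MSN Messenger. The model also shows the two edge cases a practitioner should verify on a real firewall: an extension check must look at the path only (a query string or a differently cased extension must not bypass it), and a body signature is only found inside the byte range the filter inspects.

```python
"""Model of the HTTP Security filter's extension and signature checks.

Added example, not ISA Server 2004 code: it applies a blocked-extension list
and a blocked-signature list to constructed HTTP requests the way the filter's
Extensions and Signatures tabs do, and returns why a request was blocked so
the result can be compared with what the log viewer shows.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Signature:
    name: str                 # label shown in the filter's signature list
    where: str                # "request_headers" or "request_body"
    pattern: str              # substring the filter searches for
    header: str = ""          # header name, used only for request_headers
    scan_bytes: int = 100     # body bytes inspected (models the byte range)


@dataclass
class HttpPolicy:
    blocked_extensions: set[str] = field(default_factory=set)
    signatures: list[Signature] = field(default_factory=list)


def url_extension(url: str) -> str:
    """Extension of the URL path, lower-cased, ignoring the query string.

    "/files/ubuntu.torrent?peer=1" -> ".torrent"; "/" -> "".
    """
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower()


def check_request(policy: HttpPolicy, url: str, headers: dict[str, str],
                  body: bytes = b"") -> tuple[str, str]:
    """Return ("blocked", reason) or ("allowed", "") for one request."""
    # Extensions tab: match on the path component only, so a query string
    # or a differently cased extension cannot slip past the check.
    ext = url_extension(url)
    if ext and ext in policy.blocked_extensions:
        return "blocked", f"extension {ext}"

    # Signatures tab: header names are case-insensitive, so normalise them;
    # the pattern itself is matched as an exact substring of the value.
    lowered = {name.lower(): value for name, value in headers.items()}
    for sig in policy.signatures:
        if sig.where == "request_headers":
            if sig.pattern in lowered.get(sig.header.lower(), ""):
                return "blocked", f"signature {sig.name}"
        elif sig.where == "request_body":
            # Only the first scan_bytes of the body are inspected.
            if sig.pattern.encode() in body[:sig.scan_bytes]:
                return "blocked", f"signature {sig.name}"
    return "allowed", ""


def demo_policy() -> HttpPolicy:
    """Policy with the two entries the article walks through (values assumed)."""
    return HttpPolicy(
        blocked_extensions={".torrent"},
        signatures=[
            # MSMSGS is the User-Agent string assumed here for MSN Messenger.
            Signature("MSN Messenger", "request_headers", "MSMSGS",
                      header="User-Agent"),
            # Constructed body signature, present only to show the byte-range limit.
            Signature("Tracker announce", "request_body", "info_hash=",
                      scan_bytes=64),
        ],
    )


if __name__ == "__main__":
    policy = demo_policy()
    # Constructed requests against example hosts, not captured traffic.
    samples = [
        ("http://tracker.example/files/ubuntu.torrent?peer=1", {}, b""),
        ("http://messenger.example/gateway/gateway.dll", {"user-agent": "MSMSGS"}, b""),
        ("http://www.example.com/index.html", {"User-Agent": "Mozilla/4.0"}, b""),
        ("http://www.example.com/post", {}, b"x" * 64 + b"info_hash=abc"),
    ]
    for url, hdrs, body in samples:
        print(url, "->", check_request(policy, url, hdrs, body))
```

The last sample is the one worth remembering when a signature you entered does not fire: the pattern is in the body, but beyond the bytes the filter inspects, so the request is allowed and nothing appears in the log viewer's blocked entries.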
SolutionBase: Using ISA Server 2004's HTTP Security Filter to block instant messengers and peer-to-peer applications