Countless threats from outside the network try to gain access to and exploit internal network resources whenever they get the opportunity. In general, the firewall is the network's main shield, blocking unwanted traffic and unauthorized access sessions. For that reason, ISA Server 2006 is used in many systems to prevent possible security problems.

However, external threats are not the only concern. A system always has many users, and you cannot claim that none of them visit non-work-related websites; the worst case is damage to the system when someone accesses a malicious website.
Most systems have policies that restrict what users may do when accessing the Internet with the company's computer resources. Administrators must closely monitor and control those sessions, and can block access to malicious or inappropriate sites.
Domain Name Sets in ISA Server 2006
Many different options may apply to these situations, but in this article we will focus on how to use Domain Name Sets and URL Sets to block access to dangerous or inappropriate sites. All ISA Server clients can use Domain Name Sets to block access sessions. However, only Web Proxy and Firewall clients can be controlled at the group or user level.
Domain Name Sets allow you to block all access to a site, such as espn.com. If you create a Domain Name Set with *.espn.com, you will block users from accessing all pages in the espn.com domain. Similarly, you can create multiple Domain Name Sets to block access to many different domains.
We can also use Domain Name Sets to block access at a finer level by specifying a particular server in the domain. For example, you can create an entry for www3.espn.com to block access to the www3 server while still allowing access to the rest of the espn.com domain.
Domain Name Sets apply to all protocols and all clients. This means that once the Domain Name Set entry is created, all traffic to the domain will be blocked regardless of the ISA Server 2006 client type. You can use URL Sets to block access instead of Domain Name Sets.
URL Sets in ISA Server 2006
URL Sets are like Domain Name Sets, except that URL Sets only block access for web connections. For URL Sets to work properly, connections must use the HTTP or HTTPS protocol (FTP access by clients configured as Web Proxy clients may also be blocked) and must be handled by the Web Proxy filter.
For example, you can create a URL Set with an entry for hotmail.com and create a rule to block access to hotmail.com using all protocols. Any attempt to access the hotmail.com site with a browser will be blocked; however, users with configured SMTP or POP3 clients will still be able to retrieve mail from hotmail.com, because the URL Set only applies to HTTP, HTTPS and FTP access sessions via Web Proxy.
Always remember the difference between Domain Name Sets and URL Sets. URL Sets let you restrict access by blocking traffic to the desired URL over HTTP and HTTPS, as long as the connecting client uses that protocol through the Web Proxy filter. In contrast, Domain Name Sets block all access to the domain using any protocol.
Create Access Rule
Domain Name Sets and URL Sets must be used in Access Rules. You can create Domain Name Sets or URL Sets as part of the Access Rule wizard. Follow the steps below to create an Access Rule and the related Domain Name Set or URL Set to block access:
1. Open the Management Console of ISA Server 2006.
2. Expand the server name and select the Firewall Policy.
3. Click the Tasks tab in the Task Pane.
4. Select Create a New Access Rule.
5. Enter a name for the Access Rule (for example, Block ESPN) and then click Next.
6. Select Deny on the Rule Action page and click Next.
7. On the Protocols page, select the Domain Name Set or URL Set.
   If you create a Domain Name Set, select All Outbound Traffic.
   If you create a URL Set, select Selected Protocols and then select HTTP and HTTPS.
8. Click Next.
9. Click the Add button on the Access Rule Sources page.
10. Click on Networks, then select Internal. Then click Close.
11. Click Next.
12. Select Add on the Access Rule Destinations page.
13. On the Add Network Entities page, select Domain Name Set or URL Set.
14. Then enter a name for the Domain Name Set or URL Set in the dialog box displayed.
15. Click the New button and enter the domain name you want to block access to, for example *.espn.com.
16. Click OK.
Remember that Access Rules are processed in the order in which they are listed. You need to move the new Access Rule and any other Deny rules to the top of the list so that the system processes the deny rules first and only then handles the rules that allow access.
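
The matching and ordering behaviour described in this article can be checked with a small model before rules are changed on the firewall. The Python code below is an added example, not part of the original article and not ISA Server code; the rule names, the evaluate function, the wildcard handling and the final default deny are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Per the article: URL Sets only affect these protocols, and only via Web Proxy.
WEB_PROXY_PROTOCOLS = {"HTTP", "HTTPS", "FTP"}

@dataclass
class Rule:
    name: str
    action: str          # "Deny" or "Allow"
    kind: str            # "domain_set", "url_set" or "any"
    entries: tuple = ()  # host patterns (constructed sample values)

def host_matches(host, pattern):
    # Assumption of this model: "*.espn.com" matches hosts below espn.com,
    # and an exact entry such as "www3.espn.com" matches only that host.
    return fnmatchcase(host.lower(), pattern.lower())

def rule_applies(rule, host, protocol, via_web_proxy):
    if rule.kind == "any":
        return True
    if not any(host_matches(host, p) for p in rule.entries):
        return False
    if rule.kind == "domain_set":
        return True  # every protocol, every client type
    # url_set: only web protocols handled by the Web Proxy filter
    return via_web_proxy and protocol in WEB_PROXY_PROTOCOLS

def evaluate(rules, host, protocol, via_web_proxy=True):
    """Return (action, rule name) of the first rule that applies, top down."""
    for rule in rules:
        if rule_applies(rule, host, protocol, via_web_proxy):
            return rule.action, rule.name
    return "Deny", "Default rule"  # assumption: nothing matched, so deny

ALLOW_ALL = Rule("Allow Internet", "Allow", "any")
BLOCK_ESPN = Rule("Block ESPN", "Deny", "domain_set", ("*.espn.com",))
BLOCK_WWW3 = Rule("Block www3", "Deny", "domain_set", ("www3.espn.com",))
BLOCK_HOTMAIL = Rule("Block Hotmail", "Deny", "url_set",
                     ("hotmail.com", "*.hotmail.com"))

GOOD_ORDER = [BLOCK_ESPN, BLOCK_HOTMAIL, ALLOW_ALL]  # deny rules on top
BAD_ORDER = [ALLOW_ALL, BLOCK_ESPN, BLOCK_HOTMAIL]   # allow rule shadows the denies

if __name__ == "__main__":
    samples = [("www.espn.com", "HTTP", True), ("www.espn.com", "SMTP", False),
               ("hotmail.com", "HTTPS", True), ("hotmail.com", "POP3", False)]
    for host, proto, proxy in samples:
        print(host, proto, evaluate(GOOD_ORDER, host, proto, proxy),
              evaluate(BAD_ORDER, host, proto, proxy))
```

With the deny rules below the allow rule, every sample request is allowed, which is the misordering the last paragraph warns about.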