How to regulate internet access via ISA

Hello,

I am currently looking for instruction on how to regulate Internet access via ISA.

We currently have two T1 lines coming into the corporate office, one is a private T1 that doesn't have access to the public internet and the other T1 is strictly public.

How the users connect, we have 40+ users that are connected to the local LAN and they use the Public T1 for all internet access. We have 60+ users that connect to the corporate office via private T1 and use the public T1 for their internet access as well. Then we have rougly 200 users that connect to the corporate office with the public T1 through a Citrix connection via HP thin clients and use internet explorer off of the Metaframe servers. So virtually we already have everybody routed to the corporate office and using the public T1 for internet access. But now we want to regulate what sites they can get to.  

How would I setup Microsoft ISA to regulate what sites the users have access to? Im looking for step by step instructions.

Thanks


corahealthAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TannerManCommented:
Open up Policy Elements> Destination Sets and right click on DESTINATION SETS. Create a destination set named "restricted sites". Populate that destination set with the sites you are going to allow. This will be time consuming, but eventually you'll have your list nicely made and only add to it when new sites to be allowed are approved. In our destination set you can add the sites using the DESTINATION field, not the IP ADRESSES filed and enter like so.....

*.msn.com - allows full access to anything on msn
*.msn.com/weather/* - would allow full access to anything in MSN's sub-site/folder of WEATHER (just an example)
*.state.al.us - allows access to any site for using the state.al.us suffix
*.gov - will allow access to any .gov site
*.windowsupdate.com - allows access to the IE windows update site
*.trendmiccro.com - allows access to Trendscans antivirus update site

and so on.

Open up Access Policy> Site and Conent rules and right click on SITE AND CONETENT RULES and  create a new rule. Name it "Limited Web Access". For destinations choose a set and point it to your newly created destination set of RESTRICTED SITES. On ACTION choose ALLOW. On APPLIES TO you can either add user groups, or just set to ANY REQUEST and lock down EVERYONE's access. Groups are better because admins and the such would not be included. DONE

The to do one of two things. Under Site and conent rules Disable the "allow rule", OR, if your going to give admins and the like full access simply open up the rule and go to the "Applies To" tab and change it to apply to users and groups. Add the admin groups or ohters.

due to changes/additions to the site and content rules you need to do the folllowing

Expand the MONITORING section in the tree. Double click SERVICES. Right click on WEB PROXY service and choose stop.  When stop repeat it and choose start.

As long as you have no rules for site and content that already exist to override this, you'll restrict access to the sites you desire.

People will tell you too much trouble, and it is a lot of trouble. But I just finished setting this up for a company with 400+ users and it was 2-3 weeks of pain in the butt and now it is simple mantenance.

One problem you will see in this setup.....

Lets say you give restricted access to *.msn.com/money/personal finance. When a user hits a page in that site and that site has adverstisements that popup...your user gets flooded with pop up boxes for authentication. They will get a pop up for every add on that page that doesn't meant the *.msn/com/money/personal finance access. When we ran into this, for example at http://www. weather.com.......we had to find an alternate, non-ad laden site like http://www.noaa.gov. It is eihter do that or let the user cancel every single popup box every single time they visit a page like that.

Hope it all helps. Please let me know if you need any clariication or assitance.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LimeSMJCommented:
Might want to use VB scripting to create and manage your blocked destination sets:

http://www.isaserver.org/articles/2004domainseturlset.html
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.