How to regulate internet access via ISA

Posted on 2004-11-04
Medium Priority
Last Modified: 2010-04-09

I am currently looking for instruction on how to regulate Internet access via ISA.

We currently have two T1 lines coming into the corporate office, one is a private T1 that doesn't have access to the public internet and the other T1 is strictly public.

How the users connect, we have 40+ users that are connected to the local LAN and they use the Public T1 for all internet access. We have 60+ users that connect to the corporate office via private T1 and use the public T1 for their internet access as well. Then we have roughly 200 users that connect to the corporate office with the public T1 through a Citrix connection via HP thin clients and use Internet Explorer off of the Metaframe servers. So virtually we already have everybody routed to the corporate office and using the public T1 for internet access. But now we want to regulate what sites they can get to.

How would I set up Microsoft ISA to regulate what sites the users have access to? I'm looking for step by step instructions.


Question by:corahealth

Accepted Solution

TannerMan earned 2000 total points
ID: 12496117
Open up Policy Elements> Destination Sets and right click on DESTINATION SETS. Create a destination set named "restricted sites". Populate that destination set with the sites you are going to allow. This will be time consuming, but eventually you'll have your list nicely made and only add to it when new sites to be allowed are approved. In our destination set you can add the sites using the DESTINATION field, not the IP ADDRESSES field, and enter like so.....

*.msn.com - allows full access to anything on msn
*.msn.com/weather/* - would allow full access to anything in MSN's sub-site/folder of WEATHER (just an example)
*.state.al.us - allows access to any site for using the state.al.us suffix
*.gov - will allow access to any .gov site
*.windowsupdate.com - allows access to the IE windows update site
*.trendmicro.com - allows access to Trendscans antivirus update site

and so on.

Open up Access Policy> Site and Content Rules and right click on SITE AND CONTENT RULES and create a new rule. Name it "Limited Web Access". For destinations choose a set and point it to your newly created destination set of RESTRICTED SITES. On ACTION choose ALLOW. On APPLIES TO you can either add user groups, or just set to ANY REQUEST and lock down EVERYONE's access. Groups are better because admins and the such would not be included. DONE

Then do one of two things. Under Site and Content Rules disable the "allow rule", OR, if you're going to give admins and the like full access, simply open up the rule and go to the "Applies To" tab and change it to apply to users and groups. Add the admin groups or others.

Due to changes/additions to the site and content rules you need to do the following:

Expand the MONITORING section in the tree. Double click SERVICES. Right click on WEB PROXY service and choose stop. When stopped, repeat it and choose start.

As long as you have no rules for site and content that already exist to override this, you'll restrict access to the sites you desire.

People will tell you too much trouble, and it is a lot of trouble. But I just finished setting this up for a company with 400+ users and it was 2-3 weeks of pain in the butt and now it is simple maintenance.

One problem you will see in this setup.....

Let's say you give restricted access to *.msn.com/money/personal finance. When a user hits a page in that site and that site has advertisements that pop up...your user gets flooded with pop up boxes for authentication. They will get a pop up for every ad on that page that doesn't meet the *.msn.com/money/personal finance access. When we ran into this, for example at http://www.weather.com.......we had to find an alternate, non-ad laden site like http://www.noaa.gov. It is either do that or let the user cancel every single popup box every single time they visit a page like that.

Hope it all helps. Please let me know if you need any clarification or assistance.
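The answer above describes an allow-list of destination patterns (`*.msn.com`, `*.msn.com/weather/*`, `*.gov`) and the side effect of such a list: a page that is allowed may embed ad images from domains that are not, and each of those requests is what triggers the proxy's authentication prompts. The following is an added example, not code from the original post or from ISA Server. It models those destination-set entries as host and path wildcards (an assumption; it is a simplified model of the matching semantics, not ISA's own matcher) so that a list can be checked against candidate URLs, and a page's embedded resources can be screened for the pop-up problem before the list goes live. The allow-list and URLs are constructed sample data.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allow-list in the style of the answer's destination set.
# Assumption: a leading "*." matches any subdomain (it does NOT match the
# bare domain, since the "." is required) and a trailing "/folder/*" limits
# the match to that path prefix.
ALLOWED_DESTINATIONS = [
    "*.msn.com/weather/*",
    "*.state.al.us",
    "*.gov",
    "*.windowsupdate.com",
]


def parse_destination(entry):
    """Split a destination-set entry into (host pattern, path pattern or None)."""
    entry = entry.strip().lower()
    if "/" in entry:
        host, path = entry.split("/", 1)
        return host, "/" + path
    return entry, None


def matches(entry, url):
    """True if the URL's host and path both satisfy one destination entry."""
    host_pat, path_pat = parse_destination(entry)
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Suffix-anchored glob: "*.msn.com" does not match "msn.com.evil.example"
    # or "evil-msn.com", which is the property a defender wants from the list.
    if not fnmatchcase(host, host_pat):
        return False
    return path_pat is None or fnmatchcase(path.lower(), path_pat)


def is_allowed(url, destinations=ALLOWED_DESTINATIONS):
    """An allow rule on the set passes the request if any entry matches."""
    return any(matches(d, url) for d in destinations)


def blocked_resources(page_url, resource_urls, destinations=ALLOWED_DESTINATIONS):
    """Return the embedded resources of an allowed page that the list denies.

    Each of these is a request the proxy would challenge, which is the
    flood of authentication pop-ups the answer warns about. Returns None
    when the page itself is denied (then there are no per-resource prompts).
    """
    if not is_allowed(page_url, destinations):
        return None
    return [r for r in resource_urls if not is_allowed(r, destinations)]


if __name__ == "__main__":
    # Constructed page plus the third-party resources it embeds.
    page = "http://www.msn.com/weather/today"
    embedded = [
        "http://img.msn.com/weather/icon.png",
        "http://ads.example.net/banner.gif",
        "http://tracker.example.org/pixel.gif",
    ]
    print("page allowed:", is_allowed(page))
    print("resources that would prompt:", blocked_resources(page, embedded))
```

Running the list through `blocked_resources` for the handful of sites users actually visit is a cheap way to find the ad-heavy pages the answer had to swap out, before users start reporting pop-ups.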

Expert Comment

ID: 12513496
Might want to use VB scripting to create and manage your blocked destination sets:

