How to regulate internet access via ISA

Posted on 2004-11-04
Last Modified: 2010-04-09

I am currently looking for instruction on how to regulate Internet access via ISA.

We currently have two T1 lines coming into the corporate office, one is a private T1 that doesn't have access to the public internet and the other T1 is strictly public.

How the users connect, we have 40+ users that are connected to the local LAN and they use the Public T1 for all internet access. We have 60+ users that connect to the corporate office via private T1 and use the public T1 for their internet access as well. Then we have roughly 200 users that connect to the corporate office with the public T1 through a Citrix connection via HP thin clients and use Internet Explorer off of the Metaframe servers. So virtually we already have everybody routed to the corporate office and using the public T1 for internet access. But now we want to regulate what sites they can get to.

How would I set up Microsoft ISA to regulate what sites the users have access to? I'm looking for step by step instructions.


Question by:corahealth
    LVL 9

    Accepted Solution

    Open up Policy Elements > Destination Sets and right click on DESTINATION SETS. Create a destination set named "restricted sites". Populate that destination set with the sites you are going to allow. This will be time consuming, but eventually you'll have your list nicely made and only add to it when new sites to be allowed are approved. In our destination set you can add the sites using the DESTINATION field, not the IP ADDRESSES field, and enter like so.....

    * - allows full access to anything on msn
    ** - would allow full access to anything in MSN's sub-site/folder of WEATHER (just an example)
    * - allows access to any site for using the suffix
    *.gov - will allow access to any .gov site
    * - allows access to the IE windows update site
    * - allows access to Trendscans antivirus update site

    and so on.

    Open up Access Policy > Site and Content Rules and right click on SITE AND CONTENT RULES and create a new rule. Name it "Limited Web Access". For destinations choose a set and point it to your newly created destination set of RESTRICTED SITES. On ACTION choose ALLOW. On APPLIES TO you can either add user groups, or just set to ANY REQUEST and lock down EVERYONE's access. Groups are better because admins and the such would not be included. DONE

    Then do one of two things. Under Site and Content Rules, disable the "allow rule", OR, if you're going to give admins and the like full access, simply open up the rule and go to the "Applies To" tab and change it to apply to users and groups. Add the admin groups or others.

    Due to changes/additions to the site and content rules you need to do the following:

    Expand the MONITORING section in the tree. Double click SERVICES. Right click on WEB PROXY service and choose stop. When stopped, repeat it and choose start.

    As long as you have no rules for site and content that already exist to override this, you'll restrict access to the sites you desire.

    People will tell you too much trouble, and it is a lot of trouble. But I just finished setting this up for a company with 400+ users and it was 2-3 weeks of pain in the butt and now it is simple maintenance.

    One problem you will see in this setup.....

    Let's say you give restricted access to * finance. When a user hits a page in that site and that site has advertisements that pop up...your user gets flooded with pop up boxes for authentication. They will get a pop up for every ad on that page that doesn't meet the *.msn/com/money/personal finance access. When we ran into this, for example at http://www. had to find an alternate, non-ad laden site like It is either do that or let the user cancel every single popup box every single time they visit a page like that.

    Hope it all helps. Please let me know if you need any clarification or assistance.
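
The pop-up problem in the accepted solution comes from embedded resources that fall outside the destination set. As an added example (not part of the original answer, and not ISA Server's own matching code), the Python below checks a candidate page's embedded URLs against an allow-list before the site is approved. The hostnames, patterns and the simplified wildcard and path-prefix semantics are all assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed allow-list modelled on the "restricted sites" destination set:
# (host pattern, path prefix). Matching semantics are a simplified assumption.
RESTRICTED_SITES = [
    ("*.gov", "/"),                      # any .gov site
    ("portal.example.com", "/"),         # one whole site
    ("news.example.com", "/weather/"),   # one sub-folder of a site only
]

# Constructed page and the resources it embeds (all hostnames are made up).
SAMPLE_PAGE = "http://news.example.com/weather/today.htm"
SAMPLE_RESOURCES = [
    "http://news.example.com/weather/img/map.gif",
    "http://news.example.com/money/ticker.js",
    "http://ads.adnetwork.test/banner.js",
    "http://tracker.adnetwork.test/pixel.gif",
]

def host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]             # "*.gov" -> ".gov"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_allowed(url, dest_set=RESTRICTED_SITES):
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Collapse "." and ".." so /weather/../money is judged as /money.
    path = posixpath.normpath(parts.path or "/")
    if not path.endswith("/"):
        path += "/"
    return any(host_matches(h, host) and path.startswith(p) for h, p in dest_set)

def audit_page(page_url, resource_urls, dest_set=RESTRICTED_SITES):
    """Return (page allowed?, embedded URLs the allow-list would reject)."""
    rejected = [u for u in resource_urls if not is_allowed(u, dest_set)]
    return is_allowed(page_url, dest_set), rejected

if __name__ == "__main__":
    allowed, rejected = audit_page(SAMPLE_PAGE, SAMPLE_RESOURCES)
    print("page allowed:", allowed)
    for url in rejected:
        print("would be rejected:", url)
```

Each rejected URL is a request the proxy would refuse for a restricted user, so a page with many of them is a candidate for the "find an alternate site" treatment described above.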
    LVL 7

    Expert Comment

    Might want to use VB scripting to create and manage your blocked destination sets:
