Some questions about ISA firewall policies

Hello
I'm newcomer of ISA server 2006 So here you are my questions!
1- ) I notice that when i create access rule on ISA i found "Instant Messaging" when i open i find Msn,Icq,...etc But i didnt see  other instant message like  Yahoo Messnger or Google talk ... so how can i Create access rule to deny these isntant messaging ?

2- ) is there is any problem if i join ISA Server to Domain controller After installing ISA server 2006 on the box OR it should be joind already to domain controller before installing ISA server 2006?

ali_alannahAsked:
Who is Participating?
 
Stephen MandersonConnect With a Mentor Software EngineerCommented:
Hi there,

Please take a look at the following tutorial on how to block these messenger applications from running through ISA.
http://www.isaserver.org/tutorials/How_to_Block_Dangerous_Instant_Messengers_Using_ISA_Server.html

With regards to ISA I would do the join to the domain before the install personally.

Regards
Steve
0
 
SteveH_UKCommented:
I agree with MrManderson that you should join first.

Note that many of these IM clients are hard to block because they appear like normal web traffic.  ISA itself doesn't provide a particularly helpful solution to this problem, and is not fully solved by the suggestions in the linked document.  All the user has to do is rename the executable in general.

Instead, I recommend that you consider whether you need an application protocol filter.  These are rather expensive, but are designed to block some of these kinds of software, and are automatically updated on a regular basis.
0
 
SteveH_UKConnect With a Mentor Commented:
See http://www.barracudanetworks.com/ns/products/web-filter-overview.php for the Barracuda solution, but many others exist.  All expensive, though :(
0
 
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
In respect to the IM's, yes there are only one or two named specifically and this is because these had options to use ports other than the traditional port 80 to pass their traffic across. In reality, almost all IM style utilities use port 80. If you want to block those then you need to create the controls yourself. Most applications use agents or 'signatures' to identify the type of traffic they represent and the type of service they are connecting to. This link shows a number of the common 'User Agents' in use.

http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx

Use the http filters on each rule to control the user-agents you want to block/allow. Remember the http filter is applied to that rule only. ie Change the http filter on rule 1 but that changer does not apply to rule 2, rule 3 etc - it only applies to the rule that the filter is changed on.



In respect to the connection, it does not matter either way on the order. The only real difference is if you are going to be using rule authentication through Active Directory or such like. You cannot 'prepare' the system in advance as the ISA would not have the ability to see the AD. Many providers prepare the ISA server systems before they ship them to customers. Bottom line - it is up to you.

Keith
ISA MVP
0
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0
All Courses

From novice to tech pro — start learning today.