Johnny_Nguyen

asked on

ISA 2006: Cannot block websites properly

Ok, it might seem simple to many of you but I'm unable to get ISA 2006 to block websites properly. ISA server is running Windows 2003 R2 SP2, clients are running Windows XP.
- I created an AD group called Restricted Users containing those who should only be able to access certain websites.
- I created a rule called Common Protocols which allows certain protocols, including HTTP, to All Users
- I created a rule called Block Websites,
From Anywhere
To External
Exception: WHITELIST
Protocol HTTP

- WHITELIST is a URL set containing all the allowed websites.
- I target this one to Restricted Users group

Immediately after applying this rule, users in Restricted Users group are unable to access any websites including those in WHITELIST. Other users can still browse internet no problems.

Entries in WHITELIST are
*anz.com.au
*cnn.com.au
*apple.com

I couldn't browse http://www.anz.com.au or www.apple.com, so I added in
*.anz.com.au
*.cnn.com.au
*.apple.com

Still blocking every website. What am I doing wrong here?
Avatar of Hisham_Elkouha
Hisham_Elkouha

1-The Access Rule of the BlockWebsite should be set above Common Protocols rules not below them.

2-Modify the Block Website Access Rule to (Allow From Anywhere to WHITELIST, HTTP&HTTPS Protocols Allowed, apply to Restricted Users Group in AD)
Johnny_Nguyen

ASKER

1. Yes, the Access Rule is above Common Protocols, which is second from bottom.
2. You suggest modifying the Block Website Access Rule to "Allow ...." That will not block anything then.

I did try creating a rule blocking all HTTP/HTTPS access (to restricted user) and another rule above it allowing HTTP/HTTPS  accessing to WHITELIST, it still blocked everything.

Was my syntax in Whitelist correct?
What do you need exactly?
You need to restrict the (Restricted User Group) to access only the websites in Whitelist, or you do not need to allow them to access it.
Sorry I should have made that clear from the 1st post.
I need to restrict the Restrict Users group to access only websites in Whitelist.
Then go with my first post, because you are allowing these websites in Whitelist to the restricted users only. (From Anywhere to Whitelist, not to External)

The Common Protocols Access Rule will allow other websites to other users (you have to create another group in AD containing all other users except Restricted Users).
I can see your point but, no offence, I don't think that is the way of doing this.
It's not a good idea creating a group containing all other users except Restricted Users, neither is it a professional way of grouping users in AD, because every time I create a new normal user I have to add them to this group! What about system users (Exchange admins, Sharepoint admins, Built-in Administrator)? Do I have to add them in as well?

Second, I think Microsoft ISA can do this restriction easily, and I did this the way instructed in HELP. What was I doing wrong ?
Ok
After creation of the Access Rule that I instructed you to create, create another Access Rule below this Access Rule that (Deny - Internal - to External - Users: Restricted Users)

So the first rule will allow the restricted users to access the Whitelist websites; the other one will prevent them from accessing any other websites.

The Common Protocols Access Rule will enable all other users to access the internet.
In my 2nd post I mentioned I tried that already. No luck.

What was wrong with the way I did it at 1st?
Did you use External instead of Whitelist?
I used External, and also I tried Whitelist, finally I used Anywhere for testing purposes. Still not working.
Use Internal instead of Anywhere.
I don't think we're going anywhere with your suggestion, because from the VERY basic level, if "from Anywhere" doesn't work then "from Internal" surely won't work !!!!!

Again, does anybody know what's wrong at all with my original way of blocking websites?
A couple of things you need to do here. Your whitelist rule: create it with the following parameters:

Name: Allowed Web Sites
Action: Allow
Protocols: Selected (HTTP, HTTPS)
From: Internal
To: WHITELIST
UserGroup: Restricted Users

Be sure to have this rule above any other that explicitly denies these actions.

Now in your WHITELIST Url set..
*anz.com.au
*cnn.com.au
*apple.com

This only allows for possible subdomains of the apple site (for example support.apple.com); you also need to include a wildcard for the resource part of the URL, i.e. apple.com/*

Regards
Steve
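As an added illustration of the point above (example code written for this page, not from the thread or from Microsoft), the checker below tests a URL-set whitelist against the requests a restricted user's browser would actually make, so the entries can be validated before the rule is applied. The matching semantics it assumes (host part and path part compared separately, an entry with no path matching no real request) are an assumption modelled on the behaviour described in the thread, and the sample entries and requests are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_entry(entry: str) -> tuple[str, str]:
    """Split a URL-set entry into (host pattern, path pattern).

    Assumed semantics, not taken from ISA documentation: an optional scheme is
    ignored, the text before the first '/' is the host pattern, and the text
    from that '/' onward is the path pattern. An entry with no '/' therefore
    has an empty path pattern and can only match an empty path; a browser
    always requests at least '/', which is the failure the thread describes.
    """
    body = entry.split("://", 1)[-1].lower()
    host, sep, path = body.partition("/")
    return host, sep + path


def entry_matches(entry: str, url: str) -> bool:
    """True if one whitelist entry covers the requested URL."""
    host_pat, path_pat = parse_entry(entry)
    parts = urlsplit(url.lower())
    # Note: a host pattern like '*apple.com' (no dot) would also match
    # 'notapple.com'; '*.apple.com' plus a separate 'apple.com' entry is tighter.
    return fnmatchcase(parts.hostname or "", host_pat) and fnmatchcase(parts.path, path_pat)


def uncovered(whitelist: list[str], urls: list[str]) -> list[str]:
    """Return the requested URLs that no entry in the whitelist matches."""
    return [u for u in urls if not any(entry_matches(e, u) for e in whitelist)]


# Constructed sample input: the entries from the thread, a corrected set with a
# wildcard for the resource part, and the requests a restricted user would make.
ORIGINAL_WHITELIST = ["*anz.com.au", "*cnn.com.au", "*apple.com"]
FIXED_WHITELIST = ["*.anz.com.au/*", "anz.com.au/*", "*.cnn.com.au/*", "cnn.com.au/*",
                   "*.apple.com/*", "apple.com/*"]
SAMPLE_REQUESTS = [
    "http://www.anz.com.au/",
    "http://www.apple.com/",
    "http://support.apple.com/kb/index.html",
    "http://apple.com/",
    "http://www.example.com/",  # not whitelisted; must stay uncovered
]

if __name__ == "__main__":
    print("uncovered with original entries:", uncovered(ORIGINAL_WHITELIST, SAMPLE_REQUESTS))
    print("uncovered with fixed entries:   ", uncovered(FIXED_WHITELIST, SAMPLE_REQUESTS))
```

With the original entries every sample request is reported as uncovered, which matches what the asker observed; with the corrected entries only the non-whitelisted site remains uncovered.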
ASKER CERTIFIED SOLUTION
Johnny_Nguyen
