Solved

ISA 2006: Cannot block websites properly

Posted on 2008-11-05
Last Modified: 2011-04-14
Ok, it might seem simple to many of you but I'm unable to get ISA 2006 to block websites properly. ISA server is running Windows 2003 R2 SP2, clients are running Windows XP.
- I created an AD group called Restricted Users containing those who should only be able to access certain websites.
- I created a rule called Common Protocols which allows certain protocols, including HTTP, to All Users
- I created a rule called Block Websites,
From Anywhere
To External
Exception: WHITELIST
Protocol HTTP

- WHITELIST is a URL set containing all the allowed websites.
- I target this one at the Restricted Users group

Immediately after applying this rule, users in Restricted Users group are unable to access any websites including those in WHITELIST. Other users can still browse internet no problems.

Entries in WHITELIST are
*anz.com.au
*cnn.com.au
*apple.com

I couldn't browse http://www.anz.com.au or www.apple.com, so I added in
*.anz.com.au
*.cnn.com.au
*.apple.com

Still blocking every website. What am I doing wrong here?
Question by:Johnny_Nguyen
14 Comments

Expert Comment

by:Hisham_Elkouha
ID: 22892399
1. The Block Websites access rule should be placed above the Common Protocols rule, not below it.

2. Modify the Block Websites access rule to: Allow, From Anywhere, To WHITELIST, HTTP and HTTPS protocols allowed, applied to the Restricted Users group in AD.

Author Comment

by:Johnny_Nguyen
ID: 22892488
1. Yes, the Access Rule is above Common Protocols, which is second from bottom.
2. You suggest modifying the Block Websites access rule to "Allow ...", but that will not block anything then.

I did try creating a rule blocking all HTTP/HTTPS access (for restricted users) and another rule above it allowing HTTP/HTTPS access to WHITELIST; it still blocked everything.

Was my syntax in WHITELIST correct?

Expert Comment

by:Hisham_Elkouha
ID: 22892543
What do you need exactly?
Do you need to restrict the Restricted Users group to accessing only the websites in WHITELIST, or do you not need to allow them to access those at all?

Author Comment

by:Johnny_Nguyen
ID: 22892558
Sorry I should have made that clear from the 1st post.
I need to restrict the Restricted Users group to accessing only websites in WHITELIST.

Expert Comment

by:Hisham_Elkouha
ID: 22892592
Then go with my first post, because you are allowing the websites in WHITELIST to the restricted users only (From Anywhere to WHITELIST, not to External).

The Common Protocols access rule will allow other websites to other users (you have to create another group in AD containing all other users except Restricted Users).

Author Comment

by:Johnny_Nguyen
ID: 22892633
I can see your point, but no offence, I don't think that is the way of doing this.
It's not a good idea creating a group containing all other users except Restricted Users, nor is it a professional way of grouping users in AD, because every time I create a new normal user I have to add them to this group! What about system users (Exchange admins, SharePoint admins, the built-in Administrator)? Do I have to add them in as well?

Second, I think Microsoft ISA can do this restriction easily, and I did it the way instructed in Help. What was I doing wrong?

Expert Comment

by:Hisham_Elkouha
ID: 22892658
Ok
After creating the access rule that I instructed you to create, create another access rule below it: Deny, From Internal, To External, Users: Restricted Users.

So the first rule will allow the restricted users to access the WHITELIST websites, and the other one will prevent them from accessing any other websites.

The Common Protocols access rule will enable all other users to access the internet.

Author Comment

by:Johnny_Nguyen
ID: 22892670
In my second post I mentioned I tried that already. No luck.

What was wrong with the way I did it at 1st ?

Expert Comment

by:Hisham_Elkouha
ID: 22892678
Did you use External instead of WHITELIST?

Author Comment

by:Johnny_Nguyen
ID: 22892686
I used External, and also I tried Whitelist, finally I used Anywhere for testing purposes. Still not working.

Expert Comment

by:Hisham_Elkouha
ID: 22892757
Use Internal instead of Anywhere.

Author Comment

by:Johnny_Nguyen
ID: 22892829
I don't think we're going anywhere with your suggestion, because at the very basic level, if "From Anywhere" doesn't work then "From Internal" surely won't work!

Again, does any body know what's wrong at all with my original way of blocking websites ?

Expert Comment

by:Stephen Manderson
ID: 22893680
A couple of things you need to do here. Create your whitelist rule with the following parameters:

Name: Allowed Web Sites
Action: Allow
Protocols: Selected (HTTP, HTTPS)
From: Internal
To: WHITELIST
User group: Restricted Users

Be sure to have this rule above any other that explicitly denies these actions.

Now, in your WHITELIST URL set:
*anz.com.au
*cnn.com.au
*apple.com

This only allows for possible subdomains of the Apple site (for example, support.apple.com); you also need to include a wildcard for the resource part of the URL, i.e. apple.com/*

Regards
Steve
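The points argued back and forth above (rule order, deny-with-exception versus allow-then-deny, and the missing resource wildcard in the URL set entries) are easier to see side by side. The following is an added example, not ISA Server code and not from any post in this thread: a small PowerShell model in which the `-like` wildcard operator stands in for ISA URL-set matching and a top-to-bottom first-match walk stands in for firewall policy evaluation. Rule names, user groups, URL-set entries and the anz.com.au URL are taken from the thread; the evaluation logic, the `Test-UrlSet` and `Resolve-Access` functions, the user "Alice" and the bbc.co.uk URL are assumptions made for illustration. It also covers the case the accepted solution further down the thread ends on: a client that is not a web proxy client, so the firewall never sees a URL.

```powershell
# Added example (not ISA Server code, not from the thread): a model of the
# policy discussed above. -like stands in for ISA URL-set matching; the
# first-match walk in Resolve-Access stands in for policy evaluation.

function Test-UrlSet {
    param([string]$Url, [string[]]$UrlSet)
    # A URL set can only match when the firewall actually sees a URL, which
    # it does for web proxy clients. Treat "no URL seen" as "no match".
    if ([string]::IsNullOrEmpty($Url) -or -not $UrlSet) { return $false }
    foreach ($pattern in $UrlSet) {
        if ($Url -like $pattern) { return $true }
    }
    return $false
}

function Resolve-Access {
    param([string]$User, [string]$Url, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $userOk = ($rule.Users -eq 'All Users') -or ($rule.Users -eq $User)
        # 'To' is either the string 'External' (any destination) or a URL set.
        $destOk = ($rule.To -is [string]) -or (Test-UrlSet $Url $rule.To)
        # An exception removes matching URLs from the rule's scope.
        $excepted = Test-UrlSet $Url $rule.Exception
        if ($userOk -and $destOk -and -not $excepted) {
            return "$($rule.Action) by '$($rule.Name)'"
        }
    }
    return 'Deny by default rule'
}

# URL-set entries as first tried in the question, and with the resource
# wildcard from Stephen Manderson's answer added.
$whitelist         = @('*anz.com.au',   '*cnn.com.au',   '*apple.com')
$whitelistWithPath = @('*anz.com.au/*', '*cnn.com.au/*', '*apple.com/*')

# Policy from the question: one deny rule with WHITELIST as an exception,
# placed above the general allow rule.
$questionPolicy = @(
    @{ Name = 'Block Websites';   Action = 'Deny';  Users = 'Restricted Users'; To = 'External'; Exception = $whitelist },
    @{ Name = 'Common Protocols'; Action = 'Allow'; Users = 'All Users';        To = 'External'; Exception = $null }
)

# Policy from the answer: allow WHITELIST first, deny the rest for the group,
# and leave the general allow rule below for everybody else.
$answerPolicy = @(
    @{ Name = 'Allowed Web Sites'; Action = 'Allow'; Users = 'Restricted Users'; To = $whitelistWithPath; Exception = $null },
    @{ Name = 'Block Websites';    Action = 'Deny';  Users = 'Restricted Users'; To = 'External';         Exception = $null },
    @{ Name = 'Common Protocols';  Action = 'Allow'; Users = 'All Users';        To = 'External';         Exception = $null }
)

$site  = 'http://www.anz.com.au/'   # a browser always sends at least '/' as the path
$other = 'http://www.bbc.co.uk/'    # constructed: a site that is not in WHITELIST

"'$site' matches '*anz.com.au'   : $(Test-UrlSet $site $whitelist)"
"'$site' matches '*anz.com.au/*' : $(Test-UrlSet $site $whitelistWithPath)"

"Question policy, proxy client : $(Resolve-Access 'Restricted Users' $site $questionPolicy)"
"Answer policy,   proxy client : $(Resolve-Access 'Restricted Users' $site $answerPolicy)"
"Answer policy,   other site   : $(Resolve-Access 'Restricted Users' $other $answerPolicy)"
"Answer policy,   other user   : $(Resolve-Access 'Alice' $other $answerPolicy)"
# Client not set up as a web proxy client: the firewall never sees a URL,
# so no URL-set rule can match and the plain deny rule wins.
"Answer policy,   no URL seen  : $(Resolve-Access 'Restricted Users' '' $answerPolicy)"
```

Run as is, the model shows the symptom from the question (the full URL never matches an entry without the trailing `/*`, so the exception never applies and the deny rule fires), the answer's allow-then-deny layout behaving as intended for a web proxy client, other users still passing the general allow rule, and a client whose requests arrive without a URL being denied regardless of how well the URL set is written.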

Accepted Solution

by:
Johnny_Nguyen earned 0 total points
ID: 22915997
OK, I finally got this resolved: the URL sets feature wasn't working because the client proxy wasn't set correctly to the ISA server.
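The accepted solution gives the cause but not the check. The following is an added example, not from the thread and not Microsoft's tooling: a PowerShell script to run on a client to confirm that the browser is configured as a web proxy client of the ISA server (only then does ISA see full URLs that a URL set can match, and the authenticated user that a group-based rule needs) and then to fetch one WHITELIST URL and one non-whitelisted URL through that proxy. Assumptions: the proxy address `isa01:8080` is a placeholder to replace with your own, the bbc.co.uk URL is a constructed non-whitelisted site, and the client has Windows PowerShell 2.0 or later (it uses `System.Net.WebRequest`, which exists on that version, rather than the later `Invoke-WebRequest`). The registry key and value names are the ones Internet Explorer's per-user proxy settings live under.

```powershell
# Added example (not from the thread): verify the client is a web proxy
# client of ISA and probe the URL-set policy through that proxy.

$expectedProxy = 'isa01:8080'   # assumption: replace with your ISA server and port

# Per-user Internet Explorer proxy settings. ProxyEnable=1 with a ProxyServer
# value means the browser sends full URLs to ISA, which URL sets require.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key
$proxyEnabled = ($settings.ProxyEnable -eq 1)
$proxyServer  = $settings.ProxyServer
$autoConfig   = $settings.AutoConfigURL

if (-not $proxyEnabled -or [string]::IsNullOrEmpty($proxyServer)) {
    Write-Warning ("No explicit proxy configured (ProxyEnable={0}, ProxyServer='{1}', AutoConfigURL='{2}')." -f `
        $settings.ProxyEnable, $proxyServer, $autoConfig)
    Write-Warning 'Without a web proxy client, ISA only sees IP and port, so URL sets cannot match.'
} elseif ($proxyServer -ne $expectedProxy) {
    Write-Warning "Proxy is '$proxyServer', expected '$expectedProxy'."
} else {
    Write-Output "Web proxy client configured: $proxyServer"
}

function Test-ProxiedUrl {
    param([string]$Url, [string]$Proxy)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Proxy = New-Object System.Net.WebProxy("http://$Proxy")
    # Send the logged-on user's credentials so ISA can apply group-based rules.
    $request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $request.Timeout = 10000
    try {
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $response.Close()
        return "$Url -> allowed (HTTP $status)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # The proxy answered with an error page: denied by policy, or 407
            # if it wanted authentication it did not get.
            return "$Url -> refused by proxy (HTTP $([int]$resp.StatusCode))"
        }
        return "$Url -> no response: $($_.Exception.Message)"
    }
}

# One URL from the WHITELIST set and one that is not in it (constructed).
'http://www.anz.com.au/', 'http://www.bbc.co.uk/' | ForEach-Object {
    Test-ProxiedUrl -Url $_ -Proxy $expectedProxy
}
```

Run it as the restricted user and again as an unrestricted one: a correctly configured client should show the whitelisted site loading for both, the other site refused only for the restricted user, and the first block of output should name the ISA server as the proxy. If the warning about no explicit proxy appears, the browser is not a web proxy client and the URL-set rules cannot work, which is the situation the accepted solution describes.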