fuzzyfreak


Restrict user to certain websites using ISA 2000

I am getting fed up with a user accessing inappropriate websites.  I have looked at trying to stop this using ISA but it is a continuing process, I have to add each identified website to my rule.  I have decided it would be far easier to just allow only the few websites he should be accessing.  How do I set up in ISA an allow rule for only him and only the few websites I wish him to access?
SOLUTION
Shreedhar Ette
This solution is only available to members.
fuzzyfreak

ASKER

Oops, my mistake, I actually need to do this in ISA 2000, not ISA 2004.  Your first link answered my original question but it is not transferable to ISA 2000.  I am going to try and change the question title.
I am going to need some help here.  That article tells you how to create a destination set and an exception rule.  So now I have allowed certain websites for a security group, but presumably I have to now use an opposing rule to disallow all websites because by default all users have access to all websites.

Also, as part of trying to resolve this, have you any idea where I might find the "SBS Internet Users" group?
The group should be there in your Active Directory.
I found it, it is actually called Internet Users.

I still cannot get the article to work for me, it seems incomplete.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Before I look at opendns, I am considering just upgrading ISA.  I have SBS2003, my two questions are -

Should I upgrade to ISA 2004 or 2006?
Would it be a straight upgrade, carrying my custom policy elements and access policies over?

Thanks
With SBS2003 it has to be ISA2004 and the only way to do that is get the SBS SP1 Update from MS.  You cannot install ISA2006 and you cannot install ISA2004 from a stand-alone copy of the CD,...it must come from the SBS Premium Installation CD and be installed through the SBS Wizards.  I do not know if you can install over the top of the old ISA,..but I would not,...I would uninstall ISA2000 first,...then install ISA2004.

ISA 2004 is a big improvement over ISA2000 but it is not going to help that much with what you want to do.  Restricting user's Web Destination is way more difficult to do dependably and correctly than people realize.   I run ISA2006 here and have been using ISA since back when it used to be called Microsoft Proxy Server v.2, and was an ISA MVP for 3 years..and yet I still use OpenDNS for handling this.  Handling it at the DNS Level is much more dependable and reliable than doing it at the Firewall Level.  Doing it at the DNS level takes care of the problem long before the Firewall has to worry about it and the user has no way to bypass it or sneak around it somehow,...particularly if they are not local admins on their machine,...and even that won't help them if you do your LAN's DNS Scheme properly.

If you want to have multiple levels of restrictions you can't do it all with OpenDNS because OpenDNS will always be global.  So you would set the global restriction with OpenDNS and then do the "additional" restrictions with ISA.
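The layering described in the post above (one global block at the DNS level, then per-user restrictions at the proxy), sketched as an added example that is not part of the original thread and does not model ISA or OpenDNS internals. The user name, hostnames and function names are constructed for illustration.

```python
# Added illustration: users, hostnames and policy contents are constructed.
GLOBAL_DNS_BLOCKED = {"blocked.example"}   # layer 1: applies to every client
RESTRICTED_ALLOW = {                       # layer 2: per-user destination sets
    "restricted.user": {"intranet.example", "supplier.example"},
}

def normalize(host):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return host.strip().lower().rstrip(".")

def in_set(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    Matching is on label boundaries, so 'supplier.example.evil.test' and
    'notsupplier.example' do not match 'supplier.example'.
    """
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(user, host):
    """Return (allowed, reason) for a web request by user to host."""
    # The DNS layer is global: it applies before any per-user rule is consulted.
    if in_set(host, GLOBAL_DNS_BLOCKED):
        return False, "dns: globally blocked"
    allow = RESTRICTED_ALLOW.get(user)
    if allow is None:
        # Users without a destination set keep the default access.
        return True, "proxy: unrestricted user"
    if in_set(host, allow):
        return True, "proxy: in user's destination set"
    # A restricted user gets only the listed sites; everything else is denied.
    return False, "proxy: default deny for restricted user"

if __name__ == "__main__":
    for user, host in [
        ("restricted.user", "www.supplier.example"),
        ("restricted.user", "supplier.example.evil.test"),
        ("other.user", "ads.blocked.example"),
    ]:
        print(user, host, decide(user, host))
```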
OK, so in reference to my original question, it cannot be done.
Using OpenDNS and an upgrade to ISA2004 will give me my solution.
OK, so in reference to my original question, it cannot be done.

No, I didn't say that.  I said doing it with ISA2000 was a waste of time (not impossible).  I am saying that it (ISA2000) is so inflexible and unpredictable in this particular regard,... that I presented you with a more workable and better solution that looks more at the "big picture" and will serve your purposes better.  Combining the two,...ISA2004 (via within the SBS product),... with a service like OpenDNS will give the best solution.
OK, thanks.  I think opendns is all that is necessary as a solution to my issue.  The ISA upgrade is currently an unnecessary expense.  Thank you very much.
I appreciate the input of both contributors, it helped me make a valid decision.  I am currently using the free version of OpenDNS which appears to be all I need to resolve my issue.
The ISA upgrade is currently an unnecessary expense.  Thank you very much.

There is no expense.  Moving up to 2004 from 2000 is part of updating the SBS2003 Premium to SP1.  It is just that you cannot download the SBS SP1 for Premium.   You can download it for SBS Standard,...but not Premium.  ISA is only included with Premium.  So you have to contact MS to get the Media to update your SBS Premium to SP1 which will include ISA 2004.  You need to do this no matter what else you are doing or not doing.
OK, how confusing as my SBS is now on SP2 and my ISA is still 2000.
You probably installed the "regular" SP2 for the "regular" Server 2003 that was downloaded.

ISA only legally comes with SBS Premium.
ISA2000 came with SBS Premium, no SP
ISA2004 came with SBS Premium SP1

The SP1 for SBS Premium was not downloadable (SBS Regular was).  You have to contact your retailer or MS directly to get it.

Since you have already "skipped" past it I do not know if you can go back because you would have to uninstall SP2 first,...I don't know what kind of mess that would make.