Use HTTP Policy to Prevent Access to Suspect Web Sites

You can block access to Web sites based on virtually any component of the HTTP communication using ISA Server 2004 HTTP policy. For example, you might want to prevent access to all Web sites that contain a reference to the popular file-sharing application, Kaaza. This file-sharing program can present a risk to network security because the files downloaded through this application can contain viruses, worms and copyrighted material.

In the following walkthrough, you will configure the HTTP policy for the Administrator Internet Access and Limited Access Web Users rules to block all Web connections to URLs that contain the string “Kaaza”. This is a blunt approach: a substring signature on the request URL denies every URL that happens to contain the string, including pages that merely discuss the application, and it does nothing for traffic that the HTTP filter never inspects (other protocols, or HTTP on ports the filter is not attached to). Even so, it demonstrates the power of ISA Server 2004’s deep HTTP inspection mechanisms.

Perform the following steps to prevent users from accessing Kaaza-related sites:

1.       In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node.

2.       Right-click the Administrator Internet Access rule and click Configure HTTP.

3.       In the Configure HTTP policy for rule dialog box, click the Signatures tab.

4.       On the Signatures tab, click the Add button.

5.       In the Signature dialog box, enter a name for the signature in the Name text box. In this example we will enter Kaaza URL. Select the Request URL entry in the Search in list. Enter the string kaaza in the Signature text box. Click OK.

6.       Click Apply and OK in the Configure HTTP policy for rule dialog box.

7.       Repeat the preceding steps for the Limited Access Web Users rule.

8.       Click Apply to save the changes and update firewall policy.

9.       Click OK in the Apply New Configuration dialog box.
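To make the behaviour of the signature you just configured concrete, the following Python script is an added illustration (it is not ISA Server code and is not part of the original guide). It models a signature as a name, a "Search in" scope and a string, evaluates constructed requests against the Kaaza URL signature from the walkthrough, and then shows the two practical consequences of a URL substring rule: a page that merely mentions the string is denied, and a request that does not literally contain the string is not. Case-insensitive substring matching and the optional percent-decoding step are assumptions of this model, not statements about how the product's matcher is implemented; hostnames such as news.example and forum.example are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class HttpRequest:
    """One client request as an HTTP filter sees it. All sample values are constructed."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Signature:
    """One entry on the Signatures tab: a name, a 'Search in' scope and a string."""
    name: str
    search_in: str                     # "Request URL", "Request headers" or "Request body"
    pattern: str
    header_name: Optional[str] = None  # required when search_in == "Request headers"


def searched_text(req: HttpRequest, sig: Signature, decode_url: bool) -> str:
    """Return the part of the request that a signature is matched against."""
    if sig.search_in == "Request URL":
        # decode_url is a knob of this model: percent-decode the URL before matching or not.
        return unquote(req.url) if decode_url else req.url
    if sig.search_in == "Request headers":
        if sig.header_name is None:
            raise ValueError("a header signature needs a header name")
        lowered = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
        return lowered.get(sig.header_name.lower(), "")
    if sig.search_in == "Request body":
        return req.body
    raise ValueError(f"unknown search scope: {sig.search_in}")


def first_match(req: HttpRequest, sigs: List[Signature], decode_url: bool = False) -> Optional[str]:
    """Name of the first signature whose string occurs in its scope, or None if the request is allowed.
    Matching is a plain case-insensitive substring test (an assumption of this model)."""
    for sig in sigs:
        if sig.pattern.lower() in searched_text(req, sig, decode_url).lower():
            return sig.name
    return None


# The signature created in the walkthrough: Search in = Request URL, string "kaaza".
KAAZA_URL = Signature(name="Kaaza URL", search_in="Request URL", pattern="kaaza")
# A second signature with a different scope, for comparison.
KAAZA_BODY = Signature(name="Kaaza body", search_in="Request body", pattern="kaaza")

# Constructed requests, not captured traffic.
ALLOWED = HttpRequest("GET", "http://www.microsoft.com/")
BLOCKED = HttpRequest("GET", "http://www.msn.com/kaaza")
FALSE_POSITIVE = HttpRequest("GET", "http://news.example/why-kaaza-was-sued")
ENCODED = HttpRequest("GET", "http://www.msn.com/k%61aza")  # "%61" is a percent-encoded "a"
POSTED = HttpRequest("POST", "http://forum.example/submit",
                     {"Content-Type": "application/x-www-form-urlencoded"},
                     body="q=kaaza")


def walkthrough_results() -> Dict[str, Optional[str]]:
    """Verdict for each constructed request; None means allowed, otherwise the blocking signature."""
    return {
        "allowed": first_match(ALLOWED, [KAAZA_URL]),
        "blocked": first_match(BLOCKED, [KAAZA_URL]),
        "false_positive": first_match(FALSE_POSITIVE, [KAAZA_URL]),
        "encoded_raw": first_match(ENCODED, [KAAZA_URL], decode_url=False),
        "encoded_decoded": first_match(ENCODED, [KAAZA_URL], decode_url=True),
        "post_url_only": first_match(POSTED, [KAAZA_URL]),
        "post_url_and_body": first_match(POSTED, [KAAZA_URL, KAAZA_BODY]),
    }


if __name__ == "__main__":
    for case, verdict in walkthrough_results().items():
        print(f"{case:18} -> {'allowed' if verdict is None else 'blocked by ' + verdict}")
```

The "encoded_raw" and "encoded_decoded" cases are the check worth keeping in mind when you rely on a string signature: whether the filter normalizes the URL before matching decides whether a trivially encoded request slips past, so verify that behaviour against the product documentation rather than assuming it. The "post_url_only" case shows that the Search in scope is literal: a Request URL signature never looks at a request body.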

 

Test the Access Rules

Now that we have an ISA Server 2004 Access Policy in place, we can test the policy.

Perform the following steps to test Access Policy:

1.       First, review the Access Policies created on the ISA Server 2004 firewall. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Review the Access Rules in the Details pane of the console.

2.       Log on to the CLIENT computer as User2. Open the browser and enter www.microsoft.com in the Address bar. Press ENTER.

3.       The home page of the Microsoft site appears in the browser. In the Internet Explorer Address bar, enter www.isaserver.org and press ENTER.

4.       You will see the MSN search page indicating that the www.isaserver.org page could not be found. The site is not unavailable; the Access Rule denied the request, and Internet Explorer presents the failed connection as an unknown site. You can give users a clearer explanation by configuring the deny rule to redirect blocked requests to a Web page that explains the policy.

5.       In Internet Explorer, enter www.msn.com and press ENTER.

6.       You see the home page of the www.msn.com Web site. Note that some graphics do not appear on the page because they fall outside the range of sites allowed by the Domain Set we created for the Access Rule.

7.       In the Internet Explorer Address bar, enter the URL http://www.msn.com/kaaza. An error page is returned indicating that the HTTP Security filter has blocked the connection. The Signature configured in the HTTP policy for the Access Rule detected that Kaaza was in the URL and blocked the connection attempt.

8.       Log off the CLIENT machine and then log on as Administrator.

9.       Open the Web browser and enter www.microsoft.com in the Address bar of Internet Explorer and press ENTER. The Microsoft Web site appears.

10.   Enter www.isaserver.org in the Address bar of Internet Explorer and press ENTER. As an Administrator, you are able to access the site.

11.   Enter www.isaserver.org/kaaza in the Address bar of Internet Explorer. You see the same HTTP Security filter error message. Again, the settings in the HTTP policy of the rule block the connection attempt.

12.   Click Start and click the Run command. In the Run dialog box, enter cmd in the Open text box. Click OK.

13.   At the command line, enter the line telnet ftp.microsoft.com 21 and press ENTER. You will see a banner saying 220 Microsoft FTP Service. Enter quit and press ENTER. You will then see the message 221 Thank-you for using Microsoft products!

14.   At the command prompt, enter the line telnet dragons.ca.usdal.net 6667 and press ENTER. You will see an error indicating that the connection failed. If you look at the connection attempt in the ISA Server 2004 real-time log monitor, you will see that the connection attempt was actively denied by the firewall.

15.   Log off the CLIENT computer.

 

Conclusion

In this ISA Server 2004 Configuration Guide section, we discussed the variety of methods you can use to control outbound access to the Internet using ISA Server 2004 Access Rules. In the walkthroughs, you created Access Rules that controlled access to specific Web sites and protocols based on user and group membership. In addition, you created policy elements “on the fly” while creating the Access Rules. In the next chapter of the ISA Server 2004 Configuration Guide, we examine the procedures required to publish a Web and FTP server located on the perimeter network segment.