Linglom’s Blog

Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter

71 Responses to “Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter”

1. Subhasha Says:
   April 22nd, 2008 at 2:37 pm

   It is a good document for the administrators for amall and mediun companies those who can’t use third party tools.

2. Mohammed Says:
   April 22nd, 2008 at 3:44 pm

   Really appriciated this effort.

   Very Helpfull
   Thanks

3. Jim Says:
   April 25th, 2008 at 10:45 pm

   To Whom it may concern;
   I am looking to limit users to certain websites. Can you give me a detailed information on this matter. I have configured the server so I can access it to go to the internet but now I need to have only users go to certain website and I cannot figure out how to do this on an ISA 2006. FYI I am very new to ISA 2006 thanks for your help.

4. linglom Says:
   April 29th, 2008 at 3:07 pm

   To Jim,
   You can filter users by configure on a rule. On rule properties, there is a Users tab which you can add/remove a certain group or a user to use this rule.

5. Jim Says:
   April 29th, 2008 at 7:56 pm

   Hello Linglom,
   I do appreciate you sending the documentation on blocking websites, But I need to add a rule to limit users to go to certain sites only. How can I do this?
   Thanks Jim

6. Arham Says:
   June 12th, 2008 at 8:36 pm

   I need to allow yahoo’s voice chat and web cams through ISA 2006
   2.is Content filtering possible in ISA 2006 ? if yes please tell me how to configure it ??
   3. how can i allocate bandwidth to the users in ISA 2006

7. Adel HIgazy Says:
   July 10th, 2008 at 3:11 am

   Thanks, but i need to know how i can detect user who use or run sniffung and spoofing programes from isa server.

8. niraj Says:
   July 11th, 2008 at 6:24 pm

   hi… Linglom

   How to give mail access for outlook express in ISA 2006.

9. linglom Says:
   July 12th, 2008 at 11:44 pm

   To Adel HIgazy,
   I’m not sure that ISA Server can do that. It can be but I really don’t know how.
   To detect that kind of traffics, try to setup IDS in your system. The free popular one is snort.

   To niraj,
   Depending what kind of mail server protocol you have used (HTTP, IMAP, POP3), then simply allow that protocol.

10. Nirmal Says:
    July 29th, 2008 at 1:43 pm

    Anyone guide me:

    I have installed ISa server 2006 in my system , it blocks my trend micro security agent, how can i allow this agent to run through isa server 2006.

11. Hany Says:
    August 17th, 2008 at 9:09 pm

    when i block MSN Messenger by configure signature to “msnmsgr.exe” this block msnmsgr.exe and also hotmail mail access. there any soulution. to block msn access without blocking hotmail access.

    thanks.

12. linglom Says:
    August 21st, 2008 at 10:36 pm

    If you blocked only the signature “msnmsgr.exe”, you can check email on hotmail through web access. I’ve tested it.

13. rezanet Says:
    August 27th, 2008 at 4:57 pm

    Hi
    Thank you for this tutorial,
    I did all the things you said and also I tried several signatures for Yahoo!messenger but it does not work and people in our company still can connect I really tried several ways to block yahoo messenger like : blocking YMSG protocol- blocking port 5000…5050,5150,5151,5051(both TCP and UDP inbound and outbound)-blocking by several URL’s -blocking all that I found by ISA logging feature- etc.
    the only way that works was to deny HTTPS but it will block yahoo mail also wich I don’t want to block that!
    would you please help me with this issue?
    This issue makes really big problem in my job

    thank you so much for your kind attention.

14. linglom Says:
    August 28th, 2008 at 10:36 pm

    In my post is the older version of Yahoo Messenger so it may not work with the latest version.

    Currently, I’ve tested with Yahoo Messenger 8.1. I can block by denying outbound TCP port 5050 and everything works fine.
    What is your version of Yahoo Messenger?

15. rezanet Says:
    August 30th, 2008 at 1:13 pm

    Hi linglom,

    Thank you for your attention.
    I have the same version but mine does not work
    maybe you would like to know about my network topology!
    I have one Juniper SSG140 as my core router and I have isa between two virtual router!
    One leg of ISA is in trust-vr as internal leg and the second one (Outgoing) is in untrust-vr!
    The default route in Juniper is to forward all internet traffic to ISA!
    I have one HP-DL380 (2x Quad proccessor-6GB ram) win2k3ent and ISA 2006 Std installed.
    I know that I should not install ISA2006Std on a computer with more than 4 proccessor but I was not sure that 4 proccessor means Virtual proccessors or only physicals!!?!
    So for assurance I tried ISA on a computer with one CPU also! everything was same!
    When I enabled logging on ISA, I found that yahoo messenger first will try port 5050 and it will be blocked by ISA successfully! and then messenger try to telnet to destination server! I did block telnet too! but then messenger will try HTTPS and then it will connect under port 80!
    As I want to let people to use yahoo mail I can not block HTTPS because as you know, login servers for both messenger service and mail service is same
    I used Wireshark to find the application signature and I tried several signature like : msg.yahoo.com – YMSGR – mud.yahoo.com – address.yahoo.com – etc…
    But all failed and does not work
    It really makes me upset

    Thank you again.

16. rezanet Says:
    August 30th, 2008 at 1:19 pm

    One more thing which maybe you want to know is that I have only SecureNAT clients!

17. linglom Says:
    August 31st, 2008 at 9:13 am

    In this case, I think the problem may not be related with your network topology or client type. After I read Yahoo! Messenger Help, it seems that the application will try attempt to connect on other ports (including 80) if the 5050 fails. Therefore, there is no way to block by using rule port. (But mine works, strange!)

    So I want you to try block these servers : scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com. These are servers that the messenger connect to. But I haven’t tested it yet.

    Reference: How do I configure my firewall/proxy server?

    If the solution above doesn’t work. I think you may need to block by other means. For instance, block by using group policy (if the PC is in the domain) to restrict installing the application instead of blocking from firewall.

18. rezanet Says:
    August 31st, 2008 at 10:35 am

    Hi linlom,
    Thank you for your follow up.
    Yesterday I spent full day to monitor yahoo messenger packets by Wireshark, and I did block these TCP ports : 20,25,23,119,5050,5150,5051.(which I found that it was right as explained in the link you provided-thank you)
    It does work till now! and I hope it will
    I will also try the servers and let you know the result
    but I wonder why the signature did not work I think it was best solution !
    I think this is because new yahoo messenger use Mozilla interface which result in changed signature! I mean the signature become Mozilla/4.0! what’s your idea?
    thank you for your help and attention anyway
    Now I’m working on Google Talk ,any advice will be appreciated
    The signature is Google Talk in User-Agent area! but it does not work too )

    Have a nice day:)

19. Sud Says:
    October 5th, 2008 at 5:17 pm

    Hi Linlom,

    I need to allow AOL messenger access from ISA 2006, after allowing required ports and aol IM related servers, still aol clients are not getting connected,, any advice please

20. linglom Says:
    October 6th, 2008 at 3:18 pm

    Hi, Sud

    I have nerver use AOL Messenger before. But after I have trying to allow it, I think you may have to disable ISA Server Firewall client on the client PC. Then, try to create a new access rule on the ISA Server to allow “AOL Instant Messenger and HTTPS” protocol and source (From) is the your client PC and destination (To) are the domain name set (*.aol.com), URL sets (http://aol.com/*) and a Computer IP (64.12.26.103). This IP, I have captured from ISA logging. But I’m not sure what it is. I think it’s one of the AOL Server.

    And the second rule, you should allow DNS and NetBios Name Service protocol from AnyWhere to AnyWhere. This rule you may try to narrow down later. I’m not sure about AOL DNS Servers.

    With these configuration as above, I can sign in AOL Messenger. I’ve tested already.

    If you need more information, see How to Use America Online 9.0 with ISA Server 2004

21. Sud Says:
    October 6th, 2008 at 5:36 pm

    Hi Linglom,

    Thanks for the reply, as suggested we are not using firewall client on clients PC, as i have created a seperate rule for AOL Messenger access, the issue here is i am able to login to AOL sometime, after which it gets disconnected and need to login again, there is no time limit set and no other restriction.

22. linglom Says:
    October 9th, 2008 at 9:41 am

    What do you mean “no time limit set and no other restriction”? Time limit in AIM? I don’t understand.

23. Sud Says:
    October 9th, 2008 at 3:21 pm

    Hi linglom,

    I mean time limit and restrictions in ISA. Problem is i am not able to connect to AIM after doing all the steps mentioned by you.

24. linglom Says:
    October 10th, 2008 at 2:47 pm

    I think there are other IP Addresses besides that I’ve told you before. You may need to observe in the ISA Server log for more IP Addresses that AIM use to connect to its server.

25. Niranjan Says:
    October 17th, 2008 at 4:56 pm

    This is really nice article. Thanks for sharing it. I want to get the user information that is entered in the ISA Login to my web site. How can i do it?
    Thanks

26. Judgegi Says:
    October 22nd, 2008 at 2:46 pm

    Hi Linlom,

    I need to block download bytes timit access from ISA 2006, for all users.

    Thx

27. linglom Says:
    October 24th, 2008 at 10:49 pm

    Try Bandwidth Splitter. It is a third party tool which is an extension of the ISA Server.

    You can use up to 10 users for free. More than that you need to pay.

28. Judgegi Says:
    October 25th, 2008 at 10:44 am

    Hi Linlom,

    Thank you for your follow up.
    I need to help for ISA Server 2006 Proxy setting, after allowing http, https, smtp, pop3, dns and ftp rules, still clients are getting connected with internet without setting up browser proxy, how i can block clients without proxy setting.

    thx

29. tiperera Says:
    November 7th, 2008 at 1:26 am

    Hi Luangaroon
    Thank you for this tutorials…Is there any possibility to block Metadata keywords (On google) via ISA 2006

    Thanks

30. Taher Says:
    November 17th, 2008 at 10:27 pm

    Hi linglom
    Thank you for all information
    I need block Bear share program
    Please Help me for block it

    Regards

31. linglom Says:
    November 18th, 2008 at 8:51 pm

    See Common Application Signatures. I’m not sure that they are obsoleted or not so you may have to try by yourself.

32. Sophal Says:
    December 11th, 2008 at 8:17 am

    Hi Linglom,

    Could you please tell me how to block skype with ISA 2006?
    I already try to block in many way but still cannot.

    Hope to hear the solution.

    Regards,
    SOPHAL.

33. linglom Says:
    December 11th, 2008 at 3:02 pm

    Hi, Sophal

    Have you try to block these ports?
    - Outbound port 33033
    - Inbound TCP 43017
    - Inbound TCP 4391
    - Inbound TCP 4900 – 5100

34. Sophal Says:
    December 11th, 2008 at 4:29 pm

    Hi LingLon,
    I already try to block that port but still cannot.
    Skype program use the random ports and also can access via HTTP and HTTPS. for the destinations also have alot for client connect. so it will be difficult to block.
    Got any idea about blocking Skype program?

    Regards,
    SOPHAL

35. linglom Says:
    December 12th, 2008 at 8:27 pm

    If the program can access through HTTP and HTTPS, then it’ll difficult to block it or may not be able to completely block it.

    So I suggest other option which may not concern with ISA Server, you have to define your IT policy to access Internet more strict. For example:
    - Do not allow user to install any third party program without authorization. This can be done by using group policy in Active Directory. You also can install an inventory software on client computers to check if they’ve installed unauthorized software on their computers.
    - You can create an access rule on ISA Server to restrict outbound traffic as much you can. Limit HTTPS access to only the trust site.
    - Monitor traffic on ISA Server regularly. If someone try to using skype, it’ll generate lot of outbound traffic and you’ll notice it.

36. Rabbit Says:
    December 31st, 2008 at 9:43 am

    hi linglom,

    u’ve talk about blocking access to download file .torrent in isa 2006, but i prefer to open that port in stead, how to do?

37. linglom Says:
    January 11th, 2009 at 9:32 am

    Hi, Rabbit
    Download a .torrent file doesn’t need to open any port only allow HTTP traffic. But if you want to download file using Bittorrent software, it may depends on which software you’re using. And I’m not use Bittorrent so I can’t support in that way.

38. rockonn Says:
    January 17th, 2009 at 5:07 pm

    i had setup the isa server 2006 in my network…our exchange is in main office. In our office we have configured outlook 2003 for clients.

    Now they cant access mail through outlook 2003. but they can access through web access…what should i do to solve the problem?

    thanks

39. linglom Says:
    January 19th, 2009 at 9:22 pm

    Hi, Rockonn
    I have no experience about Exchange. I suggest you visit isaserver.org. There are many resources about ISA Server and Exchange.

40. Néjm-Eddine Says:
    January 26th, 2009 at 7:01 pm

    Hi Thank you very much for your effort it helps us.

41. Ahmad Says:
    February 5th, 2009 at 6:46 pm

    i blocked some website how can i change the (page can not be display)massage in isa server 2006.

    Thanks

42. gary Says:
    February 8th, 2009 at 5:27 am

    Hi, I followed your directions exactly as written. For a few minutes, my ISA server was able to access the internet with no problems and then I was not able to access the internet any more. I know my external interface has the correct address and DNS information. The error I am getting when I try to go to a web page is

    error code: 403 forbidden. the isa server denied the specified uniform resource locator (url). (12202)

    I am using the edge firewall setup.

    Please help if you can or indicate what additional info you require to solve this.

    Thank you,

    Gary

43. linglom Says:
    February 8th, 2009 at 9:09 pm

    Hi, Gary

    I’m not sure about this error. But if the error has occurred when you create a web publishing rule, you should read this thread: Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator – ISA Server.org

44. linglom Says:
    February 8th, 2009 at 9:17 pm

    Hi, Ahmad

    You can customize the error pages on ISA Server. The templates are located in the folder – C:\Program Files\Microsoft ISA Server\ErrorHtmls.

45. Ahmad Says:
    February 10th, 2009 at 2:35 pm

    Hi,Linglom
    thanks for your information.but there is problem i blocked some video and audio extension and page comes with this error.how can i change the htm page error i checked i did not find this error page 1.(Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217))
    and also this error page.
    2.(Error Code: 403 Internal Server Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217))

    thanks alote

46. Ahmad Says:
    February 10th, 2009 at 2:44 pm

    Dear Linglom,

    i have one more problem that is.when iam going to ISA server management and then click on monitoring and then logging and on right side when iam clicking start query is shows in URL only ip not Domain name of users.

    thanks

47. linglom Says:
    February 10th, 2009 at 8:51 pm

    Hi, Ahmad
    For more information about customizing ISA Server’s error page, see How to Customize HTML Error Messages in ISA Server 2006 – Microsoft.com

    For the second question, there are client’s IP and Username columns. Have you seen both columns in the Logging? If the Client Username column is empty, it means that the client connection isn’t authenticated with the AD that ISA Server is in.

48. Ahmad Says:
    February 11th, 2009 at 2:19 pm

    Dear Linglom,

    Thanks for your help i really appreciat it. again a question the client user column is anonymous and i can see the client ip.
    there is no option in website to send you screenshop.

    thanks alote

49. linglom Says:
    February 12th, 2009 at 10:03 am

    Hi, Ahmad
    What client type you’re using? To authenticate all traffic, you’ll need to install firewall client. Also, make sure that rules that you are configured are not allow anonymous access either specify user,group or authenticated users would be sufficient.

50. Ahmad Says:
    February 12th, 2009 at 5:35 pm

    Dear linglom,

    thanks alote for your help.but iam so confuse about this.

    Regards

    Ahmad

51. Ahmad Says:
    February 17th, 2009 at 6:48 pm

    Dear linglom,

    i configured the VPN in isa server 2006 it give some error 800 i dont know why Please if you tell me VPN configuration.

    Thanks

52. linglom Says:
    February 17th, 2009 at 9:51 pm

    Hi, Ahmad
    I don’t have experience about VPN. I haven’t tried VPN yet. But there are many resources about configuring VPN on ISA Server on the Internet:

    • Enabling the ISA Server 2004 VPN Server – ISAServer.org
    • How to configure a VPN server by using Internet Security and Acceleration (ISA) Server 2006 – Microsoft.com
    • How to configure a VPN connection to your corporate network in Windows XP Professional – Microsoft.com
    • Error Message: VPN Connection Error 800: Unable to Establish Connection – Microsoft.com
53. Nandha Says:
    February 21st, 2009 at 5:40 pm

    Dear Linglom,

    In my organisation we have implementing ISA server 2006. and we have created four policys mentioned below
    1. Only mail access rule – users can access the company mail only.
    2.Allowed sites access rule – users can access only particular sites.
    3. Access with restriction access rule – users can access al the websites except particular sites
    4. Full access rule – all the websites can access.

    In this scenario, only the Full access rule users can able to access the yahoo,msn and gtak etc..

    but, we need to give the chat permission for mail,allowed and access with restriction user also.

    how to create the policy for this senario, kindly help us.

54. Nandha Says:
    February 22nd, 2009 at 10:08 pm

    dear sir,

    any update on the above

55. linglom Says:
    February 23rd, 2009 at 9:56 am

    Hi, Nandha
    I’m not sure about mail chat. I don’t have this kind of traffic in my environment.

    But I’ve found some posts related with this issue.

    • Block Yahoo mail chat
    • Allowing/Denying IM and other protocols on ISA Server
56. Nandha Says:
    February 23rd, 2009 at 1:36 pm

    thank u for your information and will check the above link

57. Ahmad Says:
    March 1st, 2009 at 7:17 pm

    Dear Linglom,

    i just configured VPN in isa server 2006 but the problem is that when iam typing \\isaserver in run from client it cant find the the server but when iam typing ip from server to a client it can find it that computer
    Please if help me what is the problem.

    Note: when iam typing from server \\client computer cant find if iam typing an ip of client it can find it

    Thanks in advance

58. linglom Says:
    March 6th, 2009 at 9:28 pm

    Hi, Ahmad
    You may have to check DNS configuration whether it points to the correct server.

59. Ahmad Says:
    March 8th, 2009 at 9:57 pm

    Dear linglom,

    i solved the problem it was blocked by isa server

    Thanks

60. ahmad Says:
    April 7th, 2009 at 3:14 pm

    i cant block yahoo messenger 9 with isa 2006
    i tried to filter signatures: scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com but didnt work

61. Ahmad Says:
    April 7th, 2009 at 8:30 pm

    dear linglom,
    iam using ISA server 2006 and how can i allocate bandwidth to the users in ISA 2006

62. linglom Says:
    April 13th, 2009 at 9:17 pm

    Hi, ahmad (comment No.60)
    To completely block messengers from ISA Server aren’t easy. Most of them now can communicate through HTTP(80) which makes them even hard to block. The best way to solve the problem is control software restriction installation on PCs. This can be achieved using Group Policy.

    ---

    Hello, Ahmad (comment No.61)
    To allocate bandwidth, there is a third party tool but it isn’t free. See comment No.27 of this post for the link.

63. Rehan Says:
    April 14th, 2009 at 8:36 pm

    Dear linglom,

    First of all i really appriciate this website is very helpfull for new ISA server 2006 administrator. I published my exchange server 2003 POP3 and SMTP but when i want to use this it’s give me (Socket Error: 10060, Error Number: 0×800CCC0E) Error.I have two network cards in my isa server and i follow same step which you mention on your site for installation. one more confussion what address i will set on outlook express for retrive my mails ISA public address or mail public address. my exchange server is also public IP address.

64. Nandha Says:
    May 7th, 2009 at 9:10 am

    Hamid

    yahoo messenger will work on port no 5050. so create the rule to block the port number 5050. it will be blocked. we have tried in our organistation.

65. Rashid Says:
    May 26th, 2009 at 1:41 pm

    I want to configure the ISA2006 with single network card templete. during updating that templete the computer give me the given below error : No external IP address defined
    ”
    and when I configure the Internet proxy option under tools/connection/Lan settings/ proxy address/port
    the browser give the error code 502.

    and with single network card what will be the lan card configuration.

66. Amol Says:
    June 9th, 2009 at 7:40 pm

    Hi dear,
    I need signatures to Block the Gmail somehow ppl get the access i want give access only for some users & what about annonymous proxy ppl are getting access to other mail from this how to block them please tell me

67. Sathish Says:
    June 22nd, 2009 at 11:26 pm

    i am new to ISA Server 2006 . i installed ISA Server 2006 my office i want to know one thing i want to enable some users can access only one particular sites. how to create the rule . Appreciate your help.

68. Kotb Says:
    June 23rd, 2009 at 3:00 pm

    Dear linglom I need to block yahoo messenger using ISA 2006 please your help

    Thanks.

69. Kotb Says:
    June 23rd, 2009 at 3:09 pm

    Hi, I have ISA 2006 , I need to block users from downloading files from the internet , please your help

70. linglom Says:
    June 26th, 2009 at 10:39 pm

    Hi, Amol
    There is no way to completely block these proxy websites. You have to block them manually so you have to update rules regularly.

    ---

    Hi, Sathish
    See Part III: Create Firewall Policy Rule

    ---

    Hi, Kotb
    See comment 64 for blocking Yahoo Messenger. To block downloading files, you can block certain extensions such as zip, rar, exe, etc. Right-click on the rule -> select Configure HTTP -> select Extensions tab -> add extensions that you want.

71. Asher Says:
    June 29th, 2009 at 1:41 pm

    Dear linglom,

    thanks for providing such step by step configuration.
    would appreciate if you guys can teach us how to configure VPN so that local users can use internet only by using the VPN by typing their password and Id which is alloted by the administrator.

    Thanks
    Regards,
    Asher

Leave a Reply