How to block websites on ISA Server using Domain Name Sets
ISA, Security September 1st, 2010When you define access rule on ISA Server, you usually cannot specify all websites that users will access because you don’t know what are they. The best solution is to allow users to access all the websites. Then, the problem comes. While they are working, some users now can access game sites or some may access social networking sites. This wastes both company resources and time. Therefore, you have to restricted those websites.
On ISA Server, there is a Domain Name Set object which you can use to control access to a website. For example, if you don’t want users to access google.com, you create a Domain Name Set object with value *.google.com and add it to denied rule. This will blocks users from access entire google.com including its sub-domains such as maps.google, video.google, etc. Domain Name Set is applied to all clients type and all protocols which means it support SecureNAT, Web Proxy or Firewall client types and applied to any protocols that define in the rule.
This article show you how to create a denied access rule to restricted users from internal network to access some restricted websites such as facebook.com, myspace.com, hi5.com by using Domain Name Sets.
If you are new to ISA Server, I first recommend you read this series – Getting started with Microsoft ISA Server 2006.
Step-by-step
- Suppose that I have already configured these access rule which allow DNS query and allow Internet access for all clients on the Internal network.
- Now I will create a new access rule to block some websites. Let’s name the rule as ‘Restricted WebSites‘.
- On Rule Action, select Deny and click Next.
- On Protocols, select All outbound traffic. Click Next.
- On Access Rule Sources, add Internal to the sources. Click Next.
- On Access Rule Destinations, I will create a new Domain Name Set’s object which contains a list of websites that I want to block. Click Add.
- On Add New Entities, select New -> Domain Name Set from drop-down menu.
- On New Domain Name Set Policy Element, set name to ‘Restricted WebSites‘ and add these websites to this set.
- *.facebook.com
- *.myspace.com
- *.hi5.com
Then, click OK.
Note: By adding ‘*‘ in front of the website name, it will include any sub-domain name of that website.
- You will see a new Domain Name Set’s object has been created.
- Add the ‘Restricted WebSites‘ object to the Access Rule Destinations and click Next.
- On User Sets, click Next.
- On Completing the New Access Rule Wizard, click Finish.
- Click Apply to save changes and update the configuration.
Note: Makes sure that the new access rule that you have created is on top or higher than the allow Internet access’s rule.
- These are completed access rules on this example.
- Let’s try to access www.facebook.com with SecureNAT’s client. Here is the result.
- Let’s try to access www.facebook.com with Web Proxy’s client. Here is the result.
- This is the log while access the blocked website.
Related post
- Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index...
Related posts:
September 26th, 2010 at 9:39 pm
Thanks, your the guy…..
October 17th, 2010 at 10:37 am
nice… But some sites are not blocked…..any suggestions..?
November 11th, 2010 at 2:37 am
Muchas gracias por este tutorial sufrio mucho para bloquear el maldito facebook
November 12th, 2010 at 10:04 pm
Thanks a lot. Any idea how to block by time period?
November 16th, 2010 at 10:16 am
Hi, Mandume
You can configure time on each rule by double-click on an access rule and select Schedule tab. There, you can select which time you want the access rule to be active.
January 2nd, 2011 at 11:47 am
When you define access rule on ISA Server, you usually cannot specify all websites that users will access because you don
February 4th, 2011 at 11:31 am
Dear Sir!
hope you are find and well, I create the Rule but I some Problem in deferent Browser, in some Browser that rule working but the only Mozilla Firefox browser is not working so what should I do for this browser
February 10th, 2011 at 9:37 pm
Thanks, your tips are straight forward and easy to follow
March 2nd, 2011 at 11:50 am
Dear Sir!
hope you are doing well, I need to Block the Youtube site Through ISA Server but I couldn’t I have all Ready made the Rule but it dose’nt worked so what should I Do?
March 4th, 2011 at 6:53 pm
Thank you,
I want to set time perid please!
April 13th, 2011 at 1:34 am
thank.
June 12th, 2011 at 3:56 pm
Thank you for a very simple instruction.. its work wonderful
August 21st, 2011 at 2:54 am
i can block any site except youtube any sugestion
August 30th, 2011 at 3:50 pm
Thanks a lot.
October 1st, 2011 at 1:17 am
I need to Block sites on some users
November 17th, 2011 at 8:01 pm
Hi linglom , i need help regarding few things:
1. In ISA 2006 :How to block internet access of single domain users
2. In ISA 2006 :How to block downloading.
December 9th, 2011 at 12:37 pm
@ Tabish
You can block internet access of single domain users by blocking the user itself. Create a DENY rule for specific domain user, denying access to EXTERNAL network before allowing others.
You can block donwloading by specifying the extention to you firewall created rule. Right click the rule, select Configure HTTP, at the Extension Tab, add all the extension of the files you want to block.
I suggest, you can you use 3rd party program like GFI Webmonitor for more comprehensive blocking.
Hope this help.
December 29th, 2011 at 11:10 am
I really enjoyed this site. This is such a Great resource that you are providing and you give it away for free. It gives in depth information. Thanks for this valuable information.
December 30th, 2011 at 11:21 am
The blog is absolutely fantastic. Lots of great information and inspiration, both of which we all need. Thanks.