When you define an access rule on ISA Server, you usually cannot specify every website that users will access because you don’t know what they are. The best solution is to allow users to access all websites. That creates a problem: while they are working, some users can now access game sites or social networking sites, which wastes both company resources and time. Therefore, you have to restrict those websites.

On ISA Server, there is a Domain Name Set object which you can use to control access to a website. For example, if you don’t want users to access google.com, you create a Domain Name Set object with the value *.google.com and add it to a deny rule. This blocks users from accessing the entire google.com domain, including its sub-domains such as maps.google, video.google, etc. A Domain Name Set applies to all client types and all protocols, which means it supports SecureNAT, Web Proxy and Firewall client types and applies to any protocol defined in the rule.
This article shows you how to create a deny access rule that restricts users on the internal network from accessing certain websites, such as facebook.com, myspace.com and hi5.com, by using Domain Name Sets.
If you are new to ISA Server, I recommend that you first read this series – Getting started with Microsoft ISA Server 2006.
Step-by-step: blocking websites using Domain Name Sets
- Suppose that I have already configured access rules which allow DNS queries and Internet access for all clients on the Internal network.
- Now I will create a new access rule to block some websites. Let’s name the rule ‘Restricted WebSites’.
- On Rule Action, select Deny and click Next.
- On Protocols, select All outbound traffic. Click Next.
- On Access Rule Sources, add Internal to the sources. Click Next.
- On Access Rule Destinations, I will create a new Domain Name Set object which contains the list of websites that I want to block. Click Add.
- On Add New Entities, select New -> Domain Name Set from the drop-down menu.
- On New Domain Name Set Policy Element, set the name to ‘Restricted WebSites’ and add these websites to this set.
- You will see that a new Domain Name Set object has been created.
- Add the ‘Restricted WebSites’ object to the Access Rule Destinations and click Next.
- On User Sets, click Next.
- On Completing the New Access Rule Wizard, click Finish.
- Click Apply to save changes and update the configuration.
Note: Make sure that the new access rule you have created is at the top of the list, or at least higher than the allow Internet access rule.
- These are the completed access rules for this example.
- Let’s try to access www.facebook.com from a SecureNAT client. Here is the result.
- Let’s try to access www.facebook.com from a Web Proxy client. Here is the result.
- This is the log entry recorded while accessing the blocked website.
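
The note about rule order matters because access rules are evaluated from the top down and the first matching rule decides the request. The following Python sketch is an added example, not ISA Server code or part of the original article: it models that first-match evaluation with a wildcard Domain Name Set. The rule names, the set entries and the simplified matching logic are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "Allow" or "Deny"
    source: str                    # source network, e.g. "Internal"
    domains: Optional[frozenset]   # Domain Name Set entries; None = any destination

def in_domain_set(host, entries):
    """True if host matches an entry; '*.example.com' covers its sub-domains.
    (Simplified model: bare-domain handling is not modelled here.)"""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            # entry[1:] is ".example.com", so "notexample.com" does not match
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False

def evaluate(rules, source, host):
    """Walk the rules top-down; the first matching rule decides the request."""
    for rule in rules:
        if rule.source != source:
            continue
        if rule.domains is None or in_domain_set(host, rule.domains):
            return rule.action, rule.name
    return "Deny", "Default rule"  # nothing matched: fall through to deny

# Constructed sample policy mirroring the article's two rules.
RESTRICTED = frozenset({"*.facebook.com", "*.myspace.com", "*.hi5.com"})
DENY = Rule("Restricted WebSites", "Deny", "Internal", RESTRICTED)
ALLOW = Rule("Allow Internet access", "Allow", "Internal", None)

if __name__ == "__main__":
    for order in ([DENY, ALLOW], [ALLOW, DENY]):
        print("Rule order:", [r.name for r in order])
        for host in ("www.facebook.com", "www.example.org", "notfacebook.com"):
            print("  ", host, "->", evaluate(order, "Internal", host))
```

With the deny rule first, www.facebook.com is denied and other sites are still allowed; with the order reversed, the allow rule matches first and the Domain Name Set is never consulted.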