How to block websites on ISA Server using Domain Name Sets

When you define access rules on ISA Server, you usually cannot list every website that users will access, because you don’t know in advance what they are. The best solution is to allow users to access all websites. Then a problem arises: while they are working, some users access game sites or social networking sites. This wastes both company resources and time. Therefore, you have to restrict those websites.

On ISA Server, there is a Domain Name Set object which you can use to control access to a website. For example, if you don’t want users to access google.com, you create a Domain Name Set object with the value *.google.com and add it to a deny rule. This blocks users from accessing the entire google.com, including its sub-domains such as maps.google, video.google, etc. A Domain Name Set applies to all client types and all protocols, which means it supports the SecureNAT, Web Proxy and Firewall client types and applies to any protocol defined in the rule.

This article shows you how to create a deny access rule that restricts users on the internal network from accessing restricted websites such as facebook.com, myspace.com and hi5.com by using Domain Name Sets.

If you are new to ISA Server, I recommend you first read this series – Getting started with Microsoft ISA Server 2006.

Step-by-step to block websites using Domain Name Sets

  1. Suppose that I have already configured these access rules, which allow DNS queries and allow Internet access for all clients on the Internal network.
    Current Access Rules
  2. Now I will create a new access rule to block some websites. Let’s name the rule ‘Restricted WebSites’.
    New Access Rule Wizard
  3. On Rule Action, select Deny and click Next.
    Rule Action
  4. On Protocols, select All outbound traffic. Click Next.
    Protocols
  5. On Access Rule Sources, add Internal to the sources. Click Next.
    Access Rule Sources
  6. On Access Rule Destinations, I will create a new Domain Name Set object which contains the list of websites that I want to block. Click Add.
    Access Rule Destinations
  7. On Add New Entities, select New -> Domain Name Set from the drop-down menu.
    Add New Domain Name Set's Object
  8. On New Domain Name Set Policy Element, set the name to ‘Restricted WebSites’ and add these websites to the set.
    • *.facebook.com
    • *.myspace.com
    • *.hi5.com

    Then, click OK.
    Note: Adding ‘*’ in front of the website name includes any sub-domain name of that website.
    Enter Restricted Websites

  9. You will see that a new Domain Name Set object has been created.
    Add Restricted Websites Object to Rule
  10. Add the ‘Restricted WebSites’ object to the Access Rule Destinations and click Next.
    Restricted Websites Object as Destination
  11. On User Sets, click Next.
    User Sets
  12. On Completing the New Access Rule Wizard, click Finish.
    Completing the New Access Rule Wizard
  13. Click Apply to save changes and update the configuration.
    Note: Make sure that the new access rule you have created is at the top, or at least higher than the allow Internet access rule.
    Apply Changes
  14. These are the completed access rules in this example.
    Current Access Rules
  15. Let’s try to access www.facebook.com from a SecureNAT client. Here is the result.
    Accessing the Blocked Website as a SecureNAT client
  16. Let’s try to access www.facebook.com from a Web Proxy client. Here is the result.
    Accessing the Blocked Website as a Web Proxy client
  17. This is the log entry recorded while accessing the blocked website.
    Logging
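
The note in step 13 matters because access rules are evaluated in order and the first matching rule decides the request. The following is an added example, not part of the original article and not ISA Server code: a simplified Python model of that evaluation using the Domain Name Set from step 8. The rule name ‘Allow Internet Access’ and all function names are assumptions made for illustration.

```python
# Simplified model of ordered access-rule evaluation (illustration only,
# not ISA Server code). Names other than the step 8 entries are hypothetical.
from dataclasses import dataclass

RESTRICTED = ["*.facebook.com", "*.myspace.com", "*.hi5.com"]  # set from step 8


def in_domain_set(host, entries):
    """Return True if host falls under any entry of a Domain Name Set."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            base = entry[2:]
            # Following the article: the wildcard entry covers the domain and
            # its sub-domains. Matching on "." + base keeps look-alike names
            # such as notfacebook.com out of the set.
            if host == base or host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


@dataclass
class Rule:
    name: str
    action: str                 # "Allow" or "Deny"
    destinations: list = None   # None means any destination


def evaluate(rules, host):
    """Return (action, rule name) of the first rule that matches host."""
    for rule in rules:
        if rule.destinations is None or in_domain_set(host, rule.destinations):
            return rule.action, rule.name
    return "Deny", "Default rule"  # nothing matched: final deny-all rule


DENY = Rule("Restricted WebSites", "Deny", RESTRICTED)
ALLOW = Rule("Allow Internet Access", "Allow")  # hypothetical allow-all rule
CORRECT_ORDER = [DENY, ALLOW]   # deny rule on top, as the note requires
WRONG_ORDER = [ALLOW, DENY]     # allow rule first: the deny rule is never reached

if __name__ == "__main__":
    for h in ["www.facebook.com", "apps.facebook.com", "notfacebook.com"]:
        print(h, evaluate(CORRECT_ORDER, h), evaluate(WRONG_ORDER, h))
```

With the deny rule below the allow rule, every request matches the allow rule first, so the block list has no effect.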
