
Block Internet Access for certain URLs and Security groups

A few days ago a customer called me and asked to configure the server for limited access for several different groups of users in his organization. The customer did not want employees to browse to certain sites that have nothing to do with the daily work of those users, but he wanted to allow the users to browse the sites during lunch.

In this article we will use ISA 2004 to accomplish this task.


Create a security group and add users to that group

  1. In order to restrict access to certain URLs we need to create a security group. Start the Small Business Server 'Server Management' console from the Start menu and click 'Add a security group'.
  2. The 'Add a security wizard' starts. Click Next.
  3. We name this security group 'SBS Restricted Internet Access' and give it a useful description. Click Next.
  4. In this window we can add users to the security group. We don't want John Doe to have access to certain URLs, so we highlight John's name in the list and click Add. Once that is done, click Next.
  5. The wizard confirms that we have added John Doe to the 'SBS Restricted Internet Access' security group. Click Next.

Create a new Firewall Policy and a Domain Name Set

Before we start this procedure there is something important that you need to understand. In ISA 2004 we can create Domain Name Sets and URL Sets. Domain Name Sets can control all protocols and all client types; URL Sets can only control connections coming from web proxy clients. This means that if you create a URL Set and use it in your rule, only connections from a browser that is set to use a web proxy will be blocked and all others can pass. That is not what we want, so in this case we choose to create a Domain Name Set. Later in this article we will show that everything is blocked to the domains you define in a Domain Name Set.
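The difference described above can be seen in a small model of how such a deny rule matches traffic. This is an added example, not ISA Server code and not part of the original article: the `Request`, `DenyRule`, `decide` and `compare` names are hypothetical, both set kinds are reduced to host patterns, and the sample traffic (including the user `asmith`) is constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

GROUP = "SBS Restricted Internet Access"   # security group from the article
BLOCKED = ("www.smallbizserver.net",)      # entry of 'SBS Restricted Domain'

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # security groups of the authenticated user
    host: str              # destination host name
    protocol: str
    via_web_proxy: bool    # True only for a client configured to use the web proxy

@dataclass(frozen=True)
class DenyRule:
    set_kind: str          # "domain_name_set" or "url_set"
    patterns: tuple        # host patterns, wildcards such as "*.example.test" allowed
    user_group: str

    def matches(self, req):
        if self.user_group not in req.groups:
            return False
        # As the article states: a URL Set only sees web proxy clients,
        # a Domain Name Set covers every protocol and client type.
        if self.set_kind == "url_set" and not req.via_web_proxy:
            return False
        host = req.host.lower().rstrip(".")   # normalise case and trailing dot
        return any(fnmatch(host, p.lower()) for p in self.patterns)

def decide(rule, req):
    """Return 'deny' when the rule matches, else 'allow' (no other rules modelled)."""
    return "deny" if rule.matches(req) else "allow"

# Constructed sample traffic; only John Doe comes from the article.
SAMPLES = [
    Request("jdoe", frozenset({GROUP}), "www.smallbizserver.net", "HTTP", True),
    Request("jdoe", frozenset({GROUP}), "WWW.SmallBizServer.net.", "FTP", False),
    Request("asmith", frozenset({"Domain Users"}), "www.smallbizserver.net", "HTTP", True),
]

def compare():
    """Decision per sample for both variants: (user, protocol, url_set, domain_name_set)."""
    url_rule = DenyRule("url_set", BLOCKED, GROUP)
    dns_rule = DenyRule("domain_name_set", BLOCKED, GROUP)
    return [(r.user, r.protocol, decide(url_rule, r), decide(dns_rule, r)) for r in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print("%-7s %-5s url_set=%-6s domain_name_set=%s" % row)
```

The second sample is the case the paragraph warns about: the same restricted user reaches the blocked host when the connection does not go through the web proxy, unless the rule uses a Domain Name Set.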

  1. Start the ISA Server Manager and choose 'Create New Access Rule' on the right side of the window.
  2. The 'New Access Rule Wizard' starts. We name this rule 'SBS Restricted Internet Access'.
  3. We need to set what should happen when the conditions are met. In our case we want the rule to deny access. Click Next.
  4. We set this rule to apply to all protocols. Click Next.
  5. We need to set which traffic this rule should apply to. Click Add.
  6. Expand 'Networks', highlight 'Internal' and click Add.
  7. Verify that the Internal network is listed and click Next.
  8. We need to specify the destination. Click Add.
  9. In figure 9 we create a new Domain Name Set. Click New.
  10. In this example (see figure 10) we name our Domain Name Set 'SBS Restricted Domain' and we block 'www.smallbizserver.net'. I don't know why anybody would want to block our site, but anyway, this is an example. Click OK.
  11. Our Domain Name Set is listed; we highlight it and click Add. After this we click Close.
  12. Our Access Destination Rule is ready. Click Next.
  13. Remove the 'All Users' group and click Add.
  14. Now we need to add the users or a security group. Click New.
  15. The New User Sets Wizard starts and we add our 'SBS Restricted Internet Users'. Click Next.
  16. We choose to add Windows Users and Groups.
  17. Click Advanced.
  18. Click the Find Now button. That will show you a list. Highlight the security group we created in the first part of this article and click OK.
  19. The new User Set has been created. Click Next.
  20. Click Add to add the User Set.
  21. The SBS Restricted Internet Users 'User Set' has been added to our new rule. Click Next.
  22. The wizard has been completed. Click Finish.
  23. ISA Server informs you that you need to save and update your settings. Click Apply.

Verify your Firewall rule and fine tune settings

Now we want to know if this really works. We log on to a Windows XP SP2 workstation with John Doe's credentials.

  1. Now we want to give access to those restricted sites during lunch hours. Open ISA Server Manager as shown in figure 1, double-click the rule we just made and choose the 'Schedule' tab. Click New.
  2. We have created a 'Lunch' schedule that lasts from 12:00 - 03:00. John Doe is from the Mediterranean so he takes a very long lunch!


About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.
