Block Internet Access for certain URLs and Security groups

By Mariette Knap

A few days ago a customer called me and asked me to configure the server for limited access for several different groups of users in his organization. The customer did not want employees to browse to certain sites that have nothing to do with their daily work, but he wanted to allow the users to browse those sites during lunch.

In this article we will use ISA 2004 to accomplish this task.

Create a security group and add users to that group

In order to restrict access to certain URLs we need to create a Security group. Start the Small Business Server Server Management console from the Start Menu and click on 'Add a security group'.

The 'Add a security wizard' starts. Click Next.

We name this security group 'SBS Restricted Internet Access' and give it a useful description. Click Next.

In this window we can add the users to the Security Group. We don't want John Doe to have access to certain URLs, so we highlight John's name in the list and click Add. Once that is done, click Next.

The wizard confirms that we have added John Doe to the 'SBS Restricted Internet Access' security group. Click Next.

Create a new Firewall Policy and a Domain Name Set

Before we start this procedure there is something important that you need to understand. In ISA 2004 we can create Domain Name Sets and URL Sets. Domain Name Sets can control all protocols and all client types; URL Sets can only control connections coming from web proxy clients. This means that if you create a URL Set and use it in your rule, only connections from a browser that is set to use a web proxy will be blocked, and all others can pass.
That is not what you would like to see, so in this case we choose to create a Domain Name Set. Later in this article we will show that everything is blocked to the domains you define in a Domain Name Set.

Start the ISA Server Manager and choose 'Create New Access Rule' on the right side of the window.

The 'New Access Rule Wizard' starts. We name this rule 'SBS Restricted Internet Access'.

We need to set what should happen when the conditions are met. In our case we want the rule to deny access. Click Next.

We set this rule to apply to all protocols. Click Next.

We need to set which traffic this rule should apply to. Click Add. Expand 'Networks', highlight 'Internal' and click Add. Verify that the Internal network is listed and click Next.

We need to specify the destination. Click Add.

In figure 9 we create a new Domain Name Set. Click New.

In this example (see figure 10) we name our Domain Name Set 'SBS Restricted Domain' and we block 'www.smallbizserver.net'. I don't know why anybody would want to block our site but anyway, this is an example. Click OK.

Our Domain Name Set is listed; we highlight it and click Add. After this we click Close.

Our Access Destination Rule is ready. Click Next.

Remove the 'All Users' group and click Add.

Now we need to add the users or a security group. Click New.

The New User Sets Wizard starts and we add our 'SBS Restricted Internet Users'. Click Next.

We choose to add Windows Users and Groups. Click on Advanced. Click on the button Find Now. That will give you a list. Highlight the Security Group we already created in the first part of this article and click OK.

The new User Set has been created. Click Next.

Click Add to add the User Set.

The SBS Restricted Internet Users 'User Set' has been added to our new rule. Click Next.

The wizard has been completed. Click Finish.

ISA Server informs you that you need to save and update your settings. Click Apply.
Verify your Firewall rule and fine tune settings

Now we want to know if this really works. We log on to a Windows XP SP2 workstation with John Doe's credentials.

Now we want to give access to those Restricted Sites during lunch hours. Open ISA Server Manager as shown in figure 1, double click the rule we just made and choose the 'Schedule' tab. Click New.

We have created a 'Lunch' schedule that lasts from 12:00 - 03:00. John Doe is from the Mediterranean so he takes a very long lunch!
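
The conditions configured above (the User Set, a Domain Name Set versus a URL Set, and the 'Lunch' schedule) can be checked against each other with a small model. This is an added example, not part of the original article and not ISA Server code. Assumptions: the class and function names are hypothetical, the deny rule is simply not applied during the lunch window, and the 12:00 to 13:00 window is a constructed value.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    groups: frozenset      # security groups of the authenticated user
    host: str              # destination host name
    via_web_proxy: bool    # True when the client is configured to use the web proxy
    at: time               # local time of the request

@dataclass(frozen=True)
class DenyRule:
    element: str           # "domain_name_set" or "url_set"
    names: frozenset       # host names listed in the set
    user_set: frozenset    # groups the rule applies to
    off_from: time         # assumption: rule is not applied from here ...
    off_until: time        # ... until here (the lunch window)

def in_window(t, start, end):
    """True if start <= t < end, including windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def is_denied(rule, req):
    """Deny only when every condition of the rule matches the request."""
    if in_window(req.at, rule.off_from, rule.off_until):
        return False       # outside the rule's schedule
    if not (req.groups & rule.user_set):
        return False       # user is not in the rule's User Set
    if req.host.lower() not in rule.names:
        return False       # destination is not in the set
    if rule.element == "url_set" and not req.via_web_proxy:
        return False       # URL sets only control web proxy clients
    return True

if __name__ == "__main__":
    # Constructed sample: group and domain names from the article, times invented.
    group = frozenset({"SBS Restricted Internet Access"})
    site = frozenset({"www.smallbizserver.net"})
    lunch = (time(12, 0), time(13, 0))
    for element in ("domain_name_set", "url_set"):
        rule = DenyRule(element, site, group, *lunch)
        for proxy in (True, False):
            for at in (time(10, 0), time(12, 30)):
                req = Request(group, "www.smallbizserver.net", proxy, at)
                print(element, "proxy" if proxy else "direct", at, is_denied(rule, req))
```

Run directly, it prints the outcome for every combination; outside the lunch window the only request that gets through is the direct (non-proxy) one against the URL Set rule.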