8/6/2019 Using ISA 2004 Firewall Domain Name Sets to Control Internet Access
1/22
Using ISA 2004 Firewall Domain Name Sets to Control Internet Access
Strong user/group based inbound and outbound access control is one of
the key security features seen in true stateful application layer inspection
firewalls. Unlike simple stateful filtering firewalls, the stateful application
layer inspection firewall can make allow or deny decisions based on
application layer information, such as the name of the user or the user's
group membership, when evaluating an inbound or outbound request.
This article discusses how to use the ISA 2004 firewall's Domain Name
Sets feature to control outbound access and block forbidden sites.
Published: Jul 09, 2004
Updated: Sep 09, 2004
Section: Articles
Author: Thomas Shinder
Rating: 4.1/5 - 75 Votes
Using ISA 2004 Firewall Domain Name Sets to Control Internet Access
By Thomas W Shinder MD, MVP
Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000113
One of the more popular applications of the ISA 2004 firewall is to control what sites users can
access through the ISA firewall. For example, you might want to limit a group of users to a
specific collection of Web sites, while blocking access to all other sites. At the same time, you
might want other groups to have full access to all sites on the Internet.
2/20/2011 Using ISA 2004 Firewall Domain Name
isaserver.org//2004domainnamesets 1/
There are a number of ways this can be accomplished using ISA 2004 firewalls. In this article,
we'll focus on how to use the ISA 2004 firewall's Domain Name Sets feature to control access
to Internet servers. Domain Name Sets can be used by all ISA client types, including
SecureNAT, Web Proxy and Firewall clients. However, if you want to control access by user or
group, you need to configure the clients as Web Proxy or Firewall clients (or both).
Now I can hear you say "but I don't want to install the Firewall client and I don't want to
configure the browsers as Web Proxy clients". That's fine, but you'll have to go without user/group
based authentication. The reason is that there is no provision in the network or transport
layers (or any layer under layer 7) to send user credentials to the firewall. So, all firewalls that
perform user/group based authentication depend on a client "piece" to enforce authentication
requirements.
The good news is that it's fairly easy to automate provisioning for the Web Proxy and Firewall
clients, and to automate the installation of the Firewall client. Check out the ISA Server 2000
in Education Deployment Kit (http://isaserver.org/tutorials/isaedukit.html) for details on how
to automate these processes.
Domain Name Sets are used to control access to an entire site. For example, if you don't want
people going to any site in the cisco.com domain, then you create a Domain Name Set with the
entry *.cisco.com. If you didn't want anyone going to any site in the domain checkpoint.com,
then you would create a Domain Name Set entry for *.checkpoint.com. If you wanted to block
only a particular server in the cisco.com domain, you could create an entry like
www1.cisco.com, and that could be used to block access to the www1.cisco.com server, but
allow access to other servers on the cisco.com site.
An advantage of Domain Name Sets is that they apply to all protocols and all client types. In
contrast, URL Sets are only used for Web connections. These Web connections must be handled
by the Web proxy filter and include connections made using the HTTP, HTTPS and FTP (FTP from
machines explicitly configured as Web Proxy clients) protocols.
For example, we create a URL set with an entry news.cisco.com and create a rule blocking
connections to the site using any protocol. We then open the Outlook Express newsreader. The
connection will be allowed to the news.cisco.com NNTP server because the URL Set is only
evaluated for HTTP, HTTPS and HTTP tunneled (Web Proxy) FTP sessions.
WARNING:
It's critical that you understand the differences between the functionality provided by
Domain Name Sets and URL Sets. Remember that Domain Name Sets can be used to
control access for all protocols and all client types. URL Sets control access for clients
establishing a connection via the Web Proxy filter.
In this article we'll take a look at two examples that demonstrate how to use ISA 2004 firewall
Domain Name Sets:
A simple scenario, where we create a Domain Name Set for a list of blocked sites for all
users
A less simple scenario, where you want to allow a group of users access to a selected
group of sites, but want to block access to all other sites for all protocols
Before we get into the scenarios, let's examine the basic network infrastructure used in our
example.
The Lab Network
The figure below shows the IP addressing information, the operating system and the salient
services running on each machine participating in our lab network.
The domain controller on the protected network behind the ISA 2004 firewall is also a DNS
resolver for the network. The DNS resolver can resolve names for internal network clients and
can also resolve names for Internet hosts. If the DNS root hints file is primed correctly on the
DNS server on the DC, then you'll be able to resolve Internet host names too using the same
DNS server as that used to resolve internal network host names. Note that this is not my
preferred configuration. I prefer the DNS server on the internal network to use a DNS forwarder
that is under my control (such as a caching-only DNS server on the ISA firewall itself, or a
caching-only forwarder on a DMZ segment). But to keep things simple in our current discussion,
we'll allow the DNS server on the Internal network domain controller to perform recursion to
resolve Internet host names.
NOTE:
Depending on how you configured the DNS server, you may or may not have a "primed"
(ready) Root Hints file. Check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;249868
for information on fixing the problem.
The ISA 2004 firewall is a member of the internal network domain. We make this machine a
member of the Internal network domain so that we can use the Active Directory user database
to authenticate Firewall and Web Proxy client users. The ISA 2004 firewall must be a member of
the Internal network domain to authenticate domain users that are Firewall clients. The ISA
2004 firewall does not need to be a member of the domain if you only want to authenticate Web
Proxy clients. In the case of Web Proxy clients, you can use RADIUS to authenticate domain
users. Full details on configuring RADIUS for Web Proxy clients are included in Tom and Deb
Shinder's Configuring ISA Server 2004.
In the current example, the ISA 2004 firewall is a bastion host because it has a network
interface on an external, untrusted network. In general, I do not like a bastion host to be a
member of the domain. A better solution is to put an ISA 2004 firewall that is not a domain
member in front of the ISA 2004 firewall that is a domain member. This creates a back-to-back
ISA 2004 firewall configuration and provides a very high level of protection for the Internal
network. While it's unlikely that the domain member ISA firewall will ever be compromised, the
possibility always exists. The front-end firewall in this configuration provides a high level of
security and better "peace of mind".
NOTE:
In order to obtain a very high level of protection for your back-end ISA firewall, it's
important to have more than a stateful filtering firewall in front of the back-end ISA
firewall. This is why I prefer to use an ISA 2004 firewall in front of the back-end ISA
2004 firewall. A basic stateful packet filtering firewall, like PIX or Netscreen, performs
only stateful filtering but is unable to perform both stateful filtering and stateful
application layer inspection. A simple stateful filtering firewall provides only nominal
protection for the services located on the DMZ segment between the front-end firewall
and the domain member ISA firewall, and the stateful filtering device provides little or no
protection for the back end ISA firewall. For details on these issues, check out ISA
Firewall Fairy Tales - What Hardware Firewall Vendors Don't Want You to Know
at http://isaserver.org/articles/2004tales.html
The Windows XP client machine on the ISA 2004 protected network is configured as a Web
Proxy, Firewall and SecureNAT client. The SecureNAT client configuration will apply to the first
scenario we cover in this article where we block a group of sites to everyone. The Web Proxy
and Firewall client configuration applies to the second example, where we block and allow sites
based on group membership.
In general, all Windows clients should be configured as both Web Proxy and Firewall clients.
They should be configured as SecureNAT clients only if you require SecureNAT functionality
(e.g., if the machine needs PPTP or ICMP access). The exceptions to this rule are network
servers, such as DHCP, DNS, Active Directory, Certificate, RADIUS, SQL, SharePoint and just
about any other network server you can think of. These servers should never be configured as
Firewall clients, although feel free to configure them as Web Proxy or SecureNAT clients if you
have a reason to do so.
I have done some very basic configuration of the ISA 2004 firewall in advance. The firewall rule
set includes a DNS server Access Rule that allows all clients outbound access to the DNS
protocol from the Internal network to the External network. You can lock this down a bit by
allowing only the DNS server outbound access to the DNS protocol. I have also created an "all
open" rule that allows outbound access to all protocols to all users from the Internal network to
the External network. We'll look at the effect of the rule order in each of the scenarios covered
here.
Scenario 1: Blocking Servers for All Users using Domain Name Sets
In the first example, we create a rule that blocks all users from accessing all servers in the
cisco.com, checkpoint.com and sonicwall.com domains. User authentication is not required
because this rule will apply to all users.
There are a couple of ways we can approach creating this deny rule. One way is to create the
Domain Name Set first and then create the Access Rule. That's how we used to do things with
ISA Server 2000 firewalls. The problem with this approach is that 9 times out of 10, I would
forget to create the Destination Set before trying to create the rule. In contrast, the ISA 2004
firewall allows us to create rule elements "on the fly", so we don't need to create these elements
in advance.
Perform the following steps to create the Deny Access Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management
console, expand the server name and then click the Firewall Policy node.
2. Click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access
Rule link.
3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In
this example, we'll name the rule Block Forbidden Sites. Click Next.
4. On the Rule Action page, select the Deny option and click Next.
5. On the Protocols page, select the default option All outbound traffic and click Next.
6. On the Access Rule Sources page, click the Add button.
7. In the Add Network Entities dialog box, click the Networks folder and then double
click Internal. Click Close.
8. Click Next on the Access Rule Sources page.
9. On the Access Rule Destinations page, click the Add button.
10. In the Add Network Entities dialog box, click the New menu and then click Domain
Name Set.
11. In the New Domain Name Set dialog box, enter in the Name text box Forbidden
Sites. Click the New button. Enter *.cisco.com and press ENTER. Click the New button
again and enter *.checkpoint.com and press ENTER. Click the New button one more
time and enter *.sonicwall.com and press ENTER. Click OK.
12. In the Add Network Entities dialog box, click the Domain Name Sets folder and then
double click the Forbidden Sites entry. Click Close.
13. Click Next on the Access Rule Destinations page.
14. On the User Sets page, accept the default entry All Users and click Next.
15. Click Finish on the Completing the New Access Rule Wizard page.
16. Move the Forbidden Sites rule to the top of the list. The rule set now looks like that in
the figure below.
17. Click Apply to save the changes and update the firewall policy.
18. Click OK in the Apply New Configuration dialog box.
The first rule will block connections from any host, using any protocol, to the forbidden sites.
The second rule allows all hosts on the Internal network to access DNS servers on the Internet,
and the third rule allows all users access to all sites on the Internet using any protocol. ISA
2004 firewalls evaluate connections from the top down and the first rule to match the
connection's parameters is applied. Well, almost. Rules that apply to authenticated users are
also applied to unauthenticated users, so there's sort of an implicit "unauthenticated users"
group. We'll examine this issue in more detail later in this article.
Now let's test the connection. We'll go to the Windows XP machine on the Internal network and
try to connect to the www.cisco.com Web site using Internet Explorer. Remember,
Internet Explorer is configured as a Web Proxy client (actually, it's using the default
configuration, which is to autodetect the proxy, and we've configured the required wpad entries
to make this work). The figure below shows what the user sees when trying to access a
forbidden site.
When we check out the connection in the ISA 2004 firewall's log viewer, we can see that the
Block Forbidden Sites rule denied the connection attempt to the site.
Next, let's see what happens when we try to access a forbidden site using a non-Web protocol.
We can simulate such a connection using the Telnet command. Open a Command Prompt and at
the Command Prompt, enter telnet news.cisco.com 119 and press ENTER. You'll see an error
message indicating that the connection failed.
If we go to the ISA 2004 firewall's log viewer, we can see that the Block Forbidden Sites rule
denied the connection attempt to TCP port 119. Note the question mark to the right of the user
name, Administrator. If you want to know what the question mark means, make sure to grab
a copy of our ISA 2004 firewall book, Tom and Deb Shinder's Configuring ISA Server 2004.
Scenario 2: Limiting a Group of Users to a Collection of Sites
In this scenario, we will create a group called TEMPS and place user accounts of users who are
temporary workers in that group. In this example, we have created a global security group
called TEMPS and have created a user named Temp1. We then placed user Temp1 in the
TEMPS Global Group. This prepares us for the ISA 2004 firewall configuration steps.
In the following procedure, we will create a rule that blocks the TEMPS group from accessing
the Internet, with the exception of the microsoft.com, isaserver.org, and msexchange.org sites.
In this example we will allow the members of the TEMPS group access to all protocols when
accessing these sites. If we wanted, we could limit these users to just the HTTP and HTTPS
protocols. These three sites contain all the information required by the users in the TEMPS
group. All other authenticated users will have access to all Internet sites by virtue of an "all
open" authenticated users outbound access rule.
Perform the following steps to create the Deny rule that denies members of the TEMPS group
access to all sites except the allowed sites:
1. In the Microsoft Internet Security and Acceleration Server 2004 management
console, expand the server name and then click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab on the Task Pane. Click the Create a
New Access Rule link.
3. On the Create a New Access Rule Wizard page, enter a name for the rule in the
Access Rule name text box. In this example, we'll call this rule Block TEMPS Except
TEMPS Sites. Click Next.
4. On the Rule Action page, select the Deny option and click Next.
5. On the Protocols page, select the All outbound traffic option in the This rule applies
to list and click Next.
6. On the Access Rule Sources page, click the Add button.
7. In the Add Network Entities dialog box, click the Networks folder and double click the
Internal network. Click Close.
8. On the Access Rule Destinations page, click the Add button.
9. In the Add Network Entities dialog box, click the Networks folder and double click the
External network.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, click the Add button. In the Add Users dialog box, click the
New menu.
12. On the Welcome to the New User Sets page, enter a name for the firewall group in
the User set name text box. In this example, we'll name the group TEMPS Access.
Firewall groups allow you to group users based on firewall requirements, not Active
Directory requirements. ISA 2004 Firewall Groups allow you to group users and do
not require you to be a member of the domain admins group. Click Next.
13. On the Users page, click the Add button. In the fly-out menu, click the Windows users
and groups option.
14. In the Select Users or Groups dialog box, click the Locations button and select the
Entire Directory option. In the Enter the object names to select text box, enter
TEMPS and click the Check Names button. The Temps entry will become underlined.
Click OK.
15. Click Next on the Users page.
16. Click Finish on the Completing the New User Set Wizard page.
17. In the Add Users dialog box, double click on the TEMPS Access Firewall Group. Click
Close.
18. On the User Sets page, click the All Users entry in the This rule applies to requests
from the following user sets list and click the Remove button. Click Next.
19. Click Finish on the Completing the New Access Rule Wizard page.
20. In the Firewall Policy list in the details pane, double click the Block Temps Except
Temps Sites rule.
21. In the Block Temps Except Temps Sites Properties dialog box, click the To tab.
22. On the To tab, click the Add button in the Exceptions section.
23. In the Add Network Entities dialog box, click the New menu and then click the
Domain Name Set command.
24. In the New Domain Name Set Policy Element dialog box, enter TEMPS Allowed in
the Name text box. Click the New button. Enter *.microsoft.com and press ENTER.
Click the New button again. Enter *.isaserver.org and press ENTER. Click the New
button one more time. Enter *.msexchange.org. Click OK.
25. In the Add Network Entities dialog box, click the Domain Name Sets folder and then
double click on the TEMPS Allowed entry. Click Close.
26. Click Apply and then click OK in the Block Temps Except Temps Sites Properties
dialog box.
27. Move the DNS outbound Access Rule to the top of the firewall policy list, and make the
Block Temps Except Temps Sites rule second on the list, as it appears in the figure
below. You might wonder why we need to do this. The reason is that although the
condition on the Block Temps Except Temps Sites rule indicates that the rule only
applies to the TEMPS group, the fact is that it also applies to any unauthenticated
connections. However, the rule has more far-reaching effects than just blocking access to
whatever is listed in the To column. If the first rule matching the connection's
parameters requires authentication, and the user is unable to authenticate, then the
connection is DENIED, even though the connection was not initiated by a user in the
Firewall Group for which the Rule was intended. Make sure you understand that last
statement. Again, if there is a rule that applies to the connection by matching the
connection's characteristics, but the user is unable to authenticate, then the connection
is DENIED. This is why we need to put the DNS access rule before the Block Temps
Except Temps Sites rule. If we put the DNS access rule after the Block Temps rule,
then the connection would match the Protocol, the From and the To for the Block
Temps Except Temps Sites rule, and the connection would be denied, even though it's
an anonymous access attempt and not an attempt from a member of the TEMPS Access
group. For this reason, I recommend that you put your anonymous allow rules before any
authenticated deny rules (by anonymous rule I mean any rule that applies to all users).
I promise that you will have trouble with this, and hopefully this rule matching model will
change either with a service pack or a "dot" upgrade to the ISA 2004 firewall software.
Whenever I make a rule that denies a group access to all sites except for a small collection of
sites, I like to make a rule that explicitly allows them access to the allowed sites. This helps
keep things organized and doesn't require that you depend on an "all open" rule or some other
rule that provides them access to the required sites.
Perform the following steps to create the rule that allows the TEMPS group access to the TEMPS Allowed Domain Name Set:
1. In the Microsoft Internet Security and Acceleration Server 2004 management
console, click the Firewall Policy node and then click the Tasks tab on the Task Pane.
Click the Create a New Access Rule link.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in
the Access Rule name text box. In this example, we'll name the rule Allow TEMPS to
TEMPS Allowed. Click Next.
3. On the Rule Action page, select the Allow option and click Next.
4. On the Protocols page, select the Selected protocols option in the This rule applies
to list and then click the Add button.
5. In the Add Protocols dialog box, click the Common Protocols folder and then double click on the HTTP and HTTPS protocols. Click Close.
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click the Add button.
8. In the Add Network Entities dialog box, click the Networks folder and double click
Internal. Click Close.
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click the Add button.
11. In the Add Network Entities dialog box, click the Domain Name Sets folder. Double
click on the TEMPS Allowed entry and click Close.
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
14. In the Add Users dialog box, double click on the TEMPS Access Firewall Group and
click Close.
15. Click Next on the User Sets page.
16. Click Finish on the Completing the New Access Rule Wizard page.
Now we'll make one more change. Instead of an "all open" rule that applies to all users, we'll
change the "all open" rule we made before starting this exercise so that it applies to all
authenticated users except for members of the TEMPS Access group. This will prevent the
members of the TEMPS Access Firewall Group from using the anonymous "all open" rule to
access sites outside of those we want them to access.
I should note that this is not strictly required, as the Block Temps Except Temps Sites rule
should block all access from members of the TEMPS Access Firewall Group to sites and
protocols outside of those explicitly allowed. However, I do recommend the
approach we use here as it prevents you from getting into trouble by having groups
"inadvertently" use a rule to access content they should not have otherwise accessed.
Perform the following steps to change the "all open" rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management
console, click on the Firewall Policy node.
2. Click the Toolbox tab in the Task Pane. On the Toolbox tab, click the Users entry
beneath it.
3. Drag the All Authenticated Users entry from the list of Users to the Condition column
for the All Open rule and then release the left mouse button. Click the Include
command in the menu that appears.
4. In the Users list, drag the TEMPS Access Firewall Group to the same location. This
time, click the Exclude command.
5. Next, right click the All Users entry for the All Open rule and click Remove.
6. Click Apply to save the changes and update the firewall policy.
7. Click OK in the Apply New Configuration dialog box.
8. Your firewall policy should look like the figure below.
The first rule allows all hosts on the Internal network access to DNS servers on the Internet.
This is an anonymous access rule, so no host needs to authenticate to match this rule.
The second rule, Block Temps Except Temps Sites, denies all outbound protocols from
Internal network clients to the Internet if they belong to the TEMPS Access Firewall Group, and
also if they are not able to authenticate. Again, there is no reason to expect that unauthenticated
users should be denied, but they are. If a rule requires a user to authenticate and the user is
unable to authenticate (is acting as a SecureNAT client), then the connection is denied. Go
figure.
The third rule, Allow TEMPS to TEMPS Allowed, allows members of the TEMPS Access
Firewall Group located on the Internal network access to only the HTTP and HTTPS protocols to
sites in the TEMPS Allowed Domain Name Set. This rule does not allow access to other sites,
and does not allow access to other protocols when members of the TEMPS Access Firewall Group
connect to the allowed sites.
The last rule, All Open, allows all authenticated users access to all sites using all protocols,
except for users in the TEMPS Access group. This rule provides for outbound "all open" for
authenticated users while preventing members of the TEMPS Access Firewall Group from using
this rule to access other sites.
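The evaluation model described in both scenarios (top-down, first match wins; Domain Name Set wildcards; exceptions on the To tab; and a rule that requires authentication denying a connection the client cannot authenticate, which is why the anonymous DNS rule must sit above Block Temps), worked through as an added Python illustration. This is not ISA Server code and not code from the article; rule, group and Domain Name Set names are the ones the article uses, while the built-in "Default rule" as the final deny and the assumption that *.cisco.com does not cover the bare name cisco.com are my own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added model of ISA 2004 outbound Access Rule evaluation against Domain Name Sets.
# Not ISA code: the ordering rule and the "unauthenticated connection matching an
# authenticated rule is denied" behaviour are taken from the article's description.


def domain_matches(entry: str, host: str) -> bool:
    """Match one Domain Name Set entry against a destination host name.

    '*.cisco.com' covers every host under cisco.com (news.cisco.com, www1.cisco.com, ...);
    a plain entry such as 'www1.cisco.com' covers only that host. Assumption: the wildcard
    does not cover the bare name 'cisco.com' itself; add a plain entry if you need it."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])          # entry[1:] is ".cisco.com"
    return host == entry


@dataclass
class Rule:
    name: str
    action: str                                            # "allow" or "deny"
    protocols: Optional[set] = None                        # None = "All outbound traffic"
    to: set = field(default_factory=lambda: {"External"})  # network or Domain Name Set entries
    exceptions: set = field(default_factory=set)           # Exceptions section of the To tab
    users: Optional[set] = None                            # None = All Users (no authentication)
    excluded: set = field(default_factory=set)             # user sets excluded in the Condition column


@dataclass
class Connection:
    host: str
    protocol: str
    groups: Optional[set] = None   # None = SecureNAT / unauthenticated; else the user's Firewall Groups


def destination_matches(rule: Rule, host: str) -> bool:
    # Lab simplification: every destination in these scenarios lies on the External network.
    hit = "External" in rule.to or any(domain_matches(e, host) for e in rule.to)
    return hit and not any(domain_matches(e, host) for e in rule.exceptions)


def evaluate(policy: list, conn: Connection) -> tuple:
    """Walk the policy top-down; the first rule matching the connection decides."""
    for rule in policy:
        if rule.protocols is not None and conn.protocol not in rule.protocols:
            continue
        if not destination_matches(rule, conn.host):
            continue
        if rule.users is None:                       # All Users: anonymous or authenticated alike
            return rule.action, rule.name
        if conn.groups is None:                      # rule needs credentials the client cannot supply
            return "deny", rule.name + " (unauthenticated)"
        if conn.groups & rule.excluded:              # user set excluded from this rule
            continue
        if "All Authenticated Users" in rule.users or conn.groups & rule.users:
            return rule.action, rule.name
        # authenticated but not in this rule's user set: try the next rule
    return "deny", "Default rule"                    # assumption: built-in last rule denies all


FORBIDDEN = {"*.cisco.com", "*.checkpoint.com", "*.sonicwall.com"}
TEMPS_ALLOWED = {"*.microsoft.com", "*.isaserver.org", "*.msexchange.org"}

# Scenario 1: the three rules in the order the article leaves them.
SCENARIO_1 = [
    Rule("Block Forbidden Sites", "deny", to=FORBIDDEN),
    Rule("DNS", "allow", protocols={"DNS"}),
    Rule("All Open", "allow"),
]

# Scenario 2: the final four-rule policy, anonymous DNS allow first.
SCENARIO_2 = [
    Rule("DNS", "allow", protocols={"DNS"}),
    Rule("Block Temps Except Temps Sites", "deny", exceptions=TEMPS_ALLOWED, users={"TEMPS Access"}),
    Rule("Allow TEMPS to TEMPS Allowed", "allow", protocols={"HTTP", "HTTPS"},
         to=TEMPS_ALLOWED, users={"TEMPS Access"}),
    Rule("All Open", "allow", users={"All Authenticated Users"}, excluded={"TEMPS Access"}),
]

# The ordering mistake step 27 warns about: DNS rule below the Block Temps rule.
SCENARIO_2_WRONG_ORDER = [SCENARIO_2[1], SCENARIO_2[0]] + SCENARIO_2[2:]

TEMP1 = {"TEMPS Access"}       # Temp1's Firewall Group membership
ADMIN = {"Domain Admins"}      # a domain admin, not in TEMPS Access

if __name__ == "__main__":
    print(evaluate(SCENARIO_1, Connection("news.cisco.com", "NNTP")))
    print(evaluate(SCENARIO_2, Connection("www.msn.com", "HTTP", TEMP1)))
    print(evaluate(SCENARIO_2, Connection("a.root-servers.net", "DNS")))
    print(evaluate(SCENARIO_2_WRONG_ORDER, Connection("a.root-servers.net", "DNS")))
```

The last two calls show the point of step 27: the same anonymous DNS query is allowed by the DNS rule in the correct order and denied by Block Temps Except Temps Sites when the rules are swapped.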
Let's test this rule set by logging onto the Windows XP machine as a domain admin. Domain
admins are not members of the TEMPS Access group, so they would fit into the groups All
Users and Authenticated Users if they are using the Web Proxy and/or Firewall client
configuration. Since the Windows XP machine is a Firewall and Web Proxy client, all TCP and UDP
connections will be authenticated.
Open Internet Explorer and go to www.isaserver.org. You should get to the Web site
successfully because the All Open rule allowed the connection, as seen in the figure below. Try
other sites, like www.msexchange.org and www.windowsecurity.com. You will be able to connect
to each of these sites because you are able to use the All Open rule to connect to them.
Log off of the Windows XP machine and log on as Temp1, who is a member of the TEMPS Global
Group and a member of the TEMPS Access Firewall Group.
Open Internet Explorer and go to www.msn.com. You should see what appears in the figure
below.
Now try to go to www.isaserver.org. You'll be able to access the ISAServer.org home page. The
log file entries look like what you see in the figure below.
However, this doesn't mean this user has free rein over ISAServer.org Web sites. Remember,
we limited users of the TEMPS Access Firewall Group to only the HTTP and HTTPS protocols. To
test this, let's do the NNTP test again using Telnet from the Command Prompt.
Open a Command Prompt on the Windows XP client and enter telnet www.isaserver.org 119
and press ENTER. You'll receive an error indicating that the connection failed. If you look in the
ISA 2004 firewall's log file viewer, you'll see a line like that in the figure below.
Summary
In this article we examined two scenarios where you can use Domain Name Sets to control
outbound access through the ISA 2004 firewall. In the first scenario, we saw how we can create
a deny rule that blocks specific sites for all users. In the second scenario, we saw how you can
create Access Rules that allow a group of users access to a collection of sites using specific
protocols and deny access to sites and protocols outside of those explicitly allowed. Domain
Name Sets are a powerful tool that allow you to lock down SecureNAT, Web Proxy and Firewall
clients with a minimum of effort. When combined with the principle of least privilege, your ISA
firewall can provide a higher level of security than any other firewall on the market today.
I hope you enjoyed this article and found something in it that you can apply to your own
network. If you have any questions on anything I discussed in this article, head on over to
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000113 and post a message.
I'll be informed of your post and will answer your questions ASAP. Thanks! Tom
About Thomas Shinder
Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a
technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in
development and implementation of IP-based communications strategies for major
firms such as Xerox, Lucent and FINA.
ISAserver.org is in no way affiliated with Microsoft Corp.
Copyright 2011 TechGenix Ltd. All rights reserved.