When you define access rule on ISA Server, you usually cannot specify all websites that users will access because you don’t know what are they. The best solution is to allow users to access all the websites. Then, the problem comes. While they are working, some users now can access game sites or some may access social networking sites. This wastes both company resources and time. Therefore, you have to restricted those websites.On ISA Server, there is a Domain Name Set object which you can use to control access to a website. For example, if you don’t want users to access google.com, you create a Domain Name Set object with value *.google.com and add it to denied rule. This will blocks users from access entire google.com including its sub-domains such as maps.google, video.google, etc. Domain Name Set is applied to all clients type and all protocols which means it support SecureNAT, Web Proxy or Firewall client types and applied to any protocols that define in the rule.
This article show you how to create a denied access rule to restricted users from internal network to access some restricted websites such as facebook.com, myspace.com, hi5.com by using Domain Name Sets.
If you are new to ISA Server, I first recommend you read this series – Getting started with Microsoft ISA Server 2006.
Step-by-step to block websites using Domain Name Sets
- Suppose that I have already configured these access rule which allow DNS query and allow Internet access for all clients on the Internal network.
- Now I will create a new access rule to block some websites. Let’s name the rule as ‘Restricted WebSites‘.
- On Rule Action, select Deny and click Next.
- On Protocols, select All outbound traffic. Click Next.
- On Access Rule Sources, add Internal to the sources. Click Next.
- On Access Rule Destinations, I will create a new Domain Name Set’s object which contains a list of websites that I want to block. Click Add.
- On Add New Entities, select New -> Domain Name Set from drop-down menu.
- On New Domain Name Set Policy Element, set name to ‘Restricted WebSites‘ and add these websites to this set.
- *.facebook.com
- *.myspace.com
- *.hi5.com
Then, click OK.
Note: By adding ‘*‘ in front of the website name, it will include any sub-domain name of that website.
- You will see a new Domain Name Set’s object has been created.
- Add the ‘Restricted WebSites‘ object to the Access Rule Destinations and click Next.
- On User Sets, click Next.
- On Completing the New Access Rule Wizard, click Finish.
- Click Apply to save changes and update the configuration.
Note: Makes sure that the new access rule that you have created is on top or higher than the allow Internet access’s rule.
- These are completed access rules on this example.
- Let’s try to access www.facebook.com with SecureNAT’s client. Here is the result.
- Let’s try to access www.facebook.com with Web Proxy’s client. Here is the result.
- This is the log while access the blocked website.
Thanks, your the guy…..
nice… But some sites are not blocked…..any suggestions..?
Muchas gracias por este tutorial sufrio mucho para bloquear el maldito facebook
Thanks a lot. Any idea how to block by time period?
Hi, Mandume
You can configure time on each rule by double-click on an access rule and select Schedule tab. There, you can select which time you want the access rule to be active.
Dear Sir!
hope you are find and well, I create the Rule but I some Problem in deferent Browser, in some Browser that rule working but the only Mozilla Firefox browser is not working so what should I do for this browser
Thanks, your tips are straight forward and easy to follow
Dear Sir!
hope you are doing well, I need to Block the Youtube site Through ISA Server but I couldn’t I have all Ready made the Rule but it dose’nt worked so what should I Do?
Thank you,
I want to set time perid please!
thank.
Thank you for a very simple instruction.. its work wonderful
i can block any site except youtube any sugestion
Thanks a lot.
I need to Block sites on some users
Hi linglom , i need help regarding few things:
1. In ISA 2006 :How to block internet access of single domain users
2. In ISA 2006 :How to block downloading.
@ Tabish
You can block internet access of single domain users by blocking the user itself. Create a DENY rule for specific domain user, denying access to EXTERNAL network before allowing others.
You can block donwloading by specifying the extention to you firewall created rule. Right click the rule, select Configure HTTP, at the Extension Tab, add all the extension of the files you want to block.
I suggest, you can you use 3rd party program like GFI Webmonitor for more comprehensive blocking.
Hope this help.
Very great….
But.. may i know..why.. some of our employee can only access google.com only.
He is a member of an OU group.. then all the member of the group can access sites like facebook at its given time but why this certain user..can only access google.. can you help me?
Can you make a snapshot for your rule? Maybe there is something wrong with your rule…
Thanks,,
I got mistake adding his name in the rule..
When the user removed the check box in IE for the proxy server, he can access the all sites !!!!!!
Websites are not blocked when the proxy is applied, only when it is removed “unticked” Why!!!
Thank you dear for support.
I install TMG server 2010 with all the security patch and updates. I create some Rules from internal to custom URL Category Sets/ URL Sets/ Domain Set Names to Active Directory Users and Groups accounts. When I disable the “Allow Internet to all users†to test the newly creates policy, the internet not works after monitoring logs and report I find the followings Error message of handshake authentication. When I apply these URL Category Sets /URL Sets / Domain Set Names with deny rules its work fine but when I apply these category on allow rules it does not work.
Regards,
Imtiaz latif