Part I: Installation
Introduction
Step-by-step
2. Click Next.
8. Click Install.
Answer: For the external interface, the IP address should be in the same network as the router: the same subnet as the router, the gateway pointing to the router’s IP address, and DNS set to the ISP’s DNS.
Network Topology
From Part I, you have finished installing ISA Server 2006. Before using the server, you need to do some configuration first. On the Getting Started with ISA Server 2006 page in ISA Server Management, there are 5 steps for setting up ISA Server, as shown in the figure below.
3-Leg Perimeter
This is a standard network topology for medium to large organizations. Compared to the Edge Firewall template, there is an additional network, the perimeter network, attached to the ISA Server. The perimeter network or DMZ (Demilitarized Zone) is a less secure network for serving a Web server, E-Mail server, DNS server, etc., so that Internet users can access these services without access to the internal network. The ISA Server needs 3 network interfaces.
Front Firewall
This is a network topology for organizations where security is a high priority. In this case, there is more than 1 firewall server. When a hacker attacks the server and one fails, there is still a back firewall to protect your internal network. In this template, ISA Server will act as the front firewall server between the Internet and the perimeter network, and it needs 2 network interfaces.
Back Firewall
Note: For the Front and Back Firewall templates, you have more than one firewall server. It is best practice to use different firewall software, or a hardware firewall together with a software firewall, rather than the same product on front and back. If a hacker can compromise the front firewall, you still have the back firewall, which the hacker can’t attack with the same technique.
Step-by-step
This example will configure ISA Server 2006 using the Edge Firewall template.
1. Open ISA Server Management.
1) In the left window, expand Configuration and select Networks.
2) In the right window, select the Templates tab.
3) Click on the Edge Firewall template. The Network Template Wizard window appears.
2. Click Next.
Step-by-step
Next, I will create a new web access rule for all users in the internal network to access the Internet (external network) with only the HTTP (port 80) and HTTPS (port 443) protocols.
6. Again, don’t forget to apply your settings on ISA Server for them to take effect. Click Apply.
Question: How can I password protect a user from entering an IP address in Internet Options, Connections, and LAN settings?
Answer: The best way is to use Group Policy to restrict users from modifying settings. Here are the steps to disable tabs in Internet Options using Group Policy:
1. Click the Start button. Type “gpedit.msc” into the Search box and press Enter.
2. In Local Group Policy Editor, expand User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer and click on Internet Control Panel.
3. On the right side, you see policies that you can configure. If you want to stop users editing LAN Settings, you have to disable the Connections page. Double-click on the Disable the Connections page policy and change the setting from Not Configured to Disabled.
1. SecureNAT client
To configure a SecureNAT client, only change the gateway in the network properties to the ISA Server:
○ On Network Properties, select Internet Protocol (TCP/IP) and click Properties.
○ On Internet Protocol (TCP/IP) Properties, change the default gateway IP address to the ISA Server.
2. Firewall client
○ Download the Firewall Client for ISA Server at Microsoft or here – Microsoft Firewall Client.
Question: I have set up ISA 2006 Standard according to your guideline and it works fine. My ISA is on a domain and it has been installed as a member server. I want all users of Active Directory to authenticate when they want to connect to online services. Is it possible to ask them to authenticate by web form so that I can monitor every user?
Answer: It is inferred that users in Active Directory are already authenticated when they’re logged in to the domain, so it is unnecessary to make them authenticate again when they want to use the Internet. And ISA Server has a logging system to log all traffic passing in/out, so you can view which users are using the Internet and which websites they surf.
From Part I to IV, you have finished the simple configurations on Microsoft ISA Server 2006 to make it work in your network. But ISA Server can do a lot more than that. Another benefit of ISA Server is that it can filter HTTP traffic. If you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent, web mail, disallow posting on web boards, etc. by allowing or blocking HTTP traffic using the HTTP filter. I think most readers may not be familiar with what HTTP traffic looks like, so let’s look at HTTP traffic in the next section.
Note: This topic isn’t required in order to run ISA Server; Part I to IV is sufficient. But this topic will benefit most organizations by improving security.
HTTP Traffic
HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (by default on port 80), which is the protocol used by most applications. On each HTTP connection, there is header information about the client that is sent to the server, or from the server to the client. This information includes the Request Method (GET, POST, etc.), HTTP Version (1.0, 1.1, 1.2), User-Agent (Mozilla/4.0, Firefox, etc.), Content-Type (application/xml, image/jpeg, text/xml, etc.), and so on. I will not go into deep detail about the HTTP protocol; if you want more information, you can find it at Wikipedia – HTTP. With this header information, ISA Server can filter HTTP traffic to allow or block a specific application or kind of traffic.
To see some samples of HTTP traffic, you can use a sniffer program to capture each data packet that passes in/out of a computer. The popular one is Ethereal. I have installed Ethereal on a computer which is running a web server. Let’s see the different examples of HTTP header information below.
When the client sends a request to the web server using the Internet Explorer browser to http://bkkexternal (bkkexternal is the computer that runs the web server):
Detail: The request method is GET. The URI is /. The User-Agent is Mozilla (compatible: MSIE 6.0).
Note: “\r\n” marks the end of each line; it is a carriage return followed by a line feed.
Configurations
To configure the HTTP filter, you need to know which attribute and value need to be configured. In this post, I will show only the following:
1. Block a specific browser: Firefox.
2. Block MSN Messenger, Windows Live Messenger.
3. Block downloading .torrent files.
4. Block AOL Messenger.
5. Block Yahoo Messenger.
6. Block Kazaa.
7. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
8. Block posting on web boards.
Step-by-step
1. Open the Microsoft ISA Server Management Console.
2. Right-click on the rule on which the HTTP filter is being configured -> select Configure HTTP.
3.
8. Block Kazaa.
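The following Python example is added here (it is not from the original post) to show how the header attributes described above turn into filter decisions: it parses a constructed raw HTTP request of the kind Ethereal would capture and evaluates it against a small policy modelled on the list above (a blocked POST method, a blocked .torrent extension, and User-Agent signatures for Firefox and msnmsgr.exe). The policy classes and the case-insensitive substring matching are my assumptions for the model, not ISA Server’s implementation.

```python
"""Toy model of the ISA Server HTTP filter, written as an added example.

It parses a raw HTTP request (CRLF-terminated header lines, as seen in a
packet capture) and applies policy of the kinds listed in the post: a
blocked request method, blocked URI extensions, and signatures searched in
a request header, the request URL or the request body. How rules are stored
and matched here is an assumption for this example, not ISA's internals.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_http_request(raw: bytes) -> HttpRequest:
    """Split the request at the CRLF that ends each header line; a blank
    line separates the headers from the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers, body.decode("latin-1"))


@dataclass
class SignatureRule:
    name: str
    search_in: str               # "request_headers", "request_url" or "request_body"
    signature: str
    header: Optional[str] = None  # header name when search_in == "request_headers"


@dataclass
class HttpPolicy:
    blocked_methods: Tuple[str, ...] = ()
    blocked_extensions: Tuple[str, ...] = ()
    signatures: List[SignatureRule] = field(default_factory=list)

    def evaluate(self, req: HttpRequest) -> Tuple[bool, str]:
        """Return (allowed, reason); the first blocking rule wins."""
        if req.method.upper() in self.blocked_methods:
            return False, f"method {req.method} blocked"
        path = urlsplit(req.uri).path.lower()
        for ext in self.blocked_extensions:
            if path.endswith(ext.lower()):
                return False, f"extension {ext} blocked"
        for rule in self.signatures:
            if rule.search_in == "request_headers":
                haystack = req.headers.get((rule.header or "").lower(), "")
            elif rule.search_in == "request_url":
                haystack = req.uri
            else:
                haystack = req.body
            # Modelled as a case-insensitive substring search (assumption).
            if rule.signature.lower() in haystack.lower():
                return False, f"signature '{rule.name}' matched"
        return True, "allowed"


# Policy modelled on the post's list: block Firefox by User-Agent, block
# .torrent downloads, block the msnmsgr.exe signature, block board posts.
POLICY = HttpPolicy(
    blocked_methods=("POST",),
    blocked_extensions=(".torrent",),
    signatures=[
        SignatureRule("Block Firefox", "request_headers", "Firefox", "User-Agent"),
        SignatureRule("Block MSN Messenger", "request_headers", "msnmsgr.exe", "User-Agent"),
    ],
)

# Constructed sample requests for the demo (not real captures).
SAMPLES = {
    "ie_home": b"GET / HTTP/1.1\r\nHost: bkkexternal\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "firefox": b"GET /index.html HTTP/1.1\r\nHost: bkkexternal\r\n"
               b"User-Agent: Mozilla/5.0 (Windows; rv:1.8) Gecko Firefox/1.5\r\n\r\n",
    "torrent": b"GET /files/linux.torrent HTTP/1.1\r\nHost: bkkexternal\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    "board_post": b"POST /board/post.php HTTP/1.1\r\nHost: bkkexternal\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 10\r\n\r\nsubject=hi",
}


def evaluate_samples(policy: HttpPolicy = POLICY) -> Dict[str, Tuple[bool, str]]:
    """Parse every sample request and return the policy decision for each."""
    return {name: policy.evaluate(parse_http_request(raw)) for name, raw in SAMPLES.items()}
```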
Figure 1
In this two part article series we will go through the procedures required to create an L2TP/IPSec site-to-site link between two ISA Server 2006 firewall machines. The ISALOCAL machine will simulate the Main Office firewall, and the ISA2005BRANCH will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site link and both computer certificates and pre-shared keys to support the IPSec encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Create the Remote Network at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Activate the Site-to-Site Links
The lab network includes two ISA firewalls, one at the main office and one at the branch office, a domain controller
that is also running Exchange 2003, and a client machine located behind the branch office ISA firewall, which in this
case is Windows Server 2003 SP1. The figure below depicts the machines in this article and their IP addresses.
Figure 2
Note: It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST machine are DHCP servers. This is required to provide the Routing and Remote Access Service with IP addresses to assign to the calling VPN gateways. If your network does not have a DHCP server, you can use static address pools configured on each of the ISA Server 2006 firewall/VPN gateways. I prefer to use DHCP because it will make it easier to assign on-subnet addresses to the VPN gateways’ virtual interfaces.
In this article I will not go through the process of deploying certificates and will use a pre-shared key for our
L2TP/IPSec site to site VPN connection. I should note here that this is not a best practice and that you should use
certificates for machine authentication for your site to site VPNs. There are a number of methods you can use to obtain
and install machine certificates and I have gone through this procedure many times on the ISAserver.org Web site.
For a comprehensive review of how to obtain and install machine certificates for ISA firewalls in a site to site VPN
scenario, I highly recommend that you check out the ISA Server 2000 VPN deployment kit. While the ISA firewall
configuration is quite different, the certificate deployment issues remain unchanged. Check out the ISA Server 2000
VPN Deployment Kit.
Figure 4
The VPN protocol options offered by the wizard include IP Security protocol (IPSec Tunnel Mode) and Layer Two Tunneling Protocol (L2TP) over IPSec.
Figure 6
The user account must have the same name as the Remote Site Network we’re creating, and that’s defined by the name we included on the first page of the wizard. In this example, we named the site to site Network connection Branch, so the user account we create on the main office ISA firewall must also have the name Branch, and we will need to enable dial-up access for that account. We’ll go through the details of creating that account later in this article. Click OK.
6. On the Connection Owner page you select which machine in the array should be the connection owner for this site to site VPN connection. This option is only seen in ISA Enterprise Edition and not in Standard Edition. If you have NLB enabled on the array, then you don’t need to manually assign the connection owner, as the integrated NLB process will automatically assign a connection owner when NLB is enabled on the array.
Figure 7
In this example we are not using NLB on the main office array (I’ll do another article on how to do that in the future), and there is only one member of our main office ISA firewall Enterprise Edition array. So we’ll use the default entry, which is the name of the ISA firewall at the main office, and click Next. (Note, the name of the server in the graphic suggests that this machine is Standard Edition, but it is in fact Enterprise Edition.)
7. On the Remote Site Gateway page, enter the IP address or FQDN representing the external interface of the remote ISA Server 2006 firewall machine. Note that this is a new feature in the 2006 ISA firewall, in that before you could not use an FQDN. This is helpful as many branch offices must use dynamic addresses, and so the only way to reliably connect to the branch office was via a DDNS service.
Figure 11
We’re not running NLB at the branch office, so we’ll remove the checkmark from The remote site is enabled for Network Load Balancing. In a future article I’ll show you how to create site to site VPNs with the NLB feature enabled. Click Next.
13. On the Site to Site Network Rule page you can configure a Network Rule that connects the main and branch office ISA firewall Networks. Remember, the ISA firewall requires that you always have a Network Rule to connect ISA firewall Networks to each other. Even if you create the Networks and create Access Rules, the connections will not work until you create a Network Rule.
The new ISA firewall fixes a problem that people had when creating site to site VPNs with ISA 2004, in that most people forgot or didn’t know that they needed a Network Rule in order for it to work. The 2006 ISA firewall will ask you if you want to create the Network Rule while still in the wizard, which is a nice convenience and great usability improvement. It’s clear that the ISA firewall’s development team are a lot more mindful of ease of use than the Exchange 2007 beta team!
Figure 13
Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I’ll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option is to set a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.
Click Next.
14. Another new feature in the 2006 ISA firewall is the Site to Site Network Access Rule page. Here you can configure an Access Rule allowing connections from the main office to the branch office. With the ISA 2004 firewall, you had to do this manually after the wizard was completed; another kudo for the VPN developers on the ISA team!
You also have the option to not create an Access Rule at this time by selecting the I’ll change the Access Policy later option.
When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, you’ll be given three choices from the Apply the rule to these protocols drop down list. These include:
All outbound traffic: Use this option if you want to allow all traffic from the main office to the branch office.
All outbound traffic except selected: Select this option if you want to allow all traffic except for a few protocols. Again, you use the Add button to set which protocols you want to block.
Figure 15
In this example, we’ll begin by allowing all protocols. Later, I’ll show you how you can use user/group based authentication to control which users at the main office are allowed to connect to the branch office. This is important, as typically you don’t want average users to have access to the branch office; you just want the administrators to get there. We’ll also see how you can use user/group based access controls at the branch office to prevent branch office users from getting adventurous.
Select the All outbound traffic option and click Next.
15. Click Finish on the Completing the New Site to Site Network Wizard page.
16. The Remaining VPN Site to Site Tasks dialog box informs you that you need to create a user account with the name Branch. We’ll do that in the next section. Click OK.
You can see the new ISA firewall Remote Site Network in the ISA firewall console, as seen in the figure below.
DHCP Configuration
One last thing you need to confirm is your addressing information for the site to site VPN gateway. You have two options to assign IP addresses:
• DHCP
• Static address pool
I prefer to use DHCP because it allows you to assign VPN clients and gateways on-subnet addresses without having to manually remove those addresses from the definition of the default Internal Network, to which the internal interface of the ISA firewall belongs.
For example, suppose the ISA firewall’s internal interface has the IP address 192.168.1.1. The definition of the default
Internal Network is 192.168.1.0-192.168.1.255. If we wanted to use a static address pool to assign on-subnet
addresses, such as 192.168.1.10-192.168.1.20, we would have to change the definition of the default Internal Network
because these addresses we want to assign VPN clients overlap with the definition of the default Internal Network. In
this case the definition of the default Internal Network would change to:
192.168.1.0-192.168.1.9
192.168.1.21-192.168.1.255
On the other hand, if we used DHCP to assign the VPN clients on-subnet addresses, the ISA firewall will
automatically remove any address assigned to a VPN client or VPN gateway from the definition of the default Internal
Network and dynamically assign them to the definition of the VPN clients Network. This prevents overlap between the
VPN Clients Network and the default Internal Network.
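As an added illustration of the static-pool overlap just described (example code written for this page, not ISA Server’s own), the function below subtracts a static address pool from the Internal Network definition and reproduces the two ranges shown above; it goes slightly beyond the article’s single range by accepting a Network made of several ranges. `Range`, `remove_pool`, `overlaps` and `as_lines` are names I chose.

```python
"""Added example (not ISA's code): carving a static address pool out of
the Internal Network definition, as described above.

ISA Server defines a Network as one or more inclusive IPv4 address ranges.
If a static pool overlaps one of those ranges, the pool's addresses must be
removed from the Network definition by hand; remove_pool() computes what
the new definition has to be and overlaps() tells you whether that is needed.
"""
from ipaddress import IPv4Address
from typing import List, Tuple

Range = Tuple[str, str]  # inclusive first and last address, as ISA shows them


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))  # raises ValueError on a malformed address


def _to_str(n: int) -> str:
    return str(IPv4Address(n))


def remove_pool(network: List[Range], pool: Range) -> List[Range]:
    """Subtract the inclusive range `pool` from every range in `network`,
    returning the ranges that remain (in the original order)."""
    p_lo, p_hi = _to_int(pool[0]), _to_int(pool[1])
    if p_lo > p_hi:
        raise ValueError("pool start is after pool end")
    result: List[Range] = []
    for first, last in network:
        lo, hi = _to_int(first), _to_int(last)
        if p_hi < lo or p_lo > hi:       # no overlap: range is untouched
            result.append((first, last))
            continue
        if lo < p_lo:                     # addresses below the pool survive
            result.append((first, _to_str(p_lo - 1)))
        if p_hi < hi:                     # addresses above the pool survive
            result.append((_to_str(p_hi + 1), last))
    return result


def overlaps(network: List[Range], pool: Range) -> bool:
    """True if assigning `pool` would overlap the Network definition."""
    return remove_pool(network, pool) != network


def as_lines(network: List[Range]) -> List[str]:
    """Render ranges the way the ISA console lists them, e.g. 192.168.1.0-192.168.1.9."""
    return [f"{first}-{last}" for first, last in network]


def split_internal_network_example() -> List[Range]:
    """The worked case from the article: Internal Network 192.168.1.0-192.168.1.255
    with a static pool of 192.168.1.10-192.168.1.20 for VPN clients."""
    internal = [("192.168.1.0", "192.168.1.255")]
    pool = ("192.168.1.10", "192.168.1.20")
    return remove_pool(internal, pool)


if __name__ == "__main__":
    for line in as_lines(split_internal_network_example()):
        print(line)
```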
You can check on the IP address assignment method by clicking on the Virtual Private Networks (VPN) node in the left pane of the console and then clicking the Define Address Assignments link on the Tasks tab in the Task Pane. You’ll see what appears in the figure below.
Note that the Dynamic Host Configuration Protocol (DHCP) option is only available on ISA Standard Edition or
single-member ISA Enterprise Edition arrays. If you choose not to use DHCP, then you must click the Add button to
manually add your IP addresses assignment to VPN clients and VPN gateways.
If you use a static address pool, you might want to consider using off-subnet IP addresses. There is no problem with
this, but you must make your routing infrastructure aware that in order to reach the network ID used for the VPN
clients network that they must forward those connections to the ISA firewall interface from which the connection was
received.
In a simple dual NIC configuration, this would be the Internal interface. In a 3+ NIC configuration, you would
configure the routers to forward requests to the VPN clients network ID to the ISA firewall interface closest to the
routers.
Summary
In this, part 1 of a two part series on creating site to site VPNs using the new ISA firewall, we went over the basic network configuration and then started the configuration for the site to site VPN at the main office ISA firewall. We created the Remote Site Network at the main office ISA firewall and created the user account that the branch office ISA firewall will use when calling the main office ISA firewall.
In the second and last part of the site to site VPN series, we’ll move our attention to the branch office ISA firewall and configure it to connect to the main office ISA firewall. We’ll also create a user account that the main office firewall will be able to use when calling the branch office ISA firewall. Then we’ll test the solution by activating the site to site VPN link and checking the log files and sessions information to see what things look like in the ISA firewall console when the site to site VPN is successfully established.
In this part 2 of our article series we’ll finish up by configuring the branch office ISA firewall
and then test the connection.
In part 1 in this two part series on configuring an L2TP/IPSec site to site VPN connection between two ISA firewalls
we went over the details of the sample network and configured the main office ISA firewall.
7. On the Remote Site Gateway page, enter the IP address or FQDN representing the external interface of the main office ISA Server 2006 firewall. In this example, we’ll use the FQDN main.msfirewall.org, so enter this value into the text box. Click Next.
8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you created on the main office ISA firewall to allow the branch ISA firewall access. In this example, the user account is named Branch (the user account must match the name of the demand-dial interface created at the remote site). The branch office ISA firewall will use this account to authenticate to the main office ISA firewall to create the site to site VPN connection.
Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I’ll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option is to set a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.
Selected protocols
All outbound traffic except selected.
In this example, we’ll begin by allowing all protocols. Later, I’ll show you how you can
use user/group based authentication to control which users at the branch office are
allowed to connect to the main office. This will be a key configuration step, as branch
office users should have very limited access to resources at the main office network
and should be allowed access only to the server and protocols required to get their
work done, and they must also be forced to authenticate before gaining access to the
main office network.
If you check the real time log view on the branch office ISA firewall, you’ll see lines like those in the figure below.
Now click on the Sessions tab at the branch office ISA firewall. You’ll see an active session representing the site to
site VPN connection. Notice the filter to point out the site to site connection.
Conclusion
In this article series we discussed how to create an L2TP/IPSec site to site VPN connection between two ISA firewalls.
The discussion was limited to using a pre-shared key between the ISA firewalls at the main and branch offices, but you
should keep in mind that in a production environment you should strive to use machine certificate authentication
instead of a pre-shared key. I provided a link to the ISA Server 2000 VPN deployment kit which will provide you all
the information you need to deploy your certificates.
In the next article we’ll take a look at two things you can do to help secure and accelerate your branch office connections: locking down the Access Rules for communications over the site to site VPN link and using Web proxy chaining so that the branch office ISA firewall can benefit from the larger cache contained on the main office ISA firewall. See you then! –Tom.
ISA Firewall Quick Tip: Internal DNS Forwarding Through ISA Server 2004/2006
This article shows you how to configure your internal DNS server to forward requests to external servers, commonly your ISP's DNS servers. Configuration is done on the internal DNS server and also on ISA Server.
2. Right-click DNS-SRV ( ServerName ), where ServerName is the name of the server, and then
click the Forwarders tab.
3. Click a DNS domain in the DNS domain list. Or, click New, type the name of the DNS domain for
which you want to forward queries in the DNS domain box, and then click OK.
4. In the Selected domain's forwarder IP address box, type the IP address of the first DNS server
to which you want to forward, and then click Add.
5. Repeat step 4 to add the other DNS servers to which you want to forward; usually you have two ISP DNS servers, so enter them both.
6. Click OK.
7. The last thing you should do on your DNS server is to set it as a SecureNAT client; this is done by setting its default gateway to the ISA Server internal IP.
This is all you have to do on your internal DNS server; now let's see what we need to do with ISA Server.
2. Create a new Access Rule: right-click Firewall Policy, then click New and choose Access Rule.
3. The New Access Rule Wizard will be launched. Give a name to your new rule; in this example we will name it Forward DNS To ISP, then click Next.
5. On the Protocols page, from the drop-down list of This Rule Applies To, choose Selected Protocols. Click the Add button; the Add Protocol page will open. Expand the Infrastructure container, choose the DNS protocol and click Add, then click Close. The selected protocol will be displayed on the Protocols page; click Next.
6. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, from the menu bar, click New and choose Computer. The New Computer Rule Element page will open. Click the Browse button, then write your internal DNS server name in the first textbox under Name and click Find; the IP address of the DNS server will be listed. Click OK. You will return to the New Computer Rule Element page; click OK.
7. click on the Computers folder. Double click on the DNS-SRV, then click the Close button in the
Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.
8. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog
box, click the Networks folder. Double click the External entry and click Close in the Add
Network Entities dialog box. Click Next on the Access Rule Destinations page.
9. On the User Sets page, accept the default setting of All Users.
10. Review your settings and click Finish on the Completing the New Access Rule Wizard page.
11. Click the Apply button to save the changes and update the firewall policy.
13. The rule you have just created will permit your internal DNS server to communicate with your ISP's DNS servers. Now we need to create a rule to allow users to surf the Internet, so start creating a new Access Rule.
14. Right-click Firewall Policy, then click New and choose Access Rule.
17. On the Protocols page, from the drop-down list of This Rule Applies To, choose Selected Protocols, click the Add button and from the Common Protocols folder choose HTTP, HTTPS, POP3 and SMTP. Click Add on each protocol you choose and once you have selected them all, click Close. The protocols will be displayed on the Protocols page; click Next.
18. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog
box, click on the Networks folder. Double click on the Internal network, then click the Close button
in the Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.
19. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog
box, click the Networks folder. Double click the External entry and click Close in the Add
Network Entities dialog box. Click Next on the Access Rule Destinations page.
20. On the User Sets page, accept the default setting of All Users.
21. Review your settings and click Finish on the Completing the New Access Rule Wizard page.
22. Now, your rules will look like this:
23. Click the Apply button to save the changes and update the firewall policy.
Summary
In this article, we learned how to configure our internal DNS server to forward requests to the ISP's DNS servers; we also learned how to create the rule needed on ISA to allow DNS communication between the internal DNS server and the ISP's DNS servers.
How can I detect users who use or run sniffing and spoofing programs from ISA Server?
To detect that kind of traffic, try to set up an IDS in your system. The free popular one is
When I block MSN Messenger by configuring a signature for “msnmsgr.exe”, this blocks msnmsgr.exe and also Hotmail mail access. Is there any solution to block MSN access without blocking Hotmail access?
If you blocked only the signature “msnmsgr.exe”, you can check email on Hotmail through web access. I’ve tested it.
It seems that the application will attempt to connect on other ports (including 80) if 5050 fails. Therefore, there is no way to block it using a port rule. (But mine works, strange!)
Yesterday I spent a full day monitoring Yahoo Messenger packets with Wireshark, and I did block these TCP ports: 20, 25, 23, 119, 5050, 5150, 5051 (which I found was right, as explained in the link you provided – thank you).
It does work till now! And I hope it will.
I will also try the servers and let you know the result, but I wonder why the signature did not work; I think it was the best solution!
I think this is because the new Yahoo Messenger uses the Mozilla interface, which results in a changed signature! I mean the signature becomes Mozilla/4.0! What’s your idea?
Thank you for your help and attention anyway. Now I’m working on Google Talk; any advice will be appreciated. The signature is Google Talk in the User-Agent area! But it does not work too )
You can customize the error pages on ISA Server. The templates are located in the folder C:\Program Files\Microsoft ISA Server\ErrorHtmls.
I configured the VPN in ISA Server 2006 and it gives error 800; I don’t know why. Please tell me the VPN configuration.
I don’t have experience with VPN. I haven’t tried VPN yet. But there are many resources about configuring VPN on ISA Server on the Internet:
○ Enabling the ISA Server 2004 VPN Server – ISAServer.org
○ How to configure a VPN server by using Internet Security and Acceleration (ISA)
Server 2006 – Microsoft.com
○ How to configure a VPN connection to your corporate network in Windows XP
Professional – Microsoft.com
○ Error Message: VPN Connection Error 800: Unable to Establish Connection –
Microsoft.com
In my organisation we are implementing ISA Server 2006 and we have created the four policies mentioned below:
1. Only mail access rule – users can access the company mail only.
2. Allowed sites access rule – users can access only particular sites.
3. Access with restriction access rule – users can access all the websites except particular sites.
4. Full access rule – all the websites can be accessed.
In this scenario, only the Full access rule users are able to access Yahoo, MSN, Gtalk etc.
But we need to give chat permission to the mail, allowed sites and access with restriction users also.
How to create the policy for this scenario? Kindly help us.
I’m not sure about mail chat. I don’t have this kind of traffic in my environment. But I’ve found some posts related to this issue:
○ Block Yahoo mail chat
○ Allowing/Denying IM and other protocols on ISA Server
I just configured VPN in ISA Server 2006, but the problem is that when I type \\isaserver in Run from a client it can’t find the server, but when I type the IP from the server to a client it can find that computer.
Please help me, what is the problem?
Note: when I type \\client from the server, the computer can’t be found; if I type the IP of the client it can find it.
You may have to check DNS configuration whether it points to the correct server.
Completely blocking messengers from ISA Server isn’t easy. Most of them can now communicate through HTTP (80), which makes them even harder to block. The best way to solve the problem is to control software installation on PCs with software restrictions. This can be achieved using Group Policy.
You can block specific extensions by opening Configure HTTP for the rule -> select the Extensions tab -> select Block specified extensions (allow all others) -> then add the extensions that you want to block, such as .exe, .mp3, etc.
Having the problem that sometimes the Internet connection drops for a few minutes and then comes back online by itself or after restarting the ISA server. They don’t have a constant Internet connection.
You should check the Internet link between ISA Server and your ISP to see if it drops or not. Sometimes it could be a hardware problem.
If that is not the case, try checking the system log on ISA Server. If there is a problem with the server, you will see some error messages there.
Everything is working fine except the voice and video for Yahoo and MSN. Please help me, how do I allow voice and video chat?
I have a rule in Outlook that is allowed to send mails in the ISA server: all outbound, from internal, to external, but the problem is users can browse all the sites on the Internet, and when I change the rule to specific sites, I can’t send anymore; it doesn’t see my webmail in the ISA server console.
How can I block Facebook, Orkut, game chatting and sex sites in only one access deny rule? I have ISA Std Edition.
First create the Domain Name list for Facebook, Orkut, game chatting and sex sites.
For creating the Domain Name list:
Go to the Firewall Management console –> right side Toolbox –> click New –> select Domain Name list –> in the name type (any name) –> click Add *.facebook.com, again click Add *.orkut.com and OK.
Now create a rule for Firewall Policy.
Right-click Firewall Policy –> select New and Access Rule –> type the name you want –> then Next –> in the Rule Action window select DENY and Next –> in the Protocols window select HTTP and HTTPS and Next –> in the Access Rule Sources window select INTERNAL and Next –> in the Access Rule Destinations window select (the created DOMAIN SET) and Next –> in the User Sets window (select All Users or create some users for a set of users) and Next.
For denying the sexual sites:
You cannot deny all the sexual sites; for that you have to configure an HTTP Signature.
After the rule is created, select the rule, right-click, select Configure HTTP and select the Signatures tab. Click Add and type any name for your reference. In the Search in window select either REQUEST URL or REQUEST BODY, and in the Signature window type PORN, GAY, LESBIAN or SEX and give OK.
Note: This HTTP signature will only be applicable on an ALLOW RULE.
I do not understand about the game chatting.
Can you please tell me the difference between Domain Name Set and URL Set?
The difference between a Domain Name Set and a URL Set is: if you want to block only a specific URL, we can use the URL list.
Ex. you want to block http://www.google.com; it will block only http://www.google.com for the client request and it will not block http://mail.google.com or http://msdn.microsoft.com. Whatever URL you give, only that will be blocked.
A Domain Name list will block the entire domain *.google.com; the * is used for including subdomains of google.
This is the difference; I hope you understand.
For online gaming: use an HTTP signature to block; if you know the web URL, you can use either a Domain or URL Set for that.
Thanks
Nandha
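To make the Domain Name Set versus URL Set distinction above concrete, here is an added Python model (my own code, not ISA Server’s) of how each element matches a request URL, using the *.facebook.com, *.orkut.com and http://www.google.com entries from this thread. Treating *.domain as also covering the bare domain, and a trailing * in a URL Set entry as a prefix wildcard, are assumptions of the model.

```python
"""Added example (my own model, not ISA's code) of how a Domain Name Set
and a URL Set decide whether a client request matches, as explained above.

Domain Name Set: an entry like *.google.com matches google.com and every
subdomain (including the bare domain is an assumption here); an entry
without a wildcard matches that host only.
URL Set: an entry is compared with the whole URL, so http://www.google.com
does not cover http://mail.google.com; a trailing * is treated as a prefix
wildcard (also an assumption of this model).
"""
from typing import Iterable, List
from urllib.parse import urlsplit


def _normalise_url(url: str) -> str:
    """Lower-case the scheme and host and drop a trailing slash, so that
    http://www.google.com and http://www.google.com/ compare equal."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = parts.path.rstrip("/")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


def domain_set_matches(entries: Iterable[str], url: str) -> bool:
    """True if the request's host falls inside any Domain Name Set entry."""
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    for entry in entries:
        pattern = entry.strip().lower().rstrip(".")
        if pattern.startswith("*."):
            base = pattern[2:]
            # notfacebook.com must not match *.facebook.com: require a dot boundary
            if host == base or host.endswith("." + base):
                return True
        elif host == pattern:
            return True
    return False


def url_set_matches(entries: Iterable[str], url: str) -> bool:
    """True if the whole request URL equals (or, with a trailing *, starts
    with) a URL Set entry."""
    target = _normalise_url(url)
    for entry in entries:
        pattern = _normalise_url(entry)
        if pattern.endswith("*"):
            prefix = pattern[:-1].rstrip("/")
            if target == prefix or target.startswith(prefix + "/"):
                return True
        elif target == pattern:
            return True
    return False


# Constructed rule elements following the reply above.
DOMAIN_SET = ["*.facebook.com", "*.orkut.com"]
URL_SET = ["http://www.google.com"]


def classify(url: str) -> List[str]:
    """Names of the rule elements that a deny rule built on them would match."""
    hits: List[str] = []
    if domain_set_matches(DOMAIN_SET, url):
        hits.append("domain set")
    if url_set_matches(URL_SET, url):
        hits.append("url set")
    return hits
```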