More Web Filtering

ISA Server has Web filtering features other than the ability to block a list of sites that you might find useful. To experiment with these features, follow the same procedure as in Step 3 in the main article to create another blocking rule, but this time, name it File_Blocker and set the destination to the external network instead of to Bad-Sites. Move the File_Blocker rule to sit just above the Site_Blocker rule in the firewall policy.

Right-click your File_Blocker rule, select Properties, then go to the Content Types tab. By default, the rule applies to all content types, hence, the rule is now preventing all file downloads from the Web, which isn't what we want. Instead, choose the Selected content types option and select only the Audio and Video check boxes, as Figure A shows. Now ISA Server will prevent your users from downloading any audio or video files from the Web via HTTP, which could save you a lot of bandwidth.

ISA Server determines a file's type by using its filename extension (e.g., .mp3) and MIME description (e.g., audio/mpeg). You can highlight a file type on the tab in Figure A and click Details to see the list of filename extensions and MIME descriptors that make up that content type. You can also create your own custom content type by clicking New.

Note, however, that specifying file types on a rule's Content Types tab causes that rule to

apply only to HTTP traffic. This is true even if the Proto-cols tab says that the rule applies to all traffic. If you want to block protocols other than HTTP, you'll have to create additional rules,but even if you do, you won't be able to block file downloads by filename extension or MIME type for those non-HTTP protocols—this feature is only for HTTP. Moreover, unless you purchase a third-party extension such as Collective Software's ClearTunnel, you won't be able to limit HTTP Secure (HTTPS) traffic because the channel is encrypted.

Next, go to the Action tab. On this tab (which Figure B shows), you can enter the URL for an internal Web server that hosts a custom Denied Access page that contains your official acceptable use policy. If you don't enter a URL, denied HTTP requests will get a generic-looking error page. You could configure both your File_Blocker and Site_Blocker rules to show your custom page when access is denied.

Finally, to do even more advanced HTTP filtering, open the Properties dialog box of the rule that allows Internet access (not the blocking rules), go to the Protocols tab, click Filtering, and select Configure HTTP. You'll see a set of tabs for doing application-layer filtering of HTTP. I can't discuss all the available HTTP filtering options in this article, but as an example of what's possible, go to the Extensions tab, select Block specified extensions, and add .wmf to the list. This is an alternative to using the Content Types tab for blocking unwanted file types. In this case, you're blocking the image file type associated with the nasty graphics rendering engine vulnerability published in January 2006 (Microsoft Security Bulletin MS06-001—Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution). Click OK and Apply to save your changes.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.