Restrict Internet Use Via ISA 2004
by Andy Goodman [SBS-MVP]

A number of people have asked me how to restrict a group of users to a limited selection of websites. The most recent request came from Elias on the MCP Magazine SBS Forum, also known as the Redmond Magazine SBS Forum. I am sure there is more than one way to accomplish this, but here is my stab at it.

First let's create a security group, so of course we start in the Management Console.
Right-click on Security Groups and hit Add.

Let's call our new security group losers just for fun, and it is always a good idea to put
a description in to remind you down the road why you created the group.

This is where we decide who is going to be affected by our limitations. I will only add
the Guest Account since I am doing this example on my live server, but you would add
any users or groups you want to limit. You could also skip this part and do it in the
ISA interface as you will see later, but I like to do all of these things in the same place, so
I use the standard Windows Tools.

Ok just hit the Finish button on the summary screen.

Now fire up the ISA Server Management Console from Start, Microsoft ISA Server, ISA Server Management.

And let's create our new Access Rule.

First let's give our new rule a catchy name.

Our rule is going to allow access to the Internet, although very limited, so click Allow.

Next we need to specify which Protocols we will allow so hit add

In the Add Protocol wizard only pick HTTP for this example. You can add HTTPS if you are going to
allow them to use secure sites; we won't be.

If you wanted to add more Protocols you would hit Add again, but we will hit Next

Now tell the wizard where the traffic will come from, in our case that would be the Internal Network

If you were going to add another source this would be the place, but we will hit Next

Now here is where we get to be control freaks, this is where we set where they can go.
Hit Add to add our approved list, then New and pick URL Set

A catchy name that explains the reason for the Rule Set is always a good idea!
You can add as many URLs as you like to the list; these will be the only allowed places to surf to.

Now just hit Add and select our newly created URL Set

If you had multiple URL Sets you could add more here, we will hit Next.

This is where we tell ISA who to restrict, so we will remove the All Users Group

Now we will need to Create a New User Set, so hit Add then New and then User Set

Another catchy descriptive name will work nicely here

Hit Add and select Windows users and groups.

Remember the Security Group we created earlier? This is where we use it:
type in Losers and hit Check Names to make sure we don't have a typo.

Of course you could add more groups here, but just hit next for our demo.

Now the obligatory summary screen, hit finish to close the User Set Wizard.

Now select our newly created User Set

By now you know you can add more, right? Hit Next.

Hey we are almost done, this is the last Summary Screen to hit finish on.

But wait a minute, you're not done yet. As in all things ISA 2004, when you are finished you HAVE TO HIT APPLY.

Watch the little progress bar knowing that your hard work (ok so it wasn't that hard) is about to pay off.

The Wizard wants to help build your ego, just stop smirking and hit OK.

Now here is where you can get in trouble. ISA applies the rules in the order you see below;
when it finds an access rule that matches, it applies it and STOPS READING RULES.
In order for our rule to work as intended we must move it to the top of the list.

Unfortunately there is not a move to top button so you have to keep clicking.
You can right-click the rule as above or use the handy link on the right as below.

And don't forget, we just made more changes so we need to click Apply once again.

Hit OK one more time, and now you can rest your clicker finger.
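
A small model of the first-match rule evaluation described above, added here as an illustration and not part of the original article or of ISA itself; the rule names, groups and hosts are constructed. It assumes a rule matches only when protocol, user set and destination all match, and goes slightly beyond the text by checking whether a restricted user who also belongs to a broader group is caught by a lower allow rule.

```python
from dataclasses import dataclass

ANY = None  # wildcard: the condition matches anything


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    protocols: object  # set of protocol names, or ANY
    users: object      # set of group names (the User Set), or ANY
    hosts: object      # set of destination hosts (the URL Set), or ANY

    def matches(self, protocol, groups, host):
        # Model assumption: every condition must match for the rule to apply.
        return ((self.protocols is ANY or protocol in self.protocols)
                and (self.users is ANY or bool(groups & self.users))
                and (self.hosts is ANY or host in self.hosts))


def evaluate(rules, protocol, groups, host):
    """Return (action, rule name) of the first rule that matches."""
    for rule in rules:
        if rule.matches(protocol, groups, host):
            return rule.action, rule.name  # first match wins, stop reading
    return "deny", "(no rule matched)"


# Constructed policy: names, groups and hosts are placeholders.
POLICY = [
    Rule("Limited Sites", "allow", {"HTTP"}, {"Losers"},
         {"approved-one.example", "approved-two.example"}),
    Rule("General Web Access", "allow", {"HTTP", "HTTPS"}, {"Staff"}, ANY),
    Rule("Default rule", "deny", ANY, ANY, ANY),
]


def restriction_leaks(rules, groups, probe_host="unlisted.example"):
    """True if a user with these groups can reach a host outside the URL Set."""
    return evaluate(rules, "HTTP", groups, probe_host)[0] == "allow"


if __name__ == "__main__":
    for groups, proto, host in [
        ({"Losers"}, "HTTP", "approved-one.example"),
        ({"Losers"}, "HTTP", "unlisted.example"),
        ({"Losers"}, "HTTPS", "approved-one.example"),
        ({"Losers", "Staff"}, "HTTP", "unlisted.example"),
    ]:
        print(sorted(groups), proto, host, "->", evaluate(POLICY, proto, groups, host))
```

In this model the restricted group is only limited to the URL Set while its members are not also covered by another allow rule, so group membership is worth checking alongside rule order.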

And that is all there is to it.
Now that you have gone through this it should be very easy for you to figure out how to make other rules in ISA too.
It is very intuitive once you jump in; my hat's off to the ISA Team for that!
We now have a limited group that can only go to the 2 best sites on the Internet, well imho anyway :>)

          *All trademarks and copyrights are property of their respective owners.
          **Author and/or Publisher assumes no responsibility, use these suggestions and guidelines at your own risk


