Creating New Firewall Policy Rules


Two common requests for new rules are to restrict certain websites during business hours and to always deny access to certain websites. Managers often want these restrictions to apply only to particular users as well. We'll use the components discussed previously to create both of these rules.

Restrict Access to Certain Websites by Time of Day and Username

To create a rule that denies access to particular websites during business hours, except for the lunch hour, open Firewall Policy and follow these steps:

1.

Highlight the SBS Internet Access Rule and in the Tasks pane click on Create New Access Rule. This opens the New Access Rule Wizard. Enter a descriptive name for the rule such as Restricted Websites; then click Next.

2.

Make sure that Deny is selected then click Next.

3.

Make sure that All Outbound Traffic is selected and click Next.

4.

On the Access Rule Sources page, click the Add button. A pop-up window called Add Network Entities opens. Expand Networks, select Internal, and click Add. Click Close and then click Next.

5.

On the Access Rule Destinations page, click the Add button. In the Add Network Entities pop-up window, click New and select URL Set. Enter a descriptive name in the Name box, such as Restricted URLs. Then click the New button and enter the URL of the website that you want to restrict access to. Click New again to add additional sites to the list. When your list is complete, click OK.

6.

The URL set that you just created is now listed under URL Sets. Select it, click the Add button, and then click Close. The URL set is now listed in the This Rule Applies to Traffic Sent to These Destinations box. Click Next.

7.

On the This Rule Applies to Requests from the Following User Sets page, click Add if you want to restrict access to these sites for only a few people; otherwise leave All Users in place and click Next.

8.

To restrict these sites for only a few people, click the Add button, and in the Add Users pop-up window click New and select User Set (see Figure 24.9). A user set is similar to an Active Directory group: you assign users to it and then apply rules to the set. Enter a name for the user set, such as Internet Restricted Users, and click Next. Click the Add button and select Windows Users and Groups from the list. This opens the familiar Select Users or Groups dialog for Active Directory. Enter the first username in the box and click Check Names; then click OK to add the name to the set. Repeat this procedure until every user whose Internet access you want to restrict is a member of the set, and click Next. Click Finish to save the user set. The new user set now appears in the list of available user sets; select it and click Add, and then click Close to return to the wizard. Highlight All Users and click Remove, so that the rule applies only to the members of your set rather than to everyone; if All Users is left in the list, the Deny rule applies to every user regardless of the set you just built. Click Next and then click Finish.

Figure 24.9. New user sets or URL sets can be created during the configuration of the rule.


9.

Right-click the Restricted Websites rule and select Properties. Move to the Schedule tab and click the New button to create a new schedule for this rule (see Figure 24.10). Type a descriptive name for the schedule, such as When Internet Restrictions Are in Effect, in the Name box. In the Schedule grid, blue areas represent times when the rule is in effect and the listed websites are therefore restricted; white areas represent times when the rule is not in effect and users can reach the websites. By default every hour is blue (Rule in Effect). Click and drag to highlight the times when you do not want this rule in effect, for example before and after office hours and during lunch, and mark those hours as not in effect. When the schedule is complete, click OK. In the Schedule drop-down box, select the schedule you just created and click OK. Click Apply when you are ready for the rule to take effect. Before you apply, confirm that the new Deny rule is ordered above the SBS Internet Access Rule in the Firewall Policy list: ISA Server evaluates access rules from the top down and acts on the first match, so a Deny rule placed below the allow rule would never be reached.

Figure 24.10. A schedule can be created and assigned to a rule, which will turn the rule on and off at designated times.


Create a Rule to Always Deny Particular Websites

You may also have a list of websites that you never want any of your users to visit. The same procedure used for the time-of-day and username rule applies here, but this time there is no need to create a user set, because by default the rule applies to all users, and no need to modify the schedule, because by default the rule is always active. To configure a rule that always denies access to certain websites, follow these steps:

1.

In Firewall Policy highlight the SBS Internet Access Rule and then select Create New Access Rule from the Tasks pane. Give the rule a descriptive name such as Websites Never to Be Visited and click Next.

2.

Make sure that Deny is selected and click Next.

3.

Make sure that All Outbound Traffic is selected and click Next.

4.

On the Access Rule Sources page, click the Add button, expand Networks, select Internal, and click Add. Click Close to return to the wizard and then click Next.

5.

On the Access Rule Destinations page, click Add; then click New and select URL Set. In the Name box enter a descriptive name, such as Never Allow These URLs. Click New to add a URL, and repeat until your list is complete. Then click OK to return to the wizard.

6.

Select the URL set you just created from the list and click Add. Click Close to return to the wizard. Click Next.

7.

Leave All Users selected on the user sets page and click Next; then click Finish. Click Apply when you are ready for this rule to take effect.

Best Practice: Using Scripts for Blocking Sites

If you have a long list of websites that you want to restrict, it's time to employ scripts. Some industrious people have made a hobby of collecting lists of advertising sites, pornography sites, and other plagues of the Internet, and several companies sell such lists commercially. Two good sources for software add-ons, both free and for a fee, are http://www.isaserver.org/software/ and http://isatools.org.
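Loading a long blocklist into a URL set by script, as an added example that is not from the book or from ISA Server. It assumes the ISA Server 2004 administration COM object (FPC.Root) with its RuleElements.URLSets collection is available on the server, that the script runs there as an ISA administrator with PowerShell installed, and that the blocklist path and the set name are placeholders you replace. The set it fills is the same kind of URL set that step 5 of either procedure above creates by hand.

```powershell
# Added example (not from the book): bulk-load a blocklist into an ISA Server
# 2004 URL set through the FPC.Root COM administration object, so the set can
# be the destination of a Deny rule such as "Websites Never to Be Visited".
# Assumptions: run on the ISA/SBS server as an ISA administrator with
# PowerShell installed; the list path and set name below are placeholders.
param(
    [string]$ListPath = 'C:\blocklist.txt',       # assumed input file
    [string]$SetName  = 'Never Allow These URLs'  # set name from step 5 above
)

# Turn one blocklist line into an ISA URL-set pattern, or $null to skip it.
# Accepts bare domains, hosts-file lines ("127.0.0.1 ads.example.net") and
# full http:// URLs. Anything else is rejected rather than guessed at.
function ConvertTo-UrlPattern {
    param([string]$Line)
    $l = $Line.Trim()
    if ($l -eq '' -or $l.StartsWith('#')) { return $null }   # blank or comment
    $l = ($l -split '\s+')[-1]                               # hosts-file form: last token is the name
    if ($l -eq 'localhost') { return $null }                 # hosts-file noise
    if ($l -match '^https://') { return $null }              # HTTPS: proxy sees only the host; use a domain name set
    if ($l -match '^http://') { return $l }                  # full URL: use as written
    if ($l -notmatch '^[A-Za-z0-9.-]+$') { return $null }    # not a host name: skip
    return "http://$l/*"                                     # whole site, any path
}

# Constructed input is read from $ListPath; normalise, drop empties, dedupe.
$patterns = @(Get-Content $ListPath |
              ForEach-Object { ConvertTo-UrlPattern $_ } |
              Where-Object { $_ } |
              Sort-Object -Unique)

$root    = New-Object -ComObject 'FPC.Root'   # ISA administration object (assumed present)
$isaArr  = $root.GetContainingArray()
$urlSets = $isaArr.RuleElements.URLSets

try   { $set = $urlSets.Item($SetName) }     # reuse the set if the wizard already created it
catch { $set = $urlSets.Add($SetName) }      # otherwise create it

$already = @{}
foreach ($u in $set) { $already[$u] = $true } # entries already in the set are not re-added

$added = 0
foreach ($p in $patterns) {
    if (-not $already.ContainsKey($p)) { $set.Add($p); $added++ }
}
$set.Save()                                   # write the change to the ISA configuration
Write-Host "$added new patterns loaded into URL set '$SetName'."
```

Run it from a PowerShell prompt on the ISA server; afterwards the set appears under URL Sets in the Add Network Entities window, ready to be picked in step 5, and the rule that references it still needs to be ordered above the SBS Internet Access Rule and applied. Two caveats worth knowing before trusting the list: a URL-set pattern like http://host/* matches only plain HTTP requests, because for an HTTPS request the Web proxy sees nothing but the host name, so a site you must block over HTTPS belongs in a domain name set as well; and a hosts-file style list often contains entries such as localhost or the machine's own names, which the script skips rather than turning into a pattern that would block internal sites.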


Configure Websites for Direct Access

Occasionally you run into a website that requires a helper application that isn't proxy aware. In these cases you'll be denied access to the site, and often the site's support staff have no idea how to help you; they simply say that they don't support client computers behind a proxy. If you must reach a website where this is the case, you'll need to enable the site for direct access.

Direct access lets client computers reach only the specified site directly, while all other sites continue to be accessed, more securely, through the proxy. To enable a site for direct access, follow these steps:

1.

Expand Configuration; then click on Networks.

2.

Right-click on Internal and select Properties.

3.

Move to the Web Browser tab. Make sure that both Bypass Proxy for Web Servers in This Network and Directly Access Computers Specified in the Domains Tab are checked.

4.

In the Directly Access These Servers or Domains box (see Figure 24.11) you see the Internet IP address of your SBS server. Click the Add button and enter the IP address of the site that you need to reach directly in both the From and To boxes; if the support staff has given you a range, enter the beginning of the range in the From box and the end of the range in the To box. The support staff should be able to give you this information; enter the narrowest range that works, because every address in it bypasses the proxy. If all you have is the URL for the site, select the Domain or Computer radio button and click Browse, or type the name. Click OK to finish and click Apply.

Figure 24.11. Websites that require direct access can be specified by IP address or name.


5.

To have this policy change take effect immediately, update the Firewall Client manually. To do this, at the workstation right-click the Firewall Client icon and select Configure.

6.

Move to the Web Browser tab, check the Enable Web Browser Automatic Configuration box, and click the Configure Now button. A Web Browser Settings Update pop-up box indicates that the web browser settings were successfully configured; click OK to close it, and then click OK to close the Microsoft Firewall Client for ISA Server 2004 configuration screen.

Direct Access Required = Nonconforming Website

One of the most frustrating things about having to configure direct access to certain websites is that it would be completely unnecessary if those websites conformed to industry standards or understood that more and more businesses use firewalls that won't tolerate unauthenticated network use or poor coding. The only solution is to complain to the company with the problematic website and then allow direct access to it. Recognize that this is a compromise in your security that you are making to accommodate that one website: traffic to a direct-access destination bypasses the Web proxy, so the URL-set rules and Web proxy logs you rely on elsewhere never see it. Keep the direct-access list short, use the narrowest address range that works, and review the list periodically so that entries added for a site you no longer use do not linger.


Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253