ISA Firewall Quick Tip: Blocking MSN Messenger Access through the ISA Firewall while Enabling Access to Some Users

by Thomas W Shinder MD, MVP







Have Questions about the article?
Ask at: http://tinyurl.com/gc84w



One subject that deserves a lot more attention on this site is how to craft a firewall policy. The problem is, everyone’s firewall policy is going to be different, depending on what their corporate network security policy requires. The network security policy I enforce on my ISA firewall may be much more stringent than what you need to enforce, or my policy may be far too liberal for the tough network security requirements dictated by your corporate security team.


Since this is an ISA Firewall Quick Tip article, I’m not going to go through the thought processes involved in configuring an effective network security policy. That is a great idea for an article that I’ll do in the future. What I will do this time around is show how you can use the ISA firewall’s user set “exceptions” feature to block one group of users from accessing content through the ISA firewall while allowing another group of users access to the same content.


This article is inspired by a Web board post over at http://forums.isaserver.org/Block_MSN_Messenger_7%255/m_2002000253/tm.htm The problem Luciano had was that he wanted to block one group of users from using MSN Messenger 7.5 while allowing another group of users access to it.


At first blush, this would seem to be a simple problem: create an ISA firewall Group containing the users you want to deny access to MSN Messenger and an Access Rule that blocks those users, then create a second group containing the users you want to allow access and an allow rule that provides it.


It seems easy, but what if the users you want to allow access also belong to the group you want to block from MSN Messenger? For example, suppose you want to block access to MSN Messenger for all authenticated users, but you do not want to block a selected group of important users. Since the important users are themselves authenticated users, the deny rule matches them too. In this case it’s not so easy unless you know how to use the ISA firewall’s Access Rule exceptions feature. This is the scenario on which I’m basing today’s ISA Firewall Quick Tip.


The first thing you must do before carrying out the procedures I describe in this article is create the ISA firewall Groups on the ISA firewall that you want to deny access and allow access. Once you create those groups you’ll be able to use them in the Access Rules. I won’t go over the procedures involved with creating ISA firewall Groups, as I discuss them in detail in our book.


In this article we’ll go over the following procedures:



  • Create the HTTP/HTTPS Access Rule to Deny Access to MSN Messenger
  • Configure the User Group Exception and the HTTP Security Filter on the Deny Rule
  • Create the Allow Rule for the Excepted Users


Create the HTTP/HTTPS Access Rule to Deny Access to MSN Messenger


The first step is to create the rule that blocks MSN Messenger over HTTP for members of the ISA firewall Group that should not use this application, while still allowing those users access to all other HTTP and HTTPS sites. Note that this is an Allow rule even though we name it a deny rule: the block comes from the HTTP Security Filter signature we add in the next section, which inspects the HTTP requests this rule would otherwise permit and drops the ones that match.



  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page enter the name for the rule in the Access Rule name text box. In this example we’ll name the rule Deny MSN 7.5 over HTTP and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click the HTTP and HTTPS protocols. Click Close.



Figure 1



  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and then double click Internal. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click the Add button.
  11. In the Add Network Entities dialog box, click the Networks folder and then double click the External entry. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, click the All Users entry in the This rule applies to requests from the following user sets list and click the Remove button. Click the Add button.
  14. In the Add Users dialog box, double click the All Authenticated Users entry and click Close.



Figure 2



  15. Click Next on the User Sets page.
  16. Click Finish on the Completing the New Access Rule Wizard page.

At this point the rule doesn’t deny anything. In the next step we’ll go into the Properties dialog box of the rule, configure the HTTP security filter to block MSN Messenger, and then exempt members of the ISA firewall Group Full Web Access (a group I created that includes the users who are allowed to use MSN Messenger) from the rule.










Configure the User Group Exception and the HTTP Security Filter on the Deny Rule


Perform the following steps to configure the HTTP security filter to block MSN Messenger:



  1. Right click the Deny MSN 7.5 over HTTP Access Rule and click Configure HTTP.
  2. In the Configure HTTP policy for rule dialog box, click the Signatures tab.
  3. On the Signatures tab, click the Add button.
  4. In the Signature dialog box, enter a name for the signature in the Name text box. In this example we’ll name the signature MSN 7.5 Request Header. In the Search in drop down list, select the Request headers option. In the HTTP header text box, enter User-Agent: and in the Signature text box, enter MSN Messenger. Your signature should look like that in figure 3. Click OK.



Figure 3



  5. Click OK in the Configure HTTP policy for rule dialog box.



Figure 4


The Access Rule will now allow access to all external HTTP and HTTPS sites, but will block any MSN Messenger connection that attempts to use HTTP to gain outbound access, because the HTTP security filter drops requests whose User-Agent header matches the signature. Keep in mind what that does and does not cover: the signature is matched only on plain HTTP requests the filter can read (it does not look inside HTTPS tunnels), and a client that sends a different User-Agent string will not match it. However, the rule still applies to everyone, so we need to configure it to apply to everyone except the users we do want to allow access to MSN Messenger 7.5. We do this by creating an exception on the rule so that the rule doesn’t apply to that group of users:



  1. Right click the Deny MSN 7.5 over HTTP rule and click Properties.
  2. In the Deny MSN 7.5 over HTTP Properties dialog box, click the Users tab.
  3. On the Users tab, click the Add button next to the Exceptions list.
  4. In the Add Users dialog box, double click the ISA firewall Group that you want to exempt from this rule. I have already created an ISA firewall Group named Full Web Access and populated this group with users located in the Active Directory database. If you don’t know how to create ISA firewall Groups, check out our book or the ISA 2004 Help file. Click Close.



Figure 5



  5. Click OK in the Deny MSN 7.5 over HTTP Properties dialog box.



Figure 6


Create the Allow Rule for the Excepted Users


While the rule we created exempts members of the Full Web Access group from being controlled by that rule, the exception does not by itself grant the Full Web Access group any access. You must create a rule that allows those users access to the Internet. In this example we’ll create a rule that allows members of the Full Web Access group access to all sites on the Internet using the HTTP and HTTPS protocols, without the HTTP security filter signature that blocks MSN Messenger 7.5:



  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page enter the name for the rule in the Access Rule name text box. In this example we’ll name the rule Allow HTTP/S to Full Web Access Group and click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  5. In the Add Protocols dialog box, click the Common Protocols folder and then double click the HTTP and HTTPS protocols. Click Close.



Figure 7



  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and then double click Internal. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click the Add button.
  11. In the Add Network Entities dialog box, click the Networks folder and then double click the External entry. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, click the All Users entry in the This rule applies to requests from the following user sets list and click the Remove button. Click the Add button.
  14. In the Add Users dialog box, double click the Full Web Access entry and click Close.



Figure 8



  15. Click Next on the User Sets page.
  16. Click Finish on the Completing the New Access Rule Wizard page.
  17. Click Apply to save the changes and update the firewall policy.
  18. Click OK in the Apply New Configuration dialog box.

The second rule enables the members of the Full Web Access ISA firewall Group to access any site using the HTTP and HTTPS protocols, and allows them to use the MSN Messenger 7.5 application because they were exempted from the rule that blocks everyone else’s access to MSN Messenger 7.5.
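To make the evaluation order concrete, here is an added example, written for this article and not the ISA firewall’s own code or its administration API. It models ISA-style first-match Access Rule evaluation with a user set exception and an HTTP filter User-Agent signature, using the two rules built above. The rule and group names mirror the article; the user names, the sample requests and the MSN Messenger User-Agent string are constructed for illustration and were not captured from a real client.

```python
"""Model of ISA-style first-match Access Rule evaluation.

Added example for this article: it is not the ISA firewall's code or its
administration API. Rule names, user set names and the HTTP filter signature
mirror the article; user names, requests and the MSN Messenger User-Agent
string are constructed for illustration.
"""
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # ISA user sets the (authenticated) user belongs to
    protocol: str            # "HTTP" or "HTTPS"
    user_agent: str = ""     # only readable by the HTTP filter on plain HTTP


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str
    protocols: frozenset
    user_sets: frozenset                  # "This rule applies to" list on the Users tab
    exceptions: frozenset = frozenset()   # "Exceptions" list on the Users tab
    signatures: tuple = ()                # HTTP filter (header, substring) pairs that block

    def applies_to(self, req):
        """Rule matching as on the Users tab: excepted users fall through to later rules."""
        if req.protocol not in self.protocols:
            return False
        if req.groups & self.exceptions:
            return False
        # every Request here is authenticated, so All Authenticated Users matches anyone
        return "All Authenticated Users" in self.user_sets or bool(req.groups & self.user_sets)

    def decide(self, req):
        """Deny rules deny; allow rules still run their HTTP filter signatures on plain HTTP."""
        if self.action == DENY:
            return DENY, self.name
        if req.protocol == "HTTP":  # the filter cannot read inside an HTTPS tunnel
            for header, needle in self.signatures:
                value = req.user_agent if header.lower() == "user-agent:" else ""
                if needle in value:
                    return DENY, f"{self.name} (HTTP filter signature {needle!r})"
        return ALLOW, self.name


def evaluate(policy, req):
    """First matching rule wins; ISA's implicit last rule denies everything."""
    for rule in policy:
        if rule.applies_to(req):
            return rule.decide(req)
    return DENY, "Default rule"


HTTP_S = frozenset({"HTTP", "HTTPS"})
MSN_SIGNATURE = ("User-Agent:", "MSN Messenger")   # the signature from figure 3


def build_policy(with_exception=True):
    """The two rules from the article; with_exception=False omits the Users tab exception."""
    deny_msn = AccessRule(
        name="Deny MSN 7.5 over HTTP", action=ALLOW, protocols=HTTP_S,
        user_sets=frozenset({"All Authenticated Users"}),
        exceptions=frozenset({"Full Web Access"}) if with_exception else frozenset(),
        signatures=(MSN_SIGNATURE,))
    allow_full = AccessRule(
        name="Allow HTTP/S to Full Web Access Group", action=ALLOW, protocols=HTTP_S,
        user_sets=frozenset({"Full Web Access"}))
    return [deny_msn, allow_full]


# Constructed sample traffic: "alice" is an ordinary authenticated user, "bob" is also
# a member of Full Web Access. The User-Agent strings are illustrative, not captured.
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
MSN_UA = "MSN Messenger 7.5"
STAFF = frozenset({"Domain Users"})
VIP = frozenset({"Domain Users", "Full Web Access"})

CASES = {
    "staff browser": Request("alice", STAFF, "HTTP", BROWSER_UA),
    "staff msn": Request("alice", STAFF, "HTTP", MSN_UA),
    "vip msn": Request("bob", VIP, "HTTP", MSN_UA),
    "staff msn spoofed ua": Request("alice", STAFF, "HTTP", BROWSER_UA),  # client changed its header
    "staff msn over https": Request("alice", STAFF, "HTTPS", MSN_UA),    # not inspected by the filter
}


def demo(with_exception=True):
    """Decision per sample request: 'allow' or 'deny'."""
    policy = build_policy(with_exception)
    return {label: evaluate(policy, req)[0] for label, req in CASES.items()}


if __name__ == "__main__":
    for label, verdict in demo(True).items():
        print(f"{label:>22}: {verdict}")
    print("without the exception, vip msn is:", demo(False)["vip msn"])
```

Running demo(True) shows the policy from the article: staff MSN Messenger requests over HTTP are denied by the first rule’s signature, while the Full Web Access member is excepted from that rule, falls through to the second rule, and is allowed. demo(False) removes the exception and shows why it matters: the first rule then matches the Full Web Access member as an authenticated user and he never reaches the allow rule. The two remaining “allow” results are the caveat from the HTTP filter section, since the signature cannot see a changed User-Agent header or the inside of an HTTPS tunnel.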


The resulting firewall policy in this scenario looks like that in the figure below. Note that I’ve placed the DNS anonymous access rule first, as anonymous rules should, in most instances, be placed above authenticated access rules.




Figure 9










Conclusion


That’s all you have to do. Now you know how to use the ISA firewall’s Access Rule user exceptions list to block one group of users from accessing content while allowing other users to access the same content. Remember, the user exceptions list is not limited to MSN Messenger Access Rules; the feature is available on every Access Rule. Have fun!
