Amy Babinchak's ISA/SBS Series:
Controlling Internet Access: Denying Access to Certain Websites During Business Hours v.1.01
by Amy Babinchak
Harbor Computer Services
Small Business Computer Specialists
Office (248) 546-6056
Mobile (248) 890-1794
Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014530 and ask!
As small businesses become more sophisticated Internet citizens, they may wish to control who has access to the Internet, when they can access it and what locations they can and can not view. Fortunately what sounds daunting is really rather simple using ISA Server 2000. Once setup, I generally let the boss take the reigns on maintaining it.
ISA has some great tools for controlling Internet access. Schedules let you decide when users can access the Internet. Destination Sets let you control where users can go on the Internet. Site and Content Rules are where you set the rules that apply to the destination sets that you’ve configured. A good Internet Access Policy will often use all three elements.
In my consulting practice I’ve been asked to setup this scenario several times. Boss: "I don’t like people visiting eBay during work hours. No more eBay!" Employees: "What about lunch hour?" Boss: "Fine, I don’t care what you do during lunch." Boss to IT: "Make sure no one can access eBay during work hours."
As an Internet freedom loving IT professional, I was at first appalled by this request but I’ve come to realize that if the boss bans a few websites, let’s everyone know what the web use policy is, then Internet usage becomes more business centric in a hurry and this is good for IT as well as productivity.
Here is how you go about setting it up:
- Open the ISA Management Console
- Expand the Access Policy and Policy Elements groups
- Right click on Destination Sets and Select New, then Set.
- Give the new Set a Name, like Limited Access Sites. This destination set will hold the list of websites that the boss doesn’t want anyone to access during work hours.
- Select the Destinations tab and enter in the websites that the boss wants to limit access to.
- Click OK to finish creating the destination set.
Next right click on Schedules and select New, then Schedule. Create a schedule called "When limited access sites are banned". This schedule will do exactly what it says; it will define the hours when the boss wants to limit web access.
In the example below, white represents the hours when websites are not limited and blue indicates that the website ban is in effect. There are two hours before the standard work day, lunch hour and two hours after the standard work day that the websites listed in our destination set are not banned. Create the times as appropriate for your business.
Finally we need to create a Site and Content Rule. It is this rule that tells the ISA Server what to do with the information we just added. To create the rule, right click on Site and Content Rules and select New, Rule. Give the rule the same name that you gave the Destination Set. This makes it easier to keep track of which rules go with which destination sets.
On the General Tab, be sure to enable the rule by checking the Enable box.
On the Destinations tab, in the This rule applies to: drop down list, choose Selected destination set. Then select your destination set in the Name: drop down list. This tells ISA what websites this rule applies to.
Go to the Schedule tab. In the Schedule: drop down list select the schedule you created above. This tells ISA the times of day you want this rule to be in effect.
On the Action tab, select the Denied radio button. This tells ISA to deny these requests.
On the Applies To tab, select the Any request to apply this rule to everyone in the company. Or select one of the other options to apply the rule to a specific individual or group of users.
It really is as simple as that. When you want to limit access to additional websites, just add them to the Limited Access Websites destination set.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014530 and post a message.
If you would like us to email you when Amy Babinchak releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.