Understanding and Configuring ISA content groups
In this tutorial I focus on content groups and how they function, and I show you how to configure them. Content groups let you restrict certain objects on web pages that you might want to limit, either for security reasons or because of bandwidth limitations that your organization may have. You may also want to limit access to specific file types or scripts that may be potentially dangerous to your organization.
What are content groups?
Content groups can be found under the Policy elements object within the ISA server’s MMC console.
Content groups apply to HTTP and tunneled FTP traffic and can be represented as file extensions or MIME (Multipurpose Internet Mail Extensions) types, which you can use when creating site and content rules or bandwidth rules. Content groups allow you to restrict specific content that is available on a specific website. When HTTP is used to browse the web, any inbound HTTP traffic is identified by its MIME type, but when tunneled FTP mode is used the traffic is identified by its file extension. Bear this in mind when using content groups, as it can play an important role when creating rules that incorporate HTTP or FTP content groups.
How do content groups work?
Content groups work in the following manner.
- An ISA client requests HTTP/FTP content from ISA (not HTTPS content).
- ISA then checks the file or object's extension.
- The ISA Server then checks whether a rule is bound to a content group and whether that content group has the file name extension or MIME type prescribed within it.
- If ISA finds the prescribed MIME type or file extension, ISA will either allow or deny the object retrieval, depending on what you have configured the ISA Server rule to do.
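The matching behaviour described above (HTTP identified by MIME type, tunneled FTP by file extension), as a small Python model added here; it is not ISA Server code, and the class names, the first-match evaluation and the default "allow" are assumptions of the model. It shows why a content group meant to block a file type should list both its MIME type and its extensions.

```python
from dataclasses import dataclass, field
from posixpath import splitext
from urllib.parse import urlsplit

@dataclass
class ContentGroup:  # hypothetical model, not an ISA object
    name: str
    mime_types: set = field(default_factory=set)  # compared for HTTP
    extensions: set = field(default_factory=set)  # compared for tunneled FTP

@dataclass
class Rule:
    group: ContentGroup
    action: str  # "allow" or "deny"

def matches(group, protocol, url, content_type=None):
    """HTTP is identified by MIME type, tunneled FTP by file extension."""
    if protocol == "http":
        # Drop parameters such as "; charset=utf-8"; compare case-insensitively.
        mime = (content_type or "").split(";")[0].strip().lower()
        return mime in group.mime_types
    if protocol == "ftp":
        ext = splitext(urlsplit(url).path)[1].lower()
        return ext in group.extensions
    return False  # HTTPS and anything else is not matched

def evaluate(rules, protocol, url, content_type=None, default="allow"):
    """Action of the first matching rule (ordering and default are assumptions)."""
    for rule in rules:
        if matches(rule.group, protocol, url, content_type):
            return rule.action
    return default

# Constructed sample data; MIME type and extensions are from the audio table.
MIME_ONLY = ContentGroup("RealAudio, MIME only", {"audio/x-pn-realaudio"})
BOTH = ContentGroup("RealAudio", {"audio/x-pn-realaudio"}, {".ra", ".ram"})
REQUESTS = [
    ("http", "http://media.example/show.ra", "audio/x-pn-realaudio"),
    ("ftp", "ftp://media.example/pub/show.ra", None),
    ("http", "http://media.example/index.htm", "text/html; charset=utf-8"),
]

def decisions(group):
    """Evaluate a single deny rule bound to `group` against each sample request."""
    rules = [Rule(group, "deny")]
    return [evaluate(rules, *req) for req in REQUESTS]

if __name__ == "__main__":
    print(decisions(MIME_ONLY))
    print(decisions(BOTH))
```

With the MIME-only group the same file fetched over tunneled FTP is not matched by the deny rule; with both the MIME type and the extensions listed, it is.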
The figure below depicts the content group’s communication behavior when the HTTP method is used.
Configuring ISA content groups.
1. To create a content group, locate the content group ISA Server object under Policy elements, right-click on the content group object, click on new, and then click on content group.
2. You should now be presented with the screen above. In the name text field type the name, and below that type the description. For the purposes of this exercise you can select audio and then the x-pn-realaudio plugin object. Then click add, and the audio type will be displayed on the right-hand side under selected types. You have just added a MIME type. If you wanted to add a file type, you could type in the extension or look for the file extension towards the bottom of the list.
Remember that MIME types are for HTTP and file types or extensions are used for FTP.
Below is a list of the default file associations and extensions that I have gathered together and sorted into four groups.

| File Name Extension | Application MIME Types | File Name Extension | Application MIME Types |
|---|---|---|---|
| .hta | hta | .ai | postscript |
| .isp | x-internet-signup | .xls | vnd.ms-excel |
| .crd | x-mscardfile | .wks | vnd.ms-works |
| .pmc | x-perfmon | .ins | x-internet-signup |
| .spc | x-pkcs7-certificates | .pub | x-mspublisher |
| .sv4crc | x-sv4crc | .wri | x-mswrite |
| .bin | octet-stream | .spl | futuresplash |
| .clp | x-msclip | .hqx | mac-binhex40 |
| .mny | x-msmoney | .p10 | pkcs10 |
| .p7r | x-pkcs7-certreqresp | .xlc | vnd.ms-excel |
| .evy | envoy | .xlt | vnd.ms-excel |
| .p7s | pkcs7-signature | .dxr | x-director |
| .eps | postscript | .js | x-javascript |
| .setreg | set-registration-initiation | .m13 | x-msmediaview |
| .xlm | vnd.ms-excel | .trm | x-msterminal |
| .cpio | x-cpio | .pml | x-perfmon |
| .dvi | x-dvi | .me | x-troff-me |
| .p7b | x-pkcs7-certificates | .wcm | vnd.ms-works |
| .doc | msword | .latex | x-latex |
| .dot | msword | .m14 | x-msmediaview |
| .p7c | pkcs7-mime | .wmf | x-msmetafile |
| .ps | postscript | .cer | x-x509-ca-cert |
| .wps | vnd.ms-works | .zip | x-zip-compressed |
| .csh | x-csh | .p12 | x-pkcs12 |
| .iii | x-iphone | .pfx | x-pkcs12 |
| .pmw | x-perfmon | .der | x-x509-ca-cert |
| .man | x-troff-man | | |
| .hdf | x-hdf | .xlw | vnd.ms-excel |
| .mvb | x-msmediaview | .texinfo | x-texinfo |
| .texi | x-texinfo | .p7m | pkcs7-mime |
| .setpay | set-payment-initiation | .pps | vnd.ms-powerpoint |
| .stl | vndms-pkistl | .dcr | x-director |
| .mdb | x-msaccess | .gtar | x-gtar |
| .oda | oda | .sct | text/scriptlet |
| .hlp | winhlp | .fif | fractals |
| .nc | x-netcdf | .exe | octet-stream |
| .sh | x-sh | .ppt | vnd.ms-powerpoint |
| .shar | x-shar | .sst | vndms-pkicertstore |
| .tcl | x-tcl | .pko | vndms-pkipko |
| .ms | x-troff-ms | .scd | x-msschedule |
| .ods | oleobject | .tar | x-tar |
| .axs | olescript | .roff | x-troff |
| .xla | vnd.ms-excel | .t | x-troff |
| .mpp | vnd.ms-project | .prf | pics-rules |
| .dir | x-director | .rtf | rtf |
| .sit | x-stuffit | .pot | vnd.ms-powerpoint |
| .* | octet-stream | .cat | vndms-pkiseccat |
| .bcpio | x-bcpio | .cdf | application/x-cdf |
| .dll | x-msdownload | .tgz | x-compressed |
| .pma | x-perfmon | .sv4cpio | x-sv4cpio |
| .pmr | x-perfmon | .tex | x-tex |
| .tr | x-troff | .ustar | x-ustar |
| .src | x-wais-source | .crt | x-x509-ca-cert |
| .acx | internet-property-stream | .wbd | vnd.ms-works |
| .crl | pkix-crl | .z | application/x-compress |
| .gz | application/x-gzip | | |

| File Name Extension | Audio MIME Types | File Name Extension | Audio MIME Types |
|---|---|---|---|
| .ra | audio/x-pn-realaudio | .m3u | audio/x-mpegurl |
| .mid | audio/mid | .ram | audio/x-pn-realaudio |
| .au | audio/basic | .aiff | audio/aiff |
| .snd | audio/basic | .rmi | audio/mid |
| .wav | audio/wav | .aif | audio/x-aiff |
| .aifc | audio/aiff | .mp3 | audio/mpeg |

| File Name Extension | Text MIME Types | File Name Extension | Text MIME Types |
|---|---|---|---|
| .tsv | text/tab-separated-values | .stm | text/html |
| .xml | text/xml | .html | text/html |
| .323 | text/h323 | .xsl | text/xml |
| .htt | text/webviewhtml | .htm | text/html |

| File Name Extension | Image MIME Types | File Name Extension | Image MIME Types |
|---|---|---|---|
| .cod | image/cis-cod | .pnm | image/x-portable-anymap |
| .ief | image/ief | .jpe | image/jpeg |
| .pbm | image/x-portable-bitmap | .jfif | image/pjpeg |
| .tiff | image/tiff | .tif | image/tiff |
| .ppm | image/x-portable-pixmap | .jpg | image/jpeg |
| .rgb | image/x-rgb | .xbm | image/x-xbitmap |
| .dib | image/bmp | .ras | image/x-cmu-raster |
| .jpeg | image/jpeg | .gif | image/gif |
| .cmx | image/x-cmx | | |

Summary: In this tutorial I have shown you the importance of being able to restrict the use of certain objects or file extensions on the internet. I have also listed the different file types you are likely to encounter, to make it easier to decide which file types may pose a bandwidth bottleneck or security risk. Content groups within ISA can prove to be a powerful tool if used as intended.