Strong Outbound Access Control using the ISA Firewall (2004): Using Scripts to Populate URL Sets and Domain Name Sets




By Thomas W Shinder MD, MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000218

One of the ISA firewall’s strong suits is its exceptional stateful application layer inspection. In addition to performing the basic task of stateful filtering (which even a simple ‘hardware’ firewall can do), the ISA firewall’s application layer inspection feature set allows the ISA firewall to actually understand the protocols passing through the firewall. In contrast to traditional second generation hardware firewalls, the ISA firewall represents a third generation firewall that is not only network aware, but application protocol aware.


The ISA firewall’s stateful application inspection mechanism allows you to control access not to “ports”, but to the actual protocols moving through those ports. While the conventional “hardware” firewall is adept at passing packets using simple stateful filtering mechanisms that have been available since the mid-1990s, the ISA firewall’s stateful application layer inspection mechanisms bring the ISA firewall into the 21st century and actually control application layer protocol access. This allows strong inbound and outbound access control based on the firewall’s application layer awareness and not through simple “opening and closing” of ports.

One powerful example is the ability to control what sites users can access through the ISA firewall. You can combine this control over destination sites with strong user/group based access control and with protocol control.

For example, you might have a group of users called “Web Users” and you want to block access to a list of 1500 URLs or domains for those users. You can create an Access Rule that blocks only those 1500 sites and allows access to all other sites when members of that group authenticate with the ISA firewall.

Another example might be that you want to create a block list of 5000 domains you want to prevent all users except for domain admins from reaching via any protocol. You can create a Domain Name Set and then apply this Domain Name Set to an Access Rule blocking these sites.

The trick is to find a way to get those thousands of domains or URLs into Domain Name Sets and URL Sets. You can enter these URLs and domains manually using the built-in tools included in the ISA Management console. The problem with this approach is that you’ll need to get your clicking thumb ready for a long weekend as you click your way through the user interface to add all of these domains and URLs.

A better way is to import the sites you want to include in your URL Sets and Domain Name Sets from a text file. There are a number of places on the Internet where you can find such files (I won’t mention any here because I don’t want to create an implicit endorsement of any of them). Once you have a text file, you’ll want to use a script to import the entries in the text file into a URL Set or a Domain Name Set.

First, let’s start with the scripts. The first script below is used to import the entries in a text file into a URL Set. Copy the information into a text file and then save it as ImportURLs.vbs.

< ——————Start with the line below this one———————– >

' ImportURLs.vbs - replaces the contents of a URL Set with the lines of a text file.
' Run on the ISA firewall itself, for example: cscript ImportURLs.vbs
Option Explicit
Dim Isa, CurArray, RuleElements, URLSets, URLSet, FileSys, UrlsFile, Entry, i

Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set URLSets = RuleElements.URLSets

' The URL Set must already exist; create it in the management console first.
Set URLSet = URLSets.Item("URLs")

Set FileSys = CreateObject("Scripting.FileSystemObject")
Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)   ' 1 = ForReading

' Empty the set so the text file becomes the complete list of entries.
For i = 1 To URLSet.Count
    URLSet.Remove 1
Next

' Add one entry per line; ignore blank lines and surrounding whitespace.
Do Until UrlsFile.AtEndOfStream
    Entry = Trim(UrlsFile.ReadLine)
    If Len(Entry) > 0 Then URLSet.Add Entry
Loop
UrlsFile.Close

WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"

< ——————End with the line above this one———————– >

The two entries in this file you need to change for your own setup are the name of the URL Set and the name of the text file.

In the line:

Set URLSet = URLSets.Item("URLs")

Change the URLs entry to the name of the URL Set you created on the ISA firewall.

In the line:

Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)

Change the urls.txt entry to the name of the text file that contains the URLs you want to import into the ISA firewall’s configuration.

The next script is used to import a collection of domains contained in a text file. Save the following information in a text file and name it ImportDomains.vbs.

< ——————Start with the line below this one———————– >

' ImportDomains.vbs - replaces the contents of a Domain Name Set with the lines of a text file.
' Run on the ISA firewall itself, for example: cscript ImportDomains.vbs
Option Explicit
Dim Isa, CurArray, RuleElements, DomainNameSets, DomainNameSet, FileSys, DomainsFile, Entry, i

Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set DomainNameSets = RuleElements.DomainNameSets

' The Domain Name Set must already exist; create it in the management console first.
Set DomainNameSet = DomainNameSets.Item("Domains")

Set FileSys = CreateObject("Scripting.FileSystemObject")
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)   ' 1 = ForReading

' Empty the set so the text file becomes the complete list of entries.
For i = 1 To DomainNameSet.Count
    DomainNameSet.Remove 1
Next

' Add one entry per line; ignore blank lines and surrounding whitespace.
Do Until DomainsFile.AtEndOfStream
    Entry = Trim(DomainsFile.ReadLine)
    If Len(Entry) > 0 Then DomainNameSet.Add Entry
Loop
DomainsFile.Close

WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"

< ——————End with the line above this one———————– >

The two entries in this file you need to change for your own setup are the name of the Domain Name Set and the name of the text file.

In the line:

Set DomainNameSet = DomainNameSets.Item("Domains")

Change the Domains entry to the name of the Domain Name Set you created on the ISA firewall.

In the line:

Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)

Change the domains.txt entry to the name of the text file that contains the domains you want to import into the ISA firewall’s configuration.

Using the Import Scripts

Now let’s see how the scripts work. The first thing you need to do is create the URL Set and the Domain Name Set in the Microsoft Internet Security and Acceleration Server 2004 management console. The scripts look the sets up by name and do not create them, so this step is required. It is easy and involves only a few steps.

First, we’ll create a URL Set named URLs, since that’s the default name in our script. Remember, you can change the URL Set name in the script if you like, just make sure you first create a URL Set in the Microsoft Internet Security and Acceleration Server 2004 management console with the same name.

Perform the following steps to create a URL Set with the name URLs:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node.
  2. In the Firewall Policy node, click the Toolbox tab in the Task Pane. In the Toolbox, click the Network Objects tab.
  3. In the Network Objects tab, click the New menu and click URL Set.
  4. In the New URL Set Rule Element dialog box, enter URLs in the Name text box. Click OK.
  5. The URL Set now appears in the list of URL Sets.

The next step is to create a Domain Name Set with the name Domains, which is the default name of the Set used in the ImportDomains script. Remember, you can use a different name for the Domain Name Set, just make sure the name is the same in the one you set in the script.

Perform the following steps to create the Domain Name Set with the name Domains:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node.
  2. On the Firewall Policy node, click the Toolbox tab in the Task Pane. In the Toolbox, click the Network Objects tab.
  3. In the Network Objects tab, click the New menu and click Domain Name Set.
  4. In the New Domain Name Set Policy Element dialog box, enter Domains in the Name text box. Click OK.
  5. The new entry appears in the list of Domain Name Sets.
  6. Click Apply to save the changes and update the firewall policy.
  7. Click OK in the Apply New Configuration dialog box.

Now we need to create two text files: urls.txt and domains.txt. Those are the default names used in the scripts. You can change the names of the files, but make sure they match the names you configure in the scripts. Each file holds one entry per line and nothing else.

The domains.txt file will contain the following entries:

stuff.com
blah.com
scumware.com

The urls.txt file will contain the following entries:

http://www.cisco.com
http://www.checkpoint.com
http://www.sonicwall.com

Keep in mind how the ISA firewall matches these entries. A URL Set entry is matched literally unless it ends with a * wildcard: http://www.cisco.com matches only that single URL, while http://www.cisco.com/* covers every page on the site. In the same way, a Domain Name Set entry of blah.com matches only that host name; use *.blah.com when you also want to cover its subdomains.

Next, copy the script files and the text files into the same directory on the ISA firewall. The scripts use the FPC.Root COM object, which is installed with ISA Server, and must run under an account that is allowed to administer the firewall. In this example, we’ll copy the script files and text files into the root of the C: drive. Double click on the ImportURLs.vbs file. You’ll first see a dialog box that says Saving. Click OK. (If you prefer not to click through dialog boxes, run the script from a command prompt with cscript ImportURLs.vbs and the messages are written to the console instead.)

Depending on how many URLs you’re importing, it will be a few moments or a few minutes until you see next dialog box, which informs you that the import was completed. Click OK.

Now we’ll import the Domains. Double click the ImportDomains.vbs file. You’ll see the Saving dialog box again. Click OK. A few moments to a few minutes later, you’ll see the Done dialog box. Click OK.

Close the Microsoft Internet Security and Acceleration Server 2004 management console if it is open. Now open the Microsoft Internet Security and Acceleration Server 2004 management console and go to the Firewall Policy node in the left pane of the console.

Note:


You can avoid opening and closing the Microsoft Internet Security and Acceleration Server 2004 management console by clicking the Refresh button in the management console’s button bar.

Click the Toolbox tab in the Task Pane and click the Network Objects bar. Click the URL Sets folder. Double click the URLs URL Set. You’ll see that the URL Set was populated with the entries in your text file. Cool!

Click on the Domain Name Sets folder. Double click on the Domains entry. You’ll see that the Domain Name Set is populated with domains you want to block, or allow, depending on your need. In this example I included a set of domains we’d like to block 😉

As you obtain more URLs or domains, add them to the same text files and run the script again. Note how the scripts handle this: each run first empties the set and then reloads every line from the text file, so the text file is always the complete list and duplicates cannot build up. The flip side is that any entry you added by hand in the management console, but not to the text file, disappears on the next import, so treat the text file as the master copy.
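The lists you find on the Internet rarely arrive in the one-entry-per-line form the import scripts expect: they come as hosts files (127.0.0.1 ads.example.com), with comments, blank lines, mixed case, duplicates, and full URLs mixed in with bare domain names. Because the scripts replace the whole set with whatever is in the file, it pays to normalize the list before every import. The following Python script is an added example written for this article; it is not code from ISAserver.org or from ISA Server. It splits a raw list into domains.txt and urls.txt, lowercases and de-duplicates the entries, rejects lines that are not dotted host names, and optionally writes the wildcard forms used above to cover subdomains (*.example.com) and whole sites (http://host/*), dropping subdomains that a parent wildcard already covers. The sample list, the file names and the rules deciding what counts as a URL versus a domain are this example’s own assumptions.

```python
"""Normalize a raw block list into domains.txt and urls.txt for the ISA import scripts.

Added example for this article. The sample list, the file names and the
URL-versus-domain rules are this example's assumptions, not ISA Server behaviour.
"""
import re
from pathlib import Path

# Constructed sample of a list "found on the Internet": hosts-file entries,
# comments, mixed case, duplicates, full URLs and junk lines all mixed together.
SAMPLE_LIST = """\
# constructed block list for this example
127.0.0.1 ads.scumware.com
0.0.0.0   Tracker.Blah.com   # hosts-file style entry
scumware.com
SCUMWARE.COM
stuff.com/
http://www.checkpoint.com/products/
http://www.sonicwall.com
www.cisco.com/go/somewhere
localhost
not a domain!
"""

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")   # at least two labels
HOSTS_PREFIX_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1)\s+")
SCHEMES = ("http", "https", "ftp")


def classify(raw):
    """Return ("domain", name), ("url", url) or None for one raw line."""
    line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
    if not line:
        return None
    line = HOSTS_PREFIX_RE.sub("", line)           # "127.0.0.1 host" -> "host"
    scheme, sep, rest = line.partition("://")
    if sep:
        scheme = scheme.lower()
        if scheme not in SCHEMES:
            return None
    else:
        scheme, rest = "http", line
    host, _, path = rest.partition("/")
    host = host.lower()
    # Reject anything that is not a dotted host name (single labels, IPs, junk).
    if not DOMAIN_RE.match(host) or host.rsplit(".", 1)[-1].isdigit():
        return None
    if sep or path:                                # explicit scheme or a path: a URL
        return ("url", f"{scheme}://{host}/{path}")
    return ("domain", host)


def collapse_subdomains(domains):
    """Drop names that a parent domain in the same set already covers."""
    keep = set()
    for name in sorted(domains, key=lambda d: d.count(".")):   # parents first
        parts = name.split(".")
        if not any(".".join(parts[i:]) in keep for i in range(1, len(parts) - 1)):
            keep.add(name)
    return keep


def domain_set_entries(domains, wildcard=True):
    """Domain Name Set lines; with wildcard, add *.name so subdomains match too."""
    names = collapse_subdomains(domains) if wildcard else set(domains)
    out = []
    for name in sorted(names):
        out.append(name)
        if wildcard:
            out.append("*." + name)
    return out


def url_set_entries(urls, wildcard=True):
    """URL Set lines; with wildcard, a URL ending in / covers everything below it."""
    return sorted({url + "*" if wildcard and url.endswith("/") else url for url in urls})


def build_import_files(raw_text, wildcard=True):
    """Parse a raw list into (domain entries, URL entries, rejected lines)."""
    domains, urls, rejected = set(), set(), []
    for raw in raw_text.splitlines():
        item = classify(raw)
        if item is None:
            if raw.split("#", 1)[0].strip():       # non-empty but unusable
                rejected.append(raw)
            continue
        (domains if item[0] == "domain" else urls).add(item[1])
    return domain_set_entries(domains, wildcard), url_set_entries(urls, wildcard), rejected


def write_import_files(raw_text, directory=".", wildcard=True):
    """Write domains.txt and urls.txt (the import scripts' default file names)."""
    dom, url, rejected = build_import_files(raw_text, wildcard)
    Path(directory, "domains.txt").write_text("\n".join(dom) + "\n")
    Path(directory, "urls.txt").write_text("\n".join(url) + "\n")
    return len(dom), len(url), rejected


if __name__ == "__main__":
    n_dom, n_url, bad = write_import_files(SAMPLE_LIST)
    print(f"wrote {n_dom} domain entries and {n_url} URL entries")
    for line in bad:
        print("rejected:", line)
```

Run it on any machine with the raw list in place of SAMPLE_LIST, copy the two output files next to the .vbs scripts on the ISA firewall and run the imports. Review the rejected lines before each import rather than silently dropping them, and keep the previous copy of the raw list so you can diff what changed before pushing a new version into the firewall policy.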

Test Yourself

  1. Is the ISA firewall a stateful firewall? What types of stateful firewalling does the ISA firewall perform?
  2. What elements must you first create in the Microsoft Internet Security and Acceleration Server 2004 management console before running the scripts?
  3. If the new entries don’t appear in the URL Set or the Domain Name Set, what should you do to fix the problem?

Find the answers to these questions at the discussion link: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000218

For More Information

The ISA Server 2004 Software Development Kit
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isastart_6d9h.asp?frame=true)

Jim Harrison’s ISA Firewall Tools Site
(www.isatools.org)

Using URL and Domain Name Sets
(http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-urldomainnamesets.mspx)


Conclusion

In this article we detailed one aspect of the ISA firewall’s strong stateful application layer inspection feature set. The ISA firewall can inspect inbound and outbound requests and control access based on destination URL or domain name. The challenge with controlling access on a per site basis is to populate URL Sets and Domain Name Sets with the dozens, hundreds or thousands of entries you want to block or allow. One way to meet this challenge is to use a script. We went over two scripts you can use to import entries contained in text files into Domain Name Sets and URL Sets.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000218 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

