Smash Web Scum with LANguard for ISA Server

 

Smash Web Scum with LANguard for ISA Server 2000
By Thomas W Shinder




We recently had the opportunity to test GFI Software’s (www.gfi.com) LANguard for ISA Server 2000 in a small municipal government network environment. The City Hall has 300 LAN clients which have had free access to the web via the RRAS NAT for the last six months. The LAN administrator installed and configured ISA Server a couple of weeks before he gave me a call and wasn’t having any problems with it.


While he was pleased with ISA Server, he wanted more control over outbound access than Site and Content rules could provide. He explained to me that the City could be held liable for offensive content that might show up on users’ computers. There were also problems with users downloading virus-infected files from the Internet. He needed a dependable and easy-to-configure method of controlling access to web page content and file downloads. I mentioned LANguard for ISA Server. He asked me to install LANguard for ISA Server and do the initial configuration for his test drive.


In this review of LANguard’s Web filtering features, I’ll explain what LANguard can do, and go through a mini-tutorial on how to configure HTML content checking using the LANguard product.


What is LANguard?


LANguard is an HTTP and tunneled FTP content filter. Unlike the Site and Content rules provided with ISA Server, LANguard is able to examine the HTML content of web pages and decide whether to allow access to a page based on the text contained within the HTML. LANguard can also be configured to work like Site and Content rules, where it examines only the destination URL and decides whether the URL is approved or unapproved. In fact, LANguard expands on the URL checking provided by ISA Server Site and Content Rules because you can restrict access to a URL based on keywords contained within the URL. ISA Server Site and Content Rules don’t have this capacity.


LANguard can check the content of files downloaded through HTTP or HTTP tunneled FTP (FTP through the Web Proxy client). This feature is similar to access control via ISA Server Content Rules. However, LANguard improves significantly on the built-in ISA Server feature because you can notify the user and the user’s manager that the user attempted to access a blocked file. The user’s manager can then examine the file held in quarantine and determine whether the user should receive it. All the manager has to do is click a link in an email message and the quarantined file is either deleted or forwarded via email to the user.


A major piece of coolness LANguard adds to ISA Server is its real-time monitoring of web activity. You can see the user accounts that are accessing web sites in real time. You also get real-time reports of the amount of data being downloaded per user. This is a great feature that should have been included with the base ISA Server product.


The LANguard feature we liked the most is the integrated virus checking. The product can be configured to automatically check web and FTP content for viruses. This is an extremely valuable tool as many viruses are downloaded via HTTP and tunneled FTP downloads. LANguard will not only check for traditional viruses and worms, but will also check for dangerous MS Word Macro viruses. LANguard automatically updates its virus definitions once a day, so you never have to manually check the GFI site for an updated list and can still be confident that you’re always up to date on the latest virus definitions.


Installing LANguard


We found LANguard to be an absolute no-brainer to install. All you need to do is double-click the lanisa.exe file that you can download from the www.gfi.com web site. There are no questions to answer or configuration options during the install. The machine must be a member of a Windows 2000 Active Directory domain or LANguard will not work. The reason is that LANguard uses the Active Directory accounts database and will not work with the ISA Server’s local SAM or a Windows NT 4.0 domain.


The machine was a PIII-533MHz with 512 MB SDRAM. ISA Server was installed in integrated mode as a stand-alone ISA Server. The network ran an Active Directory environment with all networking services located on a single machine on the internal network; no extraneous services were installed on the ISA Server itself. The ISA Server was a member of the Active Directory domain. There were already Protocol, Bandwidth, and Site and Content Rules in place and we did not change any of these.


The external interface was an ADSL line that fortunately did not use the dreaded PPPoE.


This hardware is a bit less than what GFI recommends. In their documentation, they recommend a minimum of a PIII 700 MHz and 256 MB RAM. During the 7-day test period, users did not complain of performance issues. However, we did not do any formal throughput assessments.


LANguard is an ISAPI plug-in to ISA Server. It shows up in the ISA Management console as a Web Application Filter, as seen in the figure below:



Because LANguard is installed as a Web Filter, you must install ISA Server in either Integrated or Cache only mode. If you install ISA Server in Firewall Mode, it will not work as it is dependent on the Web Proxy service.


Configuring LANguard


LANguard is very easy to configure and it will do exactly what you want it to do. However, before LANguard does exactly what you want it to do, you’re going to have to think about what content you want blocked. Planning and testing are the key to using LANguard successfully.


Things to configure include:

  • Virus Checking
  • Server Properties
  • Content Checking
  • File Checking


    Configuring Virus Checking


    Viruses downloaded from the Internet are a major problem on all networks. LANguard for ISA Server is able to scan all files downloaded via HTTP or HTTP tunneled FTP through the browser. Because LANguard doesn’t scan FTP requests that go through the firewall service, you have to make sure that Firewall and SecureNAT clients do not use FTP client applications to access FTP sites on the Internet. The easiest way to handle this situation is to install ISA Server in caching mode only.




    However, if you install in Integrated mode, you’ll have to be vigilant and smack down users who use FTP applications. The best way to do this is to install the Firewall client on all computers and then watch the firewall logs. Scan the firewall logs for outbound connections on TCP port 21. Since you’re using the Firewall client, the user name will be in the log. Bring corporate security with you and have the user escorted from the building. You can throw the stuff in his desk out the window later for him to retrieve it.
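The log check described above, as an added example that is not part of the original article: a Python script that reads a firewall log in W3C extended format, keeps the records whose destination is TCP port 21, and groups the FTP destinations by user name. The field names (c-ip, cs-username, r-ip, r-port, cs-transport), the tab delimiter and the sample records are assumptions constructed for illustration; compare them with the #Fields line of your own log.

```python
from collections import defaultdict

FTP_CONTROL_PORT = "21"

# Constructed sample records (not taken from a real server).
SAMPLE_LOG = [
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-ip\tr-port\tcs-transport",
    "10.0.0.21\tCITYHALL\\jsmith\t2002-03-04\t09:01:12\t192.0.2.10\t21\tTCP",
    "10.0.0.21\tCITYHALL\\jsmith\t2002-03-04\t09:05:40\t192.0.2.80\t80\tTCP",
    "10.0.0.34\t-\t2002-03-04\t09:07:03\t198.51.100.7\t21\tTCP",
    "10.0.0.50\tCITYHALL\\mlee\t2002-03-04\t09:09:55\t192.0.2.10\t21\tUDP",
    "10.0.0.21\tCITYHALL\\jsmith\t2002-03-04\t09:12:30\t198.51.100.7\t21\tTCP",
]


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def ftp_users(lines):
    """Map each user (or client IP when no user was logged) to FTP servers."""
    hits = defaultdict(set)
    for rec in parse_w3c(lines):
        if rec.get("r-port") != FTP_CONTROL_PORT:
            continue
        if rec.get("cs-transport", "TCP").upper() != "TCP":
            continue
        user = rec.get("cs-username", "-")
        # A SecureNAT client logs no user name, so fall back to its IP address.
        who = user if user not in ("", "-", "anonymous") else rec.get("c-ip", "?")
        hits[who].add(rec.get("r-ip", "?"))
    return {who: sorted(dests) for who, dests in hits.items()}


if __name__ == "__main__":
    for who, dests in ftp_users(SAMPLE_LOG).items():
        print(who, "->", ", ".join(dests))
```

An entry keyed by IP address rather than user name points to a machine that is not using the Firewall client.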




    You can configure LANguard to scan HTTP traffic, FTP traffic or both. LANguard can also check for Word macros and block Word files that contain them. Best of all, LANguard automatically updates the virus database, so you don’t have to worry about downloading the files manually and installing them. You do need to create packet filters to allow standard FTP access to the LANguard site from the ISA Server itself.




     


    Configuring Server Properties


    Right click on the LANguard ISA configuration node in the left pane and click properties. You see what appears below:



    There are two things you need to configure in this dialog box:




  • The Default Manager
  • The SMTP Server


    The Default Manager is the person who will receive notifications that a user has accessed forbidden material. The manager has the option to delete or approve the content downloaded. You can configure different managers for each user or group. This setting sets a default manager that will receive notifications in the event that a user or group does not have a manager assigned in the Active Directory.


    The SMTP server is the mail server that should receive the notifications. This mail server must be able to forward mail to users on your internal network. Our network had an Exchange server, so the IP address of that server is entered in the Server name text box.



    Configuring Content Checking


    To configure HTTP content checking, just click on the New Rule icon in the right pane, as seen in the figure below.



    After clicking the New rule icon, a new entry named New Content Checking Rule is added to the list of content checking rules. If you want to rename the rule, just click on the Rename rule icon. After changing the name, double-click on the new rule. This opens up the rule Properties page as seen in the figure below.



    There are many options in this dialog box. You can configure whether you want to check the text contained in FTP and/or HTTP traffic. You also enter your keywords in this dialog box.


    The first keyword you enter will always have the IF operator. Subsequent keywords have the IF, AND or OR operators. This gives you a lot of control over what’s allowed and isn’t allowed.


    For example, AOL chat rooms are the bane of any company’s existence. You can’t just filter out the keyword AOL, because AOL’s name appears on so many tech news sites. Instead, you could create a rule to block a site that had AOL AND chat on the same page.


    In the same way, if you want to block porno sites, you should require at least a couple of the popular porno words. For example, you don’t want to block the keyword sex because there is a lot of legitimate content that contains that word. However, if you created a rule that had the keywords SEX AND LESBIAN AND HOT, there’s a good chance you’re not going to block anything someone needs to get his work done. But if the user does need to get to the site for legitimate work purposes, you can approve access at a later time after receiving a report that the user attempted to access the page.


    To add a key word, just click the Add word button and you see what appears below.



    The Check URLs option configures LANguard to check only the URL, and not the HTML content of the page. This makes it act more like the ISA Server’s built-in Site and Content rule. The Match whole words only option allows you to enter words like sex and not have words like MSexchange show up as forbidden content.
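How a keyword rule of this kind behaves, as an added Python example that is not LANguard’s own code: it evaluates an IF/AND/OR keyword list against either the page text or the URL, with optional whole-word matching. The function names, the sample pages and URL, and the left-to-right evaluation of mixed AND/OR conditions are assumptions; the review does not say how the product groups them.

```python
import re

# Constructed sample inputs.
AOL_CHAT = [("IF", "AOL"), ("AND", "chat")]
NEWS_PAGE = "AOL reports quarterly earnings; analysts react."
CHAT_PAGE = "Welcome to the AOL chat lobby"


def keyword_present(keyword, text, whole_words):
    """Case-insensitive search; with whole_words the keyword must stand alone."""
    pattern = re.escape(keyword)
    if whole_words:
        # No word character may touch the keyword on either side.
        pattern = r"(?<!\w)" + pattern + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


def rule_matches(conditions, url, body, whole_words=True, check_urls=False):
    """Evaluate [("IF", kw), ("AND" | "OR", kw), ...] from left to right.

    Left-to-right evaluation is an assumption of this example.
    """
    if not conditions or conditions[0][0] != "IF":
        raise ValueError("the first condition must use the IF operator")
    # Check URLs: inspect only the URL, not the HTML content of the page.
    text = url if check_urls else body
    result = keyword_present(conditions[0][1], text, whole_words)
    for op, keyword in conditions[1:]:
        found = keyword_present(keyword, text, whole_words)
        if op == "AND":
            result = result and found
        elif op == "OR":
            result = result or found
        else:
            raise ValueError(f"unsupported operator: {op}")
    return result


if __name__ == "__main__":
    print(rule_matches(AOL_CHAT, "", NEWS_PAGE))   # news story is allowed
    print(rule_matches(AOL_CHAT, "", CHAT_PAGE))   # chat page is blocked
    page = "Configuring MSexchange connectors"
    print(rule_matches([("IF", "sex")], "", page, whole_words=False))
    print(rule_matches([("IF", "sex")], "", page, whole_words=True))
```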


    When you click the Actions tab, you’ll see what appears below.



    The Block connection and perform action checkbox is where the action is! The goal of content filtering is to ensure that users do not access unapproved content. You have the choice to be informed of the user’s indiscretion, or you can just deny the request without being informed.


    In the Notification frame you choose who is notified of a violation, and how. The Notify user via message text notifies the offender immediately that they have accessed unapproved material, as seen in the figure below. (Note that for this feature to work, the Messenger service must be running on the ISA Server.)



    The user can also be notified by email that they messed up by selecting the Notify user via email option. The message they receive will look something like what you see below.



    You can also notify the person’s manager of the violation by selecting the Notify manager via email option. The message will go to the default manager if you do not have a specific manager listed for the user or group in Active Directory Users and Computers. The message the manager receives looks like the one below.





    Note that the Action option in the email is only useful if a user tried to download a restricted file. You can approve the URL, but the user will still not be able to access the URL. You will have to change the access policy to allow that. Future updates to LANguard will include the ability of a manager to allow a user access to a particular URL.


    When you click the Users tab, you will see what appears below.



    You can select Users and groups that you want this rule applied to, or you can have the rule applied to everyone and then list exceptions.


    When the user encounters a forbidden page, they will see what appears in the figure below:



    Other LANguard Features


    Other LANguard features include checking the contents of files downloaded via HTTP. The feature expands on the HTML content checking facilities provided by LANguard. Our experience with the HTTP file checking facilities has been excellent and we have not experienced any performance issues when file checking is enabled on a well-powered ISA Server machine.




    Conclusion


    In this review of LANguard, we covered the basic features available in the product. LANguard provides HTTP and tunneled FTP content and file checking, and real-time reporting of user HTTP protocol activity. You saw how to configure server properties and how to implement content filtering for HTTP and tunneled FTP access.


    The administrator for our municipal network was impressed! He told us that he planned to request a purchase order for LANguard and implement it not just in City Hall but also in the court house. LANguard for ISA Server left us with another happy customer.


    ISAServer.org gives the LANguard product 5 stars, and I consider LANguard to be the market leader in the Web Filter add-on market for ISA Server 2000.
