Site and content rules are an integral part of ISA server, and require a good understanding in order to configure ISA server to perform the functions described below. These rules are a very powerful part of ISA and mastering them will help you to get the results required by your organization.
ISA server’s site and content rules can be used to grant or deny access to Internet resources. Site and content rules determine if and when content on specific destination sets can be accessed by users or client address sets.
a) This diagram displays where Site and content rules can be found within the ISA MMC.
Destination sets: are collections of one or more computers or directories on specific computers. When designing access policy rules destination sets may include computers that are not on the internal network. The contra is so when designing Web and server publishing rules, these destination sets normally reside within your internal network.
Client address sets: can include one or more computers. Rules can apply to one or more specific client address sets, or to all addresses except the specified client address sets.
The following rules specify client address sets within them:
Site and content rules
Server publishing rules
Web publishing rules
b) This diagram displays where Destination sets and Client address sets can be found
Site and content rule processing.
An ISA client will request an object form the ISA server.
ISA server checks the site and content rules.
Explicit access denial rules will be processed first.
The request is then allowed or denied depending what is specified in the site and content rule, and the information will be relayed to the client to that accord.
Site and content rules can be configured to only be applicable during specific times of days or during particular full days. This is useful when the typical scenario arises that users flood specific websites during lunch time or when they arrive at work.
An example of this would be Internet mail websites. These websites can cause problems for some organizations, creating severe problems with Internet bandwidth. The bandwidth appears to be exhausted, because users are visiting these websites at high volumes during lunch and early in the morning when they arrive at work. This is where schedules will help as you can create a site and content rule that only allows access to the Internet based e-mail websites after hours or at times when the business internet traffic is at its lowest utilization. Schedules work really well in these types of environments and it is recommended that you make use of this ISA technology as it can improve your network significantly.
Figure A: This is figure shows a typical Schedule window.
Access to the internet using site and content rules.
To access the internet, a Site and content rule must be created where specific clients are selected to access the Internet, the protocol that they will be using to access specific destinations must also be specified.
Please note: with out a site and content rule no access to the Internet will be processed by ISA server.
Site and content rules can be used to either allow or deny access to specific web sites. If access is denied, for HTTP objects or resources, the request can then be redirected to an alternate URL (Uniform Resource Locator) this normally being a web page on an internal web server explaining why access is denied.
For example: Your company has strict policies that users may not access websites with pornographic materials, while they are at work or when using company computers. You the administrator can create a site and content rule that denies specific websites that you know users are visiting, and that you found when you inspected the logs. The site and content rule that you create redirects the user to a web page on the Intranet that has the policy typed up on it, and also what actions will be taken by management for those who break the rules.
Please Note: http:// has to be typed in before the URL to your internal web page where the request will be redirected.
c) This diagram shows the type of URL that you can use to redirect the request once denied.
The result will be when the user tries to access the unscrupulous website, access will be denied and he will then be redirected to the company policy webpage.
What I normally do is send management a list of the users that have been redirected to the internal website. This is not the best way to catch users that are breaking the policy as they could be going to new websites that look like they are not pornographic but in fact are. There is no ways that an Administrator can know all the name of these websites and that is why I recommend that if you have this type of policy in your organization, you should be reading the logs regularly.
Please note: that users need access to the website that they are redirected to, it is best to test this rule before announcing that it is going to be live on your network.
Path processing and destination sets.
When a site and content rule is created, it is specified which destinations are accessible. Destination sets can include IP (Internet protocol) addresses of various computers or computer names. ISA Server processes site and content rules differently, depending on what type of client requests the web object and what type of web content is requested.
ISA Server may ignore whichever path specified in the destination set, for particular clients and protocols used.
|Web Proxy client|
|Secure NAT (Secure network address translation) client|
|HTTPS (Secure HTTP)|
|FTP (File Transfer Protocol)|
d) This table shows whether ISA Server processes the path specified for the computers in the destination set.
The above table is clearer than the text explained below
Please Note: The above is only true when HTTP is enabled and configured to redirect to the local Web Proxy service.
When a request for which path processing is not supported by ISA server, ISA Server will ignore all destinations for which a path is specified. It is not implied that ISA Server ignores the rule that references the destination.
HTTPS requests function in a way that when a rule denies requests to a destination that specifies a path, ISA Server will deny all content from the resource computer, not limited to the path.
How Site and content rules function at the Array and enterprise-level
Site and content rules can be created at both array and at the enterprise levels. When an array policy is allowed (this is the type of policy that propagated throughout the whole array), then its site and content rules can only further restrict enterprise-level site and content rules. The array-level site and content rules can only deny access to specific sites or content.
Ability to deny web content
If you want to deny access to web content, it can be achieved by using site and content rules. Below is a list of content that can be denied using site and content rules.
This can be useful when denying specific content that you do not want users to access on a particular website.
Summary: Site and content rules are very useful when allowing and denying access to specific web site resources using ISA server. In this tutorial I have shown you the various ways that site and content rules can be applied in an ISA environment.