
Block website with ISA Server 2006

A Webfilter in ISA Server 2006 is a set of Dynamic Link Libraries (DLLs) based on the IIS ISAPI (Internet Server Application Programming Interface) model. Webfilters are loaded by the Webproxy Filter. Once a Webfilter is loaded, all information is forwarded to the Webproxy Filter, which is responsible for determining which types of events should be monitored. Each time such an event occurs, the Webproxy Filter is notified. The following figure shows the HTTP Filter add-in from ISA Server 2006.

Figure 1: ISA Server 2006 HTTP filter add-in

Webfilter functionality
The Webfilter in ISA Server 2006 is responsible for the following tasks:

- Scanning and modifying HTTP requests
- Analyzing network traffic
- Scanning and modifying HTTP responses
- Blocking of specific HTTP responses
- Data encryption and compression

and many more.

Important: The HTTP Filter in ISA Server 2006 is rule specific except for the Maximum Header length setting. The Maximum Header length is the same for all Firewall rules with HTTP protocol definitions.

Attention: The HTTP Filter in ISA Server 2006 is also capable of filtering HTTPS traffic but only in reverse web server publishing scenarios where HTTPS Bridging is used. If you want to use outgoing HTTPS inspection through ISA Server 2006 HTTP filter you have to use third party software.

HTTP Filter configuration



If you want to start configuring the HTTP filter, right click a rule that contains an HTTP protocol definition and select Configure HTTP from the context menu.

Figure 2: ISA Server 2006 HTTP filter general settings

Request Header
- Maximum Headers length (bytes): The maximum Header length specifies the maximum number of bytes in the URL and HTTP Header for an HTTP request until ISA Server blocks the request.

Request Payload
- Maximum payload length (bytes): With this option it is possible to restrict the maximum length in bytes a user can send via an HTTP POST in a Web server publishing scenario.

URL-Protection
- Maximum URL Length (Bytes): The maximum length of an allowed URL.
- Maximum Query length (Bytes): The maximum length of a URL in the HTTP request.
- Verify normalization: Select this checkbox to block requests whose URLs still contain escaped characters after normalization. Normalization is the process of decoding URL-encoded requests. After decoding, the URL is normalized a second time to make sure that no process is using the % character to encode a URL. If the HTTP Filter finds a difference in the URL after the second normalization, the request is rejected.
- Block High bit character: URLs that contain Double Byte Characters (DBCS) or Latin1 will be blocked if this setting is active. When active, this setting regularly blocks languages that require more than eight bits to display all language-specific characters.

Executables
- Block responses containing Windows executable content: This option blocks the download and execution of executable content like EXE files.

Next we should configure the allowed or blocked HTTP methods.

Figure 3: HTTP Methods

In this example we are blocking the HTTP POST command so that nobody can upload content to external websites.

Figure 4
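The Verify normalization and Block High bit character checks described under URL-Protection above can be modelled in a few lines. This is an added example, not ISA Server code or anything from the SDK; the function names and sample URLs are constructed, and applying the high-bit test to the decoded URL is an assumption.

```python
from urllib.parse import unquote_to_bytes


def passes_verify_normalization(url: str) -> bool:
    """Decode once, then again; a difference means escapes survived the first pass."""
    once = unquote_to_bytes(url)
    twice = unquote_to_bytes(once)
    return once == twice


def has_high_bit(url: str) -> bool:
    """True if the decoded URL holds any byte above 0x7F (DBCS, Latin-1, UTF-8)."""
    return any(byte > 0x7F for byte in unquote_to_bytes(url))


def check_url(url: str, verify_normalization=True, block_high_bit=False):
    """Return None if the URL passes, else the name of the setting that rejects it."""
    if verify_normalization and not passes_verify_normalization(url):
        return "Verify normalization"
    if block_high_bit and has_high_bit(url):
        return "Block high bit characters"
    return None


# Constructed sample URLs (not taken from the article).
SAMPLES = [
    "/docs/annual%20report.pdf",     # single-encoded space: stable after one decode
    "/files/%252e%252e/readme.txt",  # %252e -> %2e -> "." : double encoding
    "/promo/50%25off",               # literal percent; "%of" is not a valid escape
    "/promo/25%25de-rabais",         # literal percent, but "%de" decodes: false positive
    "/menu/caf%C3%A9",               # UTF-8 "é": only the high-bit check objects
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = check_url(sample, block_high_bit=True)
        print(f"{sample:30} {verdict or 'allowed'}")
```

The fourth sample shows why this check can reject legitimate URLs that carry a literal percent sign followed by two hex digits.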

Block executables

With this option it is possible to block or allow some specific file extensions in the specific Firewall rule.

Figure 5: Using ISA Server 2006 to block some file extensions

Block requests containing ambiguous extensions


This option instructs the HTTP filter to block all file extensions which ISA Server 2006 cannot determine. In this example we are blocking access to the .EXE file extension.

Figure 6: Blocking the .EXE file extension

HTTP Header handling


When a web client sends requests to a web server, or the web server answers queries, the first part is an HTTP request or an HTTP response. After the HTTP request or HTTP response, the client or server sends an HTTP Header. The request Header field allows the client to send additional information to the server. The HTTP Header contains information about the browser, the operating system, authorization details and more. The client Header uses the User-Agent attribute, which determines which application is responsible for the request. With the help of the HTTP filter it is possible to block specific HTTP Headers.

Figure 7: HTTP filter Header section

The settings in the Server Header field give Administrators the control to remove the HTTP header from the response or to modify the HTTP Header in the response and some other settings. In the following example we are using the HTTP Header feature in ISA Server 2006 to block Kazaa, information of which resides in the request header.

Figure 8: Blocking Kazaa

HTTP Filter signatures

An HTTP signature can exist in the HTTP body or HTTP header. You can use HTTP signatures to deny execution of specific applications. To block an application this way, you must know which signature the application is using. There are some documents on the Internet that can give you some information about specific HTTP signatures, but it is also possible to use a network sniffer to determine HTTP signatures. I will show you how to use a network sniffer later in this article.

Important: Filtering HTTP signatures in ISA Server 2006 only works when the requests and responses are UTF-8 coded.

Figure 9: Blocking HTTP signatures

In the following example we are blocking access for the Windows Live Messenger protocol.

Figure 10: Windows Live Messenger Block

If you want to know more about application signatures click here.

Important: ISA Server 2006 inspects only the first 100 Bytes of the request and response body. It is possible to expand the maximum number of bytes but this can result in some Server performance degradation.
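To see how a header signature and a body signature behave, and what the 100-byte body window means for a signature that sits further into the payload, here is an added example that is not ISA Server code. The rule keys (search_in, header, signature), the body marker and the captured request are constructed for illustration; the User-Agent value follows the fields named in this article's network trace.

```python
BODY_WINDOW = 100  # body bytes inspected, per the note above


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    first, *rest = head.decode("utf-8").split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers, body


def signature_hits(raw: bytes, rule: dict, window: int = BODY_WINDOW) -> bool:
    """True if rule["signature"] occurs where rule["search_in"] says to look."""
    try:
        _, headers, body = parse_request(raw)
    except UnicodeDecodeError:
        return False  # headers not UTF-8: modelled here as "no signature match"
    if rule["search_in"] == "request headers":
        return rule["signature"] in headers.get(rule["header"].lower(), "")
    if rule["search_in"] == "request body":
        return rule["signature"].encode("utf-8") in body[:window]
    raise ValueError(f"unsupported search location: {rule['search_in']}")


def make_capture(body: bytes) -> bytes:
    """Constructed request using the header fields named in this article's trace."""
    return (b"POST /upload HTTP/1.1\r\n"
            b"Host: www.example.test\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Hypothetical rules: a header signature and a constructed body marker.
HEADER_RULE = {"search_in": "request headers", "header": "User-Agent",
               "signature": "MSIE 6.0"}
BODY_RULE = {"search_in": "request body", "signature": "EXAMPLE-APP-HELLO"}

if __name__ == "__main__":
    early = make_capture(b"x" * 10 + b"EXAMPLE-APP-HELLO")
    late = make_capture(b"x" * 95 + b"EXAMPLE-APP-HELLO")
    print(signature_hits(early, HEADER_RULE))           # header match
    print(signature_hits(early, BODY_RULE))             # inside the window
    print(signature_hits(late, BODY_RULE))              # straddles byte 100: missed
    print(signature_hits(late, BODY_RULE, window=512))  # found with a larger window
```

A body signature is only dependable when the application places it within the inspected window, which is why header signatures such as User-Agent are usually the first choice.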

HTTP error message if the HTTP filter blocks some content

Figure 11: HTTP Filter access message

How to discover specific HTTP Headers


To determine HTTP signatures that are unknown to you, it is possible to use a network sniffer like Windows Netmon 3.0 to trace the HTTP network traffic. The following figure shows a sample network trace output from Microsoft Netmon 2.0, but you can use any other network monitor like Wireshark (formerly Ethereal).

Figure 12: Netmon HTTP trace

This example shows the request type (GET), the HTTP request Header (HTTP/1.1), the User-Agent (Mozilla/4.0) and the signature (MSIE 6.0).

HTTPFILTERCONFIG.VBS

You can use HTTPFILTERCONFIG.VBS from the directory C:\PROGRAMME\MICROSOFT ISA SERVER 2006 SDK\SDK\SAMPLES\ADMIN from the ISA Server 2006 SDK to import and export HTTP-Filter configurations.

Figure 13: HTTPFILTERCONFIG.VBS from the ISA 2006 SDK

Conclusion
XML files that we imported. Start by creating a new rule. I've named my rule Block Custom Sites.

In the Access Rule, choose Deny.

Under protocols, choose HTTP and HTTPS.

Under Sources, choose Internal and VPN Clients.

Under Destinations, choose the XML lists that we imported. You can add multiple XML files.

Hello,

I have downloaded the EVAL version of ISA Server 2006 and now want to configure with proxy with some block sites.

My machine configuration: Windows Server 2003 R2 with 2-NIC, and my IP is 192.168.0.99, 192.168.0.98. 192.168.0.98 is connected to RV042 (192.168.0.100 with DHCP enabled) router for net. All users in our LAN are connected through 192.168.0.100.

Now I want to configure my machine as server and all others as clients. Clients will be permitted to use selected sites only. I have tried to install ISA 2006 with default configuration, but while accessing any web page I get the "Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)" error. I have tried after stopping the "Microsoft Firewall" service, and the net is working fine. So now I am not sure that this is working fine; I think the "Microsoft Firewall" service is running with ISA services. Can anyone show me how I can configure it with my network?

Thanks in advance,
Laxmilal

Post #: 1


RE: Configure ISA Server 2006 with proxy with block sites
10.Apr.2008 6:55:15 AM, matt.jones (Super Member)

Hi,

Am I right in saying that the two NICs are configured with addresses on the same subnet, 192.168.0.99 and 192.168.0.98?

Matthew Jones MCSA/MCSE:M+S/VCP/CCA/CCNA

(in reply to lmenaria)
Post #: 2

RE: Configure ISA Server 2006 with proxy with block sites
10.Apr.2008 9:40:36 AM, lmenaria (New Member)

Yes, in same range. Can you tell me what can I do?, or send me configuration steps.

My Issue is : How to check NTLM authentication with my application(.NET Application)

(in reply to matt.jones)
Post #: 3

RE: Configure ISA Server 2006 with proxy with block sites
10.Apr.2008 10:10:53 AM, elmajdal (Moderator)

quote: My machine Configuration : Windows Server 2003 R2 with 2-NIC. and My IP is 192.168.0.99, 192.168.0.98.

Each NIC should be on a different subnet !!!

quote: 192.168.0.98 is connected to RV042 (192.168.0.100 with DHCP enabled) router for net. All user in our LAN are connected through 192.168.0.100.

read this article : http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html

HTH,
Tarek

Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net
Covering ISA Server/TMG, Windows Server 2008 & Windows 7

(in reply to lmenaria)
Post #: 4

RE: Configure ISA Server 2006 with proxy with block sites
10.Apr.2008 10:24:43 AM, lmenaria (New Member)

Have updated the range:

Ethernet adapter External LAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.100
   DNS Servers . . . . . . . . . . . : 218.248.240.79
                                       218.248.240.141

Ethernet adapter Internal LAN:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PM Network Connection
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.98

is it okay ?

(in reply to elmajdal)
Post #: 5
