ISA Server 2006


1- Create Rule to Allow Internet Access for ISA and User
-----------------------------------------------------------------
-Open ISA Server => Array => Server name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Allow internet access for ISA
and Users => Action: Allow => All Outbound Traffic - From Source:
Local Host and Internal => Next => To Destination: External => Finish
=> Apply - Test: open the Internet on both the ISA machine and the User PC.
------------------------------------------------------------------------
2- Create Rule to Block Yahoo Messenger
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block yahooMSG => New
=> Choose the following:
            -Protocol type : TCP
            -Direction     : Outbound
            -Port Range    : From: 5000 To: 5050
=> 2 Next => Finish => Expand User-Defined => Double-click on protocol name:
Yahoo MSG => Close - From Source: Internal => Next => To Destination: External
=> Finish => Apply - Test: sign in to Yahoo Messenger at User PC
------------------------------------------------------------------------
3- Create Rule to Block User download software

-Open ISA Server => Array => Server name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block download => Action: Allow
Outbound Traffic - From Source: Internal => Next => To Destination: External
=> Finish => Apply - Right-click on this rule => Configure HTTP => Extensions
Tab => Block specified extensions => Add the file extensions you want to block:
"exe, bat, com, dll, ocx, cab, rar, zip, tar, pif, js, vbs, flv, swf ..."
-Test: download software at User PC from allthesoft.com
------------------------------------------------------------------------
4- Create Rule to Block URL website Google.com
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block Google.com => Action: Deny
=> All Outbound Traffic - From Source: Internal => Next => To Destination:
Add => New => URL Set => Name: Google => Add: http://google.com => OK
=> Expand: URL Sets => Double-click Google URL => Close => Finish
-Test: open website google.com at User PC.
------------------------------------------------------------------------
5- Create Rule to Block User IP
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block User IP => Action: Deny
- All Outbound Traffic - From Source: Add => New => Computer - Name: XP1 => Computer
IP Address: 10.0.0.5 - Expand Computer => Double-click on XP1 - Close - Next
- To Destination: External - Test: open the Internet on the User PC named XP1
------------------------------------------------------------------------
6- Create Rule for restricted and unrestricted users
*For Restricted User rule:
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Restricted Users => Action: Allow
- Selected protocols - Add - choose the protocols: HTTP, HTTPS, DNS, POP3, POP3S,
SMTP, SMTPS, Yahoo MSG
=> From Source: Internal - Next - To Destination: External - Finish - Apply
- Right-click on this rule - Configure HTTP - Extensions Tab
- Block specified extensions - add the file extensions you want to block:
exe, bat, com, dll, ocx, cab, rar, zip, tar, pif, js, vbs, flv, swf...
*For Unrestricted User rule:
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Unrestricted Users => Action: Allow
All Outbound Traffic

=> From Source: Add => New - Computer - Name: ITPC - Computer IP Address:
10.0.0.10 - Expand Computer - Double-click on ITPC - Close - Next - To Destination:
External - Finish - Apply
=> Test: open the Internet on both the IT Computer and the User PC
------------------------------------------------------------------------
7- Bandwidth Splitter for ISA
*Install Software: bspliter2006.exe
-Open ISA Server => Array => Server Name => Expand Bandwidth Splitter - Right-click
on Shaping Rule - New - Rule - Shaping rule name: 64/128 => Next - choose
"IP address sets specified below" => Add: Internal - Next - Destination: External
=> 2 Next - choose "Shape incoming and outgoing traffic" - Incoming (kbits/s): 64
and Outgoing (kbits/s): 128 - Next - choose "Assign bandwidth individually to each
applicable user/ address" - Next - Finish - click Monitor to view who is downloading
and which address the traffic comes from ...
------------------------------------------------------------------------
8- Create Rule to Block User IP Range
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Block User IP Range => Action: Deny
- All Outbound Traffic - From Source: Add => New => Computer Set - Name: Accounting Range
=> Computer IP Address: 10.0.0.2 - 10.0.0.15 - Expand Computer => Double-click
on Accounting Range - Close - Next
=> To Destination: External
=> Test: open the Internet on a User PC with IP address 10.0.0.2 - 10.0.0.15
Work?
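
The sources in sections 5, 6 and 8 overlap: ITPC (10.0.0.10) lies inside the blocked range 10.0.0.2 - 10.0.0.15, and ISA Server applies the first access rule that matches a request, so the order of the rules in Firewall Policy decides the result. The Python model below is an added example, not part of the original notes; it evaluates the rules top-down and lists rules that an earlier rule makes unreachable. Assumptions: Internal is 10.0.0.1 - 10.0.0.254, URL sets are reduced to one exact host name, and the Local Host source of rule 1 is left out.

```python
import ipaddress

def rng(first, last=None):
    """Inclusive IPv4 range as a pair of integers."""
    lo = int(ipaddress.ip_address(first))
    return lo, int(ipaddress.ip_address(last or first))

INTERNAL = rng("10.0.0.1", "10.0.0.254")  # assumed; the page gives no Internal range

# key: (rule name, action, source range, destination host or None = all External)
RULES = {
    "range": ("Block User IP Range", "Deny", rng("10.0.0.2", "10.0.0.15"), None),
    "itpc": ("Unrestricted Users", "Allow", rng("10.0.0.10"), None),
    "xp1": ("Block User IP", "Deny", rng("10.0.0.5"), None),
    "google": ("Block Google.com", "Deny", INTERNAL, "google.com"),
    "all": ("Allow internet access for ISA and Users", "Allow", INTERNAL, None),
}

def build(order):
    """Policy as an ordered list, topmost rule first."""
    return [RULES[key] for key in order]

def evaluate(policy, src_ip, host):
    """Return (rule name, action) of the first rule that matches the request."""
    ip = int(ipaddress.ip_address(src_ip))
    for name, action, (lo, hi), dest in policy:
        if lo <= ip <= hi and dest in (None, host):
            return name, action
    return "Default rule", "Deny"  # nothing above matched

def shadowed(policy):
    """(rule, earlier rule) pairs where the earlier rule takes all the traffic."""
    hits = []
    for i, (name, _, (lo, hi), dest) in enumerate(policy):
        for prev, _, (plo, phi), pdest in policy[:i]:
            if plo <= lo and hi <= phi and pdest in (None, dest):
                hits.append((name, prev))
                break
    return hits

RANGE_FIRST = build(["range", "itpc", "xp1", "google", "all"])
ITPC_FIRST = build(["itpc", "range", "xp1", "google", "all"])
ALLOW_ALL_FIRST = build(["all", "itpc", "range", "xp1", "google"])

if __name__ == "__main__":
    for label, policy in [("range first", RANGE_FIRST), ("ITPC first", ITPC_FIRST)]:
        print(label, evaluate(policy, "10.0.0.10", "example.com"), shadowed(policy))
```

With the range rule on top, ITPC is denied despite its Allow rule; with the general Allow rule on top, every Deny rule is reported as unreachable.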
---------------------------------
=> Block Content:

-Right-click (Block User IP Range)-Properties- Content types- Selected content types ...
-Check HTML Documents, Text ... => ok

- Test open internet on Client Computer IP Address :10.0.0.16
---------------------------------
9- Restrict Internal Network to Another Website (facebook.com => iic.edu.kh):
-Open ISA Server => Array => Server Name => Firewall Policy => Right-click
=> New => Access Rule... - Access rule name: Deny Access facebook => Action: Deny
- All Outbound Traffic - From Source: Internal - Next
- To Destination: New - URL Set - Name: facebook - New - http://*.facebook.com - OK
- Add - facebook - 2 Next - Finish - Right-click (Firewall Policy "Deny Access facebook")
- Properties - Action - Deny - Check (Redirect HTTP Re...) - http://www.iic.edu.kh - OK
-Test: open the Internet on Client
---------------------------------
10- Set up VPN Server and Client:
=>Create new group: VPN_Group and User: vpn_user1
-Open ISA Server => Array => Server Name => Virtual Private Networks (VPN):
=> Step1: Configure Address Assignment Method and Enable VPN Clients:
            -Click Add => Select Server Name
            -Set private IP range: From 172.16.0.1 To 172.16.0.10 => OK
            -Click "Enable VPN Client Access" => 10
=> Step2: Specify Windows Users => Add Group: VPN_Group
=> Step3: Verify VPN Properties => Tick "Enable PPTP" => OK
              Remote Access Config => Tick "External" => OK
=> Step4: View Firewall Policy for VPN Client Network:
            -Right-click on Firewall Policy => New => Access Rule
            -Access rule name: Allow VPN Users to access Internal => Action: Allow
            -All Outbound Traffic - From Source: VPN Clients - Next
            -To Destination: Internal => Finish
=> Step5: View Network Rule:
            -Create new VPN Connection on the user PC on the Internet as below:
                        .Username:vpn_user1
                        .Password:123
                        .Gateway :192.168.1.253 (public IP of ISA WAN Interface)
-Test: connect the VPN from the Internet to dial in to Internal via ISA VPN on Client
IP-Cop:

----------------------------------------------
1.Enable Web-Proxy log to monitor Users

=>Click Menu Services - Advanced Proxy - Tick "Enable on green"
and "Transparent on green" and "Log Enable" => Save & Restart

=>Test: open websites yahoo.com, google.com
=>To see who is opening which website => click menu Logs
            =>Proxy logs in IPCop web interface
----------------------------------------------

2.Ban IP and MAC Address

=>Click Menu Services - Advanced Proxy - In the box "Banned IP addresses (one per line)"
- type the IP of the user computer that you want to block, or in the box
"Banned MAC addresses (one per line)" => type the MAC of the user computer that you want to
block (for example 00:24:8C:E9:97:A6) => Save and Restart

=> Test: set a computer's IP or MAC address to match the rule => Try to open a website ....
****Note: if you want to be exempt from the rule, just add your IP in the box
"Unrestricted IP addresses (one per line)" or your MAC in "Unrestricted MAC addresses (one per line)"
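
The proxy log from section 1 is also the place to confirm that a ban from section 2 holds. The Python sketch below is an added example, not part of the original notes; it assumes the log is in Squid's native access.log layout and that refused requests carry the result code TCP_DENIED. The log lines and addresses are constructed sample data.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1300000000.101    210 10.0.0.16 TCP_MISS/200 5120 GET http://www.yahoo.com/ - DIRECT/203.0.113.10 text/html
1300000003.412     95 10.0.0.16 TCP_MISS/200 20480 GET http://www.google.com/ - DIRECT/203.0.113.20 text/html
1300000009.007      1 10.0.0.5 TCP_DENIED/403 1450 GET http://www.yahoo.com/ - NONE/- text/html
1300000011.250      0 10.0.0.5 TCP_DENIED/403 1450 CONNECT mail.example.com:443 - NONE/- -
1300000015.900    180 10.0.0.10 TCP_HIT/200 900 GET http://www.google.com/logo.gif - NONE/- image/gif
this line is damaged and must be skipped
"""

def parse_line(line):
    """Return (client, result, host) or None if the line is not a log record."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    url = f[6]
    # CONNECT requests log "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return f[2], f[3].split("/")[0], host

def summarize(text):
    """Per client: hosts served and hosts refused by the proxy."""
    report = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            client, result, host = rec
            report[client]["denied" if result == "TCP_DENIED" else "allowed"].add(host)
    return dict(report)

def ban_holds(text, banned_ip):
    """True when every request logged for banned_ip was refused."""
    entry = summarize(text).get(banned_ip)
    return entry is not None and not entry["allowed"]

if __name__ == "__main__":
    for client, hosts in sorted(summarize(SAMPLE_LOG).items()):
        print(client, "allowed:", sorted(hosts["allowed"]), "denied:", sorted(hosts["denied"]))
```

`ban_holds` returns False for an address with no log entries at all, so a banned PC that was never tested is not reported as blocked.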
---------------------------------------------
3.Block MIME Contents
http://www.utoronto.ca/web/htmldocs/book/book-3ed/appb/mimetype.html#arch
=>Click menu Services - Advanced Proxy => at the "MIME type filter" => Tick "Enable"
-Type any MIME type you want to block, like:
            .application/octet-stream (*.exe)
            .application/zip
            .application/x-tar
            .application/rar

(Search Google for "MIME content")
Save & Restart
=>Test: download software...
------------------------------------------
4.Block or Unblock Outbound ports
=>Click Menu Services => Advanced Proxy => In the box "Allowed standard ports (one per line)"
-To block port 80 => Remove "80 #http" => Users cannot open any website
-To allow port 80 => Add "80 #http" => Users can open any website
---------------------------------------------
5.Limit Download Sizes
=>Click Menu Services => Advanced Proxy => In the box "MAX download size (KB)" => Set 2000MB
and in the box "MAX upload size (KB)" => Set 1000MB
*** Note: if you want to be exempt from the rule above (no restriction, unlimited download), just add
your IP in the box "Unrestricted IP addresses (one per line)" or your MAC in "Unrestricted MAC addresses (one per line)"
---------------------------------------------
6.Limit Internet Bandwidth
=>Click Menu Services => Traffic Shaping => Tick "Traffic Shaping" => Downlink speed (kbit/sec) = 256
and Uplink speed (kbit/sec) = 128 => this means that users can only download at 256 kbps
and upload at 128 kbps.
---------------------------------------------
7.Allow only Firefox and IE Users
=>Click Menu Services => Advanced Proxy => Tick "Enable Browser check" => Tick "Firefox and IE"
=>Only Firefox and IE users can browse websites; other browsers cannot.
---------------------------------------------
8.Block Website Facebook
=>Click Menu Services => URL Filter => in the box "block domain (one per line)" => Type website:
facebook.com => Tick "Enable custom blacklist"
=>Test: open Facebook.com