ISA Server has Web filtering features other
than the ability to block a list of sites that you might find useful. To experiment with
these features, follow the same procedure
as in Step 3 in the main article to create
another blocking rule, but this time, name it
File_Blocker and set the destination to the
external network instead of to Bad-Sites.
Move the File_Blocker rule to sit just above the
Site_Blocker rule in the firewall policy.
Right-click your File_Blocker rule, select
Properties, then go to the Content Types tab.
By default, the rule applies to all content types,
hence, the rule is now preventing all file downloads from the Web, which isn't what we want.
Instead, choose the Selected content types
option and select only the Audio and Video
check boxes, as Figure A shows. Now ISA Server
will prevent your users from downloading any
audio or video files from the Web via HTTP,
which could save you a lot of bandwidth.
ISA Server determines a file's type by
using its filename extension (e.g., .mp3) and
MIME description (e.g., audio/mpeg). You
can highlight a file type on the tab in Figure
A and click Details to see the list of filename
extensions and MIME descriptors that make up that content type. You can also create
your own custom content type by clicking
New.
Note, however, that specifying file types on
a rule's Content Types tab causes that rule to
apply only to HTTP traffic. This is true even if the Proto-cols tab says that the rule applies to all traffic. If you want to block protocols other than HTTP, you'll have to create additional rules,but even if you do, you won't be able to block file downloads by filename extension or MIME type for those non-HTTP protocols—this feature is only for HTTP. Moreover, unless you purchase a third-party extension such as Collective
Software's ClearTunnel, you won't be able to
limit HTTP Secure (HTTPS) traffic because the
channel is encrypted.
Next, go to the Action tab. On this tab
(which Figure B shows), you can enter the
URL for an internal Web server that hosts a
custom Denied Access page that contains
your official acceptable use policy. If you don't
enter a URL, denied HTTP requests will get a
generic-looking error page. You could configure both your File_Blocker and Site_Blocker
rules to show your custom page when access
is denied.
Finally, to do even more advanced HTTP
filtering, open the Properties dialog box of
the rule that allows Internet access (not the
blocking rules), go to the Protocols tab, click
Filtering, and select Configure HTTP. You'll
see a set of tabs for doing application-layer filtering of HTTP. I can't discuss all the available
HTTP filtering options in this article, but as an
example of what's possible, go to the Extensions tab, select Block specified extensions,
and add .wmf to the list. This is an alternative
to using the Content Types tab for blocking unwanted file types. In this case, you're
blocking the image file type associated with
the nasty graphics rendering engine vulnerability published in January 2006 (Microsoft
Security Bulletin MS06-001—Vulnerability
in Graphics Rendering Engine Could Allow
Remote Code Execution). Click OK and Apply
to save your changes.