One of the requests we get is to place a restriction on which Internet sites that users would commonly visit during working hours or at all.
In ISA 2004, we would do the following:
- Open the ISA Management Console
- Right click on Firewall Policy -->New --> Access Rule
- We call them Workhours Deny
- Rule Action: Deny
- Selected Protocols: HTTP, HTTPS, MSN Messenger
- Access Rule Sources: Internal & Local Host
- Access Rule Destination: Add
- New: URL Set
- Name: Workhours Deny
- Add: http://*.rad.msn.com/*
- Some sites at the bottom of this post.
- OK
- Click on + beside URL Sets and double click on "Workhours Deny"
- Close
- Next
- All Users -->Next
- Finish
- In the ISA Console, double click on the Rule before clicking Apply in there
- Click the Action Tab: Tick "Redirect HTTP requests to this Web page:"
- We create an AUP page for Companyweb: http://companyweb/General%20Documents/AcceptableUsePolicy.aspx?PageView=Shared
- Click the Schedule Tab
- New button
- Name ClientName Workhours and set the active times.
- We set 0800 to 1800 for the times as a rule for all 7 days.
- Click OK
- Click Apply and OK in the Workhours Deny Properties window
- Click Apply and OK in the ISA Console.
During the working hours specified, if the user tries to connect to the Web sites that are listed in the Deny List, they will be greeted with the following:
Here is a partial list of sites that we tend to restrict out of the box as part of the SBS Premium setup:
- http://*.ebuddy.com/*
- http://*.get.live.com/*
- http://*.login.live.com/*
- http://*.shared.live.com/*
- http://*.webmail.usersisp.com/*
- http://*.gmail.com/*
- http://*.hotmail.com/*
- http://*.login.yahoo.com/*
Any site that would essentially waste a user's time or open the network to possible compromise would normally make the list.
In almost all cases, most people figure it out and there is not a problem. Once in a while a little more is needed, so with the Client Contact's approval, a simple email with a screen shot of an ISA report showing the user name and sites being visited is sent to the problematic user. This usually kills the behaviour immediately.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.
No comments:
Post a Comment
NOTE: All comments are moderated.