Internet Filtering groups
Hi all,
I run an ISA server, but i think i only brush the surface of what the software is capable of. We use a blacklist and i also have a 'No internet' group that runs in ISA.
Is it possible to set filtering groups in ISA? (we use 2004)
I would like to have two or three groups.
1. A walled garden (approved whitelist sites- very restrictive)
2. A general student site (typical filtered access)
3 Loose filtering. Blocking porn etc but allowing hotmail for our 6th form and boarders.
The next step would be some sort of scheduling.
First question, can ISA do this easily, and can anyone recommend a book that could help a newbie?
If not can ayone recommend any other software that would do this?
Cheers
Andy
Re: Internet Filtering groups
You would be better of in the long run with a Squid/Dansguardian solution.
Re: Internet Filtering groups
steele: If you want to have a look at some of SmoothWall's "Guardian" software, do drop me a line and I will sort you out a demo of some variety.
In a nutshell, we offer a comprehensive, Active-Directory group controlled web filter, which (assuming I read your requirements correctly) should fit exactly.
The issue with ISA is that its not really a filter - the control isnt great, and you have to find a blocklist from somewhere. this is invariably a URL list, which are a bit "chocolate fireguard" in this day & age, you definitely want a content filter, be that ours, or Dansguardian, or some other specialist filtering s/w.
Tom
Re: Internet Filtering groups
ISA does do this.
Basically, create 3 ISA rules; one to allow access only to your whitelist site; another allowing broader access and the third almost unrestricted. You then specify the groups of users to which these rules apply.
the problem as the others have said is that ISA itself won't do the filtering for you. the first is easy - you have a whitelist. The third is easy-ish; you're going to block specific sites but perhaps allow most others but the second needs a big "block list". There are such lists available on the web but it's not easy to maintain them.
Re: Internet Filtering groups
Andy,
I haven't used Microsoft ISA, in a long-long time. But I hear it's a good product. So even if your requirements are not met directly by a feature or config setting, you should be able to realise goals by architectural engineering.
Quite a few of my customers wanted this, and I managed to do it with SafeSquid. Though, let me warn you, this isn't done by mere configuration settings in SafeSquid too!
But this is what we do -
We set-up two instances of SafeSquid, say proxyA & proxyB.
In proxyA we create a "Profile" say 'free-web-sites' for the web-sites, that may be accessed without authentication, by everybody. And then we create a rule in "Request Forwarding" for '!free-web-sites' ( i.e. all requests that are NOTprofiled as free-web-sites ) to be forwarded to proxyB.
Next we simply create a rule in "Access Restrictions" in proxyB to deny all requests, but allow only those that are authenticated.
Now the users will be challenged for authentication whenever they try to access any web-site except for 'free-web-sites' (proxyB will actually do the challenge)
I gave the example via SafeSquid, because when customers demand, content filtering, that's more than mere url filtering, and I am more comfortable with it's design. But I am sure you should be able to do it with any other good proxy server too!
