Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

Controlling Acceptable Internet Access With ISA Server

A reasonably frequently-asked question is:
Can ISA Server 2004 control access to unsavoury sites on the Internet?
The short answer:
Of course!
The slightly less terse answer:
But you might need to use a content filtering add-in dedicated to the task if your need goes beyond a simple allow list. There’s also a non-technology alternative…
The longer answer:
Allow Lists and Deny Lists (Whitelists and Blacklists in oldspeak) can be created by URL, domain name, IP range, you name it. Actually, it’s more accurate to say that sets of URLs, domain names, and IP ranges can be created, and you can then choose whether to deny or allow access to them.
ISA Server’s pretty flexible about that, and oftentimes, if the list is small enough, you can manage it yourself (where “you” are the ISA Server admin that doesn’t want to be doing list management full time).
So, allowing a group of users access to only five or ten (or fifty, or a hundred) well-defined sites: easy enough.
In the situation in which the business comes to you and says that they want to allow unrestricted Internet Access in general, but don’t want employees to see anything that isn’t really appropriate, you suddenly have a vast amount of work cut out for you.
And this is where the content filtering add-ins come into play – some filtering add-ins are listed here.
These often work on a paid subscription model that buys updates to their category listings, so that you can pick a category of sites and allow or deny access to that entire category – sometimes even with drill-down category capabilities, like Recreation->Gardening->Gnomes – rather than having to manually populate the list yourself, which could be both time-consuming and expose you to hideous, hideous things (teh intarweb can be dangerous, kids).
This is a Good Thing, and is often necessary to achieve no-questions-asked-it’s-just-automatic compliance. The filter provider takes care of the category listings and updates, you just manage the rules. Easy.
The alternative, cheap-cheap-cheap solution:
There’s also the non-technology solution, which appeals to me as an ex-BOFH. It’s the Policy approach.
Publish an employee Internet Use policy, then examine the proxy logs at random intervals (a lot at first, then just a one-off once in a while), and issue stern warnings to those who go to unsavoury sites. You can use ISA Server 2004’s log query capability (or Log Parser or FIND against text-format/ISA 2000 log files) to pick out URLs containing certain likely-to-be-naughty phrases (like “xxx” or “leprechaun”) to produce a target-rich environment.
Remember: Fear is often cheaper than technology™.
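The log review described above, sketched as an added example (not code from the original post): it scans a W3C-format text log for phrases in the requested URL and tallies hits per user. The log lines are constructed, and the field names (`c-ip`, `cs-username`, `cs-uri`) are assumptions that the parser reads from the log's own `#Fields` line.

```python
from collections import Counter
from urllib.parse import unquote

PHRASES = ["xxx", "leprechaun"]  # the post's example phrases

# Constructed sample log, W3C extended format, tab-delimited. Field names are
# assumptions; the parser takes the column order from the #Fields directive.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-uri\tsc-status",
    "10.0.0.21\talice\t2005-03-01\t09:14:02\thttp://gardening.example/gnomes/\t200",
    "10.0.0.22\tbob\t2005-03-01\t09:15:40\thttp://www.example.test/XXX/index.htm\t200",
    "10.0.0.22\tbob\t2005-03-01\t09:16:03\thttp://search.example.test/?q=lepre%63haun\t200",
    "10.0.0.23\t-\t2005-03-01\t09:20:11\thttp://xxx.example.test/\t403",
    "10.0.0.21\talice\t2005-03-01\t09:21:55\thttp://news.example.test/\t200",
])


def scan(lines, phrases=PHRASES):
    """Return (user, client_ip, url, matched_phrases) for each flagged request."""
    fields, hits = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            # Directives can reappear mid-file; always honour the latest #Fields.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or not fields:
            continue
        rec = dict(zip(fields, line.split("\t")))
        url = rec.get("cs-uri", "")
        # Decode %xx escapes and lowercase so "lepre%63haun" and "XXX" still match.
        haystack = unquote(url).lower()
        matched = [p for p in phrases if p.lower() in haystack]
        if matched:
            hits.append((rec.get("cs-username", "-"), rec.get("c-ip", "-"), url, matched))
    return hits


def per_user(hits):
    """Count flagged requests per user, falling back to client IP when anonymous."""
    return Counter(user if user != "-" else ip for user, ip, _url, _m in hits)


if __name__ == "__main__":
    for who, count in per_user(scan(SAMPLE_LOG.splitlines())).most_common():
        print(f"{who}\t{count}")
```

Substring matching also flags innocent URLs that happen to contain a phrase, so treat the output as a list of entries to review rather than as findings.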