Re: GFI Download Security for ISA Server as Spyware Blocker?

From: Ross (Ross_at_discussions.microsoft.com)
Date: 02/02/05


Date: Wed, 2 Feb 2005 01:13:02 -0800

No problem, but I should point out that there is apparently a bug in ISA
2004's content filtering that affects ASP pages. I'm waiting to hear from
Microsoft at the moment regarding this. If you implement filtering in this
way, bear in mind that there are occasional glitches with ASP pages:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000168

The other downside to this configuration is that ISA is *very* strict about
filtering. The filtering does not just affect file downloads, it affects
every request made through ISA. So if you don't allow .asp file extensions,
your users will not even be able to browse to .asp pages. We're pretty happy
that we've identified all the common extensions we use, but there may be a
few more you need to add for some sites.

Also, bear in mind that MIME types take precedence over file extensions, so
always check whether your ISA server has a MIME type registered for the
particular type of file you want to allow.

Cautions aside, in essence, we have two rules granting staff access to the
internet:

One is an allow rule for HTTPS traffic, and grants access to a domain name
set of trusted sites. ISA cannot filter content over HTTPS so we simply
prevent its use to untrusted sites.

The second rule allows FTP and HTTP access, again to a list of trusted sites
(in our case managed by Futuresoft's i:Filter, but ISA's domain sets would
work fine). This rule only allows set types of content. We use the two
default groups of HTML Document and Images, but then have two groups of our
own in addition:

Allowed Web Content
application/x-javascript
text/css
.aspx
.cgi
.css
.js
.jsp
.pl
.shtml
.srf

Allowed Files
application/msword
application/pdf
application/vnd.ms-excel
image/gif
image/tiff
text/plain
.doc
.dwf
.dxf
.enc
.gif
.msl
.mso
.pdf
.plt
.sdf
.tif
.tiff
.txt
.xls

Some of those extensions are specific to us. DWF files are AutoCAD drawings,
for example, but it should give you a good idea of our approach.

Ross
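
Added example, not part of Ross's post and not ISA's own matching logic: a simplified Python model of the allow-list above that replays constructed proxy requests and counts which extensions or MIME types were denied, so missing entries can be reviewed. The names `classify`, `denied_keys`, `DEFAULT_GROUPS` and the sample hosts are hypothetical, and the rule that a present MIME type decides while the extension is ignored is an assumption drawn from the post's wording.

```python
import posixpath
from collections import Counter
from urllib.parse import urlsplit

# The two custom content groups, copied from the post.
ALLOWED_WEB_CONTENT = {"application/x-javascript", "text/css", ".aspx", ".cgi",
                       ".css", ".js", ".jsp", ".pl", ".shtml", ".srf"}
ALLOWED_FILES = {"application/msword", "application/pdf",
                 "application/vnd.ms-excel", "image/gif", "image/tiff",
                 "text/plain", ".doc", ".dwf", ".dxf", ".enc", ".gif", ".msl",
                 ".mso", ".pdf", ".plt", ".sdf", ".tif", ".tiff", ".txt", ".xls"}
# Constructed stand-in for the default HTML Document and Images groups;
# these are NOT the real contents of ISA's built-in groups.
DEFAULT_GROUPS = {"text/html", "image/jpeg", ".htm", ".html", ".jpg"}
ALLOWED = ALLOWED_WEB_CONTENT | ALLOWED_FILES | DEFAULT_GROUPS

def classify(url, content_type=None):
    """Return (verdict, key); key is the MIME type or extension that decided."""
    if content_type:
        # Assumed model: a known MIME type decides, the extension is ignored.
        mime = content_type.split(";", 1)[0].strip().lower()
        return ("allow" if mime in ALLOWED else "deny", mime)
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    # Assumption: with neither MIME type nor extension nothing can match.
    return ("allow" if ext and ext in ALLOWED else "deny", ext or "(none)")

def denied_keys(requests):
    """Count denied requests per deciding key: candidates to review."""
    counts = Counter()
    for url, content_type in requests:
        verdict, key = classify(url, content_type)
        if verdict == "deny":
            counts[key] += 1
    return counts

# Constructed sample of (URL, Content-Type or None) pairs.
SAMPLE = [
    ("http://intranet.example/report.pdf", "application/pdf"),
    ("http://partner.example/login.asp", None),        # .asp is not listed
    ("http://partner.example/default.asp", None),
    ("http://partner.example/app.js?v=2", None),       # query string ignored
    # .dwf is listed, but the MIME type decides and is not listed.
    ("http://partner.example/plan.dwf", "application/octet-stream"),
]

if __name__ == "__main__":
    for key, n in denied_keys(SAMPLE).most_common():
        print(f"{n:3d} denied  {key}")
```
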


