You may also want to limit the types of content that users can access on the Internet. To do this, create a new content type element, or use one of the existing content type elements when you create an access rule. Content type elements define Multipurpose Internet Mail Extensions (MIME) types and file name extensions. When a client such as Microsoft Internet Explorer downloads information from the Internet using HTTP or File Transfer Protocol (FTP), the content is downloaded in either MIME format or as a file with a specified file name extension.
Content type elements apply only to HTTP and FTP traffic that is tunneled in an HTTP header. When a client requests HTTP content, ISA Server sends the request to the Web server. When the Web server returns the object, ISA Server checks the object’s MIME type or its file name extension, depending on the header information returned by the Web server. ISA Server determines if a rule applies to a content type that includes the requested filename extension, and processes the rule accordingly. FTP traffic is tunneled in an HTTP header when a client is configured as a Web Proxy client. When a client requests FTP content, ISA Server checks the filename extension of the requested object. ISA Server determines if a content type that includes the file extension is linked to the access rule. If a content type applies, ISA Server applies the rule.
ISA Server is preconfigured with the following content types: Application, Application data files, Audio, Compressed files, Documents, Hypertext Markup Language (HTML) documents, Images, Macro documents, Text, Video, and Virtual Reality Modeling Language (VRML). In most cases, you need not configure additional content types, and can merely apply the existing types.
How to Configure Schedule Elements
In some cases, you may also want to configure access to the Internet based on the time of day. To do this, configure a schedule element and apply it or one of the existing schedules to an access rule. Schedule elements define a schedule that you can use to grant or deny Internet access as part of an access rule.
ISA Server 2004 is preconfigured with the following two schedules:
- Weekends: Defines a schedule that includes all times on Saturday and Sunday.
- Work Hours: Defines a schedule that includes the hours between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.) on Monday through Friday.
To create a new schedule element, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Schedules.
3. Click New. In the New Schedule dialog box, fill in the following information:
   - Type the content type set name in the Name box.
   - Configure the schedule by selecting the times when the rule will be active or inactive and then clicking Active or Inactive.
How to Configure Network Objects
You may also want to define which Web sites or servers users can or cannot access. You can configure this by creating either a domain name set or a URL set and then applying these sets to an access rule. Moreover, you can create groups of computers that you can use when creating access rules. For example, you may want to allow access to specific Internet resources only to certain computers. You can create computer objects, computer sets, address ranges, or subnets to define groups of one or more computers, and then use these objects to allow or deny access to Internet resources. These computer objects can be used both as the source object and the destination object when defining access rules.
You can use any of these access rule elements when defining access rules. Note the following configuration restrictions:
- When specifying the domain name, you can use an asterisk (*) to specify a set of computers. For example, to specify all computers in the cohovineyard.com domain, type the domain name as *.cohovineyard.com. The asterisk can appear only at the start of the domain name, and can be specified only once in the name. You must use the FQDN when specifying a domain name.
- When you create a URL set, you can specify one or more URLs in URL format. For example, you can specify a URL such as http://www.cohovineyard.com. You can also specify a path and use wildcard characters in the path, but only at the end. For example, www.cohovineyard.com/* is acceptable. However, www.cohovineyard.com/*/sales is not.
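The two wildcard restrictions above can be checked before entries are typed into a domain name set or URL set. The following Python sketch is an added example, not Microsoft code and not part of ISA Server; the function names, the sample lists, and the approximation of "FQDN" as valid DNS labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def check_domain_entry(entry):
    """Return the problems found in one domain name set entry (empty = OK)."""
    name = entry.strip()
    problems = []
    if name.count("*") > 1:
        problems.append("asterisk specified more than once")
    if "*" in name[1:]:
        problems.append("asterisk not at the start of the name")
    if problems:
        return problems
    rest = re.sub(r"^\*\.?", "", name)      # drop a leading "*." or "*"
    wildcard = rest != name
    labels = rest.split(".")
    # Assumption: an FQDN is a run of valid DNS labels, and a name without
    # a wildcard needs at least two (a bare host name is not an FQDN).
    if not all(LABEL.match(l) for l in labels) or (not wildcard and len(labels) < 2):
        problems.append("not a fully qualified domain name")
    return problems

def check_url_entry(entry):
    """Return the problems found in one URL set entry (empty = OK)."""
    url = entry.strip()
    if "://" not in url:                    # the page shows entries without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    problems = []
    if not parts.hostname:
        problems.append("no host name")
    star = parts.path.find("*")
    if star != -1 and star != len(parts.path) - 1:
        problems.append("wildcard not at the end of the path")
    return problems

def lint(entries, checker):
    """Map each rejected entry to its list of problems."""
    return {e: p for e in entries if (p := checker(e))}

# Constructed sample entries, built from the domain used on this page.
SAMPLE_DOMAINS = ["*.cohovineyard.com", "www.*.cohovineyard.com",
                  "*.sales.*.cohovineyard.com", "fileserver"]
SAMPLE_URLS = ["http://www.cohovineyard.com", "www.cohovineyard.com/*",
               "www.cohovineyard.com/*/sales"]

if __name__ == "__main__":
    for bad, why in {**lint(SAMPLE_DOMAINS, check_domain_entry),
                     **lint(SAMPLE_URLS, check_url_entry)}.items():
        print(f"{bad}: {'; '.join(why)}")
```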
To create a new Network Object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. Click New, and then click the type of object that you want to create. All the network objects have a similar configuration interface.
To modify an existing network object, click the object in the Network Objects box, and then click Edit.