ISA Server Destination Sets for Inbound and Outbound Access
By Thomas W Shinder, M.D.
Destination sets are a very handy tool that allow you control both inbound and outbound access to and from the internal network through the ISA Server. Destination Sets are a pivotal component of your inbound and outbound access policy using Site and Content and Web Publishing Rules. A Destination Set can be used to signal safe sites and can be used to steer your users away from dangerous or illegal sites.
The problem with Destination Sets is that a good number of our ISAserver.org readers doesnít understand them very well! Thatís OK, because by the time youíre done with this article, youíll have a much better understanding of Destination Sets and how they work with ISA Server.
A Destination Set is a collection of Fully Qualified Domain Names (FQDNs) or IP addresses. A Destination Set entry can also contain a path to designate a more specific destination. A single Destination Set can contain a single IP address or FQDN, or it can contain a multiple FQDNs or an entire IP address range.
For example, a destination set could contain the following entries:
*.blah.com PATH: /warez/*
A Destination Set could also contain these entries:
However, you would not want a single Destination Set to contain both FQDNs and IP addresses. For example, the entries in the following Destination Set will cause you troubles:
ISA Server Alert
Never mix IP addresses and FQDNs in the same Destination Set!
Creating Destination Sets
Creating a Destination Set is easy:
- Open the ISA Server Management console, expand your server name, then expand the Policy Elements node.
- Right click the Destination Sets node, point to New and click Set. This brings up the New Destination Set dialog box.
- Click the Add button. This brings up the Add/Edit Destination dialog box. Here you can add a FQDN, an IP address, or a range of IP addresses. If you want to add a FQDN, select the Destination option and type in the FQDN in the text box. You can use a wildcard to the left of the domain to represent multiple servers within a domain, but you canít use two wildcards to cover all subdomains. For example, if you enter *.popupbox.com, the Destination Set entry will cover all servers or subdomains (if the host name isnít included in the subdomainís FQDN). You cannot create an entry like *.*.popupbox.com Ė this entry would cover all host names in all subdomains. Unfortunately you canít create such an entry. If you want to enter an IP address, you select the IP addresses option and enter the IP address in the From text box. If you want to enter a range of IP addresses, enter the first IP address in the From text box and the last IP address in the To (optional) text box.
You can enter a path in the Path text box. The path statement allows you to create an entry for a specific folder, or even a file within a folder. For example, if you wanted the Destination Set entry to apply only to www.somedomain.com/pornofolder, you would enter /pornofolder in the Path text box. If you want the Destination Set entry to apply to a specific file within the folder, you would put /pornofolder/pornofile.htm in the Path text box. If the Destination Set entry needs to apply to a folder and all the files in the specific folder, then you would put /pornofolder/* in the Path text box. Itís not entirely clear what the difference is between the /pornofolder and /pornofolder/*, but I believe the difference is whether the request is for www.somedomain.com/pornofolder and www.somedomain.com/pornofolder/somefile.htm A subtle, but real difference.
- Click OK. Notice that you can put multiple entries in a single Destination Set. When publishing a particular Web site, you might only want one entry in a Destination Set, but if you were creating a Site and Content Rule to block multiple porno sites, you would create a Destination Set with multiple entries.
- Click OK to save the Destination Set.
While Destination Sets are easy to create, their rule power is in how theyíre applied. Destination Sets can be used in:
Site and Content Rules
Site and Content Rules allow you to control which sites users can and cannot access. Destination Sets allow you to designate which sites are affected by the Site and Content Rule. You could also create a Destination Set that contains a collection of sites that users do have access to. In this way, you can prevent users from accessing any site except those sites contained in the list.
For example, if you wanted to prevent access to a collection of porno sites, you can create a Site and Content Rule that denies access to those sites. The procedure works this way:
- Create the Destination Set. If you have many forbidden sites, you might want to import them from a text file into the Destination Set. You can do this by using the banner.txt and banner.vbs files located at ftp://ftp.tacteam.net You can also use Jim Harrisonís XML tool over at http://isatools.org
- After creating the Destination Set, the next step is to create the Site and Content Rule to block the sites contained in the Destination Set. In the ISA Management console, expand your server name and then expand the Access Policies node. Right click on Site and Content Rules, point to New and click Rule.
- On the Welcome to the New Site and Content Rule Wizard page, type in a name for the rule and then click Next.
- On the Rule Action page, select the Deny option. Make sure to put a checkmark in the If HTTP request, redirect request to this site checkbox. Then type in the URL to the site you want to redirect to. The site should be accessible to all internal network clients. The best way to do this is to make a site on the internal network that all machines can access and redirect the users to that site. You can specify a Web page that contains the network usage policy, so users know why they were redirected. Click Next.
- On the Rule Configuration page, select the Deny access based on destination option and click Next.
- On the Destination Sets page, select the Specified destination set option in the Apply this rule to drop down list box. Then select the name of the Destination Set you want this rule to apply to in the Name drop down list box. Click Next.
- On the Completing the New Site and Content Rule Wizard page, review your settings and click Finish.
When a user attempts to go to any of the sites contained in the Destination Set, he will be redirected to the site you configured in the Site and Content Rule.
Bandwidth Rules allow to you control the relative percentage of bandwidth available to a particular connection. Bandwidth Rules do not allow you to hard code the amount of bandwidth dedicated to a connection. For more information on how Bandwidth Rules work, check out my article on this subject at http://www.isaserver.org/pages/newsletters/december.asp
You can use Destination Sets to control the amount of bandwidth dedicated to a site or collection of sites. For example, suppose your company depends on a connection to a partnerís Web site to get information about products or services. Or maybe there is a Web site that contains critical information you need to keep your network up and running (like www.isaserver.org). You can create a Bandwidth Rule that assigns a higher bandwidth priority to these sites.
For example, suppose you wanted to give preference to connections made to www.isaserver.org. You can create the following Bandwidth Rule:
- In the ISA Management console, expand your server name and then right click on the Bandwidth Rule node. Point to New and click Rule.
- On the Welcome to the New Bandwidth Rule Wizard page, type in the name of the new rule. Click Next.
- On the Protocols page, select All IP traffic and click Next.
- On the Schedule page, select Always and click Next.
- On the Client type page, select the any request option. This is an interesting page, because if you select the Specific users and groups option and then configure a bandwidth rule that applies only to particular users and groups, users not contained in the group will not be able to access the site! You might have thought that the default Bandwidth Rule would apply, and allow the users not contained in the group to access the site using the settings in the Default Bandwidth Rule, but that doesnít turn out to be the case. Be careful when assigning a Bandwidth Rule for a particular site to a specific user or group, or you may end up with unexpected results! Click Next.
- On the Destination Sets page, select the Specified destination set option from the Apply this rule to drop down list box. Select the Destination Set for the site in the Name drop down list box. Click Next.
- On the Content Groups page, select the All content groups option. If you donít select the All content groups option, youíll have some interesting issues come up regarding SSL sites . Click Next.
- On the Bandwidth Priority page, select the Custom option. In the Name drop down list box, select the Bandwidth Priority you created for the site. Note that youíll have to create the Bandwidth Priority first, before you create the Bandwidth Rule. The are a number of schemes you can use to create Bandwidth Priorities and I discuss them in the article over at http://www.isaserver.org/pages/newsletters/december.asp After selecting the Bandwidth Priority, youíll be able to see the priority set for Outbound and Inbound bandwidth. Click Next.
- Review your settings and click Finish on the Completing the New Bandwidth Rule Wizard page.
Destination Sets in Web Publishing and Web Routing Rules
In part 2 of this article, Iíll cover how Destination Sets are used in both Web Publishing and Web Routing Rules. Because Web Publishing and Web Routing Rules are some substantial, and important subjects, Iíll dedicated an article Destination Set and these types of Rules.
Destination Sets Works Differently with Different Services
Remember that I mentioned earlier that you can use Destination Sets to control how access is controlled for a particular folder on a site. For example, you might not want to apply access control over the entire microsoft.com domain, but you would like to control access to the subdirectory www.microsoft.com/downloads folder. You can do this by creating s a destination set for www.microsoft.com, and then include the path /downloads/*. With the path statement included in the Destination Set, the rule would apply to all content in the downloads directory at www.microsoft.com site.
Different ISA Server client types use the path statement in the Destination Set differently. The results differ depending on whether you use the SecureNAT, Firewall Client or Web Proxy Client. The following table shows how path statements are processed by the different client types.
|Protocol||Web Proxy Client||SecureNAT Client||Firewall Client|
|HTTP||Yes||Sort of*||Sort of*|
*SecureNAT and Firewall Client computers can process path statements in destination sets if the requests move through the HTTP Redirector Filter. If the filter is disabled and the clients directly access the server on the Internet, then the path entries are ignored.
This chart can be boiled down into two basic observations:
The Web Proxy service handles all HTTP requests from Web Proxy clients and SecureNAT and Firewall clients if the HTTP Redirector Filter is enabled. This includes HTTP and HTTP tunneled (from Web Proxy clients) FTP requests. If you want to apply path statements for Destinations accessed via FTP, then you need to make the client a Web Proxy client.
If a request does not support path processing and the client makes a request for a site that has a Destination Set with a path statement in it, the Destination Set will still have no effect on how the request is handled. Instead of applying the rule to just the path, the client completely ignores that entry.
For example, suppose you created a Destination Set that included the following entries:
After creating the Destination Set, you decide to create a Site and Content rule that denies access to these sites. What would happen when you tried to access the sites contained in this destination set using NNTP?
First, ask yourself if NNTP supports path processing. Look at the above chart. You can see that NNTP does not support path processing. What do you think will happen when you try to access these sites via your newsreader?
When you try to access news://www.potus.net/flotus via your newsreader, you will be able to access the site. The reason is that the NNTP client is either a SecureNAT or Firewall client and the request is never handled by the Web Proxy service. Since SecureNAT and Firewall clients not accessing HTTP site never use the Web Proxy service, the ISA Server ignores the entry for the entire site and allows access. I am assuming that the default Site and Content rule is active, and allows access to all sites that are not denied.
ISA Server Alert
Remember the key concept: only requests that go through the Web Proxy service will evaluate the path statement in an entry in a Destination Set. If the request does not go through the Web Proxy service, the entire entry in the Destination Set is ignored. Web Proxy clients always sent their HTTP requests through the Web Proxy service. Firewall and SecureNAT clients will send requests through the Web Proxy service if the requests are forwarded through the HTTP Redirector Filter.
When you try to access www.sawhorse/comnet via your newsreader, the request will be denied. The reason for this is that the www.sawhorse.net entry in the Destination Set does not have a path statement. Since there is no path statement in the Destination Set entry, the destination is processed and the deny rule is applied.
SSL requests represent a special problem when it comes to destination sets. SSL requests will go through the Web Proxy service for all Web Proxy clients and SecureNAT and Firewall clients if the HTTP Redirector is enabled. If a Site and Content rule denies access to a destination set entry that includes a path statement, and the site is accessed via SSL, not only will the subdirectory be denied, but the entire server or domain will be denied. Be very wary of denying access to a destination set that includes a path if you expect to access any other area of that site.
Iíll talk more about what happens with SSL requests, Destination Sets and Site and Content Rules in part 2 of this article.
In this article we talked about Destination Sets how they work. Destination Sets can be part of Site and Content, Bandwidth, Web Publishing and Web Routing Rules. While Destination Sets are easy to create, its not always easy to interpret the exact effect they will have. Destination Sets have a different influence depending on how the request is processed.
I hope you found this article useful. If you have any questions on this article, please feel free to write to me at firstname.lastname@example.org. When you click the mail link, the subject link will be automatically entered so that Iíll know that it applies to this article.