Blocking Desired Extensions and Content Types
[LEFT][CODE]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type.aspx[/CODE]
[FONT=Arial]Background
[SIZE=2]This is most useful when you need to block streaming media, where you can combine blocking by Extension and by Content Type.[/SIZE][/FONT]
Configuration
[LIST][*] Open [B]ISA Management Console[/B]
[/LIST]
[LIST][*] Create a new Access Rule: right-click [B]Firewall Policy[/B], click [B]New[/B], then choose [B]Access Rule[/B][/LIST]
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/new_Access_Rule.JPG[/IMG]
This can also be done from the [B]Right Pane[/B], under the [B]Tasks[/B] bar:
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/New_Access_Rule_2.JPG[/IMG]
[LIST][*] The [B]New Access Rule Wizard[/B] will be launched. Give your new rule a name (in this example we will name it Allow Internet), then click [B]Next[/B]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/New_access_rule.JPG[/IMG][/LIST]
[LIST][*] On the [B]Rule Action[/B] page, we choose the action the rule applies to our users. First we need to create the rule that allows them Internet access, so we choose [B]Allow[/B], then click [B]Next[/B]
[*] I always prefer not to grant users an open rule, by which I mean a rule with all outbound protocols; that's why I always prefer to grant my users selected protocols for each rule. [FONT=Arial]On the [B]Protocols[/B] page, from the drop-down list of [B]This Rule Applies To[/B], choose [B]Selected Protocols[/B],
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/New_Access_Rule_Wizard_protocol.JPG[/IMG]
click the [B]Add[/B] button; the [B]Add Protocol[/B] page will open. Expand the [B]Common Protocols[/B] container, choose the HTTP, HTTPS, POP3 and SMTP protocols (these are the most commonly used; you can add any other protocols as desired), click [B]Add[/B], then click [B]Close[/B]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Selected_Protocols.JPG[/IMG]
The selected protocols will be displayed on the [B]Protocols[/B] page; click [B]Next[/B]
[/FONT][*] On the [B]Access Rule Sources[/B] page, click the [B] Add[/B] button. In the [B]Add Network Entities[/B] dialog box, click on the [B]Networks[/B] folder. Double click on the [B]Internal[/B] network, then click the [B]Close[/B] button in the [B]Add Network Entities[/B] dialog box. Click [B]Next[/B] in the [B] Access Rule Sources[/B] dialog box.
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/choose_internal_network_source.JPG[/IMG]
[*] Click the [B]Add[/B] button on the [B]Access Rule Destinations[/B] page. In the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder. Double click the [B]External[/B] entry and click [B]Close[/B] in the [B]Add Network Entities [/B]dialog box. Click [B]Next[/B] on the [B]Access Rule Destinations[/B] page.
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/choose_external_network_destination.JPG[/IMG][*] On the [B]User Sets[/B] page, accept the default setting of [B]All Users[/B].
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/All_Users_Condition.JPG[/IMG][*] Review your settings and click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Review_Rule.JPG[/IMG][*] Click the [B]Apply[/B] button to save the changes and update the firewall policy. This button is located at the top of the Details pane (the middle pane) of the console.
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/Apply_button.JPG[/IMG][*] [FONT=Arial] Your rule will look like this:
[/FONT] [IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Rule_After_Creation.JPG[/IMG]
[*] The rule you have just created permits your users to surf the Internet with only the selected protocols, but they will still be able to download whatever they want. What you need to do is restrict this by File Extension and/or Content Type.
[*] Right click your Allow Rule, then click on [B] Configure HTTP[/B]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Configure_Http.JPG[/IMG][*] [SIZE=2][FONT=Arial]The [B]Configure HTTP Policy[/B] page will open
[/FONT][/SIZE] [FONT=Arial] [SIZE=2]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Configure_Http2.JPG[/IMG]
In this article we will only discuss the [B]Extensions[/B] tab; for more information on the [B]Configure HTTP Policy[/B] page, check the related links at the end of this article.
[/SIZE][/FONT][*] [SIZE=2][FONT=Arial] Click on the Extensions Tab, then from the drop down list choose [B]Block specified extensions (allow all others)[/B].
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/block_selected_extensions.JPG[/IMG]
[/FONT][/SIZE][*] Click on the [B]Add[/B] button
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/add_block_selected_extensions.JPG[/IMG]
On this page, add the extensions you want to block, such as wmv, avi and so on.
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/block_selected_extensions2.JPG[/IMG]
After you finish adding the extensions you want to block, click [B]OK[/B]
[*] Click the [B]Apply[/B] button to save the changes and update the firewall policy.
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/Apply_button.JPG[/IMG][*] We are now finished with the [B]Extensions[/B] part. If you also need to block by [B]Content Type[/B], double-click the [B]Allow Internet[/B] rule
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/Rule_After_Creation.JPG[/IMG]
Then click on the [B]Content Types[/B] Tab
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/rule_properties.JPG[/IMG][*] [SIZE=2][FONT=Arial]By default, all content types are enabled. What we need to do now is select only the ones we want enabled on this rule, so we select the radio button beside [B]Selected content types (with this option selected, the rule is applicable only to HTTP traffic)[/B] under [B]This rule applies to[/B]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/content_types%20properties.JPG[/IMG][/FONT][/SIZE][FONT=Arial][SIZE=2]
[/SIZE][/FONT][*] [SIZE=2][FONT=Arial] Start selecting the content types you want to enable. In this article we do not want to enable streaming content types, so we leave the audio and video content types deselected. When you have finished selecting, click [B]OK[/B]
[IMG]http://www.elmajdal.net/ISAServer/Block_Desired_Extension_Content_Type/seelcted_content_types%20properties.JPG[/IMG]
[/FONT][/SIZE][*] Click the [B]Apply[/B] button to save the changes and update the firewall policy.
[IMG]http://www.elmajdal.net/ISAServer/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006/Apply_button.JPG[/IMG]
[/LIST]
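Why the two filters are used together, as an added example that is not part of the original article and not ISA Server code: a simplified model of both checks run over constructed sample traffic, showing which filter stops each response. The matching logic, the function names and the sample URLs are assumptions made for illustration; ISA Server's own matching may differ in detail.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy mirroring the article's choices (not read from ISA Server).
BLOCKED_EXTENSIONS = {".wmv", ".avi"}           # Extensions tab: block specified
BLOCKED_TYPE_PREFIXES = ("audio/", "video/")    # Content Types tab: left deselected


def url_extension(url):
    """Extension of the URL path only; query string and fragment are ignored."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def extension_allows(url):
    return url_extension(url) not in BLOCKED_EXTENSIONS


def content_type_allows(content_type):
    # Drop parameters such as "; charset=utf-8" before comparing.
    media_type = content_type.split(";", 1)[0].strip().lower()
    return not media_type.startswith(BLOCKED_TYPE_PREFIXES)


def caught_by(url, content_type):
    """Name the filter(s) that would stop this response, or 'none'."""
    hits = []
    if not extension_allows(url):
        hits.append("extension")
    if not content_type_allows(content_type):
        hits.append("content type")
    return " + ".join(hits) or "none"


# Constructed sample traffic: (requested URL, Content-Type of the response).
SAMPLES = [
    ("http://media.example.com/clips/demo.wmv", "video/x-ms-wmv"),
    ("http://media.example.com/play?id=42", "video/x-ms-wmv"),
    ("http://files.example.com/archive/talk.AVI", "application/octet-stream"),
    ("http://www.example.com/index.html", "text/html; charset=utf-8"),
]


def coverage_report(samples=SAMPLES):
    return [(url, caught_by(url, ctype)) for url, ctype in samples]


if __name__ == "__main__":
    for url, verdict in coverage_report():
        print(f"{verdict:25} {url}")
```

The second and third samples are each stopped by only one of the two filters, which is the case the combined rule is meant to cover.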
[FONT=Arial] Summary
[/FONT] In this article, we learned how to create a new Access Rule, and how to filter this allow rule to block selected extensions and content types.
[/LEFT]