Microsoft KB Archive/837447

= How to block traffic from an Internet-based music sharing service in ISA Server 2004 =

Article ID: 837447

Article Last Modified on 7/16/2004

APPLIES TO

 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 275237.



INTRODUCTION
This article describes how to prevent traffic from an Internet-based music-sharing resource, such as Napster, from passing through Microsoft Internet Security and Acceleration (ISA) Server 2004.



MORE INFORMATION
You can use several methods to help prevent users from accessing an Internet-based resource through ISA Server 2004. While this article uses Napster.com as an example, you can use the methods that are described in this article to deny access to various Internet-based resources.

Method 1: Use a domain name set
Create an access rule to deny access to a specific destination that the Internet-based service requires for its initial logon process. To create an access rule, first create a domain name set policy element for the destination. Use that domain name set to deny access to the particular domain or to redirect the client request to an internal Internet access policy Web page. To create a domain name set policy element and an access rule, follow these steps:
 * 1) Start ISA Server Management, and then connect to your ISA Server computer if you are not already connected.
 * 2) Expand  , where  is the name of your ISA Server computer, and then click Firewall Policy.
 * 3) Click the Toolbox tab, click Network Objects, click New, and then click Domain Name Set.
 * 4) In the Name box, type a name for the domain name set policy element.
 * 5) Click New, and then type the domain name that you want this policy element to define. For example, type *.napster.com.
 * 6) Click OK.
 * 7) Click the Tasks tab, and then click Create New Access Rule.
 * 8) Type a name for the access rule, and then click Next.
 * 9) Leave the Deny option selected, and then click Next.
 * 10) Leave the All outbound protocols option selected in the This rule applies to list, and then click Next.
 * 11) Click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from accessing Napster.com, expand Networks, click Internal, click Add, and then click Close.
 * 12) Click Next, and then click Add.
 * 13) Expand Domain Name Sets, click the new domain name set that you created, click Add, and then click Close.
 * 14) Click Next, leave the default All Users user set that is listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
 * 15) If you want to redirect the client request to an internal Internet access policy Web page, follow these steps:
   * a) Right-click the new access rule that you created, and then click Properties.
   * b) Click the Action tab, click to select the Redirect HTTP requests to this Web page check box, type the URL of that Web page, and then click OK.
 * 16) Click Apply to save your changes and to update the firewall policy, and then click OK.

Note If you have other access rules that are listed before this rule on the Firewall Policy tab, you might have to move this rule up. This action makes sure that this rule is enforced before other "allow" rules permit access to the Internet service that you want to restrict. To move an access rule up, right-click the rule, and then click Move Up. After you have modified the rule hierarchy, click Apply to save your changes and to update the firewall policy, and then click OK.

Method 2: Use a content type
To create an access rule that denies the .mp3 content type, follow these steps:
 * 1) Start ISA Server Management, and then connect to your ISA Server computer if you are not already connected.
 * 2) Expand  , and then click Firewall Policy.
 * 3) Click the Toolbox tab, click Content Types, and then click New.
 * 4) In the Name box, type a name for the .mp3 content type.
 * 5) In the Available types list, click .mp3, and then click Add.
 * 6) Click OK.
 * 7) Click the Tasks tab, and then click Create New Access Rule.
 * 8) Type a name for the access rule, and then click Next.
 * 9) Leave the Deny option selected, and then click Next.
 * 10) Leave the All outbound protocols option selected in the This rule applies to list, and then click Next.
 * 11) Click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from downloading .mp3 files, expand Networks, click Internal, click Add, and then click Close.
 * 12) Click Next, and then click Add.
 * 13) Expand Networks, click External, click Add, and then click Close.
 * 14) Click Next, leave the default All Users user set listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
 * 15) Right-click the new access rule that you created, and then click Properties.
 * 16) Click the Content Types tab, and then click Selected content types.
 * 17) In the Content types list, click to select the check box that corresponds to the new content type that you created for .mp3 files, and then click OK.
 * 18) Click Apply to save your changes and to update the firewall policy, and then click OK.

Note When you create a content filter, only HTTP traffic is filtered. Therefore, some peer-to-peer file sharing programs may not be blocked.

Method 3: Use a protocol definition
Use a protocol definition to deny access to the Internet-based resource. File sharing services use a particular port for their initial connection. For example, Napster uses TCP port 8875 for the initial connection, and then the local file sharing service port is negotiated for each connection. You can use Network Monitor to determine the ports that are used by a particular program for the initial connection.

Note Determine the correct port that the service uses for its initial connection when you configure the protocol definition. These ports may change.

After you obtain the latest information about the port or ports that are used for the outbound connection, create an access rule to deny access to the particular protocol definition. The protocol definition will have settings that are similar to the following:

 * Port number: 8875 (or another)
 * Protocol type: TCP
 * Direction: Outbound

To create an access rule that is based on a protocol definition, follow these steps:
 * 1) Start ISA Server Management, and then connect to your ISA Server computer if you are not already connected.
 * 2) Expand  , and then click Firewall Policy.
 * 3) Click the Toolbox tab, click Protocols, click New, and then click Protocol.
 * 4) In the Name box, type a name for the protocol definition, and then click Next.
 * 5) Click New, leave the TCP option selected in the Protocol type list, leave the Outbound option selected in the Direction list, type the port number that you want to define in the From box and in the To box, and then click OK.
 * 6) Click Next two times, and then click Finish.
 * 7) Click the Tasks tab, and then click Create New Access Rule.
 * 8) Type a name for the access rule, and then click Next.
 * 9) Leave the Deny option selected, and then click Next.
 * 10) In the This rule applies to list, click Selected protocols, and then click Add.
 * 11) Expand User-Defined, click the new protocol definition that you created, click Add, and then click Close.
 * 12) Click Next, click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from connecting to a particular service port, expand Networks, click Internal, click Add, and then click Close.
 * 13) Click Next, and then click Add.
 * 14) Expand Networks, click External, click Add, and then click Close.
 * 15) Click Next, leave the default All Users user set listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
 * 16) Click Apply to save your changes and to update the firewall policy, and then click OK.
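The three methods above, and the three notes that go with them, all come down to how ISA Server evaluates its ordered access rules: the first rule that matches wins, a content type condition only ever sees HTTP, and a protocol definition only matches the port it names. The following added example (not ISA Server code, and not from the article) is a small first-match model with one rule per method; the rule and network names are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Request:
    src_net: str            # network the client belongs to, e.g. "Internal"
    dst_net: str            # network the destination belongs to, e.g. "External"
    host: str               # destination FQDN
    port: int               # TCP destination port
    content_type: str = ""  # content type of the HTTP response, if any
    http: bool = False      # True only for traffic the Web proxy filter inspects

@dataclass
class Rule:
    name: str
    action: str                              # "Allow" or "Deny"
    from_nets: frozenset                     # source network entity (all methods)
    domains: frozenset = frozenset()         # Method 1: domain name set, e.g. "*.napster.com"
    to_nets: frozenset = frozenset()         # Methods 2 and 3: destination network
    content_types: frozenset = frozenset()   # Method 2: content type; HTTP only (see Note)
    ports: frozenset = frozenset()           # Method 3: protocol definition (TCP, outbound)

    def matches(self, r: Request) -> bool:
        if r.src_net not in self.from_nets:
            return False
        if self.domains and not any(fnmatch(r.host, d) for d in self.domains):
            return False
        if self.to_nets and r.dst_net not in self.to_nets:
            return False
        if self.ports and r.port not in self.ports:
            return False
        if self.content_types and not (r.http and r.content_type in self.content_types):
            return False
        return True

def evaluate(rules, req):
    """First matching rule wins; anything no rule allows is denied by the default rule."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "Deny", "Default rule"

# Constructed rules (hypothetical names; not taken from the article).
INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})
ALLOW_WEB = Rule("Allow Internet", "Allow", INTERNAL, to_nets=EXTERNAL)
DENY_NAPSTER = Rule("Deny Napster", "Deny", INTERNAL, domains=frozenset({"*.napster.com"}))
DENY_MP3 = Rule("Deny mp3", "Deny", INTERNAL, to_nets=EXTERNAL, content_types=frozenset({".mp3"}))
DENY_8875 = Rule("Deny Napster logon port", "Deny", INTERNAL, to_nets=EXTERNAL, ports=frozenset({8875}))
```

Evaluating `[ALLOW_WEB, DENY_NAPSTER]` against a logon to `server.napster.com` returns the allow rule, and `[DENY_NAPSTER, ALLOW_WEB]` returns the deny rule, which is the ordering point the note under Method 1 makes; the same model shows an .mp3 transfer outside HTTP and a service that moved off port 8875 slipping past Methods 2 and 3.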

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbinfo KB837447


© Microsoft Corporation. All rights reserved.