Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


January 2007

Blocking Web Sites in ISA Server

Scripts import blacklisted domains into ISA for inexpensive content filtering

Step 5: Import Blacklist into Bad-Sites
Download the script named ImportBlacklist.vbs by clicking the 94079.zip link. Unzip the downloaded file and copy the two files it contains to your ISA Server's hard drive. (I'll explain the other file, ScheduledUpdate.bat, in a moment.)

The ImportBlacklist.vbs script imports a text file of domain names into a domain name set on ISA Server 2004 or 2006, either the Standard or Enterprise edition. Copy the porn\domains blacklist file to the folder on your ISA Server system that contains the ImportBlacklist.vbs script, then run the following command in a CMD shell (type the command all on one line) to fill your Bad-Sites list:

cscript.exe ImportBlacklist.vbs Bad-Sites domains

To import domains from multiple files, merge them all together into one large file. For example, to append one file (domains1) to the end of another file (domains2), use the Type command as follows:

type domains1 >> domains2 

Alternatively, you could create multiple Bad-Sites sets, one for each file to be imported, and add all these Bad-Sites sets to the destination in the Site_Blocker rule.

By default, the script deletes the contents of the domain name set first, then imports from the text file, so it's better to do your list management in the text file than in the domain name set itself. When the script finishes, refresh your ISA Server Management console to see the new contents of the Bad-Sites list (or close and reopen the console, which is often faster).

That's it! Now, when a user requests a file from a blocked domain, the user will get an error page instead. As long as the HTTP request is routed through ISA Server, this domain blocking works even when the user's browser isn't configured as a Web proxy client. (But it's better to configure all browsers as proxy clients.) And the performance penalty of ongoing domain blocking is relatively small because it's not regular expression pattern matching, it's just simple string comparisons against the user's requested URL. Very slick.

Step 6: Schedule Updates
Manually downloading blacklist updates and importing them into ISA Server is easy enough, but it can be tedious. Fortunately, it can be scripted. A scheduled batch script that uses a free Windows version of wget.exe (http://www.gnu.org/software/wget) can download the latest version of your favorite blacklist every week or night, then run gunzip.exe, tar.exe, and ImportBlacklist.vbs to update your ISA Server system hands-free.

Listing 1 shows a simple batch script named ScheduledUpdate.bat that performs these tasks. The script downloads a small demo blacklist from URLBlacklist.com and imports its porn list into an ISA Server domain name set named Bad-Sites using the ImportBlacklist.vbs script. In real life, you'll need to edit this script to download the full blacklist for which you've paid and to perform error-checking, logging, and/or administrator notification. Use the Scheduled Tasks applet in Control Panel to schedule the script.

Updating your blacklist is important because new bad sites are found every week. Scheduling this work is important because of the time it takes to import very large lists. On a server with a single 2.2GHz Pentium 4 CPU, for example, it takes less than 10 minutes to import 100,000 domains from a blacklist file, but that same machine requires three hours to import 500,000 domains. And during the import process, the CPU will be pegged at 100 percent. So, schedule the blacklist updates for off-peak hours, and run the ImportBlacklist.vbs script with the \belownormal option (as the last line of Listing 1 shows) to use a lower multitasking priority. Other ISA Server processes will have an easier time getting CPU cycles.

Note that you'll have to allow ISA Server HTTP access to the Internet for the batch script to run. Following the procedure in Step 3, create a rule that gives ISA Server access only to the blacklist download site. Set the source network to Local Host and the destination URL to the location of the blacklist to be downloaded.
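
The merging step in Step 5 and the error-checking that Step 6 asks you to add can be combined into one pre-import gate. Because the import empties the domain name set before refilling it, an empty or truncated download would otherwise wipe out the Bad-Sites list. The following is an added example, not part of ImportBlacklist.vbs, ScheduledUpdate.bat, or the original article; it assumes Python is available on the machine that prepares the file, that each input line holds one plain domain name, and the script name (merge_blacklists.py) and 50 percent shrink threshold are hypothetical choices.

```python
# Added example: script name, 50% threshold and one-name-per-line input are assumptions.
import os
import re
import sys

_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label, max 63 chars

def clean_domain(line):
    """Return the normalized domain on this line, or None if it is not one."""
    name = line.strip().lower().rstrip(".")
    labels = name.split(".")
    valid = len(name) <= 253 and len(labels) > 1 and all(map(_LABEL.fullmatch, labels))
    return name if valid else None

def merge_lists(sources):
    """Merge iterables of lines into (sorted unique domains, rejected count)."""
    merged, rejected = set(), 0
    for lines in sources:
        for line in lines:
            name = clean_domain(line)
            if name:
                merged.add(name)
            elif line.strip():          # blank lines are not errors
                rejected += 1
    return sorted(merged), rejected

def safe_to_import(new_count, previous_count, min_ratio=0.5):
    """False for an empty list or one that shrank below min_ratio of the last."""
    return new_count > 0 and new_count >= previous_count * min_ratio

def read_lines(path):
    with open(path, encoding="latin-1") as f:
        return f.readlines()

def main(argv):
    if len(argv) < 3:
        print("usage: merge_blacklists.py OUTPUT INPUT [INPUT ...]")
        return 2
    previous = len(read_lines(argv[1])) if os.path.exists(argv[1]) else 0
    domains, rejected = merge_lists(read_lines(p) for p in argv[2:])
    if not safe_to_import(len(domains), previous):
        print("refusing update: %d domains, %d before" % (len(domains), previous))
        return 1                        # caller must skip the import step
    with open(argv[1], "w", encoding="ascii", newline="\r\n") as f:
        f.writelines(d + "\n" for d in domains)
    print("wrote %d domains, rejected %d lines" % (len(domains), rejected))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the scheduled batch file before ImportBlacklist.vbs and skip the import when it exits non-zero, so a failed download leaves the existing Bad-Sites set in place. Removing duplicates also shortens the import, which matters given how steeply import time grows with list size.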

Importing blacklists for domain blocking is just one example of ISA Server's scriptability. You can find lots of other scripts at sites such as http://www.isatools.org, http://www.isaserver.bm, and http://www.isascripts.org (my site), and Microsoft has an ISA Server software development kit (SDK) if you want to write your own. Using blacklists and scripts as we've done here won't be as scalable or full-featured as using a commercial content filter, but if you're on a budget, it might be good enough.

SOLUTION STEPS:

  1. Use ISA Server.
  2. Create a domain name set.
  3. Create a blocking rule.
  4. Download a blacklist.
  5. Import blacklist into Bad-Sites domain name set.
  6. Schedule updates.



Reader Comments
You can also download a free TAR for Windows from http://gnuwin32.sourceforge.net/packages/tar.htm

And free GZIP and GUNZIP for Windows from http://www.gzip.org

PentonReader January 10, 2007


Where is the file for this document? 94079.zip

I've looked everywhere.


lbueno AT domitek.net

lbueno February 12, 2007


Where is the file (94079.zip)?
I looked for this file everywhere on this page.
Why can I not find this link?
Please show the link in a place where I can easily find it.

tanakalee March 12, 2007


Where is file 94079.zip

ragtop19 March 12, 2007


Yes, I subscribe to the magazine and it points me here to download the script but it's nowhere in sight...

sysgo March 16, 2007


Here's how to find the zip file - go to "Keyword Search" at the top of the page and enter the file name 94079.zip instead.

sysgo March 16, 2007


http://www.windowsitpro.com/Files/94079/94079.zip

rpos06 March 27, 2007


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement