Strong Outbound Access Control using the ISA Firewall (2004): Using Scripts to Populate URL Sets and Domain Name Sets
One of the ISA firewall's strong suits is its exceptional stateful application layer inspection. In addition to performing the basic task of stateful filtering (which even a simple "hardware" firewall can do), the ISA firewall's application layer inspection feature set allows the ISA firewall to actually understand the protocols passing through the firewall. In contrast to traditional second generation hardware firewalls, the ISA firewall represents a third generation firewall that is not only network aware, but application protocol aware. This article shows you how to leverage the ISA firewall's stateful application layer inspection by taking an automated approach to populating Domain Name Sets and URL Sets using scripts.
The ISA firewall's stateful application inspection mechanism allows you to control access not to "ports", but to the actual protocols moving through those ports. While the conventional "hardware" firewall is adept at passing packets using simple stateful filtering mechanisms that have been available since the mid-1990s, the ISA firewall's stateful application layer inspection brings it into the 21st century by controlling access at the application protocol layer. This allows strong inbound and outbound access control based on the firewall's application layer awareness, rather than on simply "opening and closing" ports.
One powerful example is the ability to control which sites users can access through the ISA firewall. You can combine this site control with strong user/group based access control and with protocol control, so that a single rule applies to particular users, particular protocols and particular destinations.
For example, you might have a group of users called "Web Users" and you want to block access to a list of 1500 URLs or domains for those users. You can create an Access Rule that blocks only those 1500 sites and allows access to all other sites when members of that group authenticate with the ISA firewall.
Another example might be that you want to create a block list of 5000 domains you want to prevent all users except for domain admins from reaching via any protocol. You can create a Domain Name Set and then apply this Domain Name Set to an Access Rule blocking these sites.
The trick is to find a way to get those thousands of domains or URLs into Domain Name Sets and URL Sets. You can enter these URLs and domains manually using the built-in tools included in the ISA Management console. The problem with this approach is that you'll need to get your clicking thumb ready for a long weekend as you click your way through the user interface to add all of these domains and URLs.
A better way is to import the sites you want to include in your URL Sets and Domain Name Sets from a text file. There are a number of places on the Internet where you can find such files (I won't mention any here because I don't want to create an implicit endorsement of any of them). Treat a downloaded list as untrusted input and review it before importing it: the scripts below add every line of the file to the set as written. Once you have a text file, you'll want to use a script to import the entries in the text file into a URL Set or a Domain Name Set.
First, let's start with the scripts. The first script below is used to import the entries in a text file into a URL Set. Copy the information into a text file and then save it as ImportURLs.vbs.
< ------------------Start with the line below this one----------------------- >
Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set URLSets = RuleElements.URLSets
' The URL Set must already exist; change "URLs" to the name of your set.
Set URLSet = URLSets.Item("URLs")
Set FileSys = CreateObject("Scripting.FileSystemObject")
' Change "urls.txt" to your file; the path is relative to the directory the script runs from.
Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)
' Empty the set first, so the text file is the complete list.
' Count is read once when the loop starts, so removing item 1 each pass walks the whole set.
For i = 1 to URLSet.Count
URLSet.Remove 1
Next
' Add each non-blank line; a blank line would make Add fail.
Do While UrlsFile.AtEndOfStream <> True
Entry = Trim(UrlsFile.ReadLine)
If Len(Entry) > 0 Then URLSet.Add Entry
Loop
UrlsFile.Close
WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"
< ------------------End with the line above this one----------------------- >
Two entries in this script need to be changed for your own setup.
In the line:
Set URLSet = URLSets.Item("URLs")
Change the URLs entry to the name of the URL Set you want to populate on the ISA firewall. The script fills an existing set; it does not create one, so the set must already exist under that name.
In the line:
Set UrlsFile = FileSys.OpenTextFile("urls.txt", 1)
Change the urls.txt entry to the name of the text file that contains the URLs you want to import into the ISA firewall's configuration.
The next script is used to import a collection of domains contained in a text file. Save the following information in a text file and name it ImportDomains.vbs.
< ------------------Start with the line below this one----------------------- >
Set Isa = CreateObject("FPC.Root")
Set CurArray = Isa.GetContainingArray
Set RuleElements = CurArray.RuleElements
Set DomainNameSets = RuleElements.DomainNameSets
' The Domain Name Set must already exist; change "Domains" to the name of your set.
Set DomainNameSet = DomainNameSets.Item("Domains")
Set FileSys = CreateObject("Scripting.FileSystemObject")
' Change "domains.txt" to your file; the path is relative to the directory the script runs from.
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)
' Empty the set first, so the text file is the complete list.
' Count is read once when the loop starts, so removing item 1 each pass walks the whole set.
For i = 1 to DomainNameSet.Count
DomainNameSet.Remove 1
Next
' Add each non-blank line; a blank line would make Add fail.
Do While DomainsFile.AtEndOfStream <> True
Entry = Trim(DomainsFile.ReadLine)
If Len(Entry) > 0 Then DomainNameSet.Add Entry
Loop
DomainsFile.Close
WScript.Echo "Saving..."
CurArray.Save
WScript.Echo "Done"
< ------------------End with the line above this one----------------------- >
Two entries in this script need to be changed for your own setup.
In the line:
Set DomainNameSet = DomainNameSets.Item("Domains")
Change the Domains entry to the name of the Domain Name Set you want to populate on the ISA firewall. As with the URL Set, the set must already exist; the script fills it but does not create it.
In the line:
Set DomainsFile = FileSys.OpenTextFile("domains.txt", 1)
Change the domains.txt entry to the name of the text file that contains the domains you want to import into the ISA firewall's configuration.
Using the Import Scripts
Now let's see how the scripts work. The first thing you need to do is create the URL Set and the Domain Name Set in the Microsoft Internet Security and Acceleration Server 2004 management console, because the scripts populate existing sets rather than creating new ones. This is easy and involves only a few steps.
First, we'll create a URL Set named URLs, since that's the default name in our script. Remember, you can change the URL Set name in the script if you like; just make sure you first create a URL Set in the Microsoft Internet Security and Acceleration Server 2004 management console with the same name.
Perform the following steps to create a URL Set with the name URLs:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node.
- In the Firewall Policy node, click the Toolbox tab in the Task Pane. In the Toolbox, click the Network Objects tab.
- In the Network Objects tab, click the New menu and click URL Set.
- In the New URL Set Rule Element dialog box, enter URLs in the Name text box. Click OK.
- The URL Set now appears in the list of URL Sets.
The next step is to create a Domain Name Set with the name Domains, which is the default name of the Set used in the ImportDomains script. Remember, you can use a different name for the Domain Name Set; just make sure it matches the name you set in the script.
Perform the following steps to create the Domain Name Set with the name Domains:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node.
- On the Firewall Policy node, click the Toolbox tab in the Task Pane. In the Toolbox, click the Network Objects tab.
- In the Network Objects tab, click the New menu and click Domain Name Set.
- In the New Domain Name Set Policy Element dialog box, enter Domains in the Name text box. Click OK.
- The new entry appears in the list of Domain Name Sets.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
Now we need to create two text files: urls.txt and domains.txt. Those are the default names used in the scripts. You can change the names of the files, but make sure they match the names you configure in the scripts.
The domains.txt file will contain the following entries. Each entry is matched as written, so stuff.com covers that name only; add the wildcard form *.stuff.com as well if you want every host in the domain covered.
stuff.com
blah.com
scumware.com
The urls.txt file will contain the following entries. A URL Set entry such as http://www.cisco.com matches that URL only; to cover every page on the site, end the entry with /* (for example http://www.cisco.com/*).
http://www.cisco.com
http://www.checkpoint.com
http://www.sonicwall.com
Next, copy the script files and the text files into the same directory. In this example, we'll copy the script files and text files into the root of the C: drive. Double click on the ImportURLs.vbs file. You'll first see a dialog box that says Saving. Click OK. (If you prefer the messages in a console window instead of dialog boxes, run the script from a command prompt with cscript ImportURLs.vbs.)
Depending on how many URLs you're importing, it will be a few moments or a few minutes until you see the next dialog box, which informs you that the import was completed. Click OK.
Now we'll import the Domains. Double click the ImportDomains.vbs file. You'll see the Saving dialog box again. Click OK. A few moments to a few minutes later, you'll see the Done dialog box. Click OK.
Close the Microsoft Internet Security and Acceleration Server 2004 management console if it is open. Now open the Microsoft Internet Security and Acceleration Server 2004 management console and go to the Firewall Policy node in the left pane of the console.
Note:
You can avoid closing and reopening the Microsoft Internet Security and Acceleration Server 2004 management console by clicking the Refresh button in the console's button bar.
Click the Toolbox tab in the Task Pane and click the Network Objects bar. Click the URL Sets folder. Double click the URLs URL Set. You'll see that the URL Set was populated with the entries in your text file. Cool!
Click on the Domain Name Sets folder. Double click on the Domains entry. You'll see that the Domain Name Set is populated with the domains you want to block, or allow, depending on your need. In this example I included a set of domains we'd like to block ;-)
As you obtain more URLs, you can add them to the same text files and run the script again. Because each script empties the set before importing, the set ends up containing exactly what is in the file: nothing already in the set is duplicated, and anything you remove from the file is removed from the set as well. Note that the scripts do not filter duplicate lines within the file itself, so keep each file free of repeated entries.
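As an added example that is not part of the original article, the following script folds the two importers above into one that takes the set type, set name and file name on the command line, cleans the list before touching the firewall (trims whitespace, skips blank and comment lines, collapses duplicate lines, rejects entries with embedded whitespace or a bare wildcard), creates the set if it does not already exist, and reports every entry the firewall refuses instead of stopping at the first error. It uses the same FPC COM object model as the scripts above and assumes it runs on the ISA firewall under an account that may modify the configuration; the set names, file names and the validity checks in EntryLooksValid are the example's own choices, not ISA requirements.

```vbscript
' ImportSet.vbs  (added example; not one of the article's scripts)
' Usage: cscript ImportSet.vbs url|domain <SetName> <ListFile>
' Assumes the ISA Server 2004 FPC COM object is present on this machine and that the
' caller may modify the firewall configuration. Set and file names come from the command line.
Option Explicit

Dim setKind, setName, fileName
If WScript.Arguments.Count <> 3 Then
    WScript.Echo "Usage: cscript ImportSet.vbs url|domain <SetName> <ListFile>"
    WScript.Quit 1
End If
setKind  = LCase(WScript.Arguments(0))
setName  = WScript.Arguments(1)
fileName = WScript.Arguments(2)

' Cheap sanity checks so one stray line cannot silently widen or break the rule.
' These are this example's rules of thumb, not ISA's own validation.
Function EntryLooksValid(kind, s)
    EntryLooksValid = False
    If InStr(s, " ") > 0 Or InStr(s, vbTab) > 0 Then Exit Function  ' embedded whitespace
    If s = "*" Or s = "*.*" Then Exit Function                      ' would match every host
    If kind = "url" Then
        EntryLooksValid = (LCase(Left(s, 7)) = "http://" Or LCase(Left(s, 8)) = "https://")
    Else
        EntryLooksValid = (InStr(s, "/") = 0 And InStr(s, ":") = 0)  ' a host name, not a URL
    End If
End Function

' 1. Read and clean the whole file first, so a bad file never leaves a half-emptied set behind.
Dim fso, f, txt, entries, rejected
Set entries = CreateObject("Scripting.Dictionary")
entries.CompareMode = vbTextCompare          ' Foo.com and foo.com count as one entry
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(fileName, 1)
rejected = 0
Do Until f.AtEndOfStream
    txt = Trim(f.ReadLine)
    If Len(txt) = 0 Or Left(txt, 1) = "#" Then
        ' blank line or comment: ignore
    ElseIf Not EntryLooksValid(setKind, txt) Then
        WScript.Echo "Rejected by script: " & txt
        rejected = rejected + 1
    ElseIf Not entries.Exists(txt) Then
        entries.Add txt, True                 ' duplicate lines in the file collapse to one
    End If
Loop
f.Close
If entries.Count = 0 Then
    WScript.Echo "No usable entries in " & fileName & "; " & setName & " left unchanged."
    WScript.Quit 1
End If

' 2. Find the target set, creating it if the console step was skipped.
Dim root, arr, sets, target
Set root = CreateObject("FPC.Root")
Set arr  = root.GetContainingArray
If setKind = "url" Then
    Set sets = arr.RuleElements.URLSets
ElseIf setKind = "domain" Then
    Set sets = arr.RuleElements.DomainNameSets
Else
    WScript.Echo "Unknown set type: " & setKind
    WScript.Quit 1
End If
On Error Resume Next
Set target = sets.Item(setName)
If Err.Number <> 0 Then
    Err.Clear
    Set target = sets.Add(setName)
    If Err.Number <> 0 Then
        WScript.Echo "Cannot open or create " & setName & ": " & Err.Description
        WScript.Quit 1
    End If
    WScript.Echo "Created new set " & setName
End If
On Error GoTo 0

' 3. Replace the set's contents. Count is evaluated once, so Remove 1 on each pass empties it.
Dim i, key, failed
For i = 1 To target.Count
    target.Remove 1
Next
failed = 0
On Error Resume Next
For Each key In entries.Keys
    target.Add key
    If Err.Number <> 0 Then                   ' keep going and report what ISA would not take
        WScript.Echo "Rejected by ISA: " & key & " (" & Err.Description & ")"
        Err.Clear
        failed = failed + 1
    End If
Next
On Error GoTo 0

arr.Save
WScript.Echo "Imported " & (entries.Count - failed) & " entries into " & setName & _
    "; " & rejected & " rejected by the script, " & failed & " rejected by ISA."
```

Run it with cscript so the messages go to the console rather than one dialog box per line, for example cscript ImportSet.vbs domain Domains domains.txt. As with the article's scripts, the set is emptied before the cleaned list is written, so the text file remains the complete, authoritative list; the difference is that a malformed or empty file is detected before the set is touched, and the count of accepted and rejected entries is reported at the end so you can check it against the size of the list you downloaded.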
Conclusion
In this article we detailed one aspect of the ISA firewall's strong stateful application layer inspection feature set. The ISA firewall can inspect inbound and outbound requests and control access based on destination URL or domain name. The challenge with controlling access on a per site basis is to populate URL Sets and Domain Name Sets with the dozens, hundreds or thousands of entries you want to block or allow. One way to meet this challenge is to use a script. We went over two scripts you can use to import entries contained in text files into Domain Name Sets and URL Sets.
