Use IP addresses to prohibit internal users from accessing the Internet

Source: Internet
Author: User

In ISA Server 2004, it is very easy to prohibit clients from accessing the Internet. You can block by IP address or by user. This article describes how to use IP addresses to prohibit certain clients from accessing the Internet. It is suitable for environments with fixed IP addresses.
How to use identity verification to prohibit users from accessing the Internet is described in another article on this site, "How to: use identity verification to prohibit internal users from accessing the Internet".

Access rule settings can be classified into implicit and explicit prohibitions. Implicit prohibition means that clients are simply not explicitly allowed to access the external network. It is suitable for environments with strictly defined policies: if the policy allows only some clients to access the Internet, all other clients are naturally unable to access it. Explicit prohibition means explicitly denying some clients access to the external network. It is suitable for blocking some clients from the Internet in a loosely defined environment.
Prohibiting Internet access by IP address can be done either way, implicitly or explicitly.

In terms of policy selection, I personally prefer the latter type, probably because I am lazy :). However, I believe that most network environments adopt a loosely defined policy, so I will explain how to set a policy that explicitly prohibits clients from accessing the Internet.

1. Prohibiting by IP address

First of all, we will cover prohibiting by IP address. This is suitable for users with fixed IP addresses.

The procedure is as follows:

1. Create an address set or computer set for the clients whose Internet access you want to block;

2. Create an address range or domain name set for the target addresses that these clients are prohibited from accessing. This step can be omitted if the client is to be completely prohibited from accessing the Internet; in that case, use the External network provided by ISA;

3. Create an access rule in the firewall policy.

In this article, we take the client IP address 192.168.0.41 as an example. First, we set a policy to prohibit it from accessing the external network, and then we change the policy to prohibit it from accessing the Yahoo website while still allowing it to access other websites.

Open "network object" in the toolbox on the right of the firewall policy, right-click "computer set", and select "new computer set";

Click "add" in the "Create computer set" dialog box and select "computer";

In the "add computer" dialog box, enter the computer name and IP address, and click "OK";

The created computer set is shown. Click "OK";

Right-click the firewall policy, select "create access rule", and enter the rule name on the first page of the create access rule wizard;

Set the rule action to deny, and then select the created "denyed clients" computer set as the source network;

Select the external network as the target network;

Follow the prompts to complete the wizard; the result is as shown in the figure below. Click "Apply" to save the changes and update the firewall settings;

Note that the 2nd rule is "unrestricted Internet access", which allows all internal clients to access the external network; the deny rule sits above it, so it is evaluated first;

 

Then test from the client. As shown, the client is no longer able to access the Internet.

Now let's make this client unable to access Yahoo's website while still able to access other websites.

First, you have to create a set for the target addresses that the client is forbidden to access. To save time, I use a domain name set; if you want to use another kind of set, you also need to look up the IP addresses. As before, in "network object", right-click "Domain Name set" and select "new domain name set";

I added Yahoo's website to the domain name set;

Then double-click the created "denyed clients" rule and change its target network from "external" to "*.yahoo.com";

The modified policy is shown. Click "Apply";

Now, you can access the ISA Chinese site on the client;

But Yahoo cannot be accessed.
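
The behaviour of the two rules above can be modelled as ordered, first-match evaluation. The following Python sketch is an added example, not part of the original article and not ISA Server's own API; the internal range 192.168.0.0/24, the second client 192.168.0.42, the test host names and the glob-style domain matching are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed model of the article's policy; names mirror the article's objects.
DENIED_CLIENTS = {ipaddress.ip_address("192.168.0.41")}  # computer set "denyed clients"
INTERNAL = ipaddress.ip_network("192.168.0.0/24")        # assumed internal network
YAHOO_SET = ["*.yahoo.com"]                              # domain name set

def in_domain_set(host, patterns):
    """Glob match of a host name against a domain name set (model assumption)."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)

def make_rules(destination):
    """Rules in evaluation order; destination is 'External' or a domain name set."""
    return [
        {"name": "denyed clients", "action": "deny",
         "sources": DENIED_CLIENTS, "dest": destination},
        {"name": "unrestricted Internet access", "action": "allow",
         "sources": INTERNAL, "dest": "External"},
    ]

def evaluate(rules, client, host):
    """Return (action, rule name) of the first matching rule.

    If no rule matches, the request falls through to the default deny,
    which is what the article calls implicit prohibition.
    """
    ip = ipaddress.ip_address(client)
    for rule in rules:
        src_ok = ip in rule["sources"]          # works for a set or a network
        dest_ok = rule["dest"] == "External" or in_domain_set(host, rule["dest"])
        if src_ok and dest_ok:
            return rule["action"], rule["name"]
    return "deny", "default rule"

if __name__ == "__main__":
    block_all = make_rules("External")      # first configuration in the article
    block_yahoo = make_rules(YAHOO_SET)     # second configuration
    misordered = list(reversed(block_yahoo))  # deny rule placed below the allow rule
    for label, rules in [("block all", block_all), ("block yahoo", block_yahoo),
                         ("misordered", misordered)]:
        for client in ("192.168.0.41", "192.168.0.42"):
            for host in ("www.yahoo.com", "www.example.com"):
                print(label, client, host, evaluate(rules, client, host))
```

The "misordered" case shows why the position of the deny rule matters: placed below "unrestricted Internet access", it is never reached and 192.168.0.41 is allowed through.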

 

 


Sorry: in this article, the names of the rules and some objects contain English syntax errors; this does not affect the content of the article. My English is poor. Sorry :(.
