Controlling Acceptable Internet Access With ISA Server

A reasonably frequently-asked question is:
Can ISA Server 2004 control access to unsavoury sites on the Internet?
The short answer:
Of course!
The slightly less terse answer:
But you might need to use a content filtering add-in dedicated to the task if your need goes beyond a simple allow list. There’s also a non-technology alternative…
The longer answer:
Allow Lists and Deny Lists (Whitelists and Blacklists in oldspeak) can be created by URL, domain name, IP range, you name it. Actually, it’s more accurate to say that sets of URLs, domain names, and IP ranges can be created, and you can then choose whether to deny or allow access to them.
ISA Server’s pretty flexible about that, and oftentimes, if the list is small enough, you can manage it yourself (where “you” are the ISA Server admin that doesn’t want to be doing list management full time).
So, allowing a group of users access to only five or ten (or fifty, or a hundred) well-defined sites: easy enough.
In the situation in which the business comes to you and says that they want to allow unrestricted Internet Access in general, but don’t want employees to see anything that isn’t really appropriate, you suddenly have a vast amount of work cut out for you.
And this is where the content filtering add-ins come into play – some Filtering add-ins are listed here.
These often work on a paid subscription model that buys updates to their category listings, so that you can pick a category of sites and allow or deny access to that entire category – sometimes even with drill-down category capabilities, like Recreation->Gardening->Gnomes – rather than having to manually populate the list yourself, which could be both time-consuming and expose you to hideous, hideous things (teh intarweb can be dangerous, kids).
This is a Good Thing, and is often necessary to achieve no-questions-asked-it’s-just-automatic compliance. The filter provider takes care of the category listings and updates, you just manage the rules. Easy.
The alternative, cheap-cheap-cheap solution:
There’s also the non-technology solution, which appeals to me as an ex-BOFH. It’s the Policy approach.
Publish an employee Internet Use policy, then examine the proxy logs at random intervals (a lot at first, then a one-off once in a while), and issue stern warnings to those that go to unsavoury sites. You can use ISA Server 2004’s log query capability (or Log Parser or FIND against text-format logs, including ISA 2000’s) to pick out URLs containing likely-to-be-naughty phrases (like “xxx” or “leprechaun”) to produce a target-rich environment. Two caveats before you start issuing warnings: a crude substring search throws up false positives (an innocent hostname that happens to contain “xxx”), so eyeball the hits first; and HTTPS requests are logged as the CONNECT host and port rather than the full URL, so phrase matching only ever sees the hostname for those.
Remember: Fear is often cheaper than technology™.
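To show what the log-mining half of the Policy approach looks like in practice, here is an added example (mine, not from the original post and not an ISA Server tool). It parses ISA Server 2004’s W3C-format web proxy log, resolving column positions from the “#Fields:” header rather than hard-coding them, and flags requests whose host or URL contains a watch-list phrase. The sample log lines, the reduced field set and the watch list are all constructed for the example; the token-matching mode is my addition to avoid the “maxxxum” kind of false positive that a plain FIND on “xxx” produces.

```python
"""Flag ISA Server 2004 web proxy log entries whose URL contains a watch-list phrase.

The W3C log format is self-describing: the "#Fields:" header names the
columns, so the parser reads it instead of assuming a fixed layout.  The
field subset, the host names and the requests below are constructed for
this example and are not real log data.
"""
import re
from collections import Counter

# Constructed watch list; a real one would live in a file the admin maintains.
WATCH_LIST = ("xxx", "leprechaun")

# Constructed sample log.  Note the HTTPS request: the proxy only logs the
# CONNECT host:port, never the path, so phrase matching sees the hostname only.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Date: 2005-09-27 09:00:00
#Fields: c-ip cs-username date time r-host cs-uri sc-status
10.0.0.21 CONTOSO\\alice 2005-09-27 09:01:12 www.contoso.com http://www.contoso.com/index.htm 200
10.0.0.22 CONTOSO\\bob 2005-09-27 09:02:40 xxx.example.net http://xxx.example.net/gallery?page=3 200
10.0.0.21 CONTOSO\\alice 2005-09-27 09:03:05 www.maxxxum-tools.com http://www.maxxxum-tools.com/catalog 200
10.0.0.23 anonymous 2005-09-27 09:04:11 leprechaun.example.org leprechaun.example.org:443 0
10.0.0.22 CONTOSO\\bob 2005-09-27 09:05:59 xxx.example.net http://xxx.example.net/video/1 304
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):    # skip damaged lines rather than mis-align columns
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def _tokens(text):
    """Split a host/URL into lower-case alphanumeric tokens (labels, path segments, query parts)."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def matched_phrases(row, watch_list, mode="token"):
    """Phrases from watch_list found in the request's host or URL.

    mode="substring" behaves like FIND on the raw log (more hits, more noise);
    mode="token" only matches a phrase that is a whole label or path segment.
    """
    haystack = row.get("r-host", "") + " " + row.get("cs-uri", "")
    if mode == "substring":
        lower = haystack.lower()
        return [p for p in watch_list if p.lower() in lower]
    toks = set(_tokens(haystack))
    return [p for p in watch_list if p.lower() in toks]


def find_hits(rows, watch_list=WATCH_LIST, mode="token"):
    """List of (row, matched_phrases) for every request that trips the watch list."""
    hits = []
    for row in rows:
        phrases = matched_phrases(row, watch_list, mode)
        if phrases:
            hits.append((row, phrases))
    return hits


def hits_per_user(rows, watch_list=WATCH_LIST, mode="token"):
    """Counter of flagged requests per authenticated user: the target-rich environment."""
    return Counter(row["cs-username"] for row, _ in find_hits(rows, watch_list, mode))


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for row, phrases in find_hits(rows):
        print(f"{row['date']} {row['time']} {row['cs-username']:<14} {row['cs-uri']}  <- {', '.join(phrases)}")
    print(hits_per_user(rows))
```

Run against the sample, token mode flags bob twice and the anonymous HTTPS tunnel once, while substring mode also flags alice’s perfectly innocent maxxxum-tools visit, which is exactly the sort of hit you want to weed out before the stern warnings go out. Point it at a real log by replacing SAMPLE_LOG with the file contents; the #Fields header takes care of the column layout.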

Office 2003 SP2 Just Installed Itself!

Along with Visio 2003 SP2, OneNote 2003 SP2 and an Outlook Junk Email filter update. I remember signing up for Microsoft Update, and I intellectually knew that programs other than Windows could be patched on my computer, but hadn’t yet seen it happen via Automatic Updates. That’s just cool. My parents are getting that as soon as I’m there next, if I didn’t do that last time.

Post-update (I’ve had this happen to me before, possibly when I installed SP1 for OneNote?), OneNote seems to have this habit of doubling up its tray icon, and disabling one disables both, so you have to go back into OneNote options and turn it on again. Easier to just end task the errant ONENOTEM process, I reckon.

Operations on x64

The Microsoft.Com Operations blog just posted about their experiences moving from x86 to x64, most notably the increase in performance they achieved by doing this.

The numbers are compelling:

To give you a quick comparison:

                      req/sec   Response time
X86 ASP                 7.85    244ms
X86 ISAPI             110.85    248ms
X86 Static             41.9     135ms
X86 Static (cached)    47.11      1ms

X64 ASP                 7.41     53ms
X64 ISAPI             125.43     18ms
X64 Static             31.01      3ms
X64 Static (cached)    54.51      1ms

And this is performance gained just by running a 32-bit application (ASP.NET 1.1) on x64, via the WOW64 compatibility layer (WOW indeed!).

Worth a read.

Mental Note: Serenity Party Friday

I bought the Firefly DVD set a week ago, and my girlfriend and I chewed through them in three nights flat. I’m typically quite critical when it comes to TV shows, but Firefly won me instantly with its charm, intelligence, character and the fact that there was no sound in space (that’s not to say that the physics etc are perfect, but boy, did they ever try). The series visual effects still look better than most CG done today, and they were done three years ago. It’s amazing. It’s compelling. I love it.

This Thursday night, Serenity opens in cinemas nationally, and I can’t wait. Well, I can perhaps wait until Friday night, and try to book a Gold Class session with as many warm bodies as I can drag in. If it’s good, I imagine I’ll be watching it again shortly thereafter too…

If you haven’t seen the series, go get it on DVD – whether the movie is any good, the series is fantastic (and very reasonably priced – $38 AUD in JB HiFi for all 14 episodes).

After the good-but-only-so-good Revenge of the Sith, it’s the movie I’m pinning my “Sci Fi Movie of the Year” hopes on. Should be something very special. Shiny.

x64-friendly Smartcard Reader

I’ve had a Gemplus 430 USB card reader since we started using Smart Cards for RAS, all those years ago.

Since the upgrade to X64 at home, I’ve been essentially VPNless. No X64 drivers.

But finally, as if by magic, I came across (and successfully bartered for) a 433. I know X64 drivers exist for this. This makes me happy: I prefer Remote Desktop to web-based protocols by a long shot (especially as half my email-borne life needs to end up in a PST file – if Outlook isn’t running for a day, I bust my mailbox allowance).

Subtleties of Denying Traffic

In ISA Server 2004, if a Server Publishing rule overrides a protocol’s default port (the Ports button), an Access Rule that denies that protocol won’t block the published traffic on the non-default port: the Access Rule matches on the protocol definition’s port, not on the override.

To try to illustrate: 

Say you’re publishing RDP to two internal servers with two Server Publishing rules that use the RDP (Terminal Server) Server protocol, one on the default port 3389 and one on port 3390 via the Ports button.

You want to temporarily disable access to both, so you create an Access Rule specifying to Deny RDP from External to Anywhere, with higher priority than other rules.

And as this is sounding so much like an MCSE question, I think I’ll multi-choice the answers!

(the screenshot shows a disabled access rule, but assume it would be enabled.)

Does this solution:

A. Meet the intended objective?

B. Block only the server on the custom RDP port?

C. Block only the server on the default RDP port?

D. Not block RDP to either server?

Show working, and if this doesn’t meet the stated objective, propose an alternative solution.

Answers on a postcard or the back of an envelope to this address. Er, or just hit Comment and have a crack.
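If you want something to check your working against, here is a small model of ISA Server 2004’s ordered, first-match policy evaluation, written for this page as an added example; it is not ISA’s code and it does not talk to ISA. The only behaviour it encodes is the point stated at the top of the post: an Access Rule that names a protocol matches on that protocol definition’s port, while a Server Publishing rule with a port override listens on the overridden port. The rule names, server names and the “custom protocol definition on TCP 3390” used as one possible alternative fix are assumptions for illustration.

```python
"""Model of ordered, first-match firewall policy evaluation for the RDP
publishing quiz.  Added example, not ISA Server's code.  Assumption
encoded here: an Access Rule matches on the protocol definition's port,
so a Server Publishing rule that overrides the port (Ports button) is
listening on a port the Access Rule never looks at.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str
    port: int


# ISA's built-in definition: TCP 3389 inbound.
RDP = Protocol("RDP (Terminal Server) Server", "tcp", 3389)


@dataclass
class Rule:
    name: str
    kind: str                           # "access" or "publish"
    action: str                         # "allow" or "deny"
    protocol: Protocol
    from_net: str                       # "External", "Internal" or "Anywhere"
    to: str                             # destination network or published server (illustrative)
    port_override: Optional[int] = None # Server Publishing "Ports" button
    enabled: bool = True

    def listen_port(self):
        return self.port_override if self.port_override is not None else self.protocol.port

    def matches(self, src_net, transport, dst_port):
        if not self.enabled:
            return False
        if self.from_net not in ("Anywhere", src_net):
            return False
        return transport == self.protocol.transport and dst_port == self.listen_port()


def evaluate(policy, src_net, transport, dst_port):
    """Return (action, rule_name) from the first matching rule; the default rule denies."""
    for rule in policy:
        if rule.matches(src_net, transport, dst_port):
            return rule.action, rule.name
    return "deny", "<default rule>"


# The policy from the post, in priority order.  Names are assumed.
POLICY = [
    Rule("Deny RDP from External", "access", "deny", RDP, "External", "Anywhere"),
    Rule("Publish TS1 on 3389", "publish", "allow", RDP, "External", "TS1"),
    Rule("Publish TS2 on 3390", "publish", "allow", RDP, "External", "TS2", port_override=3390),
]


def outcome(policy=POLICY):
    """What an external RDP client gets on each published port."""
    return {
        3389: evaluate(policy, "External", "tcp", 3389),
        3390: evaluate(policy, "External", "tcp", 3390),
    }


def fixed_policy():
    """One alternative (assumed, not from the post): a deny Access Rule on a custom
    protocol definition for TCP 3390, placed above the publishing rules."""
    rdp_3390 = Protocol("RDP 3390 (custom)", "tcp", 3390)
    return [Rule("Deny RDP 3390 from External", "access", "deny", rdp_3390, "External", "Anywhere")] + POLICY


if __name__ == "__main__":
    for port, (action, rule) in outcome().items():
        print(f"original policy, tcp/{port}: {action} by {rule}")
    for port, (action, rule) in outcome(fixed_policy()).items():
        print(f"with extra deny,  tcp/{port}: {action} by {rule}")
```

Run it and the model gives you the first-match trace for both ports, which is the “show working” part; it also lets you try other fixes (disabling the two publishing rules, for instance) by editing the policy list and re-running.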

A Plea To WPF/Avalon Developers

Don’t make me hate you.

Now that Windows Presentation Foundation (the vector monkey formerly known as Avalon) is really starting to excite people (myself included), tools like Expression (Sparkle flavour) are around the corner, and the ability to animate user interfaces is so readily exposed, I offer up my solemn plea to all coders-cum-would-be-designers that want to animate their interfaces: Don’t. Go. Overboard.

Please, by all means animate something the first time around. Show me what I’m meant to be doing in gliding, graceful steps. Even take a couple of seconds to transition from one state to another. I’m sure it’ll help me understand better.

But every time thereafter, if your animations prevent me from clicking on things as quickly as is humanly possible, please, make sure you provide an option to disable them.

Example: I now “get” how the taskbar works, so I turn off window animation, so I have a snappier task switching experience.

Animations can be a lot like jokes. They’re often great the first time, only produce a small reaction the next time or two, and with every telling thereafter, your audience is progressively more likely to try to throttle you with a pool cue, or, say, to try to stuff an airline life jacket down your throat and then pull one of the tags (if the jacket does not inflate, attempt manual inflation with the handy tube). Getting the picture here? Animation causes grumpiness.

To reduce it to a nice, simple axiom for designers and coders alike: If the animation in your interface is delaying my use of that interface, your design is costing me time and money.

So please, keep impatient click-click-clicketty people like me in mind, and implement a “Type-A Switch” in any delay-causing animated user interface.

Live Logging FTW! An Example

(for the over-15s reading this blog, FTW means “for the win”, and means something/someone is really good, according to my human-subhuman interface, and is popular with teh Kids Online. Never say I don’t try to bridge the generation gap for y’all.)

I’ve mentioned before that “Live Logging is win” – Amy’s Harbor (while ranting about something tangential) demonstrates the utility of it in a troubleshooting situation with a VOIP/SIP thingummy.

It’s cool.

Try it! (Logging tab of the Monitoring tree thing).

Miscellaneous extra information: the live logging display works with all log types, but historical log queries from the ISA interface work only when you’re logging to MSDE; for file-based logs you’re back to Log Parser.

Support Terms #891: Frisbee Moment

The Frisbee Moment

This phrase is coined from the episode of the Simpsons where Bart is going to lose his disobedient dog, Santa’s Little Helper.

There’s a touching scene in which Bart plays a last game of frisbee with him. Bart throws a large plastic frisbee at SLH. It sails through the air and bounces hard directly off the dog’s open eyeballs. Santa’s Little Helper doesn’t even blink.

Frisbee moments happen when a person doesn’t actually register that they’ve been hit in the eye with a hard, unforgiving frisbee. They look a lot like this:

Consultant: Users are finding that authentication performance is slow.

SP: Let’s look at the event logs… oh my, there are tons of events saying they can’t reach a Domain Controller. (frisbee thrown)

Consultant: Yes, we removed all the DCs last week, because they had errors in their event logs. (frisbee bouncing off open eyeballs)

Recovery from a frisbee moment: Tricky. Often, you need to explain that frisbees are hard plastic objects that hurt when they connect with your eyeball, and a little bit about basic physics and the nervous system, then hit them in the eye with the frisbee again so that they get the idea. You may need to strike the subject in the eyes repeatedly with slightly different frisbees from varying angles to induce the appropriate response.

Last-ditch recovery from a frisbee moment: If all else fails, try using a larger object: hit the hapless victim with a (metaphorical!) car/bus/train, and some well-placed histrionics.

Another IT Pro OPML Update

I’m sure I’ve missed someone, but either way, the grand total of Aussie IT Pro bloggers (that’s people that design, deploy and maintain the stuff, and blog about it!) is 15. The most recent additions were (as I recall): Dugie, Parky, Angus (Dev/IT Pro overlap is fine) and today’s new victim contributor, Jonathan.

Wondering out loud: Do any of the aggregators out there auto-update server-based OPML lists?