Blocking Explicit Bing with ISA Server

Mike from Bing posted on some SafeSearch updates to Bing, particularly around image search and video preview.

So, with the new explicit domain name (, a block is easy enough to implement with ISA Server and nothing extra.

If you’ve already got a site blocking rule enabled, all you need to do is add:


To your blocked sites URL Set, and/or


To your blocked sites Domain Name Set, if you’re using one.

If you haven’t yet configured a blocking rule for explicit Bing traffic, here’s how I just did it.


First, create a new Access Rule.


I’m calling mine “Block Explicit Sites”


Next – we want to Deny access to these locations.


Protocol selection: I’ve selected HTTP and HTTPS (not sure if HTTPS is ever used, but it’s coverage, innit?)


I’m picking All Protected Networks as the source, which covers every non-External ISA network (click Add… to see the list, then Add and Close the All Protected Networks Network Set).


For the target, we want to create a new URL set, which is probably enough to stop accidental browsing of the target domains for Web Proxy clients that aren’t doing their own name resolution, and won’t have a huge amount of DNS traffic associated with it.


I’ll call it Explicit Bing, and set the path to http://**

This should apply to all subdomains, so if we end up with more specific categorization within the explicit domain at some point, it’ll automatically cover it.


Once that’s there, click OK, then add the Explicit Bing URL Set to the rule (find it under URL sets, click Add and then Close).


The Wizard should look like this:


From here, it’s just Next to apply to All Users (so it’s an anonymous blocking rule – doesn’t require authentication first in order to block someone) until the Wizard finishes.

There’s my rule:


My rule ended up at #16  in my list, so a little trick with reordering: Shift-select all 15 rules above it, and then right-click any of the selected rules, and choose Move Down.


And now, my new block rule is at #1. I do want it to be first as far as anonymous web traffic rules go, but I might, for example, want to position the Xbox rule or other rules ahead of it, depending on my traffic policy.


Enter the Change Tracking reason for later auditing…


And now it’s test time…


Right, well I can’t exactly show you the full search terms or the test results, but the images served from the explicit Bing domains were certainly blocked.

As a note – test from a client computer. The ISA Server itself may well have an “Allow CRL Downloads from any network using HTTP” System Policy rule in place which will run before any block lists. Disabling the System Policy rules and creating equivalent Access Rules that run after block lists will fix this.

ISA Server 2006 on Windows Server 2008: Nup

Update 6 May 2010: Hello! If you’re reading this, it’s now at least 2010, and the answer to your question is: the version of ISA Server that works on Windows 2008 is called Microsoft Forefront Threat Management Gateway 2010. Also, it’s exclusively 64-bit. ISA 2006 doesn’t have a 64-bit flavour (though the Firewall Client does).

Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here:

Can I install ISA 2006 on 32-bit Windows Server 2008 ?

No, it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man.

Why not ISA Server 2006 on Windows 2008?

Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible, so I let it slide.

Well can I install ISA 2006 on 64-bit Windows Server 2008 ?

No. Wait – sort of, not really. Do you count virtualization?

What do you mean?

Hyper-V or an SVVP-validated platform. (Details on security. And the inimitable “Jim Harris” apparently pretending to be Jim Harrison. Giggle.)

Er, if I do count virtual machines?

Yes. You run it in a 32-bit Windows Server 2003 guest.

Isn’t that cheating?!

No. Well, maybe. Sorry, did you have a point there?

What about Windows Server 2003, x64 Edition?

Installing ISA on it? No. It’s 32-bit only and uses kernel-mode software; you can’t mix and match 32-bit with 64-bit k-mode drivers. Hint: I just helped you study for 070-351.

What about Service Pack 2?

X64 Edition?



You’re not being helpful.

Oh really? Your eyes are the wrong shape.

The next version of ISA Server, called Forefront Threat Management Gateway (TMG, or, I guess, Timmy to his friends (yep, I’m betting the G ends up semi-silent)), is available in its initial release in the Windows 2008 Essential Business Server thingo, which is 64-bit only.

The next standalone (i.e. non-EBS-integrated) release is currently available in Beta form, and runs exclusively on Windows Server 2008, x64 edition.

That was more helpful.

You still look funny.

Hey, why don’t your links open in new windows?

Because I think it’s nice for the reader to be able to choose whether an informational link should appear in the current frame or a new tab (or a new window).

Sometimes (probably quite often on this blog), you’ll be done with the content at the current page you’re reading, and just want to replace it with something else. Forcing a new window isn’t polite in the age of tabbed browsing.

Let the user choose.

I agree, that’s so wise. You’re like, amazing.

I know.