Secure Proxy Server  «Prev  Next»

Lesson 5 Restricting outbound traffic with domain filters
ObjectiveDescribe how Proxy Server domain filters prevent unauthorized Internet access.

Restricting outbound Traffic using Domain Filters

You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters. Domain filters provide a way for you to restrict access to Internet content using the DNS names of the destination servers to which you want to restrict access. For example, if you are having problems with users going to to check the personal ads, you can place a domain filter for and no resources from that domain will be accessible to internal network users.

Why focus on domain filters?

Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. As with packet filters, you can create a combination of domain filters in order to meet the particular security requirements of any organization. Domain filters and packet filters both apply to all Proxy Server services. You cannot selectively apply domain filters to a particular Proxy Server service, and you cannot restrict particular users or groups from accessing specified domains. Again, this is an "all or nothing" situation, as it is with packet filtering.

Granting or denying access with Exceptions

To grant or deny access to all Internet sites, you will set the default behavior of Proxy Server domain filters. You can then build a list of Internet sites that are the exceptions to the default behavior.
Suppose, as mentioned above, you want to allow access to all Internet domains except for You need to selectively deny access to AOL because of the large amount of wasted bandwidth. The table below describes the process. Click on the thumbnails to see full-sized images of the GUI.

Right click any of the Proxy Server services lists in the left pane of the Internet Information Services console and click Properties to view the Web Proxy Service Properties dialog box. The settings under the Shared Services frame apply to all the Proxy Server services. Click on the Security button.

The Web Proxy Service Properties Dialog Box thumbnail

The Enable checkbox has been selected. This enables the domain filtering mechanism. At this point, access to all Internet sites will be granted. Notice that there are no exceptions in the list at this time. To add an exception, click the Add button.
The Web Proxy Service Properties Dialog Box thumbnail

By default, access to all Internet sites will a) Granted
Except to those listed below
The Deny Access To Dialog Box thumbnail

Since you want to deny access to sites in the domain, you type that domain name into the provided text box. Then click OK.

You see now that all Internet sites are available except If a user attempts to go to a resource located on the domain, the Proxy Report informs them that access has been denied.
As a result, you can specify Proxy Server domain filters to:
  1. Reject packets specified in the criteria of the filter and forward all others
  2. Forward packets specified in the criteria of the filter and reject all others

How to define domain-filter criteria

You should define the Proxy Server domain-filter criteria based on the security requirements of the organization. For example, if an organization wants to restrict access to a specific Web site by name, you should define a Proxy Server domain filter that is based upon the domain name of the Web site.
The following image lists the criteria upon which you can base your Proxy Server domain filter, and when you would specify that criteria in your design.

1) Single Computer, 2) Group of Computers, 3) Domain

Proxy Server Domain Filter
Your Proxy Server domain filter can be based on only one of the criteria listed in the MouseOver above.
In the next lesson, you will learn how Proxy Server Web Publishing prevents unauthorized access to Web servers on the private network.

Restricting Outbound Traffic - Exercise

Click the Exercise link to check your understanding of the criteria on which to base the use of domain filters. Restricting Outbound Traffic - Exercise