Secure Proxy Server

Lesson 5: Restricting outbound traffic with domain filters
Objective: Describe how Proxy Server domain filters prevent unauthorized Internet access.

Restricting Outbound Traffic Using Domain Filters

You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters. Domain filters let you restrict access to Internet content by the DNS names of the destination servers. For example, if you are having problems with users going to aol.com to check the personal ads, you can place a domain filter on aol.com and no resources from that domain will be accessible to internal network users.
  • Why focus on domain filters? Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. As with packet filters, you can create a combination of domain filters in order to meet the particular security requirements of any organization. Domain filters and packet filters both apply to all Proxy Server services. You cannot selectively apply domain filters to a particular Proxy Server service, and you cannot restrict particular users or groups from accessing specified domains. Again, this is an "all or nothing" situation, as it is with packet filtering.

Windows Server 2022 using Windows Defender Firewall with Advanced Security

On Windows Server 2022, to achieve functionality similar to the Proxy Server domain filters and default behaviors described above (which date from the year 2000), you can use the following tools and features:
  1. Windows Defender Firewall with Advanced Security
    • Use the firewall's outbound rules to control access to the specific IP addresses or ranges that host the domains you want to restrict.
    • Create a custom rule to deny access to the IP ranges of AOL and allow all other destinations by default.
  2. Web Proxy or Reverse Proxy using IIS
    • Configure Internet Information Services (IIS) as a reverse proxy using the Application Request Routing (ARR) module.
    • Define rules to block or allow specific domains.
  3. Group Policy (GPO)
    • Use Group Policy Management to enforce web filtering rules:
      • Navigate to: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > URL Action Rules.
      • Configure allowed or blocked websites.
  4. Microsoft Endpoint Manager (Optional)
    • If your organization uses Microsoft Endpoint Manager or Intune, set up compliance policies to manage which websites can be accessed from company devices.
  5. Third-Party Proxy Software
    • Install and configure third-party software like Squid Proxy or NGINX Proxy Manager to act as a filtering proxy.
    • Set up rules to block or allow specific domains based on your requirements.
  6. DNS Filtering Services
    • Use DNS filtering by configuring the DNS Server role or integrating with services like OpenDNS or Microsoft Defender for DNS:
      • Block or allow specific domains by adding them to the DNS blacklist or whitelist.
      • For DNS Server on Windows Server, you can create custom DNS zones and configure policies to redirect or deny access to specific domains like aol.com.
  7. Windows Firewall Rules and App Control
    • For domain-specific filtering, combine firewall rules with third-party extensions or integrations that allow more granular web filtering capabilities.

Steps for a Simple Proxy Setup (Example: Squid Proxy on Windows)
  1. Install Squid Proxy on Windows Server 2022.
  2. Configure the squid.conf file to:
    • Allow access to all domains by default.
    • Add acl rules to block specific domains like aol.com.

    Example (the leading dot matches aol.com and every host beneath it; http_access rules are evaluated top to bottom, so the deny must come before the allow):
    # match aol.com and all of its subdomains
    acl BLOCK_AOL dstdomain .aol.com
    # deny the blocked domain first; the first matching rule wins
    http_access deny BLOCK_AOL
    # then grant everything else by default
    http_access allow all

  3. Restart the Squid service to apply changes.

These tools provide robust options for filtering and managing internet access in a modern server environment.

Walkthrough (screenshots of the Web Proxy Service Properties and Deny Access To dialog boxes):
1) Right click any of the Proxy Server services listed in the left pane of the Internet Information Services console and click Properties to view the Web Proxy Service Properties dialog box. The settings under the Shared Services frame apply to all the Proxy Server services. Click the Security button.
2) The Enable checkbox has been selected. This enables the domain filtering mechanism. At this point, access to all Internet sites will be granted. Notice that there are no exceptions in the list at this time. To add an exception, click the Add button.
3) By default, access to all Internet sites will be: a) Granted
4) By default, access to all Internet sites will be: a) Granted, except to those listed below
5) Since you want to deny access to sites in the aol.com domain, you type that domain name into the text box of the Deny Access To dialog box. Then click OK.

You see now that all Internet sites are available except aol.com. If a user attempts to go to a resource located on the aol.com domain, the Proxy Report informs them that access has been denied.
As a result, you can specify Proxy Server domain filters to:
  1. Reject packets specified in the criteria of the filter and forward all others
  2. Forward packets specified in the criteria of the filter and reject all others

How to define domain-filter criteria

You should define the Proxy Server domain-filter criteria based on the security requirements of the organization. For example, if an organization wants to restrict access to a specific Web site by name, you should define a Proxy Server domain filter that is based upon the domain name of the Web site.
The following criteria are the ones upon which you can base your Proxy Server domain filter, with the situation in which you would specify each in your design:
  1. Single computer: a specific computer on the Internet, by using the IP address of the computer.
  2. Group of computers: a range of IP addresses on the Internet, by using an IP address and subnet mask to specify the range.
  3. Domain: a specific domain name, independent of the IP address, by specifying the fully qualified domain name (FQDN) for the domain.

Your Proxy Server domain filter can be based on only one of the criteria listed above.
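As an added illustration (not Proxy Server's own code), the following Python model applies the decision this lesson describes: a default of grant or deny, reversed for any destination that matches a listed exception, where each exception uses exactly one criterion (single computer, group of computers, or domain). The function names and the sample addresses are constructed for this example.

```python
# Illustrative model (not Proxy Server code) of a domain filter: a default
# action plus a list of exceptions, each on exactly one criterion.
import ipaddress

def _matches(host, resolved_ip, criterion):
    """Return True if the destination matches one exception criterion."""
    kind, value = criterion
    if kind == "domain":
        # FQDN criterion: the domain itself and any host beneath it, case-insensitive.
        h, d = host.lower().rstrip("."), value.lower().rstrip(".")
        return h == d or h.endswith("." + d)
    # IP-based criteria are checked against the resolved destination address
    # (or the host itself when the client asked for an IP literal).
    try:
        addr = ipaddress.ip_address(resolved_ip or host)
    except ValueError:
        return False  # an unresolved DNS name never matches an IP criterion
    if kind == "single":
        return addr == ipaddress.ip_address(value)
    if kind == "group":
        ip, mask = value  # IP address plus subnet mask, as entered in the dialog
        return addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    raise ValueError(f"unknown criterion: {kind}")

def filter_decision(host, default_grant, exceptions, resolved_ip=None):
    """Apply the default action, reversed for any matching exception.

    default_grant=True  -> 'Granted, except to those listed below'
    default_grant=False -> 'Denied, except to those listed below'
    """
    listed = any(_matches(host, resolved_ip, c) for c in exceptions)
    allow = default_grant != listed
    return "grant" if allow else "deny"

# Constructed sample filter: the aol.com domain, one host, and one /24
# (addresses taken from the RFC 5737 documentation ranges).
EXCEPTIONS = [
    ("domain", "aol.com"),
    ("single", "203.0.113.7"),
    ("group", ("198.51.100.0", "255.255.255.0")),
]

if __name__ == "__main__":
    for dest in ("www.aol.com", "notaol.com", "198.51.100.42", "198.51.101.42"):
        print(dest, filter_decision(dest, True, EXCEPTIONS))
```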
In the next lesson, you will learn how Proxy Server Web Publishing prevents unauthorized access to Web servers on the private network.

Restricting Outbound Traffic - Exercise

Click the Exercise link to check your understanding of the criteria on which to base the use of domain filters.