To create a policy that enables only Web proxy clients in ISA Server 2006, in ISA Server 2004, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server 2008, follow these steps.
Step 1: Create a new outbound protocol
- In ISA Server Management or in Forefront Threat Management Gateway, Medium Business Edition, expand the Firewall Policy node.
- In the task pane, click the Toolbox tab.
- Click Protocols, click New, and then click Protocol.
- In the New Protocol Definition Wizard, type a name for the new protocol. For example, type MyHttp. Click Next.
- On the Primary Connection Information page, click New.
- In the New/Edit Protocol Connection dialog box, verify that Protocol type is TCP and that Direction is Outbound. In the From and To boxes, type 80. Click OK, and then click Next.
- Click Next on the Secondary Connections page.
- Click Finish.
- In the ISA Server details pane, click Apply to save the configuration settings.
Step 2: Create a new access rule
- In ISA Server Management or in Forefront Threat Management Gateway, Medium Business Edition, expand the Firewall Policy node.
- On the Tasks tab, click Create New Access Rule to start the New Access Rule Wizard.
  Note: In ISA Server 2006 or in Forefront Threat Management Gateway, Medium Business Edition, click Create Access Rule to start the New Access Rule Wizard.
- On the Welcome to the New Access Rule Wizard page of the New Access Rule Wizard, type a name for the access rule. For example, type Deny HTTP transparent access. Click Next.
- On the Rule Action page, click Deny, and then click Next.
- On the Protocols page, click Selected Protocols in the This rule applies to list, and then click Add.
- In the Add Protocols dialog box, expand the User-Defined node, click MyHttp or the name that you created for the new protocol, click Add, click Close, and then click Next.
- On the Access Rule Sources page, add the entities that will have only Web proxy access. Click Next.
- On the Access Rule Destination page, add your Web proxy access destination. Click Next.
- On the User Sets page, click All Users, click Next, and then click Finish.
- In ISA Server Management or Microsoft Forefront TMG, click Apply to save changes.
Note: If there is an existing rule that enables Web proxy clients, you must put the new rule before the existing rule in the ISA Server details pane or in the Forefront Threat Management Gateway, Medium Business Edition details pane. To do this, right-click the rule, and then click Move Up. After you move the rule, click Apply to apply the changes to the firewall policy, and then click OK.