To get our hands dirty, we'll set up a simple OAP that prevents users on our internal network from accessing a couple of Web sites. A real-world example might be a school network administrator prohibiting access to chat groups or pornography sites. Let's get started.
First we need to configure a destination seta collection of Web sites, IP addresses, computer names, and/or domain names that client machines on the network will be restricted from accessing over the Internet. (We're only concerned with Web sites, in this example.) To create a destination set, expand the Policy Elements tree in the navigation pane and choose the Destination Sets folder (see Figure 6).
Click the Create a Destination Set icon to launch the wizard (see Figure 7).
Specify a name for the destination set. For this example, I'm using the name Restricted Sites. Click the Add button to bring up the Add/Edit Destination dialog box shown in Figure 8.
In the Destination text box, type the domain name of the web site to which you want to restrict access; then click OK to return to the dialog box shown in Figure 7. To add more sites, just click Add and repeat the process. After adding all the sites you want to restrict, close the wizard. Your destination set will be listed in the right pane of the snap-in. You can double-click this listing anytime to edit it.
Now that you have a destination set policy element, it's time to apply this policy to a new site and content rule. To create this type of rule, expand the Access Policy node in the left pane, and open the Site and Content Rules folder, as shown in Figure 9.
You can edit the default Array Rule, but let's create a new rule for this example. To create a new rule, click the icon in the right pane labeled Create a Site and Content Rule, and type a name for your new rule. I'm using the simple name "Restricted Sites" for this example.
On the next screen, indicate the action that you want the rule to take (see Figure 10). If this rule is meant to block an HTTP request, check the check box and enter the URL for the page that the user will see after the request is denied. For example, you may have a custom page that explains why access is denied to certain sites.
Next, tell the wizard how to apply this ruleto which destination set(s)as shown in Figure 11. If you select the Apply Destination Set option in the drop-down list, another drop-down list becomes active with any destination sets you've created.
On the rule schedule screen, you can define when the rule will be active (only during work hours, for example, or weekends only). In this example, the rule will always be active, which is the default selection. Click Next.
On the Client Type screen, you can indicate which type of requests will be denied. You can deny any, computer, or user and groups requests. Since we want to deny all requests to the restricted web sites on our list, leave the Any Requests option selected, click Next, and then click Finish to wrap it up.
Policy elements are a collection of wizards that define attributes for policies, which are then assigned to rules. After creating a destination set, we'll apply this policy element to a new site and content rule. (Think of a rule as a collection of one or more policy elements. Think of a policy as a collection of rules.)
Figure 6 Configuring a destination set.
Figure 7 Starting a destination set.
Figure 8 Adding destinations.
Figure 9 Setting up site and content rules.
Figure 10 Specifying the action to be taken when the rule kicks in.
Figure 11 Specifying the destination set(s).
In this example, we want to apply the rule to only one destination set. Select the Restricted Sites set and click Next.
You should now be familiar with how to create a destination set and a rule to which the set will apply. If you're an administrator, you'll also want to protect data coming into your network over the Internet, which is enough content for several more articles. You can set up protocol rules, packet filtering, bandwidth prioritization, and more.