Saturday, January 26, 2008

Web Filtering for SBS 2003

Scenario: Basic filtering for two user groups in Active Directory (Management have unrestricted access to the web, with the remaining staff having access to only an approved whitelist of work-related web sites). If staff aren't allowed any web access whatsoever, then Group Policy can be used to set a "dummy" proxy for members of the Staff Organisational Unit.

Here are the options for a single-server Small Business Server 2003 environment (fewer than 75 users), in order of preference:

Option 1: Content filtering on existing firewall devices (Cisco Pix is free; SonicWALL TZ 170 & 180 require a Content Filtering Service licence and SonicOS Enhanced).

Option 2: Reuse a PC and install a commercial product (eg Websense) or an open-source tool such as Squid or Untangle. A low-spec PC is required (often with two NICs, but plugging the PC into a hub, which sniffs all traffic, can work). In the past I have used ISA2000, which can be used in conjunction with Surfcontrol to achieve the sniffing as well.

Option 3: Filtering on demand by using a commercial product such as Websense (ie requests are routed to an external proxy).

Option 4: Use ISA 2004 on the new server (if SBS Premium has been purchased).

I am averse to the idea of using ISA 2004 as the product is a full-fledged firewall which I have always found difficult to use ("difficult to use" is not a first for Microsoft, unfortunately!). ISA 2004 can be used as a Web Proxy but requires no end of configuring and adds extra overhead to a (most likely) overloaded server. I notice ISA expert Tom Shinder started a series of articles on this...and didn't conclude it. TBH, I don't use ISA that much, but when I do it's as a proxy using the ISA 2000 version.

There is a now-defunct blog named ISAinSBS by Amy Babinchak. In a post entitled "Filter the Internet?" she states "If you need to filter the Internet you have an HR problem, not an IT problem" (how true, but it's also becoming a legal requirement) and "we can create a list of allowed websites provided it isn't too long."

Using open-source tools can be slightly time-consuming and requires a PC, but if you have the time and the PC then it's well worth looking at. Using the existing firewall is an option if one is in place. Just to note, in a larger environment (several hundred users) I'd recommend Option 2 or 3.
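
The Management/Staff policy from the scenario at the top of this post, written out as a small decision function (an added example, not from the original post or from any of the products listed). The group names, domains and function names are assumptions made for illustration; it shows whitelist entries being matched on whole DNS labels of the parsed hostname rather than by substring.

```python
from urllib.parse import urlsplit

# Constructed sample data: group names follow the scenario, domains are placeholders.
UNRESTRICTED_GROUPS = {"Management"}
STAFF_WHITELIST = {"example.com", "intranet.example.org"}


def host_of(url):
    """Return the lower-cased hostname of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def on_whitelist(host, whitelist=STAFF_WHITELIST):
    """True if host equals a whitelisted domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'notexample.com' and
    'example.com.evil.test' do not match the entry 'example.com'.
    """
    labels = host.split(".")
    # Check the host and each parent domain:
    # a.b.example.com -> b.example.com -> example.com -> com
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def allow(groups, url):
    """Decide whether a user who is a member of `groups` may fetch `url`."""
    if UNRESTRICTED_GROUPS & set(groups):
        return True  # Management: unrestricted access
    host = host_of(url)
    # Everyone else: whitelist only; anything without a parsable host is denied.
    return bool(host) and on_whitelist(host)


if __name__ == "__main__":
    for groups, url in [
        (["Management"], "http://anything.test/"),
        (["Staff"], "http://www.example.com/page"),
        (["Staff"], "http://notexample.com/"),
        (["Staff"], "http://example.com.evil.test/"),
    ]:
        print(groups, url, "ALLOW" if allow(groups, url) else "DENY")
```
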


Notes:

Untangle
Open source web filter.

Squid
An open source proxy. There is a plug-in available to filter URLs.

WebSense
WebSense Express is a new offering for up to 500 users. Also WebSense Enterprise and WebSense HostedWebSecurity.

Barracuda Web Filter
A hardware appliance, probably too costly for SMEs.

GFI Web Filtering and control for ISA Server
Provides true filtering for ISA.

Bluecoat
Have several products: Webfilter; Winproxy (Gateway Anti-Spyware, Firewall, Antivirus, Anti-SPAM, & Web Filtering all in One). Also ProxyRA series for enterprise.

How to move mail between servers

Two completely different servers, in different domains.

SERVER1 in DOMAIN1.LOCAL (responsible for, say, MYCOOLDOMAIN.COM mail).
SERVER2 in DOMAIN2.LOCAL (responsible for, say, MYOTHERCOOLDOMAIN.COM mail...or maybe not; it could become responsible for MYCOOLDOMAIN.COM mail!).

Create secondary Domain Admin accounts in both domains (eg Admin2).

Give Admin2 Full Control to everyone's mailboxes (this is a right that is denied to the built-in Admin account).

Download EXMERGE and place the extracted files in the BIN folder for Exchange (otherwise you get a DLL error).

In Domain1, log on as Admin2. Run EXMERGE and extract each user's mailbox to a PST.
In Domain2, log on as Admin2. Run EXMERGE and import each user's mailbox from the PST.

Often the last step will fail, so an alternative is to add the PST as a Personal Folder in Outlook and merge the PST into the mailbox.