Saturday, January 26, 2008

Web Filtering for SBS 2003

Scenario: Basic filtering for two user groups in Active Directory (Management have unrestricted access to the web, with the remaining staff having access only to an approved whitelist of work-related web sites). If staff aren't allowed any web access whatsoever, then Group Policy can be used to set a "dummy" proxy for members of the Staff Organisational Unit.

Here are the options for a single-server Small Business Server 2003 environment (fewer than 75 users), in order of preference:

Option 1: Content filtering on existing firewall devices (Cisco PIX is free; SonicWALL TZ 170 & 180 require a Content Filtering Service licence and SonicOS Enhanced).

Option 2: Reuse a PC and install a commercial product (e.g. Websense) or an open-source tool such as Squid or Untangle. A low-spec PC is required (often with two NICs, but plugging the PC into a hub, where it can sniff all traffic, can work). In the past I have used ISA2000, which can be used in conjunction with Surfcontrol to achieve the sniffing as well.

Option 3: Filtering on demand by using a commercial product such as Websense (i.e. requests are routed to an external proxy).

Option 4: Use ISA 2004 on the new server (if SBS Premium has been purchased).

I am averse to the idea of using ISA 2004, as the product is a full-fledged firewall which I have always found difficult to use ("difficult to use" is not a first for Microsoft, unfortunately!). ISA 2004 can be used as a Web Proxy but requires no end of configuring and adds extra overhead to a (most likely) overloaded server. I notice ISA expert Tom Shinder started a series of articles on this... and didn't conclude it. TBH, I don't use ISA that much, but when I do it's as a proxy using the ISA 2000 version.

There is a now-defunct blog named ISAinSBS by Amy Babinchak. In a post entitled "Filter the Internet?" she states "If you need to filter the Internet you have an HR problem, not an IT problem" (how true, but it's also becoming a legal requirement) and "we can create a list of allowed websites provided it isn't too long."

Using open-source tools can be slightly time-consuming and requires a PC, but if you have these then it's well worth looking at. Using the existing firewall is an option if one is in place. Just to note, in a larger environment (several hundred users) I'd recommend Option 2 or 3.
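
The scenario's policy written out as a decision function, as an added example (not code from the original post or from any of the products named): members of Management pass, everyone else is held to the whitelist, and hosts are matched on whole domain labels so that lookalike names are refused. The group name comes from the scenario; the whitelist domains and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample policy: the group name follows the scenario,
# the whitelisted domains are placeholders.
UNRESTRICTED_GROUPS = {"Management"}
STAFF_WHITELIST = {"example.com", "intranet.example.org"}


def request_host(target):
    """Return the normalised host of a proxy request target.

    Accepts absolute URLs ("http://host/path") and CONNECT-style
    "host:port" targets. Returns None when no host can be parsed.
    """
    if "://" not in target:
        target = "//" + target  # make urlsplit read it as an authority
    try:
        host = urlsplit(target).hostname  # lower-cased, userinfo and port dropped
    except ValueError:  # e.g. malformed bracketed host
        return None
    return host.rstrip(".") if host else None


def host_on_whitelist(host, whitelist):
    """True if host is a whitelisted domain or a subdomain of one.

    The leading dot in the suffix test keeps "notexample.com" from
    matching "example.com".
    """
    return any(host == d or host.endswith("." + d) for d in whitelist)


def is_allowed(groups, target, whitelist=STAFF_WHITELIST):
    """Management is unrestricted; everyone else is default-deny."""
    if UNRESTRICTED_GROUPS & set(groups):
        return True
    host = request_host(target)
    if host is None:
        return False  # unparseable request: refuse rather than guess
    return host_on_whitelist(host, whitelist)


if __name__ == "__main__":
    for who, url in [("Management", "http://news.test/"),
                     ("Staff", "http://www.example.com/"),
                     ("Staff", "http://example.com.other.test/")]:
        print(who, url, "ALLOW" if is_allowed([who], url) else "DENY")
```

Whichever product enforces the policy, the same two checks are worth running against it: the whitelist must be default-deny, and matching must be on the parsed host rather than on a substring of the URL.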


Notes:

Untangle
Open source web filter.

Squid
An open source proxy. There is a plug-in available to filter URLs.

WebSense
WebSense Express is a new offering for up to 500 users. Also WebSense Enterprise and WebSense HostedWebSecurity.

Barracuda Web Filter
A hardware appliance, probably too costly for SMEs.

GFI Web Filtering and control for ISA Server
Provides true filtering for ISA.

Bluecoat
Have several products: Webfilter, Winproxy: Gateway Anti-Spyware, Firewall, Antivirus, Anti-SPAM, & Web Filtering all in One. Also ProxyRA series for enterprise.
