Block Web Browsing with IPSec

by Michael W. Wass - November 3, 2009


Windows 2000/XP/2003 computers have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol that’s designed to protect individual TCP/IP packets traveling across your network by using public key encryption. In a nutshell, the source PC encapsulates the normal IP packet inside of an encrypted IPSec packet. This packet then remains encrypted until it arrives at the destination PC.

 

This is not the place for a more detailed intro to the IPSec features, but know that besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism.

 

How can you block specific users from surfing the Internet with IPSec? Simply by creating a policy element that will tell the computer to block all the specific IP traffic that is configured by those rules. Internet traffic uses HTTP and HTTPS, which use TCP ports 80 and 443 respectively as their destination ports. By blocking this specific traffic you will be able to stop a specific computer from browsing the Internet.

 

To block all Internet traffic to and from a computer you need to create an IPSec policy that will block HTTP traffic. You can configure this policy for one computer by manipulating that computer's IPSec policy, or, even better, you can configure the policy as a Group Policy Object (GPO) on a Domain or Organizational Unit (OU). In order to configure a GPO you must have Active Directory in place.

 

You can also block web browsing but allow Intranet Traffic with IPSec.

 

Block a single computer from surfing the internet

 

To configure a single computer follow these steps:

 


Configure IP Filter Lists & Filter actions

 

  1. Open an MMC window (Start / Run / MMC)
  2. Add the IP Security and Policy Management Snap-in
  3. In the Select which computer this policy will manage window, select the local computer. Click Close then Ok
  4. Right-click IP Security Policies in the left pane and Select Manage IP Filter Lists and Filter Actions
  5. In the Manage IP Filter Lists and Filter actions click Add
  6. In the IP Filter List window type a descriptive name such as HTTP or HTTPS and click Add to add the new Filters
  7. In the Welcome window click Next
  8. In the description box type a description if you want and click Next
  9. In the IP Traffic Source window leave My IP Address selected and click Next
  10. In the IP Traffic Destination window leave Any IP Address selected and click Next
  11. In the IP Protocol Type scroll to TCP and press Next
  12. In the IP Protocol Port window type 80 (for HTTP) in the To This Port box and click Next
  13. In the IP Filter List window notice how a new IP Filter has been added. Now, if you want, add HTTPS (Any IP to Any IP, Protocol TCP, Destination Port 443) in the same manner
  14. Now that you have both filters set up click Ok
  15. Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Manage Filter Actions tab. Now we need to add a filter action that will block our designated traffic, so click Add
  16. In the Welcome screen click Next
  17. In the Filter Action Name type Block and click Next
  18. In the Filter Action General Options click Block then click on Next
  19. Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Close button. You can add Filter Actions at any time

   

The next step is to configure the IPSec Policy and assign it.

 

Configure the IPSec Policy

 

  1. In the same MMC console right-click IP Security Policies on Local Computer and select Create IP Security Policy
  2. In the Welcome screen click Next
  3. In the IP Security Policy Name enter a descriptive name, such as "Block HTTP, HTTPS". Click Next
  4. In the Request for Secure Communication window click to clear the Activate the Default Response Rule check-box. Click Next
  5. In the Completing IP Security Policy Wizard window, click Finish
  6. We now need to add the various IP Filters and Filter Actions to the new IPSec Policy. In the new IPSec Policy window click Add to begin adding the IP Filters and Filter Actions
  7. In the Welcome window click Next
  8. In the Tunnel Endpoint make sure the default setting is selected and click Next
  9. In the Network Type window select All Network Connections and click Next
  10. In the IP Filter List window select one of the previously configured IP Filters, for example "HTTP, HTTPS" (configured in step 6 above). If for some reason you did not previously configure the right IP Filter, you can press Add and begin adding it now. When done, click Next
  11. In the Filter Action window select one of the previously configured Filter Actions, for example "Block" (configured in step 15 above). Again, if you did not previously configure the right Filter Action, you can press Add and begin adding it now. When done, click Next

 

You can add any combination of IP Filters and Filter Actions you like.

 

Notice that you cannot change their order as you can in full-featured firewalls. Even so, this configuration works perfectly.

 

Assigning the IPSec Policy

  1. In the same MMC console, right-click the new IPSec Policy and select Assign

 

You're all done. You can now test the configuration by trying to surf to restricted and unrestricted websites.
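The same local policy can be built from the command line instead of clicking through the MMC wizards. The following is an added example, not part of the original article: it assumes Windows Server 2003 or later, where the "netsh ipsec static" context exists (Windows 2000 and XP ship ipsecpol.exe / ipseccmd.exe instead), an administrative command prompt, and it uses constructed names and a constructed 192.168.1.0/24 intranet range. It also goes one step beyond the article by adding the intranet exception mentioned earlier.

```batch
rem Added example (not from the original article): netsh equivalent of the MMC steps above.
rem Assumes Windows Server 2003 or later ("netsh ipsec static" context) and an admin cmd prompt.
rem Policy/filter names, descriptions and the 192.168.1.0/24 range are constructed placeholders.

rem 1. Filter list with both filters: My IP Address -> Any IP Address, TCP, destination port 80 / 443.
rem    mirrored=yes also matches the returning packets, as the MMC wizard does by default.
netsh ipsec static add filterlist name="HTTP, HTTPS" description="Outbound web traffic"
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes

rem 2. Filter actions: Block (as in step 17-18), plus Permit for the intranet exception below.
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add filteraction name=Permit action=permit

rem 3. The policy, with the default response rule cleared (step 4 of "Configure the IPSec Policy").
netsh ipsec static add policy name="Block HTTP, HTTPS" description="Block web browsing" activatedefaultrule=no

rem 4. Rule tying the filter list to the Block action on all network connections (steps 8-11).
netsh ipsec static add rule name="Block web" policy="Block HTTP, HTTPS" filterlist="HTTP, HTTPS" filteraction=Block conntype=all

rem 5. Optional intranet exception. IPSec applies the most specific matching filter, so a
rem    filter for one subnet wins over the "Any IP Address" block; rule order never matters.
netsh ipsec static add filterlist name="Intranet web"
netsh ipsec static add filter filterlist="Intranet web" srcaddr=me dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add rule name="Allow intranet web" policy="Block HTTP, HTTPS" filterlist="Intranet web" filteraction=Permit conntype=all

rem 6. Assign the policy (the "Assign" step above) and review what is now active.
netsh ipsec static set policy name="Block HTTP, HTTPS" assign=yes
netsh ipsec static show policy name="Block HTTP, HTTPS" level=verbose
```

To undo the change, run "netsh ipsec static set policy name="Block HTTP, HTTPS" assign=no" before deleting the policy, filter lists and filter actions with the matching "delete" commands.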

 

Blocking more than one Computer

 

Blocking more than one computer can be done in two ways:

Both methods can be used to prevent a number of computers from surfing the internet.

  Copyright © 2010 TecTrax Network Technologies. All rights reserved.
Last modified: 06/15/10