Microsoft ISA Server, Part I –
introduction, installation, configuration,
Web caching and Internet access
What happened before ISA Server?
The history of ISA Server goes back to a product named Proxy Server 1.0. At the time,
the market for fast and secure Internet access gained one more player: the Microsoft
Corporation. Proxy Server 1.0, however, was merely a means of conducting initial
market research. The market responded favourably to a product that integrated with
the existing Windows NT 4.0 enterprise networking systems.
The first edition of MS Proxy Server had many limitations. It supported only a few
basic Internet protocols and its implemented security tool functions were rather
Microsoft's second attempt, Proxy Server 2.0, was a natural evolution with many useful
and expected functions. One great advantage of this product is its use of the Windows NT
account database, which considerably simplified user management within the
enterprise. Many more protocols were supported, and caching services, packet
filtering capability and considerably enhanced security were also incorporated.
Although it was an improved version, Proxy Server 2.0 still suffered from a limited
range of functions compared to third-party products.
This is surely not Microsoft's last word. With the successors of Windows NT 4.0,
i.e. Windows 2000 and the newest Microsoft operating system, Windows XP, new
possibilities have emerged for implementing the technologies they incorporate.
New concepts created by ISA Server
ISA Server carries new terms that need to be understood before attempting product
deployment on the network.
· Array – a group of ISA computers that are located close together, for example within
a department, office or region. There are two types of arrays:
  Domain Arrays – use Active Directory. A domain array can encompass computers
  located within a single domain.
  Independent Arrays – store their information not in Active Directory but in a local
  configuration database. This type of array is mainly used in NT 4.0 based networks.
· Rule – with rules, the system administrator sets up the conditions that govern
sites, content, protocols and IP packet filters.
· Array policy – a set of rules applied to one specific array.
· Enterprise policy – enterprise-level policies contain similar rules to those
established in array policies but they are applied to multiple arrays.
With ISA Server, array policies can be used to modify enterprise policies making
them more restrictive. However, it is not possible for an array policy to ease
restrictions imposed by the enterprise policy.
ISA Server Components
ISA Server supports many more functions than its predecessor. The following options
are available with this new product:
Firewall – the Firewall client is an extension to ISA Server that
features an enhanced set of functions allowing it to compete with
similar products on the IT market. With the Firewall client,
Active Directory (on Windows 2000) or the SAM database (on NT)
can be used to provide security functions at user or group level.
This feature is not supported by the majority of third-party
products, which rely on either separate user databases or IP
addressing. Firewall functions are enhanced to support so-called
stateful packet inspection, i.e. a solution for improved security
where data packets passing through the firewall are intercepted
and analyzed at either a protocol or
Policy-based administration – ISA Server lets administrators
manage the server through predefined policy rules. Policies can
include a consistent set of rules regarding users, groups of users,
protocols etc. A specific policy may apply to a single array or
globally, to the whole enterprise. For businesses whose networks
use Active Directory, multi-tiered enterprise policies meet the
need for a comprehensive IT system and facilitate management of
the entire enterprise and its infrastructure.
Virtual Private Network Support – ISA Server provides an easy
way to create VPN-based networks. The wizards supplied with ISA
Server help to configure VPN tunneling and can activate the RRAS
service if it is not already initialized.
Dynamic IP filtering – depending on the security policy used, an
enterprise can dynamically open firewall ports for authorized
Internet users on a session-by-session basis. This considerably
simplifies the administrator's duties where applications frequently
change the ports over which they communicate.
IDS (Intrusion Detection System) – Microsoft has equipped ISA
Server with an Intrusion Detection System. This module was
purchased from Internet Security Systems, the leading developer
of such IT solutions. Thus, ISA offers out-of-the-box support for
preventing several types of attacks, including WinNuke, Ping of
Death, Land, UDP bombs, POP buffer overflow and scan attacks.
Once an attack has been detected and identified, ISA may decide
either to disable the attack or notify administrators about the
Web Cache – ISA Server provides fast Web caching performance.
Administrators can have frequently requested Web pages refreshed
automatically, on a reverse or scheduled caching basis.
Reports – the major point of contrast between ISA and its
predecessor, Proxy Server 2.0, is that ISA offers numerous
report generating possibilities. By scheduling report generation
connected, for example, with users' actions or security-related
events, managing ISA Server based networks becomes a simple task.
Gatekeeper H.323 – this component allows ISA Server to manage
IP telephony calls or H.323-based VoIP applications (for example
Microsoft NetMeeting 3.0). The DNS SRV record must be
registered in order to have gatekeeper enabled.
Client Deployment – with the SecureNAT (Network Address
Translation) feature, ISA Server delivers transparent and secure
Internet access to clients and servers with no need to configure
extra software on client machines. SecureNAT allows all traffic
to be monitored in ISA Server.
Therefore, rather than being a simple product improvement, Microsoft Internet
Security and Acceleration Server fills a gap in the Redmond giant's product range
and makes an aggressive entry into the mass market for Web security and fast Web
access. The new capabilities implemented in ISA Server are expected to allow
Microsoft to compete effectively in this business area.
It should be noted that Microsoft's engineers carefully integrate all products together
to bring the Company's vision of a .NET platform to businesses.
Software and hardware requirements
The minimum hardware requirements recommended by Microsoft for this product are:
300MHz or higher Pentium II compatible CPU,
256 MB of RAM,
2 GB hard-disk space on an NTFS-formatted partition,
200 MB of available hard-disk space for installation.
ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or
Problems with insufficient server capacity may occur with this type of configuration.
Thus, for various ISA Server usage scenarios, the hardware should be adequately
If ISA Server is to be used as a firewall, one will need to consider how powerful the
CPU should be in terms of throughput requirements.
Throughput requirements | Recommended CPU
Less than 25 Mbyte/s | Pentium II 300 MHz – 500 MHz
From 25 Mbyte/s to 50 Mbyte/s | Pentium III 550 MHz or better
More than 50 Mbyte/s | Pentium III 550 MHz or better for each 50 Mb
Table 1 CPU capacity requirements vs. throughput
Obviously these values can only be used as a reference when planning the ISA
Server's hardware to meet the expected load, which may vary with the usage
scenario (such as the type of data transmitted).
If ISA Server is to be deployed as a forward cache, then in addition to adequate
CPU capacity, consider also the RAM requirements and the free disk space available
for caching.
Number of users | CPU | Minimal RAM capacity (Mb) | Recommended disk space allocated for caching
Up to 250 | Pentium II 300 MHz | 256 | 4 GB
250 – 2000 | Pentium III 550 MHz | 256 | 10 GB
More than 2000 | Pentium III 550 MHz for every 2,000 users | 256 for every 2000 users | 10 GB for every 2,000 users
Table 2 – Capacity planning for forward caching server applications
If you want to use ISA Server in Integrated Mode (see Installation), these requirements
increase further. The full performance of any computer intended to operate as an ISA
server will therefore be used.
Installing ISA Server
A Windows 2000 Server with a full implementation of Active Directory is the
minimum on which it is possible to install Microsoft ISA Server. Before installing
ISA Server, one must configure Active Directory (adding required classes and
selecting object properties).
Fig. 1 ISA Server setup screen with selected AD schema modification option
Before the system attempts to update the schema you will be warned that this action is
Fig. 2 Active Directory’s modification-related warning
When modifying the schema, it is necessary to determine the intended extent of the
modifications to the existing policies integrated in AD. In case of problems with the
modification of Active Directory, consult the Ldif.log file.
Fig. 3 Modifying Active Directory
Once the Active Directory has been updated, you can attempt to install ISA Server. In
the first step, you will be requested to supply the information about the installation
mode (Typical, Full, Custom).
Fig. 4 ISA Server installation options
After this step, the set-up wizard checks whether Active Directory has already been
installed or not and if any settings have been modified. Next, you will be prompted to
determine if the server should be a part of a domain or be used as a standalone unit. In
the next step, select the mode of operation from the following three options:
· Firewall – with this option, ISA Server will function as a very powerful firewall,
· Web Cache – establishes ISA Server as a cache server and gives access to the 'Net
· Integrated Mode – when in integrated mode, all ISA Server implemented and
initialized features will be available.
Fig. 5 selecting the functional mode
Once the required mode has been selected, the next dialog box stops Internet
Information Services (if installed) and prompts you either to uninstall IIS or to
reconfigure it not to listen on ports 80 and 8080, which are required by ISA Server.
Although joint operation is possible, Microsoft recommends relocating IIS to another
machine.
In the next step, you will be prompted to specify the cache size for the Web Cache
Fig. 6 Configuring the cache size for WWW caching
On a multiple-disk server, one may benefit from distributing the cache across several
disks, which speeds up access to cached information.
Having configured appropriate cache sizes for Web services, one may proceed to
configure the LAT (Local Address Table).
Fig. 7 LAT setup utility
LAT (Local Address Table) – a table that defines all internal IP address ranges. When
constructing this table (Fig. 7), either the private IP address ranges defined in
RFC 1918 (10.X.X.X, 172.16.X.X, 192.168.X.X) or the Windows 2000 routing table
can be used as the source.
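As an added example (not from the article and not ISA Server's own code), the following Python models the LAT: the default private ranges, the first/last-address ranges the LAT dialog accepts, and the internal/external classification ISA derives from the table, plus a check that the server's own interface addresses fall on the right side of it. The interface and sample addresses are constructed, and the example uses the full 172.16.0.0/12 block that RFC 1918 actually reserves rather than only 172.16.X.X.

```python
"""Local Address Table (LAT) model: an added example, not ISA Server's own code.
The default table is built from the RFC 1918 ranges, further ranges can be added
as first/last addresses (as in the LAT dialog), and addresses are classified as
internal or external. All interface and sample addresses below are constructed."""
import ipaddress

# RFC 1918 private ranges. The article writes 172.16.X.X, but RFC 1918 reserves
# the whole 172.16.0.0/12 block (172.16.0.0 - 172.31.255.255), which is used here.
RFC1918_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


class LocalAddressTable:
    """Addresses inside a stored range are internal to ISA Server; all others are
    treated as the external (Internet) side."""

    def __init__(self, ranges=RFC1918_RANGES):
        self.ranges = list(ranges)

    def add_range(self, first, last):
        """Add a first/last address range, stored as the smallest set of CIDR networks."""
        self.ranges.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))

    def is_internal(self, address):
        ip = ipaddress.ip_address(address)
        return any(ip in network for network in self.ranges)

    def classify(self, address):
        return "internal" if self.is_internal(address) else "external"


def audit_lat(lat, external_interface_ip, internal_interface_ip):
    """Checks worth running before relying on the LAT (this helper is the example's
    own, not an ISA tool): the external interface must not be inside the LAT, or
    Internet hosts would be treated as internal; the internal interface must be
    covered, or internal clients would be treated as external."""
    problems = []
    if lat.is_internal(external_interface_ip):
        problems.append("external interface %s is inside the LAT" % external_interface_ip)
    if not lat.is_internal(internal_interface_ip):
        problems.append("internal interface %s is not covered by the LAT" % internal_interface_ip)
    return problems


def sample_lat():
    """Default LAT plus one constructed extra internal subnet (documentation addresses)."""
    lat = LocalAddressTable()
    lat.add_range("192.0.2.10", "192.0.2.20")
    return lat


if __name__ == "__main__":
    lat = sample_lat()
    for addr in ("10.1.2.3", "172.31.4.5", "172.32.0.1", "192.0.2.15", "203.0.113.7"):
        print(addr, lat.classify(addr))
    print(audit_lat(lat, "203.0.113.7", "192.168.1.1"))   # [] when the LAT is consistent
```

Running the script prints the classification of each sample address and an empty problem list; swapping the two interface addresses in the audit call reports both mistakes, which is the situation the article warns about when a network card is inactive during setup and the LAT is built incompletely.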
Fig. 8 A default LAT
Once this step is successful, you will see a screen confirming the end of the LAT
configuration. Make sure that all network cards are connected to the Internet and active
while installing ISA Server: should any network card be inactive, the LAT entries will
probably not be created.
Fig. 9 Completing the LAT setup procedures
After completing the setup procedures, the installer copies all files to the ISA Server
directory. After installation, the ISA Server Administration utility will start.
Fig. 10 Microsoft ISA Server Administrator utility and Getting Started Wizard
The utility is hosted in the Microsoft Management Console (MMC). The left pane
contains all the objects that can be configured, whilst the right pane provides the
settings available for the selected object.
Getting Started Wizard
Because ISA Server is completely different from Proxy Server 2.0, Microsoft
recommends that even experienced administrators become acquainted with the
Getting Started Wizard, which helps with the initial steps of product configuration
and customization. The Wizard works through a set of options that guide users through
customizing the product and also clarify the effects of specific modifications
introduced to ISA Server.
The Wizard is split into two sections (see Fig. 10):
After you have finished the initial configuration of ISA Server with the Getting
Started Wizard, you can fully adapt the product to the working environment by
fine-tuning individual settings.
Creating protocol rules
Administering an ISA Server means creation of suitable arrays, rules and policies.
Arrays and policies have already been explained so let us examine the term “rules”.
ISA Server uses two types of rules:
Site and content rule – determines if and when content from
specific Internet destinations can be accessed by users,
Protocol rule – determines which packets may or may not access
the ISA server.
Apart from the above rules, the following rules can also be defined for ISA server:
Bandwidth (Capacity) rule – prioritises the different types of
services using ISA server. This allows administrators to decide
how the available bandwidth is allocated between specific Web
traffic and business-related traffic.
Web publishing rules – to "publish" incoming HTTP, HTTPS and FTP
requests and map them to services on the ISA Server.
Server publishing – with this feature, clients from the public
Internet are directed to the ISA Server instead of to the web server.
Moreover, the ISA Server may act as the proxy for inbound and
outbound traffic between the public Internet clients and the internal
outbound traffic between the public Internet clients and the internal
Web Cache functions
ISA Server features high-performance Web Cache functions. The Cache Configuration
tab guides the user through configuring the Web cache service. In addition to a
variety of settings, one can set the cache size per hard disk and configure the
schedule of caching tasks (TTL utility).
Fig. 11 Configuring caching services
When ISA Server is set up as a Web caching server, two situations are possible:
Forward Web Caching Server – this is the most popular use of
the Web caching server. Its function is as follows:
Fig. 12 Forward Web Caching Server
1. User No. 1 (Client 1) sends a request for an object to the Web server;
2. The ISA Server approves the request and checks whether the object already exists in
the local cache. If it does not, the ISA Server contacts the Web server to fetch the
requested object (on behalf of the user);
3. The Web server returns the object in question to the ISA Server;
4. The ISA Server returns the Web object to client No. 1 and saves the object in its
local cache;
5. User No. 2 sends a request for the same Web object;
6. The ISA Server serves user No. 2 the locally cached copy of the object.
Reverse Web Caching Server – Reverse Proxy by an ISA Server
offers security for one or more Web servers located on the internal
network. This ensures secure Web publishing, which is of
particular concern if sensitive data is to be sent from the servers.
Fig. 13 Reverse Web Caching Server
In addition to the security offered by both forward and reverse caching, ISA Server
can be configured to give administrators a choice of Web caching strategies such as:
Scheduled Content Download – ISA Server can be configured to
provide tools for downloading/refreshing web pages at appropriate
intervals. In this way, the most popular web objects may be
refreshed at night instead of during the day without risking
Active caching – when active caching is used, ISA Server itself
evaluates and ranks the cached objects and refreshes them as
necessary. This is a particularly useful option where employees
must fetch information several times a day from specific URLs on
sites that are frequently updated, especially if working with
outdated versions is risky.
On Demand – the most popular configuration of a caching server:
upon an initial request for on-demand content, the server acquires
requested Web files and stores them locally in its cache.
Secure Internet Access through ISA Server
Secure Internet Access is one of the fundamental features provided by ISA Server. It
is increasingly necessary to improve security tools and to check users who access the
network from outside, especially since the global Web is exposed to viruses, trojan
horses and hacker attacks. One may also wish to monitor network users and protect
the network from potential Internet threats. To face this challenge and provide
solutions for a broad landscape of users, Microsoft has implemented three types of
clients in ISA Server:
Firewall clients – all computers that have Firewall Client software
installed and active,
SecureNat clients – all computers that do not have Firewall Client
Web Proxy clients – all Web browser clients are configured to use
Feature | SecureNAT Client | Firewall Client | Web Proxy Client
Installation required? | No, but some network configuration changes | Yes | No, requires Web browser configuration
Operating System support | Any OS that supports TCP/IP | Only Windows platforms |
Protocol support | Requires application filters for multi-connection protocols | | HTTP, SHTTP, FTP, Gopher
 | No | Yes | Yes
Server applications | No installation or configuration required | |
Table 3 Comparison of ISA Server Clients
Both Firewall and SecureNAT clients include the Web Proxy client service, since all Web
client requests are passed to the Web Proxy. All other requests sent by either Firewall
or SecureNAT clients are redirected to other modules within ISA Server.
Before selecting the client type for a specific enterprise, it is necessary to identify
which applications and protocols are to be used on the network. A proper evaluation
helps ensure trouble-free use of Web services without continuous changes to the
configuration. Choosing the right clients is also the foundation of network security,
since a more liberal access policy to Internet facilities may threaten not only
e-privacy but also e-access. It is enough to realise that a few users downloading MP3
or AVI files from the Net with a few Internet sessions open will be sufficient to
occupy an enterprise connection at nearly 100 percent utilisation.
Network need | Client type | Reason
To avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration on client machines.
To use ISA Server only for forward Web caching. | SecureNAT | If one uses ISA Server as a Web caching server, one will not have to deploy any
One wants to create user-based access rules to control non-Web Internet access. | Firewall Client | If one uses Firewall clients, one may configure access rules for non-Web sessions. However, these rules will be effective only if one configures ISA Server to require authentication information with each session.
The network supports many roaming users and | Firewall Client | SecureNAT clients do not support automatic discovery of ISA server. When one configures automatic discovery, roaming users or computers cannot connect to the Internet server as
The clients need access (outside of Web browsers) to protocols with secondary connections to the Internet via FTP. | Firewall Client | SecureNAT clients do not support protocols with secondary connections.
To support dial-on-demand for non-Web sessions from the clients. | Firewall Client | Though SecureNAT supports dial-out, only Firewall clients support dial-on-demand for non-Web sessions.
Table 4 Choosing an ISA Server Client Type
Table 4 summarises the choices that help select the right clients for a specific
enterprise. For a more detailed specification of the particular client types, see the
files attached to the program.
Because many extras are included with ISA Server, additional information may be
required; it can be found on the Internet at the following sites
Microsoft Press Publishing:
MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000
Microsoft ISA Server, Part II – Firewall
Functions, Publishing Policy Rules
ISA Server Security Configuration
It is recommended to define the server security level before beginning the ISA Server security
configuration. To configure the appropriate security level, right-click the server icon in the
Servers and Arrays -> Server name -> Computers and select “Secure…” to start the wizard.
After the wizard starts, a warning message will appear saying that any changes made to the
settings cannot be undone.
Fig. 1 ISA Server Configuration Wizard warning
The wizard offers three levels of security, so in the next step configure the level that
is appropriate for your ISA Server. When selecting security options, consider primarily
the service to be provided by the server, for instance whether it is intended to perform
firewall-only services or also domain controller or file server roles. The access level
granted to the server then depends on this choice.
Fig. 2 Choosing ISA Server security level
To configure the chosen security level, run one of the template files below (see
Table 1), which are available for this purpose.
Table 1 ISA Server Security scenarios
Security Level | Security Template | Domain Controller Security Template
Secure | Basicsv.inf | Basicdc.inf
Limited Services | Securews.inf | Securedc.inf
Dedicated | Hisecws.inf | Hisecdc.inf
All these templates are available in the directory %SystemRoot%\security\Templates\. If
necessary, the security scenarios can be modified. Knowledgeable administrators may
create their own security schemes to meet the requirements established in the company's
IT security policies and provide maximum control over access to the server and to the
files it contains and manages.
Once these procedures are completed, the Active Directory schema will be updated and you will
be prompted to restart the computer.
Policy-based Access Control
As with most firewalls, ISA Server lets the administrator configure detailed usage
policies. These rules apply to both outgoing traffic (e.g. local users) and incoming
traffic (e.g. external users, teleworkers or potential hackers). Each packet that passes
through ISA Server can be logged, giving a record of Internet connection usage, attack
attempts etc. Prior to configuring the access policy rules, one should define the access
policy elements on which they are built. These are available at the tab: Servers and
Arrays -> Server Name -> Policy Elements.
These elements include:
Schedules – these determine when the rule is in effect. They allow configuration of a
very flexible security policy. For example, a group of users can be restricted to access
specific Web pages during working hours and to have full Internet access at all other
Bandwidth priorities – to prioritize ISA Server-based network connections. There is a
default bandwidth rule – all connections have the same priority.
Destination sets – this set may contain the IP address, the IP range, computer name
and a specific path on the destination server and may give access, for example, to the
following destination only: www.faq.net.pl/binaries. You can use an asterisk (*) to
specify a group of all computers in the domain. E.g., if there is a need to create a group
encompassing all computers from the domain bsi.net.pl, produce the destination set
containing “*.bsi.net.pl”. Destination sets can be further used when configuring the
following access policy elements: Site and Content Rules, Bandwidth Rules, Web
Publishing Rules and Routing Rules.
Client Address Sets – the client sets containing the IP address ranges. These can also
be used when configuring the following access policy elements: Site and Content Rules,
Bandwidth Rules, Web Publishing Rules, Server Publishing Rules and Routing Rules.
Protocol Definitions – these include a list of preconfigured protocol definitions
available on ISA Server that are further used to create Protocol Rules and Server
Publishing Rules. In addition to predefined protocols, customisable protocols can be
created and used. In order to create a customised protocol, one must specify the
following information: the number (between 1 and 65535) of the port that will be used
for communication, the protocol type (TCP or UDP), and the direction of the traffic
(Inbound or Outbound). There is also an option called “secondary connections”, which is
the range of port numbers, protocol, and direction used for additional connections or
packets that follow the initial connection.
Content Groups – include groups of file types subdivided in eleven categories:
Applications, Application Data Files, Audio, Compressed Files, Documents, HTML
Documents, Images, Macro Documents, Text, Video, and VRML.
Dial-Up Entries – these specify the connectivity between the ISA Server computer and
the Internet (or other Dial-Up servers) for dial-up connections. In order to configure
this feature properly, specify the name of the Windows 2000 connection and then the
login and the password of the authorized user.
Once these policy elements have been defined, one can attempt to configure the access rules
that are provided in the “Access Policy” tab and include the following three elements:
Site and Content Rules – which control access to specific destination servers and
certain contents, objects and locations,
Protocol Rules – define which protocol clients can use to access the Internet,
IP Packet Filters – rules that govern packet filtering.
Fig. 3 when configuring Access Rules one will go through Policy Elements and Access
Site and Content Rules
With these rules, the network administrator determines access to contents outside the firewall.
They include information about if and when a client/user, or a client set can access certain
One can allow or deny access to the Internet by creating site and content rules as appropriate.
ISA Server by default disables the use of any protocol.
The illustration below is an example configuration for rules that allow the internal network users
to access the URL: www.securitynet.pl during office hours (09.00-17.00).
Prior to attempting to configure access rules, one must create the following three access policy
Client Address Sets,
All three elements are to be created using a wizard that appears after opening the “Policy
Elements” menu. Right-click “Site and Content Rules” and select “New” to start the New Site
and Content Wizard allowing easy creation of a new filter.
The New Site and Content Wizard
1. Rule Action screen. One can select either of two possible server actions in relation to an
Allow – permits access to the external sites,
Deny – clients matching the rule will be denied access to the external sites. For HTTP
content, requests can be redirected to another server, which may also explain why the
site cannot be accessed.
In this example, Allow will be selected:
2. How to apply the rule. There are four options to select from:
Allow access based on destination,
Allow access only on certain times,
Allow some clients access to all external sites,
Custom – allows for a detailed definition of all three parameters contained in a single
In this example, Custom will be selected:
3. Destination Sets screen. There are three options to select from:
All internal destinations,
All external destinations,
Specified destination sets – (from the drop-down box select the destination set created
in the policy elements).
All destinations except selected sets.
From the drop-down box select the destination set corresponding to the address
4. Schedule screen. – to define the times when the user will have access to the specified
external sites. At this point, select the option from the drop-down box, as appropriate (same as
Fig. 4 Scheduling access times
5. Client type screen. There are two options to select from:
Specific computers (client address sets) – specify the IP addresses of the computers
to which the rule will apply,
Specific users and groups – specify the users or groups (from Active Directory) to
which the rule will apply.
6. Determining the external sites to which the rule applies. In ISA Server, these sites are
subdivided in eleven groups:
Application Data Files,
The contents for individual groups can be viewed at Policy Elements -> Content Groups.
Right-click the tab and select “New” to start the wizard and customize the group “Content”.
Specify the set of documents accessible by the external users.
Fig. 5 On the Content Groups screen one can specify the types to which the rule
created will apply.
Protocol Rules
Protocol rules define the types of Internet connections that clients are allowed to make.
One must adhere strictly to the configuration principles when defining rules for
communication with external networks. When a client requests communication with a
specific object in the external network, ISA Server checks whether a rule allowing
communication over that protocol has been created. If no such rule exists, or access to
the protocol is denied, the request is rejected. Otherwise, the server checks whether the
administrator has permitted the user to access this specific site (in the Site and
Content Rules). Since protocol rules and site and content rules work hand in hand, the
user is allowed to access the site only if both "agree".
When creating rules, be aware that the order in which they appear is irrelevant; however,
rules that deny protocols are processed before rules that allow access. More specifically,
if you configure two conflicting rules for the SMTP protocol, one allowing and one denying
access, all SMTP traffic will be blocked.
Note also that selecting "All protocols" covers only the protocols defined in the
Protocol Definitions. In other words, any non-standard protocol used on the network
must be added to the protocol definitions; otherwise, even with "All Protocols"
selected, the non-standard protocol will be denied.
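The policy elements described earlier (schedules, destination sets with "*" wildcards and paths, client address sets and protocol definitions) and the evaluation order just described, as an added Python example that is not ISA Server's code. The class names, the CIDR form of the client set and the reading that "*.bsi.net.pl" matches hosts below the domain are this example's assumptions; the sample policy is constructed after the www.securitynet.pl office-hours scenario and includes the conflicting SMTP rules.

```python
"""Access policy evaluation: an added example, not ISA Server's code. Policy
elements and rules are modelled as in the article; sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress
from typing import List, Optional, Set


@dataclass
class Schedule:
    """Policy element: weekdays (0 = Monday) and hours on a 24h clock, end exclusive."""
    days: Set[int] = field(default_factory=lambda: set(range(5)))   # Mon-Fri
    start_hour: int = 9
    end_hour: int = 17

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


def always() -> Schedule:
    return Schedule(days=set(range(7)), start_hour=0, end_hour=24)


@dataclass
class DestinationSet:
    """Policy element: entries like 'www.faq.net.pl/binaries' or '*.bsi.net.pl'."""
    entries: List[str]

    def matches(self, host: str, path: str = "/") -> bool:
        for entry in self.entries:
            entry_host, _, entry_path = entry.partition("/")
            if entry_host.startswith("*."):      # assumption: matches any host below the domain
                host_ok = host.endswith(entry_host[1:])
            else:
                host_ok = host == entry_host
            if host_ok and (not entry_path or path.lstrip("/").startswith(entry_path)):
                return True
        return False


@dataclass
class ClientAddressSet:
    """Policy element: client IP ranges (given here in CIDR form)."""
    networks: List[str]

    def contains(self, ip: str) -> bool:
        address = ipaddress.ip_address(ip)
        return any(address in ipaddress.ip_network(n) for n in self.networks)


@dataclass
class Rule:
    """A protocol rule uses 'protocols'; a site and content rule uses 'destinations'."""
    action: str                                        # "Allow" or "Deny"
    clients: Optional[ClientAddressSet] = None         # None: every client
    schedule: Schedule = field(default_factory=always)
    protocols: Optional[Set[str]] = None               # None: "All protocols"
    destinations: Optional[DestinationSet] = None      # None: all external destinations

    def applies(self, client_ip, when):
        return (self.clients is None or self.clients.contains(client_ip)) and self.schedule.active(when)


def decide(matching):
    if any(r.action == "Deny" for r in matching):      # deny rules are processed first
        return False
    return any(r.action == "Allow" for r in matching)  # no matching rule: denied


class AccessPolicy:
    def __init__(self, protocol_definitions, protocol_rules, site_rules):
        self.defined = set(protocol_definitions)       # names present in Protocol Definitions
        self.protocol_rules, self.site_rules = protocol_rules, site_rules

    def protocol_allowed(self, client_ip, protocol, when):
        if protocol not in self.defined:               # undefined: denied even under "All protocols"
            return False
        return decide([r for r in self.protocol_rules if r.applies(client_ip, when)
                       and (r.protocols is None or protocol in r.protocols)])

    def site_allowed(self, client_ip, host, path, when):
        return decide([r for r in self.site_rules if r.applies(client_ip, when)
                       and (r.destinations is None or r.destinations.matches(host, path))])

    def evaluate(self, client_ip, protocol, host, path, when):
        """Protocol rule first, then site and content rule; both must agree."""
        if not self.protocol_allowed(client_ip, protocol, when):
            return False, "protocol rule"
        if not self.site_allowed(client_ip, host, path, when):
            return False, "site and content rule"
        return True, "allowed"


# Constructed sample policy: internal users may reach www.securitynet.pl during
# office hours; SMTP is both allowed (via "All protocols") and denied.
INTERNAL = ClientAddressSet(["192.168.0.0/16"])
POLICY = AccessPolicy(
    protocol_definitions=["HTTP", "HTTPS", "SMTP"],
    protocol_rules=[Rule("Allow", clients=INTERNAL),                     # "All protocols"
                    Rule("Deny", clients=INTERNAL, protocols={"SMTP"})],  # conflict: deny wins
    site_rules=[Rule("Allow", clients=INTERNAL, schedule=Schedule(),     # 09.00-17.00 Mon-Fri
                     destinations=DestinationSet(["www.securitynet.pl"]))],
)
```

Calling `POLICY.evaluate("192.168.1.10", "HTTP", "www.securitynet.pl", "/", datetime(2024, 3, 4, 10, 0))` (a Monday morning) returns allowed; the same request at 20.00 fails on the site and content rule, SMTP fails on the protocol rule because the deny rule wins the conflict, and a protocol missing from the definitions (Gopher here) fails even though an "All protocols" allow rule exists.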
Continuing the previous example: to allow users to reach the site www.securitynet.pl,
the HTTP protocol must be enabled.
Following that step, proceed as follows:
1. Start the "Protocol Rules" wizard,
2. Select whether the rule is to Allow or Deny use of the protocol,
3. Select the protocol.
Fig. 6 Configuring the protocol to which the rule applies
4. On the Schedule screen, select the times for accessing the protocol, for example from
09.00 a.m. to 05.00 p.m.
5. Similarly to Site and Content Rules, select users or groups of computers to access the
Once the above filters are properly configured, the users will be allowed to access the site
IP Packet Filters
The last group of filters available to the Microsoft ISA Server administrator are packet
filters. IP packet filters combined with IP routing allow the creation of a secure
perimeter network (also known as a DMZ, demilitarized zone). As with the previous two
types of rules, a wizard is available to help with the configuration.
1. When creating an IP packet filter, one must first set the action for packets
transferred through the firewall:
- Allow packet transmission,
- Block packet transmission.
2. In the “Filter Type” dialog box, select either a predefined filter suitable for a few basic
communication purposes or click “Custom”.
3. In the “Filter Settings” box set the following parameters:
- IP Protocol
i. Custom Protocol – one must specify a protocol number,
ii. Any (encompasses all protocols),
- Local Port
i. All Ports,
ii. Fixed Port,
iii. Dynamic Ports.
- Remote Port
i. All Ports,
ii. Fixed Port,
iii. Dynamic Ports.
4. Specify the IP address of the computer to which the rule will apply. One may select
from the following options:
- Default IP addresses for each external interface on the ISA Server computer,
- This ISA server’s external IP,
- This computer (on the perimeter network) - (DMZ).
5. In the final step, one must define remote computers or a range of remote computers to
which the rule you create will apply.
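The parameters gathered by the five steps above map onto a small matching model. The following is an added example written for this article, not ISA Server code: each filter carries a mode, an IP protocol, local and remote port specifications (all, fixed or dynamic), a local address (the ISA Server's external interface or a perimeter-network host) and a remote computer or range. It assumes that “Dynamic Ports” means 1025-5000, that block filters take precedence over allow filters, and that a packet no filter matches is dropped; all addresses are constructed documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DYNAMIC_PORTS = range(1025, 5001)   # assumed meaning of "Dynamic Ports": 1025-5000

@dataclass
class PacketFilter:
    mode: str                      # "allow" or "block"
    ip_protocol: object = "any"    # IP protocol number (6 = TCP, 17 = UDP) or "any"
    local_port: object = "all"     # "all", "dynamic", or a fixed port number
    remote_port: object = "all"    # same choices for the remote side
    local_addr: str = "external"   # "external" = the ISA Server's external IPs, else a DMZ host IP
    remote_net: str = "0.0.0.0/0"  # remote computer or range the filter applies to

def make_packet(proto, local_ip, local_port, remote_ip, remote_port):
    return {"proto": proto, "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port}

def _port_matches(spec, port):
    if spec == "all":
        return True
    if spec == "dynamic":
        return port in DYNAMIC_PORTS
    return spec == port

def filter_matches(f, pkt, external_ips):
    if f.ip_protocol != "any" and f.ip_protocol != pkt["proto"]:
        return False
    if not (_port_matches(f.local_port, pkt["local_port"])
            and _port_matches(f.remote_port, pkt["remote_port"])):
        return False
    if f.local_addr == "external":
        if pkt["local_ip"] not in external_ips:
            return False
    elif pkt["local_ip"] != f.local_addr:
        return False
    return ip_address(pkt["remote_ip"]) in ip_network(f.remote_net)

def packet_allowed(filters, pkt, external_ips):
    # Block filters take precedence over allow filters; unmatched packets are dropped
    matched = [f for f in filters if filter_matches(f, pkt, external_ips)]
    if any(f.mode == "block" for f in matched):
        return False
    return any(f.mode == "allow" for f in matched)

# Constructed perimeter: ISA external IP 198.51.100.1, DMZ web server 198.51.100.10
EXTERNAL_IPS = {"198.51.100.1"}
EXAMPLE_FILTERS = [
    PacketFilter("allow", 6, 80, "all", "198.51.100.10"),                      # HTTP into the DMZ host
    PacketFilter("allow", 6, 25, "all", "external"),                           # SMTP to the ISA Server
    PacketFilter("allow", 17, "dynamic", 53, "external", "192.0.2.53/32"),     # DNS replies from one resolver
    PacketFilter("block", "any", "all", "all", "external", "203.0.113.0/24"),  # a blocked remote range
]
```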
Publishing Policy Rules
Nowadays, having a registered web site and an email facility is becoming standard for all types of
businesses throughout the world. Many organisations decide to outsource networking services
to ISPs, assuming that such services are always secure and always available. However, such a
solution may be somewhat inconvenient for the users: if, for example, one needs a new email
account, a specific request must be made and sent to the ISP for this service. It seems that
for just this reason there is a tendency among network managers in many companies to
relocate servers to their corporate networks, but few are aware of how threatening such a
decision may be. A server – whether a Web server, email server or any other service – is only
as secure under a publishing policy as the system administrator's ability to define the ports
over which a specific service is to be passed. With ISA Server, publishing policy rules
consist of two categories of rules that allow information to be securely published to the external
Web Publishing Rules – for publishing Web servers only
Server Publishing Rules – for publishing other Web sites.
In line with Microsoft's practice for newly introduced products, the configuration procedure is
simplified by providing suitable wizards.
There are three built-in configuration wizards:
Web Publishing Rule wizard.
1. In order to create a Web publishing rule, right-click Servers & Arrays -> Server Name ->
Publishing -> Web Publishing Rules and from the context menu select New -> Rule.
2. In the next step, select the destination set to which the rule you are creating will apply.
If this is a corporate network Web server, select the computer in the internal network to
make it available to the hosts.
3. Next, one must configure the hosts whose requests are to be governed by the rule being
created. For instance, in the case of a Web server where the organisation's web site is
published, select “Any request”. If it is an Intranet service that will be accessed by
remote users, one may define the range of IP addresses to which the rule will apply, or
select users that, after authentication, will be allowed to access the Web server.
4. In the final step, one must define what happens when a request matches the parameters
mentioned above. For example, one may define that such a request is ignored, or decide
to which server located behind the ISA Server computer it is redirected. Once this rule is
created, any incoming HTTP requests sent to the ISA Server address will be redirected to
the corporate Web server. This enhances security because Internet users are not allowed
to access the Web server directly. ISA Server will cache all requests.
Fig. 7 The Web Publishing Rules Wizard
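As an added illustration of the decision made in step 4 (example code written for this article, not ISA Server's own), the routine below walks an ordered list of Web publishing rules: a rule applies when the request's destination (host and path prefix) is in its destination set and the client qualifies (any request, an IP range, or an authenticated user), and then either discards the request or redirects it to an internal server whose address the external client never sees. Rule order, the constructed host names and the internal addresses are assumptions; an unmatched request is treated as discarded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class WebPublishingRule:
    destinations: list            # destination set: (host, path prefix) pairs
    clients: object = "any"       # "any", an IP range like "10.0.0.0/8", or a set of user names
    action: str = "redirect"      # "redirect" to the internal server, or "discard"
    internal_server: str = None   # host:port of the Web server behind the ISA Server computer

def _client_matches(rule, request):
    if rule.clients == "any":
        return True
    if isinstance(rule.clients, set):          # only authenticated, named users qualify
        return request.get("user") in rule.clients
    return ip_address(request["client_ip"]) in ip_network(rule.clients)

def _destination_matches(rule, request):
    return any(request["host"] == host and request["path"].startswith(prefix)
               for host, prefix in rule.destinations)

def route_request(rules, request):
    """Return ("redirect", internal host:port) or ("discard", None).
    Rules are consulted in order; a request no rule matches is discarded."""
    for rule in rules:
        if _destination_matches(rule, request) and _client_matches(rule, request):
            if rule.action == "discard":
                return ("discard", None)
            return ("redirect", rule.internal_server)
    return ("discard", None)

# Constructed rules: the public site is open to any request, the intranet site only to
# authenticated users, and a retired host name is discarded explicitly.
EXAMPLE_RULES = [
    WebPublishingRule([("www.example.com", "/")], "any", "redirect", "10.0.0.5:80"),
    WebPublishingRule([("intranet.example.com", "/")], {"alice", "bob"}, "redirect", "10.0.0.6:8080"),
    WebPublishingRule([("old.example.com", "/")], "any", "discard"),
]
```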
The Secure Mail Server Wizard.
1. In order to configure a secure internal email server, on the “Servers & Arrays ->
Server Name -> Publishing -> Server Publishing Rules” tab, right-click “Secure Mail
2. In the next step, define communication protocols (SMTP incoming, SMTP outgoing,
Exchange/Outlook, IMAP, POP, NNTP) and the certificate for authenticating to the SSL
server (no encryption or SSL encrypted).
3. Next, specify the internal IP address (from those IP addresses that belong to the ISA
Server) used to redirect requests to the internal server.
4. In the final step, one must specify the IP address of the internal server (located behind
the ISA Server computer) that will handle the requests defined in step 2 above.
Fig. 8 The Secure Server Publishing Rules Wizard
Naturally, it is not necessary to place all these services on a single ISA Server, although the
Internet sees only one IP address through the connection.
The New Server Publishing Rules Wizard
1. The server publishing service allows an internal server to be made accessible to external
clients. To start the configuration, on the “Servers & Arrays -> Server Name ->
Publishing -> Server Publishing Rules” tab, right-click and select “New -> Rule”.
2. Specify two IP addresses: the IP address of the server in the internal network, and the
IP address of the ISA Server that will be visible to the external Internet clients for whom
the service you create will be available.
3. In the final step, one must define the protocol that will be followed by the external
Internet clients when accessing the internal server located behind the firewall. From the
drop-down box, you can select any filter that is predefined in the “Protocol Rules” tab
and is marked “Inbound” in the “Direction” tab.