
Microsoft ISA Server 2006

ISA Server 2006: A School Guide


Introduction
Since most networks are connected to the worldwide Web, a secure connection is an extremely
important task for any webmaster nowadays. Concerning security, the two most important
aspects are as follows. First, you have to protect the network against external intruders to
prevent them from causing damage by destroying public or internal information. Second, you
must provide prompt and stable access to all services for internal network users, but prevent
them from abusing network resources by any activity that might not be in accordance with
their job description or might even be against the law.
Computers and any other hardware devices or software tools that protect networks are called
firewalls. Firewalls fall into two basic categories, hardware and software. Hardware firewalls
are specialized devices, usually equipped with proprietary systems. A hardware firewall is
inserted between the Web connection and the internal network, and all Web communication
goes through it. The communication is thus under the full control of the firewall and can be
cancelled on any suspicion of an attack or violation of the communication rules. Configuring a
hardware firewall is a complex task for a webmaster, requiring a thorough understanding of
the issues and some experience in dealing with them.
The second category are the software firewalls. These are regular PCs with extra network
adapters. Software firewalls are located at the same position in a network as the hardware
ones, i.e. one adapter connects the firewall with the internal network and the second one with
the Internet (using the ISP¹ network). The PC needs an operating system with a
communication module that provides the communication between the Web and the internal
network. This communication can be monitored, logged, analyzed and filtered by special
applications against any unwanted data exchange. Microsoft ISA Server, version 2006, is one
of the software firewalls. You can administer it through a GUI in a very simple way. The initial
settings are typically made with predefined templates, and there are many how-to's that let
you set up further services and rules. The support for networks based on Microsoft Windows
Server systems should be considered a big advantage of the ISA Server. Furthermore, the
integrated support of the Active Directory service allows you to base the communication rules
on existing user accounts or objects from the Active Directory. The built-in VPN support
allows a safe connection between the internal network and a remote Web user.
This handbook is dedicated especially to network administrators of elementary and secondary
schools with minimal or no experience with firewall administration. It will allow you to
understand the basic firewall principles and functions and to install, configure and administer
the Microsoft ISA Server in order to increase the school network security, to protect the
network against abuse by students and to lower the expenses of dealing with network
security.

¹ ISP = Internet Service Provider

Microsft ISA Server 2006 – A School Guide Page 2


Microsoft ISA Server 2006

Microsoft ISA Server 2006 is software designed for building a secure Web gateway on
machines running the Microsoft Windows Server 2003 operating system.
• First, the ISA Server can protect the internal network against spurious communication
and against targeted attacks, and it controls the users' access from the internal network to
the Web. Different user groups can be allowed or denied the use of the Web or of
particular Web server services (Web access, e-mail).
• Second, the ISA Server can make some internal network services available (public) to
Web users. If a school or a company has its own Web server or mail server, these
services can be used for the presentation of the subject (the school or company), internal
mailing, communicating with Web users and maintaining the users' mailboxes.
• Third, the ISA Server can provide a Web cache service. You can configure your ISA
Server so that it holds the contents of the Web pages accessed from the internal network
in its memory for some period of time. If a user requests a page stored in the Web cache
during this period, it is supplied promptly. This is a way to save the transmission capacity
of the Web lines and to reduce the Web response time for users.
• Last but not least, you can easily set up your ISA Server as an integrated VPN gateway
for secure remote connections to the internal network. If needed, these connections can
be encrypted, and their control is performed by means of the user accounts or groups in
the Active Directory. A remote user can access his private data on the server, such as
files with training courses. A VPN gateway also enables transparent connections between
networks (schools, offices etc.); however, this discussion goes beyond the scope of this
handbook, which describes just common school networks.

Figure 1: How to locate the ISA Server

There are two editions of the Microsoft ISA Server 2006. The Standard edition is designed
for users who need to protect their network, typically with a single firewall. The Enterprise
edition, on the other hand, is designed for large companies administering several groups
(arrays) of firewalls. Each array can be located in a separate part of the network (a complex
network infrastructure with a high degree of security), and an array can be composed of more
than one firewall with identical functionality in order to distribute the network load among
several machines. This handbook discusses just the Standard edition of the ISA Server,
designed for small networks.



ISA Server as Firewall
A firewall is a device residing between several network segments and representing a
communication gateway between them. We will be discussing two networks in this handbook,
such as you can see in Figure 1. The firewall is configured according to communication rules
so as to allow only the granted communication between the two network segments.
ISA Server 2006 plays the role of a firewall. After installing the firewall, no communication
between the networks is allowed in the default state. If you place the firewall according to
Figure 1, no Web access would be allowed to any internal network user. However, no
communication inside the internal network is affected by the firewall. There are three types of
ISA Server firewall filtering: packet filtering, stateful filtering and application-layer filtering.
• Packet filtering handles the information in the packet headers. An arriving packet is
opened by the ISA Server on the network interface, and the IP addresses and port numbers
of both sender and receiver are found. This information is compared with the defined rules.
If there is a rule allowing the communication, the packet is sent on to the destination host.
If there is none, the packet is dropped.
• Stateful filtering is used for a more complex restriction of network communication. The
ISA Server checks that the communication proceeds correctly according to the TCP
protocol. A TCP connection passes through several states (establishing the connection,
data transfer, closing the connection), and the different TCP packet types represent the
different connection phases (states). The ISA Server thus checks that connections are
established and closed correctly, and packets are dropped on any incorrect communication
(i.e. a possible attack).
• Application-layer filtering performs communication checking and filtering based on the
application protocols. Most application-level attacks cannot be prevented by packet or
stateful filtering. An application filter checks the packet body according to a particular
protocol (for instance HTTP, POP3 or SMTP). A Web server's functionality might be
compromised and restricted by an intentionally malformed HTTP message. HTTP
application filtering can be used, for instance, to detect and block Web communication
containing defined keywords or transferring disallowed file types (files with forbidden
extensions).
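The three filtering layers just described, modelled as an added example that is not part of this handbook and not ISA Server code. The rule table, the blocked extensions and keywords, and the sample packets (internal host 192.168.1.10 talking to a Web server at 203.0.113.5) are constructed for the illustration; the stateful layer tracks only client-originated packets, which is enough to show why a packet with no preceding connection setup is dropped.

```python
"""Toy model of the three filtering layers: packet filtering (header fields
against ordered rules), stateful filtering (TCP connection state tracking)
and application-layer filtering (inspection of the HTTP request line).
Constructed illustration, not ISA Server code."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # sender IP address
    dst: str            # receiver IP address
    dport: int          # receiver port
    flags: str          # TCP flag summary: "SYN", "ACK" or "FIN"
    payload: str = ""   # application data carried by the packet, if any


# Layer 1: packet filter. Rules are (sender prefix, receiver port, action),
# evaluated in order; no matching rule means the packet is dropped.
PACKET_RULES = [
    ("192.168.1.", 80, "allow"),
    ("192.168.1.", 443, "allow"),
]


def packet_filter(pkt):
    for prefix, port, action in PACKET_RULES:
        if pkt.src.startswith(prefix) and pkt.dport == port:
            return action
    return "deny"


# Layer 2: stateful filter. Only client-originated packets are modelled:
# a SYN opens a connection, ACKs are accepted only for a known connection,
# a FIN closes it. Anything else is out of sequence and dropped.
class StateTable:
    def __init__(self):
        self.connections = {}   # (src, dst, dport) -> state

    def check(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        state = self.connections.get(key)
        if pkt.flags == "SYN" and state is None:
            self.connections[key] = "SYN_SENT"
            return "allow"
        if pkt.flags == "ACK" and state in ("SYN_SENT", "ESTABLISHED"):
            self.connections[key] = "ESTABLISHED"
            return "allow"
        if pkt.flags == "FIN" and state == "ESTABLISHED":
            del self.connections[key]
            return "allow"
        return "deny"


# Layer 3: application filter for HTTP. Blocks malformed request lines,
# disallowed file extensions and defined keywords in the requested URL.
BLOCKED_EXTENSIONS = (".exe", ".scr")
BLOCKED_KEYWORDS = ("gambling",)


def http_filter(payload):
    parts = payload.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny"           # not a well-formed HTTP request line
    url = parts[1].lower()
    if url.endswith(BLOCKED_EXTENSIONS):
        return "deny"
    if any(word in url for word in BLOCKED_KEYWORDS):
        return "deny"
    return "allow"


def run_firewall(packets):
    """Apply the three layers in turn; the first layer that denies wins."""
    state = StateTable()
    decisions = []
    for pkt in packets:
        verdict = packet_filter(pkt)
        if verdict == "allow":
            verdict = state.check(pkt)
        if verdict == "allow" and pkt.dport == 80 and pkt.payload:
            verdict = http_filter(pkt.payload)
        decisions.append(verdict)
    return decisions


# Constructed sample traffic from internal hosts to a Web server.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", "203.0.113.5", 80, "SYN"),
    Packet("192.168.1.10", "203.0.113.5", 80, "ACK", "GET /index.html HTTP/1.1"),
    Packet("192.168.1.10", "203.0.113.5", 80, "ACK", "GET /tools/setup.exe HTTP/1.1"),
    Packet("192.168.1.11", "203.0.113.5", 80, "ACK", "GET / HTTP/1.1"),  # no SYN first
    Packet("192.168.1.10", "203.0.113.5", 25, "SYN"),                    # no rule for port 25
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_firewall(SAMPLE_PACKETS)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {pkt.flags:3} {verdict}")
```

The first two packets pass all three layers; the third is accepted by the header and state checks but denied by the HTTP filter because of the .exe extension; the fourth is denied by the stateful layer because no connection was opened from 192.168.1.11; the fifth never gets past the packet filter.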

ISA Server and Secure Web Access


You can use the ISA Server to secure the communication between the internal network users
and the Web. For this purpose, all communication between the clients and the Web should
pass through the ISA Server. The ISA Server then acts as a proxy between the internal
network client and the Web server.
Assume that all client requests are sent to the ISA Server. They are then forwarded to the
Web, and the corresponding replies are accepted and passed back to the internal network
clients. In this case, no direct connection between the internal network client and the Web
server is needed, and the configuration of the clients and of the internal network is invisible
from the Web. Furthermore, requests and replies can be filtered and blocked by the ISA
Server according to user names, IP addresses, states, contents or time schedule. You can
also assign selected services (Web, mail) on selected Web servers to particular users
according to rules defined by the administrator.
You can also use the ISA Server as a caching server. A cache is a temporary store for
frequently used objects and URLs from Web servers. Caching may increase performance by
returning the information stored in the cache rather than fetching it from the Web. For
instance, if you need data from a Web server, you send the request to the ISA Server. If the
requested page is not stored in the server cache, the appropriate Web server is contacted,
and the reply is both sent to the requesting user and stored in the cache (which may
physically be the computer memory or space on a hard disk). Any further requests for the
same page are served from the ISA Server cache until it becomes out of date. This helps
you to save the transmission capacity of the Web lines, and the Web response time for users
is reduced as well.

Publishing the Web Services by the ISA Server


You often have to make internal network resources available to anonymous or known users.
The most common example of such access is the presentation of a subject (school or
company) residing on an internal network Web server. Next, some subjects need at least
e-mail communication with remote domains. There are special firewall rules for such
purposes.
One of the publishing rules is the rule for publishing a Web server. The ISA Server then
listens for Web clients' HTTP requests on its Web interface. Requests that comply with the
rule are forwarded to the internal Web server, and the Web server's response is returned to
the sender of the request.
The Web server publishing rules provided by the ISA Server can be applied to a single
internal network Web server. You can also use these rules to hide the structure of the
internal Web servers, so that multiple Web servers appear to Web users as a single
presentation on a single server. The Web server publishing rules are also able to publish
multiple presentations from more than one server on a single external IP address using the
standard Web server port 80.
An obvious feature supported by the ISA Server is also the use of the HTTP application filter
for tracing the application-level communication, and support for HTTPS-encrypted connections
between the Web client and the ISA Server, between the ISA Server and the internal Web
server, or on both legs. If you publish, for instance, an internal Web server with a company
information system that should be available just to internal users, you can configure the ISA
Server to ask users for authentication by user name and password. The identity of such a
user is usually checked against the Active Directory service, and it can be forwarded
(delegated) to avoid a second login on the destination server running the information
system.
The ISA Server also offers many wizards for publishing common services. For instance, a
wizard for publishing access to a mail server can simply make the Microsoft Exchange OWA
(Outlook Web Access) Web interface available by creating a particular rule for publishing
OWA, so that the Exchange Server is reachable from the Web. Other wizards give you
simple firewall rules to let the mail server accept messages from the Web or to let the
mailbox owners access their mailboxes from home using mail clients and protocols such as
IMAP and POP3.
For publishing other, non-Web server services, server publishing rules are used, which are
simpler than the complex rules for publishing Web services. With these rules, neither
authentication nor publishing multiple servers on a single port is possible. As an example of
how to publish the remote desktop protocol (RDP) of an internal server for remote
administration, port 3389 is enabled on the ISA Server's Web interface. When a Web user's
client establishes a connection to the ISA Server, the communication is forwarded to the
published internal network server. If you want to publish another server or host with the
same RDP protocol, you have to do it on some nonstandard port of the ISA Server. These
server publishing rules also do not support authentication and access control based on the
user name; the authentication is performed by the application protocol itself. RDP
authentication is performed by entering the user's name and password on the login screen
after the client connects to the remote desktop, i.e. after the ISA Server has allowed the
communication and the connection with the destination service has been established.

ISA Server as VPN Gateway


Publishing the internal network resources on the Web might sometimes be insufficient. Some
companies want to make all network resources available to authorized users. A VPN is a
secure network connection between a Web client and the internal network. The connection
is carried over the public Web network. Even if a packet of the VPN connection were
captured, it would remain illegible to an unauthorized person. This is the client-server
connection type.
Second, the VPN gateway allows connecting multiple networks, such as two separate offices
of a company. This connection can be established on demand when one office needs to
communicate with another, or it can be permanently active. The VPN tunnel between two
networks is encrypted and authenticated for security as well. This is the server-server
connection type.
Both of the above-mentioned ISA Server VPN connection alternatives can be used, i.e.
connecting a remote client and connecting multiple networks (company offices). The rules
allowing communication with remote VPN clients are then usually less restrictive than the
rules for Web communication, or there might even be no communication restrictions at all
between a VPN Web client and the internal network.

ISA Server History

Microsoft Proxy Server


The first member of the ISA Server product line was Microsoft Proxy Server, released in
1996. It was a server that made the Web available to the internal network clients. It worked
as a cache server and, through the Winsock proxy, it enabled access to the Web not only for
Web browsers but also for other applications.

In 1999, the enhanced Microsoft Proxy Server 2.0 was released. It supported multiple server
arrays, so that the internal network clients' requests could be spread across the particular
servers in an array. Web availability was also improved: in case of a server outage, the other
servers were able to process the requests. Next, since different Web pages were stored on
each server, the cache feature was improved as well; the cache was distributed over all
servers, representing a single logical cache. Besides HTTP, the FTP protocol was supported,
and reverse caching was introduced in order to cache the internal network Web server
content requested by remote clients.

Microsoft ISA Server 2000


The next product version got a new name. Many new or improved features of the ISA Server
2000 reached far beyond the usual definition of a proxy server. A high-quality firewall
solution was added to the former proxy and cache functions of the ISA (Internet Security
and Acceleration) Server 2000.
Besides the ISO/OSI model multilevel network, transport and application layer filtering
(packet, stateful and application filters), ISA Server 2000 supplied many new features. They
include:
• AD integration – ISA Server can cooperate with the Active Directory database. The
firewall rule definitions can be based on users and user groups provided by Active
Directory.
• VPN integration – ISA Server can be used as a server for remote VPN clients or as a
VPN gateway to another remote network (office).
• Attack detection – This function observes communication attempts and reports possible
attack attempts, such as remote port scanning of the ISA Server.
• SecureNAT client support – allows hosts without an installed firewall client to use the
ISA Server services.
• Monitoring and reporting – ISA Server allows tracing performance and generates reports
on ISA Server usage.
• E-mail screening – tracing and filtering the communication between the Web and the
internal network e-mail server. However, this feature was abandoned in the later versions,
and ISA Server 2006 no longer supports it.

Microsoft ISA Server 2004


ISA Server 2004 supplied a new, more transparent user interface. There are some important
improvements compared with ISA Server 2000:
• Multiple networks support – The ISA Server administrator can define multiple networks
represented by hosts in multiple LANs. The rules for permitted communication are then set
between those networks.
• Network route and NAT relations – Network Address Translation (NAT) allows
communication initiated from one network to another. This involves hiding the identity of
the network behind the ISA Server. Routing is performed by standard packet relaying (as it
is done on routers). The communication can be initiated from both networks, and it is
transparent: the network identity is not hidden. Compared with ISA Server 2000,
communication performed by routing is under the full control of the ISA Server and is
filtered, too.
• VPN clients network – The clients connected to the ISA Server through a VPN channel
are not part of the internal network; they belong to a special VPN clients network. Their
communication with the internal network is a network-to-network type of communication
that is under full ISA Server control and filtering.
• VPN quarantine – It protects the internal network against dangerous VPN clients, which
can be any host worldwide. This is the reason why you can place any client into quarantine
first and verify it. The verification can include detecting the installed antivirus and its
version, verifying the personal firewall (a part of Windows XP SP2 or from any third-party
producer) or any other check. The internal network access of clients that fail the quarantine
check can be limited.
• Rule-based HTTP application filtering – The HTTP filter is set not only at the global ISA
Server level, but it may also be configured for particular rules. Different filters can be used
for particular users or for different destination Web servers.
• HTTP filter blocking of executable files – The HTTP filter can be set to block the transfer
of executable files over HTTP regardless of the file extension.
• Connectivity verification – Some hosts and services, such as Active Directory, DNS or a
Web server, may be monitored by the ISA Server. If a problem appears, the administrator is
informed by e-mail or similar means.
• Report publishing – Automatically generated ISA Server reports may be stored in a
shared folder on some server.
• Logging to an MSDE database – This is the default form of the log file. The logged
information can be displayed simply by a database query assembled in the ISA Server
console.
• Administrative roles – Selected users can be assigned some of the roles of the ISA
Server 2004 administrator. This way, users can be given access to monitoring the ISA
Server functions without being able to change the server configuration.
• OWA forms-based authentication – It is a secure way of obtaining the user's sensitive
login information, checked against Active Directory, for logging in to the Exchange mail
server interface from the public Web environment.
• Import and export of settings – Any component of the ISA Server configuration, or the
complete configuration, can be stored to or retrieved from an XML file. You can back up
any configuration or transfer it to another server this way.

Microsoft ISA Server 2006


ISA Server 2006 is currently the most recent representative of the Microsoft ISA Server
product line. Some new functions and improvements compared with the 2004 version are as
follows:
• Web farm load balancing – ISA Server 2006 is able to publish a Web server farm
(servers with the same contents). The clients' Web requests are then spread equally among
the particular internal Web servers.
• Web server forms-based authentication – Secure forms-based authentication is no
longer limited to the OWA (Outlook Web Access) service, but may be used for access
authentication to any published Web server. A password change option was added to this
type of authentication, and multiple delegation of authentication was added to the ISA
Server.
• Improved publishing wizards – They allow publishing newer types of services, such as
Exchange 2007 or SharePoint.
• Single sign-on – It makes different Web servers requesting authentication available
without the user authenticating individually on each server.
• Improved overload detection – It provides improved protection of the ISA Server against
overloading by a great number of false connections.
• LDAP authentication – It allows the ISA Server to verify the users' accounts in Active
Directory even when the ISA Server is not a member of the domain.

ISA Server Base Concepts

All hosts are divided into multiple networks by the ISA Server. The internal network is
defined as the range of IP addresses used by the internal network hosts. The internal
network will often use one of the IP address ranges designed for private (local) use:

Class   First address   Last address       Default netmask   Default netmask shortcut
A       10.0.0.0        10.255.255.255     255.0.0.0         IP_address/8
B       172.16.0.0      172.31.255.255     255.255.0.0       IP_address/16
C       192.168.0.0     192.168.255.255    255.255.255.0     IP_address/24
Table 1: Private IP address ranges



Figure 2: Default ISA Server networks

The ISA Server contains some predefined networks. Their meaning is summarized in Table 2.

Localhost – Localhost represents the ISA Server itself.
Internal network – The internal network includes the hosts with the addresses defined by
the administrator during the ISA Server installation. It is a trusted network protected by the
ISA Server against attacks from the Web. The ISA Server is also connected to this network
by a single network interface with a defined IP address from the private network range.
External network – The external network is not defined by any IP address range; it includes
anything that is not defined otherwise. A single ISA Server interface provides the connection
to the external network (i.e. the Web or the ISP network). The IP address of the external
ISA Server interface is typically set according to the agreement with the ISP.
VPN clients network – The VPN clients network includes all hosts connected to the ISA
Server by means of a VPN connection. The VPN clients network IP address range must not
overlap the internal network range or any other network created by the administrator.
VPN quarantined clients – The VPN quarantined clients network includes VPN clients that
have not yet passed the quarantine check, if it was required.
Table 2: Default ISA Server networks

Network Rules
The communication within a single network, for instance the internal one, proceeds
autonomously, i.e. independently of the ISA Server. On the other hand, the communication
between two networks has to pass through the ISA Server, and there has to be a network
rule permitting the communication between the two networks through the ISA Server.
An example of such communication is communication from the internal network to the
external network (such as access to a Web server on the Web), or communication from the
internal network to localhost (for instance remote control of the ISA Server from the
administrator's workstation).

The NAT Network Rule

The first network rule type is the NAT rule. It is a one-way rule, which means that the
communication can be initiated only from one network to the other. Network address
translation (NAT) is performed by the ISA Server, which hides the identity of the network
from which the communication was initiated.
The course of such communication, for the case of a NAT rule from the internal network to
the external network, is shown in Figure 3. A request is sent from an internal network host to,
for instance, a Web server. Since the ISA Server provides the Web gateway, the request is
sent from the host to the ISA Server. Since the ISA Server performs NAT, the sender field in
the IP packet is replaced by the IP address of the ISA Server's external adapter. Because this
address can be reached from the Web, the request can be delivered to the Web server. When
the Web server receives the request for some information, it assembles a response and
sends it back to the sender. Since the Web server received the request from the ISA Server,
the response is addressed to the ISA Server. After the ISA Server receives the response, the
firewall service has to look up the record of the original initiator of the communication. In the
case of Figure 3, this was the host named Pc1, to which the ISA Server delivers the
response. The received page is then displayed by the Web browser on Pc1.

Figure 3: NAT communication

This rule type is mostly used between the internal network and the Web, partly to protect
the identity of the internal network and partly because the NAT mechanism makes the Web
available to clients with private IP addresses used within the internal company network.
Private IP addresses cannot be used on the Web, since no server would be able to deliver a
response to a non-public address.
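The NAT exchange of Figure 3, traced in code as an added example that is not part of this handbook and not ISA Server code. The addresses (Pc1 at 192.168.1.10, the ISA Server's external adapter at 198.51.100.2, a Web server at 203.0.113.5) and the port numbers are constructed; the gateway keeps a translation table keyed by the external port it hands out, which is the "record on the original initiator" the text refers to, and a Route relation is included for comparison because it leaves the addresses untouched.

```python
"""Simulation of the NAT network rule: the gateway replaces the sender address
of outbound packets with its external adapter address, remembers who started
the communication, and maps the reply back to that host. Constructed example,
not ISA Server code; all addresses are made up."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class NatGateway:
    def __init__(self, external_ip, internal_prefix):
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix
        self.table = {}          # external port -> (internal host, its port)
        self.next_port = 20000   # next free port on the external adapter

    def outbound(self, pkt):
        """Internal -> external: rewrite the sender and record the initiator."""
        if not pkt.src.startswith(self.internal_prefix):
            return None          # the NAT rule applies only to the internal network
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=port)

    def inbound(self, pkt):
        """External -> internal: deliver only replies to a recorded initiator."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None          # nobody inside asked for this: dropped
        host, port = entry
        return replace(pkt, dst=host, dport=port)


def route(pkt):
    """Route rule for comparison: the packet is relayed with addresses intact."""
    return pkt


def nat_round_trip():
    gw = NatGateway(external_ip="198.51.100.2", internal_prefix="192.168.")
    # Pc1 asks a Web server for a page.
    request = IpPacket("192.168.1.10", 49152, "203.0.113.5", 80, "GET / HTTP/1.1")
    on_the_wire = gw.outbound(request)
    # The Web server answers the only address it saw: the ISA Server's.
    reply = IpPacket("203.0.113.5", 80, on_the_wire.src, on_the_wire.sport,
                     "HTTP/1.1 200 OK")
    delivered = gw.inbound(reply)
    # A packet from the Web that nobody inside initiated has no table entry.
    unsolicited = gw.inbound(IpPacket("203.0.113.9", 40000, "198.51.100.2", 80))
    return on_the_wire, delivered, unsolicited


if __name__ == "__main__":
    out, back, dropped = nat_round_trip()
    print("sent to the Web server:", out)
    print("delivered to Pc1:      ", back)
    print("unsolicited packet:    ", dropped)
```

The one-way nature of the NAT rule falls out of the table: a reply is delivered only because Pc1's outbound request created an entry, and an inbound packet with no entry is dropped.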



The Route Network Rule

The second network rule type is the Route rule. This rule allows communication between
networks that can be initiated from either network. Since the addresses are not translated,
the sender field is not changed along the whole path to the destination.
For the communication shown in Figure 4, the internal network sender Pc1 has to have a
public IP address that is unique in the whole Web. Companies are mostly assigned an IP
address space that is too small to cover the company's whole internal network, because of
the general shortage of IP addresses worldwide. This problem is the reason why NAT has
been applied massively, and it also drove the new IP protocol version called IPv6.

Figure 4: The Route communication

Routing the communication between the internal network and the Web would not be a typical
example of the Route rule. It is mostly used to set up the communication between different
segments of the company network. As a classical example, let's take the communication
between the internal network and the VPN clients network using the Route rule; these
networks mostly use the Route rule type between each other. Routing can also be applied to
private networks that are not configured with public IP addresses.

Behind the Network Rules

The presence of a network rule between two networks is not sufficient for starting mutual
communication between hosts. This condition is just one of the necessary conditions for the
communication. The network rule states what kind of communication relationship is applied:
routing or NAT. In the case of NAT, the communication can be started in a single direction
only, and the ISA Server has to keep the information about the host to which the responses
are to be returned. Firewall access rules still have to be defined to permit the
communication.

Firewall Rules
Firewall rules grant permission for communication between hosts in different networks. If the
ISA Server receives a packet on one of its interfaces, the packet is opened, and the
necessary sender, receiver, protocol and other information is retrieved from it. The
information is then compared with the firewall rules in their order. The first rule matching the
given communication is applied to allow or deny the communication.
Each rule may look like this:
1. Action – allow or deny the communication
2. Protocol – communication according to a specific application protocol (HTTP,
DNS, POP3 or RDP)
3. Sender – network, IP address or any other item identifying the sender
4. Receiver – network, IP address or any other item identifying the receiver
5. Time schedule – specifies whether the particular rule is applicable at the given time
6. User – user or user group the rule is valid for
If a rule is found that matches the communication according to points 2 through 6 of the
above list, the action in point 1 is applied to allow or deny the communication. If there is
none, the communication is denied automatically.
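First-match evaluation of rules with the six fields listed above, together with the private address ranges of Table 1 used to decide which network a host belongs to, as an added example that is not part of this handbook and not ISA Server code. The network definitions (Internal as 192.168.1.0/24, Localhost as 127.0.0.0/8, everything else External), the user groups (teachers, students, admins) and the three rules are constructed for a small school; the implicit "deny" when no rule matches is the behaviour the text describes.

```python
"""First-match firewall rule evaluation: action, protocol, sender, receiver,
time schedule and user group, plus the private address ranges of Table 1.
Constructed example, not ISA Server code; networks, groups and rules are
made up for a small school."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Private address ranges from Table 1 (first to last address of each class).
PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}

# Networks as an administrator might define them; anything else is External.
NETWORKS = {
    "Localhost": ipaddress.ip_network("127.0.0.0/8"),
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
}


def private_class(ip):
    """Return the private range class ('A', 'B' or 'C') the address is in, or None."""
    addr = ipaddress.ip_address(ip)
    for cls, net in PRIVATE_RANGES.items():
        if addr in net:
            return cls
    return None


def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


@dataclass
class Rule:
    action: str                         # 1. "allow" or "deny"
    protocols: frozenset                # 2. application protocols
    senders: frozenset                  # 3. source networks
    receivers: frozenset                # 4. destination networks
    hours: range = range(0, 24)         # 5. hours of the day the rule applies
    users: Optional[frozenset] = None   # 6. user groups; None means everyone


@dataclass
class Request:
    protocol: str
    src_ip: str
    dst_ip: str
    group: str
    when: datetime


def evaluate(rules, req):
    """Return (action, index of the matching rule); no match means deny."""
    src, dst = network_of(req.src_ip), network_of(req.dst_ip)
    for index, rule in enumerate(rules):
        if (req.protocol in rule.protocols
                and src in rule.senders and dst in rule.receivers
                and req.when.hour in rule.hours
                and (rule.users is None or req.group in rule.users)):
            return rule.action, index
    return "deny", None


WEB = frozenset({"HTTP", "HTTPS"})
RULES = [
    Rule("allow", WEB, frozenset({"Internal"}), frozenset({"External"}),
         users=frozenset({"teachers"})),
    Rule("allow", WEB, frozenset({"Internal"}), frozenset({"External"}),
         hours=range(8, 16), users=frozenset({"students"})),
    Rule("allow", frozenset({"RDP"}), frozenset({"Internal"}), frozenset({"Localhost"}),
         users=frozenset({"admins"})),
]


def sample_decisions():
    """Evaluate a constructed set of requests against RULES."""
    day, night = datetime(2024, 5, 6, 10, 0), datetime(2024, 5, 6, 20, 0)
    requests = [
        Request("HTTP", "192.168.1.20", "203.0.113.5", "teachers", night),
        Request("HTTP", "192.168.1.30", "203.0.113.5", "students", day),
        Request("HTTP", "192.168.1.30", "203.0.113.5", "students", night),
        Request("RDP", "192.168.1.2", "127.0.0.1", "admins", day),
        Request("HTTP", "203.0.113.9", "192.168.1.30", "students", day),
    ]
    return [evaluate(RULES, r) for r in requests]


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```

Rule order matters only where rules overlap; here the student request at 20:00 reaches the end of the list and is denied by the implicit default, and the request arriving from the External network is denied because no rule names External as a sender.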

How to Locate ISA Server in a Network


Including the ISA Server in the company network gives you a choice of a few options. The
particular options differ in the internal network security level, configuration complexity, the
administrator's experience level, and implementation and maintenance costs.
A simple solution with a single firewall on the boundary between the internal network and
the Web is sufficient for simple school networks. This solution is typically called Edge
Firewall. The same name is used for the corresponding template in the ISA Server
administrative console.
The Edge Firewall thus stands on the common boundary between the internal network and
the Web as the only firewall of the company network. If a company network is connected to
the Web, there is mostly a router in this position that provides the Web connection for the
internal network hosts using NAT. If you replace this router with ISA Server 2006, you make
the Web available the same way, and furthermore your configuration may be improved and
made more secure.

Figure 5: Edge firewall

Figure 5 shows the Edge Firewall. Since the ISA Server works as both a router and a
firewall, it should be equipped with at least two network adapters. This arrangement will be
discussed in this handbook.



A more comprehensive security solution is shown in Figure 6. Here the ISA Server is
provided with three network adapters. The first one is designated for the Web connection,
the second one for the internal network, and the third for the demilitarized zone, where the
servers that should be available from the Web are placed. The rules of such a solution are
defined to enable Web users' communication with the servers in the demilitarized zone
without giving them access to the servers or hosts in the internal network.

Figure 6: 3-leg firewall

Another demilitarized zone solution is shown in Figure 7. The ISA Server is used as the
back-end firewall, and either an ISA Server or any other firewall can be used as the
front-end. The demilitarized zone is partially available from the Web, similar to the previous
solution, while the internal network is protected by two firewalls.

Figure 7: Back-end and front-end firewalls

Assigning ISA Server to a Domain

The ISA Server can work either as an Active Directory domain member server or as a
stand-alone server in a workgroup.

ISA Server Clients

This chapter closes with a short list of how the clients are set up to use the ISA Server for
Web access from the internal network.
• Web proxy client – a host whose Web browser (for instance Internet Explorer) is set to
use the proxy server. This proxy server is set to the ISA Server address.
• SecureNAT client – this client's IP configuration is set so that the default gateway is the
ISA Server. Any communication outside the LAN is sent to the ISA Server.
• Firewall client – a host running a special client application providing secure
communication with the ISA Server.
Each client type has its advantages and drawbacks. Multiple client types can be run on a
single host simultaneously. This configuration, including its advantages and drawbacks, will
be discussed in the chapter describing the ISA Server clients.

ISA Server Installation

Preparing the Installation

Before installing ISA Server itself, a few steps are needed to understand the current network architecture, to plan the new ISA Server deployment, and to decide which Internet services will be available to internal users. The goal is not only to state the communication rules for particular user groups, but also to set up the infrastructure so that the allowed services actually work for those users. Every internal host needs a correct TCP/IP configuration and a way to resolve DNS names to IP addresses.
1. Current network mapping – the first step is to understand the current network architecture and collect the necessary information: which IP address ranges are used on the internal network and which internal servers matter. Look at how the workstations are configured (DHCP server) and how DNS names are resolved to IP addresses (DNS server).
2. Necessary network changes – some changes are needed before ISA Server can go live. For instance, all internal hosts have to be reconfigured to use ISA Server for communication with the Internet. You may also need to provide name-to-IP-address resolution for the internal clients, and to make servers published from the internal network reachable by Internet users under the company's DNS names.
3. Access to the Internet – draft the rules that you will later turn into firewall access rules. They should list the user groups that get Internet access, together with the servers and services available to them.
4. Client configurations – based on the information gathered, decide which client access type(s) to ISA Server will be used. Each client type has advantages and drawbacks and they are not interchangeable, so you have to understand the individual client types and know when each can be used.

Network Infrastructure
Several other network services must support ISA Server for the whole network to work correctly. The following services have to be configured properly:
• DNS
• DHCP
• Active Directory

DNS

Resolving a domain name (for instance one typed into a Web browser) to an IP address is a prerequisite for connecting clients to Internet resources. If you decide to publish some internal services on the Internet, Internet users also need a way to obtain the correct IP address of the published server.
Using an internal DNS server. Many organizations run their own DNS server on the internal network, and it can be configured to resolve Internet names as well. Where Active Directory is deployed, the DNS service usually runs on the domain controller and is authoritative for the domain zone. So if a domain controller manages the zone school.com, the DNS server on that domain controller resolves names in school.com. The same server can be configured to resolve other Internet names besides its own domain: set it to forward queries for Internet names to another DNS server, typically the ISP's DNS server. Resolution of the internal domain stays on the internal server.
Configure forwarding on your DNS server as follows:
1. Open the DNS console from Administrative Tools on the domain controller (or on whichever server runs DNS).
2. Right-click the server name in the left pane of the console and choose Properties.
3. Select the Forwarders tab, enter the IP address of the ISP's DNS server in the field and click Add. Your ISP will tell you the address of its DNS server.

Figure : DNS forwarding settings

4. Click OK and close the DNS console.


Using an external DNS server. The second option is to use an Internet DNS server directly, typically when an organization has no DNS server of its own. For Web-Proxy and Firewall clients, ISA Server can act as a DNS proxy: the ISP's DNS server is entered in the IP configuration of the ISA Server external adapter, ISA Server resolves Internet names on behalf of Web-Proxy clients, and Firewall clients delegate name resolution to ISA Server.
ISA Server provides no DNS proxy for SecureNAT clients, so their IP configuration must point to an Internet DNS server (the ISP's DNS server) directly.
In both cases where internal hosts talk to the ISP's DNS server themselves, that is forwarding from the internal DNS server and direct use of the external DNS server by internal clients, a firewall access rule allowing DNS traffic from the internal network to the ISP's DNS server is required. The network template used for the initial ISA Server configuration contains such a rule.
If you rely only on the ISA Server DNS proxy (possible only with Web-Proxy or Firewall clients), no DNS access rule is needed, because the Internet name resolution is done by ISA Server itself, which the default system policy allows to reach any DNS server.

Active Directory

If you want to restrict Internet access by user name or user group from the internal network, or to limit what unauthenticated users may do with published servers, integrating ISA Server with the Active Directory domain is the natural choice: an ISA Server that is a domain member can authenticate domain users without any extra configuration.
ISA Server can also authenticate domain users when it is not a domain member, using LDAP (Lightweight Directory Access Protocol) or RADIUS (Remote Authentication Dial-In User Service), the latter implemented in Windows Server 2003 by IAS (Internet Authentication Service).
To use Active Directory with ISA Server, the IP configuration of the internal ISA Server adapter must list a DNS server hosting the internal domain zone (typically the domain controller's IP address).

DHCP Service

The DHCP service is not required for deploying ISA Server, but it is recommended for configuring the internal clients, because it configures them automatically. That makes it easy to set the clients up for ISA Server and Internet access: if the Internet DNS server address or the default gateway changes, you change the DHCP server settings and the clients pick up the new configuration, at the latest after a restart.
The DHCP server can also configure VPN clients connecting from the Internet. If you enable VPN client connections on ISA Server, it requests a block of IP addresses from the DHCP server and assigns them to the VPN clients.

Preparing ISA Server

ISA Server 2006 Hardware and Software Requirements


The server on which ISA Server is installed should meet the recommendations in Table 3:
Operating system – Windows Server 2003 SP1 or later; only the 32-bit version of the operating system is supported
Processor – 733 MHz Pentium III or faster
Memory – 512 MB of RAM or more is recommended
Hard disk – NTFS-formatted local partition with 150 MB of available space; additional space is required for the Web cache content
Other devices – a network adapter compatible with the computer's operating system, for communication with the internal network; one additional network adapter, modem, or ISDN adapter for each additional network connected to the ISA Server computer; one additional network adapter for intra-array communication when the integrated NLB of ISA Server 2006 Enterprise Edition is used; CD-ROM or DVD-ROM drive; VGA or higher-resolution monitor; keyboard and Microsoft Mouse or compatible pointing device
Table 3: Minimum system configuration

Prior to Installation
A computer running Windows Server 2003 that meets the requirements in Table 3 is needed for the ISA Server installation. It is highly recommended to update the operating system with all available patches and service packs before installing.
1. Server operating system update – update the system before installing ISA Server.
2. Internal network interface settings – the internal network interface must be configured with an IP address and the internal network mask. If ISA Server is going to be a domain member, set the DNS server entry of the internal interface to the DNS server on the internal network (the domain controller). If a DHCP server runs on the internal network, make sure the ISA Server internal interface address is excluded from the range the DHCP server hands out, so that the DHCP server cannot assign the ISA Server address to another host.
a. Open Control Panel and double-click Network Connections.
b. Select the adapter used for the internal network. You can rename the connection for clarity, for instance Internal Network or LAN.
c. Open the connection properties, select Internet Protocol (TCP/IP) and click Properties. Enter the IP address and network mask of the internal adapter. Leave the Default Gateway field blank. If ISA Server is to communicate with the domain controller, enter the domain controller (DNS server) IP address as the DNS server.

Figure : ISA Server internal interface settings

d. Save the settings and close Control Panel.


3. Joining the domain – if ISA Server is to be a domain member, now is the right time to join it. The only prerequisites are a correctly configured internal adapter (point 2) and a domain controller reachable over the internal network.
4. External network interface settings – the Internet connection deserves special attention. For security, a manual configuration is preferable; do not use the ISP's DHCP server. Also limit the network services on this adapter to TCP/IP only: NetBIOS should not be supported and DNS registration should be disabled.
a. Open Control Panel and double-click Network Connections.
b. Select the adapter used for the external network. You can rename the connection for clarity, for instance Internet.
c. Open the connection properties. Uncheck all services and protocols that are not needed on the external adapter, especially Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Leave Internet Protocol (TCP/IP) enabled.

Figure : Services limitation on external adapter

d. Select Internet Protocol (TCP/IP) and click Properties. Enter the IP address, network mask and default gateway of the external adapter. You can also enter the DNS server addresses. Ask your ISP for this information. If you choose to obtain the IP settings automatically instead, you will have to change the ISA Server System Policy after ISA Server is installed.

Figure : External adapter IP configuration example

e. Next, click Advanced in TCP/IP Settings.


f. Uncheck the Register this connection's address in DNS checkbox.

Figure : Unchecking the DNS registration on the ISA Server external adapter

g. On the WINS tab, uncheck Enable LMHOSTS lookup and select Disable NetBIOS over TCP/IP.

Figure : Disabling NetBIOS on the external ISA Server adapter

h. Close all property windows by clicking OK on each.


If you nevertheless opt for automatic configuration through the DHCP client, this traffic will be blocked once ISA Server is installed, and you will have to change the ISA Server System Policy to allow it.

Figure : ISA Server network connections renaming
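As an added check (example code, not part of the guide), the following Windows PowerShell script audits the internal and external adapter settings from steps 2 and 4 above. It assumes the connections were renamed Internal Network and Internet as suggested, and a domain controller/DNS address of 10.0.0.1; all three are assumptions, adjust the variables at the top. It reads the settings through WMI, so it also runs with Windows PowerShell on Windows Server 2003, and it changes nothing.

```powershell
# Added example, not part of the guide: read-only audit of the ISA Server adapter
# settings from steps 2 and 4 above. Uses WMI only, so it also runs with Windows
# PowerShell on Windows Server 2003. Adjust the three values below to your network.
$Internal            = 'Internal Network'   # connection name chosen in step 2b (assumption)
$External            = 'Internet'           # connection name chosen in step 4b (assumption)
$DomainControllerDns = '10.0.0.1'           # assumed address of the DC / internal DNS server

function Get-AdapterConfig([string]$ConnectionName) {
    # Win32_NetworkAdapter carries the friendly connection name; the IP settings live in
    # Win32_NetworkAdapterConfiguration, joined on the Index property.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $nic) { throw "No network connection named '$ConnectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
}

function Test-IsaAdapters {
    $findings = @()

    # Internal adapter (step 2c): static address, no default gateway, DNS = domain controller.
    $int = Get-AdapterConfig $Internal
    if ($int.DHCPEnabled)      { $findings += "${Internal}: DHCP enabled, expected a static address" }
    if ($int.DefaultIPGateway) { $findings += "${Internal}: default gateway set, must be blank" }
    if ($int.DNSServerSearchOrder -notcontains $DomainControllerDns) {
        $findings += "${Internal}: DNS server list does not include $DomainControllerDns"
    }

    # External adapter (step 4): static configuration, no DNS registration,
    # NetBIOS over TCP/IP disabled (TcpipNetbiosOptions 2), LMHOSTS lookup off.
    $ext = Get-AdapterConfig $External
    if ($ext.DHCPEnabled)                { $findings += "${External}: DHCP enabled; the ISA system policy will block it" }
    if (-not $ext.DefaultIPGateway)      { $findings += "${External}: no default gateway (ISP gateway missing)" }
    if ($ext.FullDNSRegistrationEnabled) { $findings += "${External}: still registers its address in DNS" }
    if ($ext.TcpipNetbiosOptions -ne 2)  { $findings += "${External}: NetBIOS over TCP/IP not disabled (option $($ext.TcpipNetbiosOptions))" }
    if ($ext.WINSEnableLMHostsLookup)    { $findings += "${External}: LMHOSTS lookup still enabled" }

    # Step 4c: Client for Microsoft Networks and File and Printer Sharing must be unbound.
    # Get-NetAdapterBinding exists only on Windows 8 / Server 2012 and later, so it is skipped elsewhere.
    if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
        $bound = Get-NetAdapterBinding -Name $External -ComponentID ms_msclient, ms_server |
                 Where-Object { $_.Enabled }
        foreach ($b in $bound) { $findings += "${External}: $($b.DisplayName) is still bound" }
    }

    if ($findings.Count -eq 0) { 'OK: both adapters match the pre-installation checklist' }
    else { $findings }
}

Test-IsaAdapters
```

Run it in an elevated Windows PowerShell session on the future ISA Server before starting setup; every line it prints is a deviation from the checklist above, and an empty finding list means the adapters are ready.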

Installation Process
Once the network adapters are configured, you can proceed to the installation of ISA Server. Use the following steps:
1. Log in as administrator to the server on which ISA Server 2006 is to be installed.
2. Insert the ISA Server installation medium. When the CD-ROM is read and the automatic menu appears, choose Install ISA Server 2006.

Figure : ISA Server 2006 installation CD-ROM

If the CD-ROM does not start automatically, or if you are installing ISA Server from a network share for instance, run fpc\setup.exe from the root folder of the ISA Server installation files.
3. Click Next on the welcome screen, accept the License Agreement and click Next.
4. On the next screen fill in your name and company name and enter a valid Microsoft ISA Server 2006 product key in the appropriate field. Click Next to continue.
5. Choose Typical installation and click Next. All ISA Server 2006 components are installed with this option.
6. The next screen asks for the IP address range of the internal network. Click Add to open the Addresses window and enter the range of the internal network.

Figure : Defining the internal network IP address

7. Add Adapter fills in the complete IP address range derived from the IP configuration of the ISA Server internal adapter. Alternatively, you can add the well-known private address ranges, or enter your own range with the Add Range button.

Figure : Add adapter, Add private, Add range

The selected range must contain the address of the ISA Server internal adapter. When you are done, click Next to continue. You can also modify the internal network address range after the ISA Server installation is finished.

8. Here you can allow non-encrypted Firewall Client connections. No encryption between the client and ISA Server is available when the Firewall Client is installed on an older operating system (Windows NT 4.0, Windows 98 SE, Windows Me), so if you want to use the Firewall Client on such systems you have to allow non-encrypted connections. Otherwise leave the default, i.e. non-encrypted connections disabled.
9. The next screen informs you which operating system services will be stopped and disabled and which services will be restarted.

Figure : Services affected by the ISA Server 2006 installation

10. Click Next, then Install on the following screen. The ISA Server installation starts; it completes within a few minutes and the ISA Server services are started automatically. Restarting the server is not necessary.

Figure : Installation

Work Station Administrative Console Installation

No physical access to the ISA Server computer is needed to administer it. You just need to install the management console on the administrator's workstation; once started, it can connect to any ISA Server. The ISA Server computer is rarely in a convenient location, so it is comfortable to administer it from elsewhere, such as the administrator's office.
1. Insert the ISA Server 2006 installation CD-ROM into the administrator's workstation.
2. Run the installation wizard and follow its steps.
3. On a workstation (Windows XP, Windows 2000 Professional) you can choose the typical installation on the installation options screen. If you want to install only the administration console on another Windows Server 2003 computer, choose a custom installation and select the ISA Server Management item from the available components.

Figure : Installing a single ISA Server console

4. Follow the next steps.


5. The console is available from the Start menu under Programs, Microsoft ISA Server.
For the console to connect to a remote ISA Server, the ISA Server has to be configured to accept the remote connection from the administrator's workstation. This configuration is discussed in the chapter describing the ISA Server console.

Post Installation Checking


After installing ISA Server, make sure that the installation completed correctly and that all necessary components are in place. There are several places to check.
1. Check the following services in the Services console from Administrative Tools. They should be running and set to start automatically.
• Microsoft Firewall
• Microsoft ISA Server Control
• Microsoft ISA Server Job Scheduler
• Microsoft ISA Server Storage
2. Check the presence and correct configuration of the MSDE (Microsoft Data Engine) services in the same Services console. ISA Server uses them for logging.
• MSSQL$MSFW – state: running, startup type: automatic
• MSSQLServerADHelper – state: not running, startup type: manual

Figure : ISA Server 2006 services

3. The installation logs are located in the %windir%\temp (C:\windows\temp) directory:
• ISAFWSV_NNN.log – detailed log of the firewall installation
• ISAMSDE_NNN.log – detailed log of the MSDE services installation
• ISAFWUI_NNN.log – installer records
• ISAWRAP_NNN.log – short summary of the installation of all components
4. Information about the firewall services starting, or errors preventing them from starting, is found in the Event Viewer from Administrative Tools.
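The same checklist as a script, added here as an example (it is not part of the guide): it reads the service states through WMI, lists the installer logs in %windir%\temp, greps the latest summary log for errors and pulls the most recent Firewall service events. The event log source name Microsoft Firewall is an assumption.

```powershell
# Added example, not part of the guide: the post-installation checklist above as a script.
# Read-only. Win32_Service is used because its State and StartMode properties are available
# on every Windows PowerShell version, including on Windows Server 2003.

# Expected state after a successful installation (from the checklist above).
$Expected = @(
    @{ Filter = "DisplayName='Microsoft Firewall'";                 State = 'Running'; StartMode = 'Auto'   },
    @{ Filter = "DisplayName='Microsoft ISA Server Control'";       State = 'Running'; StartMode = 'Auto'   },
    @{ Filter = "DisplayName='Microsoft ISA Server Job Scheduler'"; State = 'Running'; StartMode = 'Auto'   },
    @{ Filter = "DisplayName='Microsoft ISA Server Storage'";       State = 'Running'; StartMode = 'Auto'   },
    @{ Filter = "Name='MSSQL`$MSFW'";                               State = 'Running'; StartMode = 'Auto'   },
    @{ Filter = "Name='MSSQLServerADHelper'";                       State = 'Stopped'; StartMode = 'Manual' }
)

function Test-IsaServices {
    foreach ($e in $Expected) {
        $svc = Get-WmiObject Win32_Service -Filter $e.Filter
        if (-not $svc) { "MISSING  $($e.Filter)"; continue }
        $ok  = ($svc.State -eq $e.State) -and ($svc.StartMode -eq $e.StartMode)
        $tag = if ($ok) { 'OK' } else { 'CHECK' }
        '{0,-8} {1,-40} state={2,-8} start={3}' -f $tag, $svc.DisplayName, $svc.State, $svc.StartMode
    }
}

function Get-IsaSetupLogs {
    # The installer writes ISAFWSV, ISAMSDE, ISAFWUI and ISAWRAP logs to %windir%\temp;
    # ISAWRAP_NNN.log is the short summary of all components.
    $temp = Join-Path $env:windir 'temp'
    Get-ChildItem -Path $temp -Filter 'ISA*_*.log' | Sort-Object LastWriteTime | ForEach-Object {
        '{0,-24} {1,9} bytes  {2}' -f $_.Name, $_.Length, $_.LastWriteTime
    }
    $wrap = Get-ChildItem -Path $temp -Filter 'ISAWRAP_*.log' | Sort-Object LastWriteTime | Select-Object -Last 1
    if ($wrap) {
        # Lines mentioning an error or a non-zero return value deserve reading before going on.
        Select-String -Path $wrap.FullName -Pattern 'error|fail|return value [1-9]' | ForEach-Object { $_.Line }
    }
}

function Get-IsaFirewallEvents {
    # Startup messages and errors of the Firewall service are in the Application log.
    # The source name 'Microsoft Firewall' is an assumption; adjust it if Event Viewer shows another.
    Get-EventLog -LogName Application -Source 'Microsoft Firewall' -Newest 20 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

Test-IsaServices
Get-IsaSetupLogs
Get-IsaFirewallEvents
```

A CHECK line in the first block means a service is stopped or has the wrong startup type; a MISSING line means the component was never installed, and the ISAWRAP summary is the first place to look for the reason.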

Default State after ISA Server Installing


The firewall services start automatically after the ISA Server installation, with the ISA Server configuration in its default state.
• Networks
Name – Description
External – the external network (Internet)
Internal – the internal network, defined by the IP address range entered during the ISA Server installation
Localhost – the ISA Server computer itself
Quarantined VPN clients – VPN clients that do not meet the quarantine conditions (if quarantine is enabled)
VPN clients – the VPN clients network
• Network rules
Source network – Destination network – Network rule
Internal, Quarantined VPN clients, VPN clients – External – NAT (applies in the direction of the External network)
Quarantined VPN clients, VPN clients – Internal – Route
Localhost – All networks – Route
• Firewall rules
o System policy – the rules allowing ISA Server itself to communicate with its surroundings
o Firewall policy – a single rule denying all communication between any two networks. This rule cannot be modified or removed; the only way to let traffic through ISA Server is to add further rules in front of it.
• Cache – caching disabled
• VPN access – VPN access disabled
• Web-Proxy clients – enabled on the Internal network
• Firewall clients – enabled on the Internal network
• SecureNAT clients – need no extra support from ISA Server; they always work
Immediately after installation, any communication that would pass through ISA Server is blocked: no two hosts in different networks can talk to each other. The system policy does, however, allow ISA Server itself to communicate with nearby infrastructure such as DNS servers and Active Directory. The system policy is described later.

Console for ISA Server Management
The console for managing ISA Server is part of the typical ISA Server 2006 installation. If this component was selected during the ISA Server installation, you can find it as ISA Server Management among the other programs in the Start menu.

Figure : Running the ISA Server console

Starting the console automatically connects it to the ISA Server running on the local computer. The console is divided into three panes. The left pane contains a navigation tree for switching between the different parts of the configuration. The middle, largest pane shows the selected item and is where the ISA Server configuration is modified. The right pane contains links to the functions most often used at the current console location, and links to the help.

Figure : ISA Server 2006 console

If you run the ISA Server console on a workstation, you can connect it to a remote ISA Server.
1. In the console, right-click Microsoft Internet Security and Acceleration Server 2006 and select Connect to.
2. Enter the ISA Server name or find it with the Browse button. You can connect with the account you used to log in to the workstation, or choose another one.
3. Click OK to connect to the remote ISA Server.

Figure : Connecting to a remote ISA Server from a workstation

Remote access to ISA Server from the administrator's workstation must be enabled before connecting. If the administrator is going to connect with another (non-administrator) account, assign that account an appropriate administrative role for managing ISA Server.
Modifications of the ISA Server configuration are not applied immediately. They accumulate in the console, so you can make several changes and apply them together later. When you have finished, click Apply next to the big yellow icon with the exclamation mark in the console. If you do not want to apply the changes, click Discard.

Figure : Applying or discarding the configuration modifications

Remote Management Enabling

To allow remote management of ISA Server, the firewall system policy contains by default a set of rules permitting remote ISA Server management from the computer set Remote Management Computers. Any host that should manage ISA Server remotely is added to this set.
1. Log in to ISA Server with the administrator's account.
2. Run the ISA Server management console.
3. Select Firewall Policy in the tree in the left pane.
4. In the right pane select Toolbox, Network Objects, and then Computer Sets.
5. Double-click the set Remote Management Computers.
6. Click Add and select Computer to open the window for defining the host.
7. Enter a name for the host, for instance admin workstation, and its IP address.
8. Close the Remote Management Computers set and apply the settings on ISA Server.
9. You can now manage ISA Server remotely from that host. Use the administrator's account when connecting from the console (Figure 24).

Figure : Allowing remote management from the 10.0.7.3 host

ISA Server Clients
For internal network hosts to communicate through ISA Server, they have to be configured as ISA Server clients. Such clients then pass through ISA Server whenever they communicate outside the internal network (with the Internet, for instance). There are three client types, each with specific properties, so you have to choose the appropriate type.

Firewall Client

Firewall Client hosts use the Firewall Client application to communicate with ISA Server. The application must be installed and running for access to the Internet (or to another network).
The Firewall Client application changes how the host accesses the network. Every attempt by an application (Web browser, e-mail client, messenger) to reach the network is intercepted by the Firewall Client, which checks the destination. If the destination is on the local network, the traffic is let through untouched.
If the destination is outside the internal network (on the Internet, for instance), the traffic is redirected to ISA Server. ISA Server accepts the request and authenticates the user (the authentication is transparent: the account of the logged-in user is used). Next, ISA Server checks whether an access rule allows this kind of communication. If it does, ISA Server completes the request against the destination server and sends the response back to the client.
Of all ISA Server client types, the Firewall Client offers the highest level of security and functionality.
Firewall Client advantages:
• Internet access control and communication logging based on user accounts and groups.
• Automatic and transparent client authentication against ISA Server.
• Internet Explorer proxy settings can be configured by the Firewall Client.
• The Firewall Client supports all network applications.
• No default gateway and no DNS access are needed on the client. Traffic not intended for the local network is passed to ISA Server, which usually also performs the DNS resolution.
Firewall Client drawbacks:
• The Firewall Client is an application that has to be installed on every host, and installing it manually on all hosts can be time consuming. Since the client ships as an MSI installation package, it can be deployed automatically to domain workstations through group policy.
• The Firewall Client application is available only for Microsoft operating systems.

SecureNAT client

Hosts without the Firewall Client application installed can work as SecureNAT clients. To let such clients reach the Internet, their TCP/IP default gateway must be set so that their traffic is routed towards the Internet; in simple networks this means the internal IP address of ISA Server. The clients also need access to a DNS service.
SecureNAT client advantages:
• Most applications (protocols) are supported. For the common protocols that have trouble with NAT (such as FTP), ISA Server has built-in application filters that work around the problem.
• Any operating system with TCP/IP is supported.
• Easy client configuration from the DHCP server.
SecureNAT client drawbacks:
• A SecureNAT client cannot authenticate, so ISA Server cannot log its communication by user or group, and if a firewall access rule requires authentication, no SecureNAT client can use it.
• The client host needs a DNS server configured in order to resolve Internet names to IP addresses.

Web-Proxy Client

A Web-Proxy client is a host with an HTTP 1.1 compatible Web browser configured to use a proxy server. Most browsers in common use support this, so any host can be a Web-Proxy client (including hosts configured as Firewall Clients or SecureNAT clients). Any attempt to access the Web is sent to the proxy server, that is, to ISA Server. If an ISA Server rule allows the communication, ISA Server forwards the request to the Web server and returns the response to the Web-Proxy client. The client can also authenticate when ISA Server asks it to. Again the authentication can be transparent, using the logged-in user's account, if the host is a member of the Active Directory domain. If it is not, or if the host runs a non-Microsoft operating system, the Basic authentication built into the HTTP protocol can be used.
Web browsers can be configured for ISA Server centrally, so no per-host configuration is needed. With its default settings, the Firewall Client application configures Internet Explorer to use ISA Server as its proxy.
Web-Proxy client advantages:
• All recent Web browsers are supported, regardless of the operating system.
• Authentication is supported, so communication rules can be based on users and user groups.
Web-Proxy client drawback: only Web protocols are supported. A host configured as a Web-Proxy client can use only HTTP, HTTPS and FTP.

Combining More Than One Client

A single workstation on the internal network may act as more than one ISA Server client type at once: it can be a Web-Proxy client, a Firewall Client and a SecureNAT client simultaneously. Such a workstation has a complete TCP/IP configuration including the default gateway and a DNS server for resolving Internet names, the Firewall Client application installed, and a Web browser configured for the proxy server.
The host acts as a Web-Proxy client when it communicates from the Web browser. When any other protocol is used (for instance a Remote Desktop connection), the traffic is relayed to ISA Server by the Firewall Client application. The Firewall Client configuration may, however, contain exceptions that keep it away from particular applications; Outlook is one example. By default the Firewall Client does not touch Outlook traffic, so Outlook uses the DNS service configured on the host and its traffic goes out through the default TCP/IP gateway as a SecureNAT client.
If a host running Linux is configured as a Web-Proxy and SecureNAT client, its Web traffic can be filtered by user name. All its other traffic goes through ISA Server as a SecureNAT client, with no control based on users or user groups.

Configuring Clients

SecureNAT Client
The SecureNAT client is the simplest type, because correct TCP/IP settings on the client host are all that is needed. The goal of the configuration is to let the client send its requests towards the Internet and to give it access to a DNS service.
Default gateway settings. Set the TCP/IP default gateway of the internal workstations to the IP address of the internal ISA Server adapter. If the clients are configured from a DHCP server, change the DHCP server settings accordingly.
Name resolution settings. If you have a domain controller on the internal network, you also have a DNS server. Configure it so that it resolves Internet names for the internal clients as well; the procedure is described in the chapter ISA Server Installation. In addition, the communication between the internal DNS server and the Internet DNS servers must be allowed by a firewall rule. Such a rule may be part of the network template used for the initial ISA Server configuration, or you can create it with the following steps:

1. Run the ISA Server console. Connect it to ISA Server when using remote access.
2. Right-click Firewall Policy in the left pane and choose New Object and Access Rule.
A wizard for creating a rule starts.
3. Enter the rule name, DNS Communication for instance.
4. Choose Allow on the Rule Action screen – the rule is to enable the communication.
5. Choose Selected protocols from the drop-down menu on the Protocols screen.
Press Add to open the available protocols. Find the DNS protocol and add it. Go
to the next screen to continue.

Figure : DNS protocol rule

6. On the Access Rule Sources screen, enter the location from which the DNS
communication is initiated. Press Add to open the list of available locations and
select the network Internal.

Figure : Internal network communication source definition

7. On the Access Rule Destinations screen, choose the target of the DNS communication
you want to allow. Add the External network the same way as in step 6.
8. Leave the next screen – User Sets – unchanged. The rule will hold for all users.
9. Finish the wizard and apply the settings on ISA Server. You have just created a rule
allowing internal network hosts to communicate with the external network DNS
servers using the DNS protocol.

Web-Proxy Client
A Web-Proxy client is a host whose Web browser is set to use ISA Server as its proxy
server. Neither extra TCP/IP configuration (an IP address and network mask are enough) nor
the Firewall Client application is needed; only the Web browser has to be configured.
This configuration can be done manually or automatically on each host.
As the first step, make sure the Web-Proxy service is available on ISA Server. It is enabled
by default after ISA Server is installed.

Verifying Web-Proxy Service on ISA Server

1. Run the ISA Server console and select Networks in the left pane. Select the
Networks tab in the middle pane and open the Internal network properties.

Figure : Internal network properties

2. Select the Web Proxy tab in the Internal network properties window.
3. Verify that the option Enable Web Proxy client connections for this network is checked
and that HTTP communication is enabled. ISA Server listens for Web-Proxy client
connections on port 8080 of the internal adapter.

Figure : Web-Proxy service

Manual Configuration of Clients

Web-Proxy clients can be set manually on each host. Every application that uses the proxy
server (Web browser, FTP client, etc.) has its own settings. Use the following steps to
configure the Web-Proxy client in Web Explorer:

1. Open Control Panel and run Internet Options.
2. Select the Connections tab and click LAN Settings.
3. Select the option Use a proxy server for your LAN and set its address and service
port. You can use the ISA Server DNS name. Choose port 8080, which is the default
port of the proxy service.

Figure : Web-Proxy client manual configuration

4. If you also select Bypass proxy server for local addresses, requests for internal Web
servers are routed directly to the appropriate server without passing through
ISA Server.
5. Press Advanced to set further items. For instance, you can set a different address
and port of the proxy server for each communication protocol type, or address
exceptions for which the proxy server is not used.

Figure : Proxy client exceptions

Automatic configuration of Web-Proxy clients

If a client is set for automatic configuration, the current configuration script is downloaded
each time Web Explorer is started, and the browser sets itself according to the script.
Automatic configuration saves you from manually reconfiguring all hosts each time the
ISA Server configuration changes.
1. Open Control Panel and Internet Options. Click LAN Settings on the Connections tab.
2. Select Use automatic configuration script and fill the Address field with the location
of the configuration script. Replace the ISA Server domain name according to your own
need, or use the ISA Server IP address:
http://isa1.school.local:8080/Array.dll?Get.Routing.Script
http://10.0.0.10:8080/Array.dll?Get.Routing.Script
3. Save the settings and restart Web Explorer.
The settings shown on the following figure consist of three separate phases. In the first
phase the browser tries to find an available ISA Server that is set to be detectable. If that
fails, in the second phase the browser tries to download the configuration script from a
fixed ISA Server. If both phases fail, in the third phase the browser is set according to the
Proxy server frame.

Figure : Automatic configuration

As the Web browser configuration mostly depends on the user account, each user should
set the Web-Proxy configuration at least to automatic configuration, so that the browser is
configured from ISA Server and works as a Web-Proxy client. If the hosts and users are
members of the Active Directory domain, the admin can set the Web Explorer proxy
configuration for all users centrally using Group Policy. The second option is to let the
Firewall Client application set the Web-Proxy client on all hosts.

Automatic Settings Configuration Script

If you use a configuration script rather than manual settings, you can control the script
contents in the ISA console.
1. Run the ISA Server console. Choose Networks in the left pane and the Networks tab in
the middle pane. Open the Internal network properties.
2. Pay attention to the Web Browser tab:
a. Bypass proxy for Web servers in this network lets the clients contact the LAN
Web servers directly, without going through ISA Server.
b. Directly access computers specified in the Domains tab concerns the Firewall
Clients. With this option, the domains listed on the Domains tab are reached by
a direct connection rather than through the proxy server.
c. Directly access computers specified in the Addresses tab enables direct
connections to hosts whose IP addresses are defined on the Addresses tab,
rather than connections through the proxy server.
d. Directly access these servers or domains lets you add further server names or
domain names for the Web-Proxy client. The Web-Proxy client communicates
with these servers or domains directly, without the proxy server.

e. The option Direct Access enables direct connections to servers if the proxy
server (ISA Server) is not available.
3. Apply the settings on ISA Server.

Figure : Setting for automatic configuration
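The Web Browser tab settings (a) to (e) above, as an added example that is not the script ISA Server generates and not code from this guide: a hand-written proxy auto-configuration (PAC) script that makes the same decisions a browser applies when it runs the downloaded script. The ISA Server name isa1.school.local, port 8080 and the school.local domain are taken from the guide; the direct-access pattern, the 10.0.0.0/8 address range and the small stand-ins for the browser's PAC helper functions are assumptions, added so the script can be run outside a browser (for example with Node).

```javascript
// Added example: a PAC script reproducing the Web Browser tab decisions (a)-(e).
// Not ISA Server's generated script. Names, ranges and helper stand-ins are
// constructed for this example.

// Stand-ins for the helper functions a browser provides to every PAC script,
// so the script can be exercised outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // shell-style wildcard match: * matches any run, ? matches one character
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}
function isInNet(ip, net, mask) {
  const toInt = (a) => a.split(".").reduce((n, o) => ((n << 8) + Number(o)) >>> 0, 0);
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// Settings mirrored from the Web Browser tab (constructed values):
const PROXY = "PROXY isa1.school.local:8080";    // ISA Server internal name and Web-Proxy port
const LOCAL_DOMAIN = ".school.local";             // entry on the Domains tab (b)
const DIRECT_NETS = [["10.0.0.0", "255.0.0.0"]];  // entries on the Addresses tab (c), assumed range
const DIRECT_PATTERNS = ["*.windowsupdate.com"];  // Directly access these servers or domains (d), assumed
const DIRECT_IF_PROXY_DOWN = true;                // Direct Access when ISA Server is unavailable (e)

// The function every browser calls for each request; returns the proxy list to use.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // (a) Bypass proxy for Web servers in this network: unqualified (plain) host names
  if (isPlainHostName(host)) return "DIRECT";
  // (b) hosts inside the local domain
  if (dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // (c) destination IP addresses inside the listed ranges
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    for (const [net, mask] of DIRECT_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }
  // (d) further servers or domains listed for direct access
  for (const pattern of DIRECT_PATTERNS) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  // everything else goes through ISA Server; (e) appends DIRECT as the fallback route
  return DIRECT_IF_PROXY_DOWN ? PROXY + "; DIRECT" : PROXY;
}

// Example lookups on constructed host names:
for (const h of ["intranet", "dc1.school.local", "10.0.0.20", "www.example.com"]) {
  console.log(h, "->", FindProxyForURL("http://" + h + "/", h));
}
```

Option (e) is the line to watch: with the "; DIRECT" fallback, a browser that cannot reach ISA Server sends its Web requests through the host's default gateway, that is, as a SecureNAT client, so rules restricted to named users no longer apply to that traffic. Without the fallback the browser simply fails while ISA Server is down, which is the safer choice where user-level filtering matters.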

If you have the Firewall Client application installed, you can use it to set the Web-Proxy
clients automatically. The Firewall Client application can set Web Explorer to use the proxy
server for a user.
1. Run the ISA Server console, find the network settings and open the properties of the
Internal network.
2. Go to the Firewall Client tab. In the section Web browser configuration on the firewall
client computer you can choose how the Firewall Client should set the Web-Proxy
client. With all three options set as on the following figure:
a. the Web-Proxy client looks for an ISA Server that is configured as detectable;
b. if step a fails, the Web-Proxy client tries to download the configuration script
from the server ISA1;
c. if step b fails too, the browser uses the proxy server ISA1.
3. Apply the settings on ISA Server.

Figure : Web-Proxy client configuration by Firewall client

Running Support for ISA Server Automatic Detection

You can extend the automatic Web-Proxy client configuration by setting up the network
environment so that the Web-Proxy client can find ISA Server by itself. The automatic
lookup is also used by a default Firewall Client, which tries to find a published ISA Server.
This lookup feature is called Automatic Discovery in the help documentation.
The Web-Proxy client searches for ISA Server using the WPAD protocol (Web Proxy
Automatic Discovery); the Firewall Client application uses the WSPAD protocol (Winsock
Proxy AutoDetect).
To enable the Automatic Discovery feature, add an alias record with the name WPAD to the
DNS server zone, pointing to the ISA Server DNS name. Clients in the school.local domain
look for a server named WPAD.school.local when using automatic detection, so this name
must resolve to the ISA Server IP address.
ISA Server Configuration
You have to switch on automatic detection support on ISA Server.
1. Run the ISA Server console, find the Internal network and open its properties.
2. Go to the Auto Discovery tab. Select the option Publish automatic discovery
information for this network and leave the port number 80 unchanged.
3. Apply the settings on ISA Server.

Figure : AutoDiscovery support

Inserting WPAD record to DNS


1. Log in to the domain controller. Run the DNS console from Administrative Tools.
2. Expand the item with the server name (DC1), then Forward Lookup Zones and the
item with your domain name (school.local).
3. Right-click the domain name (school.local) and choose New Alias (CNAME).

Figure : Inserting a record into DNS

4. Type WPAD into the Alias name field and the fully qualified ISA Server DNS name
into the Fully qualified domain name (FQDN) for target host field.

Figure : Inserting a record for WPAD

5. Click OK and close the DNS console.


From now on, Web-Proxy clients and Firewall Client applications can look up ISA Server
automatically. Instead of automatic lookup with DNS server support, you can provide this
function through the DHCP server. Thus the clients can obtain the ISA Server identity during
automatic detection either by querying the DNS service, or from the DHCP server if it is
configured for that. Use the ISA Server help for more information on DHCP-based automatic
detection.

Firewall Client Application (Firewall Client)


Firewall Client provides the highest functionality and security level of the three client
types. The client supports communication filtering and authentication with all
communication protocols. Its only drawback is that the application has to be installed.
The Firewall Client application is available in the Client directory on the ISA Server
installation CD-ROM, or you can download the current version from the Microsoft Website.

Manual Installation

You can install this application manually using the wizard on the client host, or you can
use a semi-automatic installation by running it from a shared network folder with
configuration arguments.
Installation process:
1. Log in to an internal network workstation with an admin account.

2. Run the file Client\setup.exe from the ISA Server installation set (on the ISA Server
CD-ROM or in the shared network folder with the installation set that you created for
this purpose before).
3. Press Next on the installation welcome screen and confirm the license agreement; on
the next screen you can change the location where the application is installed. The
default path is usually C:\Program Files\Microsoft Firewall Client 2004.
4. Set the ISA Server used by the application. There are two options:
a. Set the ISA Server name or IP address manually.
b. Use automatic ISA Server detection. This requires detection support enabled on
ISA Server and an appropriate record on the DNS server; these settings are
described in the previous part on Web-Proxy client configuration.

Figure : Appropriate ISA server settings

5. Finish the wizard and press Install to start the installation.
6. After installation, the application tries to connect to ISA Server. The active
application places its icon in the system tray next to the clock.
7. Right-click the client icon in the system tray to open the client configuration.
8. On the General tab you can remove the client icon from the system tray. On the
Settings tab, set the ISA Server address manually or use automatic detection. Press
Test Server to test ISA Server with manual settings. Press Apply Default Settings Now
to save these settings into the default profile for new users of this host; saving the
configuration into the profile can be done only by the admin.
9. On the Web Settings tab, enable or disable Web browser configuration by the
Firewall Client.

Figure : Firewall client configuration

Non-wizard installation:
You can also run the installation from a command line to set the default client configuration.
Path\Setup.exe /v"[SERVER_NAME_OR_IP=ISA_Server_Name]
[ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"
• SERVER_NAME_OR_IP – ISA Server name or IP address for the connection
• ENABLE_AUTO_DETECT – if the value is 1, automatic detection is allowed
• REFRESH_WEB_PROXY – if the value is 1, the Firewall Client configures the Web
browser as a Web-Proxy client

Multiple Firewall Clients Installation by Group Policy

For multiple hosts, you can use Group Policy to install the Firewall Client automatically
from a network folder. First, copy the file ms_fwc.msi from the Client directory of
ISA Server to a network folder. Then use the following process to tell the hosts to install
the application from that folder. For this purpose it is convenient to have the Group Policy
Management Console installed on the domain controller (or on the admin's workstation).
This console is available as a free installation package named gpmc.msi on the Microsoft
Website.
1. Place the file ms_fwc.msi into a shared network folder.
2. Log in to the domain controller and run the Group Policy Management console from
Administrative Tools, or run the console on a workstation and connect it to the
domain controller.

3. Expand the domain tree down to the organizational unit containing the hosts on
which the application should be installed. Right-click this unit and select Create and
Link GPO Here.

Figure : Create policy

4. Choose an appropriate name for the new policy, such as Install FW application.
5. Right-click the policy and select Edit.

Figure : Policy editing

6. In the policy editor tree, open Computer Configuration and Software Settings,
right-click the item Software installation and select New and Package. A dialog for
locating the MSI installation package opens. Find the package through My Network
Places, the domain name, the server and the shared folder.
7. Choose the deployment method Assigned and press OK.

Figure : Inserting MSI packet

Figure : Automatic installation of the client during the startup

The Firewall Client application is installed on all hosts under the Active Directory
organizational unit with this installation policy, by the second restart at the latest. The
default Firewall Client setting is automatic ISA Server detection. Thus, if automatic
detection support is enabled on the network (in ISA Server and in DNS), the automatically
installed clients can communicate with ISA Server directly without any further settings.

Firewall Client Configuration from ISA Server

You can set the Firewall Client configuration in the ISA Server console. This configuration
includes how the Firewall Client sets the Web-Proxy client and which domain names are
considered LAN hosts. Another configuration option is to define exceptions to the Firewall
Client function, such as for which applications the SecureNAT client is used rather than the
Firewall Client, or modified port numbers for the communication between the Firewall Client
and ISA Server or between ISA Server and the destination Web server.

Verifying Firewall Client Support and Local Domain Configuration:
1. Run the ISA Server management console.
2. Find the Networks item in the navigation tree. Select the Networks tab in the middle
pane and open the Internal network properties.
3. Select the Firewall Client tab in the Internal network properties. The option Enable
Firewall client support for this network should be selected on this tab so that the
Firewall Clients can be used. This option is enabled by default in the Internal network.
At the bottom of the tab you can control the user's Web browser settings made by the
Firewall Client; this setting was discussed in the Web-Proxy client configuration part.

Figure : Firewall Client network properties panel

4. On the Domains tab, enter the name used for the internal domain. The Firewall Client
uses a direct connection to those local hosts (or servers) whose IP address or domain
name matches the settings on the Addresses or Domains tabs, rather than
communicating through ISA Server.

Figure : local domain settings

5. Apply the settings on ISA Server.


Firewall Client Advanced Settings
You can set the Firewall Client to behave differently with different applications. Some
applications are prevented from using the Firewall Client; for some applications DNS names
are resolved directly by the client rather than by ISA Server; and for some applications
pre-defined communication ports are used. This configuration is performed from the
ISA Server console, and the client refreshes it at startup or after a time-out expires.
1. Open the ISA Server console. Select Configuration and General in the tree menu.
Click Define firewall settings in the middle pane.
2. On the Connection tab of the Firewall Client settings window you can enable plain
(unencrypted) connections between the Firewall Client and ISA Server. Plain
connections should be allowed only when necessary for older operating systems
(Windows 98, Me, NT 4.0).
3. On the Application Settings tab you can set the Firewall Client behavior in relation to
different applications.

Figure : Firewall Client application settings

The figure shows the default Firewall Client settings for working with applications.
Applications such as Outlook or exchng32 are prevented from using the Firewall Client; if
a default TCP/IP gateway is set, the SecureNAT client is used for their Internet
communication. You can also see that the communication ports to be used for the TCP and
UDP protocols are assigned to the realplay application.
Besides the global Firewall Client settings on ISA Server, any client's configuration can be
extended or modified in the configuration files or in the All Users profile files. However,
these settings mostly do not need to be changed, so they are not discussed here any
further. Read http://www.microsoft.com/technet/isa/2006/clients.mspx for more detailed
information on this topic.

Firewall Configuration
The ISA Server Firewall configuration consists of several parts. The main part is the set of
Firewall rules allowing host-to-host communication between different networks using the
chosen protocols. Detection of well-known attacks and prevention of server overloading are
the other security elements.

Initial Configuration with Template

After installation, any communication that should pass through ISA Server is disabled. Two
conditions are essential for enabling communication:
1. There must be a Network rule between the networks. The basic skeleton of network
rules is set up when ISA Server is installed.
2. There must be a Firewall rule enabling the given communication type. After
installation there is only one rule, and it disables any communication.
ISA Server offers several templates containing the typical network and Firewall rules for a
given network security type. You can use the Edge Firewall template for simple networks
with a single ISA Server. This template is applied automatically after the ISA Server
installation, but only for the network rules settings; the Firewall rules enabling basic
network access are not applied from it. Thus, if you want to set the first rules to enable
basic HTTP Web access, you can apply this template on ISA Server with one of its
pre-defined Firewall rule sets. Use the following process to apply the template:
1. Log in to ISA Server and run the ISA Server management console. Select
Configuration and Networks in the navigation tree in the left pane. You get to the
panel where you configure the firewall networks and the communication rules between
them. Select the Templates tab on the right edge of the console.

Figure : Templates for settings

2. Click the Edge Firewall icon. A settings wizard starts. Press Next on the welcome
screen. On the next screen you can export the current ISA Server settings. The
current settings are lost when a template is applied, so pay attention to the export
option.
3. In the next part of the wizard you can modify the IP address range defining the
internal network. This screen has the same function as the similar screen in the
ISA Server installation.

Figure : Internal network settings

4. Press Next to continue to the next wizard screen, Select a Firewall Policy. Here you
choose which Firewall policy rules are defined by this template. There are a few
options:

Figure : Firewall rules in the template

a. Block all – all communication through ISA Server is disabled. This option is
used at ISA Server installation.
b. Block Web access, allow access to ISP network services – this option makes
the ISP services available; in particular, it makes the external DNS server
available to internal network clients and VPN clients.
c. Allow limited Web access – this option sets the Firewall rules so that the Web is
available to internal network clients and VPN clients over the HTTP, HTTPS and
FTP protocols, and VPN clients are allowed to communicate with the internal
network.
d. Allow limited Web access and access to ISP network services – this option
extends the previous option (c) by access to the external DNS server from the
internal network.
e. Allow unrestricted access – this option allows unlimited communication from
the internal network to the Web using any protocol. Unlimited communication
from the VPN Clients network to the internal network and to the Web is allowed,
too.
5. Select the pre-defined communication type you want and finish the wizard. Then
apply the settings on ISA Server.
6. Check the Firewall rules just set up in the ISA Server console: select Firewall Policy
in the navigation tree.

The figure shows the rules for limited Web access and access to ISP services contained in
the Edge Firewall template. Rule 1 allows HTTP, HTTPS and FTP communication to the Web
for all users from the Internal and VPN Clients networks; rule 2 makes the DNS server
available; and rule 3 allows any communication between VPN clients and the internal
network.

Figure : Network rules and Firewall policy for the Edge Firewall template with Allow limited Web
access and access to ISP network services.

Firewall Policy

The Firewall policy establishes the types of communication allowed by the Firewall. The
policy consists of rules whose elements are shown on the following figure, each with the
ways it can be set.

Figure : Firewall policy rule elements

On any attempt to communicate, ISA Server proceeds as follows:

1. The source host, the destination host (server) and the communication type (the
protocol) are determined from the request received by ISA Server. First, the networks
in which the source and destination hosts are located are determined. If there is a
Network Rule between these networks, ISA Server continues to evaluate the Firewall
policy; if not, the communication request is ignored.
2. ISA Server evaluates the Firewall policy in order from the top and looks for the rule
applicable to this communication. The rule must match the request in the following
points:
a. communication protocol (such as DNS, HTTP or FTP),
b. source entity (such as a network or IP address),
c. destination entity (such as a network or IP address),
d. other conditions (such as a user group or time schedule).
3. If the rule being evaluated is applicable to the requested communication (according
to point 2), the action defined in that rule is applied and the evaluation ends: the
requested communication is either allowed or denied. If the current rule does not
match the communication, the next rule is evaluated according to point 2. This
process repeats until an applicable rule allowing or denying the communication is
found.
4. If no applicable rule is found, the evaluation ends at the last (default) rule, which
cannot be modified or removed. This rule applies to all communication and denies it.
The approach used follows the principle "whatever is not permitted is prohibited".
Access Authentication
While evaluating a rule, if ISA Server finds that it is defined only for specified users (that
is, not for All Users), the client is asked to authenticate, i.e. to log in. With a Firewall
Client, the login is performed transparently with the user's account. With a Web-Proxy
client, the login is also transparent in the default settings, using Windows Integrated
Authentication. However, if the Web-Proxy host is not an Active Directory member, another
authentication method has to be used, such as the built-in HTTP Basic Authentication.
After the user's identity is checked, the validity of the rule being evaluated for that user is
checked. If it is valid, the action defined by the rule takes place and the evaluation ends;
otherwise ISA Server continues with the next rule.
Here a problem arises with a pure SecureNAT client. As mentioned above, the user of a
SecureNAT client cannot be determined. Thus, if ISA Server finds a rule matching the given
communication that requires verifying the user, the SecureNAT client is not able to
authenticate; ISA Server stops evaluating the rules and drops the connection request of the
SecureNAT client.
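The evaluation procedure and the authentication behaviour described above, as an added example that is neither ISA Server's code nor code from this guide: a small JavaScript model of the decision ISA Server makes for one request. The network rules, the policy rules, the user groups, the protocol objects (modelled as transport and destination port, the way the Toolbox section later describes HTTP as TCP port 80) and a 7x24 Work hours schedule are all constructed for the example, and the address ranges used to place hosts in the Internal and VPN Clients networks are assumptions.

```javascript
// Added example: a model of ISA Server's Firewall policy evaluation for one request.
// Not ISA Server's code; all rules, networks, users and addresses are constructed.

// Protocol objects: name -> list of transport/destination-port pairs.
const PROTOCOLS = {
  HTTP:  [{ transport: "tcp", port: 80 }],
  HTTPS: [{ transport: "tcp", port: 443 }],
  DNS:   [{ transport: "tcp", port: 53 }, { transport: "udp", port: 53 }],
  POP3:  [{ transport: "tcp", port: 110 }],
};

// Schedule as a 7-row (Sunday..Saturday) by 24-column table; true = active slice.
function workHours() {
  const table = Array.from({ length: 7 }, () => Array(24).fill(false));
  for (let day = 1; day <= 5; day++) for (let h = 8; h < 17; h++) table[day][h] = true;
  return table;
}
const SCHEDULES = { Always: null, "Work hours": workHours() };

// Network rules exist only for these (source, destination) pairs (simplified skeleton).
const NETWORK_RULES = [["Internal", "External"], ["VPN Clients", "Internal"], ["VPN Clients", "External"]];

// Assumed address ranges: 10.0.0.x Internal, 10.0.9.x VPN Clients, anything else External.
function networkOf(ip) {
  if (ip.startsWith("10.0.0.")) return "Internal";
  if (ip.startsWith("10.0.9.")) return "VPN Clients";
  return "External";
}

// Firewall policy, evaluated top to bottom. users: null means All Users.
const POLICY = [
  { name: "DNS Communication", action: "allow", protocols: ["DNS"], from: ["Internal"], to: ["External"], users: null, schedule: "Always" },
  { name: "Teachers Web", action: "allow", protocols: ["HTTP", "HTTPS"], from: ["Internal"], to: ["External"], users: ["Teachers"], schedule: "Always" },
  { name: "Students Web", action: "allow", protocols: ["HTTP"], from: ["Internal"], to: ["External"], users: ["Students"], schedule: "Work hours" },
];

function protocolMatches(name, req) {
  return (PROTOCOLS[name] || []).some((p) => p.transport === req.transport && p.port === req.port);
}
function scheduleActive(name, when) {
  const table = SCHEDULES[name];
  return table === null || table[when.getDay()][when.getHours()];
}

// req: { src, dst, transport, port, clientType: "firewall" | "webproxy" | "securenat",
//        groups: [...], when: Date }. Returns { action, rule, reason }.
function evaluate(req) {
  const srcNet = networkOf(req.src);
  const dstNet = networkOf(req.dst);
  // step 1: a network rule between the two networks must exist
  if (!NETWORK_RULES.some(([a, b]) => a === srcNet && b === dstNet)) {
    return { action: "deny", rule: null, reason: "no network rule " + srcNet + " -> " + dstNet };
  }
  for (const rule of POLICY) {
    // step 2: protocol, source, destination and schedule must all match
    if (!rule.protocols.some((p) => protocolMatches(p, req))) continue;
    if (!rule.from.includes(srcNet) || !rule.to.includes(dstNet)) continue;
    if (!scheduleActive(rule.schedule, req.when)) continue;
    // rules for named users need the client's identity
    if (rule.users !== null) {
      if (req.clientType === "securenat") {
        // a SecureNAT client cannot authenticate: evaluation stops, the request is dropped
        return { action: "deny", rule: rule.name, reason: "authentication required, SecureNAT client cannot authenticate" };
      }
      // identity known: if the rule is not valid for this user, go on with the next rule
      if (!rule.users.some((g) => (req.groups || []).includes(g))) continue;
    }
    // step 3: the first applicable rule decides
    return { action: rule.action, rule: rule.name, reason: "matched" };
  }
  // step 4: the unmodifiable default rule denies everything else
  return { action: "deny", rule: "Default rule", reason: "no applicable rule" };
}

// Example request (constructed): a student's browser on a Monday at 10:00.
console.log(evaluate({ src: "10.0.0.5", dst: "203.0.113.10", transport: "tcp", port: 80,
  clientType: "webproxy", groups: ["Students"], when: new Date(2024, 0, 8, 10, 0) }));
```

Rule order is the practical lesson: because evaluation stops at the first rule whose protocol, source, destination and schedule match, a rule restricted to named users that sits above an All Users rule for the same traffic makes ISA Server drop every SecureNAT client's request for that traffic before the later rule is reached. Keep the rules meant for SecureNAT clients, such as the DNS rule above, ahead of user-restricted rules, or install the Firewall Client on those hosts.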

Objects to Set Up the Policy
ISA Server uses different objects when setting up the policy, such as communication
protocols, hosts, users, etc. After ISA Server is installed, a default set of such objects is
available: in particular protocol definitions, user groups representing all users or all
logged-in users, content types for HTTP communication, time schedules for working hours
and weekends, and network objects for defining source and destination hosts.
The ISA Server admin can define further objects for creating his own rules; user objects
and network locations are set up most often. These objects can mostly be set up and
modified together with the Firewall policy, or they are available from the Toolbox.
Toolbox Overview
1. Open the ISA Server console and select Firewall Policy in the navigation tree.
2. Select the Toolbox tab in the right pane.
3. Browse the pre-defined objects; double-click an object to view its definition. You
can modify each user-defined object and some pre-defined objects this way.

Figure : Toolbox and network groups All Protected Networks definition

Users

The Users objects in the Toolbox provide the user definitions for which a given access rule
is valid.
The pre-defined users are as follows:
• All Authenticated Users – i.e. logged-in users

• All Users – all users including the anonymous ones
• System and Network Service – a special user group containing the user accounts that
run the operating system and network services
Creating a new Users object:
1. Select Users in the Toolbox and click New.
2. Enter a name for this group (such as Teachers) on the first screen. Click Next.
3. On the next screen, add users or user groups to the object being created. Click Add
and select the option Windows Users and Groups to insert users from the Active
Directory domain. A window for searching Active Directory opens. Press Locations to
choose the domain from which users or user groups are searched. Type the user name
or user group name into the text field and press Check Names to verify the entered
data. Press OK to add the selected users or user groups into the ISA Server Users
object.

Figure : Including a user group from a domain

4. You can include multiple user accounts or groups. Finish the wizard after completing
the modification and apply the settings on ISA Server.

Schedules

The Schedules objects in the Toolbox provide time schedule definitions. With these
schedules you can restrict the validity of a Firewall policy rule to specific days or parts of
days.
The pre-defined time schedules are as follows:

• Weekends
• Work hours
You can modify the pre-defined schedules according to your needs or create new ones.
The figure shows how a time schedule is defined. The working area contains a table with
7 rows and 24 columns; the active time slices of the schedule are represented by blue
squares.
Editing the Work Hours schedule:
1. Select Schedules in the Toolbox.
2. Select the Work Hours schedule and click Edit.
3. You can modify the schedule name and description. Modify the schedule itself on the
Settings tab: select an area in the table with the mouse and choose Active or Inactive
below the table.

Figure : Work hours plan

Network Objects

Toolbox network objects are used to define the source and the destination of
communication. They fall into several groups:
• Networks – the networks defined on ISA Server, both the default ones and those
defined by the user.
• Network sets – make working with networks easier (much as user groups do for user
accounts). The pre-defined sets are All Networks, containing every ISA Server
network, and All Protected Networks, containing every ISA Server network except
External.

Microsft ISA Server 2006 – A School Guide Page 63


• Computers – objects defining particular hosts. A host is identified by its IP
address.
• Address Ranges – network objects defined by an IP address range, given by its first
and last address.
• Subnets – objects defined by a subnet (network address and mask).
• Computer sets – objects defining a group of hosts by their IP addresses. ISA Server
comes with an important set called Remote Management Computers, which lists the
IP addresses of the hosts allowed to monitor and manage ISA Server remotely.
• URL sets – define locations by URL (such as http://www.microsoft.com/).
• Domain Name sets – objects defined by DNS domain names. The pre-defined sets
cover the Microsoft servers that ISA Server contacts for updates and error reporting.
• Web Listeners – objects used when publishing Web services from the internal
network to the Internet.
• Server Farms – define a farm of servers on the internal network. A Web server farm
is a group of hosts serving the same Web site, so that the load is spread across the
individual servers.
Most of these objects can be adapted to your own needs, and you can define new
ones. For instance, to make only selected servers available to students, you can create
a set of domain names or URLs and use it as the destination of a firewall policy rule.
The domain name set System Policy Allowed Sites is shown in the figure. It defines the
Web servers that ISA Server itself may reach over HTTP; in the default configuration a
browser run on the ISA Server machine can reach no servers but the Microsoft ones.

Figure : Example of a defined object Domain Name Sets

Protocols

Protocol objects in the Toolbox identify the communication protocol. All common
protocols are pre-defined, so you rarely need to add or change them.
A protocol definition is based on the identification data typical of the given
communication. For instance, HTTP is defined as a TCP connection to destination port
80, the standard port on which Web servers listen. The mail protocol POP3 is defined as
a TCP connection to port 110.
It is important to note that many protocols exist in two variants, for instance POP3 and
POP3 Server. The variant without the Server tag is used in access rules that let internal
network clients reach a server using that protocol (outbound). The variant with the
Server tag is used in publishing rules that expose an internal service to the Internet
(inbound).
The Toolbox groups protocols into several categories by their purpose. The next figure
shows the DNS protocol definition, an outbound TCP connection to port 53.

Figure : Protocol categories in Toolbox and DNS protocol definition

Access rules
Firewall access rules control the communication allowed from the internal network to
the Internet.
To set up a rule allowing HTTP communication from the internal to the external network,
use the following steps:
1. Open the ISA Server console and select Firewall Policy in the navigation tree.
2. Right-click the Firewall Policy item in the tree and select New, Access Rule. Or select
the Tasks panel in the right pane and click Create Access Rule.
3. Type a rule name on the first screen, such as Web access, and press Next to
continue.
4. Select the rule action on the next screen. Deny blocks the communication defined
by this rule, Allow permits it. Select Allow and go to the next wizard screen.
5. Select the protocols for this rule on the next screen. Press Add to open the protocol
list, find HTTP and HTTPS and add them. Make sure the drop-down list reads
Selected protocols, so that the rule applies only to these specific protocols and not
to all outbound traffic.

Figure : Access rule – protocols

6. On the next wizard screen add the network object identifying the communication
source: press Add and select the Internal network. Go to the next wizard screen to
choose the communication destination and add the External network.

Figure : Access Rule - communication source and destination

7. On the next screen you can define the user sets the rule applies to. Leave the
pre-defined value All Users unchanged and finish the wizard.
8. Apply the settings on ISA Server.
9. Right-click the new rule and choose Properties. Review the rule properties and how
they can be modified.

Figure : Access rule

10. The rule properties have several panels. On the General panel you can change the
rule name and its description. On the Action panel you can change the action that
allows or denies the communication. On the Protocols panel you can change the
protocols the rule covers. On the From and To panels you can change the communication
source and destination. Notice that each has two tables: the upper one sets the source
or destination, the lower one sets exceptions. For instance, a rule can apply to any
communication from the Internal network except a chosen group of hosts. Similarly,
the Users panel sets the users the rule applies to, again with exceptions. On the
Schedule panel you can select or create a time schedule for the rule, and on the
Content Types panel you can block particular content types carried over HTTP (such
as pictures, music, video and so on).

Figure : Rule properties (modification)

You can temporarily disable a rule with the Disable icon in the console; a disabled rule
is not evaluated for any connection attempt. The Enable icon turns a disabled rule back
on. After enabling or disabling a rule you must apply the change on ISA Server. Rules
are evaluated in the listed order (the Order column in the Firewall Policy window) and
the first matching rule decides. You can change the order with the Move Up and Move
Down icons (raising or lowering the rule's priority). The same operations are available
from the context menu (right-click) of a rule, or from the Tasks panel in the right
console pane.
Web Access Limitations
A rule allowing all users HTTP and HTTPS communication with the external network was
set up by the process above. Now consider the case where students should be allowed
to communicate only with selected servers.
1. Create a user set Students in the Toolbox and add to it the Active Directory group
representing all students.
2. Create a URL Sets network object named student's URLs. Add the URLs that
students are allowed to access to this object.

Figure : New object URL set

3. Following the procedure for creating an access rule, set up a new rule that denies
HTTP and HTTPS communication for the user set Students from the Internal network
to the External network.
4. After finishing the wizard, open the rule properties and define the exception on the To
panel. The External network is the destination; add the network object student's URLs to
the lower table (Exceptions).

Figure : Access rule properties - exception from the destination

5. Close the rule properties and move this rule above the rule allowing HTTP
communication for all users.
6. Apply the settings on ISA Server.
The following figure shows the Firewall Policy after both procedures have been
completed.

Figure : Example of Web access configuration

This configuration denies all students access to the Web except for the allowed URLs.
The first rule (the deny rule) matches a student who tries to reach a blocked
destination. When a student requests an allowed destination (one in student's URLs),
the first rule does not match, because that destination is listed as an exception. ISA
Server therefore continues to the second rule. Its source, destination and protocol all
match, so the student is allowed through. In other words, the second rule grants
students Web access, but only to the particular destinations in student's URLs, because
everything else was already caught by the first rule.
For a user who is not a student, the first rule never matches, because the user is not a
member of the Students set; ISA Server goes straight to the second rule, which allows
Web access. Note that if the two rules were in the opposite order, the allow rule would
match students first and the deny rule would never be reached, which is why step 5
moves the deny rule to the top.
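The first-match evaluation described above, modelled in Python as an added example (it is not part of the guide and not ISA Server's own code). The rule set mirrors the two-rule student configuration; the user set, group and URL names are constructed for the illustration, and URL-set matching uses the trailing-asterisk form of ISA URL sets.

```python
"""Added example: first-match evaluation of ISA Server style access rules.

Not ISA Server's own code. Rules are checked in listed order and the first
rule whose protocol, source, destination (minus exceptions) and users all
match decides; if none matches, the implicit last Default rule denies.
Names, groups and URLs below are constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    protocols: set                  # e.g. {"HTTP", "HTTPS"}
    sources: set                    # network names, e.g. {"Internal"}
    destinations: set               # network names, e.g. {"External"}
    dest_exceptions: set = field(default_factory=set)   # URL-set entries (lower "To" table)
    users: set = field(default_factory=lambda: {"All Users"})   # user sets


@dataclass
class Request:
    groups: set                     # user sets the requesting user belongs to
    protocol: str
    source: str
    destination: str
    url: str


def url_in_set(url: str, url_set: set) -> bool:
    """ISA URL-set style match: 'http://host/*' matches that whole site,
    an entry without a trailing '*' must match the URL exactly."""
    for entry in url_set:
        if entry.endswith("*"):
            if url.startswith(entry[:-1]):
                return True
        elif url == entry:
            return True
    return False


def rule_matches(rule: Rule, req: Request) -> bool:
    """Apply the rule's conditions in ISA's order: protocol, From, To, Users."""
    if req.protocol not in rule.protocols:
        return False
    if req.source not in rule.sources:
        return False
    if req.destination not in rule.destinations:
        return False
    if url_in_set(req.url, rule.dest_exceptions):
        return False                # exceptions carve holes out of the destination
    if "All Users" not in rule.users and not (rule.users & req.groups):
        return False
    return True


def evaluate(policy: list, req: Request) -> tuple:
    """Return (action, rule name) of the first matching rule."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"   # ISA's implicit last rule denies everything


# Constructed URL set and the two rules from the text, in the correct order.
STUDENT_URLS = {"http://www.school.example/*", "https://library.school.example/*"}

POLICY = [
    Rule("Students - Web deny", "deny", {"HTTP", "HTTPS"}, {"Internal"}, {"External"},
         dest_exceptions=STUDENT_URLS, users={"Students"}),
    Rule("Web access", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
]


def student_request(url: str, protocol: str = "HTTP") -> Request:
    return Request({"Students"}, protocol, "Internal", "External", url)


def teacher_request(url: str, protocol: str = "HTTP") -> Request:
    return Request({"Teachers"}, protocol, "Internal", "External", url)


if __name__ == "__main__":
    for req in (student_request("http://www.school.example/index.html"),
                student_request("http://www.example.com/"),
                teacher_request("http://www.example.com/"),
                student_request("ftp://ftp.example.com/", "FTP")):
        print(req.groups, req.protocol, req.url, "->", evaluate(POLICY, req))
    # With the rules in the wrong order the allow rule matches students first:
    print("reversed:", evaluate(POLICY[::-1], student_request("http://www.example.com/")))
```

Running the block prints the outcome for each constructed request; the last line shows that reversing the two rules lets students reach everything, which is exactly why step 5 moves the deny rule above the general allow rule.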

System Policy

The ISA Server system policy is a special set of firewall access rules. They have a higher
priority than the rules defined by the administrator (they are evaluated first) and apply
only to communication between the Local Host network and some other network; in
other words, they are the rules governing network communication to and from ISA Server
itself. They are created with default settings when ISA Server is installed.

Figure : System policy

Name | Description | Default source/destination
DHCP | Allow ISA Server to use DHCP to configure its network adapters from the specified destinations | Internal
DNS | Allow ISA Server to access DNS servers in the specified destinations | All Networks
Active Directory | Allow communication with domain controllers | Internal
Microsoft Management Console (MMC) | Allow remote ISA Server management using MMC (including the ISA Server console) | Remote Management Computers
Terminal Server | Allow connections to ISA Server using Remote Desktop (Terminal Services) | Remote Management Computers
ICMP (ping) | Allow ICMP (PING) requests from the selected computers to ISA Server | Remote Management Computers
ICMP | Allow ICMP requests from ISA Server to other computers | All Networks
Windows Networking | Allow NetBIOS from ISA Server to trusted servers | Internal
SMTP | Allow SMTP from ISA Server to trusted servers | Internal
Scheduled Download Jobs | Allow HTTP from ISA Server to selected computers for content download jobs | disabled
Allowed Sites | Allow HTTP/HTTPS requests from ISA Server to specified sites | System Policy Allowed Sites
Table : Some system policy rules

The table lists only the more important parts of the system policy, not its complete
content. Any policy component (access rule) can be enabled or disabled, and its source
or destination can be redefined. For instance, if the external ISA Server adapter is to be
configured by the ISP's DHCP server, add the External network to the Internal network
already present in the DHCP system policy rule, or add a Computer network object
representing the ISP's DHCP server by its IP address.
Notice also that the diagnostic and administrative policy components are restricted to
the Remote Management Computers set. This set of hosts (IP addresses) defines which
hosts may manage ISA Server remotely with the console or Remote Desktop, and which
hosts may ping ISA Server (i.e. verify that it is running). Add the hosts from which you
intend to manage ISA Server remotely to Remote Management Computers, and nothing
else; you can edit this computer set in the Toolbox of the ISA Server console.

Application Filters

So far the firewall access rules have been treated as packet and stateful filtering rules,
working on the network and transport layers of the ISO/OSI model. ISA Server, however,
also supports filtering at the highest layer, the application layer. Packet and stateful
filtering decide whether a connection between a client and a server on different hosts
may be set up; the application protocol then transfers its data over that connection.
Application filters inspect the data flowing inside the established channel and so protect
particular client or server applications (services) from attacks carried in the protocol
itself.
ISA Server contains several built-in application filters. The primary purpose of some of
them is to let a given protocol work through the firewall at all, because the protocol
was not designed with firewalls in mind; the FTP access filter and the PPTP filter are
examples. The other category primarily prevents attacks based on the protocol; the DNS
filter, the SMTP filter and the HTTP filter are examples.

Figure : ISA Server application filters

The application filters are listed in the ISA Server console under Configuration, Add-ins.
As far as configuration goes, only the SMTP filter is of interest here: editing the filter
lets you change the list of permitted SMTP commands.
The application filters are attached mainly to the server protocol objects in the Toolbox,
to protect internal servers published to the Internet, and to protocols that need special
handling when passing through a firewall.

Figure : DNS server protocol with application filter

HTTP Application Filter


The HTTP application filter offers a wide range of options for protecting internal Web
servers and for filtering out unwanted documents. The filter is configured on each rule
that allows HTTP communication, from the rule properties or from the rule's context
menu.

Figure : HTTP filter configuration

The HTTP application filter can:
• Restrict the maximum length of HTTP headers and of the request payload
• Restrict the maximum allowed URL length
• Block the transfer of executable files over HTTP
• Restrict HTTP methods (e.g. GET, POST and so on)
• Restrict the transferred file types by their extensions
• Block documents that carry defined text strings (signatures) in the header or body.
The HTTP filter is configured separately on each rule allowing HTTP communication.
Follow these steps to set the HTTP filter:
1. Select Firewall Policy in the ISA Server console. Right-click the chosen rule and select
Configure HTTP. The rule must be one that allows HTTP communication.

Figure : HTTP application filter

2. On the General panel you can set the maximum header length and body length in the
Request Headers and Request Payload sections. A check box in the Executables section
blocks the transfer of Windows executables over HTTP. In the URL Protection section you
can limit the maximum URL length and check URL validity with the options Verify
normalization (rejects a URL that still contains escaped characters after it has been
decoded, i.e. a double-encoded URL) and Block high bit characters (rejects a URL
containing non-ASCII bytes).
3. On the Methods panel you can block selected HTTP methods, or allow only the listed
ones. GET and POST are the methods normally needed to pass parameters from the
client to the Web server.
4. On the Extensions panel you can block files with selected extensions, or allow only
the listed ones.

Figure : Disabling the compressed files relay

5. On the Headers panel you can block specific headers in HTTP requests or responses.
Programs that use HTTP as a transport often insert their own headers.
6. On the Signatures panel you can block HTTP communication containing certain text
strings in the header or body. Applications that communicate over HTTP insert
characteristic strings and data; a signature can be searched for in the request URL,
in the headers of requests and responses, and in the bodies of requests and responses.
Whether a particular application should be blocked follows from an analysis of its
traffic: either capture it with a network monitoring tool, or look up the typical
signatures of common Web applications at
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx.
When a signature is searched for in a request or response body, you must give the
range of bytes from the start of the body in which to look (the Byte Range field); data
outside that range is not inspected, so a marker placed later in the body is not caught.

Figure : Blocking the application transferring data using HTTP

7. Apply the settings on ISA Server after modifying the HTTP filter.
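To make the General, Methods, Extensions, Headers and Signatures checks above concrete, the following Python block is an added example that applies the same kinds of checks to raw HTTP messages. It is not the ISA filter's code; the limits, the blocked header name, the ExampleShare signatures and the sample messages are all constructed for the illustration.

```python
"""Added example: HTTP filter checks of the kind the ISA Server HTTP filter
applies (not the filter's own code). Settings and signatures below are
constructed stand-ins for the values entered in the Configure HTTP dialog."""
from urllib.parse import unquote, urlsplit

FILTER = {
    "max_header_bytes": 32768,          # General: Request Headers
    "max_url_bytes": 260,               # General: URL Protection
    "verify_normalization": True,       # General: URL Protection
    "block_high_bit_characters": True,  # General: URL Protection
    "block_executables": True,          # General: Executables (response body starts with "MZ")
    "allowed_methods": {"GET", "POST", "HEAD"},       # Methods: allow only listed
    "blocked_extensions": {".exe", ".zip", ".rar"},   # Extensions: block listed
    "blocked_headers": {"x-exampleshare-peer"},       # Headers (constructed name)
    # Signatures: (location, description, pattern, byte range for body locations)
    "signatures": [
        ("request_headers", "ExampleShare client", b"user-agent: exampleshare", None),
        ("request_body", "ExampleShare upload marker", b"XSHARE-UPLOAD", (0, 100)),
        ("response_body", "ExampleShare peer list", b"XSHARE-PEERS", (0, 100)),
    ],
}


def parse_message(raw: bytes):
    """Split a raw HTTP message into (start line, headers, body, header block length)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, body, len(head) + len(sep)


def inspect_request(raw: bytes, cfg: dict = FILTER) -> list:
    """Return the list of violated checks for a request; an empty list means pass."""
    violations = []
    start, headers, body, header_len = parse_message(raw)
    method, _, rest = start.partition(b" ")
    url = rest.rsplit(b" ", 1)[0]                       # drop the HTTP/1.x token
    method_s, url_s = method.decode("latin-1"), url.decode("latin-1")

    if header_len > cfg["max_header_bytes"]:
        violations.append("request headers exceed the maximum length")
    if len(url) > cfg["max_url_bytes"]:
        violations.append("URL exceeds the maximum length")
    if method_s not in cfg["allowed_methods"]:
        violations.append(f"method {method_s} not allowed")
    if cfg["block_high_bit_characters"] and any(b > 127 for b in url):
        violations.append("URL contains high-bit characters")
    if cfg["verify_normalization"]:
        once = unquote(url_s)
        if unquote(once) != once:       # a second decode still changes it: double-encoded
            violations.append("URL is not normalized (double-encoded escape sequence)")
    path = urlsplit(url_s).path.lower()
    if any(path.endswith(ext) for ext in cfg["blocked_extensions"]):
        violations.append(f"blocked file extension in {path}")
    for name in cfg["blocked_headers"]:
        if name in headers:
            violations.append(f"blocked request header {name}")
    head_lower = raw[:header_len].lower()
    for where, desc, pattern, byte_range in cfg["signatures"]:
        if where == "request_headers" and pattern in head_lower:
            violations.append(f"signature matched: {desc}")
        elif where == "request_body" and pattern in body[byte_range[0]:byte_range[1]]:
            violations.append(f"signature matched: {desc}")
    return violations


def inspect_response(raw: bytes, cfg: dict = FILTER) -> list:
    """Return the list of violated checks for a response; an empty list means pass."""
    violations = []
    _, _, body, _ = parse_message(raw)
    if cfg["block_executables"] and body.startswith(b"MZ"):
        violations.append("response body is a Windows executable (MZ header)")
    for where, desc, pattern, byte_range in cfg["signatures"]:
        if where == "response_body" and pattern in body[byte_range[0]:byte_range[1]]:
            violations.append(f"signature matched: {desc}")
    return violations


# Constructed sample messages.
OK_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
DOUBLE_ENCODED = b"GET /cgi-bin/%252e%252e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
P2P_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: peer.example.net\r\n"
               b"User-Agent: ExampleShare/1.0\r\nX-ExampleShare-Peer: 1\r\n\r\n"
               b"XSHARE-UPLOAD chunk 1")
LATE_MARKER = b"POST /upload HTTP/1.1\r\nHost: peer.example.net\r\n\r\n" + b"A" * 150 + b"XSHARE-UPLOAD"
EXE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"

if __name__ == "__main__":
    for name, raw in [("ok", OK_REQUEST), ("double-encoded", DOUBLE_ENCODED),
                      ("p2p", P2P_REQUEST), ("late marker", LATE_MARKER)]:
        print(name, "->", inspect_request(raw) or "pass")
    print("exe response ->", inspect_response(EXE_RESPONSE))
```

The LATE_MARKER request shows the Byte Range point from step 6: the marker sits at offset 150, outside the 0-100 range given for the signature, so it passes; extend the range if the application you are blocking places its marker later in the body.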

FTP Application Filter


The FTP application filter is attached to the FTP protocol in the Toolbox and is used
mostly by rules allowing internal network clients to reach FTP servers on the Internet.
The default mode for such rules is Read Only (downloads allowed, uploads and changes
blocked); you can also switch a rule to read/write mode.

Figure : FTP filter

Publishing Internal Servers on Web

Special firewall rules, called publishing rules, are used to publish internal servers to
external network users. They fall into two categories:
• Web site publishing rules – for publishing Web servers, including the Exchange
Server Web interface and SharePoint Services. These rules are fairly complex: they can
authenticate incoming requests, and the HTTP application filter can be applied to those
requests.
• Non-Web server protocol publishing rules – for publishing other (non-Web) services,
such as SMTP, POP3, IMAP, FTP servers or a terminal server (Remote Desktop). These
rules do not support authentication at the firewall; any authentication is done by the
application protocol itself after the connection has been set up.
Besides these two rule types, the ISA Server console provides wizards, for instance one
for publishing mail services; such a wizard then generates several rules of both types
for the different ways of accessing mail.

Non-Web Server Protocol Publishing Rules


Non-Web servers are published with Non-Web server protocol publishing rules; FTP is a
typical example of such a protocol. The rule opens the port belonging to the given
protocol on the external interface, TCP port 21 in the case of FTP. Any incoming
connection to this port on the external ISA Server adapter is forwarded by ISA Server to
the internal server identified by its IP address.
FTP Server Publishing
1. Select Firewall Policy in ISA Server console.

2. Select Publish Non-Web server protocol in the Tasks panel in the right pane to start
the wizard.
3. Type a rule name on the first screen, such as Publishing FTP.
4. Type the IP address of the internal FTP server on the next screen.
5. Select FTP Server from the protocol list on the next screen. Press Ports if the default
port settings need changing: by default ISA Server listens for incoming connections on
port 21 and forwards them to port 21 on the FTP server. If ISA Server should listen on
a different port, or forward to a different port on the FTP server, change the settings
here.

Figure : Publishing FTP server

6. On the next wizard screen select the networks on which the FTP server is published.
For Internet users select External.
7. Finish the wizard. Verify the FTP application filter setting on this rule (the
configuration item Read-Only).
8. Apply the settings on ISA Server.
Further items can be set on the rule afterwards; for instance, you can restrict the
communication source or add a time schedule to the rule. You must also provide correct
DNS resolution for Internet users. If the FTP server is to be reachable as ftp.domain.com,
for instance, add a record with that name to the DNS zone that resolves your domain
for Internet clients, and point it at the IP address of the external ISA Server adapter.

Figure : Publishing rule for FTP Server

You can publish a terminal server (Remote Desktop) in the same way using the RDP
Server protocol. Note that each published non-Web server occupies its port on the
external ISA Server adapter: once port 21 of the external address is taken by the first
FTP server, a second FTP server has to be published on a non-standard port.

Web Server Publishing

Web servers are published with Web Site Publishing rules. These rules use a Web
Listener, a network object that listens for incoming HTTP requests. Based on the
requested URL, the Web Listener can forward requests to different internal Web servers
(a Web server, Exchange), demand user authentication, and hand the traffic to the HTTP
application filter. A Web Listener runs on a chosen ISA Server network (typically
External) on the usual Web server port 80, waiting for incoming requests from Internet
clients.

How to Create Web Listener

1. Run ISA Server console, go to Firewall Policy. Select Toolbox panel.


2. In the Toolbox select Network Objects, then Web Listeners. Press New to start the
wizard.
3. Enter a name for the Web Listener.
4. Select Do not require SSL secured connections on the next screen and continue. An
SSL connection would require installing an SSL certificate, which is beyond the scope of
this book. Bear in mind, though, that a listener without SSL carries the user name and
password from the HTML log-on form, and everything published through it, in clear text
across the Internet; for anything other than a test installation, obtain a certificate and
require SSL.

Figure : Type of connection between ISA server and Web client

5. On the next screen select the networks the Web Listener will serve. Leave the External
network selected.
6. On the next screen select the authentication type the Web Listener will use, if any.
Select HTML Form Authentication and leave Active Directory as the authentication
provider.

Figure : Setting Web Listener authentication

7. Enable the single sign-on (SSO) option on the next screen and finish the wizard.
8. Apply the settings on ISA Server.

How to Create a Rule

1. Select Firewall Policy in ISA Server console. Select Publish Web Sites in the right
Tasks panel.
2. Enter the rule name and rule action allowing or disallowing communication on the
next screen.
3. Select Publish a single Web site or load balancer on the next screen and continue.

4. Select Use non-secured connections to the published Web server on the next screen.
5. Enter the internal server name or its internal IP address on the next screen.

Figure : Web server internal name

6. Leave the optional Path item on the next screen unchanged.
7. Enter the external (public) name of the Web server on the Public Name Details
screen and leave Accept requests for set to This domain name.

Figure : Web server external name

8. Select the set up Web Listener on the next screen.


9. On the User Sets screen remove the All Authenticated Users set and add All Users, so
that the Web server is available to anonymous users, too.

Figure : Published Web server users

10. Apply the settings on ISA Server.


The internal Web server (www.school.local) will be reachable from the Internet as
www.domain.com. The DNS server that resolves the school's public domain must
therefore resolve the Web server's public name to the IP address of the external ISA
Server adapter.

Mail Server Publishing

Outlook Web Access - OWA

By publishing the Web interface of the Exchange mail server, you let Internet users reach
their mailboxes on the internal Exchange server with a Web browser. To publish the Web
mail interface, use the following steps:
1. Select Firewall Policy in the ISA Server console. Select Publish Exchange Web Client
Access in the right panel.
2. Type a rule name.
3. Leave the Outlook Web Access option checked on the next screen and choose the
version of the published Exchange server.
4. Select Publish a single Web site or load balancer on the next screen.
5. Leave the option to publish non-secured connections unchanged on the next screen.
6. Type the internal name of the mail server or its IP address on the next screen.

Figure : Server name

7. Leave the This domain name option checked and type the public name of the mail
server. The public name (mail.domain.com, for instance) must resolve to the IP
address of the external ISA Server adapter.

Figure : External name of the published server

8. On the next screen select the Web Listener network object to be used for incoming
connections. If there is no Web Listener yet, create one in the same way as in the Web
server publishing procedure; for OWA, a Web Listener with HTML form authentication is
the appropriate choice.
9. Select NTLM authentication on the next screen and finish the wizard.
10. Apply the settings on ISA Server.
A pre-defined Web publishing rule is created that publishes the Web interface of the
Exchange mail server. The interface is available to Internet users under the defined public
name (mail.domain.com). If a user enters mail.domain.com/Exchange in the browser, the
ISA Server log-on form appears. Once the user's identity has been verified, the user is
logged on to the Exchange server and receives the Web mail interface.

Figure : Form-Based authentication log in form

SMTP server

For the internal mail server to accept incoming mail, you must publish its SMTP server.
SMTP is used to deliver mail between the sender's mail server and the recipient's mail
server. Use the following steps to publish the SMTP server:
1. Select Firewall Policy in the ISA Server console. Choose Publish Mail Servers in the
right Tasks panel.
2. Type a rule name.
3. Select Server-to-server communication on the next screen.

Figure : SMTP server publishing for accepting mail.

4. Check SMTP on the next screen.

5. Enter the internal mail server IP address on the next screen and continue.
6. Select the network on which the SMTP server is published. Choose External.
7. Finish the wizard and apply the settings on ISA Server. The resulting rule is shown in
the figure below.

The public DNS server responsible for your domain must be set up so that the mail
exchanger (MX) record of the domain points at the external ISA Server adapter. Mail sent
to the internal mail server by other mail servers then arrives at ISA Server, which routes
the SMTP communication on to the published Exchange (SMTP) server.

VPN Client Access

VPN clients are used for secure connections to internal network resources across the
insecure public Internet. The connection runs through an encrypted tunnel, so
eavesdropping on it or tampering with it is not easy.
Clients connected to the internal network over VPN are placed automatically in the VPN
Clients network. Using firewall access rules, you define which communication is allowed
to VPN clients. By default a network rule with a route relationship exists between the
VPN Clients and Internal networks; what the clients may actually do is decided by the
access rules, which you should check before enabling VPN access.

How to Set Up VPN Server


To configure the VPN gateway on ISA Server, use the following steps:
1. Select Virtual Private Networks (VPN) in the ISA Server console navigation tree. The
middle pane lists the five steps needed to set up the VPN server.

Figure VPN Server configuration

2. In the first step click the Configure Address Assignment Method link. A window with
the TCP/IP configuration options for VPN clients opens. If there is a DHCP server in your
internal network, select the Dynamic Host Configuration Protocol (DHCP) option and
choose the Internal network, through which the DHCP server is reached. If there is no
DHCP server, choose Static address pool and press Add to add the IP address range
assigned to VPN clients. This range must not overlap the range of any defined network,
especially the Internal network; if it does, shrink the Internal network range and give the
freed addresses to the static pool of the VPN server.

Figure : Assigning IP addresses to VPN clients

3. Return to the first step and click the Enable VPN Client Access link. Check the Enable
VPN client access option and set the maximum number of VPN clients. If an internal
DHCP server is used for address assignment, the VPN server obtains the addresses from
the DHCP server and hands them out to the clients.

Figure : Running VPN server

4. Apply the settings on ISA Server and continue with step 2, defining the users allowed
to connect to the internal network over VPN. Click the Specify Windows Users link.
Press Add to add user groups from the Active Directory domain: select your domain in
Locations and type the group name, press Check Names to verify that the right group
was entered, and press OK to add the group to the VPN-enabled groups. Close the
dialog.

Figure : Allowed VPN users

5. In step 3, use the Verify VPN properties link to make sure the PPTP protocol is
selected, and use the Remote Access Configuration link to verify that VPN connections
are accepted from the External network. PPTP is the easiest option to set up, but its
MS-CHAP v2 authentication is weak (a captured handshake can be attacked offline), so
where certificates or a pre-shared key can be deployed, enable L2TP/IPsec instead.
6. Check that network rules and firewall access rules exist between the VPN Clients and
Internal networks (and any other networks the clients need).
7. Apply all settings on ISA Server.

How to Connect Client


Client hosts on the Internet must be configured to connect to the VPN server. Use the
following steps on a host running Windows XP:
1. Log on to the host. Select Control Panel from the Start menu and choose Network
Connections.
2. Run the New Connection Wizard. Press Next to reach the Network Connection Type
screen.
3. Select Connect to the network at my workplace, and Virtual Private Network
connection on the next screen.
4. Enter a connection name, such as VPN School connection.
5. Enter the IP address or name of the VPN server. The address or DNS name must
resolve to the IP address of the external ISA Server adapter.
6. Finish the wizard.
7. Select Connect To from the Start menu and click the new connection.
8. Enter the name and password of an account authorized to connect to the internal
network over VPN, and log on.

The Tasks panel of Virtual Private Networks in the ISA Server console offers Monitor VPN
Clients, which opens the session monitor filtered to VPN clients only. In this way you can
watch the VPN connections currently open to the internal network.

Figure : VPN client

Figure : Currently connected VPN clients

Cache

The ISA Server cache temporarily stores the results of HTTP and FTP requests. During
cacheable communication ISA Server saves the responses it receives; later requests for
the same content can then be answered from the cache without contacting the
destination server.
After installation the cache is off. You enable caching simply by reserving the required
disk space on a local disk with the NTFS file system.

Activating Cache
1. Open ISA Server console and select Configuration and Cache in the navigation tree.

2. Click Define Cache Drives in the right console pane.
3. Select an available hard disk. To reserve disk space, type the size in MB into the
Maximum cache size field.

Figure : Enabling cache

4. Press Set to confirm.


5. Apply the settings on ISA Server. The Firewall service must be restarted for the cache
to start working; do so by confirming the console prompt.

Cache Rules
Like the firewall rules, there are cache rules. A rule defines the requested content (by
URL) and how objects from that URL are handled. Rules are evaluated the same way as
firewall rules, i.e. sequentially from the first, and the first rule matching the given
communication is used.
By default there is one rule that caches communication with the Microsoft Update
servers and a final default rule that caches all other communication. To display the cache
rules, choose the Cache Rules tab of the Cache configuration in the middle pane of the
ISA Server console.

Figure : Cache default rules

A cache rule defines several items for the given content (URL):
• Saving to cache – whether caching is enabled or disabled for the given location.
• Returning the content – how it is returned to a client:
o If a valid copy is in the cache, return it from the cache; otherwise fetch it
from the server (and update the cache).
o If any copy is in the cache (valid or expired), return it from the cache;
otherwise fetch it from the server (and update the cache).
o If any copy is in the cache (valid or expired), return it from the cache;
otherwise drop the request (nothing is fetched from the server).
Defining your own cache rule:
1. Select Configuration and Cache in the ISA Server console.
2. Right-click and select New, Cache Rule.
3. Type the rule name and go to the next wizard screen.
4. Select the network object representing the content source (the servers).
5. Select how requests are served from the ISA Server cache. Option one returns only
valid (unexpired) objects from the cache; option two returns any cached version, valid
or expired, and contacts the origin server only if nothing is cached; option three serves
requests from the cache only, and if the object is not in the cache the request is dropped
and the client receives nothing.

Figure : How to work with cache

6. On the next screen you can prevent the ISA Server cache from storing the resource content
by choosing the option Never, no content will be cached. Option two, If source request
headers indicate to cache, allows ISA Server to store the content in the cache unless the
HTTP headers prohibit it explicitly. Further options allow dynamic content, offline content and
content requiring user authentication to be cached as well.



Figure : Storing to cache

7. You can limit the maximum size of cached objects on the next screen. A screen with
HTTP caching settings follows. The availability of a cached object (its TTL) is set to 20 % of
its age, but not less than 15 minutes and not more than 1 day.

Figure : HTTP caching

8. Caching of FTP objects (files) can be enabled on the next screen. The default TTL of
FTP objects is 1 day.
9. Finish the wizard and apply the ISA Server settings.
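The header check of step 6, the TTL rule of step 7 and the three ways of returning content described above, worked through as an added example (this is not code from the guide or from ISA Server; the treatment of objects without a Last-Modified header is an assumption stated in the comments):

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Defaults from the cache rule wizard (step 7 for HTTP, step 8 for FTP).
TTL_FRACTION = 0.20             # 20 % of the object's age
MIN_TTL = timedelta(minutes=15)
MAX_TTL = timedelta(days=1)
FTP_TTL = timedelta(days=1)


def rfc_time(text):
    """Parse an RFC 1123 date as used in HTTP Date / Last-Modified headers."""
    return parsedate_to_datetime(text)


def headers_allow_caching(headers):
    """Step 6, option 'If source request headers indicate to cache': the object
    is stored unless the origin server prohibits it explicitly."""
    directives = {d.strip() for d in headers.get("Cache-Control", "").lower().split(",")}
    if directives & {"no-store", "no-cache", "private"}:
        return False
    return headers.get("Pragma", "").lower() != "no-cache"


def http_ttl(headers):
    """Step 7: TTL = 20 % of the object's age (Date minus Last-Modified), never
    less than 15 minutes and never more than 1 day. Returns None when the
    headers forbid caching. An object without Last-Modified is given the
    minimum TTL here (assumption, not stated in the guide)."""
    if not headers_allow_caching(headers):
        return None
    if "Last-Modified" not in headers:
        return MIN_TTL
    age = rfc_time(headers["Date"]) - rfc_time(headers["Last-Modified"])
    age = max(age, timedelta(0))        # clock skew must not yield a negative age
    return max(MIN_TTL, min(MAX_TTL, age * TTL_FRACTION))


def cache_decision(mode, entry, now):
    """The three 'Returning the content' options of a cache rule.
    mode:  'valid_only' (option 1), 'any_version' (option 2), 'cache_only' (option 3)
    entry: None, or a dict with 'stored_at' (datetime) and 'ttl' (timedelta)
    Returns 'cache', 'origin' (fetch from the server and update the cache) or 'drop'."""
    present = entry is not None
    valid = present and now < entry["stored_at"] + entry["ttl"]
    if mode == "valid_only":
        return "cache" if valid else "origin"
    if mode == "any_version":
        return "cache" if present else "origin"
    if mode == "cache_only":
        return "cache" if present else "drop"
    raise ValueError("unknown mode: %s" % mode)
```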

Content Download Jobs


Content download jobs are used to store a particular Web site in the cache on a regular
schedule.
1. Select Content Download Jobs in the Cache panel of the ISA Server console.
2. Click Schedule a Content Download Job in the right pane of the console. A warning will
be displayed that the Scheduled Download Job item has to be allowed in the ISA
Server system policy. Confirm the policy modification and apply the ISA Server settings.



3. Click the Schedule a Content Download Job item again in the Tasks panel.
4. Enter the job name.
5. Set the download frequency and specify the schedule details on the next screen.
6. Enter the URL to be downloaded to the cache on the next screen. You can also specify
whether links to other URLs should be followed, and to what link depth the site
should be downloaded.

Figure : Content automatic downloading

7. You can specify the content to be stored and its availability (TTL) on the next screen.

Figure : Content automatic downloading

8. Finish the wizard and apply the settings on ISA Server. The download job will run
according to the schedule, or it can be started immediately from the right-click
menu.



Managing and Monitoring ISA

Administrative Role

You can manage and monitor ISA Server using the ISA Server administrative roles. There are
three administrative roles for users in ISA Server 2006 Standard:
 ISA server Full Administrator – full authorization on ISA Server.
 ISA server Auditor – a user entitled to examine the firewall configuration and to
configure and view the monitoring tasks.
 ISA server Monitoring Auditor – a user entitled only to view the monitoring tasks.
The next figure shows the default ISA Server administrative role settings.

Figure : ISA Server default roles

Both the local administrator account of the ISA Server and the BUILTIN\Administrators group,
which represents the domain admins, have full access to ISA Server, i. e. the role ISA server
Full Administrator.
Assigning an Administrative Role to a User
1. Open the ISA Server console and select Configuration and General in the left pane of the
navigation tree.
2. Click Assign Administrative Roles in the middle pane.
3. Press Add to add the user or group to which you want to assign the administrative role.
Press Browse to choose a user or group account from the Active Directory domain.
Select the administrative role for the particular user at the bottom of the window.



Figure : Administrative role definition

4. Apply the settings on ISA Server.


A user with a defined ISA Server role can log in to the ISA Server and perform the allowed
actions from the ISA Server console: monitoring, configuring the monitoring, or firewall
configuration. Alternatively, the user can manage ISA Server remotely from the ISA Server
console on a workstation that is a member of the Remote Management Computers group.

Monitoring

Monitoring ISA Server plays a substantial role when tracing the communication, checking that
the firewall access and publishing rules work correctly, or solving issues with clients that
cannot reach the Web as expected.
You can perform the monitoring from the Monitoring part of the ISA Server administrative console.
The Dashboard offers an overview of all the monitoring areas available in ISA Server. The
Dashboard panel summarizes the current status of ISA Server and gives the admin solid
information about potential issues. It contains information on the connectivity verifiers, the ISA
Server services, the current number of clients, and alerts on various events.



Figure : ISA server dashboard

Alerts
Alerts are configuration items defining the ISA Server behavior in particular situations.
ISA Server contains a rich set of pre-configured alerts that can be modified and/or
extended.
There are three categories of alerts: Information, Warning, and Error. Each alert specifies
which event, or how many events within a given time window, will trigger it. Besides being
recorded in the ISA Server console, a triggered alert performs a predefined action: sending
an email, running a program or script, writing the event to the Event log, or even stopping
ISA Server services.
You can see the triggered alerts in the Dashboard or Alerts panels of the ISA Server console.

Figure : Acknowledge or reset alert

You can acknowledge or reset the recorded alerts from the drop-down menu. Acknowledging
an alert means you have taken note of it; an acknowledged alert is no longer displayed in the
Dashboard. Resetting an alert removes it from both the Dashboard and Alerts panels.

Figure : Some ISA server alerts

Sessions
You can trace the clients currently connected to ISA Server on the Sessions panel.

Figure : Actual connections with ISA server

Since ISA Server records the communication in a database file, this log can be queried
efficiently. Click Edit Filter to define your own view of the communication and set a filter that
displays the required information.
For example, with your own filter on the Sessions panel of the ISA Server console, press Start
Query to display all Web Proxy clients of the last 24 hours.



Figure : Own filter

Services
The Services panel lists a few items, each representing a single ISA Server service. You
can restart the services from here or check their status.

Figure : Panel of services

Reports
The ISA Server reporting facilities provide a clear graphical evaluation of ISA Server
activity and communication. ISA Server prepares a short evaluation on a daily and monthly
basis. This data is used to generate reports as HTML documents including pictures and
graphs. A report may be generated on demand or automatically, for instance once a week.
These reports can be stored automatically in a shared folder on the network or on an
internal Web server.
A report may contain multiple parts:
 Summary – basic overview of most often used protocols, Web servers, cache
functions or data flow through ISA Server
 Web usage – more detailed information about clients accessing Web
 Application usage – more detailed information about applications accessing Web



 Traffic and Utilization – more detailed information about data flow and ISA Server
load
 Security – information about cancelled connections or failed authentication

Figure : A part of a sample report

How to set up a monthly plan of reporting


1. Select Monitoring and the Reports panel in the ISA Server console.
2. Select Create and Configure Report Job in the right Tasks panel; a window with the
defined report jobs will open.
3. Press Add to run the report setup wizard.
4. Enter a report name, such as Monthly Report.
5. Select the data you are interested in on the next screen.



Figure : Report content

6. Select the frequency of generating the report on the next screen.

Figure : Automatic report generation schedule

7. On the next screen you can publish the report to a shared folder on some server. You
can also define the user account used to access this folder. This account needs write
permission both on the file system and on the share of the report destination.

Figure : Publishing report

8. On the next screen you can have a notification about each new report sent to an
email address.
9. Finish the wizard and apply the settings on ISA Server.
You can generate a single report in a similar way using the option Generate a New Report
from the Tasks panel. The generated reports are listed on the ISA Server Reports panel.
Choosing Publish from the report's drop-down menu, you can store the report in a
specific location (such as Documents or the Desktop).

Figure : Generated reports

The Tasks panel also contains a Customize Reports section with several links for adapting
the individual parts of the reports.

Connectivity verifiers
Connectivity verifiers are used for testing the availability of servers and services. A verifier
can check whether a host is on-line (running) using ICMP (PING), or check the availability of
a service on a host by establishing a connection to that service. For Web servers, you can
test the server by sending an HTTP GET request and retrieving Web content.

Figure : Connectivity verifiers

Logging
As with the Sessions panel, you can obtain information from the ISA Server log in the
Logging panel. The information available in this part of the console deals directly with the
communication. A default filter shows all active connections. For each connection you can
trace the source and destination, the protocol used, the user name, and the rule that allowed
or denied it.
If there are issues to solve, such as network resources unavailable to entitled users, you can
find the blocking rule here.



Figure : Communication logging

The default logging filter is shown in the figure above. You can display the current
connections of Firewall or Web Proxy clients by applying this filter with the Start Query link.
Real-time logging (i.e. showing the communication as it happens) can be rather CPU
intensive and lowers ISA Server performance. Thus, use on-line logging only for debugging
and troubleshooting and leave it switched off otherwise.

Figure : Log query sample
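The two queries described above (the Sessions filter for Web Proxy clients of the last 24 hours, and the Logging panel lookup of the rule that blocked a client), run over a log file instead of the console, as an added example that is not part of the guide. The W3C-style field names, addresses, users and rule names in the sample are constructed for illustration, not taken from a real ISA Server log.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the style of a W3C extended-format log as written by the
# ISA Server file logger; every value below is illustrative.
SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA Server log
#Fields: date time c-ip cs-username s-svcname cs-protocol r-host rule action
2010-03-01 08:01:12 10.0.5.21 SCHOOL\\teacher1 w3proxy http www.example.com Allow_Web_Access Allowed
2010-03-01 08:01:40 10.0.5.33 anonymous w3proxy http www.example.org InetBlocker_block Denied
2010-03-01 08:02:05 10.0.5.33 anonymous w3proxy https www.example.net InetBlocker_block Denied
2010-03-01 08:02:30 10.0.5.40 SCHOOL\\pupil7 w3proxy http intranet Allow_Web_Access Allowed
2010-03-01 08:03:10 10.0.5.40 SCHOOL\\pupil7 fwsrv smtp mail.example.com Default_rule Denied
2010-02-27 09:15:00 10.0.5.50 SCHOOL\\pupil9 w3proxy http www.example.com Allow_Web_Access Allowed
"""


def when(text):
    """Build a timestamp from 'YYYY-MM-DD HH:MM:SS' (the log's date + time columns)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_w3c(text):
    """Parse W3C extended log text: the '#Fields:' line names the columns, other
    '#' lines are directives, and each record is whitespace separated."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        record = dict(zip(fields, values))
        record["timestamp"] = when(record["date"] + " " + record["time"])
        records.append(record)
    return records


def denied_by_rule(records, client_ip):
    """Logging panel question: which rule(s) blocked this client, and how often?"""
    return Counter(r["rule"] for r in records
                   if r["c-ip"] == client_ip and r["action"] == "Denied")


def web_proxy_clients(records, now, hours=24):
    """Sessions panel filter from the guide: all Web Proxy clients (s-svcname
    w3proxy) seen within the last 24 hours, as a sorted list of addresses."""
    since = now - timedelta(hours=hours)
    return sorted({r["c-ip"] for r in records
                   if r["s-svcname"] == "w3proxy" and since <= r["timestamp"] <= now})
```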

Internet Blocking Tool (InetBlocker)

The Internet Blocking Tool application was designed to make ISA Server easy to control for
unskilled users. With it, you can quickly disable or enable the Web connection for particular
host groups. Thus, authorized staff (teachers, for instance) can control the Web connection
of a classroom using a simple application.



Figure : Web Blocking Tool application

Installation
The Internet Blocking Tool (IBT) application was designed for quickly disabling and enabling
the Web during lessons. It is typically installed on workstations such as the lecturers' hosts in
classrooms. The application uses components of the ISA Server management console, so the
ISA Server management console has to be installed on these workstations.
The .NET Framework 2 component must also be installed on the workstation. If it is
missing, you can download it from the Microsoft site or install it automatically using Windows
Update.
Process of Installation:
1. Use admin's account to log in to workstation.
2. Verify that the ISA Server management console is available on the workstation. Look
for it in the Start, Programs, Microsoft ISA Server menu. If it is not available, add it from
the ISA Server installation media.
3. Install .NET Framework 2 if it is not available. The Internet Blocking Tool installation
program tests for the presence of this component and provides the Web address for
downloading it if it is missing.
4. Run the program Setup.exe from the directory containing the installation files of the
application.
5. Click Next on the welcome page of the installation wizard.
6. On the next screen you can select the installation target folder and choose whether the
application should be installed for the current user only or for every user of the host.
Install it for all users to include the shortcuts to this application in every user's Start menu.



Figure : Installing IBT

7. Finish the installation wizard.


An InetBlocker item will appear in the Start menu, offering two versions of the application:
 InetBlocker – allows quick disabling/enabling of the Internet connection for the specified
host groups
 InetBlockerAdmin – besides the previous functions, it also allows setting the IP address of
the managed ISA Server and defining the host groups managed by this application.

Figure : InetBlocker shortcuts



ISA Server Settings
Remote ISA Server management must be enabled for the workstations using the Internet
Blocking Tool. You have to add the IP address of each host used for ISA Server management
to the Remote Management Computers group in the ISA Server console.
1. Log in to the ISA Server and run the ISA Server management console.
2. Select Firewall Policy from the navigation tree. Select Toolbox, Network Objects in
the right panel and double-click Remote Management Computers to open this group
for modification.
3. Press Add to add the hosts that will be allowed to manage ISA Server remotely. Hosts
can be defined by IP address, by an IP address range, or as a subnet.
4. Save the modifications of the Remote Management Computers group and apply the
settings on ISA Server.

Figure : Modifying Remote Management Computers

If users other than admins (teachers, for instance) should be allowed to block access to the
Web, you have to assign an ISA Server administrative role to these users. Since blocking
modifies the ISA Server configuration, the role ISA server Full Administrator has to be
assigned to such users.
1. Log in to the ISA Server and run the management console.
2. Select Configuration and General in the navigation panel.
3. Click Assign Administrative Roles in the middle panel.



4. Press Add to assign the administrative role to users.
5. Type in the user name or user group name in the form domain\name, or press Browse to
find the user or user group in Active Directory.
6. Choose the ISA server Full Administrator administrative role.
7. Save the settings and apply the modifications on ISA Server.
From now on, the specified users (teachers) are allowed to modify the ISA Server settings from
the specified hosts.

Figure : Assigning the roles

You can also create a special (service) user account for ISA Server management, assign it
the ISA server Full Administrator role, and then configure the InetBlocker application to use this
account and its password for managing ISA Server remotely. Teachers or other users who should
simply enable or disable the Internet for specified groups of computers will then not be ISA
Server Full Administrators and will not be able to manage ISA Server in any other way than
through the simple InetBlocker application. The application uses the preset credentials of this
special user account to make changes to the ISA Server configuration. Those preset credentials
carry Full Administrator rights on ISA Server, so they must be protected on the workstations
where InetBlocker is configured.

InetBlockerAdmin
After installing the Internet Blocking Tool, run InetBlockerAdmin from the Start menu under an
admin account and enter the IP address of the managed ISA Server.
1. Log in to the workstation as admin.
2. Run InetBlockerAdmin from the Start menu.
3. Click Settings to specify the ISA Server IP address.



4. Type in the internal IP address of the managed ISA Server. You can also set the
application to load the current ISA Server settings when it starts, or to log in to ISA
Server under another user name (the service account).
5. If you set the application to log in under another name, you have to assign the Full
Administrator role to that account. Otherwise the application logs in as the currently
logged-in user.
6. Press OK to confirm the settings.

Figure : IBT settings

Once you have set the ISA Server IP address, you can press Read Rules to download the
Internet blocking rules for the specified hosts from ISA Server. These rules are special access
rules that the application sets up on ISA Server. When the application is used for the first
time, no such rules exist yet, so none are displayed.

Setting up a Group

Using the InetBlockerAdmin application, you can create groups of hosts whose Web access
will be controlled by this application.
1. Press Add Group to create a group and assign a name to it.



Figure : Creating a group

2. Select the created group from the list and click Edit Group. A window opens in which
you can add hosts to the group.
3. Press Add to add hosts to the group. You can define them by IP address or by IP
address range. Press Computer from domain to display the list of hosts added to the
domain within the last two weeks and select the hosts to be added to the group.
4. Press OK to finish the modification.
5. Once you have finished creating and modifying the groups, apply these settings to
ISA Server by pressing Save Rules.



Figure : Saving the settings

As a result, the defined groups are created in the ISA Server Toolbox and a firewall access
rule blocking all Web communication from the defined host groups is placed first in the rule
list (highest precedence).

Figure : InetBlocker’s firewall access rule

InetBlocker
The second application, InetBlocker, is a simplified version of InetBlockerAdmin that works
with the host groups and settings already defined. It allows neither changing the managed ISA
Server IP address nor creating or modifying host groups; it can only allow or block Web access
for the specified host groups. Thus it is an easy-to-use application for users (teachers) who are
unfamiliar with networking but need to control the Web access of a specified host group
(classroom). The application manages ISA Server using the user's login account or the
service account defined in InetBlockerAdmin.



Figure : Simplified InetBlocker

After pressing Read Rules, the application downloads the settings of the specified groups from
ISA Server. Then select Yes or No for the selected group of computers to block or unblock the
Internet and press Save Rules to apply these settings on ISA Server.
The application logs in to ISA Server as the currently logged-in user or as the user account
defined in the InetBlockerAdmin settings. If that user holds no appropriate role for ISA
Server management, it will not be able to download the current configuration or to save the
modified configuration on ISA Server.

Figure : User does not have the ISA Server Full Administrator role

Downloading InetBlocker
You can download the InetBlocker application free of charge from the following sites:
http://www.codeplex.com/inetblocker , or
http://www.codeplex.com/inetblocker/Release/ProjectReleases.aspx

Summary
The applications InetBlocker and InetBlockerAdmin offer a simplified interface for quick ISA
Server configuration. For them to work properly, you should ensure that:
 The workstations running these tools also have the ISA Server management console
installed.
 The workstations are members of the Remote Management Computers group in the ISA
Server console Toolbox.
 The users applying these tools are assigned the ISA Server administrative role, or the
tools themselves are run under a user account with ISA Server configuration rights.



Appendixes

References

www.microsoft.com/isaserver
Microsoft ISA Server home page
http://www.microsoft.com/technet/isa
ISA server TechCenter
http://www.microsoft.com/technet/isa/2006/Upgrade_Guide_SE.mspx
Upgrading ISA Server how-to
http://www.microsoft.com/technet/isa/2006/clients.mspx
Detailed information about ISA Server types of clients
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx
HTTP application filter typical settings for blocking the well-known services
http://www.isaserver.org
Independent site devoted to ISA Server products

FAQ

Where can I get an application for simple Web blocking (the Web Blocking Tool)?
You can download it from:
http://www.codeplex.com/inetblocker,
or from the site Moderní Správce:
http://www.modernivyuka.cz/spravce
