ISP = Internet Service Provider
Microsoft ISA Server 2006 is software for building a secure Web gateway on machines running
the Microsoft Windows Server 2003 operating system.
First, ISA Server protects the internal network against unwanted communication and against
targeted attacks, and it controls user access from the internal network to the Web. Different
user groups can be allowed or denied the use of particular Web services or of particular Web
servers (Web access, e-mail).
Second, ISA Server can publish (make available) some internal network services to Web users.
If a school or a company runs its own Web server or mail server, these services can be used
for presenting subjects, for internal mailing, for communicating with Web users and for
maintaining users' mailboxes.
Third, ISA Server can provide a Web cache service. You can configure ISA Server to keep the
contents of Web pages accessed from the internal network in its memory for some period of
time. If any user requests a page held in the Web cache during this period, it is served
promptly. This saves transmission capacity on the Web lines and reduces the Web response
time for users.
Last but not least, you can easily set up ISA Server as an integrated VPN gateway for secure
remote connections to the internal network. If needed, these connections can be encrypted,
and they are controlled by means of user accounts or groups in Active Directory. A remote
user can access his private data on the server, such as files with training courses. A VPN
gateway also enables transparent site-to-site network connections (schools, offices etc.);
however, that discussion goes beyond the scope of this handbook, which describes only
common school networks.
There are two editions of Microsoft ISA Server 2006. The Standard edition is designed for
users who need to protect their network, typically with one firewall. The Enterprise edition, on
the other hand, is designed for large companies administering several groups (fields) of
firewalls. Each field can be located in a separate part of the network (a complex network
infrastructure with a high degree of security), and a field can be composed of more than one
firewall with identical functionality in order to distribute the network load among several
machines. This handbook discusses only the Standard edition of ISA Server, which is typically
designed for small networks.
ISA Server divides all hosts into multiple networks. The internal network is defined as the
range of IP addresses used by the internal network hosts. The internal network often uses one
of the IP address ranges reserved for private use:
Class  First address  Last address     Default netmask  Default netmask shortcut
A      10.0.0.0       10.255.255.255   255.0.0.0        IP_address/8
B      172.16.0.0     172.31.255.255   255.255.0.0      IP_address/16
C      192.168.0.0    192.168.255.255  255.255.255.0    IP_address/24
Table 1: Private IP address ranges
ISA Server contains several predefined networks. Their meaning is summarized in Table 2.
Localhost – represents ISA Server itself.
Internal network – includes the hosts with the addresses the administrator defined during
the ISA Server installation. It is a trusted network, protected by ISA Server against attacks
from the Web. ISA Server is connected to this network by a single network interface with a
defined IP address from the private network range.
External network – is not defined by any IP address range; it includes everything that is not
defined elsewhere. A single ISA Server interface provides the connection to the external
network (i.e. the Web or the ISP network). The IP address of the external ISA Server
interface is typically set according to the agreement with the ISP.
VPN clients network – includes all hosts connected to ISA Server by means of a VPN
connection. The IP address range of the VPN clients network must not overlap the internal
network range or any other network created by the administrator.
VPN quarantined clients – includes VPN clients that have not yet passed the quarantine
check, if one was requested.
Table 2: Default ISA Server Networks
Network Rules
Communication within a single network, for instance the internal one, proceeds autonomously,
i.e. independently of ISA Server. On the other hand, the communication
The first network rule type is the NAT rule. It is a one-way rule, which means that the
communication can be initiated only from one network to the other. ISA Server performs
network address translation (NAT), which hides the identity of the network from which the
communication was initiated.
The course of such communication, for a NAT rule from the internal network to the external
network, is shown in Figure 3. A request is sent from an internal network host to a Web
server, for instance. As ISA Server provides the Web gateway, the request goes from the host
to ISA Server. Since ISA Server performs NAT, the sender field in the IP packet is replaced
with the IP address of the ISA Server external adapter. Because that address can be reached
from the Web, the request can be made to the Web server. When the Web server receives the
request, it assembles a response and sends it back to the sender. Since the Web server
received the request from ISA Server, the response is addressed to ISA Server. After ISA
Server receives the response, the firewall service looks up its record of the original
communication initiator. In Figure 3 this was the host named Pc1, to which ISA Server
delivers the response. The received page is then displayed by the Web browser on Pc1.
This rule type is mostly used between the internal network and the Web: partly to protect the
identity of the internal network, partly because the NAT mechanism makes the Web available
to clients with private IP addresses used inside the company network. Private IP addresses
cannot be used on the Web because no server would be able to deliver a response to a
non-public address.
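The exchange described above, as an added illustration that is not part of the handbook or of ISA Server's own code: a small JavaScript model of a NAT gateway that records the initiator of each outbound request, rewrites the sender field, returns replies to the recorded host and drops packets that nobody inside asked for. The private ranges come from Table 1; the addresses, ports and the host Pc1's details are constructed.

```javascript
// Added illustration, not ISA Server code: a minimal model of the one-way
// NAT rule described above. All hosts, addresses and ports are constructed.

// Private address ranges from Table 1, as inclusive first/last pairs.
const PRIVATE_RANGES = [
  { first: "10.0.0.0",    last: "10.255.255.255"  },
  { first: "172.16.0.0",  last: "172.31.255.255"  },
  { first: "192.168.0.0", last: "192.168.255.255" },
];

// Dotted quad -> unsigned 32-bit number (throws on malformed input).
function ipToInt(ip) {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return octets.reduce((n, o) => n * 256 + o, 0);
}

// True if the address lies in one of the private ranges (not routable on the Web).
function isPrivate(ip) {
  const n = ipToInt(ip);
  return PRIVATE_RANGES.some(r => n >= ipToInt(r.first) && n <= ipToInt(r.last));
}

// A NAT gateway: one external address plus the record of who initiated what.
class NatGateway {
  constructor(externalIp) {
    this.externalIp = externalIp;
    this.table = new Map();   // "proto:externalPort" -> original packet header
    this.nextPort = 40000;    // next free port on the external adapter
  }

  // Packet leaving the internal network: remember the initiator and replace
  // the sender field with the external adapter address.
  outbound(pkt) {
    const port = this.nextPort++;
    this.table.set(`${pkt.proto}:${port}`, { ...pkt });
    return { ...pkt, srcIp: this.externalIp, srcPort: port };
  }

  // Packet arriving on the external adapter: deliver it to the recorded
  // initiator, or drop it (null) when nobody inside asked for it. This is
  // what makes the NAT rule one-way.
  inbound(pkt) {
    const rec = this.table.get(`${pkt.proto}:${pkt.dstPort}`);
    if (!rec || rec.dstIp !== pkt.srcIp || rec.dstPort !== pkt.srcPort) return null;
    return { ...pkt, dstIp: rec.srcIp, dstPort: rec.srcPort };
  }
}

// The exchange of Figure 3: Pc1 asks a public Web server for a page through
// the gateway, the reply comes back to Pc1, and an unsolicited connection
// attempt from outside finds no record and is dropped.
function figure3Exchange() {
  const isa = new NatGateway("203.0.113.10");   // constructed external address
  const request = { proto: "tcp", srcIp: "10.0.0.21", srcPort: 51000,   // Pc1
                    dstIp: "198.51.100.80", dstPort: 80 };             // Web server
  const onTheWeb = isa.outbound(request);
  const reply = { proto: "tcp", srcIp: onTheWeb.dstIp, srcPort: onTheWeb.dstPort,
                  dstIp: onTheWeb.srcIp, dstPort: onTheWeb.srcPort };
  const delivered = isa.inbound(reply);
  const unsolicited = isa.inbound({ proto: "tcp", srcIp: "198.51.100.99", srcPort: 4444,
                                    dstIp: "203.0.113.10", dstPort: 3389 });
  return {
    seenByServer: onTheWeb.srcIp,                  // the server only sees ISA's address
    deliveredTo: delivered ? delivered.dstIp : null,
    unsolicitedDropped: unsolicited === null,
    pc1IsPrivate: isPrivate(request.srcIp),
    serverIsPrivate: isPrivate(request.dstIp),
  };
}
```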
The second network rule type is the Route rule. It allows communication between networks
that can be initiated from either network. Since the addresses are not translated, the sender
field is not changed along the whole path to the destination.
For the communication shown in Figure 4, the sender Pc1 in the internal network needs a
public IP address that is unique on the whole Web. Because of the worldwide shortage of IP
addresses, companies are mostly assigned an address space too small to cover the whole
internal network. This problem led to the massive use of NAT and also forced the new IP
protocol version called IPv6.
Routing communication between the internal network and the Web is therefore not a typical
use of the Route rule. It is mostly used for communication between different segments of the
company network. A classic example is communication between the internal network and the
VPN clients network, which mostly use the Route rule between each other. Routing can also
be applied between private networks that are not configured with public IP addresses.
The existence of a network rule between two networks is not sufficient for hosts to start
communicating with each other; it is only one of the necessary conditions. The network rule
states what kind of access is applied: routing or NAT. In the case of NAT, communication can
be started in a single direction only, and ISA Server has to keep a record of the host to which
the responses should be returned. Firewall access rules still have to be defined to permit the
communication.
Firewall Rules
Firewall rules permit communication between hosts in different networks. If ISA Server
receives a packet on one of its interfaces, it opens the packet and retrieves the necessary
information from it (sender, receiver, protocol etc.). The
Figure 5 shows the Edge Firewall arrangement. Since ISA Server works as both router and
firewall, it should be equipped with at least two network adapters. This arrangement is the one
discussed in this handbook.
Another demilitarized zone arrangement is shown in Figure 7. ISA Server is used as the
back-end firewall, and either ISA Server or any other firewall can be used as the front-end.
The demilitarized zone is partially reachable from the Web, as in the previous arrangement,
while the internal network is protected by two firewalls.
ISA Server can work as a member server of an Active Directory domain or as a stand-alone
server in a workgroup.
The third chapter closes with a short list of how to set up clients to use ISA Server for Web
access from the internal network.
Web-Proxy client – a host whose Web browser (for instance Web Explorer) is set to use a
proxy server. The proxy server is set to the ISA Server address.
Before the ISA Server installation itself, some steps need to be taken in order to understand
the current network architecture, to plan the new ISA Server solution, and to consider the
availability of Web services for internal network users. The goal is not only to state the
communication rules for particular user groups, but also to set up the infrastructure so that
the allowed services are available to users. An internal network host should have a correct
TCP/IP interface configuration and access to translation of DNS names to IP addresses.
1. Current network mapping – the first step, which makes it possible to understand the
current network architecture and supplies the necessary information. You should have
an overview of which IP addresses are used in the internal network and information
about the relevant servers in it. Look at how the workstations are configured (DHCP
server) and how DNS names are translated to IP addresses (DNS server).
2. Necessary network changes – some changes are needed to put ISA Server into
operation. For instance, all internal network hosts should be reconfigured to use ISA
Server for communication with the Web. Next, you may want to provide access to
name-to-IP-address translation and to ensure that Web users can reach the servers
published from the internal network under the company's DNS names.
3. Access to the Web – prepare a draft of the rules that you will later use as firewall
access rules. These rules should include the user groups with Web access, including
lists of available servers and applicable services.
4. Client configuration – based on the information gathered, decide which client access
type to ISA Server will be used. Each client type has advantages and drawbacks, and
they are not interchangeable. This is why you have to understand the particular client
types and know when each can be used.
Network Infrastructure
Some other network services have to support ISA Server for the whole network to function
correctly. You have to configure the following services correctly:
DNS
DHCP
Active Directory
Retrieving an IP address from a domain name (which a user may enter into a Web browser, for
instance) is necessary for connecting clients to Web resources. If you decide to publish some
internal network services on the Web, Web users also need a way to obtain the correct IP
address for connecting to a published server.
Using an Internal DNS Server
Many companies have their own DNS server in the internal network, which can also be
configured to translate Web domain names. If the Active Directory service is installed in the
company network, the DNS service mostly runs on the domain controller and takes care of
name translation for the domain zone. Thus, if a domain controller administers the zone
school.com, for instance, a DNS server translating names in the zone school.com is running
on the domain controller. This DNS server can be configured so that it is also able to
translate other Web names besides its own domain names. To do so, set your internal DNS
server to forward requests for Web names to another DNS server, typically the ISP's DNS
server. Translation of the internal domain names remains on the current server.
Use the following process to configure your DNS server to forward requests:
1. Run the DNS console from Administrative Tools on the domain controller or on another
server.
2. Right-click the server name in the left pane of the console and choose Properties.
3. Select the Forwarders tab, enter the DNS server IP address into the appropriate field
and click the Add button. You will obtain the DNS server IP address from your ISP.
If you want to introduce Web access restrictions based on user names or user groups from
the internal network, or to limit the access of unauthenticated users to published servers,
integrating ISA Server with the Active Directory domain is suitable. If ISA Server is a member
of the domain, it can check domain users without any extra configuration.
However, ISA Server also offers options to authenticate domain users when ISA Server is
not a domain member. You can use LDAP (Lightweight Directory Access Protocol) or the
RADIUS standard (Remote Authentication Dial-In User Service), which is implemented in the
Windows Server 2003 IAS (Web Authentication Service).
If you want ISA Server to use the Active Directory service, the DNS server setting of the
internal ISA Server adapter has to point to a DNS server holding the internal domain zone
(typically the domain controller IP address).
DHCP Service
The DHCP service is not necessary for introducing ISA Server, but it is recommended for the
network configuration of the internal network clients. The advantage of a DHCP server is easy,
automatic client configuration. You can thus easily set the clients so that they work with ISA
Server and the Web. If you change the IP address of the Web DNS server or the default
gateway address, you simply modify the DHCP server setting, and the client hosts' IP
configuration is adjusted to the new requirements, at the latest after they restart.
The DHCP server can also be used to configure clients connected from the Web through a
VPN channel. If you enable VPN client connections on ISA Server, it asks the DHCP server
for a block of IP addresses to assign to the VPN clients.
Prior to Installation
A computer with the Windows Server 2003 operating system, meeting the requirements in
Table 3, is needed for the ISA Server installation. It is highly recommended to update the
operating system with all available patches and service packs before the installation.
1. Server operating system update – update your system before the ISA Server
installation.
2. Internal network interface settings – the internal network interface should be
configured with an IP address and the internal network mask. If ISA Server is going to
be a member of the domain, set the DNS server item of the internal interface to the
DNS server on the internal network (the domain controller). If you use a DHCP server
on the internal network, make sure that the ISA Server internal interface IP address is
excluded from the IP address set assigned by the DHCP server; you have to prevent
the DHCP server from assigning the ISA Server IP address to another host.
a. Open Control Panel and double-click Network Connections.
b. Select the adapter used for the internal network. You can rename the connection
for clarity, for instance Internal Network or LAN.
c. Open the connection properties, select the item Internet Protocol (TCP/IP) and
click the Properties button. Enter the IP address and network mask of the internal
adapter. Leave the Default Gateway field blank. If you want to communicate with
the domain controller, enter the domain controller (DNS server) IP address.
g. Select the WINS tab, uncheck Enable LMHOSTS lookup and select the option
Disable NetBIOS over TCP/IP.
Installation Process
You can proceed to the ISA Server installation after finishing the network adapter
configuration. Use the following steps:
1. Log in as administrator to the server on which ISA Server 2006 is to be installed.
2. Insert the ISA Server installation medium. Choose the option Install ISA Server 2006
after the installation CD-ROM is read and the automatic menu is displayed.
If the CD-ROM does not run automatically, or if you are installing ISA Server from a
network disk, for instance, run the file fpc\setup.exe from the root folder of the ISA
Server installation files.
3. Press Next on the welcome screen. Then accept the License Agreement and press
Next.
4. Fill in your name and company name on the next screen. Enter a valid Microsoft ISA
Server 2006 product license key into the appropriate field. Press Next to continue.
5. Choose a typical installation and continue by pressing Next. All ISA Server 2006
components are installed with this option.
6. The IP address range of the internal network is defined on the next screen. Press Add
to open the Addresses window and enter the IP address range of the internal network.
7. You can enter the complete IP address range using Add Adapter, which derives it from
the ISA Server internal adapter IP configuration. Alternatively, you can enter the
well-known private IP address ranges, or your own IP address range using the Add
Range button.
The selected IP address range must contain the address of the ISA Server internal
adapter. After finishing the modification, press Next to continue. You can also modify
the internal network IP address range after the ISA Server installation has finished.
10. Press Next and press Install on the next screen. The ISA Server installation then
begins. It is completed within a few minutes and the ISA Server services are started
automatically. Restarting the server is not necessary.
Figure : Installation
No physical access to ISA Server itself is necessary for administering it. You just need to
install the management console on the administrator's workstation, from which it can connect
to any ISA Server. ISA Server is often not located in an easily accessible place, so it is
convenient to administer it remotely, for instance from the manager's office.
1. Insert the ISA Server 2006 installation CD-ROM into the administrator's workstation.
2. Run the Installation Wizard and follow the steps.
3. You can choose a typical installation on the installation options screen when you
install it on a workstation (Windows XP, Windows 2000 Professional). If you want to
install just the administration console on another Windows Server 2003, choose your
3. The installation logs are located in the %windir%\temp (C:\windows\temp) directory.
ISAFWSV_NNN.log – detailed log of the firewall installation
ISAMSDE_NNN.log – detailed log of the MSDE services installation
ISAFWUI_NNN.log – installer records
ISAWRAP_NNN.log – short summary of the installation procedure for all components
4. Information about the running firewall services, or the error preventing them from
running, is in the Event Viewer from Administrative Tools.
If you run the ISA Server console on a workstation, you can connect to a remote ISA Server.
1. Right-click Microsoft Web Security and Acceleration 2006 in the console and select
Connect to.
2. Enter the ISA Server name or find it with the Browse button. You can use either the
account you used to log in to the workstation, or choose another.
3. Click OK to connect to the remote ISA Server.
Before connecting, you have to enable remote access to ISA Server from the admin's
workstation. If an admin is going to log in with another (non-administrator) account, you
should assign it an appropriate administrative role for managing ISA Server.
ISA Server configuration modifications are not applied immediately after you make them.
They accumulate in the console store, so multiple items can be modified and then applied at
once. Click Apply next to the big yellow icon with an exclamation mark in the console after
finishing the modifications. If you do not want to apply the modifications, click Discard.
To enable remote control of ISA Server, the firewall system policy contains by default some
rules defined for remote ISA Server management from the group Remote Management
Computers. You can add any host to this group for remote management.
1. Log in to ISA Server with the admin's account.
2. Run the ISA Server management console.
3. Select Firewall Policy in the tree in the left pane.
4. Select Toolbox, Network Objects, and Computer Sets in the right pane.
5. Double-click the group Remote Management Computers.
6. Press Add and select Computer to open a window for defining the host.
7. Enter the host name, for instance admin workstation, and its IP address.
8. Close the Remote Management Computers group dialog and apply the settings on
ISA Server.
9. Now you can manage ISA Server remotely from your host. Use the admin's account
when logging in to ISA Server from the console (Figure 24).
Firewall Client
Firewall client hosts use the Firewall Client application to communicate with ISA Server. This
application has to be installed and running for access to the Web (or to another network).
The Firewall Client application changes the network access behavior of the client host. Any
attempt by an application (Web browser, e-mail client, messenger) to access a network is
intercepted by the Firewall Client application, and the communication receiver is checked. If a
local host is determined as the receiver, the communication is let through untouched.
However, if the communication is destined for the Web, it is redirected to ISA Server. ISA
Server accepts the communication request and authenticates the user (the authentication is
transparent: the logged-in user's account is used). Next, ISA Server checks whether the
communication type is allowed, i.e. whether there is an access rule for such communication.
If there is, ISA Server completes the request on the destination server and sends the
response back to the client.
The Firewall Client provides the highest level of security and functionality of all ISA Server
client types.
Firewall client advantages:
Web access control and communication logging based on user accounts and groups.
Automatic and transparent client authentication against ISA Server.
Web Explorer proxy settings can be configured by the Firewall Client.
The Firewall Client supports all network applications.
No default gateway configuration and no DNS access is required on the client.
Communication not intended for the local network is passed to ISA Server, which mostly
performs the DNS resolution, too.
Firewall client drawbacks:
The Firewall Client is an application that has to be installed on the host. Manual installation
on all hosts might be rather time consuming. Since the client is distributed as an MSI
installation package, you can install it automatically on domain workstations by means of
domain group policy.
SecureNAT client
Hosts without the Firewall Client application installed can work as SecureNAT clients. To
enable Web communication for such clients, you have to set the TCP/IP default gateway so
that their communication is routed to the Web. Typically (in simple networks), the default
gateway is set to the internal ISA Server IP address. Next, the clients need access to the
DNS service.
SecureNAT client advantages:
Most applications (protocols) are supported. For the common protocols having problems with
DNS (such as FTP), ISA Server has built-in application filters to overcome such problems.
Support for any operating system providing the TCP/IP protocols.
Easy client configuration from the DHCP server.
SecureNAT client drawbacks:
The SecureNAT client does not support authentication, so ISA Server cannot log the
communication by user or group. Similarly, if the firewall access rules require authentication,
no SecureNAT client access is allowed.
The client host must have a DNS server configured in order to translate Web names into IP
addresses.
Web-Proxy Client
A Web-Proxy client is a host with an HTTP 1.1 compatible Web browser that is set to use a
proxy server. Most commonly used browsers support this, so any host can work as a
Web-Proxy client (including hosts configured as Firewall or SecureNAT clients). Any attempt
to access the Web is sent to the proxy server, i.e. ISA Server. If there is a rule at ISA Server
for the given communication, ISA Server passes the request on to the Web server and returns
the response to the Web-Proxy client. The client is also able to authenticate itself when asked
by ISA Server. The authentication can again be transparent, using the account of the
logged-in user if it is a member of the Active Directory domain. If it is not, or if the host uses
a non-Microsoft operating system, the built-in Basic authentication of the HTTP protocol can
be used.
You can configure the Web browsers en bloc to cooperate with ISA Server; no individual
configuration is needed. With its default settings, the Firewall Client application configures
Web Explorer to use ISA Server for the proxy service.
Web-Proxy client advantages:
All recent Web browsers are supported, independently of the operating system used.
A single internal network workstation may act as more than one ISA Server client type at
once. The workstation can be configured as a Web-Proxy client, a Firewall client and a
SecureNAT client simultaneously. To achieve this, give the workstation a complete TCP/IP
configuration including the default gateway and a DNS server for Web name translation,
install the Firewall Client application, and configure the Web browser to use the proxy server.
A host acts as a Web-Proxy client when communicating from a Web browser. If any other
protocol is used (e.g. connecting to a remote desktop), the communication is relayed through
ISA Server by the Firewall Client application. However, some exceptions may be configured
in the Firewall Client application to keep it away from particular activities. This includes the
application Outlook, for instance: the Firewall Client is set so that it does not affect any
Outlook communication. Outlook then uses the DNS service available on the host, and its
communication passes as a SecureNAT client through the default TCP/IP gateway.
If you configure a host with the Linux operating system as a Web-Proxy and SecureNAT
client, Web communication filtering can be based on user names. Any other communication
passes as a SecureNAT client, so no control based on users and user groups is possible for
it.
Configuring Clients
SecureNAT Client
The SecureNAT client type is the simplest one, because correct TCP/IP protocol settings are
sufficient for the client host. The goal of the configuration is to enable the client to send
requests to the Web and to make the DNS service available to the client.
Default gateway settings
Set the TCP/IP default gateway of the internal network workstations to the internal ISA Server
adapter IP address. When using a DHCP server for client configuration, modify the DHCP
server settings instead.
Name translation settings
If you have a domain controller in the internal network, you also have a DNS server. Set it up
to enable Web name translation for the internal network clients, too. The how-to for the DNS
server settings is in the chapter ISA Server Installation. Besides these settings, you have to
allow communication between the internal DNS server and Web DNS servers with a firewall
rule, which may be included in a settings template. Such a template can be used for the initial
ISA Server configuration, or you can use the following steps:
6. On the Access Rule Sources screen, enter the location from which the DNS
communication will be initiated. Press Add to open the list of available locations and
select the network Internal.
7. On the Access Rule Destinations screen, choose the target of the DNS communication
you want to make available. Add the External network in the same way as in step 6.
8. Leave the next screen (User Sets) unchanged; the rule will apply to all users.
9. Finish the wizard and apply the settings on ISA Server. You have just created a rule
allowing internal network hosts to communicate with external network DNS servers
using the DNS protocol.
Web-Proxy Client
A Web-Proxy client is a host with a Web browser set to use ISA Server as proxy server.
Neither extra TCP/IP configuration (an IP address and net mask are enough) nor the Firewall
Client application is needed; however, the Web browser has to be configured. This
configuration can be made manually or automatically on each host.
First, make sure that the Web-Proxy service is available on ISA Server. This service is
enabled by default after ISA Server is installed.
1. Run the ISA Server console and select Networks in the left pane. Select the Networks
tab in the middle pane and open the Internal network properties.
2. Select the Web Proxy tab in the Internal network properties window.
3. Verify that the option Enable Web Proxy client connections for this network is checked
and that HTTP protocol communication is enabled. ISA Server listens for Web-Proxy
client connections on the internal adapter on port 8080.
You can set up the Web-Proxy clients on each host manually. Any application using the proxy
server (Web browser, FTP client, etc.) has its own settings. Use the following steps to
configure the Web-Proxy client in Web Explorer:
4. If you also choose Bypass proxy server for local addresses, requests for internal Web
servers are routed directly to the appropriate server without passing through ISA
Server.
5. Press Advanced to set further items. For instance, you can set a different proxy server
address and port for each protocol type, or address exceptions for which the proxy
server is not used.
If a client is set for automatic configuration, the current configuration script is downloaded
each time Web Explorer is started. The browser applies the script according to its needs.
Automatic configuration saves you from manually reconfiguring all hosts each time the ISA
Server configuration changes.
1. Open Control Panel and Internet Options. Click LAN Settings on the Connections tab.
2. Select Use automatic configuration script and fill the Address field with the
configuration script location. Replace the ISA Server domain name according to your
own needs, or use the ISA Server IP address:
http://isa1.school.local:8080/Array.dll?Get.Routing.Script
http://10.0.0.10:8080/Array.dll?Get.Routing.Script
3. Save the settings and restart Web Explorer.
The settings shown in the following figure consist of three separate phases. In the first
phase, the browser tries to find an available ISA Server that is set up to be detected. If that
fails, in the second phase the browser tries to download the configuration script from a fixed
ISA Server. If both previous phases fail, in the third phase the browser is configured
according to the Proxy server frame.
As the Web browser configuration mostly depends on the user account, each user should set
the Web-Proxy configuration at least to automatic configuration, so that the browser is
configured from ISA Server and works as a Web-Proxy client. If the hosts and users are
members of the Active Directory domain, the admin can set the Web Explorer proxy
configuration for all users centrally using Group Policy. The second option is to let the
Firewall Client application set up the Web-Proxy client on all clients.
If you use a configuration script rather than manual settings, you can affect the script
contents in the ISA console.
1. Run the ISA Server console. Choose Networks in the left pane and the Network panel in
the middle of the console pane. Open the Internal network properties.
2. Pay attention to the Web Browser panel:
a. By setting Bypass proxy for Web servers in this network you allow the clients to
contact the LAN Web servers directly without passing through ISA Server.
b. Directly access computers specified in the Domains tab concerns the Firewall
Clients. With this option, connections to the domains enumerated in the Domains
panel go directly rather than through the proxy server.
c. By setting Directly access computers specified in the Addresses tab you allow
direct connections to the hosts whose IP addresses are defined in the Addresses
panel rather than connections through the proxy server.
d. You can add further server or domain names for the Web-Proxy client under
Directly access these servers or domains. The Web-Proxy client communicates
with these servers or domains directly, without the proxy server.
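The decisions in points a to d are what the downloaded configuration script encodes. The proxy auto-configuration (PAC) script below is an added example written for this handbook's school.local network, not the script ISA Server generates at Array.dll?Get.Routing.Script; the 10.0.0.0/8 address range and the server names intranet and files.school.local are assumed for the example.

```javascript
// Added example: a hand-written PAC script with the same decisions as the Web Browser
// tab of the Internal network properties (plain host names, the Domains, Addresses and
// "Directly access these servers" lists go direct, all else goes via ISA Server).
// It is not the script ISA Server generates. The address range and the two server
// names are assumptions made for this example.

var ISA_PROXY = "PROXY isa1.school.local:8080";        // ISA Server, Web-Proxy port 8080
var DIRECT_DOMAINS = [".school.local"];                 // Domains tab
var DIRECT_SERVERS = ["intranet", "files.school.local"];// "Directly access these servers"
var DIRECT_NETS = [["10.0.0.0", "255.0.0.0"]];          // Addresses tab (assumed range)

// Minimal re-implementations of the PAC helper functions so the script can be run
// outside a browser; a real PAC engine supplies them. This isInNet only understands
// hosts written as dotted-quad IP literals, because no DNS lookup is done offline.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bypass proxy for Web servers in this network: single-label names go direct.
  if (isPlainHostName(host)) return "DIRECT";
  // Explicitly listed servers.
  for (var i = 0; i < DIRECT_SERVERS.length; i++) {
    if (host === DIRECT_SERVERS[i]) return "DIRECT";
  }
  // Internal domain suffixes from the Domains tab.
  for (i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) return "DIRECT";
  }
  // Internal address ranges from the Addresses tab (URLs such as http://10.0.0.10/).
  for (i = 0; i < DIRECT_NETS.length; i++) {
    if (isInNet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  }
  // Everything else goes through ISA Server; no DIRECT fallback, so a client whose
  // ISA Server is unreachable fails closed instead of bypassing the firewall.
  return ISA_PROXY;
}
```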
If you have the Firewall Client application installed, you can use it to set up the Web-Proxy
clients automatically. The Firewall Client application can configure Web Explorer to use the
proxy server for a user.
1. Run the ISA Server console, find the network settings and open the properties of the
Internal network.
2. Go to the Firewall Client panel. In the section Web browser configuration on the firewall
client computer of this panel you can choose how the Firewall Client application should
set up the Web-Proxy client. All three options are set in accordance with the following
figure:
a. The Web-Proxy client looks for an ISA Server that is configured as detectable.
b. The Web-Proxy client tries to download the configuration script from the server
ISA1 if step a fails.
c. The browser uses the proxy server ISA1 if step b fails, too.
3. Apply the settings on ISA Server.
You can extend the automatic Web-Proxy client configuration by setting up the network
environment so that the Web-Proxy client can find the ISA Server by itself. The automatic
lookup is also usable for a default Firewall Client, which tries to find a published ISA Server.
This lookup feature is called Automatic Discovery in the (help) documentation. A Web-Proxy
client searches for the ISA Server using the WPAD protocol (Web Proxy Automatic
Discovery). The Firewall Client application uses the WSPAD protocol (Winsock Proxy
AutoDetect).
To run the Automatic Discovery feature, add an alias record with the name WPAD to the
DNS server zone, pointing to the ISA Server DNS name. Clients in the school.local domain
look for the server named WPAD.school.local when using automatic detection, so this name
must resolve to the ISA Server IP address.
ISA Server Configuration
You have to switch on automatic detection support on ISA Server.
1. Run the ISA Server console, find the Internal network and open its properties.
2. Go to the Auto Discovery panel. Select the option Publish automatic discovery information
for this network and leave the port number value 80 unchanged.
3. Apply the settings on ISA Server.
Manual Installation
You can install this application manually using the appropriate wizard on the client host, or
you can use a semi-automatic installation by running it from a shared network folder with
configuration arguments.
Installation Process:
1. Log in to an internal network workstation using the admin's account.
Non-wizard installation:
You can also run the installation from a command line to set the default client configuration.
Path\Setup.exe /v"[SERVER_NAME_OR_IP=ISA_Server_Name]
[ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"
SERVER_NAME_OR_IP – ISA Server name or IP address for the connection
ENABLE_AUTO_DETECT – if the value is 1, automatic detection is allowed
REFRESH_WEB_PROXY – if the value is 1, the Web browser on the Web-Proxy client is
configured by the Firewall Client application
For multiple hosts, you can use Group Policy to install the Firewall Client automatically from
a network folder. First, copy the file ms_fwc.msi from the ISA Server Client directory to a
network folder. Then, use the following process to tell the hosts to install the application
from that folder. For this purpose it is useful to have the Group Policy Management Console
installed on the domain controller (or on the admin's workstation). This console is available
as a free installation package named gpmc.msi on the Microsoft Website.
1. Place the file ms_fwc.msi in a shared network folder.
2. Log in to the domain controller and run the Group Policy Management console from
Administrative Tools. Or run the console from a workstation and connect it to the
domain controller.
4. Choose an appropriate name for the new policy being created, such as Install FW
application.
5. Right-click the policy and select Edit.
The Firewall Client will be installed on all hosts in the Active Directory organizational unit
with this installation policy, by the second restart at the latest. The default Firewall Client
setting is automatic ISA Server detection. Thus, if automatic detection support is enabled
on the network (on ISA Server and in DNS), the automatically installed clients can
communicate with ISA Server without any further settings.
You can set the Firewall Client configuration in the ISA Server console. This configuration
includes how the Web-Proxy client is set up by the Firewall Client and which domain names
are considered LAN hosts. Another configuration option is to define exceptions to the
Firewall Client function, such as for which applications the SecureNAT client is used instead
of the Firewall Client, or modifying the port numbers used for Firewall Client to ISA Server
communication or for ISA Server to destination Web server communication.
4. Enter the name used for the internal domain in the Domains panel. The Firewall Client
uses a direct connection to those local hosts (or servers) whose IP address or domain
name matches the settings on the Addresses or Domains panels, rather than
communicating through ISA Server.
The default Firewall Client settings for working with applications are shown in the figure.
Applications such as Outlook or exchng32 are disabled from using the Firewall Client – if
a default TCP/IP gateway is set, the SecureNAT client is used for their internet
communication instead. You can see that the communication ports to be used for the TCP
and UDP protocols are assigned to the realplay application.
Any client's configuration can be extended or modified in the configuration files or in the
All Users profile files, besides the global Firewall Client settings on ISA Server. However,
you mostly don't need to change these settings, so they are not discussed here any further.
Read http://www.microsoft.com/technet/isa/2006/clients.mspx for more detailed information
on this topic.
Any communication that should pass through the ISA Server is disabled after installation.
To enable communication, two conditions must be met:
1. There must be a Network rule between the networks. A basic skeleton of network rules
is set up after installing ISA Server.
2. There must be a Firewall rule allowing the given communication type. After installation
there is only one rule, which denies any communication.
ISA Server offers several templates with the typical network and Firewall rules for a given
network security type. You can use the Edge firewall template for simple networks with a
single ISA Server. This template is applied automatically after the ISA Server installation, but
only its network rule settings are used; the Firewall rules allowing basic network access are
not applied from the template. Thus, if you want to set the first network rules to allow basic
HTTP Web access, you can apply this template on ISA Server using its pre-defined Firewall
rules. Use the following process to apply the template:
1. Log in to the ISA Server and run the ISA Server management console. Select
Configuration and Networks in the navigation tree in the left console pane. You get to
the panel where you can configure the firewall networks and the communication rules
between them. Select the Templates tab on the right edge of the console.
2. Click the Edge Firewall icon. A settings wizard starts. Press Next on the welcome
screen. On the next screen you can export the current ISA Server settings. The current
settings are lost by applying a template, so pay attention to the export option.
3. In the next part of the wizard you can modify the IP address range defining the internal
network. This screen has the same function as the similar screen in the ISA Server
installation.
a. Block all – all communication through ISA Server is denied. This option is used
by the ISA Server installation.
b. Block web access, allow access to ISP network services – this option makes the
ISP services available. In particular, it makes the external DNS server available
to internal network clients and VPN clients.
c. Allow limited Web access – this option sets the Firewall rules so that the Web is
available to internal network clients and VPN clients using the HTTP, HTTPS and
FTP protocols, and VPN clients are allowed to communicate with the internal
network.
d. Allow limited Web access and access to ISP network services – this option
extends the previous point with access to the external DNS server from the
internal network.
e. Allow unrestricted access – this option allows unlimited communication to the
Web from the internal network using any protocol. Unlimited communication from
the VPN clients network to the internal network and to the Web is allowed, too.
5. Select the pre-defined communication type you want to set and finish the wizard.
Then apply the settings on ISA Server.
6. Check the Firewall rules that have just been set up in the ISA Server console. Select
Firewall Policy in the navigation tree.
Figure: Network rules and firewall policy for the Edge firewall template with the Allow limited
Web access and access to ISP network services option.
Firewall Policy
The Firewall policy establishes the communication type allowed by the Firewall. The policy
consists of a few rules displayed in the following figure. Each item is described with how it
can be set.
Users
The Users objects in the Toolbox provide the user definitions for which a given access rule
is valid.
Pre-defined users are as follows:
All Authenticated Users – i.e. logged-in users
4. You can include multiple user accounts or groups. Finish the wizard after completing
the modification and apply the settings on ISA Server.
Schedules
The Schedules objects in the Toolbox provide time schedule definitions. With these
schedules you can restrict the validity of a Firewall policy rule to specific days or parts of
days.
Pre-defined time schedules are as follows:
Network Objects
The Toolbox network objects are used to define the communication source and destination.
These objects are divided into a few groups:
Networks – include the networks defined on ISA Server. Both default and user-defined
networks can be involved.
Network sets – are used to make working with networks easier (similarly to user groups
containing user accounts). Pre-defined network sets include All Networks
Protocols
The Protocol objects in the Toolbox are used to identify the communication protocol. All
common protocols are pre-defined, so you mostly don't need to add to them.
The protocol definitions are based on identification data typical for the given communication.
For instance, the HTTP protocol is defined as a TCP connection to destination port 80, the
standard port on which Web servers run. The mail protocol POP3 is defined as a TCP
connection to port 110.
Importantly, some protocols have two definitions, for instance POP3 and POP3 Server.
Protocols without the Server tag are typically used for setting up access rules from internal
network clients to servers using the given protocol. Protocols with the Server tag are used
for publishing internal network services on the internet.
There are a few protocol categories in the Toolbox according to their application type. The
next figure shows the DNS protocol definition for outbound TCP on port 53.
Access rules
Firewall Access Rules are used to allow communication from the internal network to the
Web.
To set up the HTTP communication rules from the internal to the external network, use the
following steps:
1. Open the ISA Server console and select Firewall Policy in the navigation tree.
2. Right-click the Firewall Policy item in the tree and select New and Access Rule. Or
select the Tasks panel in the right pane and click Create Access Rule.
3. Type in the rule name on the first screen, such as Web access, and press Next to
continue.
4. Select the rule action on the next screen. The Deny action disables the communication
defined by this rule, the Allow action enables it. Select Allow and go to the next wizard
screen.
5. Select the communication protocols for this rule on the next screen. Press Add to
open the protocol list. Find the protocols HTTP and HTTPS and add them. Make sure
the option Selected protocols is indeed selected in the drop-down menu; the rule is then
valid for these specific protocols only.
6. On the next wizard screen, add the network object identifying the communication
source. Press Add to add the Internal network. Go to the next wizard screen to choose
the communication destination. Add the External network.
7. On the next screen you can define for which user group the rule applies. Leave the
pre-defined value All Users unchanged and finish the wizard.
8. Apply the settings on ISA Server.
9. Right-click the rule you set up and choose Properties. Review the rule properties and
how to modify them.
10. There are a few panels in the rule properties. You can modify the rule name and its
description on the General panel. Next, you can modify the rule action to enable or
disable communication on the Action panel. Next, you can modify the communication
protocols for this rule on the Protocols panel. Next, you can change the communication
source and destination on the From and To panels. Notice that there are two fields
available – the first for setting the source or destination, the second for setting
exceptions. For instance, a rule can be valid for any communication from the Internal
network except some group of hosts. Similarly, on the Users panel you can set the
users for which the rule is valid, including exception definitions. Next, you can set or
create a time schedule for this rule on the Schedule panel and disable relaying of some
particular content types over HTTP (such as pictures, music, videos etc.).
You can temporarily disable a rule with the icon in the console – i.e. such a rule is not
evaluated on any attempt to communicate. The icon enables a disabled rule again. When
enabling or disabling a rule, you have to apply the modification on ISA Server. Rules are
evaluated in the listed order (the Order field in the Firewall Policy window). You can change
this order using the icons (which means increasing or decreasing the rule
3. Set up a new access rule, following the process for creating an access rule, which
denies HTTP and HTTPS communication for the user group Students from the internal
network to the external network.
4. After finishing the wizard, open the rule properties and define the exception from the
destination on the To panel. The External network is selected as the destination; add
the network object student’s URL’s as an exception in the lower table.
5. Close the rule properties and move this rule to the position before the rule allowing
HTTP communication for all.
6. Move this rule before any other rule allowing Web access for all users.
7. Apply the settings on ISA Server.
See the following figure for how the Firewall Policy looks after finishing both processes
above.
This configuration denies Web access for all students except the allowed URLs. The first
rule, which denies communication, applies to students trying to access denied content. If a
student wants to access an allowed destination (student’s URL’s), the first rule cannot apply
to this communication because the destination does not match. Thus ISA Server takes the
second rule. This rule matches the source, destination and protocol used, so the student is
allowed to access the Web. The second rule therefore allows Web access for the students,
but only to the particular
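The first-match walk through the policy described above, as an added example in code that is not part of ISA Server: two rules in the order of steps 3 to 6, the destination exception from step 4, and the built-in default deny at the end. The contents of the student’s URL’s set, the user names and the group names other than Students are constructed for the example.

```javascript
// Added example, not ISA Server code: a model of how ISA Server evaluates the Firewall
// Policy in Order and stops at the first rule that fully matches. Rule names follow
// the text; the URL set contents and the sample users are constructed.

const URL_SETS = {
  // Contents of the "student's URL's" URL set object (constructed domains).
  "student's URL's": ["*.example.org", "www.example.net"],
};

const FIREWALL_POLICY = [
  { order: 1, name: "Deny Web for Students", enabled: true, action: "deny",
    protocols: ["HTTP", "HTTPS"],
    from:  { include: ["Internal"], except: [] },
    to:    { include: ["External"], except: ["student's URL's"] }, // exception, step 4
    users: { include: ["Students"], except: [] } },
  { order: 2, name: "Web access", enabled: true, action: "allow",
    protocols: ["HTTP", "HTTPS"],
    from:  { include: ["Internal"], except: [] },
    to:    { include: ["External"], except: [] },
    users: { include: ["All Users"], except: [] } },
];

// Wildcard match for URL set entries such as "*.example.org".
function globMatch(pattern, host) {
  const escaped = pattern.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + escaped + "$", "i").test(host);
}

// A destination entry is either a URL set name or a network name.
function matchDestination(entry, req) {
  if (URL_SETS[entry]) return URL_SETS[entry].some(p => globMatch(p, req.host));
  return entry === req.dstNetwork;
}
function matchSource(entry, req) { return entry === req.srcNetwork; }
function matchUser(entry, req) {
  if (entry === "All Users") return true;
  if (entry === "All Authenticated Users") return req.user.authenticated;
  return req.user.groups.includes(entry) || req.user.name === entry;
}

// The From, To and Users panels each have an include table and an exception table:
// the field matches when an include entry matches and no exception entry does.
function selects(field, req, matcher) {
  return field.include.some(e => matcher(e, req)) &&
         !field.except.some(e => matcher(e, req));
}

// Walk the rules in Order; the first full match decides. With no match, the built-in
// default rule at the end of the policy denies the communication.
function evaluate(req, rules = FIREWALL_POLICY) {
  for (const rule of rules) {
    if (!rule.enabled) continue;                        // a disabled rule is skipped
    if (!rule.protocols.includes(req.protocol)) continue;
    if (!selects(rule.from, req, matchSource)) continue;
    if (!selects(rule.to, req, matchDestination)) continue;
    if (!selects(rule.users, req, matchUser)) continue;
    return { action: rule.action, rule: rule.name };
  }
  return { action: "deny", rule: "Default rule" };
}

// Constructed sample requests from the Internal network.
const STUDENT = { name: "anna", groups: ["Students"], authenticated: true };
const TEACHER = { name: "bob", groups: ["Teachers"], authenticated: true };
const SAMPLE_REQUESTS = [
  { protocol: "HTTP",  srcNetwork: "Internal", dstNetwork: "External", host: "www.example.com",  user: STUDENT },
  { protocol: "HTTPS", srcNetwork: "Internal", dstNetwork: "External", host: "docs.example.org", user: STUDENT },
  { protocol: "HTTP",  srcNetwork: "Internal", dstNetwork: "External", host: "www.example.com",  user: TEACHER },
  { protocol: "FTP",   srcNetwork: "Internal", dstNetwork: "External", host: "ftp.example.com",  user: TEACHER },
];
for (const req of SAMPLE_REQUESTS) {
  const decision = evaluate(req);
  console.log(`${req.user.name} ${req.protocol} -> ${req.host}: ${decision.action} (${decision.rule})`);
}
```

Swapping the two rules makes the student's request match Web access first, which is why steps 5 and 6 move the deny rule up.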
System Policy
The ISA Server system policy is a special set of Firewall access rules. These rules have a
higher priority than the rules defined by the admin, and they are valid only for communication
between the Localhost network and some other network. These are thus the rules enabling
network communication with ISA Server itself. They are defined automatically by default after
installing ISA Server.
Only the substantial parts of the system policy are listed in the table rather than its complete
content. Any policy component (access rule) can be enabled or disabled, and its source or
destination can be redefined. If you want to configure the external ISA Server adapter from
the ISP's DHCP server, for instance, add the External network in addition to the Internal
network in the DHCP system policy, or add a Computer network object representing the
ISP's DHCP server by its IP address.
Next, notice that the diagnostic and administrative policy components are available to the
Remote Management Computers group. This group of hosts (IP addresses) defines the hosts
allowed to manage ISA Server remotely using the console or remote desktop, or the hosts
from which you can ping the ISA Server (i.e. verify that it is running). Add the hosts from
which you intend to perform remote ISA Server management to Remote Management
Computers. You can modify this host group using the Toolbox in the ISA Server console, for
instance.
Application Filters
Up to now, the firewall access rules were considered as rules defining packet and stateful
filtering. These rules work on the network and transport layers of the ISO/OSI model.
However, ISA Server also supports filtering on the highest layer – the application layer.
Packet and stateful filtering let you set up a connection between a client and a server on
different hosts. This connection is then used for data transfer by the application protocol.
Application filters therefore control the communication inside an established channel, to
protect particular client or server applications (services) against attacks.
ISA Server contains a few built-in application filters. The primary purpose of some filters is to
enable communication with a given protocol over the non-standard firewall environment,
Application filters are available from the ISA Server console. Select Configuration and
Add-ins in the navigation tree. As far as configuration is concerned, only the SMTP filter is
interesting: the list of allowed SMTP commands can be modified by editing the filter.
These application filters are mostly assigned to the server protocol objects in the Toolbox,
to protect internal servers published on the Web or for protocols requiring special handling
when operating over a firewall.
2. On the General panel, you can modify the maximum header and body length in the
sections Request Headers and Request Payload. By checking a box in the Executables
section, you can disable relaying executables over HTTP. In the URL protection section
you can restrict the maximum URL length and check URL correctness with the options
Verify normalization and Block high bit characters.
3. You can disallow selected HTTP methods, or disallow all but the chosen ones. The GET
and POST methods are typically used to pass parameters from the client to the Web
server.
4. You can disallow the transfer of files with selected extensions, or allow only the
enumerated ones.
5. You can disallow particular headers in HTTP requests or responses. Programs using
HTTP to communicate often insert special headers into HTTP.
6. On the Signatures panel, you can block HTTP communication containing certain text
strings in the header or in the body. Some text strings and data are inserted here by
different applications using HTTP for communication. Those strings may be detected in
the headers or bodies of both HTTP requests and responses and in the request URL.
Whether a particular application should be allowed follows from an analysis of that
application's communication. You can perform such an analysis either using
communication monitoring tools, or you can look up the typical signatures of common
Web applications at
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx.
When searching for a signature in the request body or response body, you have to
specify the actual lookup range from the start of the document in the Byte Range field.
7. Apply the settings on ISA Server after modifying the HTTP filter.
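The checks from steps 2 to 6, modelled as an added example in code so that each option can be tried on constructed requests and responses; this is not ISA Server's HTTP filter. The limit values, the blocked header name and the two signatures are constructed for the example, and the normalization check implements the double-decoding test the Verify normalization option is described as performing.

```javascript
// Added example, not ISA Server code: a model of the HTTP filter checks (length
// limits, Verify normalization, Block high bit characters, methods, extensions,
// headers, signatures with a Byte Range) plus the executable check on responses.
// Limit values, the blocked header name and the signatures are constructed.

const policy = {
  maxUrlLength: 2048,                 // URL protection: maximum URL length (assumed)
  maxHeadersLength: 32768,            // Request Headers: maximum length (assumed)
  maxPayloadLength: 1024 * 1024,      // Request Payload: maximum length (assumed)
  verifyNormalization: true,          // URL protection: Verify normalization
  blockHighBitCharacters: true,       // URL protection: Block high bit characters
  blockExecutables: true,             // Executables: block Windows executable content
  allowedMethods: ["GET", "POST", "HEAD"],  // Methods: allow only the chosen ones
  blockedExtensions: [".exe", ".vbs"],      // Extensions: block the listed ones
  blockedHeaders: ["x-constructed-app"],    // Headers: constructed name, no real product
  signatures: [                             // Signatures tab (constructed patterns)
    { name: "constructed-agent", where: "requestHeaders", header: "user-agent",
      text: "ConstructedApp/1.0" },
    { name: "constructed-upload", where: "requestBody", byteRange: [0, 100],
      text: "MAGIC-UPLOAD" },
  ],
};

function block(reason) { return { allowed: false, reason }; }
const ALLOW = { allowed: true, reason: "ok" };

// One round of percent-decoding; null when an escape sequence is malformed.
function normalizeOnce(url) {
  try { return decodeURIComponent(url); } catch (e) { return null; }
}

// req: { method, url, headers: { "lowercase-name": value }, body: string }
function inspectRequest(req) {
  const url = req.url;
  if (!policy.allowedMethods.includes(req.method.toUpperCase())) return block("method " + req.method);
  if (url.length > policy.maxUrlLength) return block("URL too long");
  if (policy.blockHighBitCharacters && /[^\x00-\x7F]/.test(url)) return block("high-bit character in URL");
  const once = normalizeOnce(url);
  if (policy.verifyNormalization) {
    // A URL that decodes a second time was escaped twice (e.g. %252e for "."); the Web
    // server may see a different path than the filter checked, so it is rejected.
    if (once === null || normalizeOnce(once) !== once) return block("URL not normalized");
  }
  const path = (once === null ? url : once).split("?")[0].toLowerCase();
  for (const ext of policy.blockedExtensions) {
    if (path.endsWith(ext)) return block("extension " + ext);
  }
  let headerBytes = 0;
  for (const [name, value] of Object.entries(req.headers)) {
    headerBytes += name.length + value.length + 4;   // "name: value\r\n"
    if (policy.blockedHeaders.includes(name.toLowerCase())) return block("header " + name);
  }
  if (headerBytes > policy.maxHeadersLength) return block("headers too long");
  if (req.body.length > policy.maxPayloadLength) return block("payload too long");
  for (const sig of policy.signatures) {
    if (sig.where === "requestHeaders") {
      if ((req.headers[sig.header] || "").includes(sig.text)) return block("signature " + sig.name);
    } else if (sig.where === "requestBody") {
      // Only the configured Byte Range of the body is searched, as on the Signatures tab.
      const [from, to] = sig.byteRange;
      if (req.body.slice(from, to).includes(sig.text)) return block("signature " + sig.name);
    }
  }
  return ALLOW;
}

// res: { body: string }; a Windows executable starts with the "MZ" DOS header.
function inspectResponse(res) {
  if (policy.blockExecutables && res.body.startsWith("MZ")) return block("Windows executable");
  return ALLOW;
}
```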
Special firewall rules – so-called publishing rules – are used for publishing internal servers
to external network users. The rules can be divided into two categories:
Web site publishing rules – for publishing Web servers, including the Exchange server Web
interface and SharePoint Services. These rules are rather complex; they allow
authentication of incoming requests, and the HTTP application filter can be applied to
those requests.
Non-Web server protocol publishing rules – rules for publishing other (non-Web) services,
such as SMTP, POP3, IMAP, FTP server or terminal server (remote desktop). No
authentication is supported by those rules. Any authentication can be done by the
application protocol only after the connection is set up.
Besides setting up both rule types, the ISA Server console provides a wizard that publishes
mail services, for instance. The wizard then generates several rules of different types for
the different ways of accessing mail.
6. Select the networks for publishing the FTP server on the next wizard screen. For Web
users select External.
7. Finish the wizard. Verify the proper settings of the FTP application filter on this rule
(configuration item Read-Only).
8. Apply the settings on ISA Server.
Some additional items can be adjusted to complete the rule. For instance, you can restrict
the communication source or the time schedule for this rule. Next, you should provide
correct DNS translation for Web users. If you want to make the FTP server available as
ftp.domain.com
You can publish a terminal server – remote desktop – in the same way using the RDP Server
protocol. However, if you publish another FTP server, you have to publish it on a
non-standard port, because port 21 of the external ISA Server adapter is already used by
the first FTP server.
You can use Web Site publishing rules for publishing Web servers. These rules use a Web
Listener, which is a network object listening for incoming HTTP requests. Based on the
requested URL, the Web Listener is able to forward the requests to different internal Web
servers (Web, Exchange), to ask for user authentication or to filter them with the HTTP
application filter. The Web Listener runs on a particular ISA Server adapter (typically on the
External network) on the usual Web server port 80, where it waits for incoming requests
from Web clients.
5. Select the networks the Web Listener should work for on the next screen. Leave the
External network selected.
6. Select the authentication type for the Web Listener if necessary on the next screen.
Select HTML Form Authentication and leave Active Directory as the authentication
provider.
7. Check the SSO authentication option on the next screen and finish the wizard.
8. Apply the settings on ISA Server.
1. Select Firewall Policy in the ISA Server console. Select Publish Web Sites in the right
Tasks panel.
2. Enter the rule name and the rule action allowing or denying communication on the
next screen.
3. Select Publish a single Web site or load balancer on the next screen and continue.
6. Leave the optional item Path unchanged on the next screen.
7. Enter the external (Web) name of the Web server on the Public Name Details screen
and leave the item Accept requests at the value This domain name.
By publishing the Web interface of the Exchange mail server on the Web, you allow Web
users to access mailboxes on the internal Exchange server using a Web browser. To publish
the Web interface for mail, use the following steps:
1. Select Firewall Policy in the ISA Server console. Select Publish Exchange Web Client
Access in the right panel.
2. Type in the rule name.
3. Leave the Outlook Web Access option checked on the next screen and choose the
version of the published Exchange server.
4. Select Publish a single Web site or load balancer on the next screen.
5. Leave the Publish non-secured connections option unchanged on the next screen.
6. Type in the internal name of the mail server or its IP address on the next screen.
7. Leave the This domain name option checked and type in the Web name of the mail
server. The Web name (mail.school.com for instance) has to resolve to the external
ISA Server adapter IP address.
8. On the next screen select the Web Listener network object to be used for the incoming
connection. If there is no Web Listener, set one up in the same way as for Web server
publishing. For publishing OWA, a Web Listener with HTML form authentication is
appropriate.
9. Select NTLM authentication on the next screen and finish the wizard.
10. Apply the settings on ISA Server.
A pre-defined Web publishing rule is set up to publish the Exchange mail server interface.
The interface is available to Web users under the defined public name (mail.domain.com)
from the Web. If a Web user enters mail.domain.com/Exchange into their Web browser, an
ISA Server log-in form appears. After the user's identity is verified, the user is logged in to
the Exchange server and receives the Web mail interface.
SMTP server
To allow the internal network mail server to accept mail, you have to publish the SMTP
server. SMTP is used for delivering mail between the sender's and the receiver's mail
servers. Use the following steps to publish the SMTP server:
1. Select Firewall Policy in the ISA Server console. Choose Publish Mail Servers in the
right Tasks panel.
2. Type in the rule name.
3. Select Server to Server communication on the next screen.
The Web DNS server responsible for your domain's name translation has to be set up to
point the mail server DNS record at the external ISA Server adapter. Mail sent to the
internal mail server by other senders then arrives at ISA Server, which routes this SMTP
communication to the published Exchange (SMTP) server.
VPN clients are used for secure connections to internal network resources over the
unsecured public Web. The connection is implemented as an encrypted channel, so
monitoring or modifying it is not easy.
Clients connected to the internal network over VPN are automatically included in the VPN
Clients network. Using Firewall access rules you can define which type of communication is
enabled for VPN clients. By default, any communication with the internal network is allowed
to VPN clients using a route network rule.
2. Click the Configure Address Assignment Method link in the first step. A window with
the client TCP/IP protocol configuration options opens. If there is a DHCP server in your
internal network, select the Dynamic Host Configuration Protocol (DHCP) option and
choose the Internal network on which the DHCP server is contacted. If there is no DHCP
server in your internal network, choose Static address pool and press Add to add the IP
address range for VPN client configuration. This range must not overlap any defined
network range, especially the Internal network. If it does, reduce the Internal network IP
range and assign the vacated space to the VPN server static range.
3. Continue with the first step. Click the Enable VPN Client Access link. Check the Enable
VPN client access option and choose the maximum number of VPN clients. If you are
using the internal DHCP server for the configuration, the VPN server allocates IP
addresses obtained from the DHCP server.
4. Apply the settings on ISA Server and continue with step 2 – i.e. defining the users
allowed to connect to the internal network using VPN. Click the Specify Windows Users
link. Press Add to add the user groups from the Active Directory domain. Select your
domain in Locations and type in the group name. Press Check Names to verify that the
correct group was entered and press OK to add the group to the VPN-enabled groups.
Close the dialogue defining the groups.
5. Using the Verify VPN Properties link, ensure that the PPTP protocol is chosen, and
using the Remote Access Configuration link in step 3 verify that VPN connections are
accepted from the External network.
6. Check that there are network rules and firewall access rules between the VPN Clients
and Internal networks (or between other networks as needed).
7. Apply all settings on ISA Server.
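The overlap check that step 2 requires for a static address pool, as an added example in code that is not part of ISA Server: it reports which defined network ranges a proposed pool collides with, and shows how the Internal range shrinks when the pool is carved out of it. The network ranges below are constructed for the school.local example.

```javascript
// Added example, not ISA Server code: checks a proposed VPN static address pool
// against the address ranges of the networks defined on ISA Server, and computes the
// reduced range left after carving the pool out of a network (the "reduce the
// Internal network IP range" advice in step 2). The ranges are constructed.

const NETWORKS = [
  // Constructed to resemble Configuration > Networks; two ranges for Internal show
  // that a network may consist of several address ranges.
  { name: "Internal",   ranges: [["10.0.0.0", "10.0.0.255"], ["10.0.2.0", "10.0.2.255"]] },
  { name: "Local Host", ranges: [["127.0.0.0", "127.255.255.255"]] },
];

// Dotted-quad IPv4 <-> integer (inputs come from trusted configuration here).
function ipToInt(ip) { return ip.split(".").reduce((n, o) => n * 256 + Number(o), 0); }
function intToIp(n) { return [24, 16, 8, 0].map(s => (n >>> s) & 255).join("."); }

// Intersection of two inclusive [lo, hi] integer ranges, or null if disjoint.
function overlap(a, b) {
  const lo = Math.max(a[0], b[0]), hi = Math.min(a[1], b[1]);
  return lo <= hi ? [lo, hi] : null;
}

// Returns one entry per colliding network range: { network, overlap: [from, to] }.
// An empty result means the pool can be used as the VPN clients static range.
function poolConflicts(pool, networks = NETWORKS) {
  const p = [ipToInt(pool[0]), ipToInt(pool[1])];
  if (p[0] > p[1]) throw new Error("pool start address is after pool end address");
  const conflicts = [];
  for (const net of networks) {
    for (const r of net.ranges) {
      const o = overlap(p, [ipToInt(r[0]), ipToInt(r[1])]);
      if (o) conflicts.push({ network: net.name, overlap: [intToIp(o[0]), intToIp(o[1])] });
    }
  }
  return conflicts;
}

// Removes the pool from a network range and returns the remaining range(s): one
// range when the pool sits at either end, two when it is in the middle, and the
// original range unchanged when the two do not overlap.
function carveOut(range, pool) {
  const r = [ipToInt(range[0]), ipToInt(range[1])];
  const p = [ipToInt(pool[0]), ipToInt(pool[1])];
  const rest = [];
  if (p[0] > r[0]) rest.push([r[0], Math.min(r[1], p[0] - 1)]);
  if (p[1] < r[1]) rest.push([Math.max(r[0], p[1] + 1), r[1]]);
  return rest.map(x => [intToIp(x[0]), intToIp(x[1])]);
}

// Constructed proposal: the top of the Internal range, as a school might first try.
const PROPOSED_POOL = ["10.0.0.200", "10.0.0.255"];
for (const c of poolConflicts(PROPOSED_POOL)) {
  console.log(`pool overlaps ${c.network}: ${c.overlap[0]} - ${c.overlap[1]}`);
}
console.log("Internal after carving out the pool:", carveOut(NETWORKS[0].ranges[0], PROPOSED_POOL));
```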
Cache
The ISA Server cache is used for temporarily storing the results of HTTP and FTP requests.
During communication that may be cached, ISA Server stores the received responses. ISA
Server can then return the responses contained in its cache without communicating with the
destination server.
In the default state after installation, the cache is off. You can easily switch on caching by
reserving the required disk space on some local disk with the NTFS file system.
Activating Cache
1. Open the ISA Server console and select Configuration and Cache in the navigation tree.
Cache Rules
Similar to the firewall rules, there are cache rules, too. The rules contain a definition of the
requested content (the URL address) and how to handle the objects at that URL. The rules
are evaluated the same way as for the firewall, i.e. sequentially from the first; the first rule
matching the given communication is used.
In the default state there is one rule allowing the caching of communication with the
Microsoft Update servers and a last default rule caching all communication. You can display
the cache rules by choosing the Cache Rules panel in the Cache configuration in the middle
pane of the ISA Server console.
There are a few items a cache rule defines for the given content (URL):
Saving to cache – you can enable or disable caching for a given location.
6. On the next screen, using the option Never, no content will be cached, you can prevent
the ISA Server cache from storing the resource content. The second option – If source
request headers indicate to cache – allows ISA Server to store the content in the cache
if this is not explicitly prohibited in the HTTP headers. The next options also allow saving
dynamic content, offline content and content requiring user authentication to the cache.
7. You can limit the maximum size of cached objects on the next screen. A screen with
HTTP caching settings follows. The cache object lifetime (TTL) is set to 20 % of its age,
but not less than 15 minutes and not more than 1 day.
8. Caching FTP objects (files) is allowed on the next screen. The default TTL of FTP
objects is 1 day.
9. Finish the wizard and apply the ISA Server settings.
7. You can specify the content to be stored and its lifetime on the next screen.
8. Finish the wizard and apply the settings on ISA Server. The download job is scheduled
according to the plan, or it can be forced by right-clicking and choosing from the
drop-down menu.
Administrative Role
You manage and monitor ISA Server through ISA Server administrative roles. For ISA Server 2006 Standard Edition there are three administrative roles that can be assigned to users:
ISA Server Full Administrator – full authorization over ISA Server, including changes to the configuration.
ISA Server Auditor – a user entitled to examine the firewall configuration and to set up and follow the monitoring tasks.
ISA Server Monitoring Auditor – a user entitled only to examine the monitoring tasks.
Give each user the least privileged role that covers their task: only a Full Administrator can change rules, so anyone who merely needs to watch sessions, alerts or reports should be a Monitoring Auditor.
The next figure shows the default ISA Server administrative role settings.
Both the local administrator account of the ISA Server host and the BUILTIN\Administrators group (which includes the domain admins) have full access to ISA Server, i.e. the role ISA Server Full Administrator.
Assigning an Administrative Role to a User
1. Open the ISA Server console and select Configuration, then General, in the navigation tree in the left pane.
2. Click Assign Administrative Roles in the middle pane.
3. Press Add to add the user or group to which you want to assign an administrative role. Press Browse to choose a user or group account from the Active Directory domain. Select the administrative role for that user at the bottom of the window.
Monitoring
Monitoring ISA Server plays a substantial role when you follow the communication, check that the firewall access and publishing rules work as intended, or troubleshoot clients that cannot reach the Web as expected.
You perform the monitoring from the Monitoring part of the ISA Server administrative console.
The Dashboard offers a comprehensive overview of all the monitoring parts available. The Dashboard panel summarizes the current status of ISA Server and gives the admin solid information about potential issues. It contains information on connectivity verifiers, ISA Server services, the current number of clients and alerts on various events.
Alerts
Alerts are configuration items that define how ISA Server behaves in particular situations. ISA Server comes with a rich set of pre-configured alerts that can be modified and extended.
There are three categories of alerts – Information, Warning and Error. Each alert definition states which event triggers it and how many occurrences within a given time slice are needed to trigger it. Besides being recorded in the ISA Server console, a triggered alert performs a pre-defined action: sending an e-mail, running a program or script, writing the event to the Event log, or even stopping the ISA Server services.
You can see the triggered alerts in the Dashboard or in the Alerts panel of the ISA Server console. You can acknowledge or reset the recorded alerts from the context menu. By acknowledging an alert you confirm that you have taken note of it, and the acknowledged alert will not be
Sessions
You can trace the clients connected to ISA Server on the Sessions panel.
Since ISA Server records the communication in a database file, this log can be searched efficiently. Click Edit Filter to create your own view of the communication and set the filter to display the required information.
Press Start Query on the Sessions panel to display, using your own filter, all Web Proxy clients of the last 24 hours in the ISA Server console.
Services
The Services panel contains a few items, each representing a single ISA Server service. From here you can check that the services are running and restart them.
Reports
The ISA Server reporting facilities produce a clear graphical evaluation of ISA Server activities and communication. ISA Server compiles a short evaluation on a daily and a monthly basis. These data are used to generate reports as HTML documents including pictures and graphs. A report may be generated on demand or automatically, for instance once a week. The reports can be stored automatically in a shared folder on the network or on an internal Web server.
A report may contain several parts:
Summary – a basic overview of the most used protocols, Web servers, cache functions and the data flow through ISA Server
Web usage – more detailed information about the clients accessing the Web
Application usage – more detailed information about the applications accessing the Web
7. On the next screen you can publish the report to a shared folder on some server. You can also define the user account under which that folder is accessed. The account needs write permission both on the file system and on the shared folder of the report destination. Restrict who can read that share: the Web usage part of a report lists which users visited which sites.
8. On the next screen you can have a notification about a new report sent to an e-mail address.
9. Finish the wizard and apply the settings on ISA Server.
You can generate a single report in a similar way, using the option Generate a New Report from the Tasks panel. The generated reports are available on ISA Server
There is also the Customize Reports part of the Tasks panel, containing several links that allow you to tailor the individual parts of the reports.
Connectivity verifiers
Connectivity verifiers test the availability of servers and services. A verifier can check that a host is on-line by ICMP (ping), check that a service is available on a host by establishing a TCP connection to it, or, for Web servers, test the server by sending an HTTP GET request and checking that Web content comes back.
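As an added illustration (not part of the handbook and not ISA Server's own code), the following Python script implements the two verifier checks that do not need raw sockets: a TCP connection to a service port and an HTTP GET that must be answered with a status below 400 within a timeout. The ICMP check is left out because it needs raw socket privileges. The small Web server at the bottom is a constructed stand-in for a published server, listening only on 127.0.0.1; the URL paths and the 503 "down" path are our assumptions.

```python
# Added example (not from the handbook and not ISA Server code): the two checks a
# connectivity verifier makes that do not need raw sockets - a TCP connection to a
# service, and an HTTP GET that must be answered with a status below 400. The local
# test server at the bottom is a constructed stand-in for a published Web server.
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def verify_tcp(host, port, timeout=3.0):
    """'Establish a connection with a service': (True, detail) if the port accepts it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:          # refused, unreachable, timed out ...
        return False, str(exc)


def verify_http(url, timeout=3.0):
    """'Send an HTTP GET request': up only if a 2xx/3xx answer arrives within the timeout."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only plain http is modelled here")
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status < 400, f"HTTP {resp.status}"
    except OSError as exc:
        return False, str(exc)
    finally:
        conn.close()


class _DemoHandler(BaseHTTPRequestHandler):
    """Answers 200 on every path except /down, which simulates a failing application."""
    def do_GET(self):
        status = 503 if self.path == "/down" else 200
        body = b"service unavailable" if status == 503 else b"ok"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    """Start the stand-in Web server on 127.0.0.1 and a free port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """A loopback port nobody listens on (bound for a moment, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    print("tcp   ", verify_tcp("127.0.0.1", port))
    print("http  ", verify_http(f"http://127.0.0.1:{port}/"))
    print("down  ", verify_http(f"http://127.0.0.1:{port}/down"))
    server.shutdown()
    print("closed", verify_tcp("127.0.0.1", unused_port()))
```

The distinction between the two checks is the point: a TCP connect succeeds as long as the listener is up, while the HTTP GET also catches an application that answers but fails (the 503 case), which is what you want a verifier for a published Web server to report.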
Logging
As on the Sessions panel, the Logging panel lets you retrieve information from the ISA Server log file. The information available here relates directly to the communication. A pre-defined default filter shows all active connections. You can trace the source and destination of the communication, the protocol used, the user name, and the rule (allowing or denying) that governed each connection.
If there is an issue to solve, such as a network resource that entitled users cannot reach, this is where you find the rule that blocks it.
The default logging filter is shown on the figure above. Apply this filter with the Start Query link to display the current connections of Firewall or Web Proxy clients.
Real-time logging (showing the current communication as it happens) can consume considerable CPU time and lower ISA Server performance. Use the live view only for debugging and troubleshooting and leave it switched off otherwise.
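As an added illustration (not part of the handbook and not ISA Server's own code), the following Python script runs the "which rule blocked this client?" question over a log file rather than over the live view, which avoids the performance cost described above. The log lines are constructed; they only approximate the W3C-style layout of the ISA firewall log (field names in a "#Fields:" header, tab-separated values), and the rule names, users and addresses are invented for the example.

```python
# Added example (not from the handbook and not ISA Server code): the "which rule
# blocked this client?" query run over a log file rather than over the live view.
# The log is constructed; it only approximates the W3C-style layout of the ISA
# firewall log (names in a "#Fields:" header, tab-separated values).
from collections import Counter

SAMPLE_LOG = """#Fields: c-ip cs-username date time cs-protocol cs-uri rule action
10.1.5.23\tSCHOOL\\jnovak\t2024-01-15\t08:02:11\thttp\thttp://www.example.com/\tInternet Blocking Tool - Classroom 1\tDenied
10.1.5.23\tSCHOOL\\jnovak\t2024-01-15\t08:02:15\thttp\thttp://mail.example.com/\tInternet Blocking Tool - Classroom 1\tDenied
10.1.6.40\tSCHOOL\\teacher\t2024-01-15\t08:03:02\thttp\thttp://www.example.com/\tAllow Web for staff\tAllowed
10.1.5.23\tSCHOOL\\jnovak\t2024-01-15\t08:10:40\thttp\thttp://intranet.school.local/\tAllow intranet\tAllowed
10.1.7.9\t-\t2024-01-15\t08:11:05\thttps\tbanking.example.net:443\tDefault rule\tDenied
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
            continue
        if raw.startswith("#"):               # other directive lines (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data record before any #Fields: header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {raw!r}")
        yield dict(zip(fields, values))


def query(records, **where):
    """The Edit Filter equivalent: keep records whose fields equal all given values."""
    return [r for r in records if all(r.get(k) == v for k, v in where.items())]


def blocking_rules_for(text, client_ip):
    """Rules that denied the given client, with how often each one did."""
    denied = query(parse_w3c(text), **{"c-ip": client_ip, "action": "Denied"})
    return Counter(r["rule"] for r in denied)


if __name__ == "__main__":
    for ip in ("10.1.5.23", "10.1.6.40", "10.1.7.9"):
        print(ip, dict(blocking_rules_for(SAMPLE_LOG, ip)))
```

The last sample line shows the case that is easy to miss when reading the live view: a client denied by the built-in Default rule has no explicit rule allowing it at all, whereas the classroom host is denied by a specific blocking rule placed above the allow rules.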
Internet Blocking Tool
The Internet Blocking Tool application was designed so that ISA Server can be controlled in a simple way by non-technical users. With it, the Web connection of defined host groups can be quickly disabled or enabled. Authorized staff (teachers, for instance) can thus control a classroom's Web access with a simple application.
Installation
The Internet Blocking Tool (IBT) application is meant for quickly disabling and enabling the Web during lessons. It is typically installed on workstations such as the lecturer's hosts in classrooms. The application uses components of the ISA Server management console, so the ISA Server management console must be installed on these workstations.
The .NET Framework 2.0 component must also be installed on the workstation. If it is missing, you can download it from the Microsoft site or install it automatically through Windows Update.
Installation procedure:
1. Log in to the workstation with an administrator account.
2. Verify that the ISA Server management console is available on the workstation: look for it under Start, Programs, Microsoft ISA Server. If it is missing, add it from the ISA Server installation media.
3. Install the .NET Framework 2.0 if it is not present. The Internet Blocking Tool setup program checks for this component and, if it is missing, shows you the Web address to download it from.
4. Run Setup.exe from the directory containing the application's installation files.
5. Click Next on the installation wizard welcome page.
6. On the next screen you can select the target folder and choose whether the application is installed for the current user only or for every user of the host. Install it for all users to place the shortcuts in every user's Start menu.
If users other than administrators (teachers, for instance) are to be allowed to block Web access, you must assign them an ISA Server administrative role. Because blocking changes the ISA Server configuration, the role they need is ISA Server Full Administrator; no lesser role can modify rules.
1. Log in to ISA Server and run the management console.
2. Select Configuration, then General, in the navigation pane.
3. Click Assign Administrative Roles in the middle pane.
Alternatively, you can create a dedicated (service) user account for ISA Server management, assign it the ISA Server Full Administrator role and configure the InetBlocker application to use that account's name and password for managing ISA Server remotely. Teachers and other users who only need to enable or disable the Internet for specified groups of computers then need not be ISA Server Full Administrators themselves, and the only way they can manage ISA Server is through the simple InetBlocker application, which uses the preset credentials of the service account to change the ISA Server configuration. Bear in mind what this account is: it has full control over the firewall, and its password is configured in the application on each teacher's workstation, where a user of that workstation may be able to recover it. Restrict local access to those workstations, give the account a long password that is used nowhere else, and do not use it for any other purpose.
InetBlockerAdmin
After installing the Internet Blocking Tool, run InetBlockerAdmin from the Start menu under an administrator account and enter the IP address of the managed ISA Server.
1. Log in to the workstation as an administrator.
2. Run InetBlockerAdmin from the Start menu.
3. Click Settings to specify the ISA Server IP address.
Once the ISA Server IP address is set, you can press Read Rules to download the Internet blocking rules for the specified hosts from ISA Server. These rules are special access rules that the application creates on ISA Server. When the application is used for the first time there are no such rules yet, so nothing is displayed.
Setting up a Group
With the InetBlockerAdmin application you create the groups of hosts whose Web access will be controlled by the application.
1. Press Add Group to create a group and give it a name.
2. Select the created group in the list and click Edit Group. A window opens in which you add hosts to that group.
3. Press Add to add hosts to the group. You can define them by IP address or by IP address range. Press Computer from domain to display the list of hosts included in the domain within the last two weeks and select the hosts to be added to the group.
4. Press OK to finish the modification.
5. Once you have finished creating and modifying the groups, apply these settings by pressing Save Rules on ISA Server.
As a result, the defined groups are created in the ISA Server Toolbox and a firewall access rule blocking all Web communication from the defined host groups is placed in the first position (highest precedence) of the firewall policy. Keep it there: because the policy is evaluated from the first rule, an allow rule moved above it would take precedence and the block would no longer have any effect.
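As an added illustration (not part of the handbook and not the InetBlocker code), the following Python model shows what InetBlockerAdmin leaves behind on ISA Server and why its position matters: host groups made of addresses and address ranges, a deny rule for the group placed first in the policy, the Yes/No switch that InetBlocker later flips, and a check that reports when an earlier rule shadows the blocking rule. The group, rule and address values are constructed, and the policy is simplified to source hosts only (no protocols, destinations or schedules).

```python
# Added example (not from the handbook and not the InetBlocker code): a model of
# what InetBlockerAdmin leaves on ISA Server - host groups (addresses and ranges)
# and a deny rule that has to sit first in the policy - plus a check that no
# earlier rule shadows that deny rule. Group, rule and address values are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, summarize_address_range
from typing import List


@dataclass
class HostGroup:
    """A computer set: single addresses ("10.1.5.23") and ranges ("10.1.5.1-10.1.5.50")."""
    name: str
    entries: List[str] = field(default_factory=list)

    def networks(self):
        nets = []
        for entry in self.entries:
            lo, _, hi = entry.partition("-")
            first, last = ip_address(lo.strip()), ip_address((hi or lo).strip())
            nets.extend(summarize_address_range(first, last))
        return nets

    def contains(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.networks())


@dataclass
class AccessRule:
    name: str
    action: str               # "Allow" or "Deny"
    sources: List[HostGroup]
    enabled: bool = True


ANYWHERE = HostGroup("Anywhere", ["0.0.0.0-255.255.255.255"])


def evaluate(policy, src_ip):
    """First-match evaluation: the first enabled rule whose source contains the client decides."""
    for rule in policy:
        if rule.enabled and any(group.contains(src_ip) for group in rule.sources):
            return rule.name, rule.action
    return "Default rule", "Deny"        # ISA's built-in last rule denies everything


def shadowing_rule(policy, rule_name):
    """The earlier enabled rule that already matches every host of `rule_name`, or None."""
    index = next(i for i, rule in enumerate(policy) if rule.name == rule_name)
    target_nets = [n for g in policy[index].sources for n in g.networks()]
    for earlier in policy[:index]:
        if not earlier.enabled:
            continue
        earlier_nets = [n for g in earlier.sources for n in g.networks()]
        if all(any(t.subnet_of(e) for e in earlier_nets) for t in target_nets):
            return earlier
    return None


def set_blocked(policy, group_name, blocked):
    """What InetBlocker's Yes/No does: switch the group's deny rule on or off."""
    for rule in policy:
        if rule.action == "Deny" and any(g.name == group_name for g in rule.sources):
            rule.enabled = blocked
            return rule
    raise KeyError(group_name)


# Constructed policy: the blocking rule created by InetBlockerAdmin in first
# position, followed by the school's ordinary "allow Web" rule.
CLASSROOM_1 = HostGroup("Classroom 1", ["10.1.5.1-10.1.5.50", "10.1.5.200"])
BLOCK_CLASSROOM_1 = AccessRule("Internet Blocking Tool - Classroom 1", "Deny", [CLASSROOM_1])
ALLOW_WEB = AccessRule("Allow Web for internal clients", "Allow", [ANYWHERE])
POLICY = [BLOCK_CLASSROOM_1, ALLOW_WEB]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.1.5.23"), evaluate(POLICY, "10.1.6.40"))
    wrong_order = [ALLOW_WEB, BLOCK_CLASSROOM_1]
    print("shadowed by:", shadowing_rule(wrong_order, BLOCK_CLASSROOM_1.name).name)
```

The shadowing check is the one worth keeping after a policy change: if an administrator later drags a broad allow rule above the blocking rule, the teachers' Yes/No switch silently stops working, and the log would show the allow rule, not the block, for every classroom host.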
InetBlocker
The second application, InetBlocker, is a simplified version of InetBlockerAdmin that works with the host groups and settings already defined. It allows neither changing the managed ISA Server IP address nor creating or modifying the host groups; it can only allow or block Web access for the specified host groups. It is therefore easy to use for users (teachers) who are unfamiliar with networking but need to control the Web access of a specified host group (a classroom). The application manages ISA Server either under the logged-in user's account or under the service account defined in InetBlockerAdmin.
After you press Read Rules, the application downloads the settings of the specified groups from ISA Server. Then select Yes or No for the chosen group of computers to block or unblock the Internet and press Save Rules to apply these settings on ISA Server.
The application logs in to ISA Server either as the currently logged-in user or as the user account defined in the InetBlockerAdmin settings. If that user has no appropriate ISA Server management role, it will be able neither to download the current configuration nor to save the modified configuration on ISA Server.
Downloading InetBlocker
You can download the InetBlocker application from the following sites:
http://www.codeplex.com/inetblocker
http://www.modernivyuka.cz/spravce (the site Moderní Správce)
Summary
The InetBlocker and InetBlockerAdmin applications offer a simplified interface for fast ISA Server configuration. For them to work properly you must ensure that:
The workstations running these tools also have the ISA Server management console installed.
The workstations are members of the Remote Management Computers computer set in the ISA Server console Toolbox.
The users running these tools have been assigned an ISA Server administrative role, or the tools run under a user account that is allowed to change the ISA Server configuration.
References
www.microsoft.com/isaserver – Microsoft ISA Server home page
http://www.microsoft.com/technet/isa – ISA Server TechCenter
http://www.microsoft.com/technet/isa/2006/Upgrade_Guide_SE.mspx – how to upgrade ISA Server
http://www.microsoft.com/technet/isa/2006/clients.mspx – detailed information about the ISA Server client types
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx – typical HTTP application filter settings for blocking well-known services
http://www.isaserver.org – independent site about ISA Server products
FAQ
Where can I get an application for simple Web blocking – the Web Blocking Tool?
You can download it from:
http://www.codeplex.com/inetblocker
or from the site Moderní Správce:
http://www.modernivyuka.cz/spravce