
Microsoft ISA Server 2006

ISA Server 2006: A School Guide

Introduction
Since most networks are nowadays connected to the Internet, securing that connection is an essential task for every network administrator. Two aspects of security matter most. First, the network has to be protected against external intruders who could cause damage by destroying or stealing both public and internal information. Second, internal users need prompt and reliable access to the services they are allowed to use, while being prevented from abusing network resources for activities that are outside their job description or even against the law. Computers, other hardware devices and software tools that protect networks in this way are called firewalls. Firewalls fall into two basic categories, hardware and software. Hardware firewalls are specialised devices, usually running a proprietary system. They are inserted between the Internet connection and the internal network, so that all Internet traffic passes through them. The traffic is therefore under the full control of the firewall, which can terminate a connection when it suspects an attack or detects a violation of the communication rules. Configuring a hardware firewall is a complex task that requires a thorough understanding of the subject and some practical experience. The second category is software firewalls. These are ordinary PCs fitted with extra network adapters. A software firewall sits in the same position in the network as a hardware one: one adapter connects it to the internal network and the second to the Internet (through the network of the Internet Service Provider, ISP). The PC needs an operating system with a networking component that forwards traffic between the Internet and the internal network; this traffic can then be monitored, logged, analysed and filtered by special applications that block any unwanted data exchange.
Microsoft ISA Server 2006 is one such software firewall. It is administered through a graphical console and is simple to operate. The initial configuration is usually done with predefined templates, and many how-to guides explain how to add further services and rules. Its support for networks built on Microsoft Windows Server systems is a major advantage: the integrated Active Directory support lets you base communication rules on existing user accounts and other directory objects, and the built-in VPN support provides a secure connection between the internal network and a remote Internet user. This handbook is intended mainly for network administrators of elementary and secondary schools with little or no experience of firewall administration. It explains the basic principles and functions of a firewall and shows how to install, configure and administer Microsoft ISA Server in order to raise the security of the school network, protect it against abuse by students and reduce the cost of keeping the network secure.

ISP = Internet Service Provider

Microsoft ISA Server 2006 A School Guide


Microsoft ISA Server 2006


Microsoft ISA Server 2006 is software for building a secure Internet gateway on a machine running Microsoft Windows Server 2003. First, ISA Server protects the internal network against unwanted traffic and targeted attacks, and it controls the access of internal users to the Internet. Different user groups can be allowed or denied particular Internet services or particular servers (web access, e-mail). Second, ISA Server can publish selected internal services to Internet users. If a school or company runs its own web server or mail server, those services can be used to present the organisation, for internal mail, for communicating with Internet users and for hosting user mailboxes. Third, ISA Server provides a web cache. It can be configured to keep the content of web pages requested from the internal network in its memory for a period of time; any user who requests a cached page during that period is served immediately. This saves bandwidth on the Internet link and reduces response times for users. Last but not least, ISA Server is easily set up as an integrated VPN gateway for secure remote connections into the internal network. These connections can be encrypted, and access is controlled through the user accounts and groups in Active Directory. A remote user can then reach private data on the server, such as files for training courses. A VPN gateway can also join whole networks transparently (schools, branch offices and so on), but that goes beyond the scope of this handbook, which covers ordinary school networks.

Figure 1: Where to place the ISA Server

Microsoft ISA Server 2006 comes in two editions. The Standard edition is designed for users who protect their network with a single firewall. The Enterprise edition is designed for large companies that administer several groups, or arrays, of firewalls. Each array can be located in a different part of the network (a complex infrastructure with a high level of security), and an array may consist of several firewalls with identical configuration so that the network load is spread across several machines. This handbook covers only the Standard edition, which is intended for small networks.

ISA Server as Firewall


A firewall is a device placed between several network segments that acts as the gateway for communication between them. This handbook discusses the two-network case shown in Figure 1. The firewall is configured with communication rules so that only permitted traffic passes between the two segments. ISA Server 2006 plays the role of that firewall. Immediately after installation no communication is allowed between the networks at all: with the firewall placed as in Figure 1, no internal user would have Internet access, while communication inside the internal network is not affected by the firewall. ISA Server filters traffic in three ways: packet filtering, stateful filtering and application-layer filtering.

Packet filtering works on the information in the packet headers. When a packet arrives on a network interface, ISA Server reads the IP addresses and port numbers of sender and receiver and compares them with the defined rules. If a rule permits the communication, the packet is forwarded to its destination; if no rule matches, the packet is dropped.

Stateful filtering enforces a more complex restriction on network communication. ISA Server checks that a TCP connection progresses correctly through its states (connection establishment, data transfer, connection teardown). The different TCP packet types correspond to the different phases (states) of the connection, so ISA Server verifies that connections are opened and closed properly and drops packets that do not fit the expected sequence, since such packets may indicate an attack.

Application-layer filtering inspects and filters traffic according to the application protocol. Most application-level attacks cannot be prevented by packet or stateful filtering, because the packet headers look perfectly valid. An application filter examines the packet body against the rules of a particular protocol (for instance HTTP, POP3 or SMTP). A deliberately malformed HTTP message, for example, can be used to compromise or disrupt a web server. The HTTP application filter can also detect and block web traffic that contains defined keywords, or that transfers forbidden file types (files with disallowed extensions).
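To make the application-layer filtering described above concrete, here is an added example (not ISA Server code, and not from the handbook's authors): a small HTTP filter that rejects a malformed request line, blocks requests for forbidden file extensions or containing forbidden keywords, and blocks responses that carry a Windows executable even when the file was renamed to an innocent extension, which is the case an extension check alone misses. The policy sets, host names and sample messages are constructed for the example.

```python
"""Toy HTTP application-layer filter in the spirit of the ISA Server HTTP filter.

Added example for this handbook, not ISA Server code. The policy sets and the
sample messages below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat"}   # assumed school policy
BLOCKED_KEYWORDS = {"warez", "crack"}           # assumed school policy
ALLOWED_METHODS = {"GET", "HEAD", "POST"}       # assumed school policy
PE_MAGIC = b"MZ"  # every Windows executable (DOS/PE) starts with this signature


@dataclass
class Verdict:
    allowed: bool
    reason: str


def split_message(raw: bytes):
    """Split a raw HTTP request or response into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extension_of(path: str) -> str:
    """Return the lower-cased extension of the last path segment, or ''."""
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def contains_keyword(text: str):
    """Return the first blocked keyword found in text, or None."""
    text = text.lower()
    return next((kw for kw in sorted(BLOCKED_KEYWORDS) if kw in text), None)


def inspect_request(raw: bytes) -> Verdict:
    """Check a client request before it is forwarded to the web server."""
    start, _, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Verdict(False, "malformed request line")   # protocol violation
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")
    ext = extension_of(urlsplit(target).path)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}")
    kw = contains_keyword(target + body.decode("latin-1"))
    if kw:
        return Verdict(False, f"blocked keyword {kw!r}")
    return Verdict(True, "ok")


def inspect_response(raw: bytes) -> Verdict:
    """Check a server response before it is returned to the client."""
    start, _, body = split_message(raw)
    if not start.startswith("HTTP/"):
        return Verdict(False, "malformed status line")
    # Signature check: a renamed .exe (served here as image/jpeg) is still caught.
    if body[:2] == PE_MAGIC:
        return Verdict(False, "executable content (MZ signature)")
    kw = contains_keyword(body.decode("latin-1"))
    if kw:
        return Verdict(False, f"blocked keyword {kw!r}")
    return Verdict(True, "ok")


# Constructed sample traffic (not captured from a real network).
REQ_OK = b"GET /lessons/math.pdf HTTP/1.1\r\nHost: www.school.example\r\n\r\n"
REQ_EXE = b"GET /files/game.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n"
REQ_KW = b"GET /search?q=warez HTTP/1.1\r\nHost: www.example\r\n\r\n"
REQ_BAD = b"NOT HTTP AT ALL\r\n\r\n"
RESP_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>lesson</html>"
RESP_RENAMED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                b"MZ\x90\x00\x03\x00\x00\x00")  # an .exe renamed to .jpg

if __name__ == "__main__":
    for raw in (REQ_OK, REQ_EXE, REQ_KW, REQ_BAD):
        print("request ", inspect_request(raw))
    for raw in (RESP_OK, RESP_RENAMED):
        print("response", inspect_response(raw))
```

The request side is checked before anything is forwarded, the response side before anything reaches the client; only the latter can catch the renamed executable, because the extension in the URL says nothing about the bytes the server actually sends.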

ISA Server and Secure Web Access


ISA Server can be used to secure the communication between internal network users and the Internet. For this purpose, all traffic between the clients and the Internet has to pass through the ISA Server, which then acts as a proxy between the internal client and the web server. Suppose that all client requests are sent to the ISA Server. It forwards them to the Internet, accepts the corresponding replies and passes them back to the internal clients. No direct connection between the internal client and the web server is needed, and the configuration of the client and of the internal network is invisible from the Internet. Furthermore, ISA Server can filter and block requests and replies according to user names, IP addresses, connection state, content or time schedule. Selected services (web, mail) on selected Internet servers can also be assigned to particular users according to rules defined by the administrator.

ISA Server can also work as a caching server. A cache is a temporary store for frequently used objects and URLs retrieved from web servers, and returning content from the cache rather than fetching it again from the Internet improves performance. For instance, when you need data from a web server, your request goes to the ISA Server. If the requested page is not in the server's cache, the ISA Server contacts the web server and sends the reply both to the requesting user and into the cache (which may physically be the computer's memory or space on a hard disk). Further requests for the same page are served from the ISA Server cache until the cached copy expires. This saves bandwidth on the Internet link and reduces response times for users.

Publishing the Web Services by the ISA Server


Internal network resources often have to be made available to anonymous or known users on the Internet. The most common example is the organisation's presentation on an internal web server; many organisations also need at least e-mail communication with remote domains. ISA Server has special firewall rules, called publishing rules, for this purpose. One of them is the web publishing rule. The ISA Server then listens for HTTP requests from Internet clients on its external interface, forwards those that comply with the rule to the internal web server, and returns the web server's response to the Internet client. A single web publishing rule forwards requests to a single internal web server, but the rules can also hide the structure of the internal web servers so that several servers appear to Internet users as one site on one server; conversely, sites from several servers can be published on a single external IP address using the standard web port 80. The HTTP application filter is applied to the published traffic as well, and the connection between the Internet client and the ISA Server, between the ISA Server and the internal web server, or both, can be encrypted with HTTPS. If you publish, for instance, an internal web server running a company information system that should be available only to your own users, you can configure ISA Server to ask the user for a name and password first. The identity of the user is usually checked against Active Directory, and the credentials can be delegated to the destination server so that the user does not have to log in again to the information system. ISA Server also offers many wizards for publishing common services.
For instance, the mail publishing wizard can make the Microsoft Exchange OWA (Outlook Web Access) web interface available from the Internet by creating a rule that publishes OWA. Other wizards create simple firewall rules that let the mail server accept messages from the Internet, or let mailbox owners reach their mailboxes from home with mail clients using protocols such as IMAP and POP3. Non-web services are published with server publishing rules, which are simpler than the complex web publishing rules: they support neither authentication nor publishing several servers on one port. As an example, to publish the Remote Desktop Protocol (RDP) of an internal server for remote administration, port 3389 is opened on the external interface of the ISA Server. When an Internet client connects to the ISA Server on that port, the connection is forwarded to the published internal server. If you want to publish another server or host using the same RDP protocol, you have to do it on a non-standard port of the ISA Server. Server publishing rules also do not support authentication or access control based on user names; authentication is left to the application protocol. With RDP the user enters a name and password on the logon screen after the client has connected to the remote desktop, that is, after ISA Server has allowed the communication and the connection to the destination service has been established.

ISA Server as VPN Gateway


Publishing internal resources on the Internet is sometimes not enough; some companies want to make all network resources available to authorised users. A VPN is a secure network connection between an Internet client and the internal network, carried over the public Internet. Even if a packet of the VPN connection were captured, it would remain unreadable to an unauthorised person. This is the client-to-server (remote access) type of connection. Second, a VPN gateway can connect several networks, such as two separate offices of a company. Such a connection can be established on demand, when one office needs to communicate with the other, or it can be permanently active. The VPN tunnel between the two networks is likewise encrypted and authenticated. This is the server-to-server (site-to-site) type of connection. ISA Server supports both VPN alternatives, remote client connections and the connection of several networks (company offices). The rules governing the communication of remote VPN clients are usually less restrictive than the rules for Internet communication; there may even be no restriction at all between a VPN client and the internal network.

ISA Server History


Microsoft Proxy Server
The first member of the ISA Server product line was Microsoft Proxy Server, released in 1996. It was a server that made the Internet available to internal network clients. It worked as a cache server and, through its Winsock proxy, gave Internet access not only to web browsers but also to other applications.



In 1997, the enhanced Microsoft Proxy Server 2.0 was released. It supported server arrays, so that requests from internal clients could be spread across the servers in an array. Availability was improved as well: if one server failed, the others could process the requests. The cache was also improved, since different web pages were stored on each server and the cache was distributed across all servers as a single logical cache. Besides HTTP, the FTP protocol was supported, and reverse caching was introduced to cache the responses of internal web servers to requests from remote clients.

Microsoft ISA Server 2000


The next version of the product received a new name. Many new or improved features of ISA Server 2000 went far beyond the ordinary definition of a proxy server: a full firewall was added to the former proxy and cache functions of the ISA (Internet Security and Acceleration) Server 2000. Besides filtering at the network, transport and application layers of the ISO/OSI model (packet, stateful and application filters), ISA Server 2000 brought many new features, including:

AD integration: ISA Server can work with the Active Directory database, so firewall rules can be defined in terms of Active Directory users and groups.

VPN integration: ISA Server can serve as a server for remote VPN clients or as a VPN gateway to another remote network (office).

Attack detection: this function watches communication attempts and reports possible attacks, such as port scans of the ISA Server from the Internet.

SecureNAT client support: hosts without the Firewall Client installed can still use the ISA Server services.

Monitoring and reporting: ISA Server can track its performance and generate reports on its use.

E-mail screening: monitoring and filtering of the communication between the Internet and the internal mail server. This feature was dropped in later versions; ISA Server 2006 no longer supports it.

Microsoft ISA Server 2004


ISA Server 2004 brought a new, clearer user interface and several important improvements over ISA Server 2000:

Multiple networks: the ISA Server administrator can define several networks, made up of hosts in several LANs, and the rules for permitted communication are then set between those networks.

Route and NAT network relationships: Network Address Translation (NAT) allows communication initiated from one network towards another and hides the identity of the initiating network behind the ISA Server. Routing is ordinary packet forwarding (as on a router): communication can be initiated from either network and is transparent, so the identity of the network is not hidden. Unlike in ISA Server 2000, routed communication is under the full control of the ISA Server and is filtered as well.

VPN Clients network: clients connected to the ISA Server through a VPN tunnel are not part of the internal network; they belong to a separate VPN Clients network. Their communication with the internal network is network-to-network communication, fully controlled and filtered by ISA Server.

VPN quarantine: protects the internal network against dangerous VPN clients, which may be any host anywhere in the world. A connecting client is first placed in quarantine and verified; the verification can check, for instance, the installed antivirus and its version or the presence of a personal firewall (part of Windows XP SP2 or a third-party product). Clients that fail the check get only limited access to the internal network.

Rule-based HTTP filtering: the HTTP filter is no longer configured only globally for the whole ISA Server but can also be configured per rule, so different filters can apply to different users or different destination web servers.

Blocking of executables by the HTTP filter: the HTTP filter can be set to block the transfer of executable files over HTTP regardless of the file extension.

Connectivity verification: ISA Server can verify that hosts and services such as Active Directory, DNS or a web server are reachable and notify the administrator, by e-mail for instance, when a problem appears.

Report publishing: automatically generated ISA Server reports can be stored in a shared folder on a server.

Logging to an MSDE database: this is the default log format. Log entries are displayed simply by assembling a database query in the ISA Server console.

Administrative roles: selected users can be assigned one of the ISA Server 2004 administrator roles. In this way users can be given access to monitoring the ISA Server without being able to change its configuration.

OWA forms-based authentication: a secure way of collecting the user's logon credentials on a form presented by the ISA Server and verifying them against Active Directory before the user is admitted to the Exchange mail server interface from the public Internet.

Import and export of settings: any part of the ISA Server configuration, or the whole of it, can be stored to or loaded from an XML file. This lets you back up a configuration or transfer it to another server.

Microsoft ISA Server 2006


ISA Server 2006 is at present the most recent member of the Microsoft ISA Server product line. New functions and improvements compared with the 2004 version include:

Web farm load balancing: ISA Server 2006 can publish a web server farm (several servers with the same content) and spread the web requests of clients evenly among the internal web servers.

Forms-based authentication for any web server: secure forms-based authentication is no longer limited to the OWA (Outlook Web Access) service but can be used for authenticating access to any published web server. A password change option was added to this type of authentication, and ISA Server gained further ways of delegating the authenticated identity to the published server.

Improved publishing wizards: the wizards can publish newer types of services, such as Exchange 2007 or SharePoint.

Single sign-on: users can move between several published web servers that require authentication without authenticating separately on each server.

Improved flood mitigation: better protection of the ISA Server against overload by a large number of bogus connections.

LDAP authentication: ISA Server can verify user accounts in Active Directory even when it is not a member of the domain.

ISA Server Base Concepts


ISA Server divides all hosts into several networks. The internal network is defined as the range of IP addresses used by the internal hosts. It will usually use one of the IP address ranges reserved for private use:

Class   First address   Last address      Default netmask   CIDR shortcut
A       10.0.0.0        10.255.255.255    255.0.0.0         IP_address/8
B       172.16.0.0      172.31.255.255    255.255.0.0       IP_address/16
C       192.168.0.0     192.168.255.255   255.255.255.0     IP_address/24

Table 1: Private IP address ranges



Figure 2: Default ISA Server networks

ISA Server contains several predefined networks; their meaning is summarised in Table 2.

Localhost: represents the ISA Server itself.

Internal network: contains the hosts with the addresses defined by the administrator during the ISA Server installation. It is the trusted network that ISA Server protects against attacks from the Internet. The ISA Server is connected to it through a single network interface with an address from the private range.

External network: is not defined by any address range; it contains everything that is not defined elsewhere. A single ISA Server interface connects to the external network (the Internet, or the ISP network). The IP address of the external ISA Server interface is usually set as agreed with the ISP.

VPN clients network: contains all hosts connected to the ISA Server through a VPN connection. Its address range must not overlap with the internal network or any other network created by the administrator.

VPN quarantined clients: contains VPN clients that have not yet passed the quarantine check, where one is required.

Table 2: Default ISA Server networks

Network Rules
Communication within a single network, for instance the internal one, proceeds on its own, independently of the ISA Server. Communication between two networks, on the other hand, passes through the ISA Server, and there has to be a network rule that governs the communication between those two networks through the ISA Server. Examples are communication from the internal network to the external network (access to a web server on the Internet) and communication from the internal network to the Localhost network (for instance remote administration of the ISA Server from the administrator's workstation).

The NAT Network Rule
The first type of network rule is the NAT rule. It is a one-way rule, which means that communication can be initiated only from one network towards the other. The ISA Server performs network address translation (NAT), which hides the identity of the network from which the communication was initiated. Figure 3 shows the course of such communication for a NAT rule from the internal network to the external network. An internal host sends a request to a web server, say. As the ISA Server is the Internet gateway, the request goes from the host to the ISA Server. Because the ISA Server performs NAT, it replaces the sender address in the IP packet with the IP address of its external adapter, which is reachable from the Internet, and sends the request on to the web server. The web server assembles a response and sends it back to the sender; since it received the request from the ISA Server, the response is addressed to the ISA Server. When the ISA Server receives the response, the firewall service looks up its record of the original initiator of the communication. In Figure 3 this is the host Pc1, to which the ISA Server delivers the response, and the received page is then displayed by the web browser on Pc1.

Figure 3: NAT communication

This type of rule is mostly used between the internal network and the Internet, partly to protect the identity of the internal network and partly because NAT is what makes the Internet available to clients with the private IP addresses used inside the company network. Private addresses cannot be used on the Internet, because no server would be able to deliver a response to a non-public address.
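The following added example (not ISA Server code, and not from the handbook's authors) simulates the NAT network rule just described: the sender address of an outbound packet is replaced by the external adapter's address, a state table remembers who initiated the connection, and a reply is mapped back to Pc1 only if matching state exists. It also shows why the rule is one-way: a packet from outside that no internal host asked for finds no state and is dropped. The internal range 192.168.1.0/24, the external address 203.0.113.10 and the web server 198.51.100.5 are constructed for the example.

```python
"""Simulation of the one-way NAT network rule from Figure 3: outbound address
translation, the state table that remembers the original initiator, and the
reverse translation of the reply.

Added example for this handbook, not ISA Server code. The addresses below are
constructed (192.168.1.0/24 as the internal network, 203.0.113.10 as the
external interface, 198.51.100.5 as a web server on the Internet).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, internal_net: str, external_ip: str, first_port: int = 40000):
        self.internal = ipaddress.ip_network(internal_net)
        self.external_ip = external_ip
        self.next_port = first_port
        # Translation table: (proto, external port) -> original 5-tuple.
        # This is the record the firewall service consults when a reply arrives.
        self.table = {}
        self.by_flow = {}   # original 5-tuple -> external port already assigned

    def outbound(self, pkt: Packet):
        """Translate a packet leaving the internal network; None means dropped."""
        if ipaddress.ip_address(pkt.src) not in self.internal:
            return None   # NAT rule is one-way: only internal hosts may initiate
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                       # first packet of this connection
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.table[(pkt.proto, port)] = flow
        # The sender field is replaced by the external adapter address.
        return Packet(self.external_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Map a packet arriving on the external interface back to the initiator."""
        if pkt.dst != self.external_ip:
            return None
        flow = self.table.get((pkt.proto, pkt.dport))
        if flow is None:
            return None   # no state for this port: unsolicited packet, dropped
        _, orig_src, orig_sport, peer, peer_port = flow
        if (pkt.src, pkt.sport) != (peer, peer_port):
            return None   # state exists, but this is not the peer the host talked to
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport, pkt.proto)


def demo():
    """Walk one request/response pair through the gateway as in Figure 3."""
    gw = NatGateway("192.168.1.0/24", "203.0.113.10")
    pc1_request = Packet("192.168.1.20", 51000, "198.51.100.5", 80)
    on_the_wire = gw.outbound(pc1_request)                  # what the web server sees
    reply = Packet("198.51.100.5", 80, gw.external_ip, on_the_wire.sport)
    delivered = gw.inbound(reply)                           # what Pc1 receives
    return on_the_wire, delivered


if __name__ == "__main__":
    wire, back = demo()
    print("web server sees request from", wire.src, wire.sport)
    print("reply delivered to", back.dst, back.dport)
```

A real NAT implementation also ages entries out of the table and tracks the TCP handshake, which is where the stateful filtering of the previous chapter comes in; the essential point shown here is that the reply can only find its way back to Pc1 because the gateway kept a record of the outbound connection.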



The Route Network Rule
The second type of network rule is the Route rule. It allows communication between networks that can be initiated from either side. Since addresses are not translated, the sender field stays unchanged along the whole path to the destination. For the communication shown in Figure 4, the internal sender Pc1 would therefore need a public IP address that is unique across the whole Internet. Because of the worldwide shortage of IP addresses, companies are mostly assigned an address space too small to cover their whole internal network. This is why NAT is used so widely, and it also drove the design of the new version of the IP protocol, IPv6.

Figure 4: Route communication

Routing between the internal network and the Internet is therefore not a typical use of the Route rule. It is mostly used between different segments of the company network. A classic example is the communication between the internal network and the VPN Clients network; these two networks usually have a Route rule between them. Routing can also be used between private networks that have no public IP addresses.

Beyond the Network Rules
The existence of a network rule between two networks is not enough for hosts to start communicating; it is only one of the necessary conditions. The network rule states what kind of communication is used, routing or NAT. In the case of NAT the communication can be started in one direction only, and the ISA Server has to keep a record of the host to which the responses must be returned. Firewall access rules still have to be defined to permit the communication.

Firewall Rules
Firewall rules grant permission for communication between hosts in different networks. When ISA Server receives a packet on one of its interfaces, it opens the packet and retrieves the necessary information: sender, receiver, protocol and so on. This information is then compared with the firewall rules in their configured order, and the first rule that matches the communication is applied to allow or deny it. A rule looks like this:

1. Action: allow or deny the communication
2. Protocol: the application protocol of the communication (HTTP, DNS, POP3, RDP and so on)
3. Sender: a network, an IP address or any other item identifying the sender
4. Receiver: a network, an IP address or any other item identifying the receiver
5. Schedule: specifies whether the rule applies at the given time
6. User: the user or user group the rule applies to

If a rule is found whose items 2 to 6 match the communication, the action in item 1 is applied and the communication is allowed or denied. If no rule matches, the communication is denied automatically.
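The following added example (not ISA Server code, and not from the handbook's authors) implements the first-match evaluation just described for a fictitious school: rules carry the six items above, are checked in order, and an implicit final rule denies everything else. It also shows why order matters: an earlier deny rule for RDP wins over a later "allow everything" rule for administrators, and a student's web access is allowed only during the scheduled lesson hours. The networks, protocol definitions, groups, rules and timestamps are constructed for the example; group membership stands in for the Active Directory lookup ISA Server would perform.

```python
"""First-match evaluation of firewall access rules with the six items listed above
(action, protocol, sender, receiver, schedule, user) and the implicit final deny.

Added example for this handbook, not ISA Server code. The networks, protocol
definitions, groups, rules and timestamps are constructed for a fictitious school.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ipaddress

# Network objects: a name maps to the address ranges that belong to it.
NETWORKS = {
    "Internal": [ipaddress.ip_network("192.168.1.0/24")],
    "VPN Clients": [ipaddress.ip_network("10.10.0.0/24")],
    "Local Host": [ipaddress.ip_network("192.168.1.1/32"),
                   ipaddress.ip_network("203.0.113.10/32")],
}

# Protocol definitions: name -> (transport, port).
PROTOCOLS = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
             "DNS": ("udp", 53), "RDP": ("tcp", 3389)}

# Group membership, standing in for the Active Directory groups ISA would query.
GROUPS = {"teachers": {"alice"}, "students": {"bob"}, "admins": {"carol"}}

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday in datetime.weekday() numbering


@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    protocols: Optional[set]            # None = any protocol
    sources: set                        # network names
    destinations: set                   # network names
    users: Optional[set] = None         # group names; None = all users
    schedule: Optional[tuple] = None    # (weekdays, from_hour, to_hour); None = always


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    transport: str
    port: int
    user: Optional[str]                 # None = anonymous / unauthenticated
    when: datetime


def network_of(ip: str) -> str:
    """Local Host is checked first because its addresses also fall inside Internal."""
    addr = ipaddress.ip_address(ip)
    for name in ("Local Host", "Internal", "VPN Clients"):
        if any(addr in net for net in NETWORKS[name]):
            return name
    return "External"   # everything not defined elsewhere


def protocol_of(transport: str, port: int) -> Optional[str]:
    return next((n for n, tp in PROTOCOLS.items() if tp == (transport, port)), None)


def user_in_groups(user: Optional[str], groups: set) -> bool:
    return user is not None and any(user in GROUPS.get(g, set()) for g in groups)


def matches(rule: Rule, req: Request) -> bool:
    """Items 2..6 of the rule must all match; item 1 (action) is then applied."""
    if rule.protocols is not None and protocol_of(req.transport, req.port) not in rule.protocols:
        return False
    if network_of(req.src_ip) not in rule.sources:
        return False
    if network_of(req.dst_ip) not in rule.destinations:
        return False
    if rule.users is not None and not user_in_groups(req.user, rule.users):
        return False
    if rule.schedule is not None:
        days, start, end = rule.schedule
        if req.when.weekday() not in days or not (start <= req.when.hour < end):
            return False
    return True


def evaluate(rules: list[Rule], req: Request) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default deny."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed rule set. Order matters: the RDP deny comes before the admin allow.
RULES = [
    Rule("Block RDP to Internet", "deny", {"RDP"}, {"Internal"}, {"External"}),
    Rule("DNS for everyone", "allow", {"DNS"}, {"Internal"}, {"External"}),
    Rule("Teachers web", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"},
         users={"teachers"}),
    Rule("Students web in lessons", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"},
         users={"students"}, schedule=(WEEKDAYS, 8, 16)),
    Rule("Admins full access", "allow", None, {"Internal"}, {"External"},
         users={"admins"}),
]

WEB = ("198.51.100.5", "tcp", 80)          # a web server on the Internet (constructed)
LESSON_TIME = datetime(2024, 3, 13, 10, 0)  # a Wednesday morning
EVENING = datetime(2024, 3, 13, 20, 0)      # the same Wednesday, after hours
SUNDAY = datetime(2024, 3, 17, 22, 0)


def check(user, when, dst=WEB, src_ip="192.168.1.20"):
    """Evaluate one request from an internal workstation against RULES."""
    dst_ip, transport, port = dst
    return evaluate(RULES, Request(src_ip, dst_ip, transport, port, user, when))


if __name__ == "__main__":
    print("bob, lesson  ", check("bob", LESSON_TIME))
    print("bob, evening ", check("bob", EVENING))
    print("carol, RDP   ", check("carol", EVENING, dst=("198.51.100.7", "tcp", 3389)))
```

Because evaluation stops at the first match, moving "Admins full access" above "Block RDP to Internet" would silently open RDP for administrators; when rules are reordered in the ISA console the same first-match logic applies.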

How to Locate ISA Server in a Network


There are several options for placing the ISA Server in the company network. They differ in the level of security for the internal network, configuration complexity, the experience required of the administrator, and implementation and maintenance costs. For simple school networks a single firewall on the boundary between the internal network and the Internet is sufficient. This arrangement is usually called an Edge Firewall, and the same name is used for the corresponding template in the ISA Server administrative console. The Edge Firewall stands on the boundary between the internal network and the Internet as the only firewall of the company network. Where a company network is connected to the Internet, there is usually a router in this position that provides NAT and gives the internal hosts access to the Internet. If you replace this router with ISA Server 2006, the Internet remains available in the same way, and in addition the configuration can be improved and made more secure.

Figure 5: Edge firewall

Figure 5 shows the Edge Firewall. Since the ISA Server works as both router and firewall, it needs at least two network adapters. This is the arrangement discussed in this handbook.

A more comprehensive security solution is shown in Figure 6. Here the ISA Server has three network adapters: the first is for the Internet connection, the second for the internal network, and the third for the demilitarised zone, where the servers that should be reachable from the Internet are placed. The rules of this solution allow Internet users to communicate with the servers in the demilitarised zone without giving them access to the servers or hosts in the internal network.

Figure 6: 3-leg firewall

Another way of building a demilitarised zone is shown in Figure 7. ISA Server is used as the back-end firewall, and either another ISA Server or any other firewall serves as the front-end firewall. As in the previous solution, the demilitarised zone is partly reachable from the Internet, while the internal network is protected by two firewalls.

Figure 7: Back-end and front-end firewalls

Joining ISA Server to a Domain
ISA Server can work either as a member server of an Active Directory domain or as a stand-alone server in a workgroup.

ISA Server Clients
This chapter closes with a short list of the ways the clients in the internal network can be configured to use the ISA Server for Internet access.

Web Proxy client: a host whose web browser (for instance Internet Explorer) is configured to use a proxy server, with the ISA Server address as the proxy server.

SecureNAT client: the IP configuration of this client has the ISA Server as the default gateway, so all communication leaving the LAN is sent to the ISA Server.

Firewall client: a host running a special client application that communicates securely with the ISA Server.

Each client type has its advantages and drawbacks. Multiple client types can be used on a single host simultaneously. This configuration, including its advantages and drawbacks, is discussed in the chapter describing the ISA Server clients.

ISA Server Installation


Preparing the Installation
Before the ISA Server installation itself, some steps need to be performed to understand the current network architecture, to plan the new ISA Server solution, and to decide which Web services will be available to internal network users. The goal is not just to state the communication rules for particular user groups, but also to set up the infrastructure that makes the allowed services reachable: an internal network host needs a correct TCP/IP configuration and a way to translate DNS names to IP addresses.
1. Current network mapping: the first step, which gives you an understanding of the current network architecture and supplies the necessary information. You should have an overview of which IP addresses are used in the internal network and which servers in the internal network are relevant. Look at how the workstations are configured (DHCP server) and how DNS names are translated to IP addresses (DNS server).
2. Necessary network changes: some network changes are needed before ISA Server is put into operation. For instance, all internal network hosts must be reconfigured to use ISA Server for communication with Web. Next, you may want to provide name-to-IP-address translation and to make servers published on the internal network reachable for Web users under the company's DNS names.
3. Access to Web: prepare a draft of the rules that you will later use as the firewall access rules. These rules should list the user groups with access to Web, including the servers and services available to them.
4. Client configurations: based on the information retrieved, decide which client access type to ISA Server will be used. Each client type has advantages and drawbacks and they are not interchangeable, so you have to understand the particular client types and know when each can be used.

Network Infrastructure
Some other network services must support ISA Server for the whole network to work correctly. You have to configure the following services correctly:
- DNS
- DHCP
- Active Directory

DNS
Retrieving the IP address for a domain name (entered by a user into a Web browser, for instance) is a necessary feature for connecting clients to Web resources. If you decide to publish some internal network services on Web, there must also be a way for Web users to obtain the correct IP address for connecting to the published server.

Using an Internal DNS Server
Many companies have their own DNS server in the internal network, and it can be configured to translate Web domain names, too. If the Active Directory service is installed in the company network, the DNS service is usually running on the domain controller, and it takes care of name translation for the domain zone. Thus, if a domain controller administers the zone school.com, for instance, a DNS server translating names for the zone school.com is running on the domain controller. This DNS server can be configured so that it is able to translate other Web names besides its own domain names. To do so, set your internal DNS server to forward requests for Web names to another DNS server, typically the ISP's DNS server. Internal domain name translation stays on the current server. Use the following steps to configure your DNS server for forwarding requests:
1. Run the DNS console from Administrative Tools on the domain controller or on another server.
2. Right-click the server name in the left part of the console and choose Properties.
3. Choose the Forwarders tab, fill the DNS server IP address into the appropriate field and click Add. You will get the DNS server IP address from your ISP.

Figure 8: DNS forwarding settings

4. Click OK and close the DNS console.

Using an External DNS Server
The second option for translating domain names is to use a Web DNS server directly. This is typically used if an organization does not have its own DNS server. When Web-Proxy clients or Firewall clients are used, ISA Server can work as a DNS proxy server: the ISP's DNS server is set in the IP configuration of the ISA Server external adapter for translating Web DNS names. ISA Server is then able to perform name translation for Web-Proxy clients, and Firewall clients can delegate name translation to ISA Server. Since ISA Server offers no DNS proxy support for SecureNAT clients, they must have the Web DNS server address (the ISP's DNS server) set as the DNS server in their IP configuration. A firewall access rule allowing DNS communication from the internal network to the ISP's DNS server must be set in both of the following cases: forwarding from the internal DNS server, and use of the external DNS server by internal clients. You can use the setting template for the initial ISA Server configuration, which also contains this rule. If you settle for the ISA Server DNS proxy service alone (which is possible only when using Web-Proxy or Firewall clients), you need not create an access rule for DNS communication, because Web name translation is performed by ISA Server itself, which is entitled to access any DNS server in the default state.

Active Directory
If you want to introduce Web access restrictions based on user names or user groups from the internal network, or if you want to limit access of unauthenticated users to published servers, integrating ISA Server with the Active Directory domain is the suitable choice. If the ISA Server is a member of the domain, it can check the domain users without any extra configuration. However, ISA Server also offers options to authenticate domain users when ISA Server is not a domain member: you can use LDAP (Lightweight Directory Access Protocol) or the RADIUS standard (Remote Authentication Dial-In User Service), which is implemented in Windows Server 2003 by IAS (Internet Authentication Service). If you want to use the Active Directory service with ISA Server, the DNS server for the internal domain zone (typically the domain controller IP address) must be set in the IP configuration of the internal ISA Server adapter.

DHCP Service
The DHCP service is not necessary for the introduction of ISA Server, but it is recommended for the network configuration of the internal network clients. The advantage of using a DHCP server is that the client configuration is made automatically, so you can easily set the clients to work with ISA Server and Web. If you change the Web DNS server IP address or the default gateway address, you simply modify the DHCP server setting and the IP configuration of the client hosts is modified to suit the new requirements, at the latest after they are restarted. A DHCP server can also be used to configure clients connected from Web through a VPN channel: if you enable VPN client connections on ISA Server, it asks the DHCP server for a block of IP addresses to assign to VPN clients.

Preparing ISA Server


ISA Server 2006 Hardware and Software Requirements
The server on which ISA Server is installed should follow the recommendations in Table 3.

Table 3: Minimum system configuration
Operating system: Windows Server 2003 SP1 or higher; only the 32-bit version of the operating system is supported
Processor: 733 MHz Pentium III or higher
Memory: 512 MB of RAM or more is recommended
Hard disk: NTFS-formatted local partition with 150 MB of available hard-disk space; additional space is required for Web cache content
Other devices: a network adapter compatible with the computer's operating system for communication with the internal network; one additional network adapter, modem, or ISDN adapter for each additional network connected to the ISA Server computer; one additional network adapter for intra-array communications for ISA Server 2006 Enterprise Edition integrated NLB; CD-ROM or DVD-ROM drive; VGA or higher-resolution monitor; keyboard and Microsoft Mouse or compatible pointing device

Prior to Installation
A computer with the Windows Server 2003 operating system matching the requirements in Table 3 is needed for the ISA Server installation. It is highly recommended to update the operating system with all available patches and service packs before the installation.
1. Server operating system update: update your system before the ISA Server installation.
2. Internal network interface settings: the internal network interface must be configured with an IP address and the internal network mask. If the ISA Server is going to be a member of the domain, set the DNS server entry of the internal interface to the DNS server on the internal network (the domain controller). If you use a DHCP server on the internal network, make sure that the ISA Server internal interface IP address is excluded from the address range assigned by the DHCP server; the DHCP server must be prevented from assigning the ISA Server IP address to another host.
   a. Open Control Panel and double-click Network Connections.
   b. Select the adapter used for the internal network. You can rename the connection for clarity, for instance Internal Network or LAN.
   c. Open the connection properties, select the item Internet Protocol (TCP/IP) and click Properties. Enter the IP address and network mask for the internal adapter. Leave the Default Gateway field blank. If you want to communicate with the domain controller, enter the domain controller (DNS server) IP address.

Figure 9: ISA Server internal interface settings

   d. Save the settings and close Control Panel.
3. Connecting to the domain: if you want to join the ISA Server to a domain, now is the right time. The only conditions are a correct setting of the internal adapter according to step 2 and availability of the domain controller over the internal network.
4. External network interface settings: pay special attention to the connection to Web. For security reasons a manual configuration is more appropriate; you should not use the ISP's DHCP server. Also, the network services on this adapter should be limited to the TCP/IP protocol: NetBIOS should not be supported and DNS registration should be disabled.
   a. Open Control Panel and double-click Network Connections.
   b. Select the adapter used for the external network. You can rename the connection for clarity, for instance Internet.
   c. Check the connection properties. Uncheck all services and protocols that are not needed on the external adapter, especially Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Leave Internet Protocol (TCP/IP) enabled.

Figure 10: Services limitation on external adapter

   d. Select Internet Protocol (TCP/IP) and click Properties. Enter the IP address, network mask and gateway of the external adapter. You can also set the DNS server addresses; ask your ISP administrator for this information. If you choose to obtain the IP settings automatically, you will have to change the ISA Server System Policy after installing ISA Server.

Figure 11: External adapter IP configuration example

   e. Next, click Advanced in the TCP/IP settings.
   f. Uncheck the Register this connection's address in DNS checkbox.

Figure 12: Unchecking the DNS registration on the ISA Server external adapter

   g. Select the WINS tab, uncheck Enable LMHOSTS lookup and select the option Disable NetBIOS over TCP/IP.

Figure 13: NetBIOS disabled on the external ISA Server adapter

   h. Close all property windows by clicking OK in each. If you decide on automatic configuration through the DHCP client after all, note that this configuration is blocked once ISA Server is installed and you will have to change the ISA Server System Policy.

Figure 14: ISA Server network connections renaming
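The adapter settings from steps 2 and 4 above can also be applied from the command line, which makes the preparation repeatable and easy to review. The script below is an added example, not part of the original guide: it assumes the connections have already been renamed LAN and Internet (step 2b and 4b), that all IP addresses are constructed lab values, and that it is run in an elevated prompt on the future ISA Server. netsh is the built-in Windows Server 2003 tool; the DNS-registration and NetBIOS switches that netsh does not expose are set through the Win32_NetworkAdapterConfiguration WMI class. Unbinding Client for Microsoft Networks and File and Printer Sharing (step 4c) and the LMHOSTS lookup (step 4g) stay in the GUI.

```powershell
# Added example (not from the guide): scripted equivalent of the adapter preparation.
# Assumptions: connections renamed "LAN" (internal) and "Internet" (external);
# 10.0.7.0/24 is the internal network with the domain controller at 10.0.7.2;
# 203.0.113.0/29 is a constructed ISP range. Adjust all values to your network.

$Internal = 'LAN'
$External = 'Internet'

# Step 2c: internal adapter gets a static address, NO default gateway,
# and the domain controller as DNS server so the domain join (step 3) works.
netsh interface ip set address name="$Internal" source=static addr=10.0.7.1 mask=255.255.255.0 gateway=none
netsh interface ip set dns name="$Internal" source=static addr=10.0.7.2 register=primary

# Step 4d: external adapter gets the ISP-supplied static address, gateway and DNS.
# register=none already implements step 4f for new records; the WMI call below
# turns the checkbox itself off so nothing re-registers later.
netsh interface ip set address name="$External" source=static addr=203.0.113.10 mask=255.255.255.248 gateway=203.0.113.9 gwmetric=1
netsh interface ip set dns name="$External" source=static addr=203.0.113.2 register=none

# Steps 4f and 4g: per-adapter TCP/IP options that netsh does not expose.
$ext = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPAddress -contains '203.0.113.10' }
if (-not $ext) { throw "External adapter with 203.0.113.10 not found" }

# "Register this connection's address in DNS" off (both parameters: full and partial registration)
$ext.SetDynamicDNSRegistration($false, $false) | Out-Null
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable NetBIOS over TCP/IP
$ext.SetTcpipNetbios(2) | Out-Null

# Verification: print the resulting configuration of both adapters so the
# gateway-on-internal and registration/NetBIOS settings can be reviewed before installing ISA Server.
netsh interface ip show config name="$Internal"
netsh interface ip show config name="$External"
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    Select-Object Description, IPAddress, DefaultIPGateway, FullDNSRegistrationEnabled, TcpipNetbiosOptions |
    Format-List
```

The final listing is the check worth keeping: the internal adapter must show no DefaultIPGateway, and the external adapter must show FullDNSRegistrationEnabled False and TcpipNetbiosOptions 2 before you proceed to the installation.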

Installation Process
Once the network adapters are configured, you can proceed to the ISA Server installation. Use the following steps:
1. Log in as administrator to the server where ISA Server 2006 is to be installed.
2. Insert the ISA Server installation medium. After the installation CD-ROM is read and the automatic menu is displayed, choose the option Install ISA Server 2006.

Figure 15: ISA Server 2006 installation CD-ROM

If the CD-ROM does not run automatically, or if you are installing ISA Server from a network share, for instance, run the file fpc\setup.exe from the root folder of the ISA Server installation files.
3. Press Next on the welcome screen. Then accept the License Agreement and press Next.
4. Fill in your name and company name on the next screen, and enter a valid Microsoft ISA Server 2006 product license key into the appropriate field. Press Next to continue.
5. Choose a typical installation and continue by pressing Next. All ISA Server 2006 components are installed with this option.
6. The IP address range of the internal network is defined on the next screen. Press Add to open the Addresses window and enter the IP address range of the internal network.

Figure 16: Defining the internal network IP address

7. Using Add Adapter, you can enter the complete IP address range derived from the IP configuration of the ISA Server internal adapter. Alternatively, you can enter the well-known private IP address ranges (Add Private), or enter your own IP address range using the Add Range button.

Figure 17: Add adapter, Add private, Add range

The selected IP address range must contain the address of the ISA Server internal adapter. After finishing the modification, press Next to continue. You can also modify the internal network IP address range after the ISA Server installation is finished.

8. You can enable unencrypted connections from Firewall Client applications. No encryption between the client and ISA Server is available when the client is installed on an older operating system (Windows NT 4.0, Windows 98 SE, Windows Me), so if you want to use the Firewall Client on such systems, you have to allow plain connections. Otherwise leave the default, i.e. plain communication disabled.
9. The next screen informs you which operating system services will be stopped and disabled and which services will be restarted.

Figure 18: Services affected by the ISA Server 2006 installation

10. Press Next, then press Install on the next screen. The ISA Server installation process begins; it is completed within a few minutes and the ISA Server services are started automatically. Restarting the server is not necessary.

Figure 19: Installation

Workstation Administrative Console Installation
No physical access to the ISA Server itself is necessary for administering it. You just need to install the management console on the administrator's workstation; once running, it can connect to any ISA Server. An ISA Server is usually not located in an easily accessible place, so it is convenient to administer it from a remote location such as the manager's office.
1. Insert the ISA Server 2006 installation CD-ROM into the administrator's workstation.
2. Run the Installation Wizard and follow the steps.
3. When installing on a workstation (Windows XP, Windows 2000 Professional), you can choose a typical installation on the installation options screen. If you want to install just the administration console on another Windows Server 2003, choose a custom installation and select the item ISA Server Management from the available components.

Figure 20: Installing a single ISA Server console

4. Follow the remaining steps.
5. The console is available from the Windows menu Start, Programs, Microsoft ISA Server.
ISA Server must be set up to accept the console connection from the administrator's workstation. This configuration is discussed in the chapter describing the ISA Server console.

Post Installation Checking


After installing ISA Server you should make sure that the installation has been performed correctly and that all necessary components have been installed. The check can be performed in several places.
1. Check the availability of the following services in the Services console from Administrative Tools. These services should be running and set to start automatically:
- Microsoft Firewall
- Microsoft ISA Server Control
- Microsoft ISA Server Job Scheduler
- Microsoft ISA Server Storage

2. Check the availability and correct configuration of the MSDE (Microsoft Data Engine) services in the Services console from Administrative Tools. These services are used for logging the ISA Server activity:
- MSSQL$MSFW: state running, startup type automatic
- MSSQLServerADHelper: state not running, startup type manual

Figure 21: ISA Server 2006 services

3. The logs of the installation procedure are located in the %windir%\temp (C:\windows\temp) directory:
- ISAFWSV_NNN.log: detailed log of the firewall installation
- ISAMSDE_NNN.log: detailed log of the MSDE services installation
- ISAFWUI_NNN.log: installer records
- ISAWRAP_NNN.log: short summary of the installation procedure for all components

4. Information about the firewall services starting, or error information explaining why they did not start, is found in the Event Viewer from Administrative Tools.
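The four checks above can be run as one script on the freshly installed server, so the result can be kept with the installation records and repeated after every later change. This is an added example, not part of the original guide; it assumes the service display names listed above, the log file names from step 3, and that the Application event log sources of the ISA services contain "ISA" or are named "Microsoft Firewall" (an assumption: adjust the filter if your event log shows different source names).

```powershell
# Added example (not from the guide): post-installation check of the ISA Server services,
# the MSDE logging services, the setup logs and the event log.

# Expected state from steps 1 and 2, keyed by service display name (values as Win32_Service reports them).
$Expected = @(
    @{ DisplayName = 'Microsoft Firewall';                State = 'Running'; StartMode = 'Auto'   },
    @{ DisplayName = 'Microsoft ISA Server Control';      State = 'Running'; StartMode = 'Auto'   },
    @{ DisplayName = 'Microsoft ISA Server Job Scheduler'; State = 'Running'; StartMode = 'Auto'  },
    @{ DisplayName = 'Microsoft ISA Server Storage';      State = 'Running'; StartMode = 'Auto'   },
    @{ DisplayName = 'MSSQL$MSFW';                        State = 'Running'; StartMode = 'Auto'   },
    @{ DisplayName = 'MSSQLServerADHelper';               State = 'Stopped'; StartMode = 'Manual' }
)

function Test-IsaServices {
    # Returns one line per deviation from the expected state; an empty result means all is well.
    $problems = @()
    $services = Get-WmiObject Win32_Service
    foreach ($e in $Expected) {
        $svc = $services | Where-Object { $_.DisplayName -eq $e.DisplayName }
        if (-not $svc) { $problems += "$($e.DisplayName): service not installed"; continue }
        if ($svc.State -ne $e.State) {
            $problems += "$($e.DisplayName): state is $($svc.State), expected $($e.State)"
        }
        if ($svc.StartMode -ne $e.StartMode) {
            $problems += "$($e.DisplayName): start mode is $($svc.StartMode), expected $($e.StartMode)"
        }
    }
    return $problems
}

function Get-IsaSetupLogs {
    # Step 3: list the setup logs and any lines in them that mention an error.
    $dir = Join-Path $env:windir 'temp'
    Get-ChildItem -Path $dir -Filter 'ISA*_*.log' | ForEach-Object {
        $errors = Select-String -Path $_.FullName -Pattern 'error' -SimpleMatch | Measure-Object
        New-Object PSObject -Property @{ Log = $_.Name; SizeKB = [int]($_.Length / 1KB); ErrorLines = $errors.Count }
    }
}

function Get-IsaStartupEvents {
    # Step 4: recent warnings/errors from the ISA-related sources in the Application log.
    Get-EventLog -LogName Application -Newest 200 -EntryType Error, Warning |
        Where-Object { $_.Source -like '*ISA*' -or $_.Source -eq 'Microsoft Firewall' } |
        Select-Object TimeGenerated, Source, EventID, Message
}

$p = Test-IsaServices
if ($p.Count -eq 0) { "Services: OK" } else { "Services: problems found"; $p }
"Setup logs:";      Get-IsaSetupLogs | Format-Table Log, SizeKB, ErrorLines -AutoSize
"Event log:";       Get-IsaStartupEvents | Format-List
```

Run it in an elevated PowerShell on the ISA Server. The first block is the one that matters for operation: a non-empty Test-IsaServices result (for instance MSSQL$MSFW stopped) means logging will silently fail even though the firewall passes traffic, so fix it before putting clients behind the server.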

Default State after ISA Server Installing


The firewall services are started automatically after the ISA Server installation, and the ISA Server configuration is in the following default state.

Networks:
- External: the external network (Web)
- Internal: the internal network, defined by the IP address range entered during the ISA Server installation
- Localhost: represents the ISA Server itself
- Quarantined VPN clients: the network for VPN clients not meeting the quarantine conditions (if quarantine is enabled)
- VPN clients: the VPN clients network

Network rules (source -> destination: rule):
- Internal, Quarantined VPN clients, VPN clients -> External: NAT (valid for the External network access direction)
- Quarantined VPN clients, VPN clients -> Internal: Route
- Localhost -> All networks: Route

Firewall rules:
- System policy: the rules enabling ISA Server communication with the surrounding world
- Firewall policy: a single rule denying any communication between two networks. This rule cannot be modified or removed; the only way to let communication pass through ISA Server is to add further rules.

Cache: caching disabled
VPN access: VPN access disabled
Web-Proxy clients: Web-Proxy clients enabled on the internal network
Firewall clients: Firewall clients enabled on the internal network
SecureNAT clients: no extra support from ISA Server is needed; their function is always available

After installation, any communication that would pass through ISA Server is blocked: there is no way for two hosts located in different networks to communicate. However, the ISA Server system policy allows the common communication with surrounding hosts, such as using a DNS server or Active Directory. The system policy is described later.

Console for ISA Server Management


The console for managing ISA Server is part of the typical ISA Server 2006 installation. If you have installed this component, you can find it as ISA Server Management among the other programs in the Start menu.

Figure 22: Running the ISA Server console

Running the console on the ISA Server connects it automatically to the ISA Server running on the local host. The console is divided into three panes. The left pane contains a navigation tree used for switching among the different configuration parts. The content of the selected item is displayed in the largest (middle) pane, where the ISA Server configuration is modified. The right pane contains links to functions frequently used in the current console location, and also links to help.

Figure 23: ISA Server 2006 console

If you run the ISA Server console from a workstation, you can connect to a remote ISA Server.
1. Right-click Microsoft Internet Security and Acceleration Server 2006 in the console and select Connect to.
2. Enter the ISA Server name or find it using the Browse button. You can use either the account you used to log in to the workstation, or choose another one.
3. Click OK to connect to the remote ISA Server.

Figure 24: Connecting to a remote ISA Server from a workstation

Remote access to ISA Server from the administrator's workstation has to be enabled before connecting. If an administrator is going to log in with another (non-administrator) account, you should assign that account an appropriate administrative role for managing ISA Server. ISA Server configuration modifications are not applied immediately after they are made; they accumulate in the console store, so multiple items can be modified and applied at once later. After finishing the modifications, click Apply next to the big yellow icon with the exclamation mark in the console. If you do not want to apply the modifications, click Discard.

Figure 25: Applying or discarding the configuration modifications

Enabling Remote Management
To allow remote control of ISA Server, the firewall system policy contains in its default state rules that permit remote ISA Server management from the computer set Remote Management Computers. You can add any host to this set to manage ISA Server from it.
1. Log in to ISA Server using the administrator's account.
2. Run the ISA Server management console.
3. Select Firewall Policy in the tree in the left pane.
4. Select Toolbox, Network Objects, and Computer Sets in the right pane.
5. Double-click the set Remote Management Computers.
6. Press Add and select Computer to open a window for defining the host.
7. Enter the host name, for instance admin workstation, and its IP address.
8. Finish modifying the set Remote Management Computers and apply the settings on ISA Server.
9. Now you can manage the ISA Server remotely from your host. Use the administrator's account when connecting to the ISA Server from the console (Figure 24).

Figure 26: Allowing remote management from the 10.0.7.3 host

ISA Server Clients


Internal network hosts have to be set up as ISA Server clients to enable their communication with ISA Server. Such clients then communicate through ISA Server whenever they attempt to communicate outside the internal network (to Web, for instance). There are three types of clients, each with specific properties, so you have to choose the appropriate client type.

Firewall Client
Firewall Client hosts use the Firewall Client application for communication with ISA Server. This application must be installed and running for access to Web (or to another network). The Firewall Client application changes the network access behavior of the client host: any attempt of an application (Web browser, e-mail client, messenger) to access the network is intercepted by the Firewall Client application, which checks the destination of the communication. If the destination is a local host, the communication is let through; if it is routed to Web, it is redirected to ISA Server. ISA Server accepts the communication request and authenticates the user (the authentication is transparent: the account of the logged-in user is used). Next, ISA Server checks whether the communication type is allowed, i.e. whether there is an access rule for it. If there is, ISA Server completes the request on the destination server and sends the response back to the client. The Firewall Client supplies the highest level of security and functionality of all ISA Server clients.
Firewall Client advantages:
- Web access control and communication logging based on user accounts and groups.
- Automatic and transparent client authentication against ISA Server.
- Internet Explorer proxy settings can be configured by the Firewall Client.
- The Firewall Client supports all network applications.
- No default gateway configuration and no DNS access is required on the client. Communication not intended for the local network is passed to ISA Server, which usually performs the DNS lookup, too.

Firewall Client drawbacks:
- The Firewall Client is an application that has to be installed on the host. A manual installation on all hosts might be rather time consuming. Since the client is distributed as an MSI installation package, you can use automatic installation on domain workstations through Group Policy.
- The Firewall Client application is available only for Microsoft operating systems.

SecureNAT client
Hosts without the Firewall Client application installed can work as SecureNAT clients. To enable Web communication for such clients, set their TCP/IP default gateway so that their communication is routed towards Web; typically (in simple networks) the default gateway is set to the internal ISA Server IP address. The clients also need access to a DNS service.
SecureNAT client advantages:
- Most applications (protocols) are supported. For common protocols that have problems with NAT (such as FTP), ISA Server has built-in application filters that handle them.
- Any operating system providing the TCP/IP protocols is supported.
- Easy client configuration from the DHCP server.

SecureNAT client drawbacks:
- The SecureNAT client does not support authentication, so ISA Server is not able to log the communication by users or groups. Similarly, if a firewall access rule requires authentication, no SecureNAT client access is allowed by it.
- The client host must have a DNS server configured in order to translate Web names into IP addresses.

Web-Proxy Client
A Web-Proxy client is a host with an HTTP 1.1 compatible Web browser set to use a proxy server. Most commonly used browsers support this, so any host can work as a Web-Proxy client (including hosts configured as Firewall clients or SecureNAT clients). Any attempt to access Web is sent as a request to the proxy server, i.e. ISA Server. If there is a rule for the given communication on ISA Server, it passes the request on to the Web server and returns the response back to the Web-Proxy client. The client is also able to authenticate itself when asked by ISA Server. The authentication can again be transparent, using the account of the logged-in user, if the host is a member of the Active Directory domain. If it is not, or if the host uses a non-Microsoft operating system, the Basic authentication built into the HTTP protocol can be used. Web browsers can be configured en bloc to cooperate with ISA Server, so no individual configuration is needed; Internet Explorer is configured to use ISA Server as its proxy by the Firewall Client application with default settings.
Web-Proxy client advantages:
- All recent Web browsers are supported, independently of the operating system used.
- Authentication is supported, so communication rules can be based on users and user groups.

Web-Proxy client drawback:
- Only the Web protocols are supported: a host configured as a Web-Proxy client can use only HTTP, HTTPS, and FTP.

Combining More Than One Client


A single internal network workstation may be used as more than one ISA Server client type: it can be configured as a Web-Proxy client, a Firewall client, and a SecureNAT client simultaneously. Such a workstation has a complete TCP/IP configuration including the default gateway and a DNS server for Web name translation, the Firewall Client application installed, and a Web browser configured for the proxy server. The host acts as a Web-Proxy client when communicating from the Web browser. If any other protocol is used (e.g. connecting to a remote desktop), the communication is relayed through ISA Server by the Firewall Client application. However, the Firewall Client may be configured with exceptions that keep it from handling particular applications; Outlook is one example, for which the Firewall Client is set not to affect any Outlook communication. Outlook then uses the DNS service available on the host and its communication is handled as a SecureNAT client through the default TCP/IP gateway. If you configure a host with the Linux operating system as a Web-Proxy and SecureNAT client, Web communication can be filtered by user names, while all other communication is handled as a SecureNAT client without any control based on users and user groups.

Configuring Clients
SecureNAT Client
The SecureNAT client type is the simplest one, because correct TCP/IP settings on the client host are sufficient. The goal of the configuration is to enable the client to send requests to Web and to make the DNS service available to the client.
Default gateway settings: set the TCP/IP default gateway of the internal network workstations to the IP address of the internal ISA Server adapter. If the DHCP server is used for client configuration, modify the DHCP server settings instead.
Name translation settings: if you have a domain controller in the internal network, you also have a DNS server. Set it up so that it translates Web names for internal network clients, too; the how-to for the DNS server settings is in the chapter ISA Server Installation. Besides these settings, you have to allow the communication between the internal DNS server and Web DNS servers by a firewall rule, which may be included in one of the setting templates. Such a template can be used for the initial ISA Server configuration, or you can use the following steps:

1. Run the ISA Server console. When using remote access, connect it to the ISA Server.
2. Right-click Firewall Policy in the left pane and choose New, Access Rule. A wizard for creating the rule starts.
3. Enter the rule name, for instance DNS Communication.
4. Choose Allow on the Rule Action screen: this is a rule to enable the communication.
5. Choose Selected protocols from the drop-down menu on the Protocols screen. Press Add to open the list of available protocols, find the DNS protocol and add it. Go to the next screen to continue.

Figure : DNS protocol rule

6. On the Access Rule Sources screen, specify where the DNS communication is initiated from. Press Add to open the list of available locations and select the Internal network.

Figure : Internal network communication source definition

7. On the Access Rule Destinations screen, choose the target of the DNS communication you want to make available. Add the External network the same way as in step 6.
8. Leave the next screen, User Sets, unchanged. The rule will hold for all users.
9. Finish the wizard and apply the settings on ISA Server. You have just created a rule allowing internal-network hosts to communicate with external-network DNS servers using the DNS protocol.

Web-Proxy Client
A Web-Proxy client is a host whose Web browser is set to use ISA Server as its proxy server. Neither an extra TCP/IP configuration (an IP address and netmask are enough) nor the Firewall Client application is needed; only the Web browser has to be set up. This configuration can be made on each host manually or automatically. The first step is to ensure that the Web-Proxy service is available on ISA Server; it is enabled by default after installation.

Verifying the Web-Proxy Service on ISA Server
1. Run the ISA Server console and select Networks in the left pane. Select the Networks tab in the middle pane and open the Internal network properties.

Figure : Internal network properties

2. Select the Web Proxy tab in the Internal network properties window.
3. Verify that the option Enable Web Proxy client connections for this network is checked and that HTTP protocol communication is enabled. ISA Server listens for connections from Web-Proxy clients on port 8080 of the internal adapter.

Figure : Web-Proxy service

Manual Configuration of Clients
Set up the Web-Proxy client on each host manually. Every application that uses the proxy server (Web browser, FTP client, etc.) has its own settings. Use the following steps to configure the Web-Proxy client in Internet Explorer:

1. Open Control Panel and run Internet Options.
2. Select the Connections tab and click LAN Settings.
3. Select the option Use a proxy server for your LAN and set its address and service port. You can use the ISA Server DNS name. Choose port 8080, which is the default port of the proxy service.

Figure : Web-Proxy client manual configuration

4. If you also select Bypass proxy server for local addresses, requests for internal Web servers are routed directly to the appropriate server instead of going through ISA Server.
5. Press Advanced to set further items. For instance, you can set a different address and port of the proxy server for each communication protocol, or address exceptions for which the proxy server is not used.

Figure : Proxy client exceptions

Automatic Configuration of Web-Proxy Clients
If a client is set for automatic configuration, the current configuration script is downloaded each time Internet Explorer starts, and the browser configures itself from the script as needed. Automatic configuration spares you the manual reconfiguration of all hosts every time the ISA Server configuration changes.
1. Open Control Panel and Internet Options. Click LAN Settings on the Connections tab.
2. Select Use automatic configuration script and fill in the Address field with the location of the configuration script. Replace the ISA Server domain name with your own, or use the ISA Server IP address:
http://isa1.school.local:8080/Array.dll?Get.Routing.Script
http://10.0.0.10:8080/Array.dll?Get.Routing.Script
3. Save the settings and restart Internet Explorer.
The settings shown in the following figure consist of three separate phases. In the first phase the browser tries to find an available ISA Server that is set to be detectable. If that fails, in the second phase the browser tries to download the configuration script from a fixed ISA Server. If both previous phases fail, in the third phase the browser is set according to the Proxy server frame.

Figure : Automatic configuration

As the Web browser configuration mostly depends on the user account, it is best if every user sets the Web-Proxy configuration at least to automatic configuration, so that the browser is configured from ISA Server and works as a Web-Proxy client. If the hosts and users are members of an Active Directory domain, the admin can set the Internet Explorer proxy configuration for all users centrally through Group Policy. The second option is to let the Firewall Client application set up the Web-Proxy client on all hosts.

Automatic Settings Configuration Script
If you use a configuration script rather than manual settings, you can affect the script contents in the ISA Server console.
1. Run the ISA Server console. Choose Networks in the left pane and the Networks tab in the middle pane. Open the Internal network properties.
2. Pay attention to the Web Browser tab:
a. Bypass proxy for Web servers in this network lets clients contact the LAN Web servers directly, without ISA Server.
b. Directly access computers specified in the Domains tab concerns the Firewall Clients. With this option, clients connect directly to the domains enumerated on the Domains tab rather than through the proxy server.
c. Directly access computers specified in the Addresses tab enables direct connections to hosts whose IP addresses are defined on the Addresses tab rather than through the proxy server.
d. Directly access these servers or domains lets you add further server or domain names for the Web-Proxy client. The Web-Proxy client communicates with these servers or domains directly, without the proxy server.

e. The Direct Access option enables direct connections to servers if the proxy server (ISA Server) is not available.
3. Apply the settings on ISA Server.

Figure : Setting for automatic configuration

If you have installed the Firewall Client application, you can use it to set up Web-Proxy clients automatically: the Firewall Client application can set Internet Explorer to use the proxy server for a user.
1. Run the ISA Server console, find the network settings and open the properties of the Internal network.
2. Go to the Firewall Client tab. In the section Web browser configuration on the firewall client computer, you choose how the Firewall Client application sets up the Web-Proxy client. With all three options set as in the following figure:
a. the Web-Proxy client looks for an ISA Server that is configured as detectable;
b. if step a fails, the Web-Proxy client tries to download the configuration script from the server ISA1;
c. if step b fails too, the browser uses ISA1 as the proxy server.
3. Apply the settings on ISA Server.

Figure : Web-Proxy client configuration by Firewall client

Running Support for ISA Server Automatic Detection
You can extend the automatic Web-Proxy client configuration by setting up the network environment so that the Web-Proxy client can find ISA Server by itself. The automatic lookup is also used by a default Firewall Client, which tries to find a published ISA Server. The help documentation calls this feature Automatic Discovery. The Web-Proxy client searches for ISA Server with the WPAD protocol (Web Proxy Automatic Discovery); the Firewall Client application uses the WSPAD protocol (Winsock Proxy AutoDetect). To run the Automatic Discovery feature, add an alias record named WPAD, pointing to the ISA Server DNS name, to the DNS server zone. Clients of the school.local domain look for a server named WPAD.school.local when using automatic detection, and this name must resolve to the ISA Server IP address.

ISA Server Configuration
You have to switch on automatic detection support on ISA Server.
1. Run the ISA Server console, find the Internal network and open its properties.
2. Go to the Auto Discovery tab. Select the option Publish automatic discovery information for this network and leave the port number 80 unchanged.
3. Apply the settings on ISA Server.

Figure : AutoDiscovery support

Inserting the WPAD Record into DNS
1. Log in to the domain controller. Run the DNS console from Administrative Tools.
2. Expand the item with the server name (DC1), then Forward Lookup Zones and the item with your domain name (school.local).
3. Right-click the domain name (school.local) and choose New Alias (CNAME).

Figure : Inserting a record into DNS

4. Type WPAD into the Alias name field. Type the fully qualified ISA Server DNS name into the Fully Qualified Domain Name (FQDN) for target host field.

Figure : Inserting a record for WPAD

5. Click OK and close the DNS console. From now on, Web-Proxy clients and Firewall Client applications can look up ISA Server automatically. Instead of automatic lookup through DNS, this function can also be provided by the DHCP server: clients then obtain the ISA Server identity during automatic detection either by querying the DNS service or from the DHCP server. See the ISA Server help for more information on automatic detection via DHCP.

Firewall Client Application (Firewall Client)


The Firewall Client provides the highest functionality and security level of the three client types. It supports filtering and authentication of communication over all protocols. Its only drawback is that the application has to be installed. The Firewall Client application is available in the Client directory on the ISA Server installation CD-ROM, or you can download the current version from the Microsoft Website.

Manual Installation
You can install the application manually with the wizard on the client host, or semi-automatically by running it from a shared network folder with configuration arguments.

Installation Process:
1. Log in to an internal-network workstation using the admin's account.

2. Run the file Client\setup.exe from the ISA Server installation set (located on the ISA Server CD-ROM or in the shared network folder with the installation set that you created for that purpose beforehand).
3. Press Next on the installation welcome screen. Confirm the license agreement; on the next screen you can modify the installation location. The default path is usually C:\Program Files\Microsoft Firewall Client 2004.
4. Set the ISA Server used by the application. There are two options:
a. Set the ISA Server name or IP address manually.
b. Set automatic ISA Server detection. This detection requires detection support enabled on ISA Server and an appropriate record in the DNS server; these settings are described in the previous part on Web-Proxy client configuration.

Figure : Appropriate ISA server settings

5. Finish the wizard and press Install to start the installation.
6. After installation the application tries to connect to ISA Server. The activated application places its icon in the system tray next to the clock.
7. Right-click the client icon in the system tray to open the client configuration.
8. On the General tab you can remove the client icon from the system tray. On the Settings tab, set the ISA Server address manually or by automatic detection. Press Test Server to test ISA Server with the manual settings. Press Apply Default Settings Now to save these settings into the default profile for new users of this host; only the admin can save the configuration into the profile.
9. On the Web Settings tab, enable or disable configuration of the Web browser by the Firewall Client.

Figure : Firewall client configuration

Non-wizard installation:
You can also run the installation from the command line to set the default client configuration:
Path\Setup.exe /v"[SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"
SERVER_NAME_OR_IP: ISA Server name or IP address for the connection
ENABLE_AUTO_DETECT: if the value is 1, automatic detection is enabled
REFRESH_WEB_PROXY: if the value is 1, the Firewall Client configures the Web browser as a Web-Proxy client

Multiple Firewall Clients Installation by Group Policy
For multiple hosts, you can use Group Policy to install the Firewall Client automatically from a network folder. First, copy the file ms_fwc.msi from the ISA Server Client directory to a network folder. Then use the following process to tell the hosts to install the application from that folder. For this purpose it is useful to have the Group Policy Management Console installed on the domain controller (or on the admin's workstation). This console is available as a free installation package named gpmc.msi on the Microsoft Website.
1. Place the file ms_fwc.msi in a shared network folder.
2. Log in to the domain controller and run the Group Policy Management console from Administrative Tools, or run the console from a workstation and connect it to the domain controller.

3. Expand the domain tree down to the organizational unit containing the hosts on which the application should be installed. Right-click this unit and select Create and Link GPO Here.

Figure : Create policy

4. Choose an appropriate name for the new policy, such as Install FW application.
5. Right-click the policy and select Edit.

Figure : Policy editing

6. In the policy editor tree, open Computer Configuration, then Software Settings, and on the item Software installation select New and Package. A dialog for locating the MSI installation package opens. Browse to the package via My Network Places, the domain name, the server and the shared folder.
7. Choose the deployment method Assigned and press OK.

Figure : Inserting MSI packet

Figure : Automatic installation of the client during the startup

The Firewall Client application will be installed on all hosts under the Active Directory organizational unit with this installation policy, at the latest after the second restart. The default Firewall Client setting is automatic ISA Server detection. Thus, if automatic detection support is enabled on the network (on ISA Server and in DNS), the automatically installed clients can communicate with ISA Server without any further settings.

Firewall Client Configuration from ISA Server
You can set the Firewall Client configuration in the ISA Server console. This configuration includes how the Firewall Client sets up the Web-Proxy client and which domain names are considered LAN hosts. Another configuration option is to define exceptions to the Firewall Client function, such as which applications use the SecureNAT client rather than the Firewall Client, or to modify the port numbers used for Firewall Client to ISA Server communication or for ISA Server to destination server communication.

Verifying Firewall Client Support and Local Domain Configuration:
1. Run the ISA Server management console.
2. Find the Networks item in the navigation tree. Select the Networks tab in the middle pane and open the Internal network properties.
3. Select the Firewall Client tab in the Internal network properties. The option Enable Firewall client support for this network must be selected on this tab so that Firewall Clients can be used; it is enabled by default for the Internal network. At the bottom of the tab you can affect the user's Web browser settings made by the Firewall Client; this setting was discussed in the Web-Proxy client configuration part.

Figure : Firewall Client network properties panel

4. On the Domains tab, enter the name used for the internal domain. The Firewall Client connects directly to those local hosts (or servers) whose IP address or domain name matches the settings on the Addresses or Domains tabs, rather than communicating through ISA Server.

Figure : local domain settings

5. Apply the settings on ISA Server.

Firewall Client Advanced Settings
You can set the Firewall Client to behave differently for different applications. Some applications are prevented from using the Firewall Client; for some, DNS names are resolved directly by the client rather than by ISA Server; and for some, pre-defined communication ports are used. This configuration is performed from the ISA Server console, and the client reloads it either on startup or after a time-out expires.
1. Open the ISA Server console. Select Configuration and General in the tree menu. Click Define firewall settings in the middle pane.
2. On the Connection tab of the Firewall Client settings window you can enable an unencrypted (plain) connection between the Firewall Client and ISA Server. Allow the plain connection only when necessary for older operating systems (Windows 98, Me, NT 4.0).
3. On the Application Settings tab you can set the Firewall Client behavior for different applications.

Figure : Firewall Client application settings

The default Firewall Client settings for applications are shown in the figure. Applications such as Outlook or exchng32 are prevented from using the Firewall Client; if a default TCP/IP gateway is set, the SecureNAT client is used for their communication with the Internet. You can also see that the communication ports to be used for the TCP and UDP protocols are assigned to the realplay application. Besides the global Firewall Client settings on ISA Server, any client's configuration can be extended or modified in the configuration files or in the All Users profile files. However, you mostly do not need to change these settings, so they are not discussed here any further. Read http://www.microsoft.com/technet/isa/2006/clients.mspx for more detailed information on this topic.

Firewall Configuration
The ISA Server firewall configuration consists of several parts. The main part is the set of Firewall rules that enable host-to-host communication between different networks according to the chosen protocols. Detection of well-known attacks and prevention of server overloading are the other security elements.

Initial Configuration with Template


After installation, no communication may pass through ISA Server at all. Two conditions are essential for enabling communication:
1. There must be a Network rule between the networks. A basic skeleton of network rules is set up after ISA Server installation.
2. There must be a Firewall rule enabling the given communication type. After installation there is only one rule, which disables any communication.
ISA Server offers multiple templates with the typical network and Firewall rules for a given network security type. For simple networks with a single ISA Server you can use the Edge Firewall template. This template is applied automatically after ISA Server installation, but only for the network rule settings; the Firewall rules enabling basic network access are not applied from it. Thus, if you want to set the first rules enabling basic HTTP Web access, you can apply this template on ISA Server with its pre-defined Firewall rules. Use the following process to apply the template:
1. Log in to ISA Server and run the ISA Server management console. Select Configuration and Networks in the navigation tree in the left console pane. You get to the panel where you configure the firewall networks and the communication rules between them. Select the Templates tab on the right edge of the console.

Figure : Templates for settings

2. Click the icon Edge Firewall. A settings wizard starts. Press Next on the welcome screen. On the next screen you can export the current ISA Server settings; applying a template discards the current settings, so pay attention to the export option.
3. In the next part of the wizard you can modify the IP address range that defines the Internal network. This screen has the same function as the similar screen in the ISA Server installation.

Figure : Internal network settings

4. Press Next to continue to the next screen of the template wizard, Select a Firewall Policy. Here you choose which Firewall policy rules the template defines. There are a few options:

Figure : Firewall rules in the template

a. Block all: all communication through ISA Server is disabled. This option is used during ISA Server installation.
b. Block Web access, allow access to ISP network services: this option makes the ISP services available. In particular, it makes the external DNS server available to internal-network clients and VPN clients.
c. Allow limited Web access: this option sets the Firewall rules so that the Web is available to internal-network clients and VPN clients over the HTTP, HTTPS and FTP protocols, and VPN clients are allowed to communicate with the internal network.
d. Allow limited Web access and access to ISP network services: this option extends option c with access to the external DNS server from the internal network.
e. Allow unrestricted access: this option allows unlimited communication to the Web from the internal network using any protocol. Unlimited communication from the VPN Clients network to the internal network and to the Web is allowed, too.
5. Select the pre-defined communication type you want and finish the wizard. Then apply the settings on ISA Server.
6. Check the Firewall rules just set up in the ISA Server console by selecting Firewall Policy in the navigation tree.

The figure shows the rules for limited Web access and ISP services contained in the Edge Firewall template. Rule 1 allows all users HTTP, HTTPS and FTP communication to the Web from the Internal and VPN Clients networks; rule 2 makes the DNS server available; and rule 3 allows any communication between VPN clients and the internal network.

Figure : Network rules and firewall policy for the Edge Firewall template with Allow limited Web access and access to ISP network services

Firewall Policy
The Firewall policy establishes which communication the firewall allows. The policy consists of rules built from the elements shown in the following figure; each element is listed with how it can be set.

Figure : Firewall policy rule elements

On any attempt to communicate, ISA Server proceeds as follows:

1. The source host, destination host (server) and communication type (protocol) are identified from the request received by ISA Server. First, the networks containing the source and destination hosts are determined. If there is a Network rule between these networks, ISA Server continues by evaluating the Firewall policy; if not, the communication request is ignored.
2. ISA Server then evaluates the Firewall policy from the beginning and looks for the rule applicable to this communication. The rule must match the communication request in the following points:
a. communication protocol (such as DNS, HTTP or FTP)
b. source entity (such as network, IP address, ...)
c. destination entity (such as network, IP address, ...)
d. other conditions (such as user group, time schedule, ...)
3. If the rule being evaluated is applicable to the requested communication (according to point 2), the action defined in that rule is applied and the evaluation ends; the requested communication is thus either enabled or disabled. If the current rule does not match, the next rule is evaluated according to point 2. This is repeated until an applicable rule enabling or disabling the communication is found.
4. If no applicable rule is found, the evaluation ends on the last (default) rule, which cannot be modified or removed. This rule applies to all communication and disables it. The approach follows the principle "whatever is not permitted is prohibited".

Access Authentication
If, while evaluating a rule, ISA Server finds that it is defined only for specific users (that is, not for All Users), the client is asked to authenticate. For a Firewall Client, the login is performed transparently with the user's account. For a Web-Proxy client, the login is also transparent in the default settings, using Windows Integrated Authentication. However, if the Web-Proxy host is not an Active Directory member, another authentication method has to be used, such as the HTTP protocol's built-in Basic Authentication. After the user's identity is checked, the validity of the evaluated rule for that user is checked. If it is valid, the action defined by the rule takes place and evaluation ends; otherwise ISA Server continues with the next rule. Here the problem with a pure SecureNAT client arises. As mentioned above, no user of a SecureNAT client can be determined. Thus, if ISA Server finds a rule matching the given communication that requires verifying the user, the SecureNAT client cannot authenticate, so ISA Server stops evaluating the rules and drops the SecureNAT client's connection request.
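As an added illustration of the evaluation order just described (not code from the guide or from ISA Server), the following Python simulation walks a constructed policy the way steps 1 to 4 and the authentication rule prescribe. The network, protocol, rule and user names are assumptions modelled on the guide's school.local examples.

```python
"""Simulation of the ISA Server 2006 firewall-policy walk described above.

Added example, not ISA Server code. Network, rule and user names are
constructed to mirror the guide's school.local examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Protocol objects as in the Toolbox: name -> {(transport, destination port)}.
# The guide shows DNS as TCP 53; UDP 53 is added here as an assumption.
PROTOCOLS = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS": {("tcp", 53), ("udp", 53)},
}

# Network objects; any address outside the defined networks is External.
NETWORKS = {
    "Internal": ip_network("10.0.0.0/24"),
}

# Network rules (source, destination): constructed after the Edge Firewall
# template, which gives a NAT rule from Internal to External and nothing inbound.
NETWORK_RULES = {("Internal", "External")}

# Custom Users objects created from the Toolbox (constructed membership).
USER_SETS = {"Teachers": {"alice"}, "Students": {"bob"}}

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: set               # protocol object names
    sources: set                 # network names
    destinations: set            # network names
    users: str = "All Users"     # or "All Authenticated Users" or a set name

@dataclass
class Request:
    src: str
    dst: str
    transport: str
    dst_port: int
    client: str                  # "firewall", "webproxy" or "securenat"
    user: Optional[str] = None   # None: the client cannot authenticate

def network_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"

def network_rule_exists(src_net: str, dst_net: str) -> bool:
    return (src_net, dst_net) in NETWORK_RULES

def user_matches(rule: Rule, req: Request) -> Optional[bool]:
    """True/False for an authenticated user; None when the client cannot
    authenticate at all (SecureNAT), which makes ISA Server stop evaluating."""
    if rule.users == "All Users":
        return True
    if req.client == "securenat" or req.user is None:
        return None
    if rule.users == "All Authenticated Users":
        return True
    return req.user in USER_SETS.get(rule.users, set())

def evaluate(policy: list, req: Request) -> tuple:
    """Return (action, rule name) following the guide's steps 1 to 4."""
    src_net, dst_net = network_of(req.src), network_of(req.dst)
    if not network_rule_exists(src_net, dst_net):     # step 1
        return ("ignored", "no network rule")
    for rule in policy:                               # step 2: first match
        proto_ok = any((req.transport, req.dst_port) in PROTOCOLS[p]
                       for p in rule.protocols)
        if not (proto_ok and src_net in rule.sources
                and dst_net in rule.destinations):
            continue
        verdict = user_matches(rule, req)
        if verdict is None:                           # SecureNAT: dropped here
            return ("deny", rule.name + " (authentication required)")
        if verdict:                                   # step 3
            return (rule.action, rule.name)
    return ("deny", "Default rule")                   # step 4

# Constructed policy in the guide's style: DNS for everyone, Web for named sets.
POLICY = [
    Rule("DNS Communication", "allow", {"DNS"}, {"Internal"}, {"External"}),
    Rule("Web access for teachers", "allow", {"HTTP", "HTTPS"},
         {"Internal"}, {"External"}, users="Teachers"),
    Rule("Web access for students", "allow", {"HTTP"},
         {"Internal"}, {"External"}, users="Students"),
]
```

Note that the SecureNAT request for HTTP is dropped at the first rule that names users, even though a later rule could have matched an authenticated student; that is exactly the drawback the text describes.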

Objects to Set Up the Policy


ISA Server uses various objects when setting up the policy, such as communication protocols, hosts, users, etc. After ISA Server installation a default set of such objects is available: in particular protocol definitions, user groups representing all users or all authenticated users, content types for HTTP communication, time schedules for working hours and for the weekend, and network objects for defining source and destination hosts. The ISA Server admin can define further objects for creating their own rules; user objects and network locations are defined most often. These objects can mostly be created and modified together with the Firewall policy, or they are available from the Toolbox.

Toolbox Overview
1. Open the ISA Server console and select Firewall Policy in the navigation tree.
2. Select the Toolbox tab in the right pane.
3. Browse the pre-defined objects; double-click an object to view its definition. You can modify every user-defined object and some pre-defined objects this way.

Figure : Toolbox and network groups All Protected Networks definition

Users
Toolbox user objects provide the user definitions for which a given access rule is valid. The pre-defined user sets are as follows:
All Authenticated Users: all logged-in users
All Users: all users including anonymous ones
System and Network Service: a special user group containing the user accounts that run the operating system and network services

Creating a new Users object:
1. Select Users in the Toolbox and click New.
2. Enter a name for this group (such as Teachers) on the first screen. Click Next.
3. Add users or user groups to the object being created on the next screen. Click Add to insert users from the Active Directory domain and select the option Windows Users and Groups. A window for searching Active Directory opens. Press Locations to choose the domain in which users or user groups are searched. Type the user name or user group name into the text field and press Check Names to verify the entered data. Press OK to add the selected users or user groups to the ISA Server Users object.

Figure : Including an user group from a domain

4. You can include multiple user accounts or groups. Finish the wizard after completing the modifications and apply the setup on ISA Server.

Schedules
The Schedules objects in the Toolbox provide time schedule definitions. With these schedules you can restrict the validity of a Firewall policy rule to specific days or parts of days. The pre-defined time schedules are as follows:
Weekends
Work hours

You can modify the pre-defined schedules to your own needs or create new ones. The figure shows how a time schedule is defined: the working area contains a table with 7 rows and 24 columns, and the active time slots of the schedule are represented by blue squares.
Editing the Work hours schedule:
1. Select Schedules in the Toolbox.
2. Select the Work hours schedule and click Edit.
3. You can modify the schedule name and description. The schedule itself is modified on the Settings tab: select an area in the table with the mouse and choose Active or Inactive below the table.

Figure : Work hours plan

Network Objects
Toolbox network objects are used to define the communication source and destination. These objects are divided into a few groups:
Networks include the networks defined on ISA Server, both default and user-defined.
Network Sets make working with networks easier (similarly to user groups containing user accounts). The pre-defined network sets are All Networks, containing all ISA Server networks, and All Protected Networks, containing all ISA Server networks except External.
Computers are objects defining particular hosts. A host is defined by its IP address.
Address Ranges are network objects defined by an IP address range given by its first and last IP address.
Subnets are objects defined by subnets.
Computer Sets are objects defining a group of multiple hosts by their IP addresses. ISA Server contains an important computer set called Remote Management Computers, which defines the IP addresses of hosts that can be used for remote monitoring and management of ISA Server.
URL Sets define network locations by URLs (such as http://www.microsoft.com/).
Domain Name Sets are objects defined by DNS domain names. They contain pre-defined objects for communication with Microsoft servers for updates and error reporting.
Web Listeners are objects used for publishing Web services from the internal network to the Web.
Server Farms are used for defining server farms on the internal network. A Web server farm is a group of hosts running the identical Web presentation in order to spread the communication load among the particular servers.

You can adapt most of these objects to your own needs, or define your own. For instance, if only some selected servers should be available to students, you can set up a group of domain names or URLs and use it as the communication destination when creating the Firewall policy. The figure shows the domain name set System Policy Allowed Sites, which defines the Web servers that ISA Server itself may use for HTTP communication. In the default settings, no servers but the Microsoft ones can be reached from the Web browser on ISA Server.


Figure : Example of a defined object Domain Name Sets

Protocols
Protocol objects in the Toolbox are used to identify the communication protocol. All common protocols are pre-defined, so you mostly don't need to amend them. The protocol definitions are based on identification data typical for the given communication. For instance, the HTTP protocol is defined as a TCP connection to destination port 80, which is the standard port on which Web servers run. The mail protocol POP3 is defined as a TCP connection on port 110. It is important to note that many protocols have two definitions, for instance POP3 and POP3 Server. Protocols without the Server tag are typically used for setting up access rules for internal network clients accessing a server with the given protocol. Protocols with the Server tag are used for publishing internal network services on the Internet. The Toolbox groups protocols into a few categories according to their use. The next figure shows the DNS protocol definition: an outgoing TCP connection on port 53.


Figure : Protocol categories in Toolbox and DNS protocol definition

Access rules
Firewall access rules are used for allowing communication from the internal network to the Web. To set up a rule for HTTP communication from the internal to the external network, use the following steps:
1. Open the ISA Server console and select Firewall Policy in the navigation tree.
2. Right-click the Firewall Policy item in the tree and select New and Access Rule. Alternatively, select the Tasks panel in the right pane and click Create Access Rule.
3. Type in the rule name on the first screen, such as Web access, and press Next to continue.
4. Select the rule action on the next screen. The Deny action will block the communication defined by this rule, the Allow action will permit it. Select Allow and go to the next wizard screen.
5. Select the communication protocols for this rule on the next screen. Press Add to open the protocol list. Find the HTTP and HTTPS protocols and add them. Ensure that the option Selected protocols is really selected in the drop-down menu, so that the rule applies only to these specific protocols.


Figure : Access rule protocols

6. Add the network object identifying the communication source on the next wizard screen. Press Add and add the Internal network. Go to the next wizard screen to choose the communication destination and add the External network.

Figure : Access Rule - communication source and destination

7. On the next screen you can define for which user group the rule applies. Leave the pre-defined value All Users unchanged and finish the wizard.
8. Apply the settings on ISA Server.
9. Right-click the created rule and choose Properties. Review the rule properties and how to modify them.


Figure : Access rule

10. The rule properties contain several panels. You can modify the rule name and its description on the General panel. You can change the rule action, allowing or denying the communication, on the Action panel, and the communication protocols of the rule on the Protocols panel. The communication source and destination are set on the From and To panels. Notice that each of them has two fields: the first sets the source or destination, the second defines exceptions. For instance, a rule can be valid for any communication from the Internal network except some group of hosts. Similarly, on the Users panel you can set the users for whom the rule is valid, again including exceptions. Finally, you can set or create a time schedule for the rule on the Schedule panel, and you can block the relay of particular content types over HTTP (such as pictures, music, videos etc.).

Figure : Rule properties (modification)

You can temporarily disable a rule using the disable icon in the console, i. e. such a rule will not be evaluated on any attempt to communicate. The enable icon re-enables the disabled rule. When enabling or disabling a rule, you have to apply the modification on ISA Server. Rules are evaluated in the listed order (the Order field in the Firewall Policy window). You can change this order using the move up and move down icons (which increase or decrease the rule priority). These operations can also be made using the context menu (right-click) of a particular rule, or in the Tasks panel in the right console pane.

Web Access Limitations
A rule enabling HTTP and HTTPS communication with the external network for all users was set up using the process above. Let's consider the case that you would like to allow all students to communicate only with selected servers.
1. Create a user group (user set) Students in the Toolbox and insert the group representing all students from Active Directory.
2. Create a network object of type URL Sets named students URLs. Include the URLs that should be available to students into this object.

Figure : New object URL set

3. Set up a new access rule according to the process above, this time denying HTTP and HTTPS communication for the user group Students from the Internal network to the External network.
4. After finishing the wizard, open the rule properties and define the exception from the destination on the To panel. The External network is selected as the destination; add the network object students URLs as an exception into the lower table.


Figure : Access rule properties - exception from the destination

5. Close the rule properties and move this rule to the position before the rule allowing HTTP communication for all users.
6. Check that this rule is now placed above the rule allowing Web access for all users.
7. Apply the settings on ISA Server. The following figure shows how the Firewall Policy looks after finishing both processes above.

Figure : Example of Web access configuration

This configuration denies students access to the Web except for the allowed URLs. The first rule, denying the communication, is applied when a student tries to access blocked content. If a student wants to access an allowed destination (students URLs), the first rule cannot be applied because the destination does not match (it is listed as an exception), so ISA Server goes on to the second rule. This rule matches the source, destination and protocol used, so the student is allowed to access the Web. In other words, the second rule allows Web access for students too, but only to the particular destinations (students URLs), because all other accesses are filtered out by the first rule. For non-student users the first rule cannot be applied because they are not members of the Students group, so ISA Server goes to the second rule and allows Web access.
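The first-match evaluation described above, modelled in Python as an added example (this is not ISA Server code): two ordered rules with the students URLs set as a destination exception, evaluated for a student and a non-student, and once more with the rules in the wrong order. The user sets, networks and URLs are constructed sample data, and evaluate() denies when no rule matches, as the default rule does.

```python
"""Model of ISA Server first-match access rule evaluation (added example).

Not ISA Server code: it models the two-rule Web access policy from the
text, a Deny rule for the Students user set (Internal to External, with
the students URLs set as a destination exception) placed above the Allow
rule for All Users. Users, networks and URLs are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                      # "Allow" or "Deny"
    protocols: set                   # e.g. {"HTTP", "HTTPS"}
    sources: set                     # From panel: networks
    destinations: set                # To panel: networks
    dest_exceptions: set = field(default_factory=set)  # To panel, lower table
    users: set = field(default_factory=lambda: {"All Users"})
    user_exceptions: set = field(default_factory=set)


@dataclass
class Request:
    user_groups: set                 # groups of the authenticated user
    src_network: str
    dst_network: str
    protocol: str
    url: str


def url_in_set(url: str, url_set: set) -> bool:
    """A URL set entry matches when the requested URL starts with it."""
    return any(url.startswith(prefix) for prefix in url_set)


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule applies only when protocol, From, To and Users all match and
    none of the exceptions do; an exception makes the rule not match, so
    evaluation simply continues with the next rule."""
    if req.protocol not in rule.protocols:
        return False
    if req.src_network not in rule.sources:
        return False
    if req.dst_network not in rule.destinations:
        return False
    if url_in_set(req.url, rule.dest_exceptions):
        return False
    if "All Users" not in rule.users and not (req.user_groups & rule.users):
        return False
    if req.user_groups & rule.user_exceptions:
        return False
    return True


def evaluate(policy: list, req: Request) -> tuple:
    """Walk the ordered policy; the first matching rule decides. With no
    match the implicit default rule at the end of the list denies."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "Deny", "Default rule"


STUDENT_URLS = {"http://www.school.local/", "http://www.wikipedia.org/"}

DENY_STUDENTS = Rule("Students limited access", "Deny", {"HTTP", "HTTPS"},
                     {"Internal"}, {"External"},
                     dest_exceptions=STUDENT_URLS, users={"Students"})
ALLOW_ALL = Rule("Web access", "Allow", {"HTTP", "HTTPS"},
                 {"Internal"}, {"External"})

POLICY = [DENY_STUDENTS, ALLOW_ALL]       # the order the text arrives at
WRONG_ORDER = [ALLOW_ALL, DENY_STUDENTS]  # the Deny rule is never reached


def student(url: str) -> Request:
    return Request({"Students"}, "Internal", "External", "HTTP", url)


def teacher(url: str) -> Request:
    return Request({"Teachers"}, "Internal", "External", "HTTP", url)


if __name__ == "__main__":
    print(evaluate(POLICY, student("http://www.wikipedia.org/wiki/Firewall")))
    print(evaluate(POLICY, student("http://www.example.com/")))
    print(evaluate(POLICY, teacher("http://www.example.com/")))
    print(evaluate(WRONG_ORDER, student("http://www.example.com/")))
```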

System Policy
The ISA Server system policy is a special set of firewall access rules. These rules have a higher priority than the rules defined by the administrator, and they apply only to communication between the Local Host network and some other network. Thus, these are the rules enabling network communication to and from ISA Server itself. They are defined automatically with default values after installing ISA Server.

Figure : System policy

| Name | Description | Default value |
|------|-------------|---------------|
| DHCP | Allow use of the DHCP protocol to configure the ISA Server network adapters in specified destinations | Internal |
| DNS | Allow ISA Server to access DNS servers in specified destinations | All Networks |
| Active Directory | Allows communication with the domain controller | Internal |
| Microsoft Management Console (MMC) | Allows remote ISA Server management using MMC (including the ISA Server MMC) | Remote Management Computers |
| Terminal Server | Allows connecting to ISA Server using Remote Desktop (Terminal Services) | Remote Management Computers |
| ICMP (ping) | Allow ICMP (PING) requests from selected computers to ping ISA Server | Remote Management Computers |
| ICMP | Allow ICMP requests from ISA Server to other computers | All Networks |
| Windows Networking | Allow NetBIOS from ISA Server to trusted servers | Internal |
| SMTP | Allow SMTP from ISA Server to trusted servers | Internal |
| Scheduled Download Job | Allow HTTP from ISA Server to selected computers for Content Download Jobs | Switched off |
| Allowed Sites | Allow HTTP/HTTPS requests from ISA Server to specified sites | System Policy Allowed Sites |

Table : Some system policy properties

Only the substantial parts of the system policy are listed in the table rather than its complete content. Any policy component (access rule) can be enabled or disabled, and its source or destination can be re-defined. If you want to configure the external ISA Server adapter from the ISP's DHCP server, for instance, add the External network in addition to the Internal network in the DHCP system policy rule, or add a Computer network object representing the ISP's DHCP server by its IP address. Next, notice that the diagnostic and administrative policy components are available for the Remote Management Computers computer set. This set of hosts (IP addresses) defines the hosts which may manage ISA Server remotely using the console or remote desktop, and from which you can ping the ISA Server (i.e. verify that it is running). Add the hosts from which you are going to perform remote ISA Server management to Remote Management Computers. You can modify this computer set in the Toolbox of the ISA Server console, for instance.

Application Filters
Up to now, the firewall access rules were considered as rules defining packet and stateful filtering. Those rules work on the network and transport layers of the ISO/OSI model. However, ISA Server also supports filtering on the highest layer, the application layer. Packet and stateful filtering allowed you to set up a connection between a client and a server on different hosts; this connection is then used for data transfer by the application protocol. Application filters inspect the communication inside the established channel to protect particular client or server applications (services) against attacks. ISA Server contains a few built-in application filters. The primary purpose of some filters is to enable communication with a given protocol across the firewall, because the protocol was not designed to work over a filter; the FTP access filter and the PPTP filter are examples. Other filters are primarily used to prevent attacks based on the protocol; the DNS filter, SMTP filter and HTTP filter are examples of such filters.

Figure : ISA Server application filters

Application filters are available in the ISA Server console: select Configuration and Add-ins in the navigation tree. As for configuration, only the SMTP filter is of interest: the list of allowed SMTP commands can be modified by editing the filter. Application filters are mostly attached to the server protocol objects in the Toolbox, to protect internal servers published on the Web, or to protocols requiring special handling when operating over a firewall.


Figure : DNS server protocol with application filter

HTTP Application Filter


The HTTP application filter provides wide possibilities for protecting internal Web servers and for filtering unwanted documents. The HTTP filter configuration is available from the properties of an access rule allowing HTTP communication, or from the context menu of such a rule.

Figure : HTTP filter configuration

The HTTP application filter is able to:
restrict the maximum length of HTTP headers and HTTP protocol data;
restrict the maximum allowed URL length;
restrict the relay of executable files over HTTP;
restrict HTTP methods (e.g. GET, POST etc.);
restrict the relayed file types using their extensions;
restrict the relay of documents containing defined text strings in the header or in the body.

The HTTP filter is configured on each rule allowing HTTP communication separately. Follow the next steps to set up the HTTP filter:
1. Select Firewall Policy in the ISA Server console. Right-click the selected rule and choose Configure HTTP. The given rule must allow HTTP communication.

Figure : HTTP application filter

2. You can modify the maximum header and body length on the General panel in the Request Headers and Request Payload sections. By checking a box in the Executables section, you can block the relay of executables over HTTP. You can restrict the maximum URL length in the URL Protection section and check URL correctness using the options Verify normalization and Block high bit characters.
3. You can block selected HTTP methods, or block all but the chosen ones. The GET and POST methods are typically used to pass parameters from the client to the Web server.
4. You can block the transfer of files with selected extensions, or allow only the enumerated ones.


Figure : Disabling the compressed files relay

5. You can block particular headers in HTTP requests or responses. Programs using HTTP to communicate often insert special headers into HTTP.
6. On the Signatures panel, you can block HTTP communication containing certain text strings in the header or in the body. Such text strings and data are inserted by different applications using HTTP for communication, and they may be detected in the headers or bodies of both HTTP requests and responses, and in the request URL. Whether a particular application should be allowed follows from an analysis of that application's communication. You can perform such an analysis using communication monitoring tools, or you can look up the typical signatures of common Web applications at http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx. When searching for a signature in the request body or in the response body, you should set the actual lookup range from the start of the document in the Byte Range field.


Figure : Blocking the application transferring data using HTTP

7. Apply the settings on ISA Server after modifying the HTTP filter.
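The checks listed in steps 2 to 6, modelled in Python as an added example that is not ISA Server's own code: it applies length limits, normalization and high-bit checks, blocked methods and extensions, and signatures with a byte range to constructed sample requests. The limits, the X-Example-App header and the signature texts are constructed values, and the normalization check assumes the filter's rule is that no percent escapes may remain after one round of decoding.

```python
"""Model of the per-rule HTTP filter checks (added example, not ISA Server
code). Limits, the X-Example-App header and the signature texts are
constructed sample values."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpFilterConfig:
    max_headers_length: int = 32768      # Request Headers limit (bytes)
    max_payload_length: int = 1_000_000  # Request Payload limit (bytes)
    max_url_length: int = 260            # URL Protection: maximum URL length
    verify_normalization: bool = True    # URL Protection: Verify normalization
    block_high_bit: bool = True          # URL Protection: Block high bit characters
    blocked_methods: frozenset = frozenset({"TRACE", "CONNECT"})
    blocked_extensions: frozenset = frozenset({".exe", ".zip", ".rar"})
    # Signatures: (text, where, byte range start, byte range end); the byte
    # range applies to bodies only. "where" is request_headers, request_body
    # or url. Constructed sample signatures, not real application signatures.
    signatures: tuple = (("X-Example-App", "request_headers", 0, 0),
                         ("EXAMPLEAPP", "request_body", 0, 100))


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict
    body: bytes = b""


def check_request(req: HttpRequest, cfg: HttpFilterConfig) -> list:
    """Return the names of the filter checks the request violates; an empty
    list means the HTTP filter lets the request through to the rule."""
    violations = []
    raw_headers = "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
    if len(raw_headers) > cfg.max_headers_length:
        violations.append("headers too long")
    if len(req.body) > cfg.max_payload_length:
        violations.append("payload too long")
    if len(req.url) > cfg.max_url_length:
        violations.append("URL too long")
    decoded = unquote(req.url)
    # Verify normalization: after one round of decoding no percent escapes
    # may remain; if they do, the URL was encoded twice.
    if cfg.verify_normalization and "%" in decoded:
        violations.append("URL not normalized (double encoding)")
    if cfg.block_high_bit and any(ord(ch) > 127 for ch in decoded):
        violations.append("high-bit characters in URL")
    if req.method.upper() in cfg.blocked_methods:
        violations.append(f"method {req.method.upper()} blocked")
    path = urlsplit(decoded).path.lower()
    for ext in sorted(cfg.blocked_extensions):
        if path.endswith(ext):
            violations.append(f"extension {ext} blocked")
    for text, where, start, end in cfg.signatures:
        if where == "request_headers" and text.lower() in raw_headers.lower():
            violations.append(f"signature {text} in request headers")
        elif where == "url" and text.lower() in req.url.lower():
            violations.append(f"signature {text} in URL")
        elif where == "request_body" and text.encode() in req.body[start:end]:
            violations.append(f"signature {text} in request body")
    return violations


CFG = HttpFilterConfig()

# Constructed sample requests
PLAIN_PAGE = HttpRequest("GET", "http://www.school.local/index.html",
                         {"Host": "www.school.local", "User-Agent": "Mozilla/5.0"})
DOUBLE_ENCODED = HttpRequest("GET", "http://www.school.local/docs/%2520report.pdf",
                             {"Host": "www.school.local"})
HIGH_BIT = HttpRequest("GET", "http://www.school.local/%C5%A1kola.html",
                       {"Host": "www.school.local"})
EXE_DOWNLOAD = HttpRequest("GET", "http://downloads.example.com/Setup.EXE",
                           {"Host": "downloads.example.com"})
CHAT_CLIENT = HttpRequest("POST", "http://gateway.example.com/gateway",
                          {"Host": "gateway.example.com", "X-Example-App": "1.0"},
                          b"EXAMPLEAPP VER 1")
LATE_SIGNATURE = HttpRequest("POST", "http://gateway.example.com/gateway",
                             {"Host": "gateway.example.com"},
                             b"x" * 200 + b"EXAMPLEAPP")  # past the byte range

if __name__ == "__main__":
    for name, req in [("plain", PLAIN_PAGE), ("double", DOUBLE_ENCODED),
                      ("high-bit", HIGH_BIT), ("exe", EXE_DOWNLOAD),
                      ("chat", CHAT_CLIENT), ("late", LATE_SIGNATURE)]:
        print(name, check_request(req, CFG))
```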

FTP Application Filter


The FTP application filter is attached to the FTP protocol in the Toolbox and is used for rules that mostly allow internal network clients to communicate with FTP servers on the Web. Read only is the default communication mode for such rules, but you can also allow the read/write mode.


Figure : FTP filter

Publishing Internal Servers on Web


Special firewall rules, so-called publishing rules, are used for publishing internal servers to external network users. The rules can be divided into two categories:
Web site publishing rules: for publishing Web servers, including the Exchange server Web interface and SharePoint Services. These rules are rather complex; they allow authenticating incoming requests, and the HTTP application filter can be applied to those requests.
Non-Web server protocol publishing rules: rules for publishing other (non-Web) services, such as SMTP, POP3, IMAP, FTP servers or a terminal server (remote desktop). No authentication is supported by those rules; any authentication can be done only by the application protocol itself after the connection is set up.

Besides setting up both rule types, the ISA Server console provides wizards, for instance for publishing mail services. The wizard then generates several rules of different types for the different ways of accessing mail.

Non-Web Server Protocol Publishing Rules


Non-Web servers can be published using the Non-Web server protocol publishing rules. FTP is a typical example of such a protocol. This rule opens a communication port on the external interface according to the selected protocol; in the case of FTP it is TCP port 21. Any incoming communication to this port on the external ISA Server adapter is forwarded by ISA Server to the internal server defined by its IP address.
FTP Server Publishing
1. Select Firewall Policy in the ISA Server console.


2. Select Publish Non-Web server protocol in the Tasks panel of the right pane to run the wizard.
3. Type in the rule name on the first screen, such as Publishing FTP.
4. Type in the internal FTP server IP address on the next screen.
5. Select FTP Server from the protocol menu on the next screen. Press Ports to modify some default FTP properties if needed. By default, ISA Server listens for incoming connections on port 21 and forwards them to port 21 on the FTP server, too. If ISA Server should listen on another port, or forward the connections to another FTP server port, you can modify the settings here.

Figure : Publishing FTP server

6. Select the networks on which the FTP server is published on the next wizard screen. For Web users, select External.
7. Finish the wizard. Verify the proper settings of the FTP application filter on this rule (configuration item Read-Only).
8. Apply the settings on ISA Server.
Some additional items of the rule can be amended. For instance, you can restrict the communication source or set the time schedule for this rule. Next, you should provide correct DNS translation for Web users. If you want to make the FTP server available as ftp.domain.com, for instance, you should insert a record with the appropriate name into the DNS server translating the domain for Web clients, and set its IP address to the IP address of the external ISA Server adapter.

Figure : Publishing rule for FTP Server

You can publish a terminal server (remote desktop) in the same way using the RDP Server protocol. However, if you publish a second FTP server, you have to publish it on a non-standard port, because port 21 of the external ISA Server adapter is already used by the first FTP server.

Web Server Publishing


You can use Web Site publishing rules for publishing Web servers. These rules use a Web Listener, which is a network object listening for incoming HTTP requests. Based on the requested URL, the Web Listener is able to forward the requests to different internal Web servers (Web, Exchange), to request user authentication, or to filter them with the HTTP application filter. The Web Listener runs on a selected ISA Server adapter (typically on the External network) on the usual Web server port 80, waiting for incoming requests from Web clients.
How to Create a Web Listener
1. Run the ISA Server console and go to Firewall Policy. Select the Toolbox panel.
2. Select Network Objects and Web Listeners in the Toolbox. Press New to run the wizard.
3. Enter a name for the Web Listener.
4. Select Do not require SSL secured connections on the next screen and continue. An SSL connection would require the installation of SSL certificates, which goes far beyond this book.


Figure : Type of connection between ISA server and Web client

5. Select the networks for which the Web Listener will work on the next screen. Leave the External network selected.
6. Select the authentication type for the Web Listener on the next screen, if necessary. Select HTML Form Authentication and leave Active Directory as the authentication provider.

Figure : Setting Web Listener authentication

7. Check the SSO authentication option on the next screen and finish the wizard.
8. Apply the settings on ISA Server.
How to Create a Rule
1. Select Firewall Policy in the ISA Server console. Select Publish Web Sites in the right Tasks panel.
2. Enter the rule name and, on the next screen, the rule action allowing or denying the communication.
3. Select Publish a single Web site or load balancer on the next screen and continue.


4. Select Use non-secured connection to the published Web server on the next screen.
5. Enter the internal server name or its internal IP address on the next screen.

Figure : Web server internal name

6. Leave the optional item Path on the next screen unchanged.
7. Enter the external (Web) name of the Web server on the Public Name Details screen and leave the item Accept requests set to This domain name.

Figure : Web server external name

8. Select the Web Listener set up above on the next screen.
9. Remove the All Authenticated Users group and insert the All Users group on the User Sets screen. The Web server will be available to anonymous users, too.


Figure : Published Web server users

10. Apply the settings on ISA Server. The internal Web server (www.school.local) will be available as www.domain.com from the Web. Thus, the DNS server for the school's public domain has to translate the Web server's public name to the IP address of the external ISA Server adapter.

Mail Server Publishing


Outlook Web Access - OWA
By publishing the Web interface of the Exchange mail server on the Web, you allow Web users to access the mailboxes on the internal Exchange server using a Web browser. To publish the Web mail interface, use the following steps:
1. Select Firewall Policy in the ISA Server console. Select Publish Exchange Web Client Access in the right panel.
2. Type in the rule name.
3. Leave the Outlook Web Access option checked on the next screen and choose the version of the published Exchange server.
4. Select Publish a single Web site or load balancer on the next screen.
5. Leave the Publish non-secured connections option unchanged on the next screen.
6. Type in the internal name of the mail server or its IP address on the next screen.


Figure : Server name

7. Leave the This domain name option checked and type in the Web name of the mail server. The Web name (mail.school.com, for instance) has to be translatable to the IP address of the external ISA Server adapter.

Figure : External name of the published server

8. Select the Web Listener network object to be used for the incoming connections on the next screen. If there is no Web Listener, set one up in the same way as for Web server publishing. For publishing OWA, a Web Listener with HTML form authentication is appropriate.
9. Select NTLM authentication on the next screen and finish the wizard.
10. Apply the settings on ISA Server. A pre-defined Web publishing rule will be created to publish the Exchange Web interface. The interface will be available to Web users under the defined public name (mail.domain.com). If a Web user enters mail.domain.com/Exchange in their Web browser, the ISA Server log-in form appears. After the user's identity is verified, the user is logged in to the Exchange server and is presented with the Web mail interface.


Figure : Form-Based authentication log in form

SMTP server
To allow the internal network mail server to accept mail, you should publish the SMTP server. SMTP is used for delivering mail between the sender's mail server and the receiver's mail server. Use the following steps to publish the SMTP server:
1. Select Firewall Policy in the ISA Server console. Choose Publish Mail Servers in the right Tasks panel.
2. Type in the rule name.
3. Select Server-to-server communication on the next screen.

Figure : SMTP server publishing for accepting mail.

4. Check SMTP on the next screen.


5. Enter the internal mail server IP address on the next screen and continue.
6. Select the network on which the SMTP server is published. Choose External.
7. Finish the wizard and apply the settings on ISA Server. The created rule is shown in the figure below.

The public DNS server taking care of your domain's name translation should be set up so that the mail server's DNS record points to the external ISA Server adapter. Mail sent to the internal mail server by other mail servers will thus arrive at ISA Server, which will forward this SMTP communication to the published Exchange (SMTP) server.

VPN Client Access


VPN clients are used for secure connections to internal network resources through the unsecured public Web. The connection is implemented as an encrypted channel, so monitoring or modifying it is not easy. Clients connected to the internal network over VPN are automatically included in the VPN Clients network. Using firewall access rules, you can define the type of communication allowed to VPN clients. By default, any communication with the Internal network is allowed to VPN clients, using a network rule of the route type.

How to Set Up VPN Server


To configure the VPN gateway on ISA Server, use the following steps:
1. Select Virtual Private Networks (VPN) in the ISA Server console navigation tree. Five steps for setting up the VPN server will be displayed in the middle pane.


Figure : VPN Server configuration

2. Click the Configure Address Assignment Method link in the first step. A window with the TCP/IP configuration options for clients will open. If there is a DHCP server in your internal network, select the Dynamic Host Configuration Protocol (DHCP) option and choose the Internal network through which the DHCP server will be contacted. If there is no DHCP server in your internal network, choose Static address pool and press Add to add the IP address range for configuring VPN clients. This range must not overlap any defined network range, especially the Internal network. If it does, reduce the Internal network's IP range and assign the vacated range to the VPN server static pool.


Figure : Assigning IP addresses to VPN clients

3. Continue with the first step. Click the Enable VPN Client Access link, check the Enable VPN client access option and choose the maximum number of VPN clients. If you are using the internal DHCP server for the configuration, the VPN server will allocate IP addresses obtained from the DHCP server.

Figure : Running VPN server

4. Apply the settings on ISA Server and continue with step 2, i.e. defining the users allowed to connect to the internal network over VPN. Click the Specify Windows Users link. Press Add to add user groups from the Active Directory domain. Select your domain in Locations and type in the group name. Press Check Names to verify that the correct group was entered and press OK to add the group to the VPN-enabled groups. Close the dialogue defining the groups.


Figure : Allowed VPN users

5. Using the Verify VPN Properties link in step 3, ensure that the PPTP protocol is selected, and using the Remote Access Configuration link verify that VPN connections are accepted from the External network.
6. Check that there are network rules and firewall access rules between the VPN Clients and Internal networks (or between other networks, if needed).
7. Apply all settings on ISA Server.

How to Connect Client


Web client hosts have to be configured to connect to the VPN server as clients. Use the following steps for hosts with the Windows XP operating system:
1. Log in to the host. Select Control Panel from the Start menu and choose Network Connections.
2. Run the New Connection Wizard. Press Next to go to the Network Connection Type screen.
3. Select Connect to the network at my workplace and then Virtual Private Network connection on the next screen.
4. Enter the connection name, such as VPN School connection.
5. Enter the destination VPN server IP address or name. This address or DNS name must resolve to the IP address of the external ISA Server adapter.
6. Finish the wizard.
7. Select Connect To from the Start menu and click the created connection.
8. Enter the account name and password of an account authorized to connect to the internal network over VPN, and log in.


There is an option Monitor VPN Clients in the Tasks panel for Virtual Private Networks in the ISA Server console, which opens the connection monitor filtered to show only VPN clients. Thus, you can monitor the current VPN connections to the internal network.

Figure : VPN client

Figure : Currently connected VPN clients

Cache
The ISA Server cache is used for temporarily storing the responses to HTTP and FTP requests. During communication that may be cached, ISA Server stores the received responses, and it can then return the responses contained in its cache without communicating with the destination server. In the default state after installation, the cache is off. You can easily switch caching on by reserving the required disk space on a local disk with the NTFS file system.

Activating Cache
1. Open the ISA Server console and select Configuration and Cache in the navigation tree.

2. Click Define Cache Drives in the right console pane.
3. Select an available hard disk. To reserve the disk space, type in the size in MB into the Maximum cache size field.

Figure : Enabling cache

4. Press Set to confirm.
5. Apply the settings on ISA Server. You have to restart the firewall service to start the cache; do so by confirming the console prompt.

Cache Rules
Similar to the firewall rules, there are cache rules, too. A rule contains the definition of the requested content (the URL address) and how to handle the objects at that URL. The rules are evaluated in the same way as the firewall rules, i.e. sequentially from the first one, looking for a rule matching the given communication. In the default state there is one rule allowing the caching of communication with Microsoft Update servers, and a last default rule caching all communication. You can display the cache rules by choosing the Cache Rules panel of the Cache configuration in the middle pane of the ISA Server console.

Figure : Cache default rules

A cache rule defines a few items for the given content (URL):
Saving to cache: you can enable or disable caching for the given location.
Returning the content: how to return it to a client, with three options:
If there is valid content in the cache, it is returned from the cache; otherwise it is returned from the server (and updated in the cache).
If there is any content in the cache (valid or invalid), it is returned from the cache; otherwise it is returned from the server (and updated in the cache).
If there is any content in the cache (valid or invalid), it is returned from the cache; otherwise the request is dropped.

Own Cache Rule Definition:
1. Select Configuration and Cache in the ISA Server console.
2. Right-click and select New and Cache Rule.
3. Type in the rule name and go to the next wizard screen.
4. Select the network object representing the information source (servers).
5. Select how requests are served from the ISA Server cache. Option one returns only valid pages from the cache; option two returns any version of the object, if there is one. If that fails, the object's server is contacted to receive the new content. Option three serves requests from the cache only: if the required object is not in the cache, the client is not given anything.

Figure : How to work with cache

6. On the next screen, the option Never, no content will be cached prevents the ISA Server cache from storing the content of this source. The second option, If source request headers indicate to cache, allows ISA Server to store the content in the cache unless caching is explicitly prohibited in the HTTP headers. Further options also allow saving dynamic content, offline content, and content requiring user authentication to the cache.


Figure : Storing to cache

7. You can limit the maximum size of cached objects on the next screen. A screen with HTTP caching settings follows. By default, the availability of cached objects (TTL) is set to 20 % of their age, however not less than 15 minutes and not more than 1 day.

Figure : HTTP caching

8. Caching of FTP objects (files) is enabled on the next screen. The default TTL of FTP objects is 1 day.
9. Finish the wizard and apply the ISA Server settings.
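The default HTTP TTL from step 7 and the three content-return options of a cache rule, modelled in Python as an added example (not ISA Server code). Object age is assumed to be measured from the object's Last-Modified time; the URLs, bodies and timestamps are constructed sample values.

```python
"""Model of ISA Server cache rule behaviour (added example, not ISA Server
code): the default HTTP TTL (20 % of the object's age, clamped to 15 minutes
and 1 day) and the three "Returning the content" options. Object age is
assumed to be measured from Last-Modified; all sample data is constructed."""
from datetime import datetime, timedelta, timezone

MIN_TTL = timedelta(minutes=15)
MAX_TTL = timedelta(days=1)
TTL_FACTOR = 0.20  # 20 % of the object's age


def http_ttl(last_modified: datetime, fetched: datetime) -> timedelta:
    """Default HTTP caching setting of the wizard: the TTL is 20 % of the
    object's age, but never less than 15 minutes and never more than 1 day."""
    age = fetched - last_modified
    return max(MIN_TTL, min(MAX_TTL, age * TTL_FACTOR))


class CachedObject:
    """One stored response; valid until fetched + TTL, stale afterwards."""

    def __init__(self, body: str, last_modified: datetime, fetched: datetime):
        self.body = body
        self.expires = fetched + http_ttl(last_modified, fetched)

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires


# The three "Returning the content" options of a cache rule
VALID_FROM_CACHE = "valid from cache, otherwise from server"
ANY_FROM_CACHE = "any version from cache, otherwise from server"
CACHE_ONLY = "any version from cache, otherwise drop the request"


def serve(cache: dict, url: str, now: datetime, mode: str, origin: dict):
    """Decide how a request is answered under the given cache rule option.
    `origin` stands in for the destination server and maps a URL to
    (body, last_modified). Returns (source, body) with source "cache",
    "server" or "dropped"; a response from the server is stored in the cache."""
    obj = cache.get(url)
    if obj is not None and (mode != VALID_FROM_CACHE or obj.is_valid(now)):
        return "cache", obj.body
    if mode == CACHE_ONLY:
        return "dropped", None
    if url not in origin:
        return "server", None          # destination server has no such object
    body, last_modified = origin[url]
    cache[url] = CachedObject(body, last_modified, now)
    return "server", body


def demo() -> list:
    """Constructed scenario: a page modified 10 hours before the first fetch
    (TTL becomes 2 hours), requested again while valid, while stale, and
    after the server has a new version. Returns the decisions taken."""
    t0 = datetime(2006, 9, 1, 8, 0, tzinfo=timezone.utc)
    url = "http://www.school.local/news.html"
    origin = {url: ("news v1", t0 - timedelta(hours=10))}
    cache = {}
    results = [
        http_ttl(t0 - timedelta(days=10), t0).total_seconds(),     # capped at 1 day
        http_ttl(t0 - timedelta(minutes=30), t0).total_seconds(),  # floor of 15 min
        serve(cache, url, t0, VALID_FROM_CACHE, origin),                        # server
        serve(cache, url, t0 + timedelta(hours=1), VALID_FROM_CACHE, origin),   # cache
        serve(cache, url, t0 + timedelta(hours=3), ANY_FROM_CACHE, origin),     # stale, cache
        serve(cache, "http://www.school.local/none.html", t0, CACHE_ONLY, origin),
    ]
    origin[url] = ("news v2", t0 + timedelta(hours=2))  # server now has a new version
    results.append(serve(cache, url, t0 + timedelta(hours=3), VALID_FROM_CACHE, origin))
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```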

Content Download Jobs


Content download jobs store a particular Web presentation into the cache on a regular schedule, so that it is available to clients without waiting for the origin server.
1. Select Content Download Jobs in the Cache panel of the ISA Server console.
2. Click Schedule a Content Download Job in the right pane of the console. A warning is displayed that the Scheduled Download Job item has to be enabled in the ISA Server system policy. Confirm the policy modification and apply the settings on ISA Server.


3. Click Schedule a Content Download Job again in the Tasks panel.
4. Enter the job name.
5. Set the download frequency and its schedule on the next screen.
6. Enter the URL to be downloaded into the cache on the next screen. You can specify whether links found in the downloaded pages should be followed too, and to what depth. Keep the depth as small as the presentation needs: every followed link is fetched by ISA Server itself and stored in the cache, so a deep crawl of a site with many outbound links downloads far more than the pages you wanted.

Figure : Content automatic downloading

7. On the next screen you can specify which content is stored and how long it stays valid.

Figure : Content automatic downloading

8. Finish the wizard and apply the settings on ISA Server. The download job runs according to its schedule, or you can start it immediately from its right-click menu.


Managing and Monitoring ISA


Administrative Role
You manage and monitor ISA Server under an ISA Server administrative role. ISA Server 2006 Standard Edition has three roles:
- ISA Server Full Administrator: full authorization to configure and monitor ISA Server.
- ISA Server Auditor: may examine the firewall configuration and view and configure the monitoring, but not change the firewall configuration.
- ISA Server Monitoring Auditor: may only view the monitoring information.
Assign the least role that covers what a person actually does; only configuration changes need Full Administrator.

The next figure shows the default ISA Server administrative role settings.

Figure : ISA Server default roles

The local administrator account on the ISA Server computer and the BUILTIN\Administrators group (which includes the domain administrators) hold the ISA Server Full Administrator role by default.
Assigning an administrative role to a user:
1. Open the ISA Server console and select Configuration, General in the left navigation tree.
2. Click Assign Administrative Roles in the middle pane.
3. Press Add to add the user or group you want to assign a role to. Press Browse to choose a user or group account from the Active Directory domain. Select the administrative role for that user at the bottom of the window.


Figure : Administrative role definition

4. Apply the settings on ISA Server. A user with an ISA Server role can log in to the ISA Server computer and perform the actions the role allows from the ISA Server console (monitoring, configuring the monitoring, firewall configuration), or manage ISA Server remotely from the ISA Server console on a workstation that is a member of the Remote Management Computers set. Both conditions must hold for remote management: the user needs a role, and the workstation must be in the set.

Monitoring
Monitoring ISA Server plays a substantial role when following the communication, checking that firewall access and publishing rules work as intended, or solving problems with clients that do not get the expected access to the Web. You perform the monitoring from the Monitoring part of the ISA Server console. The Dashboard offers an overview of all the monitoring areas. It summarizes the current status of ISA Server and points the administrator to potential problems: it shows the connectivity verifiers, the state of the ISA Server services, the current number of connected clients, and alerts for various events.


Figure : ISA server dashboard

Alerts
Alerts are configuration items defining how ISA Server reacts to particular situations. ISA Server comes with a rich set of predefined alerts that can be modified or extended. There are three categories of alerts: Information, Warning, and Error. Each alert definition names the event that triggers it and how many occurrences of that event within a time slice are needed to activate it. When an alert is activated it is recorded in the ISA Server console and a predefined action is performed: sending an e-mail, running a program or script, writing an entry to the Windows Event log, or even stopping the ISA Server services. Stopping the services is a drastic action; reserve it for alerts whose cause makes continued operation unsafe, since an event that anyone can trigger cheaply would then let them take the firewall down. You can see the activated alerts in the Dashboard or in the Alerts panel of the ISA Server console.

Figure : Acknowledge or reset alert

You can acknowledge or reset a recorded alert from its drop-down menu. Acknowledging the alert means you have taken note of it: the acknowledged alert is no longer displayed in the Dashboard but stays in the Alerts panel. Resetting the alert removes it from both the Dashboard and the Alerts panel.
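The alert behaviour described above (an event counted within a time slice, actions performed when the threshold is reached, acknowledge hiding the alert from the Dashboard, reset removing it) is shown below as a small engine. This is an added example, not ISA Server code. The rule that an activated alert does not fire again until it has been reset, and the event and action names, are assumptions made to keep the example small.

```python
"""Alert evaluation as described above: an alert definition names the event,
how many events within a time slice trigger it, and the actions to run.
Added example (not ISA Server code); the 'fire once until reset' rule is an
assumption made for the example."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AlertDefinition:
    name: str
    category: str                 # Information, Warning or Error
    event: str                    # event that is counted
    threshold: int = 1            # fire when this many events ...
    window: float = 60.0          # ... occur within this many seconds
    actions: list = field(default_factory=list)  # e.g. "event_log", "email", "stop_services"


class AlertEngine:
    def __init__(self, definitions):
        self.by_event = defaultdict(list)
        for d in definitions:
            self.by_event[d.event].append(d)
        self.history = {d.name: deque() for d in definitions}   # recent event times
        self.active = {}        # name -> {"category", "fired_at", "acknowledged"}
        self.performed = []     # (alert name, action, time) for every action run

    def record(self, event, ts):
        """Feed one event (name, time in seconds); returns names of alerts fired now."""
        fired = []
        for d in self.by_event.get(event, []):
            h = self.history[d.name]
            h.append(ts)
            while h and ts - h[0] > d.window:     # drop events outside the time slice
                h.popleft()
            if len(h) >= d.threshold and d.name not in self.active:
                self.active[d.name] = {"category": d.category, "fired_at": ts, "acknowledged": False}
                for action in d.actions:
                    self.performed.append((d.name, action, ts))
                h.clear()
                fired.append(d.name)
        return fired

    def acknowledge(self, name):
        """Noted by the admin: hidden from the Dashboard, still listed in Alerts."""
        self.active[name]["acknowledged"] = True

    def reset(self, name):
        """Removed from both views; the alert may fire again."""
        del self.active[name]

    def dashboard(self):
        return sorted(n for n, a in self.active.items() if not a["acknowledged"])

    def alerts_panel(self):
        return sorted(self.active)
```

With a definition of "3 denied connections within 10 seconds", three events at 0, 4 and 8 seconds fire the alert and run its actions once; further events do nothing until the alert is reset, and three events spread 20 seconds apart never reach the threshold.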

Figure : Some ISA server alerts

Sessions
The Sessions panel shows the clients currently connected through ISA Server.

Figure : Actual connections with ISA server

Because ISA Server records its log in a database file, the session and log data can be searched efficiently. Click Edit Filter to build your own view of the communication and set the filter conditions that select the information you need. For example, a filter on Web Proxy clients over the last 24 hours, started with Start Query in the Sessions panel, lists all Web Proxy sessions of that period.


Figure : Own filter

Services
The Services panel lists the ISA Server services, one item per service. From here you can check whether they are running and restart them.

Figure : Panel of services

Reports
The ISA Server reporting facilities produce a transparent graphical evaluation of ISA Server activities and communication. ISA Server keeps a short summary of the log data on a per-day and per-month basis; these summaries are the input for reports generated as HTML documents with pictures and graphs. A report may be generated on demand or automatically, say once a week, and can be published automatically to a shared folder on the network or to an internal Web server. A report may contain several parts:
- Summary: basic overview of the most used protocols, Web servers, cache performance and data flow through ISA Server.
- Web usage: more detailed information about clients accessing the Web.
- Application usage: more detailed information about applications accessing the Web.
- Traffic and Utilization: more detailed information about data flow and ISA Server load.
- Security: information about dropped connections and failed authentication.

Figure : A part of a report sample

How to set up a monthly reporting plan:
1. Select Monitoring, Reports in the ISA Server console.
2. Select Create and Configure Report Job in the Tasks panel on the right; a window with the defined report jobs opens.
3. Press Add to run the report job wizard.
4. Enter a report name, such as Monthly Report.
5. Select the data you are interested in on the next screen.


Figure : Report content

6. Select how often the report is generated on the next screen.

Figure : Automatic report generation schedule

7. On the next screen you can publish the report into a shared folder on some server. You can also specify the user account ISA Server uses to write to that folder; it needs write permission both on the file system and on the share. Use a dedicated account with no other rights, and restrict read access to the share: the Web usage part of a report lists which users visited which sites.

Figure : Publishing report

8. On the next screen you can have a notification about each new report sent to an e-mail address.
9. Finish the wizard and apply the settings on ISA Server.
You can generate a single report in a similar way using Generate a New Report in the Tasks panel. The generated reports are listed in the Reports panel on ISA Server. Choosing Publish from a report's drop-down menu stores that report to a location of your choice (such as Documents or the desktop).

Figure : Generated reports

The Tasks panel also contains the part Customize Reports with several links that let you adjust the individual parts of the reports.

Connectivity verifiers
Connectivity verifiers test the availability of servers and services. A verifier can check that a host is on line by sending an ICMP echo request (ping), check that a service is available by establishing a TCP connection to its port, or, for Web servers, send an HTTP GET request and check that content comes back. The three checks are not equivalent: a host that answers ping may still have a stopped service, and a port that accepts connections may still return error pages, so test the Web servers you publish with the HTTP GET check.
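The difference between the TCP connection check and the HTTP GET check is easiest to see in code. The following is an added example, not ISA Server code: a TCP connect verifier and an HTTP GET verifier, each with a timeout and a measured response time, run against a constructed local Web server whose /down page answers 503. The ping check is left out because ICMP needs raw-socket privileges; the local server, its paths, and the helper names are assumptions made for the example.

```python
"""Connectivity verifier logic: a TCP connect check and an HTTP GET check with
a timeout and a measured response time. Added example, not ISA Server code.
ICMP (ping) is left out because it needs raw-socket privileges; the local test
server below is constructed so the checks can run offline."""
import socket
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass
class VerifyResult:
    ok: bool
    millis: int
    detail: str


def _elapsed_ms(start):
    return int((time.monotonic() - start) * 1000)


def tcp_check(host, port, timeout=3.0):
    """'Establish a TCP connection': proves a listener exists, not that it works."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return VerifyResult(True, _elapsed_ms(start), f"tcp {host}:{port} open")
    except OSError as exc:
        return VerifyResult(False, _elapsed_ms(start), f"tcp {host}:{port} failed: {exc}")


def http_check(url, timeout=3.0, expected=(200,)):
    """'Send an HTTP GET request': the service must answer with an expected status.
    A 5xx passes the TCP check but fails this one, which is the point of it."""
    start = time.monotonic()
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "verifier-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:      # answered, but with an error status
        status = exc.code
    except (urllib.error.URLError, OSError) as exc:   # no answer at all
        return VerifyResult(False, _elapsed_ms(start), f"GET {url} failed: {exc}")
    return VerifyResult(status in expected, _elapsed_ms(start), f"GET {url} -> HTTP {status}")


class _Handler(BaseHTTPRequestHandler):
    """Constructed target: / answers 200, /down answers 503."""
    def do_GET(self):
        code = 503 if self.path.startswith("/down") else 200
        body = b"ok" if code == 200 else b"maintenance"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the example quiet
        pass


def start_test_server():
    """Start the constructed target on 127.0.0.1 and an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """A port nothing listens on (bound briefly, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_test_server()
    for result in (tcp_check("127.0.0.1", port), http_check(f"http://127.0.0.1:{port}/"),
                   http_check(f"http://127.0.0.1:{port}/down"), tcp_check("127.0.0.1", free_port())):
        print("UP  " if result.ok else "DOWN", result.millis, "ms", result.detail)
    server.shutdown()
```

Run stand-alone it reports the root page as up, the /down page as down although its TCP port is open, and the unused port as down; the expected status tuple lets you treat a known maintenance answer as acceptable where that is intended.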

Figure : Connectivity verifiers

Logging
As in the Sessions panel, the Logging panel gives you information from the ISA Server log file. The information here deals directly with the communication. The predefined default filter shows all current connections. For each connection you can see the source and destination, the protocol, the user name, and the rule that allowed or denied it. If a problem needs solving, such as a network resource that is unavailable to users who should be entitled to it, this is where you find the rule that blocks them.


Figure : Communication logging

The default filter for the log display is shown in the figure above. Applying it with Start Query displays the current connections of Firewall and Web Proxy clients. Real-time logging (showing the communication as it happens) can consume a lot of CPU time and lower the ISA Server performance, so use the live display only for debugging and troubleshooting and leave it switched off otherwise; the log itself is still written and can be queried afterwards.
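The Sessions and Logging filters above and the report parts described under Reports all work on the same log records. The following added example (not ISA Server code) parses a constructed text log, answers the troubleshooting question "which rule is blocking this client", and computes the figures a Summary and Security report are built from. The log lines and their field names are constructed for the example; the real ISA Server W3C log has more, and differently named, columns, so adapt the #Fields: line when pointing this at an exported log.

```python
"""Querying the ISA Server log the way the Sessions/Logging filters and the
Reports do: find the rule that blocked a client, and summarise traffic.
Added example, not ISA Server code. The log lines are constructed and use a
simplified field set."""
from collections import Counter

# Constructed sample of a text log: a #Fields: header, then tab-separated rows.
SAMPLE_LOG = """#Fields: date\ttime\tclient-ip\tusername\tdest-host\tprotocol\turi\tstatus\trule\taction\tbytes-in\tbytes-out\tcache
2008-01-15\t08:01:10\t10.1.5.21\tSCHOOL\\jnovak\twww.example.org\thttp\t/\t200\tAllow Web for staff\tAllowed\t512\t18320\tHIT
2008-01-15\t08:01:12\t10.1.5.21\tSCHOOL\\jnovak\twww.example.org\thttp\t/news\t200\tAllow Web for staff\tAllowed\t500\t24010\tMISS
2008-01-15\t08:02:30\t10.1.7.40\tSCHOOL\\pupil17\twww.example.org\thttp\t/\t403\tInetBlocker Classroom 3\tDenied\t420\t0\tNONE
2008-01-15\t08:02:31\t10.1.7.40\tSCHOOL\\pupil17\tvideo.example.net\thttps\t/\t403\tInetBlocker Classroom 3\tDenied\t380\t0\tNONE
2008-01-15\t08:03:05\t10.1.5.22\t-\twww.example.org\thttp\t/\t407\tAllow Web for staff\tDenied\t300\t0\tNONE
2008-01-15\t08:04:00\t10.1.5.21\tSCHOOL\\jnovak\tftp.example.org\tftp\t/pub\t200\tAllow Web for staff\tAllowed\t200\t90000\tMISS
"""


def parse_log(text):
    """Return a list of dict records; field names come from the #Fields: line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):          # skip truncated rows
                records.append(dict(zip(fields, values)))
    return records


def query(records, **conditions):
    """Filter like the console's Edit Filter: field=value means equals,
    field__contains=value means a case-insensitive substring match."""
    def matches(rec):
        for key, wanted in conditions.items():
            field, _, op = key.partition("__")
            value = rec.get(field, "")
            if op == "contains":
                if wanted.lower() not in value.lower():
                    return False
            elif value != wanted:
                return False
        return True
    return [r for r in records if matches(r)]


def blocking_rules(records, client_ip):
    """Which rules denied this client, and how often: the first thing to check
    when an entitled user reports that a resource is unavailable."""
    denied = query(records, **{"client-ip": client_ip, "action": "Denied"})
    return Counter(r["rule"] for r in denied)


def summary(records):
    """The numbers a Summary/Security report is built from."""
    allowed = [r for r in records if r["action"] == "Allowed"]
    cache_hits = sum(1 for r in allowed if r["cache"] == "HIT")
    return {
        "requests": len(records),
        "protocols": Counter(r["protocol"] for r in records),
        "top_hosts": Counter(r["dest-host"] for r in allowed).most_common(3),
        "bytes_out": sum(int(r["bytes-out"]) for r in allowed),
        "cache_hit_ratio": round(cache_hits / len(allowed), 2) if allowed else 0.0,
        "denied": sum(1 for r in records if r["action"] == "Denied"),
        "auth_failures": sum(1 for r in records if r["status"] == "407"),
    }
```

For the classroom host 10.1.7.40 the query shows that both denials came from the rule InetBlocker Classroom 3, which answers the "why has the class no Web" question in one look; the same records give the protocol mix, the top destination hosts, the cache hit ratio and the number of failed authentications for the report.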

Figure : Log query sample

Internet Blocking Tool (InetBlocker)


The Internet Blocking Tool application was designed to let users without ISA Server skills control one thing easily: quickly disabling or enabling Web access for particular groups of hosts. Authorized staff (teachers, for instance) can thus control a classroom's Web connection with a simple application.


Figure : Web Blocking Tool application

Installation
The Internet Blocking Tool (IBT) was designed for fast Web disabling/enabling during lessons. It is typically installed on workstations such as the lecturer's computer in a classroom. The application uses components of the ISA Server management console, so the ISA Server management console must be installed on these workstations. The .NET Framework 2.0 must be installed on the workstation as well; if it is missing, you can download it from the Microsoft site or get it automatically through Windows Update.
Installation:
1. Log in to the workstation with an administrator account.
2. Verify that the ISA Server management console is available on the workstation: look for it under Start, Programs, Microsoft ISA Server. Install it from the ISA Server installation media if it is not there.
3. Install the .NET Framework 2.0 if it is not available. The Internet Blocking Tool setup program checks for this component and shows the download address if it is missing.
4. Run Setup.exe from the directory containing the application's installation files.
5. Click Next on the welcome page of the installation wizard.
6. On the next screen you can select the installation folder and choose whether the application is installed for the current user only or for every user of the computer. Install it for all users to place the shortcuts into every user's Start menu.


Figure : Installing IBT

7. Finish the installation wizard. An InetBlocker item appears in the Start menu with two versions of the application:
- InetBlocker: fast disabling/enabling of the Internet connection for the defined host groups.
- InetBlockerAdmin: the same functions plus setting the IP address of the managed ISA Server and defining the host groups managed by the application.

Figure : InetBlocker shortcuts


ISA Server Settings


Remote ISA Server management must be allowed for the workstations running the Internet Blocking Tool. Every host that will manage ISA Server has to be included in the Remote Management Computers set in the ISA Server console.
1. Log in to ISA Server and run the ISA Server management console.
2. Select Firewall Policy in the navigation tree. Select Toolbox, Network Objects in the right panel and double-click Remote Management Computers to edit the set.
3. Press Add to add the hosts allowed to manage ISA Server remotely. You can enter single IP addresses, an IP address range, or a subnet. Add only the specific workstations that need it; adding a whole classroom subnet lets every host in it reach the management interface.
4. Save the Remote Management Computers modifications and apply the settings on ISA Server.

Figure : Modifying Remote Management Computers

If users other than administrators (teachers, for instance) are to block Web access, you have to assign them an ISA Server administrative role. Because blocking is done by modifying the ISA Server configuration, the role has to be ISA Server Full Administrator, which gives those users full control of the firewall, not just of the blocking rule. Consider the service-account setup described below instead of granting the role to individual teachers.
1. Log in to ISA Server and run the management console.
2. Select Configuration, General in the navigation panel.
3. Click Assign Administrative Roles in the middle panel.
4. Press Add to assign an administrative role to users.
5. Type in the user or group name in the form domain\name, or press Browse to find the user or group in Active Directory.
6. Choose the ISA Server Full Administrator role.
7. Save the settings and apply the modifications on ISA Server. From now on the specified users (teachers) can modify the ISA Server settings from the specified hosts.

Figure : Assigning the roles

Alternatively you can create a special (service) user account for ISA Server management, assign it the ISA Server Full Administrator role, and configure the InetBlocker application to use that account and password when managing ISA Server remotely. Teachers and other users who only need to enable or disable the Internet for specified groups of computers are then not ISA Server Full Administrators themselves and cannot manage ISA Server in any other way than through the simple InetBlocker application, which uses the preset credentials of the service account to change the ISA Server configuration. Keep in mind that those credentials still carry the Full Administrator role and live on the teachers' workstations: anyone who can run the application there, or read its configuration, can reconfigure the firewall. Use a dedicated account with a strong password that is not reused elsewhere, keep the Remote Management Computers set to the minimum, and review who is able to log on to those workstations.

InetBlockerAdmin
After installing the Internet Blocking Tool, run InetBlockerAdmin under an administrator account from the Start menu and enter the IP address of the managed ISA Server.
1. Log in to the workstation as administrator.
2. Run InetBlockerAdmin from the Start menu.
3. Click Settings to specify the ISA Server IP address.
4. Type in the internal IP address of the managed ISA Server. You can also set the application to read the current ISA Server settings when it starts, and to log in to ISA Server under another user name (the service account).
5. If you set the application to log in under another name, that account must hold the Full Administrator role. Otherwise the application uses the currently logged-in user.
6. Press OK to confirm the settings.

Figure : IBT settings

Once the ISA Server IP address is set, press Read Rules to download the Internet blocking rules for the defined hosts from ISA Server. These rules are special access rules that the application creates on ISA Server. When the application is used for the first time there are no such rules yet, so nothing is displayed.
Setting up a group
With InetBlockerAdmin you create groups of hosts whose Web access the application controls.
1. Press Add Group to create a group and give it a name.


Figure : Creating a group

2. Select the created group in the list and click Edit Group. A window opens in which you add hosts to the group.

Figure : Modifying the group

3. Press Add to add hosts to the group. You can define them by IP address or IP address range. Press Computer from domain to display the list of computers that have been active in the domain within the last two weeks and select the ones to add to the group. Because the rule matches on IP addresses, it is only as reliable as the addresses are: a host whose DHCP address changed, or on which someone set another address by hand, falls outside the group, so pair the tool with DHCP reservations or static addresses for the classroom.
4. Press OK to finish the modification.
5. Once you have finished creating and modifying the groups, press Save Rules to apply them on ISA Server.

Figure : Saving the settings

As a result, the application creates the defined groups as network objects in the ISA Server Toolbox and a firewall access rule that blocks all Web communication from those host groups, placed at the top of the rule list (highest precedence) so that no allow rule below it can override the block.

Figure : InetBlockers firewall access rule

InetBlocker
The second application, InetBlocker, is a simplified version of InetBlockerAdmin that works with the host groups and settings already defined. It allows neither changing the managed ISA Server IP address nor creating or modifying host groups; it can only allow or disallow Web access for the specified host groups. This makes it easy to use for users (teachers) who are unfamiliar with networking but need to control Web access for a given host group (classroom). The application manages ISA Server either under the logged-in user's account or under the service account defined in InetBlockerAdmin.


Figure : Simplified InetBlocker

When Read Rules is pressed, the application downloads the settings of the defined groups from ISA Server. Select Yes or No for a group of computers to block or unblock the Internet for it, and press Save Rules to apply the settings on ISA Server. The application logs in to ISA Server as the currently logged-in user or as the account defined in the InetBlockerAdmin settings. If that account has no appropriate ISA Server role, the user can neither download the current configuration nor save the modified configuration on ISA Server.

Figure : User without the ISA Server Full Administrator role

Downloading InetBlocker
You can download the InetBlocker application free of charge from the following sites:
http://www.codeplex.com/inetblocker , or
http://www.codeplex.com/inetblocker/Release/ProjectReleases.aspx

Summary
The applications InetBlocker and InetBlockerAdmin offer a simplified interface for fast ISA Server configuration. For them to work properly, make sure that:
- The workstations running these tools have the ISA Server management console installed too.
- The workstations are members of the Remote Management Computers set in the ISA Server console Toolbox.
- The users running the tools hold an ISA Server administrative role that permits configuration changes, or the tools are configured with a service account that holds it.


Appendixes
References
www.microsoft.com/isaserver - Microsoft ISA Server home page
http://www.microsoft.com/technet/isa - ISA Server TechCenter
http://www.microsoft.com/technet/isa/2006/Upgrade_Guide_SE.mspx - Upgrading ISA Server how-to
http://www.microsoft.com/technet/isa/2006/clients.mspx - Detailed information about the ISA Server client types
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx - Typical HTTP application filter settings for blocking well-known services
http://www.isaserver.org - Independent site about ISA Server products

FAQ
Where can I get an application for simple Web blocking (the Web Blocking Tool)? You can download it from http://www.codeplex.com/inetblocker, or from the site Moderní správce: http://www.modernivyuka.cz/spravce
