
Getting started with Microsoft ISA Server 2006

Part I: Installation

Introduction

Microsoft Internet Security & Acceleration Server 2006 (ISA Server) is a firewall and proxy product from Microsoft. It can protect the local network from attackers, restrict Internet access, improve browsing speed for users through caching, and log every connection that passes through the ISA Server.

Put another way, ISA Server is a gateway between the intranet (LAN) and the Internet, so it has more than one network interface; usually it has 2 or 3, depending on the network topology (Edge Firewall, 3-Leg Perimeter, etc.) in your organization.

This post shows how to install ISA Server 2006 Standard Edition on a Windows Server 2003 machine that has 2 network interfaces: one connected to the internal network (LAN) and the other connected to the external network (Internet). The diagram is as below:

Step-by-step

1. Open the ISA Server setup program.

2. Click Next.

3. Enter your license information. Click Next.

4. Select Setup Type. If you want to customize features or change the installation directory, select Custom. Otherwise, select Typical. I leave Typical for convenience.

5. On Internal Network, you must enter your internal IP address range. You can add it manually or select it from a network adapter. Before clicking Next, ensure that your network addresses are configured correctly.

6. On Firewall Client Connections, if you haven't upgraded from a previous ISA Server (ISA 2000 or 2004), leave the check box unchecked and click Next. Otherwise, check the check box before continuing.

7. On Service Warning, click Next. Notice that some services will be restarted or disabled during installation.

8. Click Install.

9. Wait for the installation to finish.

10. You can check "Invoke ISA Server Management when the wizard closes" if you want to configure ISA Server now.

11. Now you have finished installing ISA Server 2006.
Question: How do I set up the network card that is connected to the external network (Internet)? My Internet connection goes through a router to the local ISP with an IP address like 60.25.115.23.

Answer: For the external interface, the IP address should be in the same network as the router, i.e. the same subnet as the router. The gateway points to the router's IP address. The DNS is the ISP's DNS.

Part II: Configure Network Topology

Network Topology
From Part I, you have finished installing ISA Server 2006. Before using the server, you need to do some configuration first. On the Getting Started with ISA Server 2006 page in ISA Server Management, there are 5 steps for setting up ISA Server, as in the figure below.

To use ISA Server, only the first 2 steps in the figure above need to be configured, so this part shows how to configure the Network Topology on ISA Server, which is the first step in the figure above. The second step, I will cover in the next part (Part III). Also, you need to enable clients to access ISA Server by configuring the clients, too. Client configuration will be covered in Part IV.

ISA Server 2006 comes with several predefined network templates. Here are some details of each template. You can select the one that matches your network.
Edge Firewall

This is the standard network topology for a small to medium organization. The ISA Server is the main gateway controlling traffic between the intranet and the Internet. The ISA Server needs 2 network interfaces.

3-Leg Perimeter

This is the standard network topology for a medium to large organization. Compared to the Edge Firewall, there is an additional network, the perimeter network, attached to the ISA Server. The perimeter network or DMZ (Demilitarized Zone) is a less trusted network for serving a Web server, e-mail server, DNS server, etc., so that Internet users can reach these services without access to the internal network. The ISA Server needs 3 network interfaces.

Front Firewall

This is a network topology for an organization where security is a high priority. In this case, there is more than one firewall server. If an attacker compromises one firewall, there is still the back firewall to protect your internal network. In this template, the ISA Server acts as the front firewall between the Internet and the perimeter network and needs 2 network interfaces.

Back Firewall

This is a network topology for an organization where security is a high priority. The configuration is the same as in the Front Firewall template except that the ISA Server you are configuring is the back firewall that separates the internal and perimeter networks. In this template, the ISA Server needs 2 network interfaces.

Single Network Adapter

This is a network topology for an ISA Server that acts as a proxy server only. ISA Server can cache content to improve performance for users of the Internet in the organization. As the name of the template says, the ISA Server requires only a single network interface.

Note: For the Front and Back Firewall templates, you have more than one firewall server. It is best practice to use different firewall software on the front and back firewalls, or a hardware firewall in front of a software firewall, rather than the same product on both. If an attacker can break the front firewall, you still have the back firewall, against which the same technique will not work.

Step-by-step
This example will configure ISA Server 2006 using the Edge Firewall template.

1. Open ISA Server Management.
   1) In the left pane, expand Configuration and select Networks.
   2) In the right pane, select the Templates tab.
   3) Click on the Edge Firewall template. The Network Template Wizard window appears.

2. Click Next.

3. You can export your configuration before letting the wizard overwrite the old one by clicking the Export button. Otherwise, click Next.

4. On Internal Network IP Addresses, you can configure your internal network IP address range. If the existing value is correct, click Next.

5. On Select a Firewall Policy, you can select a firewall policy template. The description shows what will be configured on ISA Server. I select "Block all" to block all traffic through ISA Server. I will configure rules later in the next part.

6. Click Finish to complete the wizard.

7. For the changes to take effect on ISA Server, click Apply.

Part III: Create Firewall Policy Rule


Firewall Policy

From Part II, you have configured the Network Topology. Now you need to create a policy rule to allow traffic to pass through the ISA Server.

By default, ISA Server is configured with a default rule that blocks all traffic passing through ISA Server. But you can customize rules to match the policy of your organization. On each rule, you can choose to allow or deny access, and restrict by protocol, source and destination addresses, users (ISA Server can integrate with Active Directory), the times at which the rule applies, and content types.

Step-by-step

Next, I will create a new web access rule for all users in the internal network to access the Internet (external network) using only the HTTP (port 80) and HTTPS (port 443) protocols.

1. Open ISA Server Management. Expand the server name (in this example, BKKFRW001) -> right-click on Firewall Policy -> New -> Access Rule.

2. The New Access Rule Wizard appears. Enter the name of the access rule. Click Next.

3. On Rule Action, select Allow. Click Next.

4. On Protocols, click Add. The Add Protocols window appears; expand Common Protocols and select HTTP and HTTPS.

5. On Access Rule Sources, click Add. The Add Network Entities window appears; expand Networks and select Internal.

6. On Access Rule Destinations, add the External network.

7. On User Sets, leave All Users. Click Next.

8. Click Finish to complete creating the new rule.

9. Again, don't forget to apply your settings for them to take effect on ISA Server. Click Apply.
Question: How can I password-protect a user from entering an IP address in Internet Options, Connections, and LAN Settings?

Answer: The best way is to use Group Policy to restrict users from modifying the settings. Here are the steps to disable tabs in Internet Options using Group Policy:
1. Click the Start button. Type "gpedit.msc" into the Search box and press Enter.
2. In the Local Group Policy Editor, expand User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> click on Internet Control Panel.
3. On the right side, you see the policies that you can configure. If you want to prevent users from editing the LAN Settings, you have to disable the Connections page. Double-click on the "Disable the Connections page" policy and change the setting from Not Configured to Disabled.

Part IV: Configure Client Type


Introduction

After completing Part III, you have done the basic configuration on ISA Server. In this part, you are going to configure the client computer as one of these types: SecureNAT client, Firewall client or Web Proxy client. You can see more detail in the topic below.

The table below compares the ISA Server clients.

Feature / Client type      | SecureNAT client                                               | Firewall client             | Web Proxy client
---------------------------|----------------------------------------------------------------|-----------------------------|----------------------------------------------
Installation required      | Some network configuration changes may be required             | Yes                         | No, Web browser configuration required
Operating system support   | Any operating system that supports TCP/IP                      | Only Windows platforms      | All platforms, but by way of Web application
Protocol support           | Application filters for multiple-connection protocols required | All Winsock applications    | HTTP, HTTPS, FTP, and Gopher
User-level authentication  | Some network configuration changes required                    | Yes                         | Yes
Server applications        | No configuration or installation required                      | Configuration file required | Not applicable

Configurations

In this section, I will show how to configure each client type on a client computer. You only need to select one of these three client type configurations.

1. SecureNAT client

To configure a SecureNAT client, only the default gateway in the network properties needs to be changed to the ISA Server:

○ Open Network Connection Properties on the client computer.

○ On Network Properties, select Internet Protocol (TCP/IP) and click Properties.

○ On Internet Protocol (TCP/IP) Properties, change the default gateway IP address to the ISA Server.

2. Firewall client

○ Download the Firewall Client for ISA Server from Microsoft or here – Microsoft Firewall Client.

○ Run the setup program and set the ISA Server DNS name or IP address on the ISA Server Computer Selection page.

○ After installation, you will see an icon like the figure below in the system tray. Green means the client has successfully connected to ISA Server. If it shows red, the client can't connect to ISA Server. You can double-click the icon to see more detail.

○ If you double-clicked in the previous step, select the Settings tab and verify that the ISA Server Selection is typed correctly. Also, click Apply Default Settings Now so that other users on this computer can use this configuration, too.

3. Web Proxy client

○ Open the web browser. In this example, I demonstrate on Internet Explorer. On the menu bar, select Tools -> Internet Options.

○ On Internet Options, select the Connections tab and click LAN Settings.

○ On Local Area Network (LAN) Settings, set Address and Port to your ISA Server configuration.

Note: By default, the Web proxy port is 8080.

Question: I have set up ISA 2006 Standard according to your guideline and it works fine. My ISA is in a domain and has been installed as a member server. I want all Active Directory users to authenticate when they want to connect to online services. Is it possible to ask them to authenticate by web form so that I can monitor every user?

Answer: It is inferred that users in Active Directory are already authenticated when they are logged in to the domain, so it is unnecessary to make them authenticate again when they want to use the Internet. And ISA Server has a logging system that logs all traffic passing in/out. So you can view which users are using the Internet and which websites they visit.

Part V: Configure HTTP Filter


Have you ever needed to block users from using MSN or Yahoo Messenger? Or block them from using free e-mail services? Or even block them from posting anything on web boards? Or block them from using BitTorrent to download files? This topic answers these questions using Microsoft ISA Server 2006.

From Parts I to IV, you have finished the basic configuration of Microsoft ISA Server 2006 for your network. But ISA Server can do a lot more than that. Another benefit of ISA Server is that it can filter HTTP traffic. If you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent, web mail, posting on web boards, etc. by allowing or blocking HTTP traffic with the HTTP filter. Most readers may not be familiar with what HTTP traffic looks like, so let's look at HTTP traffic in the next section.

Note: This topic isn't required in order to run ISA Server; Parts I to IV are sufficient. But this topic will benefit most organizations by improving security.

HTTP Traffic

HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (by default on port 80), which is the protocol used by most applications. On each HTTP connection, there is header information sent from the client to the server or from the server to the client, such as the request method (GET, POST, etc.), the HTTP version (1.0, 1.1, 1.2), the User-Agent (Mozilla/4.0, Firefox, etc.) and the Content-Type (application/xml, image/jpeg, text/xml, etc.). I will not go into deep detail about the HTTP protocol; if you want more information, you can find it at Wikipedia – HTTP. Using this header information, ISA Server can filter HTTP traffic to allow or block a specific application or kind of traffic.

To see some samples of HTTP traffic, you can use a sniffer program to capture each data packet that passes in or out of a computer. A popular one is Ethereal. I have installed Ethereal on a computer that is running a web server. Let's see examples of each piece of HTTP header information below.

When the client sends a request to the web server with the Internet Explorer browser to http://bkkexternal (bkkexternal is the computer that runs the web server):

Detail: The request method is GET. The URI is /. The User-Agent is Mozilla (compatible; MSIE 6.0).

This is the response header for the above request.

Detail: The response code is 200 (OK). The server is Apache 2.2.4. The Content-Type is text/xml.

When you submit a form in the browser to the web server:

Detail: The request method is POST. The client host is bkkmisc01. The Content-Type is application/x-www-form-urlencoded.

Note: "\r\n" marks the end of a line: a carriage return followed by a line feed.

Configurations

To configure the HTTP filter, you need to know which attribute and value need to be configured. In this post, I will show only the following:
1. Block a specific browser: Firefox.
2. Block MSN Messenger and Windows Live Messenger.
3. Block downloading .torrent files.
4. Block AOL Messenger.
5. Block Yahoo Messenger.
6. Block Kazaa.
7. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
8. Block posting on web boards.

Step-by-step

1. Open the Microsoft ISA Server Management Console.

2. Right-click on the rule on which the HTTP filter is being configured -> select Configure HTTP.

3. Click on the Signatures tab and click Add.

4. Block a specific browser: Firefox.
   To block users from using the Firefox browser, configure a signature with "Firefox" as the value, "User-Agent" as the HTTP header and "Request headers" in Search in.

5. Block MSN Messenger and Windows Live Messenger.
   • To block MSN Messenger, configure a signature with "msnmsgr.exe" as the value, "User-Agent" as the HTTP header and "Request headers" in Search in.
   • To block Windows Live Messenger, configure a signature with "login.live.com" as the value, "Host" as the HTTP header and "Request headers" in Search in.

6. Block downloading .torrent files.
   To block downloading any .torrent file, configure a signature with "application/x-bittorrent" as the value, "Content-Type" as the HTTP header and "Request headers" in Search in.

7. Block AOL Messenger.
   To block users from using AOL Messenger, configure a signature with "Gecko" as the value, "User-Agent" as the HTTP header and "Request headers" in Search in.

8. Block Yahoo Messenger.
   To block users from using Yahoo Messenger, configure a signature with "msg.yahoo.com" as the value, "Host" as the HTTP header and "Request headers" in Search in.

9. Block Kazaa.
   To block users from using Kazaa, configure a signature with "KazaaClient" as the value, "User-Agent" as the HTTP header and "Request headers" in Search in.

10. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
    To block users from accessing free web mail, block any URL that contains the string "mail" by configuring a signature with the value mail.

11. Block posting on web boards.
    Block users from sending any information to the Internet (e.g. posting on a web board) by disallowing the HTTP method POST.
    ○ Select the Methods tab and select Block specified methods.
    ○ Click Add. A new window appears; type "POST" as the method and enter a description.
    ○ Don't forget to apply the settings after configuration.

12. If users are blocked by the HTTP filter, they will see a page like the figure: "Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter."
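The HTTP filter rules from the steps above, modelled in Python as an added example (this is not code from the original post or from ISA Server): it parses a raw request or response head as the sniffer displays it and returns the first signature or method rule that blocks the message. The sample messages are constructed here; the .torrent signature is placed on response headers, an assumption explained in the code.

```python
# Added example, not code from the original post or from ISA Server: a small model
# of the HTTP filter signatures and method rule configured in the steps above,
# applied to raw HTTP messages as the sniffer shows them (lines end in \r\n).
# Rule values come from the page; the sample messages below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str        # description shown in the Signatures tab
    search_in: str   # "request_url", "request_headers" or "response_headers"
    header: str      # HTTP header to inspect (unused for request_url)
    pattern: str     # case-insensitive substring to look for


# Signatures mirroring steps 4 to 10 of the page. Assumption: the .torrent rule is
# placed on response headers here, because the Content-Type of a file a user
# downloads is sent by the server; a rule on request headers (as in the page)
# only matches a request whose own body is a torrent file.
SIGNATURES = [
    Signature("Block Firefox", "request_headers", "User-Agent", "Firefox"),
    Signature("Block MSN Messenger", "request_headers", "User-Agent", "msnmsgr.exe"),
    Signature("Block Windows Live Messenger", "request_headers", "Host", "login.live.com"),
    Signature("Block .torrent downloads", "response_headers", "Content-Type",
              "application/x-bittorrent"),
    Signature("Block AOL Messenger", "request_headers", "User-Agent", "Gecko"),
    Signature("Block Yahoo Messenger", "request_headers", "Host", "msg.yahoo.com"),
    Signature("Block Kazaa", "request_headers", "User-Agent", "KazaaClient"),
    # Substring match, as on the page: this also hits any path containing "mail".
    Signature("Block free web mail", "request_url", "", "mail"),
]
BLOCKED_METHODS = {"POST"}   # step 11: block specified methods -> POST


@dataclass
class Message:
    is_request: bool
    method: str      # requests only
    url: str         # requests only, as a proxy sees it: scheme://host/path
    status: int      # responses only
    headers: dict    # lower-cased header name -> value


def parse_message(raw: bytes) -> Message:
    """Parse the head of one HTTP request or response; the body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    first = lines[0].split(" ", 2)
    if first[0].startswith("HTTP/"):           # status line, e.g. HTTP/1.1 200 OK
        return Message(False, "", "", int(first[1]), headers)
    method, target = first[0], first[1]
    # A Web Proxy client sends an absolute URL; a SecureNAT client sends only the
    # path, so rebuild the URL from the Host header for the URL signature.
    url = target if "://" in target else "http://" + headers.get("host", "") + target
    return Message(True, method.upper(), url, 0, headers)


def evaluate(raw: bytes) -> Optional[str]:
    """Return the name of the first rule that blocks the message, or None."""
    msg = parse_message(raw)
    if msg.is_request and msg.method in BLOCKED_METHODS:
        return "Block method " + msg.method
    side = "request_headers" if msg.is_request else "response_headers"
    for sig in SIGNATURES:
        if sig.search_in == "request_url":
            if msg.is_request and sig.pattern.lower() in msg.url.lower():
                return sig.name
        elif sig.search_in == side:
            if sig.pattern.lower() in msg.headers.get(sig.header.lower(), "").lower():
                return sig.name
    return None


# Constructed sample traffic, modelled on the captures discussed in the text.
IE_GET = (b"GET / HTTP/1.1\r\nHost: bkkexternal\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
FIREFOX_GET = (b"GET / HTTP/1.1\r\nHost: bkkexternal\r\n"
               b"User-Agent: Mozilla/5.0 (Windows; rv:1.8) Gecko/20061010 Firefox/2.0\r\n\r\n")
FORM_POST = (b"POST /guestbook.php HTTP/1.1\r\nHost: bkkexternal\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 9\r\n\r\nmsg=hello")
WEBMAIL_GET = b"GET http://mail.yahoo.com/ HTTP/1.1\r\nHost: mail.yahoo.com\r\n\r\n"
TORRENT_RESP = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.4\r\n"
                b"Content-Type: application/x-bittorrent\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("IE GET", IE_GET), ("Firefox GET", FIREFOX_GET),
                       ("form POST", FORM_POST), ("webmail GET", WEBMAIL_GET),
                       ("torrent response", TORRENT_RESP)]:
        print(f"{label:17} -> {evaluate(raw) or 'allowed'}")
```

Because the User-Agent and Host values are chosen by the client, these signatures enforce policy against the software users normally run rather than against a user who alters headers; the ISA logs mentioned in Part IV remain the place to see what was attempted.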

Creating a Site to Site VPN using ISA 2006 Firewalls at the Main and Branch Office

In this, part 1 of a two part series on creating site to site VPNs using the new ISA firewall, we will go over the basic network configuration and then start the configuration for the site to site VPN at the main office ISA firewall.
A site-to-site VPN connection connects two or more networks using a VPN link over the Internet. The VPN site-to-site
configuration works just like a LAN router; packets destined for IP addresses at a remote site are routed through the
ISA Server 2006 firewall. The ISA firewall acts as a VPN gateway joining two networks over the Internet.
Each site-to-site link can use one of the following VPN protocols:
• PPTP
• L2TP/IPSec
• IPSec Tunnel Mode
PPTP is the Point-to-Point Tunneling Protocol and can provide a good level of security, depending on the complexity
of the password used to authenticate the PPTP connection. You can enhance the level of security applied to a PPTP
link by using EAP/TLS-based authentication methods. For information on how to use EAP/TLS authentication for site
to site VPN links, check out this link.
The L2TP/IPSec VPN protocol provides a higher level of security because it uses the IPSec encryption protocol to
secure the connection and enforces machine authentication as well as user authentication. You can use computer and
user certificates to provide an even higher level of security to the L2TP/IPSec connection. If you are not ready to
deploy a certificate infrastructure, you can use a pre-shared key to create the site-to-site L2TP/IPSec VPN connection.
The ISA 2006 firewall supports IPSec tunnel mode for site-to-site VPN connections. Only use IPSec tunnel mode when you need to create a site-to-site link with third-party VPN gateways. There are three primary reasons for avoiding IPSec tunnel mode:
• IPSec tunnel mode is less secure
• IPSec tunnel mode has limited routing abilities on Windows Server 2003 machines
• IPSec tunnel mode can reduce effective throughput through the VPN tunnel by as much
as 50%. You can confirm this by reading the ISA 2004 performance white paper.
The figure below depicts how such a site-to-site VPN works:

Figure 1

In this two part article series we will go through the procedures required to create an L2TP/IPSec site-to-site link between two ISA Server 2006 firewall machines. The ISALOCAL machine will simulate the Main Office firewall, and the ISA2005BRANCH will simulate the Branch Office firewall. We will use the L2TP/IPSec VPN protocol to create the site-to-site link and both computer certificates and pre-shared keys to support the IPSec encryption protocol.
You will complete the following procedures to create the site-to-site VPN connection:
• Create the Remote Network at the Main Office
• Create the VPN Gateway Dial-in Account at the Main Office
• Create the Remote Network at the Branch Office
• Create the Network Rule at the Branch Office
• Create the Access Rules at the Branch Office
• Create the VPN Gateway Dial-in Account at the Branch Office
• Activate the Site-to-Site Links
The lab network includes two ISA firewalls, one at the main office and one at the branch office, a domain controller
that is also running Exchange 2003, and a client machine located behind the branch office ISA firewall, which in this
case is Windows Server 2003 SP1. The figure below depicts the machines in this article and their IP addresses.
Figure 2
Note:
It is important to note that both the EXCHANGE2003BE machine and the REMOTEHOST machine are DHCP
servers. This is required to provide Routing and Remote Access Service IP addresses to assign the calling VPN
gateways. If your network does not have a DHCP server, you can use static address pools configured on each of the
ISA Server 2006 firewall/VPN gateways. I prefer to use DHCP because it will make it easier to assign on-subnet
addresses to the VPN gateways virtual interfaces.
In this article I will not go through the process of deploying certificates and will use a pre-shared key for our
L2TP/IPSec site to site VPN connection. I should note here that this is not a best practice and that you should use
certificates for machine authentication for your site to site VPNs. There are a number of methods you can use to obtain
and install machine certificates and I have gone through this procedure many times on the ISAserver.org Web site.
For a comprehensive review of how to obtain and install machine certificates for ISA firewalls in a site to site VPN
scenario, I highly recommend that you check out the ISA Server 2000 VPN deployment kit. While the ISA firewall
configuration is quite different, the certificate deployment issues remain unchanged. Check out the ISA Server 2000
VPN Deployment Kit.

Create the Remote Site at the Main Office ISA Firewall

We will begin by configuring the ISA firewall at the Main Office. The first step is to configure the Remote Site Network in the Microsoft Internet Security and Acceleration Server 2006 management console.

Perform the following steps to create the Remote Site Network at the Main Office ISA firewall:

1. Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.

2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.

Figure 3

3. On the Welcome to the Create VPN Site to Site Connection Wizard page, enter a name for the remote network in the Site to site network name text box. In this example, enter Branch. Click Next.

Figure 4

4. On the VPN Protocol page, you have the choice of using IP Security protocol (IPSec Tunnel Mode), Layer Two Tunneling Protocol (L2TP) over IPSec or Point-to-Point Tunneling Protocol.

If you do not have certificates installed on the Main and Branch Office machines and do not plan to deploy them in the future, choose the PPTP option. If you have certificates installed on the Main and Branch Office firewalls, or if you plan to install them in the future, choose the L2TP/IPSec option (you can use the pre-shared key prior to installing the certificates).

Do not use the IPSec option unless you are connecting to a third-party VPN server (because of the low security conferred by IPSec Tunnel Mode site-to-site links and much lower throughput).

In this example, we will use pre-shared keys for our site to site VPN connection in preparation for deploying certificates after the L2TP/IPSec tunnels are established. Select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.

Figure 5
5. A dialog box appears informing you that you need to create a user account on the main office ISA firewall. This user account will be used by the branch office ISA firewall to authenticate to the main office ISA firewall when the branch office ISA firewall attempts to create its site to site VPN connection to the main office ISA firewall.

The user account must have the same name as the Remote Site Network we're creating, and that's defined by the name we included in the first page in the wizard. In this example, we named the site to site Network connection Branch, so the user account we create on the main office ISA firewall must also have the name Branch, and we will need to enable dial-up access for that account. We'll go through the details of creating that account later in this article. Click OK.

Figure 6
6. On the Connection Owner page you select which machine in the array should be the connection owner for this site to site VPN connection. This option is only seen in ISA Enterprise Edition and not in Standard Edition. If you have NLB enabled on the array, then you don't need to manually assign the connection owner, as the integrated NLB process will automatically assign a connection owner when NLB is enabled on the array.

In this example we are not using NLB on the main office array (I'll do another article on how to do that in the future), and there is only one member of our main office ISA firewall Enterprise Edition array. So we'll use the default entry, which is the name of the ISA firewall at the main office, and click Next. (Note: the name of the server in the graphic suggests that this machine is Standard Edition, but it is in fact Enterprise Edition.)

Figure 7
7. On the Remote Site Gateway page, enter the IP address or FQDN representing the external interface of the remote ISA Server 2006 firewall machine. Note that this is a new feature in the 2006 ISA firewall, in that before you could not use an FQDN. This is helpful as many branch offices must use dynamic addresses and so the only way to reliably connect to the branch office was via a DDNS service.

In this example, we'll use the FQDN branch.msfirewall.org, so enter this value into the text box. Click Next.

Figure 8
8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you will create on the branch office ISA Server 2006 firewall to allow the Main Office ISA firewall access. In this example, the user account will be named Main (the user account must match the name of the demand-dial interface created on the remote site). When we get to configuring the branch office ISA firewall, we will create a Remote Site Network with the name Main and then create a user account with the name Main on the branch office ISA firewall. The main office ISA firewall will use this account to authenticate to the branch office ISA firewall to create the site to site VPN connection.

The Domain name is the name of the branch office ISA Server 2006 firewall, which in this example is ISA2006BRANCH (if the remote ISA Server 2006 firewall were a domain controller, you would use the domain name instead of the computer name). Enter a password for the account and confirm the password. Write down the password so you will remember it when you create an account later on the branch office ISA 2006 firewall. Click Next.

Figure 9

9. On the L2TP/IPSec Outgoing Authentication page you select the method you want to use to authenticate your machine against the branch office ISA firewall. In this example we'll use the Pre-shared key authentication option and then enter a pre-shared key in the Pre-shared key text box. Make sure you write this down, as we'll need this information when configuring the machine authentication settings at the branch office. Click Next.
10. Click Add Range on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.1.0 in the Starting address text box. Enter 10.0.1.255 in the Ending address text box. Click OK.

Figure 10

11. Click Next on the Network Addresses page.

Figure 11

12. On the Remote NLB page you tell the ISA firewall if NLB is being used on the branch office ISA firewall. If NLB is being used, then you would put a checkmark in the The remote site is enabled for Network Load Balancing checkbox. Then you would add the dedicated IP addresses on the branch office NLB array by clicking the Add Range button.

We're not running NLB at the branch office, so we'll remove the checkmark from The remote site is enabled for Network Load Balancing. In a future article I'll show you how to create site to site VPNs with the NLB feature enabled. Click Next.

Figure 12
13. On the Site to Site Network Rule page you can configure a Network Rule that connects the main and branch office ISA firewall Networks. Remember, the ISA firewall requires that you always have a Network Rule to connect ISA firewall Networks to each other. Even if you create the Networks and create Access Rules, the connections will not work until you create a Network Rule.

The new ISA firewall fixes a problem that people had when creating site to site VPNs with ISA 2004, in that most people forgot or didn't know that they needed a Network Rule in order for it to work. The 2006 ISA firewall will ask you if you want to create the Network Rule while still in the wizard, which is a nice convenience and a great usability improvement. It's clear that the ISA firewall's development team are a lot more mindful of ease of use than the Exchange 2007 beta team!

Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I'll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option is to set a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.

Click Next.

Figure 13
14. Another new feature in the 2006 ISA firewall is the Site to Site Network Access Rule page. Here you can configure an Access Rule allowing connections from the main office to the branch office. With the ISA 2004 firewall, you had to do this manually after the wizard was completed; another kudo for the VPN developers on the ISA team!

You also have the option to not create an Access Rule at this time by selecting the I'll change the Access Policy later option.

When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, you'll be given three choices from the Apply the rule to these protocols drop down list. These include:

All outbound traffic: Use this option if you want to allow all traffic from the main office to the branch office.

Selected protocols: Use this option if you want to control which traffic can move from the main office to the branch office. If you want to limit the connections to a selected list of protocols, select this option and click the Add button to add the protocols. Note that at this point you can't lock down the protocol usage on a per user/group basis. You'll have to wait until the wizard is complete and then go into the Firewall policy to make that change.

All outbound traffic except selected: Select this option if you want to allow all traffic except for a few protocols. Again, you use the Add button to set which protocols you want to block.

Figure 14

Figure 15

In this example, we'll begin by allowing all protocols. Later, I'll show you how you can use user/group based authentication to control which users at the main office are allowed to connect to the branch office. This is important, as typically you don't want average users to have access to the branch office, you just want the administrators to get there. We'll also see how you can use user/group based access controls at the branch office to prevent branch office users from getting adventurous.

Select the All outbound traffic option and click Next.
15. Click Finish on the
Completing the New Site to
Site Network Wizard page.
16. In the Remaining VPN Site
to Site Tasks dialog box, it
informs you that that you need
to create a user account with
the name Branch. We’ll do
that in the next section. Click
OK.
You can see the new ISA firewall Remote
Site Network in the ISA firewall console, as
seen in the figure below.

Select the Remote Site Network and click the Edit Selected Network link in the Task Pane.
Figure 16
Figure 17
In the Branch Properties dialog box, the General tab provides information about the Remote Site Network. You can also enable or disable the site to site VPN connection from this tab.
On the Server tab, you can change the connection owner for the site to site VPN.
You only have to assign a connection owner when NLB isn’t enabled on the external interface of the ISA firewall. If NLB is enabled on the external interface of the ISA firewall, then NLB will automatically assign the connection owner for you. Keep in mind that you can create ISA firewall arrays of VPN gateways without NLB enabled on the external interface. However, in most cases you will want to use NLB. We’re not using NLB on the external interface in this article because there is a single ISA Enterprise Edition firewall in our current configuration.
On the Addresses tab, you can change or add addresses to the definition of the Remote Site Network.
On the Remote NLB tab, you specify the dedicated IP addresses on the remote site VPN gateway. You only need to configure these addresses if the Remote Site Network’s VPN gateway is using NLB. We won’t be adding addresses in our example because NLB won’t be enabled at the branch office ISA firewall.
On the Authentication tab you choose the authentication protocol you want the main office ISA firewall to use when authenticating with the branch office VPN gateway. The default is Microsoft CHAP Version 2. The most secure option is EAP, but that requires that you assign user certificates to the accounts used to authenticate with each gateway. Maybe in the future I’ll show you how to do it with ISA 2006 firewalls, but the procedure is very similar to how you do it in ISA 2004, as shown in http://www.isaserver.org/articles/2004s2seapauth.html.
On the Protocol tab you configure what VPN protocol you want to use to create the site to site VPN tunnel. You can also change the pre-shared key here.
On the Connection tab you can change the credentials used to authenticate to the Remote Site Network’s VPN gateway. You can also configure how long you want the site to site VPN to stay up during idle periods. The default is Never drop the connection.
Close the Branch Properties dialog box.
Right click the Remote Site Network and click the Site to Site Summary command. In the Site to Site Summary dialog box you’ll see summary information about the local site to site settings and the Required site to site settings for the other end of this tunnel.
You can right click in the lower frame and Select All and then Copy to get the information on how to configure the Remote Site VPN gateway.
General VPN Settings
Authentication Protocols (one or more of the following):
MS-CHAP v2

VPN Network Authentication Protocols (one or more of the following):
MS-CHAP v2

Outgoing Authentication Method: Pre-shared secret (the pre-shared key will appear here)

Incoming Authentication Method: Certificate and pre-shared secret (the pre-shared key will appear here)

Remote Gateway Address:
An IP address or a DNS resolvable name.
If NLB is enabled, the VIP of the remote array should be used.

Local User: ISA2006BRANCH\main

Remote Site User: Branch

Site-to-Site Network IP Addresses: 10.0.0.0-10.0.0.255, 10.255.255.255

Routable Local IP Addresses: 10.0.1.0-10.0.1.255

Complete the configuration by clicking Apply to save the changes and then click OK in the Apply New Configuration dialog box.

DHCP Configuration
One last thing you need to confirm is your addressing
information for the site to site VPN gateway. You have two
options to assign IP addresses:
• DHCP
• Static address pool
I prefer to use DHCP because it allows you to assign VPN clients and gateways on-subnet addresses without having to manually remove those addresses from the definition of the default Internal Network, to which the internal interface of the ISA firewall belongs.
For example, suppose the ISA firewall’s internal interface has the IP address 192.168.1.1. The definition of the default
Internal Network is 192.168.1.0-192.168.1.255. If we wanted to use a static address pool to assign on-subnet
addresses, such as 192.168.1.10-192.168.1.20, we would have to change the definition of the default Internal Network
because these addresses we want to assign VPN clients overlap with the definition of the default Internal Network. In
this case the definition of the default Internal Network would change to:
192.168.1.0-192.168.1.9
192.168.1.21-192.168.1.255
On the other hand, if we used DHCP to assign the VPN clients on-subnet addresses, the ISA firewall will
automatically remove any address assigned to a VPN client or VPN gateway from the definition of the default Internal
Network and dynamically assign them to the definition of the VPN clients Network. This prevents overlap between the
VPN Clients Network and the default Internal Network.
You can check on the IP address assignment method by clicking on the Virtual Private Networks (VPN) node in the left pane of the console and then clicking the Define Address Assignments link on the Tasks tab in the Task Pane. You’ll see what appears in the figure below.
Note that the Dynamic Host Configuration Protocol (DHCP) option is only available on ISA Standard Edition or
single-member ISA Enterprise Edition arrays. If you choose not to use DHCP, then you must click the Add button to
manually add your IP addresses assignment to VPN clients and VPN gateways.
If you use a static address pool, you might want to consider using off-subnet IP addresses. There is no problem with this, but you must make your routing infrastructure aware that, in order to reach the network ID used for the VPN clients network, it must forward those connections to the ISA firewall interface from which the connection was received.
In a simple dual NIC configuration, this would be the Internal interface. In a 3+ NIC configuration, you would
configure the routers to forward requests to the VPN clients network ID to the ISA firewall interface closest to the
routers.
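The address-range arithmetic that the static address pool option forces on you, as an added example that is not part of the original article: it carves a static pool out of an ISA Network definition the way the Internal Network edit above is done by hand, reports any overlap that remains between the pool and the Network, and checks that the firewall’s own interface address is not inside the pool. The 192.168.1.x values are the article’s; the function names and the off-subnet pool value are my own.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address


def parse_range(text):
    """Parse an ISA-style address range ('192.168.1.0-192.168.1.255') or a
    single address into an inclusive (start, end) pair of IPv4Address objects."""
    start, sep, end = text.partition("-")
    lo = IPv4(start.strip())
    hi = IPv4(end.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"end address precedes start address in {text!r}")
    return lo, hi


def format_range(lo, hi):
    """Render an inclusive pair back into the console's 'start-end' notation."""
    return f"{lo}-{hi}"


def overlaps(a, b):
    """True when two inclusive (start, end) pairs share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def carve_out(network_ranges, pool):
    """Remove a static address pool from a Network definition.

    network_ranges: list of 'start-end' strings as shown on the Addresses tab.
    pool: the 'start-end' string you intend to hand to VPN clients and gateways.
    Returns the edited list of ranges. An off-subnet pool leaves the list
    unchanged; a pool that swallows a whole range drops that range entirely.
    """
    pool_lo, pool_hi = parse_range(pool)
    edited = []
    for text in network_ranges:
        lo, hi = parse_range(text)
        if not overlaps((lo, hi), (pool_lo, pool_hi)):
            edited.append(format_range(lo, hi))          # untouched range
            continue
        if lo < pool_lo:                                 # addresses below the pool survive
            edited.append(format_range(lo, pool_lo - 1))
        if hi > pool_hi:                                 # addresses above the pool survive
            edited.append(format_range(pool_hi + 1, hi))
    return edited


def find_overlaps(network_ranges, pool):
    """Ranges of a Network definition that still collide with the pool.

    An empty list means the VPN Clients Network and this Network are disjoint,
    which is the state ISA maintains for you when DHCP does the assignment."""
    pool_lo, pool_hi = parse_range(pool)
    return [text for text in network_ranges
            if overlaps(parse_range(text), (pool_lo, pool_hi))]


def pool_contains(pool, address):
    """True when a single address (for example the firewall's own internal
    interface address) lies inside the pool; a static pool must never do this."""
    lo, hi = parse_range(pool)
    return lo <= IPv4(address) <= hi


if __name__ == "__main__":
    # Values from the article: internal interface 192.168.1.1, default
    # Internal Network 192.168.1.0-192.168.1.255, on-subnet static pool
    # 192.168.1.10-192.168.1.20. The off-subnet pool is a constructed example.
    internal = ["192.168.1.0-192.168.1.255"]
    on_subnet_pool = "192.168.1.10-192.168.1.20"
    off_subnet_pool = "192.168.50.10-192.168.50.20"

    print("overlap before edit:", find_overlaps(internal, on_subnet_pool))
    edited = carve_out(internal, on_subnet_pool)
    print("Internal Network after edit:", edited)
    print("overlap after edit:", find_overlaps(edited, on_subnet_pool))
    print("off-subnet pool leaves definition as:", carve_out(internal, off_subnet_pool))
    print("firewall address inside pool?", pool_contains(on_subnet_pool, "192.168.1.1"))
```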

Configure the Main Office Firewall’s Demand-dial Interface to not Register in DNS
A common problem encountered with multihomed computers is that they register multiple interfaces in the DNS. This
is especially problematic when machines create site-to-site connections and register their demand-dial interface IP
address. This can cause difficult to troubleshoot problems, such as Web Proxy and Firewall clients being unable to
connect to the Internet. The reason why the Web Proxy and Firewall clients cannot connect to the Internet in this
scenario is that the ISA Server 2004 firewall’s Demand-dial interface registered itself in the DNS, and the Web Proxy
and Firewall clients attempt to connect to the ISA Server 2004 firewall via that address.
Perform the following steps to disable dynamic DNS registration for the ISA Server 2004 firewall’s Demand-dial interface:
1. At the Main Office ISA Server 2004 firewall, click Start, and point to Administrative Tools. Click Routing and Remote Access.
2. In the Routing and Remote Access console, expand the server name in the left pane of the console. Click the Network Interfaces node.
3. In the right pane of the Network Interfaces node, right click on Branch, and click Properties.
4. On the Branch Properties dialog box, click the Networking tab.
5. On the Networking tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and click Properties.
6. On the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
7. On the Advanced TCP/IP Settings dialog box, click the DNS tab. On the DNS tab, remove the checkmark from the Register this connection’s addresses in DNS check box, and click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the Branch Properties dialog box.
10. Close the Routing and Remote Access console.
Create the VPN Gateway Dial-in Account at the Main Office
A user account must be created on the Main Office ISA firewall that the Branch Office firewall can use to authenticate
when it creates the site-to-site connection. This user account must have the same name as the demand-dial interface on
the Main Office computer. You will later configure the Branch Office ISA firewall to use this account when it dials the
VPN site-to-site link.
Perform the following steps to create the account the remote ISA Server 2006 firewall will use to connect to the Main
Office VPN gateway:
1. Right click My Computer on the desktop, and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node.
Right click the Users node, and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface.
In our current example, the demand-dial interface is named Branch. Enter Branch into
the text box. Enter a Password and confirm the Password. Write down this password
because you’ll need to use it when you configure the remote ISA Server 2006 VPN
gateway machine. Remove the checkmark from the User must change password at
next logon check box. Place checkmarks in the User cannot change password and
Password never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Branch user in the right pane of the console.
6. In the Branch Properties dialog box, click the Dial-in tab. Select Allow access. Click Apply, and then click OK.

Summary
In this, part 1 of a two part series on creating site to site VPNs using
the new ISA firewall, we went over the basic network configuration
and then started the configuration for the site to site VPN at the main
office ISA firewall. We created the Remote Site Network at the main
office ISA firewall and created the user account that the branch
office ISA firewall will use when calling the main office ISA
firewall.
In the second and last part of the site to site VPN series, we’ll move
our attention to the branch office ISA firewall and configure it to
connect to the main office ISA firewall. We’ll also create a user
account that the main office firewall will be able to use when calling
the branch office ISA firewall. Then we’ll test the solution by
activating the site to site VPN link and checking the log files and
sessions information to see what things look like in the ISA firewall
console when the site to site VPN is successfully established.
In this part 2 of our article series we’ll finish up by configuring the branch office ISA firewall
and then test the connection.
In part 1 in this two part series on configuring an L2TP/IPSec site to site VPN connection between two ISA firewalls
we went over the details of the sample network and configured the main office ISA firewall.

Create the Remote Site at the Branch Office


Now that the Main Office is ready, we can configure the Branch Office ISA Server 2006 firewall. The first step is to
create the Remote Site Network at the Branch Office.
Perform the following steps to create the Remote Site Network at the Branch Office:
1. Open the Microsoft Internet Security and Acceleration Server 2006 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane. Click on the Tasks tab in the Task pane. Click Add Remote Site Network.
3. On the Welcome to the Create VPN Site to Site Connection Wizard page, enter a name for the remote network in the Site to site network name text box. In this example, enter Main. Click Next.
4. On the VPN Protocol page, you have the choice of using several VPN protocols. In this
example, we will use pre-shared keys for our site to site VPN connection in preparation
for deploying certificates after the L2TP/IPSec tunnels are established. Select Layer
Two Tunneling Protocol (L2TP) over IPSec. Click Next.
5. A dialog box appears informing you that you need to create a user account on the branch office ISA firewall. This user account will be used by the main office ISA firewall to authenticate to the branch office ISA firewall when the main office ISA firewall attempts to create its site to site VPN connection to the branch office ISA firewall.

The user account must have the same name as the Remote Site Network we’re creating, and that’s defined by the name we included in the first page in the wizard. In this example, we named the site to site Network connection Main, so the user account we create on the branch office ISA firewall must also have the name Main, and we will need to enable dial-up access for that account. We’ll go through the details of creating that account later in this article. Click OK.

6. On the Connection Owner page you select which machine in the array should be the connection owner for this site to site VPN connection. This option is only seen in ISA Enterprise Edition and not in Standard Edition. If you have NLB enabled on the array, then you don’t need to manually assign the connection owner, as the integrated NLB process will automatically assign a connection owner when NLB is enabled on the array.
In this example we are not using NLB on the main office array (I’ll do another article on how to do that in the future), and there is only one member of our main office ISA firewall Enterprise Edition array. So we’ll use the default entry, which is the name of the ISA firewall at the main office, and click Next.

7. On the Remote Site Gateway page, enter the IP address or FQDN representing the
external interface of the main office ISA Server 2006 firewall. In this example, we’ll use
the FQDN main.msfirewall.org, so enter this value into the text box. Click Next.
8. On the Remote Authentication page, put a checkmark in the Local site can initiate connections to remote site using these credentials check box. Enter the name of the account that you created on the main office ISA firewall to allow the branch ISA firewall access. In this example, the user account is named Branch (the user account must match the name of the demand-dial interface created at the remote site). The branch office ISA firewall will use this account to authenticate to the main office ISA firewall to create the site to site VPN connection.

The Domain name is the name of the main office ISA firewall, which in this example is ISA2006SE (if the remote ISA Server 2006 firewall were a domain controller, you would use the domain name instead of the computer name). Enter a password for the account and confirm the password. Click Next.
9. On the L2TP/IPSec Outgoing Authentication page you select the method you want to use to authenticate your machine against the branch office ISA firewall. In this example we’ll use the Pre-shared key authentication option and then enter a pre-shared key in the Pre-shared key text box. Make sure this is the same key used at the main office ISA firewall. Click Next.

10. Click Add Range on the Network Addresses page. In the IP Address Range Properties dialog box, enter 10.0.0.0 in the Starting address text box. Enter 10.0.0.255 in the Ending address text box. Click OK.
11. Click Next on the Network Addresses page.

12. On the Remote NLB page you tell the ISA firewall if NLB is being used on the branch office ISA firewall. If NLB is being used, then you would put a checkmark in the The remote site is enabled for Network Load Balancing check box. Then you would add the dedicated IP addresses on the main office NLB array by clicking the Add Range button.
We’re not running NLB at the main office, so we’ll remove the checkmark from the The remote site is enabled for Network Load Balancing check box. In a future article I’ll show you how to create site to site VPNs with the NLB feature enabled. Click Next.
13. On the Site to Site Network Rule page you can configure a Network Rule that
connects the main and branch office ISA firewall Networks. Remember, the ISA firewall
requires that you always have a Network Rule to connect ISA firewall Networks to each
other. Even if you create the Networks and create Access Rules, the connections will
not work until you create a Network Rule.

Select the Create a Network Rule specifying a route relationship option and accept the default name. Note that you also have the I’ll create a Network Rule later option if you want to create the Network Rule manually. Notice that the default option is to set a route relationship between the main and branch office ISA firewall Networks. This is an excellent choice because you have a much wider range of protocol access when using route relationships.

The route relationship at the branch office should match the route relationship at the main office. Click Next.

14. On the Site to Site Network Access Rule page you can configure an Access Rule allowing connections from the branch office to the main office.

You also have the option to not create an Access Rule at this time by selecting the I’ll change the Access Policy later option.

When you select the Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users option, you’ll be given three choices from the Apply the rule to these protocols drop down list. These include:

All outbound traffic

Selected protocols

All outbound traffic except selected.

In this example, we’ll begin by allowing all protocols. Later, I’ll show you how you can
use user/group based authentication to control which users at the branch office are
allowed to connect to the main office. This will be a key configuration step, as branch
office users should have very limited access to resources at the main office network
and should be allowed access only to the server and protocols required to get their
work done, and they must also be forced to authenticate before gaining access to the
main office network.

Select the All outbound traffic option and click Next.


15. Click Finish on the Completing the New Site to Site Network Wizard page.
16. In the Remaining VPN Site to Site Tasks dialog box, it informs you that you need to create a user account with the name Branch. We’ll do that in the next section. Click OK.
Make a note of the firewall policy created by the VPN wizard and then click Apply to save the changes and click OK in the Apply New Configuration dialog box.
Remember to confirm your address assignment settings for VPN clients and gateways in the same way you did so at
the main office. If the ISA firewall isn’t able to assign IP addresses to the remote gateway, the configuration will fail.
In addition, remember to configure the demand dial interface to not register in DNS, as we did when we configured the
main office demand dial interface to not register in DNS in part 1 of this series.

Create the VPN Gateway Dial-in Account at the Branch Office
We must create a user account that the Main Office ISA firewall can use to authenticate when it initiates the VPN site-to-site connection. The user account must have the same name as the demand-dial interface created on the Branch Office ISA firewall.
Perform the following steps to create the account the main office ISA firewall will use to connect to the branch Office
VPN gateway:
1. Right click My Computer on the desktop and click Manage.
2. In the Computer Management console, expand the Local Users and Groups node. Right click the Users node and click New User.
3. In the New User dialog box, enter the name of the Main Office demand-dial interface. In our current example, the demand-dial interface is named Main. Enter Main into the text box. Enter a Password and confirm the Password. Write down this password because you’ll need to use this when you configure the remote ISA Server 2006 VPN gateway machine. Remove the checkmark from the User must change password at next logon check box. Place checkmarks in the User cannot change password and Password never expires check boxes. Click Create.
4. Click Close in the New User dialog box.
5. Double click the Main user in the right pane of the console.
6. In the Main Properties dialog box, click the Dial-in tab. Select Allow access. Click
Apply and then click OK.

Activate the Site-to-Site Links


Now that both the Main and Branch Office ISA Server 2006 firewalls are configured as VPN routers, you can test the site-to-site connection.
Perform the following steps to test the site-to-site link:
1. At the remote client computer behind the branch ISA firewall machine, click Start, and then click the Run command.
2. In the Run dialog box, enter cmd in the Open text box, and click OK.
3. In the command prompt window, enter ping -t 10.0.0.2 and press ENTER.
4. You will see a few pings time out, and then the ping responses will be returned by the
domain controller on the Main Office network.
5. Perform the same procedures at the domain controller at the Main Office network, but
this time ping 10.0.1.2, which is the REMOTEHOST computer.
You can see the results of the ping queries in the figure below:

If you check the real time log view on the branch office ISA firewall, you’ll see lines like those in the figure below.

Now click on the Sessions tab at the branch office ISA firewall. You’ll see an active session representing the site to
site VPN connection. Notice the filter to point out the site to site connection.

Figure 17
You can go to the main office ISA firewall and perform similar checks.

Conclusion
In this article series we discussed how to create an L2TP/IPSec site to site VPN connection between two ISA firewalls.
The discussion was limited to using a pre-shared key between the ISA firewalls at the main and branch offices, but you
should keep in mind that in a production environment you should strive to use machine certificate authentication
instead of a pre-shared key. I provided a link to the ISA Server 2000 VPN deployment kit which will provide you all
the information you need to deploy your certificates.
In the next article we’ll take a look at two things you can do to help secure and accelerate your branch office connections: locking down the Access Rules for communications over the site to site VPN link and using Web proxy chaining so that the branch office ISA firewall can benefit from the larger cache contained on the main office ISA firewall. See you then! –Tom.

ISA Firewall Quick Tip: Internal DNS Forwarding Through ISA Server 2004/2006
This article shows you how to configure your internal DNS server to forward requests to external servers, most commonly your ISP's DNS servers. Configuration is done on the internal DNS server and also on ISA Server.

Configuration on DNS Server

1. Click Start, point to Administrative Tools, and then click DNS.

2. Right-click DNS-SRV ( ServerName ), where ServerName is the name of the server, and then
click the Forwarders tab.
3. Click a DNS domain in the DNS domain list. Or, click New, type the name of the DNS domain for
which you want to forward queries in the DNS domain box, and then click OK.

4. In the Selected domain's forwarder IP address box, type the IP address of the first DNS server
to which you want to forward, and then click Add.

5. Repeat step 4 to add the other DNS servers to which you want to forward. Usually you have two ISP DNS servers; enter them both.

6. Click OK.
7. The last thing you should do on your DNS server is to make it a SecureNAT client. This is done by setting its default gateway to the ISA Server internal IP address.

That is all you have to do on your internal DNS server. Now let's see what we need to do on ISA Server.

Configuration on ISA Server


1. Open ISA Management Console

2. Create a new Access Rule: right click Firewall Policy, click New, then choose Access Rule.
3. The New Access Rule Wizard will be launched. Give a name to your new rule; in this example we will name it Forward DNS To ISP. Then click Next.

4. In the Rule Action page, choose Allow, then click Next

5. In the Protocols page, from the This Rule Applies To drop down list, choose Selected Protocols. Click the Add button; the Add Protocol page will open. Expand the Infrastructure container, choose the DNS protocol and click Add, then click Close.

The selected protocol will be displayed in the Protocols page. Click Next.

6. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, from the menu bar, click New and choose Computer.
The New Computer Rule Element page will open. Click the Browse button, then write your internal DNS server name in the first text box under Name and click Find; the IP address of the DNS server will be listed. Click OK.

You will return to the New Computer Rule Element page. Click OK.
7. Click the Computers folder. Double click DNS-SRV, then click the Close button in the Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.

8. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog
box, click the Networks folder. Double click the External entry and click Close in the Add
Network Entities dialog box. Click Next on the Access Rule Destinations page.
9. On the User Sets page, accept the default setting of All Users.

10. Review your settings and click Finish on the Completing the New Access Rule Wizard page.
11. Click the Apply button to save the changes and update the firewall policy.

12. Your rule will look like this:

13. The rule you have just created will permit your internal DNS server to communicate with your ISP's DNS servers. Now we need to create a rule to allow users to surf the Internet, so start creating a new Access Rule.

14. Right click Firewall Policy , then click on New then choose Access Rule

15. Name this rule Allow Internet, then click Next


16. In the Rule Action page, choose Allow, then click Next

17. In the Protocols page, from the This Rule Applies To drop down list, choose Selected Protocols. Click the Add button and, from the Common Protocols folder, choose HTTP, HTTPS, POP3 and SMTP. Click Add on each protocol you choose and, once you have selected them all, click Close. The protocols will be displayed in the Protocols page. Click Next.

18. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog
box, click on the Networks folder. Double click on the Internal network, then click the Close button
in the Add Network Entities dialog box. Click Next in the Access Rule Sources dialog box.

19. Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog
box, click the Networks folder. Double click the External entry and click Close in the Add
Network Entities dialog box. Click Next on the Access Rule Destinations page.
20. On the User Sets page, accept the default setting of All Users.

21. Review your settings and click Finish on the Completing the New Access Rule Wizard page.
22. Now, your rules will look like this:

23. Click the Apply button to save the changes and update the firewall policy.

Summary

In this article, we learned how to configure our internal DNS server to forward requests to the ISP's DNS servers. We also learned how to create the rule on ISA Server that allows DNS communication between the internal DNS server and the ISP DNS servers.
How can I detect users who use or run sniffing and spoofing programs from ISA Server?

To detect that kind of traffic, try to set up an IDS in your system. The free popular one is
When I block MSN Messenger by configuring a signature for “msnmsgr.exe”, this blocks msnmsgr.exe and also Hotmail mail access. Is there any solution to block MSN access without blocking Hotmail access?

If you blocked only the signature “msnmsgr.exe”, you can check email on hotmail through
web access. I’ve tested it.

It seems that the application will attempt to connect on other ports (including 80) if 5050 fails. Therefore, there is no way to block it by using a port rule. (But mine works, strange!)

So I want you to try to block these servers: scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com. These are servers that the messenger connects to. But I haven’t tested it yet.

Reference: How do I configure my firewall/proxy server?


If the solution above doesn’t work, I think you may need to block by other means. For instance, block by using Group Policy (if the PC is in the domain) to restrict installing the application instead of blocking from the firewall.

Yesterday I spent a full day monitoring Yahoo Messenger packets with Wireshark, and I did block these TCP ports: 20, 25, 23, 119, 5050, 5150, 5051 (which I found was right, as explained in the link you provided; thank you).
It does work so far! And I hope it will.

I will also try the servers and let you know the result, but I wonder why the signature did not work. I think it was the best solution!

I think this is because the new Yahoo Messenger uses the Mozilla interface, which results in a changed signature! I mean the signature becomes Mozilla/4.0! What’s your idea?
Thank you for your help and attention anyway. Now I’m working on Google Talk; any advice will be appreciated. The signature is Google Talk in the User-Agent area, but it does not work either.

You can customize the error pages on ISA Server. The templates are located in the folder –
C:\Program Files\Microsoft ISA Server\ErrorHtmls.

I configured the VPN in ISA Server 2006 and it gives error 800. I don’t know why. Please tell me the VPN configuration.

I don’t have experience about VPN. I haven’t tried VPN yet. But there are many resources
about configuring VPN on ISA Server on the Internet:
○ Enabling the ISA Server 2004 VPN Server – ISAServer.org
○ How to configure a VPN server by using Internet Security and Acceleration (ISA)
Server 2006 – Microsoft.com
○ How to configure a VPN connection to your corporate network in Windows XP
Professional – Microsoft.com
○ Error Message: VPN Connection Error 800: Unable to Establish Connection –
Microsoft.com

In my organisation we are implementing ISA Server 2006 and we have created the four policies mentioned below:
1. Only mail access rule – users can access the company mail only.
2. Allowed sites access rule – users can access only particular sites.
3. Access with restriction access rule – users can access all the websites except particular sites.
4. Full access rule – all the websites can be accessed.
In this scenario, only the Full access rule users are able to access Yahoo, MSN, Google Talk, etc.
But we need to give chat permission to the mail, allowed sites and access with restriction users also.
How do we create the policy for this scenario? Kindly help us.

I’m not sure about mail chat. I don’t have this kind of traffic in my environment.
But I’ve found some posts related with this issue.
○ Block Yahoo mail chat
○ Allowing/Denying IM and other protocols on ISA Server

I just configured VPN in ISA Server 2006, but the problem is that when I type \\isaserver in Run from the client it can’t find the server, but when I type the IP of the server from the client it can find that computer.
Please help me find what the problem is.
Note: when I type \\client from the server it can’t find the computer, but if I type the IP of the client it can find it.

You may have to check DNS configuration whether it points to the correct server.

I can’t block Yahoo Messenger 9 with ISA 2006.
I tried to filter the signatures scs.msg.yahoo.com, scsa.msg.yahoo.com, scsb.msg.yahoo.com and scsc.msg.yahoo.com, but it didn’t work.

Completely blocking messengers from ISA Server isn’t easy. Most of them can now communicate through HTTP (80), which makes them even harder to block. The best way to solve the problem is to control software installation on the PCs with restrictions. This can be achieved using Group Policy.

How do I block downloads for users? Or block only mp3 etc.?

You can block specific extensions by opening Configure HTTP policy for the rule -> Select the
Extensions tab -> Select Block specified extensions (allow all others) -> Then you can add
the extensions that you want to block, such as .exe, .mp3, etc.

Having the problem that sometimes the internet connection drops for a few minutes and the
internet connection just comes back online by itself or by restarting the ISA server. They don’t
have a constant internet connection.

You should check the Internet link between ISA Server and your ISP to see if it drops or
not. Sometimes it could be a hardware problem.
If that is not the case, try to check the system log on ISA Server. If there is a problem with the
server, you will see some error messages there.

Everything is working fine except the voice and video for Yahoo and MSN. Please help me
with how to allow voice and video chat.

I have a rule for Outlook that is allowed to send mail in the ISA server: all outbound, from
internal, to external. But the problem is users can browse all the sites on the internet, and
when I change the rule to specific sites, I can’t send anymore; it doesn’t see my webmail.

1. For mail access:
In the ISA server console,
Right click the Firewall policy -> New -> Access Rule.
In the name window type the rule name, e.g. Mail allow.
Next, in the Rule action window select Allow.
In the protocol window select Selected protocols under This rule applies to. Click Add; in
Common Protocols select POP3 and SMTP. Click Next.
In the Access Rule Sources window select INTERNAL. Next.
In the Access Rule Destinations window select EXTERNAL (enter your email server IP or
FQDN). Click Next.
In the user sets window click Next. That’s all.
2. For website access:
In the ISA server console,
Right click the Firewall policy -> New -> Access Rule.
In the name window type the rule name, e.g. Website allow.
Next, in the Rule action window select Allow.
In the protocol window select Selected protocols under This rule applies to. Click Add; in
Common Protocols select HTTP and HTTPS. Click Next.
In the Access Rule Sources window select INTERNAL. Next.
In the Access Rule Destinations window select EXTERNAL or a URL set. Click Next.
In the user sets window click Next. That’s all.

How can I block Facebook, Orkut, game chatting and sex sites in only one access deny rule? I
have ISA Standard Edition.

First create the Domain Name Set for Facebook, Orkut, game chatting and sex sites.
For creating the Domain Name Set:
Go to the Firewall Management console –> right side Toolbox –> click New –> select
Domain Name Set
–> In the name field type any name –> click Add and enter *.facebook.com, click Add again and enter
*.orkut.com, then OK.
Now create a rule for the Firewall Policy.
Right click Firewall Policy –> select New and Access Rule –> type the name you want –>
then Next –> in the Rule action window select DENY and Next
–> in the Protocols window select HTTP and HTTPS and Next –> in the Access Rule Sources
window select INTERNAL and Next –> in the Access Rule Destinations window select
the created DOMAIN SET and Next
–> in the user sets window (select All Users or create a user set for some users) and Next.
For denying the sexual sites:
You cannot deny all the sexual sites that way; for that you have to configure an HTTP Signature.
After the rule is created, select the rule, right click, select Configure HTTP and select the
Signature tab.
Click Add and type any name for your reference.
In the Search in window select either REQUEST URL or REQUEST BODY, and in
the Signature window
type PORN, GAY, LESBIAN or SEX and click OK.
Note: This HTTP signature is only applicable on an ALLOW rule.
I do not understand what you mean about game chatting.

Can you please tell me the difference between a domain name set and a URL set?

The difference between a Domain set and a URL set is: if you want to block only a specific
URL, you can use the URL set.
Ex. you want to block http://www.google.com; it will block only http://www.google.com
for the client request and it will not block http://mail.google.com or
http://msdn.microsoft.com. Only the URL you have given will be blocked.
A Domain name set will block the entire domain *.google.com; the * is used for
including subdomains of google.
This is the difference; I hope you understand.
For online gaming: use an HTTP signature to block. If you know the web URL, you can use
either a Domain set or a URL set for that.
Thanks
Nandha
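As an added illustration of the Domain set versus URL set distinction explained in the answer above (this is not code from the post or from ISA Server), the following Python models the two matching rules and the combined deny rule from the thread. The sets and request URLs are constructed samples, and treating `*.x.com` as also covering the bare `x.com` is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample sets for the deny rule discussed in the thread.
DOMAIN_SET = {"*.facebook.com", "*.orkut.com"}   # Domain Name Set entries
URL_SET = {"http://www.google.com"}              # URL Set entry (exact URL)

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url):
    """Lower-case scheme/host, drop the default port, make an empty path '/'."""
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".")
    netloc = host if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}{p.path or '/'}"


def in_domain_set(host, domain_set=DOMAIN_SET):
    """Domain set semantics: '*.x.com' covers every host under x.com
    (assumed here to include x.com itself); a plain entry must match exactly."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in domain_set):
        if entry.startswith("*."):
            suffix = entry[2:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == entry:
            return True
    return False


def in_url_set(url, url_set=URL_SET):
    """URL set semantics: an entry matches only that exact URL, so
    http://www.google.com covers neither http://mail.google.com nor
    http://www.google.com/search. A trailing '*' wildcard is a prefix match."""
    target = normalize_url(url)
    for entry in url_set:
        if entry.endswith("*"):
            if target.startswith(normalize_url(entry[:-1])):
                return True
        elif target == normalize_url(entry):
            return True
    return False


def deny_rule_matches(url):
    """Destination check of the deny rule: domain set OR URL set.
    Returns the name of the matching set, or None if the request falls through.
    Note: for HTTPS the proxy only sees the host (CONNECT), so a URL set entry
    with a path can never match; host-level blocking belongs in the domain set."""
    if in_domain_set(urlsplit(url).hostname or ""):
        return "domain-set"
    if in_url_set(url):
        return "url-set"
    return None
```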