Installing and Using ISA Server as a Firewall

Microsoft Internet Security and Acceleration (ISA) Server 2000 is an enterprise firewall and Web cache. You can install ISA Server in three modes: Cache, Firewall, or Integrated (which provides both cache and firewall capabilities). Because you're using ISA Server as a firewall, you should select either Firewall or Integrated mode. With ISA Server, you can control every aspect of how clients on the internal network can access resources on the Internet.

To implement a demilitarized zone (DMZ), you need to configure your computers on the internal network to access ISA Server as SecureNAT clients, not as ISA Server firewall clients or Web proxy clients. SecureNAT means that you configure the internal network with a private IP subnet and let ISA Server use Network Address Translation (NAT) to service Internet requests from internal clients. Using SecureNAT simply requires you to configure computers on your internal network to use the ISA Server as the default gateway. You don't need to load any ISA Server-related software on those computers. When using SecureNAT, you need to make sure that all computers requiring access to the Internet are configured with the IP address of your ISP's DNS server on the Internet or that your internal DNS server forwards unresolved queries to your ISP's DNS server or another Internet-accessible DNS server.

To let clients on the Internet access resources inside your internal network, you need to publish the relevant internal servers through ISA Server. To a client on the Internet, the ISA Server appears as the server being accessed. However, when ISA Server receives a client's request, ISA Server redirects the request to the internal server after ISA Server checks its policies and inspects the request for suspicious patterns.

To configure ISA Server's policies for handling incoming and outgoing traffic, you use site and content rules, protocol rules, IP packet filters, Web-publishing rules, and server-publishing rules. Site and content rules control which internal users can access which external Web sites or types of content and when. Protocol rules control which protocols internal clients can use to access computers on the Internet. IP packet filters let you control the types of packets that you want ISA Server to accept from the Internet and from internal computers. For example, you use IP packet filters to allow pings or PPTP packets. Web-publishing rules let you make internal Web servers available to clients on the Internet. With Web-publishing rules, you can control incoming Web requests according to user credentials, client address, and destination address and path. With server-publishing rules, you can make other types of servers (e.g., SMTP servers) available to the outside world. Server-publishing rules let you control incoming requests to these servers according to client IP address.

When an internal client tries to connect to a computer on the Internet, ISA Server checks the request against its protocol rules. If the request is an HTTP or HTTP Secure (HTTPS) request, ISA Server checks site and content rules as well. When ISA Server receives an incoming request from a client on the Internet, ISA Server checks the request against IP packet filters. Then, if the request is HTTP or HTTPS, ISA Server checks the request against Web-publishing rules; otherwise, ISA Server checks the request against server-publishing rules.
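The evaluation order in the two paragraphs above is easier to reason about as code. The following is an added example written for this article, not code from the article or from Microsoft's ISA Server: it models the five rule sets and walks a request through them in the stated order (protocol rules, then site and content rules for HTTP/HTTPS, on the outbound side; IP packet filters, then Web-publishing or server-publishing rules, on the inbound side). The rule classes, glob matching, "deny beats allow" resolution and default-deny outcome are the example's own assumptions, chosen to illustrate the flow rather than to reproduce ISA Server's exact matching semantics; the policy and requests are constructed sample data.

```python
"""Model of the ISA Server 2000 policy-evaluation order described in the article.
Added example with assumed semantics; not ISA Server's own API or code."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional

WEB_PROTOCOLS = {"http", "https"}   # requests that also go through site/content or Web-publishing rules


@dataclass(frozen=True)
class Request:
    direction: str            # "outbound" = internal client to Internet, "inbound" = Internet to internal
    client_ip: str
    protocol: str             # "http", "https", "smtp", "ftp", "pptp", ...
    host: str = ""            # destination host name, meaningful for HTTP/HTTPS only
    path: str = "/"
    user: Optional[str] = None


@dataclass(frozen=True)
class AllowDeny:
    """Protocol rule or IP packet filter: a glob on the protocol name plus allow/deny (assumed shape)."""
    pattern: str
    allow: bool


@dataclass(frozen=True)
class SiteContentRule(AllowDeny):
    """Site and content rule: glob on the destination host; empty users = applies to everyone."""
    users: frozenset = frozenset()


@dataclass(frozen=True)
class PublishingRule:
    match: str                        # host glob (Web publishing) or protocol glob (server publishing)
    path_prefix: str                  # Web publishing only; ignored for server publishing
    internal_server: str              # where ISA Server redirects the request
    allowed_clients: Optional[str]    # CIDR of permitted Internet clients, None = any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    stage: str                        # the rule set that produced the verdict
    target: Optional[str] = None      # internal server for a published request


@dataclass
class Policy:
    protocol_rules: List[AllowDeny]
    site_rules: List[SiteContentRule]
    packet_filters: List[AllowDeny]
    web_publishing: List[PublishingRule]
    server_publishing: List[PublishingRule]


def _decide(rules, value: str) -> bool:
    """Assumed resolution: any matching deny rule wins; otherwise allow only if an allow rule matches."""
    matched = [r for r in rules if fnmatch(value, r.pattern)]
    if any(not r.allow for r in matched):
        return False
    return any(r.allow for r in matched)


def _client_permitted(rule: PublishingRule, ip: str) -> bool:
    return rule.allowed_clients is None or ip_address(ip) in ip_network(rule.allowed_clients)


def evaluate_outbound(policy: Policy, req: Request) -> Decision:
    """Internal client -> Internet: protocol rules first, then site/content rules for HTTP and HTTPS."""
    if not _decide(policy.protocol_rules, req.protocol):
        return Decision(False, "protocol rules")
    if req.protocol in WEB_PROTOCOLS:
        applicable = [r for r in policy.site_rules if not r.users or req.user in r.users]
        return Decision(_decide(applicable, req.host), "site and content rules")
    return Decision(True, "protocol rules")


def evaluate_inbound(policy: Policy, req: Request) -> Decision:
    """Internet -> internal: packet filters first, then Web-publishing or server-publishing rules."""
    if not _decide(policy.packet_filters, req.protocol):
        return Decision(False, "IP packet filters")
    if req.protocol in WEB_PROTOCOLS:
        for r in policy.web_publishing:
            if fnmatch(req.host, r.match) and req.path.startswith(r.path_prefix) and _client_permitted(r, req.client_ip):
                return Decision(True, "Web-publishing rules", r.internal_server)
        return Decision(False, "Web-publishing rules")
    for r in policy.server_publishing:
        if fnmatch(req.protocol, r.match) and _client_permitted(r, req.client_ip):
            return Decision(True, "server-publishing rules", r.internal_server)
    return Decision(False, "server-publishing rules")


def evaluate(policy: Policy, req: Request) -> Decision:
    return evaluate_outbound(policy, req) if req.direction == "outbound" else evaluate_inbound(policy, req)


# Constructed sample policy: the addresses, hosts and users are invented for the example.
SAMPLE_POLICY = Policy(
    protocol_rules=[AllowDeny("http", True), AllowDeny("https", True), AllowDeny("smtp", True), AllowDeny("ftp", False)],
    site_rules=[SiteContentRule("*", True), SiteContentRule("*.blocked.example", False, frozenset({"guest"}))],
    packet_filters=[AllowDeny("http", True), AllowDeny("https", True), AllowDeny("smtp", True),
                    AllowDeny("ftp", True), AllowDeny("pop3", True), AllowDeny("icmp", True)],
    web_publishing=[PublishingRule("www.example.com", "/", "10.0.0.10", None)],
    server_publishing=[PublishingRule("smtp", "", "10.0.0.20", None),
                       PublishingRule("pop3", "", "10.0.0.20", "198.51.100.0/24")],
)

if __name__ == "__main__":
    for req in (Request("outbound", "192.168.1.5", "ftp"),
                Request("outbound", "192.168.1.5", "http", host="games.blocked.example", user="guest"),
                Request("inbound", "203.0.113.5", "http", host="www.example.com"),
                Request("inbound", "203.0.113.5", "pptp")):
        print(req.direction, req.protocol, evaluate(SAMPLE_POLICY, req))
```

Note that an inbound FTP request in this sample passes the packet filter but is still refused, because no server-publishing rule names FTP; conversely PPTP never reaches the publishing stage because no packet filter accepts it. Keeping both layers in mind when troubleshooting "published server not reachable" reports saves time: the stage in the returned Decision tells you which rule set to look at.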
