Customizing ISA Server


ISA Server's functionality can be enhanced in several ways. Microsoft provides the ISA Server Software Developer's Kit (SDK), which allows developers to extend ISA by creating components that are built on or that work with ISA Server. Several third-party software vendors have already developed add-on products that add flexibility to the ISA product. In this section, we take a look at the SDK and a few of the available third-party add-ons.

Using the ISA Server Software Developer's Kit

The ISA Server SDK is a comprehensive collection of development tools and sample scripts that can be used to build new, custom features that enhance ISA's firewall, caching, and management functionality.

The SDK comes with the ISA Server software. It includes full API documentation as well as useful sample extensions such as management tools, application and Web filters, and user interface extensions.

Administration Scripts

Administration scripts can simplify and automate administrative tasks. Developers can create custom administration scripts, or administrators can use the sample scripts included with the SDK.

Sample Administration Scripts

Sample administration scripts provided with the ISA SDK include:

  • Add_Dod: A VBScript sample that demonstrates how to add a new Dialup Entry and set the Dialup Entry Credentials.

  • AdditionalKey: A VBScript script that demonstrates how to change an additional key.

  • AddLATEntry: A VBScript script that demonstrates how to add an IP range to a LAT.

  • AddScheduledContentDownload: A VBScript script that receives an array name, a URL, and a job name and adds a scheduled content download job.

  • ApplicationFilterList: A script that prompts the user to enter an array, then lists the application filters of the selected array.

  • CacheSettings: A script that prompts the user to enter the name of an array, then displays the cache settings of that array.

  • ConstructLAT: A script that demonstrates how to construct the LAT of an array based on its NICs.

  • DisableScheduledContentDownloads: A VBScript script that disables all prefetcher jobs on Monday and Wednesday on a given array.

  • Enterprise_Destination: A VBScript script that adds a new destination set to the Enterprise, sets the array policy to use Array and Enterprise Policies, and configures the new rule to use the Enterprise destination. (Can be run only by an enterprise administrator.)

  • FetchUrl: A VBScript script that causes the Web proxy to fetch an object and store it in the Web proxy's cache. The cached object can be stored under a different name than the source object.

  • ListServers: A script that lists all the servers in a given array through the name property of the FPCArray object.

  • FindScheduledContentDownload: A VBScript script that receives an array name and a URL and checks to see if any job includes that URL.

  • SetCache: A VBScript sample that configures cache settings.

  • SetUpstreamRouting: A VBScript script that demonstrates how to set up upstream routing to another server using the RoutingRules collection and the RouteEntity object.

  • ShowAllProtocolRules: A script that lists all the protocol rules of an array by looping through the PrxProtocolRules collection.

  • ShowAllRoutingRules: A VBScript script that lists all the routing rules of an array by looping through the RoutingRules collection. The script also lists whether each routing rule is enabled or disabled and the action that the rule follows.

  • StaticFilter: A VBScript script that demonstrates how to add a static packet filter that allows NTP communication from the ISA server to the Internet.

Running Administration Scripts

You can run the sample scripts simply by double-clicking the script name in the sdk\samples\admin\Scripts directory, located on the ISA Server CD. You can also run a script by typing its full path at the Run prompt.

Some scripts might prompt you to enter information before performing their tasks. For example, when you run the CacheSettings script, you will be asked to enter an array name (or you can leave the field blank and click OK to specify the first array listed in the ISA Server MMC), as shown in Figure 25.20.

Figure 25.20: The CacheSettings Script Prompts You to Specify an Array Name

When you enter the information or click OK, the script will run and display its results, as shown in Figure 25.21.


Figure 25.21: The Script Runs and Displays the Results

Note

Some of the sample admin scripts are provided in both Visual Basic Script (VBS) and JavaScript (JS) versions; others are provided only in VBS.

Sample Filters

In addition to the sample scripts, Microsoft has provided in the SDK a number of sample filters to demonstrate how to create firewall, Web, and application filters. A readme.txt file is supplied with each sample filter, an example of which is shown in Figure 25.22.

Figure 25.22: Each Sample Filter Includes a Readme File That Provides More Information

The readme.txt file provides additional information about the filter and the purpose of each file included in the sample. The following are descriptions of included sample filters:

  • Connector: A console application that emulates an application protocol with a primary connection for control and secondary connections for data. The secondary connections can be inbound or outbound and can use either UDP or TCP.

  • ConnectorFilter: Enables a complex protocol that requires secondary connections on random ports and makes it possible for the Connector sample to work through Microsoft Proxy for PNAT clients and Winsock clients.

  • DbgDump: Registers for notifications on all possible events and installs data filters on all connections, then outputs information about the events to the debugger.

  • ExeBlock: Demonstrates the use of data filters and hooking into the proxy thread pool.

  • ServerSplit: Demonstrates the use of connection emulation for inbound connections.

  • SMTPFltr: Captures and analyzes data sent by external clients using the SMTP protocol. The proxy attaches a new instance of the data filter to every inbound port 25 TCP session. The filter can be configured to look for a particular string in the SMTP message.

  • SOCKS 4/4a: Demonstrates the use of SOCKS protocol version 4/4A.

  • SOCKS 5: Demonstrates the use of the SOCKS 5 protocol.
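
A per-session data filter like the one SMTPFltr describes sees the message in whatever chunks the transport delivers, so a string search has to carry state between chunks. The following is an added example, not SDK sample code, and it uses no ISA Server interfaces; the class name, the helper functions, the case-insensitive matching, and the sample chunks are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Hypothetical scanner: one instance per inbound session, as with a data filter.
class StreamKeywordScanner {
public:
    explicit StreamKeywordScanner(std::string keyword) : keyword_(to_lower(std::move(keyword))) {}

    // Feed one chunk; returns true once the keyword has appeared in the session.
    bool feed(const std::string& chunk) {
        if (matched_ || keyword_.empty()) return matched_;
        std::string window = tail_ + to_lower(chunk);
        if (window.find(keyword_) != std::string::npos) return matched_ = true;
        // Keep only the trailing bytes that could start a match finished by the next chunk.
        std::size_t keep = std::min(window.size(), keyword_.size() - 1);
        tail_ = window.substr(window.size() - keep);
        return false;
    }

private:
    std::string keyword_, tail_;
    bool matched_ = false;
};

// Stateful scan of a whole session, chunk by chunk.
bool scan_session(const std::vector<std::string>& chunks, const std::string& keyword) {
    StreamKeywordScanner scanner(keyword);
    for (const auto& c : chunks) if (scanner.feed(c)) return true;
    return false;
}

// Naive contrast: each chunk searched on its own, so a split keyword is missed.
bool naive_scan(const std::vector<std::string>& chunks, const std::string& keyword) {
    for (const auto& c : chunks) if (c.find(keyword) != std::string::npos) return true;
    return false;
}

int main() {
    std::vector<std::string> chunks = {"Subject: quarterly rep", "ort attached\r\n"};  // constructed
    std::cout << "naive=" << naive_scan(chunks, "report")
              << " stateful=" << scan_session(chunks, "report") << "\n";
}
```

The scanner retains at most one byte fewer than the keyword length between chunks, so per-session memory stays bounded regardless of message size.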

Using Third-Party Add-Ons

Even before Microsoft released the final version of ISA Server, several third-party vendors had begun to develop solutions to customize and enhance ISA's features and functionality. In many cases, Microsoft has partnered with these companies to provide complementary products for ISA.

Third-party add-ons include tools to add security features such as virus scanning, additional intrusion detection filters, integrated access control solutions, more comprehensive reporting and monitoring tools, and enhancements to simplify administrative tasks.

Types of Add-On Programs

The available add-on tools can generally be categorized as follows:

  • Administration and management tools

  • Reporting tools

  • Monitoring tools

  • Content security tools

  • Access control tools

  • Intrusion detection tools

  • Network protocol tools

In many cases, a vendor provides one tool that incorporates two or more of these functions. Most tools provide a user-friendly graphical interface. For example, GFI LANguard, shown in Figure 25.23, creates a custom console that includes the ISA Management snap-in along with the LANguard configuration tools. It links into ISA Server as an ISAPI extension so that alerting and reporting functions of ISA are integrated.

Figure 25.23: GFI LANguard Is a Third-Party Add-On That Creates a Custom Console, Which Includes the ISA Management Snap-In

Some of the features of LANguard include virus protection (scanning of HTTP and FTP files) with automatic virus signature updates, and monitoring of Internet usage (including notification to administrators when users access undesirable sites or blocking users from accessing those sites) based on keywords in the URL or Web page. Word macros can be automatically removed from communications, and potentially dangerous file types (executables, Word documents, and the like) can be "quarantined." LANguard can even verify that a file is of the type that its extension indicates (for example, it can verify that a file with the .AVI extension is in fact a video file). LANguard offers very granular control; the program retrieves a list of users and groups from your network and allows you to specify particular users when you create a rule.

Overview of Available Add-On Programs

Other add-on programs provide functionalities similar to those of LANguard. Some of the add-ons that are available or will soon be available include:

  • btPatrol from Burst Technology: A real-time monitoring tool. More information is available at www.burstek.com/isaserver.

  • LANguard from GFI: Content filtering and antivirus protection. More information is available at www.gfi.com/isaserver.

  • WebTrends firewall suite: Analyzes ISA Server activity and generates custom reports. More information is available at www.webtrends.com/isaserver.

  • SmartFilter for ISA from Secure Computing: Allows you to control Internet access in a manner tailored to your network's needs. More information is available at www.securecomputing.com/isaserver.

  • AppManager for ISA Server from NetIQ: Monitors ISA modules and services. More information is available at www.netiq.com/isaserver.

  • SuperScout for ISA Server from SurfControl: Enhances management of Internet access in the corporate environment. More information is available at www.surfcontrol.com/products/web/msisa.

  • RealSecure from ISS: Enhances the ISA intrusion detection filters. More information is available at www.iss.net/isaserver.

Additional information about third-party add-ons is available at www.isaserver.org.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
