Microsoft ISA Server 2004 Firewall

Microsoft ISA Server 2004 is a hybrid stateful packet-inspecting, circuit-filtering, and application layer proxy firewall. By hybrid, we mean that it can provide any of those functionalities at any given time based on the traffic it is receiving. If it has an application filter for the given protocol or application, it will function as an application proxy firewall for that traffic. If it does not, it will resort to either stateful packet inspecting or circuit filtering as required. In addition, ISA Server 2004 includes virtual private networking (VPN) and caching capabilities, allowing it to function as an all-in-one device that, as one would expect, integrates pretty cleanly with Microsoft-centric environments.

Before we look at the features of Microsoft ISA Server 2004, let's talk about the elephant in the room, namely the perception that ISA Server 2004 is not a "real" firewall. This perception is largely the result of misinformation, lack of education regarding the product, and simple dislike/disregard of anything Microsoft being remotely considered as a security solution. When you look at ISA Server 2004 with an honest and skeptical eye, it is relatively easy to cut through many of the fallacies and realize that Microsoft ISA Server 2004 is an effective and practical firewall solution.

First on the list of misconceptions is the statement that any firewall running on a Windows platform cannot be secure. This is just not factually accurate. All firewalls run on some operating system. In the case of firewalls such as the Cisco PIX Firewall or Check Point SecurePlatform, the operating system is specialized and hardened for use on a firewall. Windows, out of the box, is not designed to be run on a firewall, but it can be effectively secured and hardened following the principles of running the minimum required services and functionality necessary to operate as a firewall alone. Some excellent resources detail how to effectively secure the underlying Windows operating system:

NSA Security Configuration Guides
http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1
Hardening the Windows Infrastructure on the ISA Server 2004 Computer
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx
Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
ISA Server 2004 Security Hardening Guide
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

Note

Keep in mind that many of the procedures for Windows 2000 are applicable to Windows 2003 and vice versa, so do not hesitate using both the Windows 2000 and 2003 guides regardless of your actual operating system

Another frequent misconception is that ISA Server 2004 is "just" an upgrade to Microsoft Proxy Server 2.0. Although ISA Server 2004 is indeed the logical upgrade to Proxy Server 2.0 (technically, ISA Server 2000 is the direct upgrade to Proxy Server 2.0), that is not to say that ISA Server 2004 is just a proxy server. Proxy Server 2.0 had absolutely no advanced firewall features. It was primarily a caching engine with basic packet-filtering capabilities. Microsoft ISA Server 2004 is a fully featured firewall, capable of performing stateful packet inspection as well as application layer filtering and proxying. In addition, it can function as a caching engine. Simply put, trying to claim that because ISA Server 2004 is an upgrade to Proxy Server it is therefore not a "real" firewall has absolutely no technical merit.

Microsoft ISA Server 2004 Features

Microsoft ISA Server 2004 consists of two editions: Standard Edition and Enterprise Edition. The predominant differences between the Standard and Enterprise editions relate to scalability. Table 8-1 summarizes the differences between the Standard and Enterprise editions.

Table 8-1. Comparison of ISA Server 2004 Standard and Enterprise Editions
Feature	Standard Edition	Enterprise Edition
Networks	Unlimited	Unlimited, with the addition of enterprise networks (networks that can be applied to any firewall array anywhere in the enterprise)
Scale up	Up to 4 CPUs and 2-GB RAM	Unlimited (per operating system)
Scale out	Single server	Up to 32 nodes using Microsoft Network Load Balancing (NLB)
Caching	Single server store	Unlimited (through the use of Cache Array Routing Protocol (CARP))
High availability	None	Yes (using NLB)
Management	Local management and configuration	Array and enterprise-level configuration
Underlying operating system	Microsoft Windows Server 2003 (Standard or Enterprise Edition), Microsoft Windows 2000 Server or Advanced Server with Service Pack 4 (SP4) or later, or Windows 2000 Datacenter Server	Microsoft Windows Server 2003 (Standard or Enterprise Edition)

As you can see, if you need multiple ISA servers working in tandem, or need additional memory and processors, you need to use the Enterprise Edition. Similarly, if you need a high-availability solution, use Enterprise Edition.

In general, Microsoft ISA Server 2004's firewall features can be categorized as follows:

Security and filtering features
Firewall clients and authentication
Web caching server functionality
Network services publishing
VPN functionality
Management and administration features
Miscellaneous features

Security and Filtering Features

The Microsoft ISA Server 2004 firewall is a hybrid firewall capable of performing the following:

Stateful packet inspection ISA Server 2004 can perform full stateful packet inspection and filtering of all traffic passing through the firewall.
Circuit filtering ISA Server 2004 can perform application-transparent circuit filtering to a host of protocols, including Telnet, RealAudio, Windows Media technologies, and Internet Relay Chat (IRC). This filtering occurs at the transport or session layer as opposed to the application layer. This proxy functionality works in conjunction with the stateful packet-inspection functionality.
Application filtering ISA Server 2004 can act as an application proxy and filter traffic for a number of protocols including HTTP, FTP, and Gopher. This allows Microsoft ISA Server 2004 to act on behalf of clients, hiding and protecting the client from external resources and threats.

Microsoft ISA Server 2004 can perform these filtering functions in a multidirectional method, supporting as many network interfaces as the physical hardware can contain. This allows for the creation of multiple demilitarized (DMZ) segments, allowing for the creation of unique filtering rulesets on a per-DMZ segment basis. Of course, filtering of traffic for/from the internal and external networks is also available.

Microsoft ISA Server 2004 also supports basic intrusion detection functionality, although full intrusion detection system (IDS) functionality is best provided through the integration of third-party products such as ISS RealSecure or similar products. Currently, ISA Server 2004 can natively detect the following intrusion/attack attempts:

WinNuke
Ping of death
Land attack
IP half scan
Port scan
UDP bomb
POP3 buffer overflow
SMTP buffer overflow
DNS zone transfer
DNS length overflow
DNS host name overflow

Firewall Clients and Authentication

Microsoft ISA Server 2004 supports the following three types of firewall clients for systems that are attempting to access resources outside the protected network:

SecureNAT client
Firewall client
Web proxy client

SecureNAT Client

The SecureNAT client is effectively any device that attempts to communicate through the ISA Server 2004 firewall without being configured as one of the other firewall types. For all intents and purposes, this is the traditional "point to the firewall as the default gateway to communicate" type of a client. Therefore, practically any type of TCP/IP network host can communicate through the firewall as a SecureNAT client. Although easy to implement (there is no special configuration required beyond just enabling network communications on the host), the SecureNAT client is the least secure and capable of the firewall clients. SecureNAT clients cannot be configured to authenticate with the firewall to determine what access should be permitted, nor can they access resources requiring complex protocols (protocols that require multiple connections; for example, standard FTP [port] mode connections) without the use of application filters installed on the firewall itself.

Firewall Client

The ISA Server 2004 firewall client is one of the components to an ISA Server 2004 solution that really separates it from the competition in terms of the kind of control over access that can be managed. The firewall client software can be installed on any Windows-based client, which is a limitation in environments that use Linux, Sun, UNIX, or Mac computers. Once implemented, however, the firewall client enables you to define access to external resources based on users and groups and authenticate all access requests to ensure that only the users you have specified are allowed to communicate. It also enables you to define how they can communicate. This authentication information is stored in the firewall log files, making it easy to perform a forensic analysis to determine what sites, protocols, and applications the user was running or accessing.

Perhaps the most powerful feature of the firewall client is the ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to function on the client or allowing only certain ports on the client to be used for communications). For example, a relatively difficult task to perform with most firewalls is to prevent instant messaging and peer-to-peer applications from being used by the users. Instant messaging applications can almost all use HTTP (or any other protocol) as the transport protocol, making it difficult to effectively block at the firewall. Similarly, many peer-to-peer applications can do the same thing. With the firewall client, you can define the names of applications that should not be allowed to run; they will be blocked by the firewall client software. Keep in mind that if the users can rename the application executable, they can bypass these restrictions.

Web Proxy Client

The web proxy client is used anytime a computer is configured via its web browser to use a proxy, and the ISA Server 2004 server is specified as the proxy. Although web browsers are the most commonly implemented applications that use proxies, instant messaging software and other applications that support using a proxy can also be configured as web proxy clients.

The web proxy client enables you to improve the performance of web access because the data can be cached by the firewall and served to the clients out of cache. This also reduces bandwidth requirements, as discussed in the next section. The web proxy client also supports using authentication for access, similar to the firewall client, thus providing a mechanism to control and track access on a user basis.

Web Caching Server Functionality

Although technically not a firewall or security feature, the ISA Server 2004 server provides full caching server functionality. This allows the server to transparently cache web request and then service subsequent requests out of cache, thus reducing the amount of bandwidth that is used for client web browsing. This also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients.

Network Services Publishing

To provide access to protected resources, ISA Server 2004 implements what are known as publishing rules. These rules are used to provide inbound/ingress filtering functionality to resources that are being protected by the firewall. For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically web server publishing rules) to "publish" or provide access to the protected web server resource.

There are four types of publishing rules:

Web server publishing rule
Secure web server publishing rule
E-mail server publishing rule
Server publishing rule

As you would expect, the first three rules are specialized to handle the corresponding types of network services. The server publishing rule is the generic catchall rule type for any and all other publishing requirements.

VPN Functionality

Microsoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as a component in a site-to-site VPN as well as a termination point for remote access VPN services. Although previous versions supported Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunnel Protocol / IP Security (L2TP/IPsec) VPN protocols, ISA Server 2004 also supports native IPsec tunnel mode VPN implementations.

Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also perform stateful packet filtering and inspection on VPN traffic that is passing through the firewall, providing additional security and control of all traffic that is entering or exiting the protected network. Doing so enables you to perform actions such as limiting your remote sales users to a subset of servers and services on the protected network.

Management and Administration Features

Arguably some of the most deficient aspects of previous versions of ISA Server were the fact that the management interface was not intuitive, the access rule management methodology was contrary to almost every other product out there, and the monitoring and reporting capabilities left a lot to be desired. ISA Server 2004 has gone a long way toward improving these deficiencies.

Management Interface

As shown in Figure 8-2, ISA Server 2004 takes advantage of the Microsoft Management Console to provide a management interface. This management console can either be accessed locally on the ISA server by using Terminal Service (TS) or Remote Desktop (RDP) to start a terminal session, or can be installed on a remote system (such as the administrators desktop) to allow for remote management of all ISA Server 2004 resources in the environment. In the case of TS or RDP, the TS/RDP process handles protection and encryption of the data over the network. In the case of installing the management console on a remote system, Microsoft is intentionally vague as to what if any encryption or protection of the data that is transmitted between the management console and the ISA Server 2004 server occurs. Like all Microsoft products, administrative access is granted through the use of Microsoft users and groups, as well as by defining individual or ranges of IP addresses that are allowed to make management connections.

Figure 8-2. ISA Server 2004 Management Console

In addition, some third-party web-based management interfaces can be implemented, allowing for the management of the ISA server to be performed via a web browser, thus eliminating the need to install a management client for remote management.

Access Rule Management

Access rule management has also been greatly simplified, following well-defined conventions that have been long established for firewall rule management. Unlike server publishing rules, which are designed for defining inbound/ingress filters, access rules are used to define outbound/egress filters to protect traffic that is sourced from a protected network. Rules have the following components that can be defined in a wizard-driven fashion:

Rule name
Rule action (permit/deny)
Protocol the rule applies to
Source traffic
Destination traffic
Users to which the rule applies

An important distinction to be aware of is that for SecureNAT clients, rules that are set to apply to all IP traffic actually only apply to defined protocols, so you need to ensure that you define any protocols that you want to filter based on.

Monitoring and Reporting

Although monitoring and reporting are some of the less-elegant aspects of firewall management, Microsoft made significant improvements to the monitoring and reporting features of ISA Server 2004, providing the following capabilities:

Real-time monitoring of log entries and firewall sessions
Report customization and publishing
E-mail notification
Configurable log summary start times (the ability to pick any start time, as opposed to having to use a defined start time such as midnight everyday)
Improved SQL logging (the ability to log to a SQL server, thereby allowing for the use of advanced SQL tools to query the database and build custom reports)
Microsoft Data Engine (MSDE) logging capabilities

Miscellaneous Features

Although the ability to support multiple networks may sound like a given, multinetwork support is actually a new feature of ISA Server 2004, allowing it to be implemented in enterprise environments that contain multiple networks (both internal and perimeter networks such as DMZ segments). In conjunction with this, you can define the relationships between the networks and then use this information during rule creation. By default, ISA Server 2004 supports the following networks:

The internal network (this is the subnet directly connected to the internal interface of the firewall)
The external network (any IP addresses that do not belong to another network)
The VPN clients network (any IP addresses which are assigned to VPN clients)
The local host network (the IP addresses of the firewall itself)

Remote VPN users represent one of the bigger security risks for most environments. These users typically connect to all sorts of networks that are outside of the control of the IT department and then attempt to connect to their corporate network. This allows the VPN client to become a carrier of viruses, worms, and other malicious software and content, thereby spreading it to the corporate network when they establish their VPN connection. To help mitigate this risk, ISA Server 2004 includes VPN Quarantine Control. With VPN Quarantine Control, ISA Server 2004 can be configured to enforce policies on the VPN clients, including the following:

All security updates and service packs defined by the administrator must be installed.
The client must have antivirus software installed and enabled.
The client must have personal firewall software installed and enabled.

If these conditions are not met, the VPN client will not be connected to the VPN and gain access to the full network resources; instead, they will be connected to a limited-access network where they can download and apply any required patches and updates. Although this does not remove any malicious software from the VPN client computer, by requiring only patched and updated systems to connect you can help ensure that the VPN client computer is less susceptible to threats.

Microsoft ISA Server 2004 Requirements and Preparation

ISA Server 2004 can be a relatively complex product to implement. A number of system requirements and recommendations should be implemented before installing and configuring ISA Server 2004. Table 8-2 details the system requirements as well as my recommendations beyond the system requirements.

Table 8-2. System Requirements
Component	Minimum	Recommended
Processor	Single Pentium III 550 MHz	Single or dual Xeon 3 GHz
Memory	256 MB	2 GB
Disk space	150 MB	Mirrored or RAID5 36-GB capacity with separate disks for caching (if implemented)
Network	At least two 10/100-Mbps network adapters	At least two 100/1000-Mbps network adapters
Operating system	Microsoft Windows 2000 Server or Advanced Server with SP4 or later	Microsoft Windows Server 2003 (Standard or Enterprise Edition)

In addition to the system requirements, you need to harden the operating system prior to installing ISA Server 2004 on the system. Use the guides mentioned early in the "Microsoft ISA Server 2004 Firewall" section as a basis for securing the underlying operating system as well as the Microsoft ISA Server 2004 software.

Of particular importance is to harden the external network interface (at a minimum) to remove all clients, services, and protocols except TCP/IP itself, as shown in Figure 8-3.

Figure 8-3. External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all the networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2.

Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should be used. All other services should be disabled.

Table 8-3. Service Requirements
Service Name	Function/Purpose	Startup Mode
COM+Event System	Core operating system	Manual
Cryptographic Services	Core operating system (security)	Automatic
Event Log	Core operating system	Automatic
IPSec Services	Core operating system (security)	Automatic
Logical Disk Manager	Core operating system (disk management)	Automatic
Logical Disk Manager Administrative Service	Core operating system (disk management)	Manual
Microsoft Firewall	Required for normal functioning of ISA Server 2004	Automatic
Microsoft ISA Server Control	Required for normal functioning of ISA Server 2004	Automatic
Microsoft ISA Server Job Scheduler	Required for normal functioning of ISA Server 2004	Automatic
Microsoft ISA Server Storage	Required for normal functioning of ISA Server 2004	Automatic
MSSQL$MSFW	Required when MSDE logging is used for ISA Server 2004	Automatic
Network Connections	Core operating system (network infrastructure)	Manual
NTLM Security Support Provider	Core operating system (security)	Manual
Plug and Play	Core operating system	Automatic
Protected Storage	Core operating system (security)	Automatic
Remote Access Connection Manager	Required for normal functioning of ISA Server 2004	Manual
Remote Procedure Call (RPC)	Core operating system	Automatic
Secondary Logon	Core operating system (security)	Automatic
Security Accounts Manager	Core operating system	Automatic
Server	Required for ISA Server 2004 Firewall Client Share	Automatic
Smart Card	Core operating system (security)	Manual
SQLAgent$MSFW	Required when MSDE logging is used for ISA Server 2004	Manual
System Event Notification	Core operating system	Automatic
Telephony	Required for normal functioning of ISA Server 2004	Manual
Virtual Disk Service (VDS)	Core operating system (disk management)	Manual
Windows Management Instrumentation (WMI)	Core operating system (WMI)	Automatic
WMI Performance Adapter	Core operating system (WMI)	Manual

How the Microsoft ISA Server 2004 Firewall Works

Almost all management functions for ISA Server 2004 firewalls are performed with the ISA Server management console. This is a Microsoft Management Console (MMC)-based management console that is either run on the ISA server itself (and typically accessed via RDP/TS) or must be installed separately on the remote management workstation (via the ISA Server 2004 installation program). Figure 8-4 shows the ISA Server 2004 management console.

Figure 8-4. ISA Server 2004 Management Console

To perform remote administration of ISA Server 2004 firewalls using the management console, the management workstation must be added to the Enterprise Remote Management Computers (to manage all firewalls in the enterprise) or the Remote Management Computers (to manage a single firewall in the enterprise) computer set, and then remote management must be enabled. The easiest way to do this is to right-click the Firewall Policy object in the management console and choose Edit System Policy. Under the Remote Management configuration group, select Microsoft Management Console and ensure that Enable is checked on the General tab. Next, click the From tab and choose the appropriate group that you want to update, as shown in Figure 8-5, and then click Edit.

Figure 8-5. Modifying Remote Management Rules

At the Properties screen, add, edit, or delete systems that will be allowed to perform remote management on the firewalls. When you have finished, click OK to close any open windows, returning to the management console. Before any configuration changes are actually performed on the ISA servers, the last task is to select to either apply or discard the changes, as shown in Figure 8-6.

Figure 8-6. Applying Configuration Changes

Note

Keep in mind that any time you are applying or discarding changes you make, if you have made multiple changes then you are selecting to apply or discard all of the changes, or in the event of firewall policy changes, you are selecting to apply or discard the entire firewall policy. Make sure you are comfortable with any and all changes you have opted to make before you decide to click Apply.

To understand how the Microsoft ISA Server 2004 firewall works, it is important to identify the specific functions that an ISA Server 2004 firewall can perform:

Filter outbound access
Publish internal resources
Perform application filtering
Configure system policy rules
Configure client access methods
Cache web data

Filtering Outbound Access

ISA Server 2004 manages and applies all rules in what is known as a firewall policy. Two general classifications of rules, publishing rules, are used to define access from external sources to internal/protected resources, to external destinations.

Access rules consist of the following policy elements:

Rule action This defines whether traffic should be allowed or denied when the rule conditions are met.
Protocols This is where you specify the protocols to which the rule applies. These can be any Layer 3 (IP level) protocol, any Layer 4 (transport layer) port number, or any ICMP properties.
Source This is where you define the source of the traffic that the rule will apply to, typically an internal network.
Destination This is where you define the destination of the traffic that the rule will apply to, typically an external network.
User sets This is where you define the users that the rule will apply to. To take advantage of user sets, you cannot be using the SecureNAT firewall client because it has no means of performing authentication.
Content types This is where you define the Multipurpose Internet Mail Extensions (MIME) types and file extensions that the rule will apply to. Content types can only be specified and used with rules for the HTTP and tunneled FTP (FTP that is handled by the Microsoft ISA Server 2004 web proxy filter) protocols, allowing you to define what specific content will be permitted (for example, denying .exe extensions in URL requests).
Schedules This is where you define the schedule during which the rule will be applied. Schedules only apply to new connections; existing connections that are in place outside of the hours that the schedule has defined are not disconnected automatically.

Building the access rule is a largely wizard-driven process, with the exception of configuring the content types and schedule, which must be done by editing the properties of an existing rule. Just right-click the firewall policy and choose New > Access Rule, as shown in Figure 8-7.

Figure 8-7. Creating an Access Rule

This will begin the New Access Rule Wizard. At the Welcome screen, assign an appropriate access rule name and click Next. At the Rule Action screen, select to Allow or Deny the traffic as appropriate and click Next. At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selected Traffic, or All Outbound Traffic Except Selected Traffic. If you choose the latter, you must click Add to specify the protocols that the rule applies to. For example, Figure 8-8 shows a rule being created that applies to the HTTP protocol only.

Figure 8-8. Protocols Screen

When you have finished, click Next to be presented with the Access Rule Sources screen. Click Add to specify the traffic source that this rule will apply to. Figure 8-9 shows the Add Network Entities screen that is accessed by clicking Add.

Figure 8-9. Add Network Entities Screen

After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only web proxy clients and firewall clients perform authentication; so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All Users, as shown in Figure 8-10.

Figure 8-10. User Sets Screen

Review the rule configuration and click Finish. At this point, the rule has been created but not applied to the firewall. Just click Apply in the MMC as previously discussed.

If you need to change any of the rule settings, including editing the content type or schedule configuration, just right-click the rule and choose Properties or Edit System Rule as appropriate for the corresponding rule.

Publishing Internal Resources

Publishing internal resources follows largely the same process as creating an access rule. It is a wizard-driven process, but the focus of a publishing rule is allowing access to protected resources, as opposed to access rules (which allow access from protected resources).

Regardless of which type of publishing rule you need to create, the process is fairly similar. The first step is to right-click the firewall policy and select to create a new publishing rule (for example, a web publishing rule) and follow the wizard. At the Welcome screen, enter the appropriate rule name and click Next. At the Select Rule Action screen, specify whether traffic that matches the rule should be permitted or denied and click Next. Figure 8-11 shows the Define Website to Publish screen. This is where you specify the information for the internal server that is hosting the website. Enter the appropriate information and click Next. For example, if you use host headers to allow multiple websites to exist on the same physical server, you will want to check the box to Forward the original host header instead of the actual one (specified above). This will cause the ISA server to actually keep the host header information, instead of just routing all web requests to the default website on the internal web server. One of the nice features of the web publishing rule is the ability to specify individual folders on the website that the rule will apply to. When you have finished, click Next.

Figure 8-11. Define Website to Publish Screen

At the Public Name Details screen, you enter the information that the website will be known to the public as (for example www.cisco.com). You can also define the public path that the Microsoft ISA Server 2004 server will advertise. Figure 8-12 illustrates this screen.

Figure 8-12. Public Name Details Screen

When you have finished, click Next. Doing so brings you to the Select Web Listener screen. The web listener allows you to define the external IP address and port number that the firewall will listen for requests for this rule on. If you do not already have a listener defined, you can click New to launch the New Web Listener Definition Wizard. Doing so enables you to define the interfaces and IP addresses as well as the port numbers that the rule will use. You can also define the internal path that the web request will be directed to on the internal web server. In most cases, the internal and external paths will match; if you want the external path to redirect to a different internal path, however, you can specify different settings. For example, if you want http://www.cisco.com/sales.htm to redirect on the internal web server to http://www.cisco.com, you specify an external path of http://www.cisco.com/sales.htm and an internal path of /*. After you have defined the listener, just select it from the Web Listener drop-down dialog box, as shown in Figure 8-13, and click Next.

Figure 8-13. Select Web Listener Screen

At the User Sets screen, select the users who the rule will apply to and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console.

Performing Application Filtering

ISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console. For web filters, just right-click an HTTP or HTTPS rule and select Configure HTTP. By default, Microsoft ISA Server 2004 supports the following HTTP application-filtering options:

Maximum header length (in bytes)
Maximum payload length (in bytes)
URL length and query length protection (in bytes)
URL normalization and high bit character blocking
Windows executable blocking
User defined HTTP method filtering (for example, denying POST methods)
File extension filtering
User-defined HTTP header content
User-defined signature content filtering

For application filters, most can be managed from the add-ins screen, as shown in Figure 8-14.

Figure 8-14. Application Filters

A notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default, both intrusion detection and DNS attack detection is enabled).

Configuring System Policy Rules

Access rules and server publishing rules control the access to and from networks protected by the firewall. To control access to the firewall itself, system policy rules have been created. These rules do not show up by default when you view the firewall policy, but they can be enabled by selecting the firewall policy and then clicking Show System Policy Rules. Doing so causes all system policy rules to display in addition to any access and publishing rules, as shown in Figure 8-15.

Figure 8-15. Displaying the System Policy Rules

You can add, change, and delete the system policy rules manually, or you can edit the system policy via a graphical user interface (GUI) by right-clicking the firewall policy and selecting Edit System Policy. Doing so launches the System Policy Editor screen, as shown in Figure 8-16.

Figure 8-16. System Policy Editor Screen

The System Policy Editor enables you to configure everything from what systems are allowed to remotely manage the firewall to how the firewall performs its authentication tasks.

Configuring Client Access Methods

As previously mentioned, Microsoft ISA Server 2004 supports three firewall clients: the SecureNAT client, the firewall client, and the web proxy client. The SecureNAT client really is not a client at all. Instead, any system that accesses the firewall via TCP/IP that is not one of the other client types is a SecureNAT client.

Configuring the Web Proxy Client

The web proxy client is any system that has been configured to use a proxy for Winsock applications. This is typically done in the client web browser settings, specifying the IP address and port number that should be used to access the proxy server. From the ISA server side, the web proxy configuration is performed by clicking Networks in the management console to open the Networks configuration screen and then right-clicking the internal network and selecting Properties, as shown in Figure 8-17.

Figure 8-17. Selecting the Internal Network Properties

From the Internal Network Properties screen, select the Web Proxy tab and specify whether to enable web proxy clients (by default, they are enabled) and define the port number that the clients will connect on. You can click Authentication to define which users will/will not be permitted access. Figure 8-18 shows the Web Proxy tab.

Figure 8-18. Web Proxy Configuration

Configuring the Firewall Client

Configuring the firewall client is a little bit more involved than the other client configurations. First, the firewall client must be installed on the client computers. This can be done in the following manners:

Via file sharing and manually running the installation
Via Active Directory Group Policy
Via silent installation scripts and integration with login scripts
Via Microsoft Systems Management Server (SMS)

During the firewall client installation, you must specify the ISA server that the firewall client will get its configuration from. This step allows you to manage the firewall client configuration at a single location, the ISA Server 2004 firewall itself, and ensure that all firewall clients receive the same configuration settings.

On the ISA server itself, two general firewall client configuration tasks need to be performed.

Step 1.	Configure the general firewall client configurations settings.
Step 2.	Configure the firewall client application settings.

The firewall client general configuration is performed in a similar fashion to the web proxy client configuration. Just right-click the appropriate network in the management console, choose Properties, and then select the Firewall Client tab, as shown in Figure 8-19.

Figure 8-19. Firewall Client Tab

Doing so enables you to define settings such as the configuration script that should be used and whether the client should use a proxy server. In addition, you can specify the names of domains that the firewall client should not apply to by selecting the Domains tab and entering the domain name.

The firewall client application settings can be configured by clicking General in the management console then clicking Define Firewall Client Settings. Doing so launches the Firewall Client Settings screen, as shown in Figure 8-20. On this screen, you can define applications that will or will not be permitted to run on the client computer and how permitted applications will be allowed to communicate on the network. An important thing to keep in mind is that the application name is a constant; so if the users change the name of the application (for example, from kazaa.exe to happy.exe), the firewall client settings no longer apply, because the application name no longer matches the name that was defined. An alternative is to use third-party products that integrate with Microsoft ISA Server 2004.

Figure 8-20. Firewall Client Settings Screen

Caching Web Data

Configuring the firewall to cache web data is a straightforward process. In the management console, navigate to the Cache screen, right-click the server, and choose Properties to launch the Server Cache Properties screen, as shown in Figure 8-21. Notice how the Cache icon has a red arrow pointing down, denoting that caching is not currently enabled.

Figure 8-21. Launching the Cache Properties Screen

To enable caching, just select the drives and the maximum cache size and click Set. When you have finished, click OK and then click Apply to apply the configuration change to the firewall. You must restart the ISA services before the caching functionality will be enabled.

When caching has been enabled, you can define rules regarding what data should be cached and how it should be cached by selecting the Cache Rules tab from the Cache screen and defining an appropriate rule. Like most other tasks in Microsoft ISA Server 2004, this is a wizard-driven process that is relatively straightforward and easy to understand.

Microsoft ISA Server 2004 Checklist

Enabling and configuring Microsoft ISA Server 2004 can be a relatively complex task. It is not something that should be performed without extensive planning and design prior to implementation. To get a basic ISA Server 2004 implementation in place and operational, the following tasks should be performed:

Step 1.	Install the underlying operating system.
Step 2.	Ensure that network services such as DNS are functioning properly.
Step 3.	Configure routing on the firewall as required.
Step 4.	Determine the firewall clients that will be implemented.
Step 5.	Determine the edition of Microsoft ISA Server 2004 that is most appropriate for your environment.
Step 6.	Install ISA Server 2004.
Step 7.	Harden the appropriate underlying operating system and applications.
Step 8.	Configure the system policy rules.
Step 9.	Configure access rules (filter outbound access).
Step 10.	Configure server publishing rules (filter inbound access).
Step 11.	Enable web data caching.
Step 12.	Configure the firewall clients accordingly.
Step 13.	Perform application filtering.
Step 14.	Configure additional functionality (that is, VPN, remote logging, and so on) as required.