Configuring ISA Server 2004 on a Computer with a Single Network Adapter

This document provides information about supported scenarios and limitations when running Microsoft Internet Security and Acceleration (ISA) Server 2004 on a computer with a single network adapter, and includes:

  • Procedures for configuring ISA Server with a single network adapter
  • Information about supported scenarios
  • Information about unsupported scenarios
  • Description of common issues

Typically, you would use a single network adapter configuration when ISA Server is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge connecting and protecting corporate resources from the Internet.

When installed on a computer with a single network adapter, ISA Server supports the following scenarios:

  • Forward Web Proxy requests using Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), or File Transfer Protocol (FTP) for downloads
  • Cache Web content for use by clients on the corporate network
  • Web publishing to protect published Web or FTP servers
  • Microsoft Office Outlook Web Access 2003, ActiveSync, and remote procedure call (RPC) over HTTP publishing

Configuring ISA Server with a Single Network Adapter

Supported Scenarios

Unsupported Scenarios

Common Issues

Additional Information

Configuring ISA Server with a Single Network Adapter

When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all unicast Internet Protocol (IP) addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.

Configure the Internal Network During Setup

During Setup of ISA Server 2004 on a computer with a single network adapter, specify all IP address ranges for the Internal network, excluding the following:

  • 0.0.0.0
  • 255.255.255.255
  • 224.0.0.0-254.255.255.255 (multicast)
  • 127.0.0.0-127.255.255.255

Apply a Network Template

ISA Server includes a number of predefined network templates that respond to common network topologies. When you install ISA Server on a computer with one network adapter, we recommend that you configure the ISA Server Single Network Adapter network template. To do this, use the Network Template Wizard, as follows.

To apply the Single Network Adapter template

  1. In ISA Server Management, expand the Configuration node, and then click Networks.

  2. On the Templates tab, click the Single Network Adapter template.

  3. On the Welcome page of the Network Template Wizard, click Next.

  4. On the Export the ISA Server Configuration page, click Export to export your current configuration before applying the Single Network Adapter template. Then click Next.

    Warning

    When you apply a network template, the new template overwrites all current rules (except system policy rules) and network configuration settings.

  5. On the Internal Network IP Addresses page, specify settings for the Internal network. Then click Next.

    Note

    The default configuration proposed for the Internal network IP address range is:

    • 0.0.0.1 to 126.255.255.255 and 128.0.0.0 to 255.255.255.254.
    • This includes all IP addresses except 0.0.0.0, 255.255.255.255, and the address ranges 127.0.0.0–127.255.255.255 (localhost).
    • We recommend that you also exclude 224.0.0.0-254.255.255.255 (multicast).
  6. On the Select a Firewall Policy page, click Apply default Web proxying and caching configuration, and then click Next.

Note

This creates a default access rule denying traffic to all networks. After setting up the template, create the policy rules required to allow Internet access to Web clients, configure caching as required, and create Web publishing rules to control access to servers protected by ISA Server.

  1. Check the settings for the new template, and click Finish to complete the wizard.
  2. In ISA Server Management, click Apply to save the new settings.

After applying the Single Network Adapter network template, the following network and access rule settings are configured:

  • Local Host network: 127.0.0.0–127.255.255.255.
  • Internal network: equals everything else, where everything else is:
    • 0.0.0.1–126.255.255.255
    • 128.0.0.0–255.255.255.254
  • Default access rule: denies access to all locations.

This is the set of addresses defined by RFC 791 and related RFC updates. Addresses outside this scope are not generally allocated for the Internet or for intranets.

Note

If you excluded the multicast addresses in addition to 0.0.0.0, 255.255.255.255 and 127.0.0.0.-127.255.255.255.255, the Internal network range will be as follows:

0.0.0.1 - 126.255.255.255, 128.0.0.0 - 223.255.255.255.255, 255.0.0.0 - 255.255.255.254.

Supported Scenarios

ISA Server supports the following scenarios when installed on a computer with a single network adapter:

  • Forward Web proxy and caching
  • Web publishing and Outlook Web Access Publishing

Forward Web Proxy and Caching

When ISA Server is installed on a computer with a single network adapter and configured with the Single Network Adapter template, you can deploy it as a forward proxy and caching server. In this configuration, ISA Server proxies requests from internal clients to remote networks such as the Internet, and can maintain a cache of frequently requested Internet objects to provide Web browser clients with optimized access. Note the following when configuring ISA Server with a single network adapter in a forward Web proxy and caching configuration:

  • Only Web Proxy requests are supported.

  • In a scenario where ISA Server is behind another edge firewall, Web Proxy clients send URL requests to the ISA Server computer. ISA Server checks whether the Web object can be served from the cache. If the page is not cached or has expired, ISA Server makes an Internet request through the edge firewall. The edge firewall handles the ISA Server request in accordance with its access settings, which may or may not allow the request. If allowed, the Web object is returned through the edge firewall to ISA Server, which places the object into its cache in accordance with cache settings, and forwards the cached object to the Web Proxy client.

  • Rules allowing client access through the ISA Server computer should be configured with source addresses using only actual internal IP addresses. This is required because every IP address is considered part of the Internal network, except for the loop back address. The destination network should either use the Internal network, or a specific address as required.

  • If Web pages include items requiring protocols other than HTTP and FTP (download), Web Proxy clients accessing the site through ISA Server with a single network adapter cannot access this traffic through ISA Server. You can configure direct access on network settings to allow this.

  • To provide access to the Internet on the ISA Server computer itself, you must either modify system policies, or create access rules from Local Host to Internal. Even with the Single Network Adapter template applied, ISA Server still protects itself from the Internal network, and system policy or access rules are needed to control traffic between the two networks.

    Note

    This behavior differs from ISA Server 2000 in cache-only mode, which did not filter traffic from any network.

Configure Forward Web Proxy and Caching

Configuration of forward Web proxy and caching consists of the following process:

  • Configure client proxy settings. Configure Web Proxy settings on client browsers to point to ISA Server or use automatic configuration. For more information about automatic configuration, see Automatic Discovery for Web Proxy and Firewall Clients at the Microsoft TechNet Web site.
  • Configure the Internal network to listen for Web Proxy client requests. The network must be configured to listen for requests from Web Proxy clients.
  • Configure authentication on the Internal network. To ensure that Web Proxy client requests are authenticated, you can choose to configure authentication on the network, or on specific access rules. If you choose to set Require all users to authenticate on the Internal network properties, the following will occur:
    • All users must authenticate, and no anonymous requests will be allowed.
    • ISA Server will always ask for user credentials before checking access rules. If Require all users to authenticate is not enabled, client credentials are only requested if client authentication is required to validate an access rule match.
  • Enable caching. If you want to enable caching for Web objects, enable caching on ISA Server by setting a cache size to greater than zero, and then configure cache rules to maintain frequently requested Web objects to be available from the cache for client requests.
  • Configure cache rules. Set up cache rules to specify which objects are in the cache, and how they are served to clients. Before ISA Server makes a request to the Internet, it checks whether the requested object is available in the cache, and provides it to the user in accordance with cache rules.
  • Configure access rules. After applying the Single Network Adapter template, there is a single access rule denying access to all networks. Although all IP addresses are considered part of the Internal network in a single network adapter scenario, client requests are denied by this default rule. Set up access rules to allow Web clients to use HTTP, and HTTPS and FTP if required. The source and destination networks for this rule should be set to Internal.

To configure client proxy settings (Internet Explorer)

  1. Open Internet Explorer on the client computer.
  2. Click the Tools menu, and then click Internet Options.
  3. On the Connections tab, click LAN Settings.
  4. To specify that a Web Proxy client should use the auto-detection feature to locate an ISA Server computer for Web requests, select Automatically detect settings. Web Proxy clients can use this feature to detect an ISA Server computer that they should use automatically, or you can manually specify an ISA Server computer.
  5. To use a script for automatic configuration, select Use automatic configuration script, and specify the name of the script.

Note

Enable automatic discovery to allow Web Proxy clients to find the ISA Server computer to which they should connect by querying Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS).Internet Explorer locates a DHCP Option 252 entry that points to the location of the Wpad.dat script file, or a Windows Internet Name Service (WINS) or DNS entry that points to the server hosting the Web Proxy Automatic Discovery (WPAD) script. This file provides specific information for the client to use in accessing Web content, such as the location of the ISA Server computer that the client should use for Web requests. After the location is known, Web Proxy clients make a call to https://wpad:port/wpad.dat, where port is the port listening on the ISA Server computer for Web requests. Note that the clients must be able to resolve the ISA Server computer specified in the WPAD entry. For DNS entries, ISA Server must listen for automatic discovery requests on port 80. DHCP can listen on any port. By default, ISA Server listens on port 8080.

To configure the Internal network to listen for Web Proxy client requests

  1. In ISA Server Management, click the Networks node.
  2. In the details pane, click the Networks tab, and select Internal.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Web Proxy tab, ensure that Enable Web Proxy clients is selected.

To configure authentication on the Internal network

  1. In ISA Server Management, click the Networks node.
  2. In the details pane, click the Networks tab, and select Internal.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Web Proxy tab, click Authentication.
  5. To allow requests only from Web Proxy users with validated credentials, select Require all users to authenticate. This blocks anonymous requests.
  6. Select the type of authentication that should be used in the Method list.

Note

The following authentication methods are available for authentication of Web Proxy requests: Basic, Digest, Integrated, Secure Sockets Layer (SSL) client certificates, and Remote Authentication Dial-In User Service (RADIUS). Note that although ISA Server technically supports client certificate authentication for Web Proxy client requests, this is not supported by the browser for requests to an Internet Web server. Client certificates are supported for Web Proxy clients authenticating against an upstream ISA Server computer. For more information, see the Microsoft Knowledge Base article 838126: "You cannot perform certificate-based Web proxy authentication in ISA Server 2004."

To configure caching

  1. In ISA Server Management, expand the Configuration node, and then click Cache.
  2. In the details pane, click the Cache Drives tab, and select the drive you want to use for caching.
  3. On the Tasks tab, click Define Cache Drives (enable caching).
  4. In Maximum cache size (MB), type the amount of space on the selected drive to allocate for caching.

Note

aching is enabled only when the size of at least one cache drive is greater than zero. The maximum size for a single cache file is 64 gigabytes (GB). If you require a larger cache, split it into multiple files over different drives.

To configure cache rules

  1. In ISA Server Management, expand the Configuration node, and then click Cache.

  2. In the details pane, click the Cache Rules tab.

  3. On the Tasks tab, click Create a Cache Rule.

  4. On the Welcome page of the New Cache Rule Wizard, specify a descriptive name for the rule. Then click Next.

  5. On the Cache Rule Destination page, select the network to which the rule applies. Click Add, expand Networks, and then click Internal. Click Add, and then click Close. Then click Next.

  6. On the Content Retrieval page, specify how content should be retrieved from the cache, and then click Next:

    1. To specify that an object should be retrieved from the cache if it is valid, or otherwise route the request to the Internet Web server or upstream proxy server, click Only if a valid version of the object exists in the cache. If no valid version exists, route the request to the server.

    2. To specify that an object should be retrieved from the cache if it is available (regardless of whether it is valid), or otherwise route the request to the Internet Web server or upstream proxy server, click If any version of the object exists in the cache. If none exists, route the request to the server.

    3. To specify that an object should be retrieved from the cache if it is available (regardless or whether it is valid), or otherwise the request should be dropped, click If any version of the object exists in the cache. If none exists, drop the request (never route the request to the server).

      Note

      A cache object is considered valid if its Time to Live (TTL) value has not expired. For HTTP objects, expiration is based on the TTL defined in the response header and TTL boundaries defined in the cache rule.

  7. On the Cache Content page, specify how objects retrieved are stored in the cache, and then click Next:

    • To never cache Web objects, click Never, no content will ever be cached.
    • To cache objects if the Web server supplying the object indicates that it should be cached, click If source and request headers indicate to cache.
    • To cache all content even if it is not marked as cacheable (including content retrieved using a query that returned content that is accessible by using a URL with a question mark in it), click Dynamic content.
    • To cache content with 302 and 307 response codes, click Content for offline browsing (302, 307 responses).
    • To cache content that may require authentication for access, click Content requiring user authentication for retrieval.
  8. On the Cache Advanced Configuration page, to specify a size limit for cached objects, click Do not cache objects larger than, and then specify a maximum size. To specify that SSL objects should be cached, click Cache SSL responses. Then click Next.

    Note

    Caching SSL requests is only functional for Web-published content because Web Proxy client requests for SSL content is tunneled between the client and upstream server and thus not available to ISA Server for caching.

  9. On the HTTP Caching page, consider the following options, and then click Next:

    • To specify that HTTP objects should be cached, click Enable HTTP caching.
    • To specify how long HTTP objects should remain in the cache as a percentage of content age, specify a value in Set TTL of objects (% of the content age).

    Note

    The TTL of an HTTP object in the cache is set to a percentage of the age of the content (the amount of time that has passed since an object was created or modified). The higher percentage you specify, the less frequently the object is refreshed in the cache.

    • To specify how long HTTP objects should remain in the cache as a time value, type the minimum and maximum times in No less than and No more than.
    • To apply TTL settings to objects, even if the object source header specifies an expiration time, click Also apply these TTL boundaries to sources that specify expiration.
  10. On the FTP Caching page, click Enable FTP caching to specify that downloaded FTP objects should be cached. In Time-To-Live for FTP objects, specify how long FTP objects should remain in the cache before they expire. Then click Next.

  11. Check rule settings, and then click Finish to complete the wizard.

  12. Click Apply to save the settings.

To configure access rules

  1. In ISA Server Management, right-click the Firewall Policy node, point to New, and then click Access Rule.

  2. In the Welcome page of the New Access Rule Wizard, type a descriptive name for the rule. Then click Next.

  3. On the Rule Action page, click Allow. Then click Next.

  4. On the Protocols page, select Selected protocols, and then click Add. Click to expand Web, and then select the protocols you want to allow Web Proxy clients to access. These include HTTP, and possibly HTTPS and FTP. Select each protocol, and then click Add. After you have selected the required protocols, click Close. Then click Next.

  5. On the Access Rule Sources page, click Add. Expand Networks. Click Internal, and then click Add. Click Local Host, and then click Add. Click Close. Then click Next.

    Note

    You can also create and use address range sets to further limit the clients that can use ISA Server as a Web proxy.

  6. On the Access Rule Destinations page, click Add. Expand Networks. Click Internal, and then click Add. Click Close. Then click Next.

  7. On the User Sets page, select how users authenticate with the rule, and then click Next:

    • To allow anonymous Web Proxy access, select All Users.
    • To force authentication for Web Proxy requests, click Add. In the Add Users dialog box, click All Authenticated Users. Click Close. In the User Sets page, select All Users, and then click Remove.

    Note

    If a rule that matches the Web Proxy request requires authentication, client credentials will be requested and validated. If you specify that the rule applies to All Authenticated Users, any users failing authentication will be denied by the rule (even an allow rule). You can create a new user set that consists of Windows users and groups, RADIUS, or SecurID users. If you select RADIUS or SecurID, you can choose All Users in Namespace, or Specified User Name. If you specify All Users in Namespace, RADIUS or SecurID will allow any user that can be authenticated using Basic authentication (users not prompted for credentials).

  8. On the Finish page of the wizard, check settings, and then click Finish to complete the wizard.

  9. Click Apply to save settings.

Web Publishing and Outlook Web Access Publishing

You can deploy ISA Server on a single network adapter computer in reverse proxy mode, enabling you to publish Web servers, and publish Exchange servers for Outlook Web Access connections. You can publish servers over HTTP or over HTTPS for a secure SSL connection. You can authenticate incoming requests, and chain requests to upstream proxies.

When you publish Outlook Web Access on a single network adapter computer, the following Outlook Web Access features are available:

  • Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
  • Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
  • Forms-based authentication
  • HTTP and HTTPS

For example, publishing a Web server or Outlook Web Access over an SSL connection on a single network adapter computer consists of the following configuration process:

  • Specify public DNS entry. The edge device protecting your organization from the Internet must be configured to forward requests for published servers, or Outlook Web Access requests, to the correct IP address on the ISA Server computer. For example, if an Internet user accesses Outlook Web Access at https://mail.fabrikam.com/exchange, there must be a public DNS entry for mail.fabrikam.com, and that entry must resolve to the external interface of the edge device that is configured to forward Outlook Web Access requests to ISA Server.

  • Configure edge device to forward packets. The edge device should be configured to forward relevant requests to the ISA Server computer.

  • Configure ISA Server network template. Ensure that ISA Server is installed and configured with the Single Network Adapter template.

  • Request a server certificate on the Web server or Outlook Web Access server. For secure publishing, an HTTPS-to-HTTPS bridging configuration is recommended. This configuration provides an SSL connection from the client to the ISA Server computer, and from the ISA Server computer to the published Web server. Generally, you use a commercial certificate for SSL external publishing. You create a certificate request from a commercial certification authority (CA) (such as Verisign or Thawte) using the IIS Web Server Certificate Wizard. Because IIS is not typically installed on ISA Server, you request the certificate from the published Web server. Currently, there is no way to request a server certificate from ISA Server 2004 directly to the CA.

  • Export the server certificate. After obtaining the certificate on the Web server, export it to a file, together with the private key.

  • Import the server certificate. Import the certificate from the exported file to the computer’s Personal certificate store.

    Note

    There are a number of best practice guidelines that should be followed when requesting and configuring certificates. For more information, see Troubleshooting SSL Certificates in ISA Server 2004 Publishing on the Microsoft TechNet Web site.
    For detailed procedures for obtaining server certificates, see Digital Certificates for ISA Server 2004 on the .

  • Enable SSL on the published Web server. In a secure published scenario, configure IIS on the published server to support SSL-encrypted Basic authentication.

  • Create a listener. In ISA Server Management, create a secure Web listener on the Internal network, to listen for requests for the published server.

    Note

    For security purposes, consider using forms-based authentication, and limiting attachment access from public computers. You should configure these properties after creating the listener using the New Web Listener Wizard. In ISA Server 2004 Standard Edition, forms-based authentication could not be used with any other authentication method. In ISA Server 2004 Standard Edition Service Pack 1, and ISA Server 2004 Enterprise Edition, you can configure forms-based authentication together with RADIUS.

  • Create a secure publishing rule. For Web publishing, create a rule using the Web Publishing Rule Wizard. For publishing Outlook Web Access, create a rule using the Mail Server Publishing Wizard. Note that you can also publish Outlook Mobile Access, RPC over HTTP, and Exchange ActiveSync using this wizard. To publish servers securely, use an HTTPS-to-HTTPS bridging configuration. In this scenario, users connect to ISA Server using SSL. ISA Server terminates the SSL connection at the ISA Server computer and inspects traffic. Packets are then forwarded to the published Web server over a new HTTPS connection.

    Note

    For step-by-step instructions on publishing Web servers, see Publishing Web Servers using ISA Server 2004 at the Microsoft TechNet Web site. and Publishing Web Servers Using ISA Server 2004 Enterprise Edition at the Microsoft TechNet Web site.
    For step-by-step instructions on publishing Outlook Web Access, see Outlook Web Access Server Publishing in ISA Server 2004 at the , and Outlook Web Access Server Publishing in ISA Server 2004 Enterprise Edition at the .

Unsupported Scenarios

When you install ISA Server on a computer with a single network adapter, the following ISA Server features and scenarios are not supported:

  • Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer itself.
  • Application layer inspection. Application level filtering is not functional, except for the Web Proxy filter (for HTTP, HTTPS, and FTP over HTTP).
  • Server publishing. Server publishing is not supported. There is no separation of Internal and External networks, so ISA Server cannot provide the network address translation (NAT) functionality required in a server publishing scenario.
  • Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. This service is not available in a single network adapter environment.
  • SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. Because the Firewall service is not available in a single network adapter configuration, such requests are not supported.
  • Virtual private networking. Site-to-site virtual private networks (VPNs) and remote access VPNs are not supported in a single network adapter scenario.

Note

You cannot configure a network adapter to use two IP addresses, or a second network adapter that is disabled, as a way to use multi-network features on a computer with a single network adapter.

Common Issues

This section describes the following common issues and solutions:

  • How can I get other services or applications to coexist with ISA Server in single network adapter mode,for example, a single network adapter server with a DNS server?
    Server publishing is not supported in single network adapter mode. However, regardless of what network template is applied, the Firewall service and application filters run in the context of the ISA Server computer itself (the Local Host network). Therefore, you can allow non-Web traffic to the ISA Server computer itself by creating access rules between the Local Host network and the Internal network, to allow internal users to reach applications and services running on the ISA Server computer.
  • Can I publish my Web site over an SSL connection with a single network adapter?
    Yes, but you must bridge the connection. If you select SSL tunneling when configuring the Web publishing rule, this in effect uses server publishing to publish the Web server, and this configuration does not work in a single network adapter scenario.
  • Can I publish multiple Web sites with a single IP address in a single network adapter scenario?
    Yes. You can use Web publishing rules to publish multiple Web sites using a single IP address. With application layer inspection, ISA Server examines the host header of an incoming request, and decides how to forward the request to a Web server based on the header information. ISA Server can listen for requests for multiple Web sites on a single IP address, and forward them as follows:
    • Publish multiple sites on the same IP address and port using a host header. IIS uses the host name passed in the HTTP header to determine which site is requested. For more information, see the Microsoft Knowledge Base article838252: "How to configure Web publishing rules to host multiple Web sites with host headers in ISA Server."
    • Publish multiple sites on different ports, and redirect requests to the same IP address, but to different ports.
      For secure SSL publishing, only one server certificate can be bound to a Web listener. If you have a single IP address, you can only publish a single SSL Web site. The only exception is if you are using certificates with wildcard characters. For more information, see Publishing Multiple Web sites using a Wildcard Certificate in ISA Server 2004 at the Microsoft TechNet Web site.
  • I want to deploy an array of single network adapter ISA Server computers to provide proxy to the Internet for internal users. How do I use Network Load Balancing (NLB) in such a scenario?
    • If you are running ISA Server on a computer that does not have Microsoft Windows Server 2003 with Service Pack 1 installed, you must install a second network adapter to be used for intra-array communication. NLB must be configured on an adapter with a static IP address. Ensure that you choose the IP address for the intra-array adapter from the intra-array network, and not the Internal network.
    • If you are running ISA Server on a computer that has Windows Server 2003 Service Pack 1 installed, you do not need a second adapter for intra-array communication.
  • Can I publish on an alternative port in a single network adapter scenario?
    • HTTP and HTTPS requests can be redirected to the published Web server over HTTP, HTTPS, or FTP over HTTP. You can select that requests be directed to the standard port (80 for HTTP, 443 for HTTPS, 21 for FTP), or that an alternate port should be used.
    • Creating a publishing rule using a port that is not standard on ISA Server or the Exchange server is not supported when publishing Outlook Web Access.
  • Does ISA Server support FTP uploading in a single network adapter scenario?
    In a single network adapter scenario, FTP requests are handled by the Web Proxy filter. The Web Proxy filter supports FTP download only.
  • Can I use a RADIUS server to authenticate Web traffic in a single network adapter scenario?
  • Yes. RADIUS authentication can be used to authenticate Web traffic with the following process:
    • Configure ISA Server as a RADIUS client in Internet Authentication Service (IAS), and specify a shared secret.
    • In ISA Server Management, configure RADIUS settings to point to the IAS server, and specify the same shared secret you configured in IAS.
    • Enable system policy to allow communication between ISA Server and the IAS server.
    • Configure RADIUS authentication to be used for Web Proxy requests on the Web Proxy listener of the network from which client requests will arrive.
    • Create an access rule to allow authenticated RADIUS users. Create a RADIUS user set to use in this rule. On the rule, you can choose to allow access to all users that the IAS server can authenticate, or to a specific RADIUS user. For more flexibility, you can configure the IAS remote access policy to take care of client authentication. To do this, set the dial-up properties of all user accounts to Control access through Remote Access Policy, and then add a condition on the remote access policy to allow access to these users. Note that forward Web proxy with RADIUS only supports unencrypted (PAP) authentication.
  • Some Web sites are not appearing properly. What could be wrong?
    ISA Server in a single network adapter environment only supports Web (HTTP, HTTPS, and FTP) protocols. If the Web site requires another protocol such as non-HTTP streaming media, or applications, content may not display as required. You will need to add another network adapter and use the Firewall client for Internet access to the specific site.
  • In a single network adapter environment, what MSN messenger features are available?
    Text messaging is available, because the instant messaging server generally mediates the communication between two clients, which avoids any NAT issues that may arise with an external client. For other features, you need a dual homed ISA Server computer with Firewall clients.
  • In a single network adapter scenario, clients behind the ISA Server computer are unable to log on to an FTP server with credentials that are not anonymous. Why?
    When Folder View for FTP sites is enabled in Internet Explorer, the Internet Explorer client bypasses the Web proxy and instead tries to establish a Winsock connection to the FTP server, like a typical FTP client application. In a single network adapter scenario, this type of request cannot be handled as a proxy or with NAT, and fails. To ensure that Internet Explorer sends FTP requests as HTTP requests, do the following:
    • In the Tools menu of Internet Explorer, click Internet Options.
    • On the Advanced tab, clear Enable folder view for FTP sites.
    • Connect using this syntax: ftp://<domain\username>:<password>@<TargetSiteURL>
    • Note that this does not enable FTP upload, which is not supported for Web Proxy clients. For this functionality, the client computer must be configured as a SecureNAT client or Firewall client, in addition to a Web Proxy client. This will require more than one network adapter.
  • How do I reconfigure a single network adapter configuration with multiple adapters?
    Add another physical adapter to the computer, and apply a multiple network adapter network template in ISA Server Management (all templates other than the Single Network Adapter template).
  • Can I deploy Outlook Web Access and Outlook Mobile Access using forms-based authentication together with another authentication scheme on the same Web listener?
    Such a configuration is not supported in a single network adapter or multiple network adapter configuration. Forms-based authentication can be enabled as the only authentication method, or together with RADIUS authentication (for ISA Server 2004 Standard Edition Service Pack 1, and ISA Server 2004 Enterprise Edition). If you need to authenticate users on ISA Server, you need two separate Web listeners, and separate Web publishing rules.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page at the Microsoft Windows Server System Web site ().

Also, refer to the following Knowledge Base (KB) articles and Microsoft TechNet Web articles: