Controlling Traffic Between Internal Networks

ISA Server 2004 uses access rules and publishing rules to define how traffic is allowed to flow between your organization’s internal networks, and between internal and external networks. When creating access rules, you use ISA Server network objects to specify a source and destination in the rule. Network objects can be:

  • Networks that typically correspond to your physical network infrastructure.
  • Network sets that group networks together.
  • A single computer.
  • A computer set.
  • A subnet.
  • An address range of contiguous IP addresses.
  • A URL set.
  • A domain name set.

You define network rules to specify whether network objects can communicate, and whether a network address translation (NAT) or route relationship should be applied to traffic flowing between the network objects. To learn more about configuring network objects and network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the Microsoft TechNet Web site.

When creating access rules to control traffic flowing between your internal networks protected by ISA Server, use the following guidelines:

  • ISA Server is designed so that communication between different networks traverses ISA Server. It is not intended that clients on a given network go through ISA Server to reach resources on that same network. Such a configuration is known as looping back through the ISA Server computer. Using ISA Server in this way may reduce the performance of the ISA Server computer, and may cause Domain Name System (DNS) configuration issues when internal clients resolve an internal resource to the address of an external interface and then try to reach it through that interface.
  • Because ISA Server is not designed to link traffic between resources on the same network, you cannot use a network object to specify the source or destination in an access rule that controls communication between two hosts in the same network. In such a scenario, there are several alternatives:
      • Use network objects such as computers, subnets, and address ranges to control traffic between such hosts. For example, if your Internal network definition consists of 172.16.10.0/24 and also includes a routed subnet with the address range 192.168.3.0/24, you can create two subnet or address range objects, one for each of these subsets of the Internal network Internet Protocol (IP) address ranges, and use them as the source and destination in an access rule.
      • Where appropriate, use direct access for such host-to-host communications, so that requests between internal clients are not looped back through the ISA Server computer.
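The following Python model is an added illustration of the guidelines above; it is not code from the original page and does not use the ISA Server COM administration API. The class and function names (Network, Subnet, AddressRange, AccessRule, validate_rule, loops_back) are this example's own. It encodes the two points practitioners trip over: a Network object cannot express traffic between two hosts that both belong to that network (validate_rule rejects such a rule), and two Subnet or Address Range objects carved out of the Internal network's ranges can (GOOD_RULE, built from the 172.16.10.0/24 and 192.168.3.0/24 ranges used in the text).

```python
"""Model of ISA Server 2004 network objects as access-rule source/destination.

Constructed illustration, not ISA Server code or its COM API: it shows why a
Network object cannot describe traffic between two hosts that both belong to
that network, and how Subnet / Address Range objects do the job instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


class NetworkObject:
    """Base class: anything reducible to inclusive (first, last) address pairs."""
    name: str

    def bounds(self) -> list[tuple[IPv4Address, IPv4Address]]:
        raise NotImplementedError

    def contains(self, ip: IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.bounds())


@dataclass(frozen=True)
class Network(NetworkObject):
    """An ISA 'Network': one or more ranges, usually matching the physical
    infrastructure (the Internal network may span several routed subnets)."""
    name: str
    ranges: tuple[tuple[str, str], ...]

    def bounds(self):
        return [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in self.ranges]


@dataclass(frozen=True)
class Subnet(NetworkObject):
    """An ISA 'Subnet' object, given in CIDR notation."""
    name: str
    cidr: str

    def bounds(self):
        net = ip_network(self.cidr)
        return [(net.network_address, net.broadcast_address)]


@dataclass(frozen=True)
class AddressRange(NetworkObject):
    """An ISA 'Address Range' object: one contiguous, inclusive range."""
    name: str
    first: str
    last: str

    def bounds(self):
        return [(IPv4Address(self.first), IPv4Address(self.last))]


@dataclass(frozen=True)
class AccessRule:
    name: str
    source: NetworkObject
    destination: NetworkObject
    action: str = "allow"


def within(obj: NetworkObject, net: Network) -> bool:
    """True when every address of obj lies inside one of net's ranges."""
    return all(any(nlo <= lo and hi <= nhi for nlo, nhi in net.bounds())
               for lo, hi in obj.bounds())


def network_of(ip: str, networks: list[Network]) -> str | None:
    """Name of the ISA network an address belongs to, or None if none matches."""
    addr = ip_address(ip)
    return next((net.name for net in networks if net.contains(addr)), None)


def loops_back(src: str, dst: str, networks: list[Network]) -> bool:
    """True when source and destination sit in the same ISA network, so the
    traffic would be looped back through ISA Server instead of crossing it."""
    src_net = network_of(src, networks)
    return src_net is not None and src_net == network_of(dst, networks)


def validate_rule(rule: AccessRule, networks: list[Network]) -> list[str]:
    """Flag a rule that uses a Network object on either side while both sides
    lie inside that same network: ISA does not link traffic within a network."""
    uses_network = isinstance(rule.source, Network) or isinstance(rule.destination, Network)
    return [f"{rule.name}: source and destination both lie in the {net.name!r} network; "
            "use Subnet, Computer or Address Range objects for intra-network traffic"
            for net in networks
            if uses_network and within(rule.source, net) and within(rule.destination, net)]


def rule_matches(rule: AccessRule, src: str, dst: str) -> bool:
    """Does the rule's source/destination pair cover this src -> dst flow?"""
    return rule.source.contains(ip_address(src)) and rule.destination.contains(ip_address(dst))


# Constructed sample data, using the ranges quoted in the text above.
INTERNAL = Network("Internal", (("172.16.10.0", "172.16.10.255"),
                                ("192.168.3.0", "192.168.3.255")))
# Rejected: a Network object on both sides cannot describe traffic within Internal.
BAD_RULE = AccessRule("Allow Internal to Internal", INTERNAL, INTERNAL)
# Accepted: two subsets of the Internal ranges as Subnet / Address Range objects.
GOOD_RULE = AccessRule("Allow office LAN to routed subnet",
                       Subnet("Office LAN", "172.16.10.0/24"),
                       AddressRange("Routed subnet", "192.168.3.0", "192.168.3.255"))

if __name__ == "__main__":
    print(validate_rule(BAD_RULE, [INTERNAL]))
    print(validate_rule(GOOD_RULE, [INTERNAL]))
    print(loops_back("172.16.10.5", "192.168.3.20", [INTERNAL]))
    print(rule_matches(GOOD_RULE, "172.16.10.5", "192.168.3.20"))
```

Note that rule_matches(BAD_RULE, ...) would happily report a match for an intra-Internal flow; that is exactly why the check belongs in validate_rule at rule-creation time rather than in the matching path. loops_back is the same test a client-side reviewer would apply before deciding whether direct access, rather than a rule through ISA Server, is the right answer for a given host pair.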