ISA Server 2000 Feature Pack 1

Microsoft ISA Server 2000 Feature Pack 1, Version 1

With the packet filtering feature of Microsoft Internet Security and Acceleration (ISA) Server, you can control the flow of Internet Protocol (IP) packets to and from ISA Server. When you enable packet filtering, all packets on the external interface are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically by access policy or publishing rules.

Even if you do not enable packet filtering, communication between your local network and the Internet is enabled only when you explicitly configure rules that permit access.

When to Use Packet Filtering

In most cases, it is preferable to open ports dynamically. Therefore, it is recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, whereas access policy and publishing rules open the ports dynamically, as a request arrives. For example, if you want to grant all internal users access to Hypertext Transfer Protocol (HTTP) sites, you do not create an IP packet filter that opens port 80. Rather, you create the necessary site and content rule and protocol rule for this access.

Another advantage of publishing rules is that application filters can be used to further process requests destined for the server. Application filters are registered with the Firewall service and work with some or all application-level protocol streams or datagrams. An application filter can perform protocol-specific or system-specific tasks, such as authentication and virus checking.

There are client access scenarios and publishing scenarios in which packet filtering must be used, rather than access policy rules or publishing rules.

Client Access Scenarios that Require Packet Filtering

These are the scenarios in which packet filters must be used to allow client access to the Internet:

• When the client is located on the ISA Server computer

• When the client is located in a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet)

• When a client in the internal network requires access using protocols other than TCP and UDP

Client on the ISA Server computer

A client application on the ISA Server computer may require access to the Internet. Access policy rules will not apply to the client, so packet filters must be used. An example of this is if you want to run Outlook Express on the ISA Server computer to access Simple Mail Transport Protocol (SMTP), Post Office Protocol (POP), and Network News Transfer Protocol (NNTP) servers on the Internet. You would create the IP packet filters that allow the POP3, SMTP, and NNTP protocols. This scenario is described in detail in the topic "Running other services on the ISA Server computer" in the ISA Server documentation.

If ISA Server is functioning as your firewall, avoid statically opening ports (by creating IP packet filters) for other services and applications on the computer.

Client in a perimeter network

If there is a client computer in a perimeter network that requires access to the Internet, you will define packet filters to allow access. This is because access policy rules cannot apply to a computer in the perimeter network. You will have to define a packet filter for each protocol for which the client requires access.

Access using protocols other than TPC and UDP

If an internal client requires access to the Internet using a protocol that is not TCP or UDP, you define a packet filter to allow that access. An example of this is the ICMP outbound packet filter that comes with ISA Server.

Publishing Scenarios that Require Packet Filtering

In some publishing scenarios, IP packet filters must be used:

• When you are publishing servers that are situated on a three-homed perimeter network (also known as a DMZ, demilitarized zone, and screened subnet), you must use IP packet filters to make the servers accessible to external clients.

• When you are publishing servers or services that are located on the ISA Server computer itself, you must use IP packet filters.

Publishing servers on a three-homed perimeter network

You configure server publishing rules to allow external clients access to servers situated on the local network. However, in a three-homed perimeter network, you must use packet filters.

In a three-homed perimeter network, the ISA Server computer has three network adapters:

• One network adapter connect's to the internal corporate network.

• One network adapter connects to the corporate network's servers, which are located in the perimeter network. The Internet Protocol (IP) addresses of the perimeter network must not be in the local address table (LAT).

• One network adapter connects to the Internet.

The figure illustrates this perimeter network scenario.

For example, if your SMTP server is located on a three-homed perimeter network rather than on the local network, use IP packet filters to open a port on the server. To publish an SMTP server located on the perimeter network, create an IP packet filter with the following configuration:

• Set Servers that use this filter to All ISA servers in the array.

• Set the filter mode to allow packet transmission.

• Set the custom filter settings as follows:

  • IP Protocol to TCP

  • Direction to Both

  • Local Port to 25

  • Remote Port to Any

• Set Local Computer to This computer and specify the IP address of the SMTP server.

• Set Remote Computer to All remote computers.

More information about three-homed perimeter networks is provided in "Three-homed perimeter network configuration" in the ISA Server documentation.

Publishing a server on the same computer as ISA Server

When a service is located on the same computer as ISA Server, you create IP packet filters to allow communication through to the specific port used by the service. You cannot use server publishing rules in this situation. For example, ISA Server includes a preconfigured IP packet filter called DNS filter that allows DNS queries on the ISA Server computer itself.

An exception to this approach is the publishing of a Web server, for which it is recommended that you use Web publishing rules rather than packet filters. This scenario is described in the document Publish_Web_on_ISA.doc.