Using the HTTP Filter to Help Secure HTTP Access

Microsoft® Internet Security and Acceleration (ISA) Server 2006 provides granular control over Hypertext Transfer Protocol (HTTP) communication. This control is provided in the form of an HTTP filter, an application-layer filter that examines HTTP commands and data, through which you set HTTP policy. The HTTP filter screens all HTTP traffic that passes through the ISA Server computer, and only allows compliant requests to pass through. This significantly improves the security of your Web servers, by helping ensure that they only respond to valid requests. It also enables you to control the specifics of ISA Server client Internet access.

HTTP filtering can be applied in two general scenarios:

  • Clients on a source network accessing HTTP objects (HTML pages and graphics, or other data that can be transferred using the HTTP protocol) on another network through the ISA Server computer. This access is controlled by ISA Server access rules, to which an HTTP policy can be applied using the HTTP filter.
  • Clients on the Internet accessing HTTP objects on a Web server that is published through the ISA Server computer. This access is controlled by ISA Server Web publishing rules, to which an HTTP policy can be applied using the HTTP filter.

HTTP filtering in ISA Server is rule specific, so that you can apply different levels and types of filtering depending on the specific requirements of your firewall policy. For example, you can use HTTP filtering to block the use of a particular peer-to-peer file sharing service for one set of users, but allow it for another set.

This document describes HTTP filtering in general terms, and how to configure the HTTP filter. It provides examples of HTTP policies for Web publishing and Exchange® Web Client Access publishing. It also describes how to use the HttpFilterConfig.vbs script to import the example policies.

Comparing the HTTP filter and URLScan

ISA Server 2000 Feature Pack 1 included the URLScan tool, which provided functionality similar to that of the HTTP filter. The main difference between URLScan and the HTTP filter is that URLScan applied to all HTTP traffic, whereas the HTTP filter can be configured on a per-rule basis. This gives you greater control over your HTTP policy.

Another difference is that the HTTP filter does not include the following URLScan options:

  • EnableLogging
  • PerProcessLogging
  • AllowLateScanning
  • PerDayLogging
  • RejectResponseUrl
  • UseFastPathReject
  • DenyUrlSequences

Logging is handled instead by a separate field (FilterAction) in the ISA Server log.

RejectResponseURL is a mechanism used by URLScan to redirect the requesting client to a different page. ISA Server includes error response pages.

UseFastPathReject was an option to drop the request outright, rather than redirecting the client to the RejectResponseURL.

DenyUrlSequences is replaced by the Signatures tab of the HTTP filter properties.
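The two points above, rule-specific HTTP policy and signatures taking the place of a single global deny list, can be illustrated with a small model. This is an added example, not ISA Server's own code or object model: the rule names, policy fields, signature locations and the sample P2P User-Agent string are constructed for illustration, and the returned string only imitates the spirit of the FilterAction log field.

```python
from dataclasses import dataclass, field

# Hypothetical model (not ISA Server's implementation): every firewall
# rule carries its own HTTP policy, so the same request can be allowed
# by one rule and blocked by another. The "signatures" list plays the
# role of the Signatures tab, which replaces URLScan's global
# DenyUrlSequences setting.
@dataclass
class HttpPolicy:
    allowed_methods: set
    max_url_length: int
    signatures: list = field(default_factory=list)  # (location, pattern)

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)

def filter_action(policy: HttpPolicy, req: Request) -> str:
    """Return 'Allowed' or a 'Blocked (...)' reason, in the spirit of the
    FilterAction field that ISA Server writes to its log."""
    if req.method not in policy.allowed_methods:
        return f"Blocked (method {req.method} not allowed)"
    if len(req.url) > policy.max_url_length:
        return "Blocked (URL too long)"
    for location, pattern in policy.signatures:
        if location == "url" and pattern.lower() in req.url.lower():
            return f"Blocked (signature {pattern!r} in URL)"
        if location.startswith("header:"):
            name = location.split(":", 1)[1]
            if pattern.lower() in req.headers.get(name, "").lower():
                return f"Blocked (signature {pattern!r} in header {name})"
    return "Allowed"

# Constructed sample rules: a strict Web publishing rule for a
# published server, and a looser outbound access rule that still
# blocks a (made-up) peer-to-peer client by its User-Agent header.
RULES = {
    "Publish Intranet Site": HttpPolicy(
        allowed_methods={"GET", "HEAD"}, max_url_length=260,
        signatures=[("url", ".."), ("header:User-Agent", "ExampleP2P/")]),
    "Internal Web Access": HttpPolicy(
        allowed_methods={"GET", "HEAD", "POST"}, max_url_length=2048,
        signatures=[("header:User-Agent", "ExampleP2P/")]),
}

def screen(rule_name: str, req: Request) -> str:
    """Apply the HTTP policy of the rule that matched the request."""
    return filter_action(RULES[rule_name], req)
```

Running `screen("Internal Web Access", Request("POST", "/form"))` allows the request, while the same POST under "Publish Intranet Site" is blocked, which is exactly the per-rule behaviour URLScan could not express.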