Protocol rules

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Protocol rules determine which protocols clients can use to access the Internet. You can define protocol rules that allow or deny use of one or more protocol definitions. For more information, see Create a protocol rule.

Protocols

You can configure protocol rules to apply to all Internet protocol (IP) traffic, to a specific set of protocol definitions, or to all IP traffic except selected protocols.

If Microsoft Internet Security and Acceleration (ISA) Server is installed in cache mode, protocol rules can be applied only to Hypertext Transfer Protocol (HTTP), Secure Hypertext Transfer Protocol (HTTPS), Gopher, and File Transfer Protocol (FTP) protocols.

ISA Server includes a list of preconfigured, well-known protocol definitions, including the most widely used Internet protocols. You can also add or modify additional protocols. For more information, see Configuring protocol definitions.

When a client requests an object using a specific protocol, ISA Server checks the protocol rules. If a protocol rule specifically denies use of the protocol, the request is denied. Furthermore, the request will be processed only if a protocol rule specifically allows the client to communicate using the specific protocol, and if a site and content rule specifically allows access to the requested object. In other words, you must perform the following to allow access:

  1. Create a protocol rule, indicating which protocols can be used to access the specific destinations.

  2. Create a site and content rule, indicating clients that are allowed access to specific destination sets.

Some application filters create and install new protocol definitions. When the application filter is disabled, all its protocol definitions are also disabled. That is, traffic that uses the protocol definition is blocked. For example, if you disable the streaming media filter, then all traffic that uses the Windows Media and Real Networks protocol definitions is blocked.

Other application filters filter traffic of existing protocol definitions, either user-defined or configured by ISA Server. When these application filters are disabled, the protocol definitions that they filter are not disabled. For example, even if you disable the Simple Mail Transfer Protocol (SMTP) filter, SMTP protocol definitions might still be allowed to pass, left unfiltered.

For more information, see Using extensions.

Protocol rules for SecureNAT clients

Protocol rules apply to Firewall clients and to secure network address translation (SecureNAT) clients. If the protocol is defined by an application filter, then the protocol rule applies to both Firewall and SecureNAT clients. If the protocol rule applies to a protocol that has only a primary connection—for example, HTTP—then the rule applies to both Firewall and SecureNAT clients.

If a protocol has secondary connections, and it is not defined by an application filter, then the protocol rule applies only to the primary connection. In other words, if an application uses a protocol that has secondary connections, then this application will work only for Firewall clients.

For SecureNAT clients, if you configure a protocol rule to apply to all IP traffic, the rule will actually apply only to all defined protocols.

For more information on clients, see Firewall clients and SecureNAT clients.

Processing order

Although protocol rules are not ordered, rules that deny protocols are processed before rules that allow access. For example, if you create two rules, one rule that allows use of all protocols and one rule that denies use of the SMTP protocol, the SMTP protocol will not be allowed.

For more information on how ISA Server processes requests, see Controlling outgoing requests and Rules and authentication.

Array-level and enterprise-level protocol rules

Protocol rules can be created at both the array level and at the enterprise level. When an array policy is allowed, then its protocol rules can only further restrict enterprise-level protocol rules. In other words, the array-level protocol rules can only deny use of specific protocols. For more information on enterprise policy, see Applying enterprise policy.

Examples

Suppose you want to prohibit a group of users in your organization from using MSN Messenger during work hours. You can create a protocol rule to enforce this policy by configuring the following parameters:

  • Select the MSN Messenger protocol.

  • Select the Work Hours schedule.

  • Select Requests coming from specified users and groups.

  • Select the appropriate user group.

  • Set Action to Deny the request.
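The following is an added example, not ISA Server code or its administration API: a small Python model of the decisions this page describes, namely that a request needs both an allowing protocol rule and an allowing site and content rule, that deny rules are processed before allow rules regardless of order, that array-level rules may only further restrict enterprise policy, and the MSN Messenger scenario above. Rule names, users, destinations and the 09:00 to 17:00 weekday definition of the Work Hours schedule are constructed assumptions for the illustration.

```python
"""Simplified model of ISA Server protocol-rule evaluation as described on
this page. Added example code, not ISA Server's own implementation."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

ALL_IP = "ALL_IP"  # sentinel: the rule applies to all IP traffic

# Constructed schedules. The weekday 09:00-17:00 definition of "Work Hours"
# is an assumption made for this example.
SCHEDULES: dict[str, Callable[[datetime], bool]] = {
    "Always": lambda t: True,
    "Work Hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 17,
}


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str                       # "allow" or "deny"
    protocols: frozenset[str] | str   # protocol definitions, or ALL_IP
    except_protocols: frozenset[str] = frozenset()  # "all IP except ..."
    schedule: str = "Always"
    users: Optional[frozenset[str]] = None   # None = requests from anyone
    level: str = "array"              # "enterprise" or "array"


@dataclass(frozen=True)
class SiteContentRule:
    name: str
    action: str
    destinations: frozenset[str]      # members of a destination set
    users: Optional[frozenset[str]] = None


@dataclass(frozen=True)
class Request:
    protocol: str
    destination: str
    user: str
    time: datetime


def protocol_rule_matches(rule: ProtocolRule, req: Request) -> bool:
    """A rule matches when protocol, schedule and user condition all apply."""
    if rule.protocols == ALL_IP:
        protocol_ok = req.protocol not in rule.except_protocols
    else:
        protocol_ok = req.protocol in rule.protocols
    if not protocol_ok or not SCHEDULES[rule.schedule](req.time):
        return False
    return rule.users is None or req.user in rule.users


def validate_array_rules(array_rules: list[ProtocolRule]) -> list[str]:
    """Array-level rules may only further restrict enterprise policy, that
    is, only deny. Returns the names of array rules that violate this."""
    return [r.name for r in array_rules
            if r.level == "array" and r.action != "deny"]


def protocol_allowed(rules: list[ProtocolRule], req: Request) -> bool:
    """Deny rules are processed before allow rules, whatever the list order;
    without a matching allow rule the request is not allowed."""
    matching = [r for r in rules if protocol_rule_matches(r, req)]
    if any(r.action == "deny" for r in matching):
        return False
    return any(r.action == "allow" for r in matching)


def site_allowed(rules: list[SiteContentRule], req: Request) -> bool:
    """A site and content rule must specifically allow the destination.
    Deny-before-allow is assumed here to mirror the protocol-rule order."""
    matching = [r for r in rules if req.destination in r.destinations
                and (r.users is None or req.user in r.users)]
    if any(r.action == "deny" for r in matching):
        return False
    return any(r.action == "allow" for r in matching)


def decide(enterprise_rules, array_rules, site_rules, req: Request) -> str:
    """Both a protocol rule and a site and content rule must allow access."""
    bad = validate_array_rules(array_rules)
    if bad:
        raise ValueError(f"array-level rules may only deny: {bad}")
    if not protocol_allowed(enterprise_rules + array_rules, req):
        return "denied by protocol rules"
    if not site_allowed(site_rules, req):
        return "denied by site and content rules"
    return "allowed"


# Constructed policy: enterprise allows all IP traffic; the array adds the
# MSN Messenger deny for one user group during work hours; one site and
# content rule lets everyone reach www.example.com.
ENTERPRISE = [ProtocolRule("Allow all", "allow", ALL_IP, level="enterprise")]
ARRAY = [ProtocolRule("No Messenger at work", "deny",
                      frozenset({"MSN Messenger"}), schedule="Work Hours",
                      users=frozenset({"contractor1"}))]
SITES = [SiteContentRule("Allow example.com", "allow",
                         frozenset({"www.example.com"}))]
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)   # 8 Jan 2024 is a Monday
MONDAY_8PM = datetime(2024, 1, 8, 20, 0)

if __name__ == "__main__":
    for req in (
        Request("MSN Messenger", "www.example.com", "contractor1", MONDAY_10AM),
        Request("MSN Messenger", "www.example.com", "contractor1", MONDAY_8PM),
        Request("HTTP", "www.example.com", "contractor1", MONDAY_10AM),
        Request("HTTP", "intranet.example.net", "contractor1", MONDAY_10AM),
    ):
        print(req.protocol, req.destination, req.user, "->",
              decide(ENTERPRISE, ARRAY, SITES, req))
```

Running the script shows the Messenger request from the listed user denied during work hours but allowed in the evening, HTTP to the allowed destination passing, and HTTP to a destination no site and content rule covers being denied even though the protocol rules allow it. Swapping the order of the allow-all and deny rules does not change the outcome, which is the processing-order point made above.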

For a deployment scenario that illustrates the use of protocol rules, see Firewall scenario.