ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

Microsoft Internet Security and Acceleration (ISA) Server supports three types of clients:

  • Firewall clients are client computers that have the Firewall Client software installed and enabled.

  • Secure network address translation (SecureNAT) clients are client computers that do not have the Firewall Client installed.

  • Web Proxy clients are any client Web application configured to use ISA Server.

For more information, see "Firewall clients,"" SecureNAT clients," and "Web Proxy clients" later in this document.

The table below compares the ISA Server clients.


SecureNAT client

Firewall client

Web Proxy client

Installation required

Some network configuration changes may be required


No, Web browser configuration required

Operating system support

Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP)

Only Windows platforms

All platforms, but by way of Web application

Protocol support

Application filters for multiple connection protocols required

All Winsock applications

Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher

User-level authentication

Some network configuration changes required



Server applications

No configuration or installation required

Configuration file required

Not applicable

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, all Web requests (HTTP, FTP, HTTPS, and Gopher) are sent directly to the Web Proxy service. All other requests are handled first by the Firewall service.

On This Page

ISA Server Clients and the Domain Name System
SecureNAT Clients
Web Proxy Clients

ISA Server Clients and the Domain Name System

Domain Name System (DNS) name resolution is a primary consideration when choosing which ISA clients to utilize on the internal network. The following table outlines how DNS name resolution is performed by each ISA client.

ISA Server Client

Name Resolution Method

SecureNAT client

Dependent on the environment. Need to provide client with internal DNS server or configure ISA Server to pass DNS queries directly from the client to an external DNS server.

Web Proxy client

ISA Server Web Proxy service can provide simple DNS functionality. This is based on the DNS configuration on the ISA Server itself.

Firewall client

ISA Server Firewall service can provide simple DNS functionality. This is based on the DNS configuration on the ISA Server itself.

Firewall Clients

A Firewall client is a computer with Firewall Client software installed and enabled. The Firewall client runs Winsock applications that use the Firewall service of ISA Server. When a Firewall client uses a Winsock application to request an object from a computer, the client checks its copy of the local address table (LAT) to verify if the specified computer is in the LAT. If the computer is not in the LAT, the request is sent to the ISA Server Firewall service. The Firewall service handles the request, forwarding it to the appropriate destination, as permitted. The Firewall Client software can send Windows user information, which is required for authentication purposes, to the ISA Server computer.

ISA Server installs the following components on the client computer during client setup:

  • Mspclnt.ini, a shared client configuration file and the local domain table

  • Msplat.txt, a shared client local address table

  • The Firewall Client application

You can change the default settings for all of these components after installation. The new configuration settings take effect only when the client configuration is refreshed.

For more information, see "Firewall client components" in the ISA Server documentation.

Setting up a Firewall client does not configure individual Winsock applications. Instead, it uses the same Winsock dynamic link library (.dll) that the other applications use. The Firewall client then intercepts the application calls and determines whether to route the request to the ISA Server computer. For more information, see "Install Firewall Client software" in the ISA Server documentation.

You can install Firewall Client software on client computers that run Windows ME, Windows 95, Windows 98, Windows NT 4.0, or Windows 2000. Also, 16-bit Winsock applications are supported, but only on Windows 2000 and Windows NT 4.0.

Firewall clients are supported in Firewall or Integrated mode, not in cache mode. For more information about modes, see ISA Server modes in the ISA Server documentation.

SecureNAT Clients

Client computers that do not have Firewall Client software are secure network address translation (SecureNAT) clients. SecureNAT clients can benefit from many of the features of ISA Server. This includes most access control features, with the exception of high-level protocol support and user-level authentication.

Although SecureNAT clients do not require special software, it is recommended that you configure the default gateway so that all traffic destined to the Internet is sent by way of ISA Server, either directly or indirectly, through a router. You can configure clients either by using the DHCP service or manually.

Because requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security features:

  • Application filters can modify the protocol stream to enable handling of complex protocols. In Windows 2000 NAT, this mechanism is accomplished through the use of NAT editors that are written as kernel-mode NAT editor drivers in Windows 2000.

  • The Firewall service can pass all Hypertext Transfer Protocol (HTTP) requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

SecureNAT and Windows 2000 NAT

ISA Server extends the Windows 2000 network address translation (NAT) functionality by enforcing ISA Server policy for SecureNAT clients. In other words, all ISA Server rules can be applied to SecureNAT clients, despite the fact that Windows 2000 NAT does not have an inherent authentication mechanism. (Policies regarding protocol usage, destination, and content type are also applied to SecureNAT clients.)

SecureNAT clients and server publishing

As with Firewall clients, SecureNAT clients can also actually be servers, such as mail servers, which publish information to the Internet. You configure server publishing rules to publish servers as SecureNAT clients. Further, if you are using server publishing rules to publish a server, it is recommended that the server be a SecureNAT client, because the Firewall Client software can interfere with the publishing. Because the published server is a SecureNAT client, no special configuration of the published server is required after you create the server publishing rule on the ISA Server computer. Note that ISA Server must be configured as the default gateway on the published server. For more information, see "Configuring SecureNAT clients" in the ISA Server documentation.

SecureNAT clients are supported in Firewall or Integrated mode, not in cache mode. For more information about modes, see "ISA Server modes" in the ISA Server documentation.

Web Proxy Clients

A Web Proxy client is a client computer that has a Web browser application that complies with Hypertext Transfer Protocol (HTTP) 1.1 and that is configured to use the Web Proxy service of ISA Server. Each Web browser is configured through its own user interface.

When you install Firewall Client software, the Web browser settings on the Firewall Client desktop can be configured automatically. Subsequently, you can reconfigure the Web browser clients. You can use ISA Management to configure the following Web browser properties:

  • The ISA Server and port to which the client will connect

  • Automatic discovery settings

  • The computers that the Firewall client's Web browser will access directly

  • Backup route, if the ISA Server is unavailable

When the Firewall Client software is installed, the Web browser on the client computer is configured with those settings.

If the Firewall Client software is not installed, then the Web browser can be configured manually.

For more information, see the following topics in the ISA Server documentation:

  • Enable Web browser configuration during client setup

  • Automatic discovery

  • Configure a server for direct access

  • Configure a backup route for Web requests

  • Configure Microsoft Internet Explorer 5 to use the Web Proxy service