Network Concepts in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 uses a multi-networking model to protect networks against internal and external security threats. ISA Server isolates networks from each other. Only traffic you specifically allow can flow between networks. For example, the Internal corporate network is isolated from the External network (the Internet). Servers published through ISA Server to serve requests from the Internet may be isolated from the corporate network by locating them in a perimeter network.

Computers in the network infrastructure accessed by ISA Server can be grouped into different types of network objects. You typically create network objects that correspond to the physical networks in your organization. Network objects you can define include networks, network sets, computers, computer sets, address ranges, subnets, URL sets, and domain name sets. ISA Server also provides some predefined network objects that you can modify for your infrastructure.

The most widely used network object is a network. A network typically corresponds to a physical network. It has a network adapter associated with it, and represents one or more IP address ranges that can be reached from the adapter. ISA Server provides a number of predefined networks, and you can create custom networks.

Network objects are isolated from each other until you establish a relationship between them by creating a network rule. Traffic sent between network objects that do not have a network rule defined is dropped by ISA Server. Network rules can specify that traffic between network objects should be routed, or have network address translation (NAT) applied. The relationship you apply between network objects depends on the type of communication required. In some cases, you may want the more secure, less transparent communication provided by NAT. In other situations, you may want to route the traffic through ISA Server.

Network objects are used in the access rules, publishing rules, cache rules, traffic chaining rules, and Hypertext Transfer Protocol (HTTP) compression settings that make up your firewall policy. When creating access rules that control the movement of traffic from internal clients, you specify network objects as the source and destination of the rule. You then configure the rule to allow, deny, and filter traffic flowing between the network objects. In ISA Server 2006 Enterprise Edition, you can create network objects at the enterprise level or at the array level. Enterprise-level network objects can be used when you define enterprise-level access rules. Such access rules are gathered into an enterprise policy that can be applied to multiple arrays for centralized management. In addition, a network created at the enterprise level can be included in a network created at the array level. This allows array-level networks to be referenced across different arrays.

Scenarios

The ISA Server multi-networking model can be deployed in a number of topologies, and network objects, network rules, and firewall policy are defined in line with deployment requirements. ISA Server is typically deployed in the following scenarios:

  • As an edge firewall. In this scenario, Internal and External networks are defined. ISA Server is located at the edge of your network topology and is installed with two network adapters. One adapter is connected internally and the other is connected to the Internet, protecting internal resources.
  • In a 3-leg configuration. This scenario typically has an Internal network and a separate perimeter network. ISA Server is configured with three network adapters. This topology is commonly used to isolate published servers on their own network.
  • With another firewall. In this scenario, ISA Server is configured with two network adapters. It may be configured at the edge of the enterprise, with another firewall between it and the Internal corporate network, or at the edge of the Internal network, with another firewall located at the corporate edge.
  • As an Internal network segment firewall. In this scenario, ISA Server is located between two Internal networks, configured with two network adapters. It routes and filters traffic between the networks, while effectively isolating them from each other.
  • As a Web proxy or caching server. A common scenario is to install ISA Server with a single network adapter, providing Web proxy, caching, and Web publishing functionality.

You can apply the ISA Server predefined network templates to set up most of these scenarios, or alternatively you can set up networks, network rules, and access rules manually.

ISA Server Network Objects

ISA Server provides different types of network objects that you configure for use in firewall policy, as follows:

  • Networks. Networks typically correspond to a physical network. A network always has a network adapter associated with it, and represents one or more IP address ranges that can be reached from that adapter.
  • Enterprise Networks. In ISA Server 2006 Enterprise Edition, an enterprise-level network is a network defined for the enterprise, rather than for a specific array. Such a network can be used when defining enterprise-level access rules, or included in the definition of an array-level network.
  • Network Sets. A network set includes one or more networks.
  • Computers. A computer object represents a single IP address.
  • Address Ranges. An address range is a collection of contiguous IP addresses to which you want to apply rules.
  • Subnets. A subnet represents a group of computers located on the same subnet.
  • Computer Sets. A computer set is a collection of computers, IP address ranges, or subnets.
  • URL Sets. A URL set defines one or more URLs.
  • Domain Name Sets. A domain name set defines one or more domains.
Network objects are located in the Toolbox. To locate the Toolbox, click the Firewall Policy node in ISA Server Management, and then click the Toolbox tab. The Toolbox also contains two other network objects that are used only in Web publishing rules: Web listener and Server farm objects. A Web listener object enables an ISA Server network to listen for Web requests on a specific IP address and port, and can be configured to require client authentication for Web requests. A server farm object allows you to publish a farm of Web servers, rather than a single Web server. For more information, see Web Publishing Concepts in ISA Server 2006, at the Microsoft TechNet Web site.

Network Objects in Enterprise Edition

ISA Server 2006 Enterprise Edition uses the enterprise to represent all the IP addresses in your organization's topology. Predefined network objects are available at both the enterprise and array level. Some are available only at one level or the other. You can also create network objects at the enterprise and array level. At the array level, network objects are used when creating different types of rules that make up your firewall policy. At the enterprise level, network objects are used as follows:

  • Use enterprise-level network objects when creating enterprise-level access rules. Enterprise-level access rules are defined as part of an enterprise policy. An enterprise policy can be applied to one or more ISA Server arrays. The firewall policy of each array is a combination of the enterprise-level rules included in the applied enterprise policy, and the policy rules created for the specific array at the array level.
  • Create enterprise-level networks that can be used in enterprise-level access rules, or referenced by the arrays in the enterprise.

Enterprise Networks

Enterprise networks include IP address ranges in your network topology. An IP address can be included in only one enterprise network. All of the IP addresses that are defined at the enterprise level—that are included in some enterprise network—are considered to be the address range for the enterprise. Enterprise networks provide the following:

  • Create enterprise-level access rules. Enterprise administrators can create access rules at the enterprise level. Creating access rules at the enterprise level eases policy maintenance because a single change at the enterprise level can be propagated to multiple arrays using the enterprise policy in which the rule exists. Enterprise networks also provide a mechanism for arrays to reference each other across the enterprise.
  • Include enterprise networks in array-level networks. Array administrators can include one or more enterprise networks when defining address ranges of array-level networks. Array-level networks can include IP address ranges, and in addition, one or more enterprise networks, thereby including IP addresses that are not necessarily physically connected to the array. The enterprise network only includes address ranges that correspond with the routing table of the specific ISA Server computer.
  • Predefined enterprise networks implicitly define the same IP address sets as their array-level counterparts. In particular, the enterprise-level Local Host network implicitly defines a set of IP addresses that will include all the IP addresses bound to network adapters on the local ISA Server computer and 127.0.0.1. The IP addresses actually included in this network vary from server to server within an array.
  • Any rule applied by the enterprise administrator to the predefined enterprise network is applied to the array-level network of the same name. For example, a rule that applies to the enterprise network named Local Host applies to the IP addresses in the Local Host network for that array. Consider another scenario, in which an enterprise-level rule applies to the enterprise-level VPN Clients network. At the array level, this rule is applied only to virtual private network (VPN) clients for that array. For example, suppose that this enterprise policy is applied to two arrays in the enterprise. In this scenario, one array is at the front end of a perimeter and is configured to allow roaming client access (VPN). The second array is at the back end, and does not have VPN client access enabled. If a VPN client connects to the front-end array, the enterprise rule applies to the VPN client. However, if a request from this client is passed to the back-end array, the enterprise rule is not applied on this array, because the client is not considered a VPN client of the back-end array.

Predefined enterprise networks are typically used in enterprise policy. They cannot be explicitly used when creating array-level firewall policy rules.

Array-Level Networks

Enterprise-level networks can be included in the definition of an array-level network. When defining address ranges of array-level networks, the array administrator might want to do any of the following:

  • Create an array-level network that does not include an enterprise network. This effectively creates a network visible and usable only for that array. The rest of the enterprise cannot use this network. This might be useful if an array-level network should not be impacted by changes made at the enterprise level, or an array-level network is unused and unneeded at the enterprise level.
  • Create an array-level network that includes one or more enterprise networks. Consider for example, two arrays: a front-end array and a back-end array, both connected to a network with an IP address range of 10.0.0.0/8. Suppose also that the enterprise administrator has defined an enterprise network called ENT-Perimeter with the IP address range from 10.0.0.0 through 10.255.255.255. Each array administrator can then define an array-level network called Perimeter, and include the IP address range of the enterprise network ENT-Perimeter in it. They can then create array-level firewall policy rules based on the network Perimeter.

Residual Networks

The ability to add multiple enterprise networks into the addresses of an array-level network is useful to ensure that IP addresses are not considered as spoofed. IP addresses that belong to an enterprise, but do not belong to any array-level network, are considered to be part of a residual address range. Traffic to or from such an IP address is considered as spoofed, and dropped.

ISA Server creates a log entry every time such traffic is dropped. The source or destination network field for the log entry will be prefixed Residual, with the name of the enterprise network to which the IP address belongs. Consider, for example, a scenario where IP address 10.1.1.1 belongs to an enterprise network named Ent1, but does not belong to an array-level network. Traffic from 10.1.1.1 will be dropped and a log entry with Source set to [Residual] Ent1 will be generated.
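The following script is added here as an illustration of the two behaviors described above, the network-rule lookup (traffic between networks with no network rule is dropped; a rule applies either a route or a NAT relationship) and the residual-network check (an address that is in an enterprise network but in no array-level network is treated as spoofed and logged as [Residual] with the enterprise network name). It is not ISA Server code or a script from this article. The networks, the enterprise network Ent1, and the network rules other than the Local Host route rule are constructed for the example, and the model assumes a route relationship applies in both directions while NAT applies only from the rule's source to its destination.

```python
"""Model of how ISA Server 2006 maps addresses to network objects and applies
network rules. Added example with a constructed topology; not ISA Server code."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Range = Tuple[str, str]  # inclusive (low, high) pair, as on an Addresses tab

# Constructed array-level networks. "Local Host" holds the adapter addresses
# and 127.0.0.1 and is listed first because it is checked first. "External"
# is not listed: ISA Server defines it as every address left over.
ARRAY_NETWORKS: Dict[str, List[Range]] = {
    "Local Host": [("127.0.0.1", "127.0.0.1"),
                   ("192.168.1.1", "192.168.1.1"),
                   ("203.0.113.10", "203.0.113.10")],
    "Internal": [("192.168.1.0", "192.168.1.255")],
    "VPN Clients": [("192.168.200.1", "192.168.200.50")],
}

# Constructed enterprise networks (Enterprise Edition). An address may belong
# to only one enterprise network. 10.0.0.0/8 is in the enterprise but in no
# array-level network above, so it forms the residual range for this array.
ENTERPRISE_NETWORKS: Dict[str, List[Range]] = {
    "Ent1": [("10.0.0.0", "10.255.255.255")],
}

# Network rules: (source, destination) -> relationship. "*" means all other
# networks. The Local Host route rule is the one Setup creates; the other two
# are assumed for this example.
NETWORK_RULES: Dict[Tuple[str, str], str] = {
    ("Local Host", "*"): "route",
    ("Internal", "External"): "nat",
    ("VPN Clients", "Internal"): "route",
}


def _in_ranges(ip: IPv4Address, ranges: List[Range]) -> bool:
    return any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in ranges)


def classify(address: str) -> str:
    """Name the network object an address belongs to for this array.

    Returns "[Residual] <enterprise network>" for an address that is in an
    enterprise network but in no array-level network, which is how the
    dropped packet is labelled in the ISA Server log."""
    ip = IPv4Address(address)
    for name, ranges in ARRAY_NETWORKS.items():
        if _in_ranges(ip, ranges):
            return name
    for ent_name, ranges in ENTERPRISE_NETWORKS.items():
        if _in_ranges(ip, ranges):
            return f"[Residual] {ent_name}"
    return "External"


def rule_for(src: str, dst: str) -> Optional[str]:
    """Find the network rule between two networks.

    Assumption of this model: a route relationship applies in both directions,
    a NAT relationship only from the rule's source to its destination."""
    for (rule_src, rule_dst), relationship in NETWORK_RULES.items():
        forward = rule_src in (src, "*") and rule_dst in (dst, "*")
        reverse = rule_src in (dst, "*") and rule_dst in (src, "*")
        if forward or (reverse and relationship == "route"):
            return relationship
    return None


def decide(src_ip: str, dst_ip: str) -> Dict[str, str]:
    """Return a log-style record: Source, Destination, Action, Reason."""
    src, dst = classify(src_ip), classify(dst_ip)
    entry = {"Source": src, "Destination": dst}
    if src.startswith("[Residual]") or dst.startswith("[Residual]"):
        entry.update(Action="drop", Reason="spoofed: residual enterprise address")
        return entry
    relationship = rule_for(src, dst)
    if relationship is None:
        entry.update(Action="drop", Reason="no network rule between the networks")
    else:
        entry.update(Action=relationship, Reason=f"network rule {src} -> {dst}")
    return entry


if __name__ == "__main__":
    # Constructed sample traffic, including the page's 10.1.1.1 residual case.
    for pair in [("192.168.1.50", "198.51.100.7"),    # Internal -> External: NAT
                 ("198.51.100.7", "192.168.1.50"),    # External -> Internal: no rule
                 ("192.168.1.50", "192.168.200.10"),  # Internal -> VPN Clients: route
                 ("10.1.1.1", "192.168.1.50")]:       # residual source: dropped
        print(decide(*pair))
```

The model covers only the address-to-network mapping and the network rule relationship; access rules, publishing rules, and the adapter-based part of ISA Server spoof detection are not represented.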

Predefined Network Objects

ISA Server provides a number of predefined network objects. Some of these objects can be used in policy rules, and some may be modified. The objects are summarized in the following table.

Each entry below gives the network entity type, the predefined object name, its properties, and how the object is defined in Enterprise Edition (at the array level, the enterprise level, or both).

Networks

Local Host

A predefined network that represents the ISA Server 2006 firewall. It includes all IP addresses on all network adapters. You do not explicitly define IP addresses on this network. Addresses are added automatically as they are defined on network adapters, including any wide area network (WAN) adapters that are created for VPN connections. All traffic that comes to and from ISA Server is considered to have passed by way of the Local Host network. You cannot modify it manually, or delete it.

During installation, a network rule is created to route traffic between the Local Host network and all other networks.

Defined at the array level and the enterprise level.

When you define an enterprise-level access rule, and include it in an enterprise policy that is applied to an array, enterprise-networks referenced in the access rules are interpreted as the array-level network of the same name. In particular, the enterprise-level Local Host network implicitly defines a set of IP addresses that will include all the IP addresses bound to network adapters on the local ISA Server computer and 127.0.0.1. The IP addresses actually included in this network vary from server to server within an array.

An enterprise policy rule that references an enterprise-level Local Host network is applied to the IP address range of the array-level Local Host network.

Enterprise networks have no predefined network rules, and cannot be included directly as the source or destination in array-level access rules.

Networks

Internal

A predefined network that represents the primary default protected network. It is generally considered to contain protected IP address ranges, and by default, ISA Server protects resources on the Internal network from all other networks except the Local Host network (the ISA Server computer). It is typically configured during Setup, when ISA Server can construct the Internal network based on the Microsoft Windows Server™ 2003 routing table. The default Internal network can be modified, but cannot be deleted. If you have additional network adapters connected to other internal networks, you can create additional user-defined internal networks. Note that you cannot name such custom-defined networks "Internal."

Defined at the array level only. There is no enterprise-level Internal network. Instead, enterprise networks may be included in the definition of an array-level Internal network. For example, if you have ArrayA with an Internal network range of 10.x, ArrayB with an Internal network range of 20.x, and ArrayC with an Internal network range of 30.x, you can create three custom enterprise networks, one for each internal range. Then include the three enterprise networks in the definition of each array-level default Internal network. Each array references the Internal networks of the other arrays.

Networks

External

A predefined network that includes all IP addresses not explicitly included in any other network. Following installation, the External network includes every address that is not defined in the Internal network, is not the Local Host address (127.0.0.1), and is not the address of a network adapter on the ISA Server computer. The External network is generally considered to not be trusted, and by default is configured to have a NAT relationship with all other networks. The network definition changes dynamically when other networks are defined and modified. It cannot be directly modified or deleted.

Defined at the array level and the enterprise level.

When you define an enterprise-level access rule, and include it in an enterprise policy that is applied to an array, enterprise networks referenced in the access rules are interpreted as the array-level network of the same name.

An enterprise policy rule that references the enterprise-level External network is applied to the IP address range of the array-level External network.

Enterprise networks have no predefined network rules, and cannot be included directly as the source or destination in array-level access rules.

Networks

VPN Clients

A predefined network that includes IP addresses of currently connected remote VPN clients. The VPN Clients network and the Quarantined VPN Clients network are dynamically assigned in accordance with the IP addresses allocated to remote VPN clients at a specific time. By default, this network has a route relationship with all networks except the External network.

Defined at the array level and the enterprise level.

When you define an enterprise-level access rule, and include it in an enterprise policy that is applied to an array, enterprise-networks referenced in the access rules are interpreted as the array-level network of the same name.

An enterprise policy rule that references the enterprise-level VPN Clients network is applied to the IP address range of the array-level VPN Clients network.

Enterprise networks have no predefined network rules, and cannot be included directly as the source or destination in array-level access rules.

Networks

Quarantined VPN Clients

A predefined network that includes IP addresses of remote VPN clients that have not yet cleared quarantine. By default, this network has a route relationship with all networks except the External network.

Defined at the array level and the enterprise level.

When you define an enterprise-level access rule, and include it in an enterprise policy that is applied to an array, enterprise-networks referenced in the access rules are interpreted as the array-level network of the same name.

An enterprise policy rule that references the enterprise-level Quarantined VPN Clients network is applied to the IP address range of the array-level Quarantined VPN Clients network.

Enterprise networks have no predefined network rules, and cannot be included directly as the source or destination in array-level access rules.

Network Sets

All Networks (and Local Host)

A predefined network set that includes all defined networks. When you create a new network, it is automatically added to this network set. This network set is the equivalent of the Anywhere predefined computer set.

Defined at the array level and at the enterprise level.

Network Sets

All Protected Networks

A predefined network set that includes all networks except the predefined External network. When you create a new network, it is automatically added to this network set.

Defined at the array level and at the enterprise level.

Computer Sets

Anywhere

A predefined computer set that includes all IP address ranges.

Defined at the array level and at the enterprise level.

Computer Sets

Remote Management Computers

A predefined computer set that includes computers to manage ISA Server remotely. It should be modified to include IP addresses of all computers that can manage ISA Server remotely. If ISA Server is installed remotely within an active Remote Desktop session, the IP address of the remote computer is added automatically to this computer set.

Defined at the array level only. When creating enterprise-level access rules, use the Enterprise Remote Management Computers computer set, which can also be used in array-level rules.

Computer Sets (Enterprise Edition)

Enterprise Remote Management Computers

A predefined computer set that contains computers allowed to remotely manage all ISA Server computers in the enterprise. It should be modified to include IP addresses of all computers that can manage the enterprise remotely. If ISA Server is installed remotely within an active Remote Desktop session, the IP address of the remote computer is added automatically to this computer set.

The Enterprise Remote Management Computers computer set can also be used when creating array-level rules.

Defined at the array level and at the enterprise level.

Computer Sets

Replicate Configuration Storage servers

A predefined computer set that includes all Configuration Storage server computers that are replicated with the local Configuration Storage server.

Defined at the array level and at the enterprise level.

Computer Sets

IPsec Remote Gateways

A predefined computer set that includes the IP addresses of Internet Protocol security (IPsec) remote VPN gateways that are configured using the Site-to-Site VPN Wizard.

Defined at the array level only.

Computer Sets

Array Servers

A predefined computer set used in a system policy rule that allows traffic between array members. For each array, this computer set includes the IP addresses of array members. Computers are added during installation. If you subsequently change the address of an array member, be sure to update this computer set accordingly.

Defined at the array level only.

Computer Sets

Managed ISA Servers

A predefined computer set used in a system policy rule that allows traffic from trusted computer sets to the local Configuration Storage server. For each array, this computer set includes IP addresses of array members allowed to access the Configuration Storage server.

Defined at the array level only.

Domain Name Sets

Microsoft Error Reporting Sites

A predefined domain name set used in a system policy rule that allows HTTP or HTTPS access from the Local Host network to trusted domains for error reporting purposes. (For example, *.watson.microsoft.com or watson.microsoft.com.)

Defined at the array level and at the enterprise level.

Domain Name Sets

System Policy Allowed Sites

A predefined domain name set used in a system policy rule that allows HTTP or HTTPS access from the Local Host network to trusted domains. (For example, *.microsoft.com, *.windows.com, or *.windowsupdate.com.)

Defined at the array level and at the enterprise level.

Domain Name Sets

Enterprise Configuration Storage

A predefined domain name set for the Configuration Storage server used by the ISA Server firewall. Used in a system policy rule that allows traffic from ISA Server to the Configuration Storage server.

Defined at the array level only.

Domain Name Sets

Microsoft Update Domain Name Sets

A predefined domain name set with a list of all Microsoft update servers.

Defined at the array level only.

Configuring Network Objects

ISA Server access rules require you to specify network entities as the source and destination of the rule. You can specify a network, network set, computer, address range, subnet, or computer set. You create and modify network objects to mirror your physical networks, and to use when specifying source and destination in policy rules. Create network objects in accordance with the level of granularity required in the rule. For example, you can use a computer object to specify that a rule applies to a single computer, or use a network set object to specify that a rule applies to one or more networks.

Configuring a Computer or Computer Set Object

Use a computer object as the source or destination when you want to control traffic to or from a specific computer. Configure a computer set to allow you to gather a group of individual IP addresses as a source or destination. For example, you might use a computer set to group client computers with a specific configuration. ISA Server does not define any default computer entities. Default computer sets are outlined in the preceding table.

Configuring an Address Range Object

Specify an address range to use a set of contiguous IP addresses as a rule source or destination. For example, you may want to give a set of client computers in a specific address range access to resources in another network. ISA Server does not define any default address ranges. Use an IP address range entity to define a single object that encompasses IP addresses within a specified range.

Configuring a Subnet Object

Use a subnet to define a group of client computers located in the same subnet when applying a rule. ISA Server does not create any default subnets. A subnet object can only include IP addresses that fall within a range that can be expressed by a standard address mask, unlike an address range object, which can include any contiguous range of addresses.
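The following script, added here as an illustration and not part of ISA Server or this article, shows the practical consequence of that difference: it checks whether a contiguous address range can be expressed by a single standard mask (and so fits a Subnet object) and, if not, how many Subnet objects it would take, which is when an Address Range object is the better choice. The ranges used are constructed for the example; 10.0.0.0 through 10.255.255.255 is the ENT-Perimeter range from the Array-Level Networks section.

```python
"""Subnet object versus address range object. Added example, not ISA Server
code: it checks whether a contiguous range can be expressed by one standard
address mask and, if not, how many subnet objects it would take."""
from ipaddress import IPv4Address, summarize_address_range
from typing import List, Optional


def subnets_for_range(low: str, high: str) -> List[str]:
    """Minimal list of CIDR blocks that exactly covers the inclusive range."""
    blocks = summarize_address_range(IPv4Address(low), IPv4Address(high))
    return [str(block) for block in blocks]


def as_single_subnet(low: str, high: str) -> Optional[str]:
    """Return the CIDR form if the range is exactly one subnet, else None."""
    blocks = subnets_for_range(low, high)
    return blocks[0] if len(blocks) == 1 else None


def choose_network_object(low: str, high: str) -> str:
    """Recommend a Subnet object when one mask fits, else an Address Range."""
    cidr = as_single_subnet(low, high)
    if cidr is not None:
        return f"Subnet {cidr}"
    count = len(subnets_for_range(low, high))
    return f"Address Range {low}-{high} (would need {count} Subnet objects)"


if __name__ == "__main__":
    # Constructed ranges: the ENT-Perimeter range from the article plus two
    # client ranges, one mask-aligned and one that is not.
    for low, high in [("10.0.0.0", "10.255.255.255"),
                      ("10.1.1.0", "10.1.1.255"),
                      ("10.1.1.5", "10.1.1.20")]:
        print(f"{low}-{high}: {choose_network_object(low, high)}")
```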

Configuring a Domain Name Set Object

Use a domain name set to control access to an entire site. For example, to allow access to all sites at Microsoft.com, you create a domain name set *.microsoft.com, and specify it as the destination in an access rule. Likewise, you can create a rule to block access to a specific site. You can also create more granular domain name sets to control access to specific servers in a domain.

Configuring a URL Set Object

Configure a URL set to group URLs together. URL sets are processed only for the Web proxy protocols: HTTP, HTTPS, and FTP over the Web proxy. If a client request uses any other protocol, a URL set specified in the rule is ignored and does not match.

Configuring a Network Entity

You can modify the default ISA Server Internal network, or create custom networks of these types:

  • Array-level Internal, External, and perimeter networks.
  • Array-level site-to-site VPN network over IPsec, Point-to-Point Tunneling Protocol (PPTP), or Layer Two Tunneling Protocol (L2TP). When you create site-to-site VPN networks in ISA Server, you are establishing a new network entity to represent the remote VPN site. The network definition includes the remote VPN gateway, the IP address range available for VPN access on the remote site, and the connection protocol and authentication method. In ISA Server 2006 Enterprise Edition, these networks can only be created at the array level. Creating a VPN site-to-site network is the first step in establishing a VPN connection. After creating such a network, you define network rules to specify how networks communicate, and access rules to allow and filter traffic between networks. You should only create such networks using the Site-to-Site VPN Wizard. For more information, see "Virtual Private Networking in ISA Server 2006" at the Microsoft TechNet Web site.
  • Enterprise-level networks. You can create custom enterprise-level networks. However, you can only specify an IP address range. No other properties can be configured on enterprise-level networks.

Configuring Network Properties

The Internal network has a number of properties associated with it. You can also specify these properties for custom array-level networks you create. The properties are as follows:

  • Addresses. Define the IP address ranges to include in the network.
  • Web Proxy. Specify whether the network listens for HTTP requests from Web Proxy clients, and the type of authentication such clients will use for requests. Note that the Enable SSL setting is only for use in a Web proxy chaining scenario. You cannot configure Web Proxy clients to connect to ISA Server using Secure Sockets Layer (SSL). On the Local Host network, set Web proxy properties to configure the Web proxy listener for use by applications running on the ISA Server computer. The options you specify on this property page are reflected in the configuration script that sets Web browser settings when Web Proxy clients are configured to use an automatic script.
  • Firewall Client. Specify whether the network listens for requests from Firewall clients on port 1745, and configure settings to determine how the Web browser on Firewall client computers will detect browser settings. You can specify that clients be enabled to detect browser settings using a Web Proxy Automatic Discovery (WPAD) entry in Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS), or use an automatic configuration script in a specific location. Settings specified will be applied when Firewall client computers are installed. If you later make changes to Firewall client configuration settings on the ISA Server computer, ISA Server automatically updates configuration settings each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the General tab in the Microsoft Firewall Client dialog box, and every six hours after the previous refresh. Settings are applied to all users on the Firewall client computer. For more information, see "Internal Client Concepts in ISA Server 2006" at the Microsoft TechNet Web site. Note that if IPsec is enabled for a network, Firewall client functionality may be impaired. If you experience this issue, disable IP routing on the network.
  • Auto Discovery. Specify the port number on which the network adapter should listen for WPAD requests from Web Proxy clients, and Winsock Proxy Autodetect (WSPAD) requests from client computers with Firewall Client software installed and enabled. By default, ISA Server publishes automatic discovery information on port 80. On ISA Server computers with Internet Information Services (IIS) co-located, enabling automatic discovery may cause a resource conflict on port 80. The workaround is to point to an automatic configuration script instead of using WPAD. Changing the default port may cause issues, because most applications supporting WPAD will make a request to port 80. For more information, see "Automatic Discovery Concepts in ISA Server 2006" at the Microsoft TechNet Web site.
  • Web Browser. Specify browser settings to be configured for Web Proxy clients in the network. Configuration settings include specifying a backup route, bypassing the proxy for computers in the local network, and using direct access that bypasses the Web proxy. Computers acting as Web Proxy clients that are enabled for automatic detection, or to use an automatic configuration script, will use the settings specified on this tab. For direct access, you can specify that the Web proxy should be bypassed for the domain list specified on the Domains tab, or specify a list of direct access sites. Note the following when you specify destinations for direct access in the Directly access these servers or domains list:
      • You should specify both the IP address and the fully qualified domain name (FQDN) of the destination, or the FQDN only. If there is an IP range in the list, the automatic configuration script determines whether the resolved name of the IP address is included in the list. If it is, the script determines whether the destination is internal before submitting the request.
      • If you add the IP address range of a network or domain to the list, you must include all the addresses of the network or domain that you want the client computer to access directly. For example, if you add a specific IP address range to specify that hosts in the Internal network should be accessed directly, you must then add the entire address range for the network. Otherwise, destinations in the Internal network that are not in the list will be routed through the ISA Server computer. In some circumstances, this may be the required behavior. For example, this applies in a branch office scenario, where all requests outside the local network go through the ISA Server computer.
      • If other IP addresses are added to the list, the address range 127.0.0.0 through 127.255.255.255 (127/8) is automatically added to the list.
      • If no IP addresses are on the list and you want to prevent requests to IP address 127.0.0.1 from being routed through the proxy, add 127.0.0.1 as an FQDN to the list.
  • Domains. When the setting Directly access computers specified in the Domain tab is enabled on the Web Browser tab, computers acting as Web Proxy clients will connect directly to domains specified on this tab, bypassing the Web proxy. Settings on the Web Browser tab and Domains tab only apply to Firewall clients and Web Proxy clients using automatic configuration. Clients with browsers manually configured with static proxy settings will require configuration settings to be specified in the browser.
  • CARP. ISA Server 2006 Enterprise Edition only. Specifies whether Cache Array Routing Protocol (CARP) is enabled on the network. When you enable CARP, the cache drives on all array servers are treated as a single logical cache drive so that caching is efficiently distributed among the member servers. For more information about CARP, see "Caching Concepts with CARP in ISA Server 2006 Enterprise Edition" at the Microsoft TechNet Web site.
  • NLB. ISA Server 2006 Enterprise Edition only. Specifies whether Network Load Balancing (NLB) is enabled on the network, and specifies a virtual IP address and mask to use. When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for the network adapter accordingly. The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter associated with the network. The virtual IP address must belong to the network. You can only configure this property page if you have enabled Integrated NLB in ISA Server Management. For more information, see "Network Load Balancing Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Network Rules

Configure network rules to define and describe a network topology. Network rules determine whether there is a relationship between two network entities, and define the type of relationship. Network relationships can be configured as follows:

  • Route. Route relationships between networks are bidirectional. For example, if a route relationship is defined from network A to network B, an implicit route relationship also exists from network B to network A. When you specify this type of connection between networks, client requests from the source or destination network are directly forwarded to the other network, with the source and destination IP addresses unchanged. Use a route relationship where IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses, or between two networks with private addresses. In either case, hosts in each network must define the ISA Server IP address in their local network as the route to the other network. In many cases, simply defining the ISA Server IP address as the default gateway is sufficient. Note the following:
    • When using access rules with a route relationship, ISA Server forwards the traffic with the source and destination IP addresses intact. Either network can appear as the source (From tab) or the destination (To tab) of the rule, but do not specify the same network entity in both.
    • When using server publishing rules, ISA Server forwards the traffic as it does for access rules, but it uses application filters directly. For example, the SMTP filter is not used for SMTP traffic handled by an access rule, but is used with traffic handled by a server publishing rule.
  • Network Address Translation (NAT). NAT relationships between networks are unidirectional. The traffic is handled according to the source or destination of the traffic. ISA Server performs NAT as follows:
    • In access rules, ISA Server replaces the IP address of the client on the source network with the ISA Server default IP address for the destination network. For example, if you create a NAT relationship between the Internal network and the External network, the source IP address of a request from the Internal network will be replaced with the default IP address of the ISA Server network adapter connected to the External network. Note that access rules that handle traffic between networks defined with a NAT relationship can only use the source network specified on the From tab, and the destination network specified on the To tab of the rule.
    • In server publishing rules, the client in the destination network makes a connection to the ISA Server IP address on which the publishing rule is listening for requests. When ISA Server forwards the traffic to the published server, it replaces the ISA Server IP address with the IP address of the internal server that it is publishing, but does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when the traffic is forwarded to the published server, the published server must use the ISA Server computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules with the setting Requests appear to come from the ISA Server computer. This causes ISA Server to perform full NAT on the traffic handled by the rule.

Upon installation, the following default rules are created:

  • Local Host Access. This rule defines a route relationship between the Local Host network and all other networks. Connectivity is defined between the ISA Server computer and all networks connected to the ISA Server computer.
  • VPN Clients to Internal Network. This rule defines a route relationship between the Internal network and the Quarantined VPN Clients and the VPN Clients networks.
  • Internet Access. This rule defines a NAT relationship between all predefined networks and the External network.

Enterprise Network Rules

In ISA Server 2006 Enterprise Edition, network rules can be created at the enterprise level or at the array level. Array-level network rules can apply to array-level network entities, and to enterprise network entities. Enterprise-level network rules only apply to enterprise network entities. Enterprise-level network rules are useful when you want to create a rule that is applicable to all arrays. For example, suppose that for all arrays in the enterprise, you want to define a NAT relationship from the Internal network to the External network.

Network Rule Processing Order

Network rules are ordered. To determine the address relationship between two addresses, A and B, ISA Server processes network rules according to priority order, looking for a rule that matches the addresses. The first rule that matches defines the address relationship.

You could define a network rule with a route relationship between two networks, and then subsequently override this relationship for a particular address by creating a higher-order network rule.

ISA Server processes array-level network rules first, and then processes enterprise-level network rules. Array administrators can override enterprise-level network rules by creating array-level network rules.

Configuring Network Rules

Create network rules to specify if and how network entities connect. Use the following guidelines when creating network rules:

  • A NAT relationship is unidirectional. For example, if you create a NAT relationship from the Internal network to the perimeter network, traffic returned from the perimeter network to the Internal network is not translated. You cannot use access rules to control traffic from the network that does not have NAT applied to the network that does have NAT applied. To use access rules, networks must have knowledge of IP addresses in the other network. In this example, the Internal network is aware of addresses in the perimeter network, but clients in the perimeter network are not aware of addresses in the Internal network because NAT is applied. Instead, you would use Web publishing rules or server publishing rules to allow traffic from the perimeter network to the Internal network.
  • A route relationship is bidirectional. Defining a network rule with a route relationship between the Internal network and the perimeter network implicitly defines the same relationship from the perimeter network to the Internal network. You can use access rules, Web publishing rules, or server publishing rules to control traffic between networks linked with a route relationship.
  • Network rules are evaluated according to the order in which they appear in the network rules list. ISA Server evaluates traffic against the ordered network rules. ISA Server takes the first rule that applies to the specific traffic, and no further network rules are evaluated.
  • Route and NAT relationships are subject to stateful filtering and application-layer inspection.
  • In some circumstances, protocol requirements may mean that traffic will need a route relationship instead of applying NAT, because there are protocols and applications that do not work through NAT.
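The ordering and direction semantics described above (first matching rule wins, Route is bidirectional, NAT is unidirectional, no matching rule means the traffic is dropped) as an added Python model. This is illustration code, not ISA Server's own; the address ranges behind the network names, the perimeter network and the two custom rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence

# Constructed sample topology (not from the page): the predefined networks the
# page names plus one perimeter network, all with made-up address ranges.
NETWORKS: dict[str, list[IPv4Network]] = {
    "Local Host": [ip_network("127.0.0.0/8")],
    "Internal": [ip_network("10.0.0.0/16")],
    "Perimeter": [ip_network("192.168.100.0/24")],
    "VPN Clients": [ip_network("10.200.0.0/24")],
    "Quarantined VPN Clients": [ip_network("10.201.0.0/24")],
}
ALL_NETWORKS = "All Networks"  # wildcard entity used by the Local Host Access rule


def network_of(addr: IPv4Address) -> str:
    """Any address that is not in a protected network belongs to External."""
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def entity_contains(entity: str, addr: IPv4Address) -> bool:
    """A network entity here is a network name, the wildcard, or an address/subnet
    literal standing in for ISA's Computer, Subnet and Address Range objects."""
    if entity == ALL_NETWORKS:
        return True
    if entity == "External" or entity in NETWORKS:
        return network_of(addr) == entity
    return addr in ip_network(entity, strict=False)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: Sequence[str]       # entities on the rule's From tab
    destinations: Sequence[str]  # entities on the rule's To tab
    relationship: str            # "Route" or "NAT"

    def _forward(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (any(entity_contains(e, src) for e in self.sources)
                and any(entity_contains(e, dst) for e in self.destinations))

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.relationship == "NAT":           # NAT relationships are unidirectional
            return self._forward(src, dst)
        return self._forward(src, dst) or self._forward(dst, src)  # Route: bidirectional


# The three default rules created at installation, in priority order. Local Host
# traffic is matched by the first rule, so Internet Access lists the other
# predefined networks as its sources.
DEFAULT_RULES = [
    NetworkRule("Local Host Access", ["Local Host"], [ALL_NETWORKS], "Route"),
    NetworkRule("VPN Clients to Internal Network",
                ["Quarantined VPN Clients", "VPN Clients"], ["Internal"], "Route"),
    NetworkRule("Internet Access",
                ["Internal", "Quarantined VPN Clients", "VPN Clients"], ["External"], "NAT"),
]

# Constructed custom rules placed above the defaults: a NAT rule to the perimeter
# network, and a higher-order Route rule that overrides NAT for one host.
EXAMPLE_RULES = [
    NetworkRule("Routed host", ["10.0.5.20/32"], ["External"], "Route"),
    NetworkRule("Internal to Perimeter", ["Internal"], ["Perimeter"], "NAT"),
] + DEFAULT_RULES


def address_relationship(rules: Sequence[NetworkRule], src_ip: str,
                         dst_ip: str) -> Optional[tuple[str, str]]:
    """Walk the ordered rule list; the first match defines the relationship.
    None means no network rule applies, so ISA Server drops the traffic."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.relationship
    return None


if __name__ == "__main__":
    for src, dst in [("10.0.1.5", "203.0.113.10"),    # Internal -> External: NAT
                     ("203.0.113.10", "10.0.1.5"),    # reverse direction: no rule, dropped
                     ("10.0.1.5", "10.200.0.7"),      # Internal -> VPN Clients: Route
                     ("10.0.1.5", "192.168.100.10"),  # Internal -> Perimeter: NAT
                     ("192.168.100.10", "10.0.1.5"),  # Perimeter -> Internal: no rule
                     ("10.0.5.20", "203.0.113.10")]:  # per-host override: Route
        print(f"{src:>15} -> {dst:<15} {address_relationship(EXAMPLE_RULES, src, dst)}")
```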

After defining networks and network relationships, you can use them to specify source and destination in firewall policy rules. For more information, see "Firewall Policy Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Using Network Entities in Firewall Policy Rules

Note the following when using network entities to specify source or destination in access rules and publishing rules:

  • Normally, only communication between different networks should traverse ISA Server. Do not specify a network as the source or destination in an access rule that controls communication between two hosts in the same network. Instead, use other network entities, such as computers, subnets, and address ranges, to control traffic between these hosts. Where appropriate, you can also use direct access for such host-to-host communication to ensure that requests between internal clients are not looped back through the ISA Server computer.
  • When you create access rules allowing Web access, Web requests from clients protected by ISA Server going through Web Proxy Filter are always subject to address translation, even if there is a route relationship between the source and destination network entities in the rule. The only option is to disable Web Proxy Filter for the client protocol being used.

Network Templates

ISA Server 2006 includes predefined network templates, which correspond to common network topologies. Although networks can be created manually, we recommend applying an ISA Server network template that most closely matches your physical network configuration. When you run the Network Template Wizard to apply one of these templates, you define network IP addresses, and then select a predefined firewall policy that corresponds to the template. After applying the template, you can configure additional network entities, network rules, and access rules.

Applying a network template deletes all existing rules, with the exception of the predefined system policy rules. Back up your current configuration before applying a template. When you run the Network Template Wizard, you have the opportunity to save your current configuration before applying a new template.

Edge Firewall Template

The Edge Firewall template assumes a network topology with ISA Server at the edge of your network. One network adapter is connected to the Internal network, and the other is connected to an External network (Internet). When you select this template, you can allow all outgoing traffic, or limit outgoing traffic to allow only Web access. You should have at least two network adapters available when applying this template, an internal adapter and an external adapter. The following table details firewall policies that are available for selection when you apply the Edge Firewall template, and the rules that are created when you select the policy.

Policy name: Block all
Description: This policy blocks all network access through ISA Server. This option does not create any access rules other than the default rule that blocks all access. Use this option when you want to define firewall policy on your own.
Rules created: None

Policy name: Block Internet access, allow access to ISP network services
Description: This policy blocks all network access through ISA Server, except for access to external network services, such as DNS. This option is useful when network services are provided by your ISP. Use this option when you want to define firewall policy on your own.
Rules created: Allow DNS from Internal Network and VPN Clients Network to External Network (Internet)

Policy name: Allow limited Web access
Description: This policy allows limited Web access using only HTTP, HTTPS, and FTP. This policy blocks all other network access.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network to External Network
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow limited Web access and access to ISP network services
Description: This policy allows limited Internet access and allows access to network services, such as DNS, provided by your Internet service provider (ISP). All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet)
  • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow unrestricted access
Description: This policy allows unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet to protected networks. You can modify the access rules later to block specific types of network access.
Rules created:
  • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Internal Network

3-Leg Perimeter Template

The 3-Leg Perimeter template assumes deployment of ISA Server with three network adapters: One network adapter is connected to the Internet (External network), one is connected to the Internal network, and the third is connected to a perimeter network. The following table details firewall policies that are available for selection when you apply the 3-Leg Perimeter template, and the rules that are created when you select the policy.

Policy name: Block all
Description: This policy blocks all network access through ISA Server. This option does not create any access rules other than the default rule that blocks all access. Use this option when you want to define firewall policy on your own.
Rules created: None

Policy name: Block Internet access, allow access to network services on the Perimeter network
Description: This policy blocks all network access through ISA Server, except for access to network services, such as DNS, on the perimeter network. Use this option when you want to define the firewall policy on your own.
Rules created: Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network

Policy name: Block Internet access, allow access to ISP network services
Description: This policy blocks all network access through ISA Server, except for access to External network services, such as DNS. This option is useful when network services are provided by your ISP. Use this option when you want to define firewall policy on your own.
Rules created: Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to External Network (Internet)

Policy name: Allow limited Web access
Description: This policy allows limited Web access using only HTTP, HTTPS, and FTP. This policy blocks all other network access.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to Perimeter Network and External Network (Internet)
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow limited Web access, allow access to network services on Perimeter network
Description: This policy allows limited Web access using HTTP, HTTPS, and FTP only, and allows access to network services such as DNS on the perimeter network. This option is useful when network infrastructure services are available on the perimeter network.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to Perimeter Network and External Network (Internet)
  • Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow limited Web access and access to ISP network services
Description: This policy allows limited Internet access and allows access to network services, such as DNS, provided by your ISP. All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to the External Network (Internet)
  • Allow DNS from Internal Network, VPN Clients Network, and Perimeter Network to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow unrestricted access
Description: This policy allows unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet to protected networks. You can modify the access rules later to block specific types of network access.
Rules created:
  • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet) and Perimeter Network
  • Allow all protocols from VPN Clients to Internal Network

Front Firewall Network Template

The Front Firewall network template assumes deployment of ISA Server at the edge of the network, with another firewall configured at the back end, protecting the Internal network. In this scenario, ISA Server acts as the front line of defense in a back-to-back perimeter network configuration. The following table details firewall policies that are available for selection when you apply the Front Firewall network template, and the rules that are created when you select the policy.

Policy name: Block all
Description: This policy blocks all network access through ISA Server. This option does not create any access rules other than the default rule that blocks all access. Use this option when you want to define firewall policy.
Rules created: None

Policy name: Block Internet access, allow access to ISP network services
Description: This policy blocks all network access through ISA Server, except for access to External network services, such as DNS. This option is useful when network services are provided by your ISP.
Rules created: Allow DNS from VPN Clients Network and Perimeter Network to External Network (Internet)

Policy name: Allow limited Web access, allow access to network services on Perimeter network
Description: This policy allows limited Web access. All other network access is blocked. This option is useful when network services, such as DNS, are located on the perimeter network.
Rules created:
  • Allow HTTP, HTTPS, FTP from Perimeter Network and VPN Clients Network to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Perimeter Network

Policy name: Allow limited Web access and access to ISP network services
Description: This policy allows limited Web access, and allows access to network services, such as DNS, provided by your ISP. All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Perimeter Network, VPN Clients Network to the External Network
  • Allow DNS from Perimeter Network, VPN Clients Network to External Network
  • Allow all protocols from VPN Clients Network to Perimeter Network

Policy name: Allow unrestricted access
Description: This policy allows unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet to protected networks. You can modify the access rules later to block specific types of network access.
Rules created:
  • Allow all protocols from Perimeter Network and VPN Clients to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Perimeter Network

Back Firewall Template

The Back Firewall network template assumes deployment of ISA Server at the back end of the network, with another firewall configured at the edge, protecting the Internal network. In this scenario, ISA Server acts as the back line of defense in a back-to-back perimeter network configuration. The following table details firewall policies that are available for selection when you apply the Back Firewall network template, and the rules that are created when you select the policy.

Policy name: Block all
Description: This policy blocks all network access through ISA Server. This option does not create any access rules other than the default rule which blocks all access. Use this option when you want to define firewall policy on your own.
Rules created: None

Policy name: Block Internet access, allow access to network services on the Perimeter network
Description: This policy blocks all network access through ISA Server, except for access to network services, such as DNS, on the perimeter network. Use this option when you want to define firewall policy on your own.
Rules created: Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network

Policy name: Block Internet access, allow access to ISP network services
Description: This policy blocks all network access through ISA Server, except for access to External network services, such as DNS. This option is useful when network services are provided by your ISP. Use this option when you want to define the firewall policy access rules on your own.
Rules created: Allow DNS from Internal Network and VPN Clients Network to External Network (Internet), excluding Perimeter address range

Policy name: Allow limited Web access
Description: This policy allows limited Web access. All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network to External Network
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow limited Web access, allow access to network services on Perimeter network
Description: This policy allows limited Web access, and allows access to network services on the perimeter network. All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to Perimeter Network and External Network (Internet)
  • Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow limited Web access and access to ISP network services
Description: This policy allows limited Web access, and allows access to network services, such as DNS, provided by your ISP. All other network access is blocked.
Rules created:
  • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet)
  • Allow DNS from Internal Network and VPN Clients Network, to External Network (Internet), except for Perimeter address range
  • Allow all protocols from VPN Clients Network to Internal Network

Policy name: Allow unrestricted access
Description: This policy allows unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet to protected networks. You can modify the access rules later to block specific types of network access.
Rules created:
  • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet)
  • Allow all protocols from VPN Clients Network to Internal Network

Single Network Adapter Network Template

You can install ISA Server 2006 on computers with a single network adapter. When you apply the Single Network Adapter network template, the Internal network is configured to contain all IP addresses. Run the wizard and select Apply default Web proxying and caching configuration to apply the Allow Web proxy and caching policy. This policy configures ISA Server to act as a caching router: it allows Web Proxy clients to access Web content on the Internet, and accelerates Web performance through caching. After applying the Single Network Adapter network template, the following networks and access rule are defined:

  • Local Host network: 127.0.0.0–127.255.255.255.
  • Internal network: Equals everything else, where everything else is:
    • 0.0.0.1–126.255.255.255
    • 128.0.0.0–255.255.255.254
  • Default access rule: Denies access to all locations.

When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all IP addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.

Typically, you will apply the Single Network Adapter network template when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions as a Web proxy, or cache server, proxying Internet requests from internal clients, and caching content from the Internet for use by clients on the corporate network. When installed on a computer with a single network adapter, ISA Server supports the following scenarios:

  • Forward Web proxy requests using HTTP, HTTPS, or FTP for downloads
  • Cache Web content for use by clients on the corporate network
  • Web publishing to protect published Web or FTP servers
  • Microsoft Office Outlook® Web Access 2003, ActiveSync®, and remote procedure call (RPC) over HTTP publishing

For more information about deploying ISA Server with a single network adapter, see "Configuring ISA Server on a Computer with a Single Network Adapter" at the Microsoft TechNet Web site.

Best Practices for Creating ISA Server Networks

Every time a network adapter receives a packet, ISA Server 2006 checks whether the packet's source IP address is a valid address for the specific network adapter that received it. If the address is not considered valid, ISA Server alerts that an IP spoofing attack has occurred. An IP address is considered valid for a specific network adapter if both of the following conditions are true:

  • The IP address resides in the network of the adapter through which it was received.
  • The routing table indicates that traffic destined to that address may be routed through the adapter belonging to that network.

A packet is considered spoofed (and therefore dropped) if one of the following is true:

  • The packet contains a source IP address that (according to the routing table) is not reachable through any network adapter associated with the network.
  • The packet contains a source IP address that does not belong to the address range of a network (array network for Enterprise Edition) associated with a network adapter.

Note that any IP address that is not contained in ISA Server protected networks is considered part of the External network.

When ISA Server detects a spoofed packet, ISA Server triggers an alert indicating the reason that the packet is considered spoofed. You should carefully review the alert, and attempt to address the issue by doing one of the following:

  • Fixing potential configuration errors. Verify that packets from the specific IP address should be considered spoofed. If not, determine why ISA Server considers these packets spoofed.
  • Blocking traffic from the IP address. If traffic from the IP address should be considered spoofed, block all access from that IP address.

To avoid traffic from legitimate IP addresses being dropped as spoofed, it is essential that ISA Server networks are properly configured. To do this, use the following guidelines:

  • The ISA Server computer must have at least one network adapter configured and enabled (for communication with the Internal network). An ISA Server computer with only one network adapter should be configured with the Single Network Adapter template, and is subject to some functional restrictions.
  • Do not use dynamic addresses on ISA Server network adapters, except for the adapter associated with the External network.
  • A network adapter can have zero or more addresses, and only be associated with one ISA Server network, so that each address only belongs to a single network. There should be no overlap of address ranges on a network.
  • If you create a custom Internal or perimeter network, you must have an adapter installed to associate with the new network. For example, if you have an ISA Server computer with two network adapters, one connected to the Internet, and the other connected to the Internal network, you will need a third network adapter to define a perimeter network.
  • All IP addresses that can be reached directly from a network adapter must be defined as part of the same ISA Server network. To ensure that remote subnets that are reachable by ISA Server through a router are correctly configured:
    • Be sure that remote subnets are added correctly to the network definition for the adapter where that traffic will be received.
    • Verify that the network's IP address range matches the routing table, and that routes are defined in the routing table for each remote subnet.
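An added Python model of the source-address validity check described under Best Practices, applied to a received packet, together with the two remote-subnet misconfigurations the guidelines above warn about. This is illustration code, not ISA Server's own; the adapter names, address ranges and routing table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    adapter: str  # adapter through which the destination is reached


# Constructed sample (not from the page): an edge firewall with two adapters. The
# Internal network holds the directly attached 10.0.0.0/16 and a remote subnet
# 10.5.0.0/16 that is reached through a router on the internal side.
NETWORKS: dict[str, list[IPv4Network]] = {
    "Local Host": [ip_network("127.0.0.0/8")],
    "Internal": [ip_network("10.0.0.0/16"), ip_network("10.5.0.0/16")],
}
ADAPTER_NETWORK = {"LAN": "Internal", "WAN": "External"}  # each adapter maps to one network
ROUTING_TABLE = [
    Route(ip_network("10.0.0.0/16"), "LAN"),
    Route(ip_network("10.5.0.0/16"), "LAN"),  # static route via the internal router
    Route(ip_network("0.0.0.0/0"), "WAN"),    # default route
]
# The two misconfigurations the guidelines warn about: the remote subnet is routed but
# missing from the network definition, or defined but missing from the routing table.
NETWORKS_MISSING_REMOTE_SUBNET = {"Internal": [ip_network("10.0.0.0/16")]}
TABLE_MISSING_REMOTE_ROUTE = [ROUTING_TABLE[0], ROUTING_TABLE[2]]


def network_of(addr: IPv4Address, networks: dict) -> str:
    """Addresses outside every protected network count as External."""
    for name, ranges in networks.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def egress_adapter(addr: IPv4Address, table: Sequence[Route]) -> Optional[str]:
    """Longest-prefix match: the adapter traffic destined *to* this address would use."""
    best = None
    for route in table:
        if addr in route.destination and (
                best is None or route.destination.prefixlen > best.destination.prefixlen):
            best = route
    return best.adapter if best else None


def check_source(src_ip: str, arrived_on: str, networks: dict = NETWORKS,
                 table: Sequence[Route] = ROUTING_TABLE) -> tuple[bool, str]:
    """Apply both validity conditions from the page to a received packet's source
    address. Returns (accepted, alert text); a rejected packet is dropped and alerted."""
    src = ip_address(src_ip)
    expected = ADAPTER_NETWORK[arrived_on]
    actual = network_of(src, networks)
    if actual != expected:  # condition 1: the address must lie in the adapter's network
        return False, (f"spoofed: source {src} received on {arrived_on} belongs to the "
                       f"{actual} network, not {expected}")
    via = egress_adapter(src, table)
    if via != arrived_on:   # condition 2: the routing table must reach it via that adapter
        return False, (f"spoofed: source {src} received on {arrived_on}, but the routing "
                       f"table reaches it through {via}")
    return True, "ok"


if __name__ == "__main__":
    print(check_source("10.0.3.4", "LAN"))  # accepted
    print(check_source("10.0.3.4", "WAN"))  # internal address arriving from the Internet
    print(check_source("10.5.1.1", "LAN"))  # remote subnet, defined and routed: accepted
    print(check_source("10.5.1.1", "LAN", networks=NETWORKS_MISSING_REMOTE_SUBNET))
    print(check_source("10.5.1.1", "LAN", table=TABLE_MISSING_REMOTE_ROUTE))
```

The last two calls show why a legitimate remote subnet is dropped as spoofed unless it appears in both the network definition and the routing table.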

Additional Information

The following resources provide additional information when configuring ISA Server network objects: