Toolbox Reference for ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 includes a Toolbox containing the set of rule elements that you can use when creating ISA Server policies and rules. This document provides background information and descriptions for each Toolbox element.

The Toolbox is accessed from the Firewall Policy node of ISA Server Management. The Toolbox includes these types of rule elements:

  • Protocols
  • Users
  • Content Types
  • Schedules
  • Network Objects

ISA Server Network Objects include Networks, Enterprise Networks (Enterprise Edition only), Network Sets, Computers, Address Ranges, Subnets, Computer Sets, URL Sets, Domain Name Sets, Web Listeners, and Server Farms.

In ISA Server 2006 Enterprise Edition, enterprise administrators can create and modify Toolbox rule elements at both the enterprise level (from the Enterprise Policies node in ISA Server Management) and the array level (from the Firewall Policy node in ISA Server Management). Enterprise-level rule elements can be used in both enterprise-level and array-level policies.

Protocols

ISA Server 2006 includes a variety of preconfigured protocols that you can use when you create access rules and server publishing rules. You can further expand the set of protocols by using ISA Server Management to create your own.

Protocol Categories

In the Toolbox, protocols are categorized in functional groups. These categories were created to help facilitate selection of the appropriate protocol for your specific scenario. Note that some protocols are listed in more than one category.

  • Common Protocols. This category includes protocols used for common publishing and access needs, such as HTTP and HTTPS.
  • Infrastructure. This category includes protocols used for common networking infrastructure needs, such as address assignment (DHCP), Active Directory® (LDAP), and name resolution (DNS).
  • Mail. This category includes protocols used by mail servers, such as SMTP, IMAP4, POP3, and others.
  • Instant Messaging. This category includes protocols required for instant messaging, including MSN Messenger, ICQ, H.323, and others.
  • Remote Terminal. This category includes protocols required to allow remote management, including RDP, Telnet, and others.
  • Streaming Media. This category includes protocols required for streaming media, including MMS, RTSP, and others.
  • VPN and IPsec. This category includes protocols required for VPN connections, such as IKE Client, IKE Server, L2TP, and others.
  • Web. This category includes protocols used to access Web sites, such as HTTP, HTTPS, FTP, and others. When creating Web publishing rules, you can select protocols only from this category.
  • User-Defined. This category includes protocols that are defined by users.
  • Authentication. This category includes protocols required for authentication, such as RADIUS, RSA SecurID, and Kerberos.
  • Server Protocols. This category includes server protocols, used in server publishing rules, such as RPC Server, Microsoft SQL Server™, FTP Server, and others. Protocols used for server publishing include "Server" as part of their name and are always inbound. For example, the FTP Server protocol is an inbound protocol used for server publishing, while the FTP protocol is outbound.
  • All Protocols. This category includes all protocols that are in the Toolbox (predefined and user-defined).

For a complete list of protocols used by Microsoft Windows Server System™ products and subcomponents, see "Service overview and network port requirements for the Windows Server System" at Microsoft Help and Support.

Protocol Properties

Predefined and user-defined protocols consist of Protocol Type, Direction, Port Range, Protocol Number (IP-level protocols only), ICMP Properties (ICMP protocols only), and Secondary Connections (optional).

Predefined protocols included with ISA Server cannot be modified or deleted.

Protocol Type

Specifies which low-level protocol is used for the protocol definition: TCP, UDP, ICMP, or IP-level.

Direction

ISA Server uses protocol direction to specify whether traffic is considered outbound or inbound. For TCP, this includes Inbound and Outbound. For UDP this includes Send, Receive, Send Receive, or Receive Send. For ICMP and IP-level, this includes Send and Send Receive.

For access rules, protocol direction is usually defined as outbound. This allows traffic from the network entities specified as the rule sources (From) to the network entities specified as the rule destinations (To). Generally, this means that a client behind ISA Server is allowed to send traffic to other network objects or networks, such as the External network (Internet).

For server publishing rules, the protocol direction must be defined as inbound. This allows traffic from the network entities specified as the network sources to the published service on the server. For server publishing rules, predefined protocols are always identified with the suffix Server. For example, the DNS Server protocol allows requests for Domain Name System (DNS) services to reach the published DNS server. When you define protocols for server publishing, you are not required to add the suffix. However, you must define the protocol as inbound.

Port Range

For TCP and UDP, this is a range of ports between 1 and 65,535 that is used for the initial connection.

More than one protocol can be associated with the same port.

If you create a rule denying access to a specific protocol, be sure to include all protocols that use the same port in the exception list. Alternatively, you can create a rule denying any one of the protocols that use the port, and place the deny rule before the access rule in the rules order.

For example, if you create a protocol to be used in a rule that denies access to a virus, do not create an access rule that allows access to everything except the new protocol. Instead, create a rule that denies access to the new protocol. Place this rule before any other access rules that allow protocols on the same ports as the new protocol.
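The rule-ordering advice above is easy to get wrong because ISA Server sees only the transport type and port of a connection, not which Toolbox protocol the administrator had in mind. The following first-match evaluator is an added example (not code from the ISA Server documentation or product); the protocol and rule names, and the constructed "Unwanted-App" protocol that shares TCP port 80 with HTTP, are illustrative assumptions. It shows why "allow everything except the new protocol" still lets that traffic through, and why an explicit deny rule must precede the allow rules for the same port.

```python
"""Added example, not from the ISA Server documentation: a small first-match
policy evaluator that shows why a deny rule for a protocol sharing a port with
other protocols must be placed before the allow rules.  Protocol and rule
names below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Protocol:
    """A Toolbox-style protocol definition: transport type plus a primary port range."""
    name: str
    proto_type: str  # "TCP" or "UDP"
    port_lo: int
    port_hi: int

    def matches(self, proto_type: str, port: int) -> bool:
        return proto_type == self.proto_type and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    """An access rule.  protocols=() means 'all protocols'; excluded lists the
    protocols removed from that 'all' (the 'allow all except ...' pattern)."""
    name: str
    action: str          # "allow" or "deny"
    protocols: tuple = ()
    excluded: tuple = ()


HTTP = Protocol("HTTP", "TCP", 80, 80)
HTTPS = Protocol("HTTPS", "TCP", 443, 443)
# Constructed protocol that rides on TCP 80, exactly like HTTP.
UNWANTED = Protocol("Unwanted-App", "TCP", 80, 80)
TOOLBOX = (HTTP, HTTPS, UNWANTED)


def evaluate(rules, proto_type, port, toolbox=TOOLBOX):
    """Return (action, rule name) for the first rule that applies to a
    connection, mirroring ISA Server's ordered rule evaluation.  The firewall
    only sees transport type and port, so any protocol in the rule's scope
    that covers that port makes the rule apply.  If no rule applies, the
    implicit final deny is returned."""
    for rule in rules:
        scope = rule.protocols or tuple(p for p in toolbox if p not in rule.excluded)
        if any(p.matches(proto_type, port) for p in scope):
            return rule.action, rule.name
    return "deny", "default deny"


# 1. The pattern the text warns against: allow everything except the new protocol.
#    HTTP is still in scope and also covers TCP 80, so the connection is allowed.
POLICY_ALLOW_EXCEPT = (Rule("Allow all except Unwanted-App", "allow", excluded=(UNWANTED,)),)

# 2. Recommended: an explicit deny rule placed before any allow rule on the same port.
POLICY_DENY_FIRST = (
    Rule("Deny Unwanted-App", "deny", protocols=(UNWANTED,)),
    Rule("Allow Web", "allow", protocols=(HTTP, HTTPS)),
)

# 3. Same rules, wrong order: the allow rule matches TCP 80 first and wins.
POLICY_DENY_LAST = tuple(reversed(POLICY_DENY_FIRST))


if __name__ == "__main__":
    for label, policy in (("allow-except", POLICY_ALLOW_EXCEPT),
                          ("deny-first", POLICY_DENY_FIRST),
                          ("deny-last", POLICY_DENY_LAST)):
        print(label, "TCP/80 ->", evaluate(policy, "TCP", 80))
```

Running the block prints one line per policy; only the deny-first policy blocks the TCP 80 connection, which is the ordering the text recommends.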

Protocol Number

For IP-level protocols, this is a number between 0 and 254.

ICMP Properties

For ICMP, this is the ICMP code and type.

Secondary Connections

This is the range of ports, protocol types, and direction used for additional connections or packets that follow the initial connection. You can configure one or more secondary connections.

Secondary Connections is an optional property. You cannot define secondary connections for IP-level primary protocols.

Application Filters and Protocols

Some application filters create and install new protocols. These protocols are complex protocols, meaning that they have secondary connections. By translating the ports used by these complex protocols, the application filter enables them, allowing traffic that uses these protocols to pass. The primary connections for these protocols function whether the application filter is enabled or not.

Other application filters filter traffic of existing protocols, either user-defined or configured by ISA Server. When these application filters are disabled, the protocols that they filter are not disabled. For example, even if you disable the Simple Mail Transfer Protocol (SMTP) filter, SMTP protocols might still be allowed to pass (unfiltered).

You can apply one or more application filters to a protocol, to control how this protocol is used. For example, Web Proxy Filter applies to the Hypertext Transfer Protocol (HTTP). When you disable Web Proxy Filter, Web filters will not apply to traffic that matches this rule. In addition, you can configure a protocol so that an application filter does not apply to the protocol.

The following describes the process:

  1. The client opens a primary connection to a server on the Internet.
  2. The ISA Server computer notifies the filter about the connection.
  3. The filter examines the data that is flowing through the primary connection and determines which secondary connection the client is going to use.
  4. The filter informs the ISA Server computer to allow that particular secondary connection.
  5. The ISA Server computer opens the specific port, as indicated by the application filter.

Note

Protocols installed with application filters cannot be modified, although they can be deleted. Protocol definitions with attached application filters usually do not have predefined secondary connections.

RPC Protocols

When you install ISA Server, incoming and outgoing remote procedure call (RPC) protocol definitions are provided.

Incoming RPC Protocols

When you install ISA Server, two default RPC protocol definitions are provided for incoming requests:

  • RPC Server (all interfaces). If this protocol definition is allowed in a server publishing rule, ISA Server will map any inbound RPC requests to the published RPC server. If the universally unique identifier (UUID) is registered on the RPC server, access to the procedure is given. If the UUID is not registered on the RPC server, the request is dropped.
  • Exchange RPC server. A list of UUID interfaces used for Microsoft Exchange Server is defined as an RPC protocol definition. You can use this protocol definition in server publishing rules to deny or allow access to specific Exchange functions.

You can create additional RPC protocol definitions. Using the New RPC Protocol Wizard, you can either select UUID interfaces from a list of interfaces available on the RPC server, or you can define the interfaces manually. If you do not specify any interfaces for the incoming RPC protocol definition, server publishing rules that allow this protocol definition do not allow any traffic.

Outgoing RPC Protocols

When you install ISA Server, an outbound RPC protocol is defined for outgoing requests. All UUID interfaces are used for this protocol definition.

You can create access rules that allow use of this outbound RPC protocol definition. This can allow internal clients to use the RPC protocol to access external resources. For example, you can allow clients on the Internal network access to an external Exchange server. Similarly, you can create outgoing RPC protocol definitions, and use these in access rules, to allow internal clients access to external resources.

Outbound RPC protocols can be configured on a per-rule basis, to enforce strict RPC compliance. By default, strict compliance is enforced for RPC protocols. By enforcing strict compliance, RPC-type protocols, such as DCOM, will not be allowed through ISA Server.

Users

When you create policy rules, you apply a rule to a specific set of users, known as a user set. A user set includes the list of users and the corresponding authentication scheme.

A user set can include all users in a specified namespace, or a subset of users. In addition, a user set can include users from different authentication schemes. For example, a user set might include a Microsoft Windows® user, a user from a RADIUS namespace, and another user from the SecurID namespace.

ISA Server comes preconfigured with the following user sets:

  • All Authenticated Users. Predefined user set representing all authenticated users. A rule defined using this set applies to authenticated users. (Note that SecureNAT clients are not authenticated, unless they are also VPN clients. In this case, the credentials of the VPN connection are used for authorization.)
  • All Users. Predefined user set representing all users. A rule defined using this set applies to all users, both authenticated and unauthenticated.
  • System and Network Service. Predefined user set representing the Local System service and the Network service on the ISA Server computer. This user set is used in some system policy rules.

The user set selected for a Web publishing rule must match the authentication scheme specified in the Web listener rule properties. For example, if your Web publishing rule specifies RADIUS authentication, you must select a user set for users in the RADIUS namespace.

Authentication

You can create Web publishing rules, allowing or denying access to a set of computers or to a group of users. If the rule applies specifically to users, ISA Server checks the incoming Web request properties to determine how the user will be authenticated. For example, a Web publishing rule might allow access only to specific users. ISA Server will authenticate the user requesting the object, to determine if the Web publishing rule allows the requesting user access. The user must authenticate, using one of the authentication methods specified for the incoming Web requests.

ISA Server provides a secure, encrypted logon environment for browsers that support Microsoft Windows NT® Challenge/Response authentication, and for other browsers that use Basic authentication. Authentication methods can be set for all IP addresses on the server, or separately for each IP address.

Content Types

The content types rule element allows you to apply another layer of security to your access rules by limiting the rule application to specific types of content, based on the Multipurpose Internet Mail Extensions (MIME) type and file name extension.

Content type settings apply only to HTTP traffic and tunneled File Transfer Protocol (FTP) traffic that passes through ISA Server 2006.

When a client requests HTTP content, ISA Server sends the request to the Web server. When the Web server returns the object, ISA Server checks the object's MIME type or its file name extension, depending on the header information returned by the Web server. ISA Server determines if a rule applies to a content type that includes the requested file name extension, and processes the rule accordingly.

When a client requests FTP content, ISA Server checks the file name extension of the requested object. ISA Server determines if a rule applies to a content type that includes the requested file name extension, and processes the rule accordingly.

Preconfigured Content Types

ISA Server is preconfigured with the following content types that can be used in access rules. Preconfigured content types cannot be modified or deleted.

  • Application. Used to control access to content containing applications, such as executables, dynamic-link libraries (DLL), .ole, and .vbs files.
  • Application Data Files. Used to control access to content containing data for applications, such as Perfmon, Help, and .wmf files.
  • Audio. Used to control access to content containing audio files, such as MP3 and WAV files.
  • Compressed Files. Used to control access to content including compressed files, such as .z and .zip files.
  • Documents. Used to control access to documents, such as text, Adobe PDF, and XML documents.
  • HTML Documents. Used to control access to content containing HTML documents, such as .xsl and .htm files.
  • Images. Used to control access to content containing images, such as Windows Bitmap, JPEG, and GIF files.
  • Macro Documents. Used to control access to documents that may contain macros, such as Microsoft Office Word and Microsoft Office Excel® documents.
  • Text. Used to control access to content containing text files, such as .txt and plain text files.
  • Video. Used to control access to content containing video files, such as AVI, QuickTime, and MPEG files.
  • VRML. Used to control access to content containing VRML files, such as .flr and .wrl files.

Creating Content Type Sets

In addition to the ISA Server preconfigured content types, you can create your own content type rule element, called a content type set. When you create a content type set, we recommend that you specify both the content's MIME type and its file name extensions. For example, to include all Director files in a content type set, select the following file name extensions and MIME type:

  • .dir
  • .dxr
  • .dcr
  • application/x-director

When you configure a content type set and specify the MIME type, you can use an asterisk (*) as a wildcard character. For example, to include all application types, type application/*. The asterisk wildcard character can be used only with MIME types (and not with file extensions). The asterisk can be specified only once, at the end of the MIME type after the slash mark (/).
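To make the entry rules and the HTTP/FTP classification behaviour concrete, here is an added example (not code from the ISA Server documentation or product) that validates content type set entries and then classifies responses the way the text describes: by MIME type when the Web server returned a Content-Type header, by file name extension otherwise, and by extension only for FTP. The set names, the sample URLs and the `example.test` hosts are constructed; the MIME token character set is taken from RFC 2045.

```python
"""Added example, not from the ISA Server documentation: entry validation and
matching for a content type set.  It encodes the rules stated in the text
(an asterisk is allowed only once, as the whole subtype after the slash, and
never in a file name extension; HTTP responses are classified by Content-Type
when that header is present and by extension otherwise; FTP requests by
extension only).  Set names and sample URLs are constructed."""
import posixpath
import re
from urllib.parse import urlsplit

# RFC 2045-style token characters for type and subtype (entries are lowercased first).
_MIME_RE = re.compile(r"^[a-z0-9!#$&^_.+-]+/(?:[a-z0-9!#$&^_.+-]+|\*)$")


def validate_entry(entry: str):
    """Return ("ext", ".ext") or ("mime", "type/subtype") for a valid entry,
    raise ValueError otherwise."""
    e = entry.strip().lower()
    if e.startswith("."):
        if len(e) < 2 or "*" in e or "/" in e:
            raise ValueError(f"bad file name extension (no wildcards allowed): {entry!r}")
        return "ext", e
    if "*" in e and (e.count("*") != 1 or not e.endswith("/*")):
        raise ValueError(f"wildcard allowed only once, at the end after '/': {entry!r}")
    if not _MIME_RE.match(e):
        raise ValueError(f"bad MIME type: {entry!r}")
    return "mime", e


def is_valid_entry(entry: str) -> bool:
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


class ContentTypeSet:
    def __init__(self, name, entries):
        self.name = name
        self.exts, self.mimes, self.mime_prefixes = set(), set(), set()
        for entry in entries:
            kind, value = validate_entry(entry)
            if kind == "ext":
                self.exts.add(value)
            elif value.endswith("/*"):
                self.mime_prefixes.add(value[:-1])  # "application/*" -> "application/"
            else:
                self.mimes.add(value)

    def matches_mime(self, content_type: str) -> bool:
        media = content_type.split(";", 1)[0].strip().lower()  # drop parameters such as charset
        return media in self.mimes or any(media.startswith(p) for p in self.mime_prefixes)

    def matches_extension(self, url: str) -> bool:
        ext = posixpath.splitext(urlsplit(url).path)[1].lower()
        return ext in self.exts

    def matches_http_response(self, url: str, content_type: str = "") -> bool:
        """HTTP: the MIME type decides when the Web server sent a Content-Type
        header; otherwise the file name extension of the requested URL is used."""
        return self.matches_mime(content_type) if content_type else self.matches_extension(url)

    def matches_ftp_request(self, url: str) -> bool:
        """FTP: only the extension of the requested object is available."""
        return self.matches_extension(url)


# Constructed sets mirroring the text's Director example and the application/* wildcard.
DIRECTOR = ContentTypeSet("Director files", [".dir", ".dxr", ".dcr", "application/x-director"])
ALL_APPLICATIONS = ContentTypeSet("All application types", ["application/*"])

if __name__ == "__main__":
    print(DIRECTOR.matches_http_response("http://example.test/movie.dcr", "application/x-director"))
    print(DIRECTOR.matches_http_response("http://example.test/movie.dcr", "text/html"))
    print(ALL_APPLICATIONS.matches_mime("application/x-msdownload; charset=binary"))
```

Note the third response check in the usage lines: when the server labels a `.dcr` object as `text/html`, the header wins and the Director set does not match, which is why the text recommends listing both MIME types and extensions in a set.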

For a complete list of Internet Information Services (IIS) default associations, see Appendix A: MIME Types and File Name Extensions.

Some published Web sites may include references to internal computer names. Because only ISA Server is available to external clients, and not computers on the Internal network, these references will appear as broken links. ISA Server has a link translation Web filter that enables you to create a dictionary of definitions for internal computer names that map to publicly known names. When you enable link translation for a Web publishing rule, a link translation dictionary is automatically created. You can add more entries to this default dictionary if required.

The link translation filter checks the Content-type header of the request response to determine whether it needs to perform translation on the body of the message. By default, link translation only operates on the HTML documents content group, but you can specify other groups. If no Content-type header is present, the filter will look for a Content-location header to perform translation. If neither header is present, the filter will look at the file name extension of the requested URL.

Note

When the Microsoft Outlook® Web Access server or the ISA Server computer listens for requests on nonstandard ports, and the configured bridging mode is Secure connection to mail server, you must enable link translation for a content type that includes the following:

  • application/x-javascript
  • text/css
  • text/x-component
  • text/xml
  • .eml
  • .css

You must create a new content type, or modify an existing content type, to include these files and MIME types.

Schedules

When you create rules, you can apply a schedule to the rule to determine when it is in effect. ISA Server 2006 is preconfigured with the following two schedules:

  • Weekends. Permits access at all times on Saturday and Sunday.
  • Work hours. Permits access between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.) on Monday through Friday.

Preconfigured schedules cannot be modified or deleted. You can create your own schedules and apply them to both access rules and publishing rules, to define when a rule is active.

If you do not apply a schedule, a default schedule allowing access at all times is automatically applied to access rules and publishing rules.

Network Objects

Network objects are used to categorize IP addresses into different types of network entities, which are used to specify network traffic sources and destinations in the access rules, publishing rules, cache rules, traffic chaining rules, and HTTP compression settings that make up your firewall policy.

Note that network rules determine whether there is a relationship between two network entities, and define the type of relationship. Network relationships can be configured for a network address translation (NAT) or route relationship.

The following network objects are created in the Toolbox:

  • Networks. A network entity typically corresponds to a physical network. A network always has a network adapter associated with it, and represents one or more IP address ranges that can be reached from the associated network adapter.
  • Network Sets. A network set includes one or more networks.
  • Computers. A computer object represents a single IP address.
  • Address Ranges. An address range is a collection of contiguous IP addresses to which you want to apply rules.
  • Subnets. A subnet represents a group of computers located on the same subnet.
  • Computer Sets. A computer set is a collection of computers, IP address ranges, or subnets.
  • URL Sets. A URL set defines one or more URLs.
  • Domain Name Sets. A domain name set defines one or more domains.
  • Web Listeners. Web listener objects are used to enable an ISA Server network to listen for Web requests on a specific IP address and port. Web listeners can also be enabled to require client authentication for Web requests.
  • Server Farms. The server farm object allows you to publish a farm of Web servers, rather than a single Web server. For more information, see "Web Publishing Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

For details about configuring network objects and network rules, see "Network Concepts in ISA Server 2006" at the Microsoft TechNet Web site.

Enterprise-Level Network Objects

In ISA Server 2006 Enterprise Edition, an enterprise-level network is a network defined for the enterprise, rather than for a specific array. Such a network can be used when defining enterprise-level access rules, or included in the definition of an array-level network. The following network objects can also be created at the enterprise level:

  • Enterprise Networks
  • Network Sets
  • Computers
  • Address Ranges
  • Subnets
  • Computer Sets
  • URL Sets
  • Domain Name Sets

Networks

Networks describe a range of IP addresses. Networks, however, are different from other network objects, in that they also describe physical boundaries. Within these physical boundaries that the network describes, traffic can flow freely. ISA Server policy is not applied within an ISA Server network. A network must always have a network adapter associated with it, and networks cannot have overlapping IP addresses.

When you install ISA Server, the networks described in the following table are created.

  • External. Built-in network object representing the Internet. The External network does not have any IP addresses associated with it. External network properties include Network Load Balancing (NLB), defined on the External network NLB tab.
  • Internal. This network object represents your Internal network. The IP addresses associated with this network are defined during ISA Server setup and may be modified later. Additionally, the Internal network includes the following properties: Web Proxy, Firewall Client, Web Browser, Auto Discovery, Domains, CARP, and NLB. Enterprise Edition: There is no Internal network created at the enterprise level.
  • Local Host. Built-in network object representing the ISA Server computer.

Enterprise Ee

  • Quarantined VPN Clients. Built-in dynamic network object representing client computers connecting to ISA Server using a VPN that are currently quarantined.
  • VPN Clients. Built-in dynamic network object representing client computers connected to ISA Server using the VPN connection.

Enterprise Networks (Enterprise Edition Only)

When you install ISA Server, the Enterprise networks described in the following table are created at the enterprise level. These networks can be used in enterprise-level and array-level rules.

  • External. Built-in network object representing all computers not included in any other network and in the array to which the enterprise policy is applied.
  • Local Host. Built-in network object representing all the computers in the Enterprise that are running ISA Server services in the array to which the enterprise policy is applied.
  • Quarantined VPN Clients. Built-in dynamic network object representing client computers connecting to ISA Server using a VPN that are currently quarantined, in the array to which the enterprise policy is applied.
  • VPN Clients. Built-in dynamic network object representing client computers connected to ISA Server using the VPN connection, in the array to which the enterprise policy is applied.

Network Sets

Network sets are used to define several networks as a single set. This set can be used in firewall policy rules to apply rules to all the networks in the set.

ISA Server 2006 is preconfigured with the following network sets:

  • All Networks (including Local Host). This predefined network set includes all the currently defined ISA Server networks (user-defined and built-in networks).
  • All Protected Networks. This predefined network set includes all currently defined ISA Server networks (user-defined and built-in networks), except for the built-in External network.

There are two types of network sets, Exclude and Include. Exclude network sets are defined by selecting the networks excluded from the network set; the network set then consists of all the networks that are not selected. Include network sets are defined by selecting the networks that are included in the network set.

Computers

A computer network object defines a single computer IP address as a network element that can be used in access and policy rules. Note that a computer name cannot be used.

Address Ranges

Specify an address range to use a set of contiguous IP addresses as a rule source or destination. For example, you may want to give a set of client computers in a specific address range access to resources in another network. ISA Server does not define any default address ranges. Use an IP address range entity to define a single object that encompasses IP addresses within a specified range.

Subnets

Use a subnet to define a group of client computers located in the same subnet when applying a rule. ISA Server does not create any default subnets. The subnet object only includes IP addresses that fall within a range that can be defined by a standard address mask, unlike an address set entity, which can include addresses within any range.

Computer Sets

Computer sets define a collection of computers, IP address ranges, or subnets as a single network object that can be used in access and policy rules. When you install ISA Server, the following computer sets are created:

  • Anywhere. A predefined computer set of all IP address ranges.
  • IPsec Remote Gateways. A predefined computer set that includes the IP addresses of Internet Protocol security (IPsec) remote VPN gateways that are configured using the Site-to-Site VPN Wizard.
  • Remote Management Computers. A predefined computer set that includes computers allowed to manage ISA Server remotely. It should be modified to include the IP addresses of all computers that can manage ISA Server remotely. If ISA Server is installed remotely within an active Remote Desktop session, the IP address of the remote computer is added automatically to this computer set.
  • Array Servers. (Enterprise Edition only.) A predefined computer set used in a system policy rule that allows traffic between array members. For each array, this computer set includes the IP addresses of array members. Computers are added during installation. If you subsequently change the address of an array member, be sure to update this computer set accordingly.
  • Managed ISA Server Computers. (Enterprise Edition only.) A predefined computer set that includes computers allowed to connect to this array's Configuration Storage server. It should be modified to include the IP addresses of all computers that will connect to the Configuration Storage server.

When you install ISA Server Enterprise Edition, the following enterprise-level computer sets are created.

  • Anywhere. A predefined computer set of all IP address ranges.
  • Enterprise Remote Management Computers. A computer set that includes computers allowed to remotely manage all ISA Server computers in the enterprise. The Enterprise Remote Management Computers computer set can also be used when creating array-level rules.
  • Replicate Configuration Storage servers. A predefined computer set that includes all Configuration Storage server computers that are replicated with the local Configuration Storage server.

URL Sets

Uniform Resource Locator (URL) sets specify one or more URLs grouped together to form a set. URL sets can be used in access rules to allow or deny access to specified Web sites.

You can create a URL set, and then use it in access rules to allow or deny access to the Web sites specified in the set. When ISA Server processes a rule that applies to a URL set, the URL set element of the rule is processed only for Web traffic requests, that is, HTTP, HTTPS, or FTP over HTTP. If a client request uses another protocol, ISA Server ignores the URL set when processing the rule. For example, if a rule has both a computer set and a URL set specified as destination criteria, only the computer set will be evaluated for such a request. The URL set will be ignored.

You can specify one or more URLs in URL format:

<protocol>://<host>:<port>/<path>

In the host part of the name, you can use an asterisk (*) wildcard character to specify a set of computers. For example, to specify all computers in the Microsoft.com domain, specify *.microsoft.com.

In the path part of the name, you can specify an asterisk wildcard character as part of the path, but only at the end. For example:

You cannot specify a URL set as an IP address.

Processing URL Sets

ISA Server processes rules that apply to URL sets only for Web traffic (for client requests for HTTP or FTP over HTTP). When a client uses any other protocol, ISA Server does not process rules that apply only to a URL set.

Note the following behavior in matching requests with rules containing URL sets:

  • Only the host name and path are considered in a request.
  • The protocol part of the URL is stripped from requests and ignored.
  • You can also specify a path. Wildcard characters can be used in the path, but only at the end. For example, www.microsoft.com/* is acceptable. However, www.microsoft.com/*/sales is not acceptable.
  • Although the URL can include a specific port number, ISA Server ignores that port number when processing the rule. Any port number specified is stripped from requests and ignored.
  • If a request includes a question mark (?), the question mark and everything following it are stripped from the request before matching.
  • When matching, the host and path names are not case-sensitive. For example, this means that folderA and foldera would be considered the same path.
  • For HTTP or FTP over HTTP, when the URL is specified in a request without a path, it will match any path. For example, https://a.com or a.com is equivalent to https://a.com/*.
  • For HTTPS traffic, URL sets are only processed if the URL does not have a path specified, for example, https://a.com or a.com. If the URL has a path specified, for example a slash mark (/), it is ignored for HTTPS traffic.
  • When ISA Server checks the URL sets configured for a rule, text after a question mark (?) is ignored. URLs with a ?, which are included in a URL set, are ignored.

Possible protocols are HTTP, HTTPS, and FTP. However, when ISA Server processes a rule that applies to a URL set, the protocol specified is ignored—only the host name and path are considered.
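The matching rules listed above interact in ways that are easy to misjudge when writing an allow or deny rule, so here is an added example (not code from the ISA Server documentation or product) that implements them as a URL set matcher: the scheme, port and query string of a request are stripped, host and path compare case-insensitively, a path wildcard is accepted only at the end, an entry without a path matches any path, and entries that carry a path are ignored for HTTPS requests. Two points the text leaves open are assumptions here: a host pattern such as `*.microsoft.com` is taken to match sub-hosts only (not the bare `microsoft.com`), and entries containing `?` or a misplaced wildcard are rejected at creation time rather than silently ignored. The `contoso.test` host names and request URLs are constructed.

```python
"""Added example, not from the ISA Server documentation: a URL set matcher
implementing the request-matching rules described in the text.  Assumptions:
a leading '*.' in the host matches sub-hosts only; entries with '?' or a
misplaced wildcard are rejected instead of silently ignored.  Host names and
URLs are constructed."""
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class UrlSetEntry:
    """One entry of the form <protocol>://<host>:<port>/<path>; every part
    except the host is optional."""

    def __init__(self, text: str):
        raw = text.strip()
        if "?" in raw:
            raise ValueError(f"entries containing '?' are never matched: {text!r}")
        if "://" not in raw:
            raw = "http://" + raw             # bare "host[/path]" form
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()  # .hostname drops any port and lowercases
        path = parts.path.lower()
        if not host or _is_ip(host):
            raise ValueError(f"URL set entries need a host name, not an IP address: {text!r}")
        if "*" in host and (host.count("*") != 1 or not host.startswith("*.")):
            raise ValueError(f"host wildcard must be a single leading '*.': {text!r}")
        if "*" in path and (path.count("*") != 1 or not path.endswith("*")):
            raise ValueError(f"path wildcard allowed only at the end: {text!r}")
        self.host = host
        self.has_path = path != ""           # "a.com/" counts as having a path
        self.path_prefix = path[:-1] if path.endswith("*") else None
        self.path = path

    def _host_matches(self, host: str) -> bool:
        if self.host.startswith("*."):
            return host.endswith(self.host[1:])  # assumption: sub-hosts only
        return host == self.host

    def matches(self, request_url: str) -> bool:
        req = urlsplit(request_url)
        host = (req.hostname or "").lower()  # port is not part of .hostname
        path = req.path.lower() or "/"       # .path excludes anything after '?'
        if req.scheme.lower() == "https" and self.has_path:
            return False                     # path entries are ignored for HTTPS traffic
        if not self._host_matches(host):
            return False
        if not self.has_path:
            return True                      # no path in the entry: any path matches
        if self.path_prefix is not None:
            return path.startswith(self.path_prefix)
        return path == self.path


class UrlSet:
    def __init__(self, name: str, entries):
        self.name = name
        self.entries = [UrlSetEntry(e) for e in entries]

    def matches(self, request_url: str) -> bool:
        return any(e.matches(request_url) for e in self.entries)


def is_valid_url_entry(text: str) -> bool:
    try:
        UrlSetEntry(text)
        return True
    except ValueError:
        return False


# Constructed URL set: a host wildcard, a path wildcard with a port, and an exact object.
SAMPLE_SET = UrlSet("Sample sites", [
    "*.microsoft.com",
    "http://www.contoso.test:8080/sales/*",
    "ftp://ftp.contoso.test/pub/readme.txt",
])

if __name__ == "__main__":
    for url in ("http://www.microsoft.com/en-us/?q=1",
                "http://www.contoso.test:9999/Sales/Q1.aspx",
                "https://www.contoso.test/sales/q1.aspx"):
        print(url, "->", SAMPLE_SET.matches(url))
```

The last usage line is the HTTPS caveat in practice: the same `/sales/` request that matches over HTTP does not match over HTTPS, because the entry carries a path and ISA Server ignores such entries for HTTPS traffic.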

Name Resolution (URL Sets and Domain Name Sets)

ISA Server determines whether requests should be allowed or denied in accordance with access policy. The ISA Server rules engine attempts to match access rules, and then routing rules, with requests. Rules that include domain name sets and URL sets require name resolution. If there are no rule criteria that prevent rule matching, and the rule may match the request if name resolution is performed, the rule will be subject to name resolution. If the rule contains a URL set, but a schedule limitation on the rule prevents matching, the rule is not subject to name resolution. The following types of requests may be marked for name resolution:

  • A Web request specified by name encounters a rule that has an address range specified as the destination criteria (forward lookup).
  • A Web request specified by IP address encounters a rule that has a URL set as the destination criteria (reverse lookup).

The Microsoft Firewall service includes its own Domain Name System (DNS) cache. If the requested IP address or host name resides in this cache, the request is processed without issuing a DNS request. Otherwise, a DNS request is issued. Name resolution provides a host entry, and the rules engine then compares the host entry against the destination criteria of the rule. The rules engine does a string compare against URL sets and domain name set entries.

Note that rules requiring name resolution are evaluated and enforced on the basis of the answers returned by DNS. If DNS is not configured correctly and securely, rules may not be applied as intended: a rule that matches only after a forward or reverse lookup is only as trustworthy as the resolver that answered it.
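The lookup-and-compare sequence described above, as an added example written for this page (it is not ISA Server code): a constructed resolver with its own cache, a rule type carrying one destination criterion and a schedule flag, and an engine that resolves a name only when the rule could still match. The DNS answers, rule names and addresses are made up; the last step of demo() illustrates the caveat above by letting a resolver you do not control answer a reverse lookup.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS data standing in for the real resolver: forward (A) answers keyed
# by name and reverse (PTR) answers keyed by address. Not real infrastructure.
FAKE_DNS = {
    "www.fabrikam.example": "203.0.113.10",
    "203.0.113.10": "www.fabrikam.example",
}


@dataclass
class Resolver:
    """Stands in for the Firewall service's own DNS cache: answer from the cache when
    possible, otherwise issue a query (counted, so the cache effect is visible)."""
    answers: Dict[str, str]
    cache: Dict[str, Optional[str]] = field(default_factory=dict)
    queries: int = 0

    def resolve(self, key: str) -> Optional[str]:
        if key not in self.cache:
            self.queries += 1
            self.cache[key] = self.answers.get(key)
        return self.cache[key]


@dataclass
class Rule:
    """One access rule with a single destination criterion and a schedule flag."""
    name: str
    action: str                                  # "allow" or "deny"
    address_range: Optional[str] = None          # CIDR text, e.g. "203.0.113.0/24"
    url_set_hosts: Tuple[str, ...] = ()          # host names taken from a URL set
    schedule_active: bool = True                 # False: the rule's schedule excludes this request


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, request_host: str, resolver: Resolver) -> bool:
    """Apply the destination criterion, resolving only when the rule could still match."""
    if not rule.schedule_active:
        return False                             # excluded by schedule: no lookup is issued
    if rule.address_range is not None:
        # Request by name against an address range: forward lookup.
        ip = request_host if is_ip(request_host) else resolver.resolve(request_host)
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.address_range)
    if rule.url_set_hosts:
        # Request by IP address against a URL set: reverse lookup, then a string compare.
        host = resolver.resolve(request_host) if is_ip(request_host) else request_host
        return host is not None and host.lower() in {h.lower() for h in rule.url_set_hosts}
    return False


def evaluate(rules: List[Rule], request_host: str, resolver: Resolver) -> str:
    """First matching rule wins; the default rule denies everything else."""
    for rule in rules:
        if rule_matches(rule, request_host, resolver):
            return rule.action
    return "deny"


def demo() -> Tuple[str, str, int, str]:
    honest = Resolver(dict(FAKE_DNS))
    rules = [Rule("Allow Fabrikam", "allow", url_set_hosts=("www.fabrikam.example",))]
    by_ip = evaluate(rules, "203.0.113.10", honest)     # reverse lookup: one query issued
    again = evaluate(rules, "203.0.113.10", honest)     # served from the cache: still one query
    # A resolver under someone else's control answers the reverse lookup for an
    # unrelated address with the allowed name, and the rule now matches that address.
    untrusted = Resolver({"198.51.100.7": "www.fabrikam.example"})
    spoofed = evaluate(rules, "198.51.100.7", untrusted)
    return by_ip, again, honest.queries, spoofed


if __name__ == "__main__":
    print(demo())
```

The engine skips the lookup entirely for a rule whose schedule already excludes the request, which is the behaviour the text describes; every other decision in demo() is determined solely by what the resolver returned.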

URL Set Mapping

Some URL set mapping examples are as follows:

Domain Name Sets

Domain name sets define one or more domain names as a single set, so that you can apply firewall policy to the specified domains. When you install ISA Server, the following domain name sets are created:

  • Microsoft Error Reporting Sites. A predefined domain name set used to allow error reporting.
  • System Policy Allowed Sites. A predefined domain name set used to allow access to trusted sites for maintenance and management.
  • Enterprise Configuration Storage Servers. (Enterprise Edition only.) A predefined domain name set for the Configuration Storage server used by the ISA Server computer.
  • Microsoft Update Domain Name Set. A predefined domain name set of all Microsoft update servers. This domain name set is used in the ISA Server Microsoft Update Cache Rule properties.

Specifying Domain Names

When you apply a rule to a domain name set, ISA Server checks whether the request matches the specified domain name set. ISA Server compares the exact name that you specified, including any port number. For example, consider a rule that allows access to a domain name set containing the entry fabrikam.put:1111. A request for fabrikam.put does not match that entry and is denied; it is allowed only if the entry fabrikam.put (without the port) is added to the set. For this reason, do not specify a port number in a domain name set.

When creating a domain name set, note the following:

  • When you specify a domain name, specify the computer name using the fully qualified domain name (FQDN). For example, computer_name.microsoft.com, and not \\computer_name. You cannot specify an IP address in a domain name set. When specifying the domain name, you can use an asterisk (*) to specify a set of computers. For example, to specify all computers in the Microsoft.com domain, type the domain name as *.microsoft.com. Note that the asterisk can appear only at the start of the domain name, and can be specified only once in the name.
  • When you create a domain name set entry with a wildcard character, such as *.microsoft.com, the entry includes only hosts within that domain, for example www.microsoft.com and ftp.microsoft.com. It does not include the bare domain name itself: even if microsoft.com resolves to a host, *.microsoft.com has no effect on a request for https://Microsoft.com.
  • We recommend that you enter the domain name as it is returned by the Domain Name System (DNS). If you specify a dot at the end of a domain name, a request for the domain name (without a dot) may not be matched as required.
  • When matching rules, the domain name is not case-sensitive.
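The matching rules stated for URL sets (earlier in this document) and for domain name sets (the list above), as an added example written for this page and not taken from ISA Server: a validator for the wildcard rule, a domain name set matcher, and a URL set matcher. The functions and names are assumptions for illustration; the example requires a dot after the asterisk and compares URL paths exactly, two details the page does not specify.

```python
from urllib.parse import urlsplit


def valid_domain_entry(entry: str) -> bool:
    """A wildcard may appear only once and only at the start of the name. This
    example additionally requires a dot after the asterisk, so that an entry such
    as *microsoft.com cannot match evilmicrosoft.com (the page does not say how
    ISA Server treats that form)."""
    stars = entry.count("*")
    return stars == 0 or (stars == 1 and entry.startswith("*."))


def domain_entry_matches(entry: str, request_host: str) -> bool:
    """Domain name set rules: case-insensitive exact string compare, including any
    port or trailing dot written into the entry; *.example.com covers hosts under
    the domain (www.example.com, a.b.example.com) but not example.com itself."""
    if not valid_domain_entry(entry):
        raise ValueError(f"invalid domain name set entry: {entry!r}")
    entry, host = entry.lower(), request_host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])          # entry[1:] is ".example.com"
    return entry == host


def url_entry_matches(entry: str, request_url: str) -> bool:
    """URL set rules: the protocol is ignored, text after ? in the request is
    ignored, an entry containing ? is ignored, and for an HTTPS request only
    entries without a path are considered. Paths are compared exactly here; the
    page's handling of wildcards inside URL set paths is not modeled."""
    if "?" in entry:
        return False
    req = urlsplit(request_url)
    ent = urlsplit(entry if "://" in entry else "http://" + entry)
    if not req.hostname or not ent.hostname or req.hostname.lower() != ent.hostname.lower():
        return False
    if req.scheme.lower() == "https":
        return ent.path == ""                    # any path, even "/", disqualifies the entry
    return (req.path or "/") == (ent.path or "/")


def in_domain_set(entries, request_host: str) -> bool:
    return any(domain_entry_matches(e, request_host) for e in entries)


def in_url_set(entries, request_url: str) -> bool:
    return any(url_entry_matches(e, request_url) for e in entries)


if __name__ == "__main__":
    # Constructed sets built from the names used on this page.
    print(in_domain_set(["*.microsoft.com", "fabrikam.put:1111"], "www.microsoft.com"))   # True
    print(in_domain_set(["*.microsoft.com", "fabrikam.put:1111"], "fabrikam.put"))        # False
    print(in_url_set(["http://a.com/page"], "http://a.com/page?id=5"))                    # True
    print(in_url_set(["http://a.com/page"], "https://a.com/page"))                         # False
```

The port case from the text (fabrikam.put:1111 never matching a request for fabrikam.put) falls out of the plain string compare, which is why the page tells you not to put ports into a domain name set.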

Web Listeners

When you create a Web publishing rule, you specify a Web listener to be used when applying the rule. The Web listener properties determine:

  • Type of connections the Web listener will establish with clients, either Secure Sockets Layer (SSL) or HTTP.
  • The ISA Server networks, and which IP addresses and ports on the specified networks, will listen for Web requests.
  • The SSL server certificate that ISA Server presents to clients to authenticate itself (if SSL is selected).
  • Which authentication method will be used and when authentication is required.
  • The method used by clients to authenticate to ISA Server.
  • The method used by ISA Server to validate client credentials.

Web listeners can be used by more than one Web publishing rule.

Web Listener Network (IP Address) Selection

The Web listener network, or networks, that you select depend on which network clients will use to connect to the published Web server. For example, if the Web site you are publishing allows client requests from the Internet (External network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the ISA Server computer that are associated with the external network adapter. If you do not limit the IP addresses, all IP addresses associated with the selected network adapter will be included in the listener configuration.

Web listeners are used by a Web publishing rule. The rule specifies source network objects in addition to specifying a Web listener. The network objects specified for the Web publishing rule must also be specified for the Web listener.

Selecting SSL Server Certificates

Each Web listener can be used for one or more Web sites. However, ISA Server allows only one certificate per IP address. If all the Web sites use the same certificate, you can publish them through the same Web listener. If different certificates are required, you must do one of the following:

  • Install a wildcard certificate.
  • Add an IP address to the listening network adapter on the ISA Server computer (or array in ISA Server Enterprise Edition) for each SSL-enabled Web site.

For example, you want to publish three SSL Web sites: www.treyresearch.net, www.Finance.treyresearch.net, and www.Marketing.treyresearch.net. All three sites are registered in a public DNS, and resolve to the same IP address. A wildcard certificate for *.treyresearch.net lets you publish sites under that name from the one IP address. Alternatively, you could add more IP addresses. Note that most TLS clients accept a wildcard only for a single DNS label, so *.treyresearch.net covers www.treyresearch.net but not a name with an extra label such as www.Finance.treyresearch.net; such a site needs a certificate issued for its own name (or a wildcard at its own level), and therefore its own IP address on the listener.

In ISA Server 2004, wildcard certificates are supported only on the ISA Server computer. In HTTPS-to-HTTPS bridging, you cannot use wildcard certificates to authenticate the back-end Web server to ISA Server. In ISA Server 2006, wildcard certificates are supported on both the ISA Server computer and the back-end Web server.

For more information about wildcard certificates, see "Publishing Multiple Web Sites using a Wildcard Certificate in ISA Server 2006" at the Microsoft TechNet Web site. Most of the procedures in this document are applicable for ISA Server 2006.
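The certificate-per-IP-address rule above, as an added planning example written for this page (not ISA Server code): a host name matcher that applies the single-label wildcard rule most TLS clients use, and a function that groups the sites you want to publish by certificate to count the listener IP addresses you need. Site names are the ones used on this page; treating "same list of certificate names" as "same certificate" is a simplification of this example.

```python
from typing import Dict, List, Sequence


def cert_covers(cert_names: Sequence[str], host: str) -> bool:
    """Host name matching as most TLS clients perform it: case-insensitive, exact,
    and a leading '*' stands for exactly one DNS label. So *.treyresearch.net covers
    www.treyresearch.net but neither treyresearch.net nor www.finance.treyresearch.net."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
    return False


def listener_ip_groups(sites: Dict[str, Sequence[str]]) -> List[List[str]]:
    """sites maps each published host name to the names on the certificate that
    will serve it (constructed input). Sites served by the same certificate can
    share a listener IP address; every distinct certificate needs an IP address of
    its own. Returns one group of host names per IP address required, and rejects
    a site whose certificate a client would not accept for it."""
    groups: List[Dict[str, list]] = []
    for host, names in sites.items():
        if not cert_covers(names, host):
            raise ValueError(f"certificate {list(names)} does not cover {host}")
        key = sorted(n.lower() for n in names)
        for group in groups:
            if group["cert"] == key:             # same certificate, same IP address
                group["hosts"].append(host)
                break
        else:
            groups.append({"cert": key, "hosts": [host]})
    return [group["hosts"] for group in groups]


if __name__ == "__main__":
    plan = listener_ip_groups({
        "www.treyresearch.net": ["*.treyresearch.net"],
        "mail.treyresearch.net": ["*.treyresearch.net"],
        "www.finance.treyresearch.net": ["*.finance.treyresearch.net"],
    })
    print(len(plan), "listener IP address(es) needed:", plan)
```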

Limiting Concurrent Connections

By limiting the number of connections allowed simultaneously to the ISA Server computer, you can prevent attacks that overwhelm the system's resources. This is particularly useful when publishing servers. You can limit the number of computers that connect, while allowing for specific clients to continue connecting, even when the limit is surpassed.

Port Specification

By default, ISA Server listens on port 80 for HTTP requests. If, however, connecting clients are expected to use a different port, you should change the port number accordingly. You can also enable the Web listener to listen for SSL requests on the default port 443. If you choose SSL, an appropriate certificate must first be installed on the ISA Server computer. You must select a server certificate to be used by the Web listener so that the ISA Server computer can authenticate itself to the client.

Server Farms

Web applications and sites are often hosted by a Web farm, consisting of two or more mirrored Web servers. A server farm (also referred to as a Web farm) defines an existing load balanced cluster as an ISA Server server farm that can be used for publishing load balanced Web applications. When you create a server farm, you specify the computer name or IP address of each server in the farm.

Server Farm Load Balancing Mechanism

In many scenarios, for load balancing to be effective, affinity must be maintained between the client and the Web server that receives and responds to the client's request. Otherwise, a series of requests from the client and responses from the Web farm will be handled by different Web servers, ignoring the context of the requests. For example, Outlook Web Access is an application that requires client affinity, because the Outlook Web Access server maintains a context for the connected client.

The need for affinity is also demonstrated in a Web shopping scenario, where a client sets up a shopping cart on a Web server. If affinity is not maintained, at some point in the client's session, the client's requests may be directed to another Web server that is unaware of the shopping cart.

When you apply a rule to a server farm, you also configure whether the load balancing mechanism should be cookie based (session affinity) or source-IP based.

We recommend that you use session affinity when possible, because it maintains client affinity more reliably when a Web server is restarted (this is sometimes referred to as client stickiness), and it works better when you are draining a Web server. Session affinity should be used for load balancing Outlook Web Access or Microsoft Windows SharePoint® Services access, both of which are used from a Web browser such as Microsoft Internet Explorer®, which supports HTTP cookies.

IP address-based affinity has an advantage over session affinity in that it supports clients that are not fully compliant with HTTP 1.1 (clients that do not support HTTP cookies), such as some mobile devices. IP address-based affinity must also be used when you are load balancing RPC over HTTP access from Outlook, because Outlook does not support HTTP cookies and therefore cannot use session affinity.

Note that if you are publishing a server farm with ISA Server 2006 located behind another firewall, you must either use session affinity, or use IP address affinity and verify that the front-end firewall is configured to pass the original client's IP address to ISA Server. If the front-end firewall translates source addresses, every client appears to ISA Server to come from the same IP address, and IP address-based affinity sends all of them to a single Web server.

Server Farm Connectivity Verifiers

When you create a server farm, ISA Server creates a connectivity verifier for each Web server. Note that if your Web servers use a port other than port 80, specify that port on the server farm properties Connectivity Verification tab. You can view connectivity verifier status for the server farm in the Monitoring node, on the Connectivity Verifiers tab.

Draining a Server Farm

ISA Server provides a Drain option allowing you to specify that a server in the farm should temporarily stop accepting new connections. When you are ready for the server to begin accepting connections again, the Resume option is available.

Note that Drain and Resume are only active after you click the Apply button on the Apply Changes bar. When you drain a server, it stops accepting new connections. However, existing connections are not dropped.
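The two affinity mechanisms and the Drain and Resume behaviour described above, as an added example written for this page (not ISA Server code): a toy farm that routes each new connection by source IP or by cookie, stops handing new connections to a draining server, and shows what happens to IP address-based affinity behind an address-translating front-end firewall. Server names and addresses are made up; the round-robin selection and the hashed cookie token are choices of this example, not a description of ISA Server's actual algorithm or cookie format.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Farm:
    """Toy model of a server farm: the Web servers, the affinity mode chosen for the
    rule, and the servers currently being drained. Server names are made up."""
    servers: List[str]
    mode: str = "cookie"                                    # "cookie" (session affinity) or "ip"
    draining: Set[str] = field(default_factory=set)
    ip_table: Dict[str, str] = field(default_factory=dict)  # source IP -> server (ip mode)
    rr: int = 0                                             # round-robin pointer for new sessions

    def cookie_for(self, server: str) -> str:
        # Opaque token rather than the server name, so the cookie reveals nothing
        # about the farm; the client only has to echo it back.
        return hashlib.sha256(server.encode()).hexdigest()[:16]

    def accepting(self, server: Optional[str]) -> bool:
        """A server takes new connections only if it is in the farm and not draining."""
        return server is not None and server in self.servers and server not in self.draining

    def new_session(self) -> str:
        candidates = [s for s in self.servers if s not in self.draining]
        if not candidates:
            raise RuntimeError("no server in the farm is accepting new connections")
        server = candidates[self.rr % len(candidates)]
        self.rr += 1
        return server

    def route(self, request: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Route one new client connection. `request` holds the source IP as ISA Server
        sees it and, optionally, the affinity cookie the client presents. Returns the
        server chosen and the cookie to hand the client (None if it already has one)."""
        if self.mode == "ip":
            server = self.ip_table.get(request["src_ip"])
            if not self.accepting(server):
                server = self.new_session()
                self.ip_table[request["src_ip"]] = server
            return server, None
        cookie = request.get("cookie")
        server = next((s for s in self.servers if self.cookie_for(s) == cookie), None)
        if self.accepting(server):
            return server, None
        server = self.new_session()
        return server, self.cookie_for(server)

    def drain(self, server: str) -> None:
        self.draining.add(server)       # no new connections; existing ones are untouched

    def resume(self, server: str) -> None:
        self.draining.discard(server)


def behind_nat(mode: str, clients: int = 6) -> Set[str]:
    """All clients arrive through a front-end firewall that replaces their source
    address with its own, so ISA Server sees one IP address for everyone."""
    farm = Farm(["web1", "web2", "web3"], mode=mode)
    return {farm.route({"src_ip": "198.51.100.1"})[0] for _ in range(clients)}


if __name__ == "__main__":
    print("IP affinity behind NAT:", behind_nat("ip"))          # one server gets every client
    print("cookie affinity behind NAT:", behind_nat("cookie"))  # load is spread across the farm
```

Draining is modeled at the connection level only: a connection already open to a drained server is not represented here and is not affected, while the next connection from a client whose cookie or source IP pointed at that server is sent to a server that is still accepting.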

Additional Information

The following resources provide additional information when configuring ISA Server network objects:

Appendix A: MIME Types and File Name Extensions

Depending on the Web server, different MIME types are associated with different file name extensions. The following table lists the Internet Information Services (IIS) default associations.

File name extension    MIME type
.hta                   application/hta
.isp                   application/x-internet-signup
.crd                   application/x-mscardfile
.pmc                   application/x-perfmon
.spc                   application/x-pkcs7-certificates
.sv4crc                application/x-sv4crc
.bin                   application/octet-stream
.clp                   application/x-msclip
.mny                   application/x-msmoney
.p7r                   application/x-pkcs7-certreqresp
.evy                   application/envoy
.p7s                   application/pkcs7-signature
.eps                   application/postscript
.setreg                application/set-registration-initiation
.xlm                   application/vnd.ms-excel
.p7b                   application/x-pkcs7-certificates
.cpio                  application/x-cpio
.dvi                   application/x-dvi
.doc                   application/msword
.dot                   application/msword
.p7c                   application/pkcs7-mime
.ps                    application/postscript
.wps                   application/vnd.ms-works
.csh                   application/x-csh
.iii                   application/x-iphone
.pmw                   application/x-perfmon
.man                   application/x-troff-man
.hdf                   application/x-hdf
.mvb                   application/x-msmediaview
.texi                  application/x-texinfo
.setpay                application/set-payment-initiation
.stl                   application/vndms-pkistl
.mdb                   application/x-msaccess
.oda                   application/oda
.hlp                   application/winhlp
.nc                    application/x-netcdf
.sh                    application/x-sh
.shar                  application/x-shar
.tcl                   application/x-tcl
.ms                    application/x-troff-ms
.ods                   application/oleobject
.axs                   application/olescript
.xla                   application/vnd.ms-excel
.mpp                   application/vnd.ms-project
.dir                   application/x-director
.sit                   application/x-stuffit
.*                     application/octet-stream
.crl                   application/pkix-crl
.ai                    application/postscript
.xls                   application/vnd.ms-excel
.wks                   application/vnd.ms-works
.ins                   application/x-internet-signup
.pub                   application/x-mspublisher
.wri                   application/x-mswrite
.spl                   application/futuresplash
.hqx                   application/mac-binhex40
.p10                   application/pkcs10
.xlc                   application/vnd.ms-excel
.xlt                   application/vnd.ms-excel
.dxr                   application/x-director
.js                    application/x-javascript
.m13                   application/x-msmediaview
.trm                   application/x-msterminal
.pml                   application/x-perfmon
.me                    application/x-troff-me
.wcm                   application/vnd.ms-works
.latex                 application/x-latex
.m14                   application/x-msmediaview
.wmf                   application/x-msmetafile
.cer                   application/x-x509-ca-cert
.zip                   application/x-zip-compressed
.p12                   application/x-pkcs12
.pfx                   application/x-pkcs12
.der                   application/x-x509-ca-cert
.pdf                   application/pdf
.xlw                   application/vnd.ms-excel
.texinfo               application/x-texinfo
.p7m                   application/pkcs7-mime
.pps                   application/vnd.ms-powerpoint
.dcr                   application/x-director
.gtar                  application/x-gtar
.sct                   text/scriptlet
.fif                   application/fractals
.exe                   application/octet-stream
.ppt                   application/vnd.ms-powerpoint
.sst                   application/vndms-pkicertstore
.pko                   application/vndms-pkipko
.scd                   application/x-msschedule
.tar                   application/x-tar
.roff                  application/x-troff
.t                     application/x-troff
.prf                   application/pics-rules
.rtf                   application/rtf
.pot                   application/vnd.ms-powerpoint
.wdb                   application/vnd.ms-works
.bcpio                 application/x-bcpio
.dll                   application/x-msdownload
.pma                   application/x-perfmon
.pmr                   application/x-perfmon
.tr                    application/x-troff
.src                   application/x-wais-source
.acx                   application/internet-property-stream
.cat                   application/vndms-pkiseccat
.cdf                   application/x-cdf
.tgz                   application/x-compressed
.sv4cpio               application/x-sv4cpio
.tex                   application/x-tex
.ustar                 application/x-ustar
.crt                   application/x-x509-ca-cert
.ra                    audio/x-pn-realaudio
.mid                   audio/mid
.au                    audio/basic
.snd                   audio/basic
.wav                   audio/wav
.aifc                  audio/aiff
.m3u                   audio/x-mpegurl
.ram                   audio/x-pn-realaudio
.aiff                  audio/aiff
.rmi                   audio/mid
.aif                   audio/x-aiff
.mp3                   audio/mpeg
.gz                    application/x-gzip
.z                     application/x-compress
.tsv                   text/tab-separated-values
.xml                   text/xml
.323                   text/h323
.htt                   text/webviewhtml
.stm                   text/html
.html                  text/html
.xsl                   text/xml
.htm                   text/html
.cod                   image/cis-cod
.ief                   image/ief
.pbm                   image/x-portable-bitmap
.tiff                  image/tiff
.ppm                   image/x-portable-pixmap
.rgb                   image/x-rgb
.dib                   image/bmp
.jpeg                  image/jpeg
.cmx                   image/x-cmx
.pnm                   image/x-portable-anymap
.jpe                   image/jpeg
.jfif                  image/pjpeg
.tif                   image/tiff
.jpg                   image/jpeg
.xbm                   image/x-xbitmap
.ras                   image/x-cmu-raster
.gif                   image/gif