Note: The schedule will be applied only to new connections. If users has connected before the schedule expires, the user’s connection will not be dropped.

You may notice that this scheduling option isn’t appear when you use New Access Rule Wizard, the schedule will be set to Always (24/7) by default. There are also two other pre-configured schedules: Weekends, 00:00-24:00 (Sat,Sun) and Work hours, 9:00 – 17:00 (M-F). You can also create your custom schedule time if you don’t like these pre-configured schedules.

Next, I show an example of how to configure schedule on an access rule, that allow access to the Internet, to active only in 8:00 – 18:00 (M-F). There isn’t any pre-configured schedule for this time period so I will create a new one.

Step-by-step

1. Currently, I have two access rules on this example: Allow Internet access and Default rule. I’m going to configure schedule for the upper rule. Right-click on the access rule and select Properties.
   Note: You can’t change configuration on the default rule.
   
2. Click on Schedule tab. You see the current schedule is set to Always (default value). I want to create a new one so click New button.
   Note: You can set schedule to others if you have ones by click on the drop down list on Schedule.
   
3. On New Schedule, type name and description of the schedule that you want and set activation time for this schedule. To change the activation time between active or inactive, select range that you want to change and click on the radio buttons at the bottom (Active or Inactive), color on the range that you’ve selected will change accordingly. On this example, I named it ‘Customized work hours‘ and set the activation times as 8:00 – 16:00 (Monday – Friday). Then, click OK.
   
4. You see that condition on the access rule has been changed. The ‘Customized work hours‘ has been added to the rule.
   
5. Apply the configuration.
   

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout This article is one of the series of Getting started...
2. Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology Network Topology From Part I, you have finished install ISA...
3. Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type Introduction After completed part III, you have done basic configurations...

If you are using ISA Server 2006 in an organization, you might want to customize these error messages to be more specific for your organization. For example, include your company logo, explain why users cannot access the request web page, provide help-desk’s contact information if user need more information, etc. These error messages are kept as .htm files in directory ErrorHtmls in the ISA Server installation directory. So the default location is “C:\Program Files\Microsoft ISA Server\ErrorHtmls“. The following syntax is used to identify the files:

• For internal clients, the files are named Error_number.htm.
• For external clients, the files are named Error_numberR.htm (where R indicates reverse).

On this article, I will show how to create a new HTML error message from the default error message and customize it. The error message that I will customize is code 12202: The ISA Server denied the specified Uniform Resource Locator (URL) which occurs when ISA Server blocks a request from client.

Step-by-step

1. On ISA Server 2006, open folder to ErrorHtmls where the error messages are located. The default location is “C:\Program Files\Microsoft ISA Server\ErrorHtmls“. You will see that there is no error message for code 12202 yet so I will create a new one.
   Note: You should backup the original file if you are going to edit an existing error message so that if there is something wrong, you still have a backup.
2. Duplicate the file default.htm (by copy and paste on the current directory) and rename it to 12202.htm
   
3. Open the file 12202.htm with WordPad. You see HTML code which is the default error message.
   Note: You can use other HTML editor as you want.
   
4. On this example, I modify only some text message between <BODY>…</BODY> tag and leave page’s style as default. Then, save the file.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61

   <body bgColor=#f3f3ed> <table cellSpacing=0 cellPadding=0 width="100%"> <tbody> <tr> <td class=titleborder_x width=30> <table height=25 cellSpacing=2 cellPadding=0 width=25 bgColor=black> <tbody> <tr> <td class=x vAlign=center align=middle>X</td> </tr> </tbody> </table> </td> <td class=titleBorder id=L_default_2>Network Access Message:<span class=TitleDescription> The page cannot be displayed</span> </td> </tr> </tbody> </table>   <table id=spacer> <tbody> <tr> <td height=10></td></tr></tbody></table> <table width=400> <tbody> <tr> <td noWrap width=25></td> <td width=400><span class=explain><id id=L_default_3><b>Explanation:</b></id></span><id id=L_default_4> You are not authorized to view this page. Please check if you have enough permission to access the page.</id><br /><br />   <id id=L_default_9>If you need more information, please contact our IT personnel. <br /> Tel: 123-4567 <br /> Mobile: 0900-111-2222 <br /> E-mail: support@yourcompany.com.</id> <br /><br /> </td> </tr> </tbody> </table>   <table id=spacer><tbody><tr><td height=15></td></tr></tbody></table>   <table width=400> <tbody> <tr> <td noWrap width=25></td> <td width=400 id=L_default_10><b>Technical Information (for support personnel)</b> <ul class=adminList> <li id=L_default_11>Error Code: [ERRORNUM]. [ERRORTEXT]([SPECIFICERRORNUM]) </li><li id=L_default_12>IP Address: [IPADDRESS] </li><li id=L_default_13>Date: [TIMESTAMP] </li><li id=L_default_14>Server: [SERVERNAME] </li><li id=L_default_15>Source: [SOURCE]   </li></ul> </td> </tr> </tbody> </table>   </body>

5. To make changes effect, you need to restart the firewall service. Open Services console and restart Microsoft Firewall.
   Note: You can also restart the firewall service from ISA Server Management -> Monitoring -> Services -> right-click on Microsoft Firewall and select Stop and then select Start.
   
6. That’s it. Now if client try browse to an unauthorized web site, a new customized error message will be shown.
   

Reference

• How to Customize HTML Error Messages in ISA Server 2006

No related posts.

On ISA Server, there is a Domain Name Set object which you can use to control access to a website. For example, if you don’t want users to access google.com, you create a Domain Name Set object with value *.google.com and add it to denied rule. This will blocks users from access entire google.com including its sub-domains such as maps.google, video.google, etc. Domain Name Set is applied to all clients type and all protocols which means it support SecureNAT, Web Proxy or Firewall client types and applied to any protocols that define in the rule.

This article show you how to create a denied access rule to restricted users from internal network to access some restricted websites such as facebook.com, myspace.com, hi5.com by using Domain Name Sets.

If you are new to ISA Server, I first recommend you read this series – Getting started with Microsoft ISA Server 2006.

Step-by-step

1. Suppose that I have already configured these access rule which allow DNS query and allow Internet access for all clients on the Internal network.
   
2. Now I will create a new access rule to block some websites. Let’s name the rule as ‘Restricted WebSites‘.
   
3. On Rule Action, select Deny and click Next.
   
4. On Protocols, select All outbound traffic. Click Next.
   
5. On Access Rule Sources, add Internal to the sources. Click Next.
   
6. On Access Rule Destinations, I will create a new Domain Name Set’s object which contains a list of websites that I want to block. Click Add.
   
7. On Add New Entities, select New -> Domain Name Set from drop-down menu.
   
8. On New Domain Name Set Policy Element, set name to ‘Restricted WebSites‘ and add these websites to this set.
   • *.facebook.com
   • *.myspace.com
   • *.hi5.com

   Then, click OK.
   Note: By adding ‘*‘ in front of the website name, it will include any sub-domain name of that website.
   

9. You will see a new Domain Name Set’s object has been created.
   
10. Add the ‘Restricted WebSites‘ object to the Access Rule Destinations and click Next.
    
11. On User Sets, click Next.
    
12. On Completing the New Access Rule Wizard, click Finish.
    
13. Click Apply to save changes and update the configuration.
    Note: Makes sure that the new access rule that you have created is on top or higher than the allow Internet access’s rule.
    
14. These are completed access rules on this example.
    
15. Let’s try to access www.facebook.com with SecureNAT’s client. Here is the result.
    
16. Let’s try to access www.facebook.com with Web Proxy’s client. Here is the result.
    
17. This is the log while access the blocked website.
    

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger This article is one of the series of Getting started...

Block Windows Live Messenger

From Part 11: HTTP Filtering, you learn about HTTP filtering concept. Now let’s apply it with a real world example, Windows Live Messenger. On this post, I show you how to block Windows Live Messenger on ISA Server 2006.

Windows Live Messenger is a popular instant messaging application, many people using it regularly. But sometimes, people use it at work place and unintentionally receive a file containing virus. Then, they execute it, so the virus spread on the network. Therefore, it is a task of an IT staff to secure the system and prevent this issue. The best and effective solution is to enforce strictly firewall policy. But sometimes, you cannot do that. For example, users on research department want access to any websites (HTTP) because they do not know what websites they want to access until they need. Then, you have to create an access rule to allow HTTP to from Internal to External for these users. Now they can use Windows Live Messenger because Windows Live Messenger communicates with its servers through either of these ports:

• MSN Messenger protocol (TCP: 1863).
• HTTP protocol (TCP: 80).

If you block only MSN Messenger protocol, users still can use Windows Live Messenger through HTTP protocol. Now what should you do? Block HTTP protocol? Doing that will also block users to access websites so you cannot do that. Here it comes, HTTP filtering. You can block only Windows Live Messenger on ISA Server without blocking the HTTP protocol if you know the signature. HTTP header is also the signature.

So what is the signature of Windows Live Messenger? I have sniffed HTTP packets while I signing to Windows Live Messenger. Here are the signature and protocol port of Windows Live Messenger:

• The client communicates with the server of Windows Live Messenger using TCP outbound port 1863.
  
• While the client requesting information from the server (request header), one signature of it is User-Agent: Windows Live Messenger.
  

Now I show you how to configure to block Windows Live Messenger on ISA Server 2006.

Step-by-step

1. Create an access rule to block TCP outbound port 1863. ISA Server 2006 already has pre-defined this port as MSN Messenger protocol. I am not going to show detail steps on creating an access rule. You can review them at Part 7: Create DNS Lookup Rule and Part 8: Create Web Access Rule.
   • Rule Name: Block Windows Live Messenger
   • Action: Deny
   • Protocol: MSN Messenger
   • From: Internal
   • To: External
   • Condition: All Users

   

2. Next, configure HTTP filtering to block the signature of Windows Live Messenger. Right click on “Allow HTTP, HTTPS for Linglom” and select Configure HTTP.
   Note: This menu option available on an access rule that contains HTTP protocol only.
   
3. On Configure HTTP policy for rule, click on Signatures tab and click Add.
   
4. On Signature, enter these information below to block Windows Live Messenger and then click OK.
   • Name: Blocks Windows Live Messenger or any name as you want.
   • Search in: Request headers
   • HTTP header: User-Agent:
   • Signature: Windows Live Messenger

   Note: Don’t forget semi-colon (:) after User-Agent text.
   

5. Back to Configure HTTP policy for rule, you see the signature has been created for this rule. You also can disable the signature by un-check it. On this example, leave it as checked to enable the signature. Click OK.
   
6. Don’t forget to click Apply to update the configuration.
   
7. Let’s try to sign in Windows Live Messenger on the client computer, you see that I cannot sign in any more.
   

Summary

Now You have reach the end of Getting started with Microsoft ISA Server 2006 series. This series contains 12 parts: it gives you an introduction of ISA Server 2006, how to install and configure ISA Server 2006 on simple environment, how to create an access rule, and how to use some useful features on ISA Server 2006. I hope you get what you want on this series. If you have any comment or suggestion, feel free to leave it below.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter Have you ever need to block users using MSN or...
2. Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering This article is one of the series of Getting started...
3. Getting started with Microsoft ISA Server 2006, Part 1: Introduction Introduction Microsoft Internet Security and Acceleration Server (ISA Server) is...

HTTP Filtering

From Part 10: Logging, you learn how to configure and use logging on ISA Server 2006. Now, you will learn about HTTP filtering.

Have you ever want to block users using MSN or Yahoo messenger, or deny them to using free email services, or block them to post anything on web boards, or block them to use bit-torrent to download files? This post will answer these questions with Microsoft ISA Server 2006.

HTTP traffic is a data packet using HTTP protocol on the network which is used by most applications. On each packet of HTTP traffic, there is a header which contains information about server and client that are communicating each other at the time. These header information are such as:

• Request Methods. For example, GET, POST, CONNECT.
• User-Agent, such as Mozilla/4.0, Mozilla/5.0, Firefox
• Content-Type. The mime type of the body of the request, such as application/x-www-form-urlencoded, application/xml, image/jpeg, text/xml.
• Host. The domain name of the server, for example, www.bing.com, www.linglom.com.

For more information about HTTP, see these links from wiki.org:

• Hypertext Transfer Protocol
• Lists of HTTP headers

So why learn about these HTTP headers? You can use these HTTP headers information to block or allow specific application on ISA Server 2006. Still not get it? Let’s see some examples of real HTTP traffic.

You can use some sniffer program to capture data packets that pass in/out through a network interface card on a computer. On this example, I use Ethereal. I install it on the same server as ISA Server 2006 but you can install and test on any computer as you want. Then, I start capturing packets on the network interface card that connects to the Internet and browse to http://www.bing.com using Internet Explorer.

After that, I see these HTTP traffics on ethereal. First, My computer sends a HTTP request to the web server (www.bing.com).
Detail: Request Method is GET. User-Agent is Mozilla/4.0 (compatible: MSIE 6.0). HOST is www.bing.com.

Second, the web server has send HTTP response back to the client. The response packet looks similar as the figure below.
Detail: Response Code is 200 (OK). Content-Type is text/html.

What’s Next?

Now you learn some concepts about HTTP and its header. Next, I will show how to use these information to block Windows Live Messenger on ISA Server 2006. See Part 12: Block Windows Live Messenger.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter Have you ever need to block users using MSN or...
2. Getting started with Microsoft ISA Server 2006, Part 1: Introduction Introduction Microsoft Internet Security and Acceleration Server (ISA Server) is...
3. Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger This article is one of the series of Getting started...

Logging

From Part 9: Client Configuration, you learn how to configure a client computer. On this post, I will show how to use logging to observe usage which is a feature on ISA Server 2006 which keeps track any usage on ISA Server 2006.

When there is a communication between networks (Internal, External, Localhost, etc.) on the ISA Server, it will generate log. The log shows the log time, source IP address, destination IP address and port, action, rule applied to, etc. You can configure what fields that you want to log. There are three log storage formats supported on ISA Server 2006: MSDE database, SQL database and file.

The benefits of logging:

• Track usage on certain users, groups.
• Troubleshoot issues on the ISA Server.
• Keep as Internet access log. In some countries, it is require to keep the Internet access log in order to comply with the law.

Step-by-step

Logging Configuration

Actually, there is no need to configure logging on ISA Server 2006 because the configuration works great on default settings already.

1. Open Logging by expand Arrays -> BKKISA001 -> Monitoring. Click on Logging tab.
   
2. To configure firewall logging, select Tasks -> Configure Firewall Logging.
   Note: You also can configure web proxy logging by click on Configure Web Proxy Logging. The configuration is the same as firewall logging so I will not repeat it.
   
3. On Firewall Logging Properties, you can choose to keep log on MSDE, SQL Server or a file. The default configuration is MSDE database and the default location is C:\Program Files\Microsoft ISA Server\ISALogs. Let’s click on Options next to MSDE database to see what can be configured for MSDE database.
   
4. On Options, you see that you can change location to store the log files and the log file storage limitation. You can limit the size of log files, maintain disk space by deleting the older log files or discard new entries and whether you want to delete log files after period of time.
   
5. Back to Firewall Logging Properties, there is another tab, Fields. Here you can customize which fields you want to keep or discard on log files. Normally, you don’t have to modify these configuration. It works perfect by default.
   

Observe Logging

1. On Logging, click on Start Query.
   
2. Generate some traffic by access the Internet on the client computer. Open web browser and browse to www.google.com.
   
3. Now you see some logs on the ISA Server 2006.
   
4. You can filter logging on ISA Server 2006 by click on Edit Filter.
   
5. On Edit Filter, modify columns and conditions as you want. Then, click Start Query.
   
6. This is an example of the filtered logs on ISA Server 2006.
   

What’s Next?

Now you learn how to observe logging on ISA Server 2006. It is a useful feature which allow you to troubleshoot issues most of the time. Next, I will show more advance topic, HTTP filtering. See Part 11: HTTP Filtering.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 1: Introduction Introduction Microsoft Internet Security and Acceleration Server (ISA Server) is...
2. Getting started with Microsoft ISA Server 2006, Part 3: Installation This article is one of the series of Getting started...
3. Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering This article is one of the series of Getting started...

Client Configuration

From Part 8: Create Sample Access Rule, you have created an access rule on ISA Server 2006. Now, it is time to configure the client computer. There are three types of client that you can choose: SecureNAT, Firewall client and Web Proxy. Each type has a different features, see the table below for the comparison.

On this example, I configure the client computer as firewall client type. But you will see how to configure all types of client.

Section

• Client Types
• SecureNAT client
• Firewall client
• Web Proxy client

Client Types

The table below compares the ISA Server clients.

Back to top

SecureNAT client

1. To configure client as SecureNAT client type, set the default gateway of the network interface card on client to the ISA Server.
   
2. If you are using DHCP, you can configure by add Router scope option to the ISA Server.
   

Back to top

Firewall client

1. Download Firewall Client for ISA Server from Microsoft.
2. Install Microsoft Firewall Client on the client computer.
   
3. On ISA Server Computer Selection, select Connect to this ISA Server computer and type the ISA Server host name.
   
4. After the installation completes, you will see the firewall client’s icon on the task bar.
   
5. You can view and modify configuration by double-click on the icon and select Settings tab. Also, you can click on Apply Default Settings Now for other users on this computer can use this configuration.
   

Back to top

Web Proxy client

1. Open your web browser. On this example, I use Internet Explorer.
2. On Menu bar, Click on Tools -> Internet Options.
   
3. On Internet Options, Select Connections tab and click on LAN settings.
   
4. On Local Area Network (LAN) Settings, check the box Use a proxy server for your LAN and type the ISA Server address and port.
   

Back to top

What’s Next

Now I have done the basic configuration on both ISA Server 2006 and the client computer. Next, it is time to test accessing the Internet from the client through the ISA Server. See Part 10: Logging.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type Introduction After completed part III, you have done basic configurations...
2. Getting started with Microsoft ISA Server 2006, Part 1: Introduction Introduction Microsoft Internet Security and Acceleration Server (ISA Server) is...
3. Getting started with Microsoft ISA Server 2006, Part 10: Logging This article is one of the series of Getting started...

Create Firewall Policy Rule

From Part 7: Create DNS Lookup Rule, you have create an access rule to allow DNS look up from the internal network to the external DNS addresses. But you do not have any web access rule for users. So now, I will show how to create an access rule on ISA Server 2006 to allow HTTP and HTTPS protocols for a user to access the Internet.

Step-by-step

1. On ISA Server Management, open Firewall Policy by expand Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
   
2. On Firewall Policy, select Tasks and click on Create Access Rule.
   
3. On Welcome to the New Access Rule Wizard, type a name for the access rule. On this example, I type “Allow HTTP, HTTPS for Linglom” and click Next.
   
4. On Rule Action, select Allow and click Next.
   
5. On Protocols, you have to choose which protocols will be applied to this rule.
   • Select Selected protocols and click Add.
     
   • On Add Protocols, expand Common Protocols and double-click on HTTP and HTTPS. Then, click Close and click Next to continue.
     
6. On Access Rule Sources, select the source network for this rule.
   • Click Add.
     
   • On Add Network Entities, expand Network and double-click on Internal. Click Close and click Next to continue.
     
7. On Access Rule Destinations, do the same as the previous step but select External network as a destination.
   
8. On User Sets, you have to select which users and groups are applied to this access rule. On this example, I want this rule apply to only a domain user account – linglom.
   • Remove All Users by click on Remove and add a new User Sets by click Add.
     
   • On Add Users, you see existing user sets available. There is no user set that I want so I will create a new one. Click New.
     
   • On Welcome to the New User Set Wizard, type the name of a new user set that you want and click Next.
     
   • On Users, click Add -> Windows users and groups.
     
   • On Select Users or Groups, select the users or groups that you want to add to this new user set. On this example, I select the domain user – linglom. Then, click OK.
     
   • You see that the user has been added to a new user set. Click Next.
     
   • On Completing the New User Set Wizard, click Finish.
     
   • A new user set is created. The, select on it and click Add to add the new user set to this rule.
     
   • Now the user set is added to the rule. So this rule will be apply to only this user – Linglom. Click Next.
     
9. On Completing the New Access Rule Wizard, click Finish.
   
10. Don’t forget to save the changes that you have made by click on Apply at the top.
    
11. The changes have been saved. Click OK.
    
12. Now you see the rule that you have created.
    

What’s Next

You have some access rules on ISA Server 2006. That’s it for the basic configuration on the sever. Next, I will start configure client to access the Internet through ISA Server 2006. See Part 9: Client Configuration.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule Firewall Policy From part II, you have configured Network Topology....
2. Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule This article is one of the series of Getting started...
3. Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger This article is one of the series of Getting started...

Create DNS Lookup Rule

From Part 6: Configure Network Layout, you have configured network environment of the ISA Server 2006. Now let’s create some access rules on ISA Server 2006.

On this example, I have internal and external DNS servers as I have shown the network diagram in Part 2: Environment Setup. The internal DNS server should work fine since it is on the same network with clients – the Internal network. But the external DNS servers (or my ISP’s DNS servers) are on the external network. And currently, ISA Server 2006 blocks all network access so clients from the internal network cannot request any DNS look up from the external DNS servers. This would be a problem if some clients want to use the Internet. Therefore, I will create an access rule to allow DNS look up for clients on the internal network to the external DNS servers. The external DNS servers are 203.144.255.71 and 203.144.255.72.

Step-by-step

1. On ISA Server Management, open Firewall Policy by expand Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
   
2. Create a new access rule by click on Tasks tab -> Create Access Rule.
   
3. On Welcome to the New Access Rule Wizard, type the access rule name. On this example, I type “Allow DNS Lookup” and click Next.
   
4. On Rule Action, you can select allow or deny on this rule. Select Allow and click Next.
   
5. On Protocols, you can select the protocols this rule applied to.
   • Choose Select protocols from a drop down menu and click Add.
     
   • On Add Protocols, expand Common Protocols and double-click on DNS. Click Close.
     
   • Back to Protocols, now the DNS protocol is added to the rule. Click Next.
     
6. On Access Rule Sources, you can specify source networks for this rule.
   • Click Add.
     
   • On Add Network Entities, expand Networks and double-click on Internal. Click Close.
     
   • Back to Access Rule Sources, now the Internal network is added as access rule source. Click Next.
     
7. On Access Rule Destination, you can specify destination networks for this rule.
   • Click Add.
     
   • On Add Network Entities, click on New -> Address Range.
     
   • On New Address Range Rule Element, type the name and specify the IP address range. On this example, I name it as “External DNS Addresses” and the IP address range is 203.144.255.71 to 203.144.255.72. Click OK.
     
   • Back to Add Network Entities, there is a new address range that I have just created so double-click on it to add to the rule and click Close.
     
   • Back to Access Rule Destination, now the “External DNS Addresses” is added to the rule as access rule destination. Click Next.
     
8. On User Sets, you can specify the user sets for the rule. On this example, I leave it as All Users and click Next.
   
9. On Completing the New Access Rule Wizard, click Finish.
   
10. To save changes that you have made, you must click on Apply.
    
11. On Saving Configuration Changes, click OK.
    
12. Now you have completed create an access rule to allow DNS look up from internal network to the external DNS server.
    

What’s Next?

You have created your first access rule for DNS look up. Now clients will be able to resolve name on the Internet. But there is no access rule for Internet access yet. So next, I will create another access rule for clients to access the Internet. See Part 8: Create Web Access Rule.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule This article is one of the series of Getting started...
2. Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule Firewall Policy From part II, you have configured Network Topology....
3. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout This article is one of the series of Getting started...

Configure Network Layout

From Part 5: Network Layout Concept, you learn about network templates. On this post, I will show how to configure networking environment of the ISA Server 2006 using edge firewall template which is the most suitable template for this example. You can see the network diagram of the example on Part 2: Environment Setup.

Step-by-step

1. Open ISA Server Management by click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
   
2. On Microsoft Internet Security and Acceleration Server 2006, expand Arrays -> BKKISA001 -> Configuration -> Networks.
   
3. Select Templates tab and click on the Edge Firewall template.
   
4. A Network Template Wizard window appears, click Next to continue.
   
5. On Export the ISA Server Configuration, you can click on Export button to backup your current ISA Server configuration. But this is the first time configuration so there is no need to backup anything.
   
6. On Internal Network IP Addresses, verify if the IP address ranges are correct. My internal network is 192.168.10.0/24 so the existing range is correct. Click Next.
   
7. On Select a Firewall Policy, you can choose a pre-defined firewall policy which will be applied to the network specified in this template. On this example, I select Block all. I will create firewall rules manually on the next part.
   Note: On edge firewall template, there are five predefined firewall policies which are:
   1. Block all
      Block all network access through ISA Server. This option does not create any access rules other than the default rule which blocks all access.
      Use this option when you want to define firewall policy on your own.
   2. Block Internet access, allow access to ISP network services
      Block all network access through ISA Server, except for access to network services, such as DNS. This option is useful when these services are provided by your Internet Service Provider (ISP).
      Use this option when you want to define firewall policy on your own.

      The following access rules will be created:

      • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
   3. Allow limited Web access
      Allow Web access using HTTP, HTTPS, FTP, only. Block all other network access.

      The following access rules will be created:

      • Allow HTTP, HTTPS, FTP from Internal Network to External Network.
      • Allow all protocols from VPN Clients Network to Internal Network.
   4. Allow limited Web access and access to ISP network services.
      Allow limited Web access using HTTP, HTTPS, and FTP, and allows access to ISP network services, such as DNS. Block all other network access.
      The following access rules will be created:
      • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow all protocols from VPN Clients Network to Internal Network.
   5. Allow unrestricted access
      Allow unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet.

      The following access rules will be created:

      • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow all protocols from VPN Clients Network to Internal Network.

   

8. On Completing the Network Template Wizard, click Finish.
   
9. Then, you notice that there is a warning icon at the top of ISA Server Management. This means that the changes which you have made do not take effect yet. To update the configuration, click Apply.
   Note: If you want to undo changes that you have made, click Undo.
   
10. The changes have been saved.
    

What’s Next

You have configure networking environment for the ISA Server 2006. Next, let’s see how to create some access rules on ISA Server 2006. See Part 7: Create DNS Lookup Rule.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept This article is one of the series of Getting started...
2. Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology Network Topology From Part I, you have finished install ISA...
3. Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type Introduction After completed part III, you have done basic configurations...