Internet Security and Acceleration Server 2004: Additional Configuration Tasks

10/13/2010 9:26:55 AM
The steps completed to this point will perform a basic installation and configuration to get ISA 2004 up and running as a perimeter firewall and caching server, with internal clients having basic Web access. For most installations, that is only the starting point. Most installations will need to have additional tasks completed, including setting up VPN access, configuring monitoring, and configuring additional Firewall policies to expand and fine-tune the rules that control access. And, finally, many installations will need to have reverse proxy set up or have internal servers published that need to be securely reachable from the Internet.

Define VPN Access

One of the common tasks for ISA 2004 is setting up VPNs. And it’s something that ISA 2004 does really well. Frankly, as an old time network administrator, I was dreading having to write the VPN section because I remember what a colossal pain it was in the old days.

To define VPN access, follow these steps:

Open the ISA 2004 management console, and navigate to the Getting Started page.

Click Configure VPN Access to open the VPN Clients tab of the Virtual Private Networks (VPN) page, shown in Figure 1.

Figure 1. The main VPN Clients tab

Click Verify That VPN Client Access Is Enabled to open the VPN Clients Properties dialog box shown in Figure 2.

Figure 2. The VPN Clients Properties dialog box

Select the Enable VPN Client Access check box. Specify the maximum number of VPN clients that this ISA server will allow. The default is 100.

Click the Groups tab and then click Add to add the accounts you will allow to VPN in your network. Avoid specifying individual accounts; rather, create a specific security group that is allowed access, as shown in Figure 3.

Figure 3. Select the groups that will be allowed to use VPNs to connect to the network

Click the Protocols tab, and specify the VPN protocols you will support. The default is PPTP, but you can also use L2TP/IPSec for more secure access.

Click the User Mapping tab. If you will be using RADIUS to authenticate requests, you can simplify the configuration by setting a default Windows domain to use. For simple, Windows-managed VPN access that includes only Windows clients, you can leave User Mapping disabled.

Click OK to close the dialog box. Nothing has yet been actually enabled—we need to Apply the settings before they can take effect, and we’re not ready yet.

Click Remote Access Configuration to open the Virtual Private Networks (VPN) Properties dialog box shown in Figure 4.

Figure 4. The Virtual Private Networks properties dialog box of Remote Access Configuration

The defaults are for only External networks to use VPN access, DHCP on the Internal network for IP address assignment, MS-CHAPv2 authentication, and no RADIUS server. Click the appropriate tabs to make any changes necessary, and then click OK to close the dialog box.

Optional: Click View Firewall Policy For The VPN Clients Network to configure the Firewall Policy rules for VPN clients if you want to create special policies that apply only to your VPN clients.

Optional: Click View Network Rules to verify the network rules for incoming VPN clients and to set up any special network rules that only apply to VPN clients.

When you’ve configured all the settings, click Apply in the main ISA 2004 VPN Clients page, and the new configuration will be applied and VPN access will be enabled.

Set Up Monitoring

ISA 2004 provides a diverse set of monitoring tools. The main front end to the monitoring is the Dashboard, shown in Figure 5, which has a capsule summary of connectivity, services, reports, alerts, sessions, and the overall system performance all on a single page. The biggest weakness of the dashboard is that it’s read only. If you want more information or detail about a particular report, alert, and so on, you need to drill down to the tab related to the type of element it is. No double-clicking or right-clicking to get more information.

Figure 5. The Dashboard page

The default installation provides a good starting point to add any additional reports or monitoring you need for your environment. To add a new alert or report, change the filtering of sessions, or make other monitoring changes, click the tab in the center pane for the kind of monitoring you want to modify, and then click the Tasks tab in the rightmost pane. You’ll have context-sensitive choices that are appropriate to the kind of monitoring you’re configuring.

Publishing Servers (Reverse Proxy)

In addition to firewall and caching features, ISA 2004 also supports “reverse proxy.” Reverse proxy lets you keep your key network services inside your firewall perimeter while still making them available from the Web, thus protecting the servers. The two most common examples of doing this are an extranet Web server and your e-mail server. ISA 2004 makes it easy to publish the servers and services you need to make available while protecting the servers from attack.

To publish a mail server, follow these steps:

Open the ISA 2004 management console, and navigate to the Firewall Policy page.

On the tasks pane, click Publish A Mail Server to open the New Mail Server Publishing Rule Wizard.

Enter a name for the rule, and click Next to open the Select Access Type dialog box, shown in Figure 6.

Figure 6. The Select Access Type dialog box of the New Mail Server Publishing Rule Wizard

Select the type of access you’ll be providing to the mail server, and then click Next.


If you’ll be providing both direct POP3/IMAP4 access and OWA access, you need to run the wizard twice.

Select the services your e-mail server uses, and then click Next.

Specify the IP address of the server. This IP address will be on your internal network segment.

Click Next to open the IP Addresses dialog box shown in Figure 7.

Figure 7. The IP Addresses dialog box of the New Mail Server Publishing Rule Wizard

Specify the IP addresses that should have access to the server, and click Next.

Click Finish to close the wizard, and then click Apply on the main Firewall Policy page to actually implement the changes.

Additional Configuration

As we’ve seen, the initial setup and configuration of ISA 2004 in a basic configuration is fairly straightforward. Adding more features and specific rules and filters adds complexity, but doing this follows the same logic and steps as the basic configuration. We can’t begin to cover all the possibilities in a single chapter, but we want to highlight some typical configuration and management tasks. ISA 2004 has a logical consistency in the way it’s configured, and if you understand how to do one set of tasks in it, you’ll find it easy to extend that knowledge to additional tasks.

The Toolbox

The Toolbox is where you create, modify, and delete all the various elements that make up the policies of ISA 2004. You can find the Toolbox tab in the rightmost pane of the Firewall Policy section. The elements you can add, delete, or edit here include:

  • Protocols

  • Users

  • Content Types

  • Schedules

  • Network objects

By combining these elements, you can create the rules and policies that you need for your network.

Defining Network Entities

ISA 2004 has several predefined network entities, as we’ve seen in setting up our original access rule. But there might well be reasons you need to define additional entities. These might take the form of individual computers or specific subnets, and they can refer to either internal or external computers and networks.


Because there is no 64-bit firewall client, you can define special rules for your 64-bit computers, allowing you to provide special access rules that apply only to them. Once a 64-bit client is available, you should remove special rules for 64-bit computers and apply consistent policies across your client network.

To define a new network entity, follow these steps:

Open the ISA 2004 management console if it isn’t already open.

Click Firewall Policy in the leftmost pane.

Click the Toolbox tab, and expand the Network Objects panel, as shown in Figure 8.

Figure 8. The Toolbox tab, with the Network Objects panel expanded

Select the kind of object you want to create from the New menu, as shown in Figure 9. The kinds of network objects you can create are listed in Table 1.

Figure 9. Selecting a new computer object

Table 1. Network object types in ISA 2004

Object type: Description

Network: One or more contiguous ranges of IP addresses.

Network Set: One or more defined networks. Allows you to combine noncontiguous ranges of IP addresses into a logical grouping.

Computer: A single IP address. (Note: A computer object is defined by an IP address only and is not directly correlated to a computer name. If you’re using DHCP to distribute IP addresses, you should use a DHCP reservation if you need a specific computer to be defined for ISA purposes.)

Address Range: A single contiguous range of IP addresses.

Subnet: A single IP subnet (network ID and subnet mask).

Computer Set: One or more computers, address ranges, or subnets. Predefined computer sets in ISA 2004 are Anywhere, IPSec Remote Gateways, and Remote Management Computers.

Web Listeners: The addresses and ports on a network that will listen for Web requests.

URL Set: One or more URLs that can be used to define specific access rules.

Domain Name Set: Groups DNS domain names into a set. Specific firewall policies can then be applied to the set.

Fill in the wizard or dialog box necessary for the object type you’re creating. Figure 10 shows the dialog box for creating a computer object.

Figure 10. The New Computer Rule Element dialog box

Once the new network entity has been added, you can use it in rules to either permit or deny specific access to the entity.
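To make the distinctions in Table 1 concrete, here is an added Python model (not ISA code; ISA itself is configured through its console) of how the address-based network objects match a source IP and how ordered rules fall through to ISA’s Default rule, which denies everything no earlier rule matched. The objects and policy are constructed for illustration: the Computer object at 192.168.1.50 stands for the 64-bit-client scenario above, and a host that later leases 192.168.1.51 from DHCP shows why the table recommends a DHCP reservation for Computer objects.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPv4 = ipaddress.IPv4Address

@dataclass
class Computer:
    """Table 1 'Computer': a single IP address, not a host name."""
    address: str
    def contains(self, ip: IPv4) -> bool:
        return ip == IPv4(self.address)

@dataclass
class AddressRange:
    """Table 1 'Address Range': one contiguous, inclusive range."""
    first: str
    last: str
    def contains(self, ip: IPv4) -> bool:
        return IPv4(self.first) <= ip <= IPv4(self.last)

@dataclass
class Subnet:
    """Table 1 'Subnet': network ID plus mask, written in CIDR form."""
    cidr: str
    def contains(self, ip: IPv4) -> bool:
        return ip in ipaddress.IPv4Network(self.cidr, strict=False)

@dataclass
class ObjectSet:
    """Network, Network Set or Computer Set: the union of its members."""
    members: List[Union[Computer, AddressRange, Subnet, "ObjectSet"]]
    def contains(self, ip: IPv4) -> bool:
        return any(m.contains(ip) for m in self.members)

def evaluate(rules: List[Tuple[str, str, object]], source_ip: str) -> str:
    """Rules are (name, action, source); first match wins, then Default denies."""
    ip = IPv4(source_ip)
    for name, action, source in rules:
        if source.contains(ip):
            return f"{action} ({name})"
    return "Deny (Default rule)"

# Constructed sample policy (hypothetical values, not from the chapter's figures).
INTERNAL = ObjectSet([AddressRange("192.168.1.1", "192.168.1.254")])
X64_HOSTS = ObjectSet([Computer("192.168.1.50"), Subnet("192.168.2.0/24")])
POLICY = [("64-bit clients", "Allow", X64_HOSTS),
          ("Internal web access", "Allow", INTERNAL)]
```

Evaluating 192.168.1.50 hits the 64-bit rule, but the same machine on 192.168.1.51 only gets the generic internal rule, because the Computer object followed the address rather than the host.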

Defining Users

If your clients are running the ISA Firewall Client, you can manage access to and from the Internet by user and group, giving you much more flexibility and simplifying the maintenance of policies and access rules. Plus the user will have the correct level of access regardless of what computer she or he is logged on to.

To define a new set of users, follow these steps:

Open the ISA 2004 management console, and navigate to the Firewall Policy page.

Click the Toolbox tab in the leftmost pane, and expand the Users section. There are three sets of predefined users—All Authenticated Users, All Users, and System and Network Service.

Click New, and the New User Sets Wizard opens, as shown in Figure 11. Type a name for this set of users in the User Set Name field, and click Next.

Figure 11. The New User Sets Wizard

Click Add, and the choice of types of users to add opens, as shown in Figure 12.

Figure 12. ISA 2004 supports users of three very different types

Select the user type, and the users or groups of users you want to add. You can choose from multiple source types here. When you have added all the users you want, click Next.

Click Finish to close the wizard, and then Apply in the main Firewall Policy pane to implement the change.