1

Enabling Secure InternetAccess with ISA Server

2

What Is Secure Access to Internet Resources?

• Users can access the resources that they need.

• The connection to the Internet is secure.• The data that users transfer to and from the

Internet is secure.• Users cannot download malicious programs

from the Internet.

3

How ISA Server Enables Secure Access to Internet Resources

• Implementing ISA Server as a firewall• Implementing ISA Server as a proxy server.• Using ISA Server to implement the

organization’s Internet usage policy

4

What is a Proxy Server?

• A proxy server is a server that is situated between a client application

• All client requests are sent to the proxy server• A proxy server can provide enhanced security

and performance for Internet connections.

5

Configuring ISA Server as a Proxy Server

• User authentication• Filtering client requests• Content inspection• Logging user access• Hiding the internal network details

6

How Proxy Servers Work?• Proxy servers can be used to secure both

inbound and outbound Internet access.• Forward Proxy Server: a proxy server is used

to secure outbound Internet access• Reverse proxy server: a proxy server is used

to secure inbound Internet access

Reverse Proxy Server

Forward Proxy Server

7

How Does a Forward Proxy Server Work?

Web Server

Client makes a request for an object located

on Internet

Client makes a request for an object located

on Internet

The request is sent to the proxy server

Check the request

Check the request

Send the request to Internet

Web server response is sent back to the proxy server.

The object is returned to the client

8

How Does a Reverse Proxy Server Work?

send the request to the appropriate server on internal network

resolve to the IP

address

resolve to the IP

address

make a request for an object on Internal

The object is returned to the client

Web server response is sent back to the proxy server

DNS ServerDNS Server

sends the request for the object

Check the request

Check the request

ISA SERVERISA SERVER

Web ServerWeb ServerClientClient

9

Web Proxy Chaining

• Use to forward Web Proxy connections from one ISA firewall to another ISA firewall

10

Configuring Web Chaining Rule

11

ISA firewall’s Access Policy

• Web Publishing Rules• Server Publishing Rules• Access RulesWeb Publishing Rules and Server Publishing

Rules are used to allow inbound accessAccess Rules are used to control outbound

access.

12

Access Rule Elements

• Protocols• User Sets• Content Types• Schedules• Network Objects

13

Protocols

• Protocol Type• Direction• Port range• Protocol number• ICMP properties• (Optional) Secondary connections

14

User Sets

• All Authenticated Users• All Users• System and Network Service

15

Configuring ISA Server Authentication

• Basic authentication• Digest authentication• Integrated Windows authentication• Digital certificates authentication• Remote Authentication Dial-In User Service

16

Content Types• Application• Application data files• Audio• Compressed files• Documents• HTML documents• Images• Macro documents• Text• Video• VRML

17

Schedules and Network Objects

Schedules:• Work Hours• Weekends• AlwaysNetwork Objects: used to control the source

and destination of connections moving through the ISA firewall.

18

Configuring Access Rules for OutboundAccess

• By default, ISA Server denies all network traffic between networks connected to the ISA Server computer.

19

Configuring Access Rules for OutboundAccess

20

The Rule Action Page

• Allow• Deny

21

The Protocols Page

• All outbound traffic• Selected protocols• All outbound traffic except selected

22

The Access Rule Sources Page

23

The Access Rule Sources Page

24

The Access Rule Destinations Page

25

The User Sets Page

26

Access Rule Properties

• The General tab• The Action tab• The Protocols tab• The From tab• The Users tab• The Schedule tab• The Content Types tab