Configuring Internal Client Access to Internal Resources in ISA Server 2004

Microsoft Internet Security and Acceleration Server 2004

Published: November 2, 2005

http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx?pf=true

Contents

Introduction
Controlling Traffic Between Internal Networks
  Publishing Access Rules
  Configuring Network Objects with NAT and Route Relationships
Setting Up Clients for Direct Access
  Enabling Firewall Clients for Direct Access
    Specifying Sites for Direct Access
    Configuring Web Browser Settings on Firewall Client Computers
  Enabling Web Proxy Clients for Direct Access
    Specifying Sites for Direct Access
    Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
Additional Information
  ISA Server Clients
  Resources

Introduction

Microsoft Internet Security and Acceleration (ISA) Server 2004 clients are computers located in networks protected by ISA Server. The clients go through the ISA Server computer to access resources in networks other than their own. ISA Server client requests for resources in the same local network should not go through ISA Server. The only exception is in a single network adapter environment, when ISA Server recognizes only the Internal network. The Internal network will then be both the source and destination network in access rules. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.

This document provides an overview of ISA Server client types, and best practices you should follow when creating access rules to control internal traffic. It also discusses several alternative approaches to making internal resources available to internal clients, including internal server publishing, and setting up clients for direct access. This document includes the following sections:

  • Overview of ISA Server network design and how access rules should be configured to allow internal client access to internal resources.
  • Considerations for using publishing rules or access rules to allow clients to access internal resources. Tips on allowing both route and network address translation (NAT) relationships between network objects.
  • How to set up clients for direct access.

For a summary of ISA Server client types, see ISA Server Clients later in this document.

Controlling Traffic Between Internal Networks

ISA Server 2004 uses access rules and publishing rules to define how traffic is allowed to flow between your organization's internal networks, and between internal and external networks. When creating access rules, you use ISA Server network objects to specify a source and destination in the rule. Network objects can be:

  • Networks that typically correspond to your physical network infrastructure.
  • Network sets that group networks together.
  • A single computer.
  • A computer set.
  • A subnet.
  • An address range of contiguous IP addresses, a set of URLs, or a domain set.

You define network rules to specify whether network objects can communicate, and whether a network address translation (NAT) or route relationship should be applied to traffic flowing between the network objects. To learn more about configuring network objects and network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the Microsoft TechNet Web site.

When creating access rules to control traffic flowing between your internal networks protected by ISA Server, use the following guidelines:

  • ISA Server is designed so that communication between different networks traverses ISA Server. It is not intended that clients on a specific network go through ISA Server to access resources on the same network. Such a configuration is known as looping back through the ISA Server computer. Using ISA Server like this may reduce the performance of the ISA Server computer, and may cause Domain Name System (DNS) configuration issues when internal clients try to access internal resources through an external interface.
  • Because ISA Server is not designed to link traffic between resources on the same network, you cannot use a network to specify the source or destination in an access rule you create to control communication between two hosts in the same network. In such a scenario, there are several alternatives:
      • You can use network objects such as computers, subnets, and address ranges to control traffic between such hosts. For example, if your Internal network definition consists of 172.16.10.0/24, and includes a routed subnet with a 192.168.3.0/24 address range, you can create two different address sets from subsets of the Internal network Internet Protocol (IP) address ranges, and use these as source and destination in an access rule.
      • Where appropriate, use direct access for such host-to-host communications to ensure that requests between internal clients are not looped back through the ISA Server computer.

Publishing Access Rules

ISA Server access rules determine how clients on a source network can access resources on a destination network. They are generally used to give internal computers protected by ISA Server access to resources on external networks, or to control traffic between the Internal network and servers located in a perimeter network.

ISA Server publishing rules are most often used to allow external clients to access resources protected by ISA Server. For example, you may allow public access from the Internet to a Web server published with a Web publishing rule, or allow external access to a specific server using server publishing rules. Server publishing in a NAT relationship hides the actual address of the published server (a SecureNAT client), so that the user requesting the object sees the IP address of the ISA Server computer rather than the private IP address of the internal server being published.
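The guideline under Controlling Traffic Between Internal Networks, that a Network object cannot be the source or destination of a rule for traffic that stays inside that network, can be checked mechanically before a rule is saved. The following lint is an added example written for this page, not ISA Server code or output: it resolves each rule element to IP ranges, works out which ISA networks the two ends touch, and flags the looping-back case. The network definitions and rules are constructed; the Internal network ranges follow the page's 172.16.10.0/24 and 192.168.3.0/24 example, and the Perimeter range is assumed.

```javascript
// Added example, not from the ISA Server documentation: a lint for proposed access rules that
// flags the "looping back" case, where a Network object is the source or destination of traffic
// that never leaves that network. Network definitions and rules below are constructed.

// ISA Server defines a network as a list of IP address ranges (constructed definitions).
const NETWORKS = {
  Internal: [["172.16.10.0", "172.16.10.255"], ["192.168.3.0", "192.168.3.255"]],
  Perimeter: [["10.1.1.0", "10.1.1.255"]], // assumed perimeter network
};

function ip2int(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Subnet objects are entered as CIDR; convert to an inclusive [start, end] pair.
function cidrToRange(cidr) {
  const [ip, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(ip2int(ip) / size) * size;
  return [start, start + size - 1];
}

// Resolve a rule element (network, subnet, address range, computer) to address ranges.
function objectRanges(obj) {
  switch (obj.type) {
    case "network":
      return NETWORKS[obj.name].map(([a, b]) => [ip2int(a), ip2int(b)]);
    case "subnet":
      return [cidrToRange(obj.cidr)];
    case "addressRange":
      return [[ip2int(obj.start), ip2int(obj.end)]];
    case "computer":
      return [[ip2int(obj.ip), ip2int(obj.ip)]];
    default:
      throw new Error(`unsupported network object type: ${obj.type}`);
  }
}

// Names of the ISA networks that overlap any of the given ranges.
function networksTouched(ranges) {
  const hit = [];
  for (const [name, defs] of Object.entries(NETWORKS)) {
    const overlaps = defs.some(([a, b]) => {
      const lo = ip2int(a), hi = ip2int(b);
      return ranges.some(([s, e]) => s <= hi && e >= lo);
    });
    if (overlaps) hit.push(name);
  }
  return hit;
}

function lintRule(rule) {
  const fromNets = networksTouched(objectRanges(rule.from));
  const toNets = networksTouched(objectRanges(rule.to));
  const shared = fromNets.filter((n) => toNets.includes(n));
  if (shared.length === 0) {
    return { rule: rule.name, verdict: "ok", reason: "source and destination lie in different networks, so the traffic traverses ISA Server" };
  }
  if (rule.from.type === "network" || rule.to.type === "network") {
    return { rule: rule.name, verdict: "invalid", reason: `traffic within ${shared.join("/")} would loop back through ISA Server; a Network object cannot be the source or destination here. Use address ranges, subnets or computers, or give the clients direct access` };
  }
  return { rule: rule.name, verdict: "same-network", reason: `both ends are subsets of ${shared.join("/")}; the rule is valid, but prefer direct access so the traffic is not looped back` };
}

// Constructed rules for the page's scenario.
const RULES = [
  { name: "Internal to perimeter", from: { type: "network", name: "Internal" }, to: { type: "network", name: "Perimeter" } },
  { name: "Internal to routed subnet via Network object", from: { type: "network", name: "Internal" }, to: { type: "subnet", cidr: "192.168.3.0/24" } },
  { name: "Client range to routed subnet", from: { type: "addressRange", start: "172.16.10.0", end: "172.16.10.255" }, to: { type: "subnet", cidr: "192.168.3.0/24" } },
];

function lintAll(rules = RULES) {
  return rules.map(lintRule);
}

for (const r of lintAll()) console.log(`${r.verdict.padEnd(12)} ${r.rule}: ${r.reason}`);
```

The second rule is the one the page forbids: the Internal network as source with a subnet of that same network as destination. The third rule is the page's workaround, two address-range objects carved out of the Internal definition. The check does not apply to a single network adapter deployment, where the page notes that the Internal network is legitimately both source and destination.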

There are some circumstances in which you may consider giving internal clients access to resources in other networks by using a server publishing rule, rather than by means of an access rule permitting access using a specific protocol.

One common scenario is when you have a perimeter network defined, and you want to allow computers in the perimeter network to contact Internal network hosts, or to allow computers in the Internal network to contact hosts in the perimeter network. When choosing whether to use access rules or server publishing rules, consider the following:

  • A server publishing rule can only publish a single server.
  • Port translation can easily be performed with server publishing.
  • Some built-in application filters, such as the Simple Mail Transfer Protocol (SMTP) filter, are designed to work with server publishing rules, and not with access rules.
  • In a NAT relationship, you cannot use an access rule to permit access to a computer if that computer is a SecureNAT client. In this scenario, you must use a server publishing rule. If there is a route relationship, an access rule will work.
  • When using server publishing in a route relationship, the server publishing rule works like an access rule to allow access to the published server. Clients send requests directly to the IP address of the server being published, and not to the IP address of the ISA Server client-facing network interface.
  • If you are using Network Load Balancing (NLB), use server publishing rules in preference to access rules. Server publishing rules allow correct load balancing of traffic to the published server.
  • An access rule allowing Hypertext Transfer Protocol (HTTP) always uses NAT in both directions by default, even between networks with a route relationship.
  • If you choose to configure a route relationship rather than NAT between two separate networks, there is no loss in functionality using server publishing rules. Filters (for example SMTP, POP3, or DNS) should work as they would for server publishing rules across networks with a NAT relationship. Note that the H.323 filter does not support server publishing.

In the scenario described, there may be either of the following relationships between the perimeter network and the Internal network:

  • You have a route relationship between the perimeter network and the Internal network.
  • You have a NAT relationship between the perimeter network and the Internal network.

The following table summarizes how the use of access rules or server publishing rules is affected in a NAT or route network relationship.

Perimeter and internal relationship: NAT

  Control traffic with access rules:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
    Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
    Client source IP address is that of the ISA Server computer. For example, if a NAT relationship is defined from source Network_A to destination Network_B, the IP addresses of client computers on Network_A are replaced with the IP address of the network adapter connected to Network_B on the ISA Server computer. Packets from Network_B returned to clients on Network_A are not translated.

  Control traffic with server publishing rule:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
    Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
    Client source IP address is that of the ISA Server computer unless you configure the rule to forward the original client source IP address. Note that there is a difference between server publishing (where the default is to pass the client address) and Web publishing (where the default is to use the ISA Server internal address).

Perimeter and internal relationship: Route

  Control traffic with access rules:
    ISA Server listens on the IP address of the published server.
    Published server log shows original client source IP address.
    Note that if access rules allow HTTP traffic, this will go through the Web Proxy filter and be subject to NAT, even in a route relationship. To override this default behavior, disable the filter for the HTTP traffic. For more information, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.

  Control traffic with server publishing rule:
    ISA Server listens on the IP address of the published server.
    Clients should request the actual IP address of the published server.
    Use the From part of the server publishing rule to limit clients who can use the rule.

Configuring Network Objects with NAT and Route Relationships

There may be circumstances in which you want to set up network objects for both NAT and route relationships. For example:

  • Set up a NAT relationship between hosts in Network_A and hosts in Network_B.
  • Set up a route relationship between other hosts in Network_A and hosts in Network_B.

Do this as follows:

  1. Create a computer set (ComputerSet_1) for the computers in Network_A that require a route relationship with clients in Network_B. You could also use a different network object such as an IP address range or a computer.
  2. Create a computer set (ComputerSet_2) for the computers in Network_A that require a NAT relationship with clients in Network_B.
  3. Create a network rule with a route relationship. Specify ComputerSet_1 in the From part of the rule, and specify Network_B in the To part of the rule.
  4. Create a network rule with a NAT relationship. Specify ComputerSet_2 in the From part of the rule, and specify Network_B in the To part of the rule.

When you set up the server publishing rule for the server in Network_B, there are essentially two listeners for the network: the ISA Server network adapter serving Network_A, and the published server's IP address. ComputerSet_1 can use either of these listeners. ComputerSet_2 can only use the listener on the ISA Server network adapter for Network_A.

Setting Up Clients for Direct Access

There may be some scenarios in which you want to set up Firewall clients or Web Proxy clients for direct access to resources. Typical scenarios where this configuration is required include:

  • Allow clients direct access to external Web sites without going through ISA Server. This may be useful where connecting to the Web site through ISA Server is problematic, for example, if Web sites are running some Java applications.
  • Allow clients direct access to published servers located on the same network as the client making the request.

Direct access allows Web Proxy clients to bypass Web Proxy configuration settings when accessing resources. They can then leverage SecureNAT or Firewall Client settings where appropriate.

Direct access allows Firewall clients to bypass the Firewall Client configuration settings when connecting to resources on the same network as the Firewall client computer making the request.

Enabling Firewall Clients for Direct Access

Enabling direct access for Firewall clients configured as Web Proxy clients consists of the following:

  • In ISA Server Management, specify the list of IP address ranges, computers, and site URLs that should be accessed directly by the clients. The specified list is sent to the Web browser in the automatic configuration script when the browser makes a request to ISA Server either for automatic discovery (a request for wpad.dat) or to the http://ISAServer_Name:8080/array.dll?Get.Routing.Script URL, which returns configuration settings.
  • If Internet Explorer is not already configured on Firewall client computers, you can configure Web Proxy client settings for Firewall clients in ISA Server Management. These Web browser configuration settings are applied when Firewall Client software is installed on the client computer, or when Firewall Client configuration settings are updated (every six hours by default).
  • If Firewall Client is installed and you specify sites for direct access by Web Proxy applications, Firewall Client can still handle authentication requirements on access rules. Firewall Client can pick up the traffic transparently and authenticate with ISA Server on behalf of the Web Proxy application.
  • You can restart client computers, or click Detect Now in the Firewall Client dialog box to refresh client computers with updated settings.
  • Computers with Firewall Client installed have settings for each application that specify whether ISA Server does name resolution on behalf of the client. When you specify domains and computers for direct access on the Domains tab, Firewall client computers will attempt to resolve the name without going through ISA Server. Client computers will need a DNS server specified in the TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.

Specifying Sites for Direct Access

To configure sites that the Firewall client should access directly, or that the Web Proxy client running on the Firewall client computer should access directly, do the following:

  1. In the tree of ISA Server Management, click Networks:
     • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
     • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the results pane, click the Networks tab, and then select the applicable network.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Web Browser tab, click the Add button.
  5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
  6. Repeat for each direct access site, and then click OK.
  7. Click Apply to save the changes.
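What the browser receives from the procedure above is an automatic configuration script (PAC) whose direct access list decides, per request, whether to bypass the proxy. The script below is an added example written for this page, not the script ISA Server generates at array.dll?Get.Routing.Script: it reproduces the described behaviour (listed domains, computers and IP ranges go DIRECT, everything else goes to the ISA Server Web Proxy listener) with hand-written logic. The server name isa01.corp.example, the port, and the list entries are assumptions; the PAC helper functions are defined in the file so it also runs under Node for testing.

```javascript
// Added example: a hand-written automatic configuration script (PAC) carrying a direct access list.
// It is NOT the script ISA Server generates at array.dll?Get.Routing.Script, but it produces the
// same browser behaviour the page describes. Server name, port and list entries are assumptions.

var ISA_WEB_PROXY = "PROXY isa01.corp.example:8080";  // assumed ISA Server name; 8080 is the default Web Proxy port

// Entries as they would be typed on the Web Browser tab (constructed).
var DIRECT_NAMES = ["*.corp.example", "sharepoint", "10.1.1.20"];            // "Domain or computer" entries
var DIRECT_IP_RANGES = [["172.16.10.0", "255.255.255.0"],                   // "IP address range" entries,
                        ["192.168.3.0", "255.255.255.0"]];                  // written here as network/mask

// The browser's PAC engine supplies isPlainHostName, shExpMatch and isInNet. They are defined
// here with the same semantics so the file also runs under Node for testing. Difference: this
// isInNet only matches dotted-quad hosts; a browser's isInNet would first resolve a host name.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function ip2int(ip) {
  var parts = ip.split(".");
  return ((parts[0] * 16777216) + (parts[1] * 65536) + (parts[2] * 256) + (parts[3] * 1)) >>> 0;
}

function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((ip2int(host) & ip2int(mask)) >>> 0) === ((ip2int(pattern) & ip2int(mask)) >>> 0);
}

function FindProxyForURL(url, host) {
  var i;
  // Single-label names are servers on the client's own network: never loop them back through ISA Server.
  if (isPlainHostName(host)) return "DIRECT";
  for (i = 0; i < DIRECT_NAMES.length; i++) {
    if (shExpMatch(host, DIRECT_NAMES[i])) return "DIRECT";
  }
  for (i = 0; i < DIRECT_IP_RANGES.length; i++) {
    if (isInNet(host, DIRECT_IP_RANGES[i][0], DIRECT_IP_RANGES[i][1])) return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the browser fails rather than
  // silently bypassing ISA Server policy for every site.
  return ISA_WEB_PROXY;
}
```

Two points the page makes are visible here. A wildcard entry such as *.corp.example matches only hosts that end in ".corp.example", so a look-alike name like evilcorp.example still goes through ISA Server. And for every DIRECT result the client must resolve the name itself and the request leaves the client as SecureNAT or Firewall Client traffic, which is why the page requires a DNS server in the client's TCP/IP settings and, for Web Proxy-only clients, an anonymous access rule for any direct access site that is not on the client's own network.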


Configuring Web Browser Settings on Firewall Client Computers

On the network on which the Firewall client computers requiring direct access are located, do the following:

  1. In the tree of ISA Server Management, click Networks:
     • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
     • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the results pane, click the Networks tab, and then select the applicable network.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Firewall Client tab, set the following:
     • To specify that the Web browser should automatically detect the ISA Server computer with configuration settings, click Automatically detect settings.

       Note
       To configure Firewall clients for auto-discovery against ISA Server 2004 Standard Edition, install ISA Server 2004 Standard Edition Service Pack 1. For more information, see Microsoft Knowledge Base article 885683 "You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery." This problem does not exist on ISA Server 2004 Enterprise Edition.

     • To specify that the Web browser should be configured to use the default configuration script, click Use automatic configuration script, and then click Use default URL.
     • To specify that the Web browser should be configured to use a custom configuration script, click Use automatic configuration script, and then click Use custom URL.
     • To manually specify the ISA Server computer that Web Proxy clients should use as a proxy, click Use a Web proxy server, and then in ISA Server name or IP address, specify the ISA Server computer that clients should use.

Enabling Web Proxy Clients for Direct Access

Enabling direct access for Web Proxy clients that do not have Firewall Client software installed consists of the following:

  • In ISA Server Management, specify the list of IP address ranges, computers, and sites that should be accessed directly by clients. The specified list is sent to the Web browser in the automatic configuration script.
  • Configure Internet Explorer to use the automatic configuration script containing the direct access list. Internet Explorer can either be configured to automatically detect ISA Server configuration settings, by means of a Web Proxy Automatic Discovery (WPAD) entry in DNS or DHCP, or you can manually specify the location of the configuration script.

Note the following:

  • In normal circumstances, requests from Web Proxy clients going through ISA Server are resolved by ISA Server on behalf of the client. For direct access destinations, Web Proxy clients must be able to do name resolution themselves, and will need a DNS server specified in TCP/IP properties for the client computer. For published resources, clients must be able to resolve the name of the published resource to an internal IP address.
  • Client computers configured as Web Proxy clients only will require an access rule allowing anonymous access to the direct access site without requiring authentication. Place the rule above other rules requiring authentication for the same protocol.

Specifying Sites for Direct Access


    On the network on which the Web Proxy clients requiring direct access are located, do the following:

  1. In the tree of ISA Server Management, click Networks:
     • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
     • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
  2. In the results pane, click the Networks tab, and then select the applicable network.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Web Browser tab, click the Add button.
  5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
  6. Repeat for each direct access site, and then click OK.
  7. Click Apply to save the changes.
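The note under Enabling Web Proxy Clients for Direct Access, that a Web Proxy-only client needs an anonymous access rule for the direct access site and that the rule must be placed above rules requiring authentication for the same protocol, follows from first-match rule processing. The model below is an added example written for this page and is not ISA Server's policy engine: it evaluates a constructed policy top to bottom, treats a rule restricted to authenticated users as a stop rather than a skip for a request that carries no credentials, and shows the same request being denied or allowed depending only on rule order. Rule names, the destination java.contoso.com, and the request are assumptions.

```javascript
// Added example (not ISA Server's policy engine): a first-match model of access rule evaluation,
// used to show why a Web Proxy-only client that bypasses the proxy for a direct access site needs
// an anonymous rule placed above rules that require authentication. Everything below is constructed.

// A rule applies when protocol, source and destination match; the first applicable rule decides.
function ruleApplies(rule, req) {
  const protocolOk = rule.protocols.includes("All Outbound Traffic") || rule.protocols.includes(req.protocol);
  const fromOk = rule.from.includes("All Networks") || rule.from.includes(req.srcNetwork);
  const toOk = rule.to.includes("All Networks") || rule.to.includes(req.dstNetwork) || rule.to.includes(req.dstHost);
  return protocolOk && fromOk && toOk;
}

function evaluate(policy, req) {
  for (const rule of policy) {
    if (!ruleApplies(rule, req)) continue;
    if (rule.users === "All Users" || req.authenticated) {
      return { action: rule.action, rule: rule.name };
    }
    // The rule is restricted to authenticated users. Processing does not fall through to later
    // rules: a SecureNAT request has no credentials to offer, so it is denied here.
    return { action: "deny", rule: rule.name, reason: "rule requires authentication; SecureNAT request cannot authenticate" };
  }
  return { action: "deny", rule: "Default rule" };
}

// Caveat check: the anonymous rule should list only the direct access destinations, never a whole
// network or All Networks, otherwise it grants anonymous access far beyond the sites it was meant for.
function anonymousRuleIsScoped(rule, directAccessSites) {
  return rule.users === "All Users" && rule.to.length > 0 && rule.to.every((t) => directAccessSites.includes(t));
}

// Constructed policy elements.
const DIRECT_ACCESS_SITES = ["java.contoso.com"];   // assumed site reached directly because of its Java applets
const AUTH_HTTP = { name: "Allow HTTP for authenticated users", action: "allow", protocols: ["HTTP"], from: ["Internal"], to: ["All Networks"], users: "All Authenticated Users" };
const ANON_DIRECT = { name: "Allow HTTP to direct access sites", action: "allow", protocols: ["HTTP"], from: ["Internal"], to: DIRECT_ACCESS_SITES, users: "All Users" };

// Constructed request: the browser bypassed the proxy, so ISA Server sees SecureNAT traffic with no user.
const DIRECT_REQUEST = { protocol: "HTTP", srcNetwork: "Internal", dstNetwork: "External", dstHost: "java.contoso.com", authenticated: false };

function wrongOrder() { return evaluate([AUTH_HTTP, ANON_DIRECT], DIRECT_REQUEST); }
function rightOrder() { return evaluate([ANON_DIRECT, AUTH_HTTP], DIRECT_REQUEST); }

console.log("anonymous rule below the authenticated rule:", wrongOrder());
console.log("anonymous rule above the authenticated rule:", rightOrder());
```

With the anonymous rule below, the authenticated HTTP rule matches first and the unauthenticated request is denied; moved above, the same request is allowed by the narrow anonymous rule. anonymousRuleIsScoped is the check to run before saving that rule: an anonymous rule whose destination is a whole network rather than the listed sites is an open door that ISA Server will happily enforce. A Firewall client is not affected by the ordering, because, as the page notes, Firewall Client authenticates on behalf of the Web Proxy application.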

Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List

This procedure assumes Internet Explorer as the Web browser. To configure Web browsers to use the automatic configuration script, do the following:

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. Click the Connections tab, and then click LAN Settings.
  3. Do one of the following:
     • To use automatic detection of configuration settings, click Automatically detect settings.
     • To specify the location of the configuration script that the Web browser should use, click Use automatic configuration script, and in Address, specify the script location.
  4. Click OK to save the settings.

Note
For more information about setting up automatic detection for Web Proxy clients, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site.

Additional Information

This section provides a description of ISA Server client types and a list of additional resources.

ISA Server Clients

The following table summarizes ISA Server client types.

Client type: Firewall client
  Computers with Firewall Client software installed and enabled. Firewall Client uses a common Winsock provider, and intercepts requests from applications making Winsock requests. The Firewall client decides on a per-application basis how to deal with such requests. This is the only client that can use secondary protocols.

Client type: SecureNAT client
  Computers with a default route through the network to the ISA Server computer as a means of communication to other networks. No Firewall Client software is installed and enabled.
    • In a simple network, ISA Server is configured as the default gateway.
    • In a complex network, the client points indirectly to ISA Server through routers, with ISA Server as an endpoint.

Client type: Web Proxy client
  Computer running a Web-enabled application (such as Internet Explorer) that can be configured to proxy Web requests to ISA Server.

Note
Computers can be configured as more than one client type. For example, a computer may have Firewall Client software installed, or be configured as a SecureNAT client with a default gateway to the ISA Server computer, and be configured to also act as a Web Proxy client by pointing Web Proxy settings to ISA Server. The client type used is in the context of the request made to ISA Server.

Resources

Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page.

Also, refer to the following Microsoft Knowledge Base articles and Microsoft TechNet Web site articles:

  • Microsoft Knowledge Base article 312864 "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions"
  • Microsoft Knowledge Base article 838122 "How to deploy the ISA Server 2004 Firewall Client program"
  • Automatic Discovery for Web Proxy and Firewall Clients at the Microsoft TechNet Web site
  • Microsoft Knowledge Base article 816320 "How to configure firewall client and Web proxy client Autodiscovery in Windows Server 2003"
  • ISA Server 2004 Standard Edition Service Pack 1 at the Microsoft Download Center

© 2007 Microsoft Corporation. All rights reserved.