Configuring Internal Client Access to Internal Resources in ISA Server 2004
Microsoft Internet Security and Acceleration Server 2004
Published: November 2, 2005
Source: http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx?pf=true (TechNet Library, Configuration and Administration; printed 21. 1. 2007)

Contents
Introduction
Controlling Traffic Between Internal Networks
Publishing Access Rules
Configuring Network Objects with NAT and Route Relationships
Setting Up Clients for Direct Access
Enabling Firewall Clients for Direct Access
Specifying Sites for Direct Access
Configuring Web Browser Settings on Firewall Client Computers
Enabling Web Proxy Clients for Direct Access
Specifying Sites for Direct Access
Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
Additional Information
ISA Server Clients
Resources

Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 clients are computers located in networks protected by ISA Server. The clients go through the ISA Server computer to access resources in networks other than their own. ISA Server client requests for resources in the same local network should not go through ISA Server. The only exception is in a single network adapter environment, when ISA Server recognizes only the Internal network. The Internal network will then be both the source and destination network in access rules. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.
This document provides an overview of ISA Server client types, and best practices you should follow when creating access rules to control internal traffic. It also discusses several alternative approaches to making internal resources available to internal clients, including internal server publishing, and setting up clients for direct access. This document includes the following sections:
- Overview of ISA Server network design and how access rules should be configured to allow internal client access to internal resources.
- Considerations for using publishing rules or access rules to allow clients to access internal resources.
- Tips on allowing both route and network address translation (NAT) relationships between network objects.
- How to set up clients for direct access.
For a summary of ISA Server client types, see ISA Server Clients later in this document.

Controlling Traffic Between Internal Networks
ISA Server 2004 uses access rules and publishing rules to define how traffic is allowed to flow between your organization's internal networks, and between internal and external networks. When creating access rules, you use ISA Server network objects to specify a source and destination in the rule. Network objects can be:
- Networks that typically correspond to your physical network infrastructure.
- Network sets that group networks together.
- A single computer.
- A computer set.
- A subnet.
- An address range of contiguous IP addresses, a set of URLs, or a domain set.
You define network rules to specify whether network objects can communicate, and whether a network address translation (NAT) or route relationship should be applied to traffic flowing between the network objects. To learn more about configuring network objects and network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the Microsoft TechNet Web site.
When creating access rules to control traffic flowing between your internal networks protected by ISA Server, use the following guidelines:
- ISA Server is designed so that communication between different networks should traverse ISA Server. It is not intended that clients on a specific network should go through ISA Server to access resources on the same network. Such a configuration is known as looping back through the ISA Server computer. Using ISA Server like this may reduce the performance of the ISA Server computer, and may cause Domain Name System (DNS) configuration issues when internal clients try to access internal resources through an external interface.
- Because ISA Server is not designed to link traffic between resources on the same network, you cannot use a network to specify the source or destination in an access rule you create to control communication between two hosts in the same network. In such a scenario, there are several alternatives:
  - You can use network objects such as computers, subnets, and address ranges to control traffic between such hosts. For example, if your Internal network definition consists of 172.16.10.0/24, and includes a routed subnet with a 192.168.3.0/24 address range, you can create two different address sets from a subset of the Internal network Internet Protocol (IP) address ranges, and use these as source and destination in an access rule.
  - Where appropriate, use direct access for such host-to-host communications to ensure that requests between internal clients are not looped back through the ISA Server computer.

Publishing Access Rules
ISA Server access rules determine how clients on a source network can access resources on a destination network. They are generally used to give internal computers protected by ISA Server access to resources on external networks, or to control traffic between the Internal network and servers located in a perimeter network.
ISA Server publishing rules are most often used to allow external clients to access resources protected by ISA Server. For example, you may allow public access from the Internet to a Web server published with a Web publishing rule, or allow external access to a specific server using server publishing rules. Server publishing in a NAT relationship hides the actual address of the published server (a SecureNAT client), so that the user requesting the object sees the IP address of the ISA Server computer rather than the private IP address of the internal server being published.
There are some circumstances in which you may consider giving internal clients access to resources in other networks by using a server publishing rule, rather than by means of an access rule permitting access using a specific protocol.
One common scenario is when you have a perimeter network defined, and you want to allow computers in the perimeter network to contact Internal network hosts, or to allow computers in the Internal network to contact hosts in the perimeter network. When choosing whether to use access rules or server publishing rules, consider the following:
- A server publishing rule can only publish a single server.
- Port translation can easily be performed with server publishing.
- Some built-in application filters, such as the Simple Mail Transfer Protocol (SMTP) filter, are designed to work with server publishing rules, and not with access rules.
- In a NAT relationship, you cannot use an access rule to permit access to a computer if that computer is a SecureNAT client. In this scenario, you must use a server publishing rule. If there is a route relationship, an access rule will work.
- When using server publishing in a route relationship, the server publishing rule works like an access rule to allow access to the published server. Clients send requests directly to the IP address of the server being published, and not to the IP address of the ISA Server client-facing network interface.
- If you are using Network Load Balancing (NLB), use server publishing rules in preference to access rules. Server publishing rules allow correct load balancing of traffic to the published server.
- An access rule allowing Hypertext Transfer Protocol (HTTP) always uses NAT in both directions by default, even between networks with a route relationship.
- If you choose to configure a route relationship rather than NAT between two separate networks, there is no loss in functionality using server publishing rules. Filters (for example SMTP, POP3, or DNS) should work as they would for server publishing rules across networks with a NAT relationship. Note that the H.323 filter does not support server publishing.
In the scenario described, there may be either of the following relationships between the perimeter network and the Internal network:
- You have a route relationship between the perimeter network and the Internal network.
- You have a NAT relationship between the perimeter network and the Internal network.
The following table summarizes how the use of access rules or server publishing rules is affected in a NAT or route network relationship.

Perimeter and internal relationship: NAT
  Control traffic with access rules:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
    Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
    Client source IP address is that of the ISA Server computer. For example, if a NAT relationship is defined from source Network_A to destination Network_B, the IP addresses of client computers on Network_A are replaced with the IP address of the network adapter connected to Network_B on the ISA Server computer. Packets from Network_B returned to clients on Network_A are not translated.
  Control traffic with server publishing rule:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
    Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
    Client source IP address is that of the ISA Server computer unless you configure the rule to forward the original client source IP address. Note that there is a difference between server publishing (where the default is to pass the client address) and Web publishing, where the default is to use the ISA Server internal address.

Perimeter and internal relationship: Route
  Control traffic with access rules:
    ISA Server listens on the IP address of the published server.
    Published server log shows original client source IP address.
    Note that if access rules allow HTTP traffic, this will go through the Web Proxy Filter and be subject to NAT, even in a route relationship. To override this default behavior, you would disable the filter for the HTTP traffic. For more information, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.
  Control traffic with server publishing rule:
    ISA Server listens on the IP address of the published server.
    Clients should request the actual IP address of the published server.
    Use the From part of the server publishing rule to limit clients who can use the rule.

Configuring Network Objects with NAT and Route Relationships
There may be circumstances in which you want to set up network objects for both NAT and route relationships. For example:
- Set up a NAT relationship between hosts in Network_A and hosts in Network_B.
- Set up a route relationship between other hosts in Network_A and hosts in Network_B.
Do this as follows:
1. Create a computer set (ComputerSet_1) for the computers in Network_A that require a route relationship with clients in Network_B. You could also use a different network object such as an IP address range or a computer.
2. Create a computer set (ComputerSet_2) for the computers in Network_A that require a NAT relationship with clients in Network_B.
3. Create a network rule with a route relationship. Specify ComputerSet_1 in the From part of the rule, and specify Network_B in the To part of the rule.
4. Create a network rule with a NAT relationship. Specify ComputerSet_2 in the From part of the rule, and specify Network_B in the To part of the rule.
When you set up the server publishing rule for the server in Network_B, there are essentially two listeners for the network: the ISA Server network adapter serving Network_A, and the published server's IP address. ComputerSet_1 can use either of these listeners. ComputerSet_2 can only use the listener on the ISA Server network adapter for Network_A.

Setting Up Clients for Direct Access
There may be some scenarios in which you want to set up Firewall clients or Web Proxy clients for direct access to resources. Typical scenarios where this configuration is required include:
- Allow clients direct access to external Web sites without going through ISA Server. This may be useful where connecting to the Web site through ISA Server is problematic, for example, if Web sites are running some Java applications.
- Allow clients direct access to published servers located on the same network as the client making the request.
Direct access allows Web Proxy clients to bypass Web Proxy configuration settings when accessing resources. They can then leverage SecureNAT or Firewall Client settings where appropriate.
Direct access allows Firewall clients to bypass the Firewall Client configuration settings when connecting to resources on the same network as the Firewall client computer making the request.

Enabling Firewall Clients for Direct Access
Enabling direct access for Firewall clients configured as Web Proxy clients consists of the following:
- In ISA Server Management, specify the list of IP address ranges, computers, and site URLs that should be accessed directly by the clients. The specified list is sent to the Web browser in the automatic configuration script when the browser makes a request to ISA Server either for automatic discovery (using http://wpad.dat) or to the http://ISAServer_Name:8080/array.dll?Get.Routing.Script URL, which returns configuration settings.
- If Internet Explorer is not already configured on Firewall client computers, you can configure Web Proxy client settings for Firewall clients in ISA Server Management. These Web browser configuration settings are applied when Firewall Client software is installed on the client computer, or when Firewall Client configuration settings are updated (every six hours by default).
If Firewall Client is installed and you specify sites for direct access by Web Proxy applications, Firewall Client can still handle authentication requirements on access rules. Firewall Client can pick up the traffic transparently and authenticate with ISA Server on behalf of the Web Proxy application.
You can restart client computers, or click Detect Now in the Firewall Client dialog box to refresh client computers with updated settings.
Computers with Firewall Client installed have settings for each application that specify whether ISA Server does name resolution on behalf of the client. When you specify domains and computers for direct access on the Domains tab, Firewall client computers will attempt to resolve the name without going through ISA Server. Client computers will need a DNS server specified in the TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.

Specifying Sites for Direct Access
To configure sites that the Firewall client should access directly, or that the Web Proxy client running on the Firewall client computer should access directly, do the following:
1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.
Configuring Web Browser Settings on Firewall Client Computers
On the network on which the Firewall client computers requiring direct access are located, do the following:
1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, set the following:
   - To specify that the Web browser should automatically detect the ISA Server computer with configuration settings, click Automatically detect settings.
     Note: To configure Firewall clients for auto-discovery against ISA Server 2004 Standard Edition, install ISA Server 2004 Standard Edition Service Pack 1. For more information, see Microsoft Knowledge Base article 885683 "You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery." This problem does not exist on ISA Server 2004 Enterprise Edition.
   - To specify that the Web browser should be configured to use the default configuration script, click Use automatic configuration script, and then click Use default URL.
   - To specify that the Web browser should be configured to use a custom configuration script, click Use automatic configuration script, and then click Use custom URL.
   - To manually specify the ISA Server computer that Web Proxy clients should use as a proxy, click Use a Web proxy server, and then in ISA Server name or IP address, specify the ISA Server computer that clients should use.

Enabling Web Proxy Clients for Direct Access
Enabling direct access for Web Proxy clients that do not have Firewall Client software installed consists of the following:
- In ISA Server Management, specify the list of IP address ranges, computers, and sites that should be accessed directly by clients. The specified list is sent to the Web browser in the automatic configuration script.
- Configure Internet Explorer to use the automatic configuration script containing the direct access list. Internet Explorer can either be configured to automatically detect ISA Server configuration settings, by means of a Web Proxy Automatic Discovery (WPAD) entry in DNS or DHCP, or you can manually specify the location of the configuration script.
Note the following:
- In normal circumstances, requests from Web Proxy clients going through ISA Server are resolved by ISA Server on behalf of the client. For direct access destinations, Web Proxy clients must be able to do name resolution themselves, and will need a DNS server specified in TCP/IP properties for the client computer. For published resources, clients must be able to resolve the name of the published resource to an internal IP address.
- Client computers configured as Web Proxy clients only will require an access rule allowing anonymous access to the direct access site without requiring authentication. Place the rule above other rules requiring authentication for the same protocol.

Specifying Sites for Direct Access
On the network on which the Web Proxy clients requiring direct access are located, do the following:
1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.
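The direct access list configured above (for Firewall clients under Enabling Firewall Clients for Direct Access, and for Web Proxy clients here) reaches the browser inside the automatic configuration script, which the browser evaluates as a proxy auto-configuration (PAC) function. The following is an added example, not code from the TechNet document and not the script ISA Server generates at wpad.dat or array.dll?Get.Routing.Script: a hand-written FindProxyForURL that applies a direct access list of this kind, with stand-in implementations of the PAC helper functions so it runs outside a browser. The proxy name isa.corp.example, the listed domains, and the sample hosts are constructed assumptions; the address ranges are the Internal network example from the document.

```javascript
// Added example: models how a browser applies a direct access list carried in
// a PAC script. Not the script ISA Server generates; names below are constructed.

const ISA_PROXY = "PROXY isa.corp.example:8080"; // assumed ISA Server name, Web Proxy port 8080

// Direct access list: domains/computers from the Web Browser tab (constructed)
// and address ranges taken from the document's Internal network example
// (172.16.10.0/24 plus routed subnet 192.168.3.0/24).
const DIRECT_DOMAINS = ["intranet.corp.example", ".corp.example"];
const DIRECT_RANGES = [
  { net: "172.16.10.0", mask: "255.255.255.0" },
  { net: "192.168.3.0", mask: "255.255.255.0" },
];

// Parse a dotted-quad address into an unsigned 32-bit number; null if invalid.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// Stand-ins for the helpers a browser exposes to PAC scripts.
// A leading dot matches any host under the domain; otherwise the host must be
// the domain itself or a subdomain of it.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (domain.startsWith(".")) return host.endsWith(domain);
  return host === domain || host.endsWith("." + domain);
}

function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0); // >>> 0 keeps the comparison unsigned
}

function isPlainHostName(host) {
  return !host.includes(".");
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Single-label names are local; the client resolves them itself, which is
  // why the document requires a DNS server in the client's TCP/IP settings.
  if (isPlainHostName(host)) return "DIRECT";
  for (const d of DIRECT_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  // Only IP literals are matched against ranges here. A browser would call
  // dnsResolve(host) first; that needs network access, so this offline model
  // leaves it out.
  if (ipToInt(host) !== null) {
    for (const r of DIRECT_RANGES) {
      if (isInNet(host, r.net, r.mask)) return "DIRECT";
    }
  }
  return ISA_PROXY;
}

// Evaluate a batch of hosts; returns an object mapping host -> decision.
function decideAll(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

// Constructed sample: two direct access sites, a routed-subnet address, an
// internal address outside the list, an external site, and a plain host name.
console.log(decideAll(["intranet.corp.example", "hr.corp.example",
  "192.168.3.25", "172.16.11.5", "www.microsoft.com", "fileserver"]));
```

A direct access decision also means the request never reaches ISA Server as a Web Proxy request, which is why the note above requires an anonymous access rule for Web Proxy-only clients: their bypassed traffic arrives as SecureNAT traffic and cannot authenticate.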
Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
This procedure assumes Internet Explorer as the Web browser. To configure Web browsers to use the automatic configuration script, do the following:
- In Internet Explorer, click the Tools menu, and then click Internet Options.
- Click the Connections tab, and then click LAN Settings.
- To use automatic detection of configuration settings, click Automatically detect settings.
- To specify the location of the configuration script that the Web browser should use, click Use automatic configuration script, and in Address, specify the script location.
- Click OK to save the settings.
Note: For more information about setting up automatic detection for Web Proxy clients, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site.

Additional Information
This section provides a description of ISA Server client types and a list of additional resources.

ISA Server Clients
The following table summarizes ISA Server client types.

Client type: Firewall client
Feature: Computers with Firewall Client software installed and enabled. Firewall Client uses a common Winsock provider, and intercepts requests from applications making Winsock requests. The Firewall client decides on a per-application basis how to deal with such requests. This is the only client that can use secondary protocols.

Client type: SecureNAT client
Feature: Computers with a default route through the network to the ISA Server computer as a means of communication to other networks. No Firewall Client software is installed and enabled.
- In a simple network, ISA Server is configured as the default gateway.
- In a complex network, the client points indirectly to ISA Server through routers, with ISA Server as an endpoint.

Client type: Web Proxy client
Feature: Computer running a Web-enabled application (such as Internet Explorer) that can be configured to proxy Web requests to ISA Server.

Note: Computers can be configured as more than one client type. For example, a computer may have Firewall Client software installed, or be configured as a SecureNAT client with a default gateway to the ISA Server computer, and be configured to also act as a Web Proxy client by pointing Web Proxy settings to ISA Server. The client type used is in the context of the request made to ISA Server.

Resources
Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page.
Also, refer to the following Microsoft Knowledge Base articles and Microsoft TechNet Web site articles:
- Microsoft Knowledge Base article 312864 "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions"
- Microsoft Knowledge Base article 838122 "How to deploy the ISA Server 2004 Firewall Client program"
- Automatic Discovery for Web Proxy and Firewall Clients at the Microsoft TechNet Web site
- Microsoft Knowledge Base article 816320 "How to configure firewall client and Web proxy client Autodiscovery in Windows Server 2003"
- ISA Server 2004 Standard Edition Service Pack 1 at the Microsoft Download Center.