Contents
Overview 1
Access Policy and Rules Overview 2
Creating Policy Elements 6
Configuring Access Policies and Rules 18
Configuring Bandwidth Rules 24
Using ISA Server Authentication 28
Lab A: Enabling Secure Internet Access 35
Review 52

Module 3: Enabling
Secure Internet Access

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels,
Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker ( S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey

Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart



Module 3: Enabling Secure Internet Access iii

Instructor Notes
This module provides students with the knowledge and skills to configure
access policies for enabling secure Internet access for client computers.
After completing this module, students will be able to:

Explain the use of access policies and rules to enable Internet access.

Create policy elements.

Configure access polices and rules.

Configure bandwidth rules.

Explain the use of authentication for outgoing Web requests.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials

To teach this module, you need the Microsoft
®
PowerPoint
®
file 2159A_03.ppt.
Preparation Tasks
To prepare for this module, you should:

Read all of the materials for this module.

Complete the lab.

Study the review questions and prepare alternative answers to discuss.

Anticipate questions that students may ask. Write out the questions and
provide the answers.

Read “Configuring Policy Elements,” “Configuring Access Policy,” and
“Configuring Bandwidth“ in ISA Server Help.

Presentation:
50 Minutes

Lab:
60 Minutes
iv Module 3: Enabling Secure Internet Access

Module Strategy
Use the following strategy to present this module:


Access Policies and Rules Overview
Describe the components of access policies. Use the slide graphic to explain
how Microsoft Internet Security and Acceleration (ISA) Server 2000
processes outgoing Web requests. Focus on protocol rules and site and
content rules. Mention that Internet Protocol (IP) packet filters and routing
rules are covered in later modules. Emphasize the importance of proper
planning before creating the rules for access policies.

Creating Policy Elements
Explain that before you can configure an access policy, you must create the
associated policy elements that you will use when defining the rules.
Describe each policy element.

Configuring Access Polices and Rules
Explain that proper planning helps to ensure that you configure rules that
are appropriate for your organization. Emphasize that ISA Server processes
Web requests only if a protocol rule permits the use of the protocol and a
site and content rule allows access to the site. Demonstrate the procedure
that you use to create a protocol rule to show students how protocol rules
use policy elements. Demonstrate the procedure that you use to create a site
and content rule to show students how site and content rules use policy
elements

Configuring Bandwidth Rules
Explain that ISA Server uses bandwidth rules to determine how to process
client requests when your network is congested. Mention that ISA Server
only applies bandwidth rules when there is insufficient bandwidth to process
all of the user requests. Demonstrate the procedure that you use to create a
bandwidth rule to show students how bandwidth rules use policy elements.


Using ISA Server Authentication
Explain that that way that you configure authentication for ISA Server
depends on the type of client. Mention that requiring authentication for all
Web Proxy clients enables you to configure access rules that are based on
users and group membership. Mention that authentication also enables you
to include information about user Web activity in ISA Server logs. Describe
the types of authentication that are available for each type of client.
Describe the types of authentication that ISA Server supports. Explain the
use of listeners and the procedures that you use to configure authentication.

Module 3: Enabling Secure Internet Access v

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

The labs in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:


Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Perform a full installation of ISA Server manually.

Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all of the ISA Server client computers. To prepare student
computers to meet this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the ISA Server administration tools manually.

Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all of the
ISA Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the Firewall Client manually.

Important
vi Module 3: Enabling Secure Internet Access


Setup Requirement 4
The lab in this module requires that all of the ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure the default gateway manually.

Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all of the student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure Internet Explorer manually.

Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all of the ISA Server computers to use Transmission Control
Protocol (TCP) port 8008 as the default Web site. To prepare student computers
to meet this requirement, perform one of the following actions:


Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure IIS manually.

Lab Results
Performing the lab in this module introduces the following configuration
changes:

The following policy elements are created on the ISA Server computer for
each student:
• A schedule that is called x High Network Utilization (where x is the
student’s assigned student number).
• A destination set that is called x Contoso Sports Site (where x is the
student’s assigned student number).
• A client address set that is called x Accounting Department (where x is
the student’s assigned student number).
• A protocol definition that is called x LoB Application (where x is the
student’s assigned student number).
• A content group that is called x New Graphics Format (where x is the
student’s assigned student number).
• A bandwidth priority that is called x High Priority (where x is the
student’s assigned student number).
Module 3: Enabling Secure Internet Access vii


The following protocol rules are created on the ISA Server computer for
each student:

• A protocol rule that is called x Allow HTTP, HTTP-S, and FTP (where x
is the student’s assigned student number).
• A protocol rule that is called x Allow Access to LoB Application (where
x is the student’s assigned student number).

The following site and content rules are created on the ISA Server computer
for each student:
• A site and content rule that is called x Deny Access to Sports Site (where
x is the student’s assigned student number).
• A site and content rule that is called x Deny Access to Pictures (where x
is the student’s assigned student number).

A bandwidth rule that is called x High Priority for Microsoft
Windows Media
™
(where x is the student’s assigned student number) is
created on the ISA Server computer for each student:

ISA Server is configured for an effective bandwidth of 256 kilobits per
second (Kbps).

Authentication for outgoing Web requests uses Basic and Integrated
authentication. ISA Server asks unauthorized users for authentication.



Module 3: Enabling Secure Internet Access 1

Overview


Access Policies and Rules Overview

Creating Policy Elements

Configuring Access Policies and Rules

Configuring Bandwidth Rules

Using ISA Server Authentication

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Microsoft
®
Internet Security and Acceleration (ISA) Server provides policy-
based access control that enables organizations to securely control outbound
access. Network administrators can configure access policies to specify which
content and sites are accessible, whether a particular protocol is available for
outgoing Internet requests, and during which times access is allowed. In
addition, network administrators can configure authentication to restrict access
on a per-user basis or on a per-group basis.
After completing this module, you will be able to:

Explain the use of access policies and rules to enable Internet access.

Create policy elements.


Configure access polices and rules.

Configure bandwidth rules.

Explain the use of authentication for outgoing Web requests.

Topic Objective
To provide an overview of
the module topics and
objectives.
Lead-in
In this module, you will learn
about configuring access
policies to enable secure
Internet access for client
computers.
2 Module 3: Enabling Secure Internet Access





Access Policy and Rules Overview

Understanding Access Policy Components

Processing Outgoing Client Requests

Planning an Access Policy Strategy


*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
One of the primary functions of ISA Server is connecting your internal network
to the Internet while implementing your organization’s policies that define the
type of Internet access that you allow. By creating an access policy and
associated rules, you can allow or deny users access to specific protocols,
Internet sites, and content. When ISA Server processes an outgoing request, it
uses the access policy to determine if access should be allowed or denied. It is
important to plan a strategy before creating an access policy to ensure that the
rules that you create meet the needs of your organization.
Topic Objective
To list the topics related to
access policies and rules.
Lead-in
One of the primary functions
of ISA Server is connecting
your internal network to the
Internet while protecting
your internal users from
inappropriate or malicious
content.
Module 3: Enabling Secure Internet Access 3

Understanding Access Policy Components
Site and Content
Rule
Site and Content

Rule
Policy
Element
Policy
Element
Policy
Element
Policy
Element
Allow or
Deny
Allow or
Deny
Allow or
Deny
Allow or
Deny
Access Policy
Access Policy
Protocol Rule
Protocol Rule
Policy
Element
Policy
Element
Policy
Element
Policy
Element
Allow or

Deny
Allow or
Deny
Allow or
Deny
Allow or
Deny

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
An access policy consists of the following components:

Protocol rules. Define the protocols that the ISA Server clients can use to
communicate between the internal network and the Internet.

Site and content rules. Define the type of content and the sites to which Web
Proxy clients are allowed or denied access.

Policy elements. Define settings that you use as parts of rules. For example,
you can create policy elements that define a schedule or a specific type of
content.

Topic Objective
To describe the components
of an access policy.
Lead-in
An access policy consists of

several components.
4 Module 3: Enabling Secure Internet Access

Processing Outgoing Client Requests
Is there a
site and content
rule that denies the
request?
Is there a
site and content
rule that denies the
request?
Is there a
protocol rule that denies
the request?
Is there a
protocol rule that denies
the request?
Request from
internal client
Request from
internal client
Deny request
Deny request
Retrieve object
Retrieve object
Is there a
protocol rule that allows
the request?
Is there a

protocol rule that allows
the request?
Yes
No
No
Yes
Yes
No
No
Is there a
site and content
rule that allows the
request?
Is there a
site and content
rule that allows the
request?
Yes
No
Yes
Does an IP packet filter
block the request?
Does an IP packet filter
block the request?
Does a routing
rule specify routing to an
upstream server?
Does a routing
rule specify routing to an
upstream server?

Yes
Route to
upstream server
Route to
upstream server
No

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
When ISA Server processes an outgoing client request, it checks protocol rules
and site and content rules to determine if access is allowed. A request is
allowed only if both a protocol rule and a site and content rule each allow the
request and if there is no rule that explicitly denies the request.

ISA Server also controls Internet traffic based on Internet Protocol (IP)
packet filters and routing rules. For more information about IP packet filters
and routing rules, see Module 6, “Configuring the Firewall,” and Module 9,
“Configuring ISA Server for the Enterprise,” in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.

When you install ISA Server as a stand-alone server, a site and content rule
named "Allow Rule" allows access to all content on all sites by default.
However, because ISA Server contains no protocol rules by default, no traffic is
allowed to pass until you define at least one protocol rule.
Topic Objective
To describe the process that
ISA Server uses to process

outgoing client requests.
Lead-in
When ISA Server processes
an outgoing client request, it
checks protocol rules and
site and content rules to
determine if access is
allowed.
Delivery Tip
Use the slide graphic to
explain how ISA Server
processes outgoing client
requests. Focus on protocol
rules and site and content
rules. Mention that IP packet
filters and routing rules are
covered in later modules.
Note
Key Points
By default, a site and
content rule named "Allow
Rule" allows access to all
content on all sites.
Module 3: Enabling Secure Internet Access 5

Planning an Access Policy Strategy
Determine Organizational Requirements
Determine Organizational Requirements
Define Rules
Define Rules

Create Policy Elements
Create Policy Elements
Create Rules by Using Policy Elements
Create Rules by Using Policy Elements
Test Rules
Test Rules

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
You should perform the following tasks when planning an access policy
strategy:

Determine your organization’s requirements based on your business
needs.
Because an access policy should be consistent with business needs, it is
important to identify your business needs before you create an access
policy. For example, one of your business needs may include giving users
access to a supplier’s Web site.

Define the rules that are needed.
You define rules to implement your organization’s access policy. For
example, you can create a rule to grant access for all employees to the
www.contoso.msft Web site during business hours.

Create policy elements.
Rules require policy elements, which are the building blocks that you use to
create rules. For example, you can create a policy element that defines

specific computers or directories at www.contoso.msft.

Create rules that use the policy elements.
When you create rules, you use policy elements to define the rules.

Test rules.
Ensure that the rules allow the required access for your users, without
providing more access than necessary. Ensure that you test all of the rules
before allowing users to gain access to the Internet.

Topic Objective
To identify the tasks that
you must perform to plan an
access policy strategy.
Lead-in
You should perform the
following tasks when
planning an access policy
strategy.
Delivery Tip
Emphasize the importance
of proper planning before
creating the rules for an
access policy.
6 Module 3: Enabling Secure Internet Access






Creating Policy Elements

Policy Element Overview

Creating Schedules

Creating Bandwidth Priorities

Creating Destination Sets

Creating Client Address Sets

Creating Protocol Definitions

Creating Content Groups

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Policy elements are the components that you use to create ISA Server rules.
Policy elements give you more control to define users, locations, bandwidth
allocation, specific protocols, and types of content in policy rules. ISA Server
includes several types of policy elements that you can use to create rules for
your access policy.

Policy elements do not define any access policy by themselves.
Rather, you use policy elements as components of rules that control access.


Topic Objective
To identify the topics related
to creating policy elements.
Lead-in
Policy elements are the
components that you use to
create ISA Server rules.
Important
Module 3: Enabling Secure Internet Access 7

Policy Element Overview
Policy Elements Can Include:

Schedules

Bandwidth Priorities

Destination Sets

Client Address Sets

Protocol Definitions

Content Groups

Dial-up Entries

*****************************
ILLEGAL FOR NON
-

TRAINER USE
******************************
Before you can configure an access policy, you must create the associated
policy elements that you will use when defining the rules. ISA Server policy
elements can include:

Schedules. The days and times when a rule is active.

Bandwidth priorities. Determine the relative amount of bandwidth that you
can allocate to different types of network traffic. You use bandwidth
priorities in bandwidth rules that determine which connection gets priority
over others to allocate available network bandwidth.


Destination sets. One or more computers or directories on specific
computers. For access policy rules, destination sets are computers that are
not on the internal network.

Client address sets. One or more computers that you specify by name or by
using an IP address or range of IP addresses. For access policy rules, client
address sets are computers on the internal network.

Protocol definitions. Predefined or user-defined protocols that ISA Server
clients can use to communicate with other computers.

Content groups. Logical groupings of common file types and file
extensions.

Dial-up entries. Specify how the ISA Server computer will connect to the
Internet. The dial-up entry includes the name of the network dial-up

connection that is configured for the remote access server and the user name
and password for a user who has permissions to gain access to the dial-up
connection.

Topic Objective
To describe the policy
elements that are available
in ISA Server.
Lead-in
Before you can configure an
access policy, you must
create the associated policy
elements that you will use
when defining the rules.
Key Points
Before you can configure an
access policy, you must
create the associated policy
elements that you will use
when defining the rules.
Emphasize that policy
elements are the building
blocks of rules.
8 Module 3: Enabling Secure Internet Access

Creating Schedules
New schedule
Name: Lunch Hours and Weekends
Description: Use this schedule to permit access to sites
lunch hours and weekends.

OK
Cancel
Click Active to add
portions of the week, or
click Inactive to remove
portions of the week.
Set the activation times for rules that are based on this schedule.
12 · 2 · 4 · 6 · 8 · 10 · 12 · 2 · 4 · 6 · 8 · 10 · 12
Al
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday from 12 AM to 12 AM
Active Inactive

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Use schedules to create rules that apply separate access policies during different
times of the day or the week. For example, you can create a schedule to use in a
rule for an access policy that allows access to the Internet during the lunch hour
only.
To create a schedule:
1. In ISA Management, in the console tree, expand Policy Elements, click

Schedules, and then in the details pane, click Create a Schedule.
2. In the New schedule dialog box, in the Name box, type the name of the
schedule.
3. In the Description box, type a description for the schedule.
4. In the schedule table, click a cell, day, or hour, or drag multiple cells, to
select the specified times.
5. To modify the schedule, do the following tasks, and then click OK:
• Click Active to add portions of the week to the schedule.
• Click Inactive to remove portions of the week from the schedule.
When a blue cell appears, the rule is in effect during that period; when a
white cell appears, the rule is not in effect during that period.


By default, ISA Server contains the Weekends schedule and the Work
hours schedule, which you can modify for use in policy rules.

Topic Objective
To describe the procedure
that you use to create
schedules.
Lead-in
You can apply a schedule to
a rule to determine when a
rule is in effect.
Delivery Tip
Compare the New
schedule dialog box to
other Windows 2000
schedule dialog boxes, such
as the one that you use to

define logon hours for users.
Note
Module 3: Enabling Secure Internet Access 9

Creating Bandwidth Priorities
New Bandwidth Priority
Name:
Description
(optional):
OK
OK
OK Cancel
Basic Priority
Assigns high priority to incoming traffic.
Outbound bandwidth (1-2000):
Inbound bandwidth (1-200): 20
New Bandwidth Priority
Name:
Description
(optional):
OK
OK
OK Cancel
High Priority
Assigns high priority to incoming traffic.
Outbound bandwidth (1-2000):
Inbound bandwidth (1-200): 30

*****************************
ILLEGAL FOR NON

-
TRAINER USE
******************************
Use bandwidth priorities to create bandwidth rules that assign a higher priority
to specific traffic that is moving to or from the Internet. For example, you can
create a bandwidth rule that assigns a high bandwidth priority to traffic for
specific employees or departments. Before you can assign this type of
bandwidth rule, you must create the associated bandwidth priorities.
How Bandwidth Priorities Work
Bandwidth priorities assign priorities to connections that pass through ISA
Server. Bandwidth priorities are directional and can be controlled for both
inbound connections and outbound connections.
When there is limited bandwidth, ISA Server allocates this bandwidth
according to bandwidth priorities that you assign to traffic that is processed by
ISA Server. You can use a number between 1 and 200 to specify a bandwidth
priority. A higher number indicates a higher priority.
When you assign a bandwidth priority, you must assess the impact of that
bandwidth priority in relationship to the other bandwidth priorities that you
assign. For example, if you assign bandwidth priority A to30 and you assign
bandwidth priority B to 20, ISA Server will allocate 60 percent of the available
bandwidth to traffic with bandwidth priority A and will allocate 40 percent of
the available bandwidth to traffic with bandwidth priority B when processing
bandwidth rules.
Topic Objective
To describe the procedure
that you use to create
bandwidth priorities.
Lead-in
Bandwidth priorities define a
priority level for connections

that pass through ISA
Server.
Delivery Tip
Explain that the numbering
system that you use to
specify bandwidth priorities
is a relative numbering
system. The effect of a
given number that you use
for a bandwidth priority is
determined by how it
compares to all of the other
numbers that you use.
10 Module 3: Enabling Secure Internet Access

Creating a New Bandwidth Priority
To create a new bandwidth priority:
1. In ISA Management, in the console tree, right-click Bandwidth Priorities,
point to New, and then click Bandwidth Priority.
2. In the New Bandwidth Priority dialog box, in the Name box, type the
name of the bandwidth priority.
3. In the Description box, type a description of the bandwidth priority.
4. Do the following tasks, and then click OK:
• To define the bandwidth priority for outbound traffic, in the Outbound
bandwidth box, type a number between 1 and 200.
• To define the bandwidth priority for inbound traffic, in the Inbound
bandwidth box, type a number between 1 and 200.

Module 3: Enabling Secure Internet Access 11


Creating Destination Sets
Remove
Remove
Remove
New Destination Set
Name: Partner Web
Description
(optional):
Cancel
Include these computers:
Name/IP Range Path
OK
Edit…
Edit…
Edit…Add…
Add/Edit Destination
Computer name: nwtraders.msft
IP addresses:
Cancel
To include a specific directory in the destination set, type the path
below.
To include all the files, use this format: /dir/*.
To select a specific file, use this format: /dir/filename.
Path:
/sales/accounts.xls
OK
Browse…
From:
To (optional):


*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Use destination sets to create rules that allow or deny access to one or more
computers. For example, you can create a destination set that includes the Web
sites of business partners and then allow access to this destination set. You can
specify destination sets by using a domain name or by using a range of IP
addresses. You can also allow or deny access to specific directories on a
computer. Other rules, such as bandwidth rules, also use destination sets.
To create a new destination set:
1. In ISA Management, in the console tree, click Destination Sets, and then in
the details pane, click Create a Destination Set.
2. In the New Destination Set dialog box, in the Name box, type a name for
the destination set.
3. In the Description box, type a description for the destination set.
4. Click Add, and then in the Add/Edit Destination dialog box, do one of the
following:
If specifying a
destination set by

Then

Computer or
domain name
Click Destination, and then type the computer name or
click Browse to select a computer on your network. To add
all of the computers in a domain, type *.domain (where
domain is the name of your domain). For example, to add

all of the computers in the contoso.msft domain, you would
type *.contoso.msft
IP address Click IP addresses. In the From box, type the first IP
address in the range, and then in the To box, type the last IP
address in the range. To include a single computer, type the
same IP address in the From box and in the To box.

Topic Objective
To describe the procedure
that you use to create
destination sets.
Lead-in
You can specify destination
sets by using a domain
name or by using a range of
IP addresses.
12 Module 3: Enabling Secure Internet Access

5. To specify a particular path on a Web site, in the Path box, type the path of
the specified computer by using the format listed in the following table, and
then click OK twice:
To specify Use the format

A specific directory /dir
All of the files in a directory /dir/*
A specific file in a directory /dir/filename


ISA Server processes path components of a rule for only client
requests that use the Hypertext Transfer Protocol (HTTP) protocol and for

only Web Proxy client requests that use the File Transfer Protocol (FTP)
protocol. ISA Server ignores the path component of a destination set when
processing any other client requests but still evaluates the computer and IP
address components of any applicable destination set, independent of the
protocol that the client uses. For more information, see “Site and content
rules” in ISA Server Help.


Delivery Tip
Emphasize that ISA Server
processes the path
component for only certain
types of client requests but it
processes the remainder of
a destination set for all client
requests.
Important
Module 3: Enabling Secure Internet Access 13

Creating Client Address Sets
Client Set
Name: Support Staff
Description
(optional):
Select the addresses of computers that belong to this client
address set.
Members:
Remove
Remove
Remove

From To
Edit…
Edit…
Edit…Add…
CancelOK
Add/Edit IP Addresses
Client set IP addresses:
CancelOK
From: 192 . 168 . 101 . 0
To: 192 . 168 . 101 . 255

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Use client address sets to create rules that allow or deny access to outgoing
Web requests from a single computer or from a set of computers. Other rules,
such as bandwidth rules, also use client address sets.
To create a client address set:
1. In ISA Management, in the console tree, click Client Address Sets, and
then in the details pane, click Create a Client Set.
2. In the Client Set dialog box, in the Name box, type a name for the client
address set.
3. In the Description box, type a description for the client address set.
4. Click Add.
5. In the Add/Edit IP Addresses dialog box, in the From box, type the first IP
address in the range, and then in the To box, type the last IP addresses in the
range. To include a single computer, type the same IP address in the From
box and the To box.

6. Click OK twice.


Although you can use the Open Windows’ User Manager button on the
Configure Client Address Sets taskpad to create or modify Microsoft
Windows
®
2000 security groups on the ISA Server computer, the security
groups are separate policy elements from the client address sets.

Topic Objective
To describe the procedure
that you use to create client
address sets.
Lead-in
Use client address sets to
apply a policy rule to
outgoing Web requests from
a single computer or from a
set of computers.
Note
14 Module 3: Enabling Secure Internet Access

Creating Protocol Definitions
Type a number
between between 1
and 65535 to specify
the port number.

*****************************

ILLEGAL FOR NON
-
TRAINER USE
******************************
Protocol definitions define the communications parameters that a protocol uses.
You use protocol definitions to create rules that allow or deny access based on
specific protocols. ISA Server includes many predefined protocol definitions
for the most popular protocols. If you use a protocol for which ISA Server does
not contain a definition, you can create a new protocol definition for that
protocol.

You can create protocol definitions for only the Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) protocols. To control
network traffic that uses any other protocol types, such as the Internet Control
Message Protocol (ICMP), you must create packet filters. For more information
about packet filters, see Module 6, “Configuring the Firewall,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.

Protocol Definition Overview
Before you create a new protocol definition, you must know how the protocol
works. This knowledge includes the port number that a protocol uses, the
protocol type, and the direction of the connection. Generally, you obtain port
information from an application vendor or from a protocol specification, such
as a Request for Comments (RFC).

The Internet Assigned Numbers Authority (IANA) maintains a registry
of assigned protocol and port numbers. For more information, see the IANA
Web site at


Topic Objective
To describe the procedure
that you use to create
protocol definitions.
Lead-in
Use protocol definitions to
create policy rules that
control access based on
specific protocols.
Delivery Tip
Emphasize that ISA Server
contains more than 80
predefined policy definitions.
Before creating a new policy
definition, students should
always check carefully for a
predefined protocol
definition that meets their
needs.
Note
Delivery Tip
Emphasize that knowledge
about the protocol is crucial
when creating protocol
definitions.
Note
Module 3: Enabling Secure Internet Access 15

Primary Connections
Protocols use at least one port during a session. When you define a protocol

definition, you must specify which port the protocol uses to establish the
session. This port is the primary connection. For example, the Simple Mail
Transfer Protocol (SMTP) uses TCP port 25 for a client connection to a mail
server. To create a protocol definition for SMTP, you must specify a primary
connection that uses TCP port 25 for outgoing connections.
Secondary Connections
Some protocols use multiple ports during the same session. When creating a
protocol definition for this type of protocol, you must define one or more
secondary connections in addition to the primary connection. For example, the
FTP protocol uses TCP port 21 for a client to establish an initial connection
with a server and then, by default, the FTP server uses TCP port 20 for a
connection to the client to transfer data. To create a protocol definition for the
FTP protocol, in addition to configuring a primary connection that uses TCP
port 21 for an outgoing connection, you must configure a secondary connection
that uses TCP port 20 for incoming connections.

Before deleting a protocol definition that you created, always ensure
that no rules use that protocol definition. If a rule uses a protocol definition that
you delete, ISA Server will not start. In addition, you cannot modify or delete
built-in protocol definitions or the protocol definitions that are defined by
application filters. For more information about protocol definitions and
application filters and for a list of protocol definitions included with ISA
Server, see “Configuring protocol definitions” in ISA Server Help.

Creating a New Protocol Definition
To create a new protocol definition:
1. In ISA Management, in the console tree, right-click Protocol Definitions,
and then in the details pane, click Create a Protocol Definition.
2. In the New Protocol Definition Wizard, in the Name box, type the name of
the protocol definition, and then click Next.

3. On the Primary Connection Information page, specify a port number
between 1 and 65535 that the protocol uses for the initial connection.
Specify the protocol type, which is TCP or UDP. Specify the direction:
• Outbound (TCP only). An internal computer establishes the connection.
• Inbound (TCP only). An external computer establishes the connection.
• Send (UDP only). An internal computer sends packets without
expecting the external host to reply by using the same connection.
• Send/Receive (UDP only). An internal computer sends packets and
expects the external host to reply by using the same connection.
• Receive (UDP only). An external computer sends packets without
expecting the internal host to reply by using the same connection.
• Receive/Send (UDP only). An external computer sends packets and
expects the internal host to reply by using the same connection.
Importan
t
Delivery Tip
Point out that the settings
for direction are different for
the TCP protocol and the
UDP protocol. This
difference is because UDP
is a connectionless protocol
and TCP is a connection-
oriented protocol.
16 Module 3: Enabling Secure Internet Access

4. On the Secondary Connections page, specify whether to use secondary
connection settings. If the protocol that you are defining uses secondary
connections, for each secondary connection, click New, and then specify the
port range, protocol type, and the direction of the secondary connection,

click OK, and then click Next.
5. On the Completing the New Protocol Definition Wizard page, review your
choices, and then click Finish.

Module 3: Enabling Secure Internet Access 17

Creating Content Groups
ISA Server includes several
preconfigured content groups.
ISA Management
Action View
Tree
Name Description Content Types
Internet Security and Acceleration Server
Servers and Arrays
LONDON
Monitoring
Computer
Access Policy
Publishing
Bandwidth Rules
Policy Elements
Schedules
Bandwidth Priorities
Destination Sets
Client Address Sets
Protocol Definitions
Application Applications application/hta.application/x-internet-signup.application/x-pkcs7-certific
Application Data Files Files containing data for applications application/x-mscardfile.application/x-perform.application/x-msclip.appl
Audio Audio files audio.*,.ra,.ram,.rmi,.au,.snd,.aif,.aifc,.wav,.m3u,.mid,.mp3

Compressed Files Compressed Files application/x-gzip,application/x-tar,application/x-gtar,application/x-com
Documents Documents text/tab-separated-values,text/xml,text/h323,application/postscript,appl
HTML Documents HTML Documents text/webviewhtml,text/html,.htm,.html,.htt,.stm,.xsl
Images All known types of images .cod,.cmx,.ief,.pbm,.pnm,.ppm,.gif,.bmp,.jfif,.jpe,.jpg,.jpeg,.ico,.pgm,.ras
Macro Documents Documents that may contain macr… application/msword,application/vnd.ms-excel,application/x-msaccess,a
Text Text content .txt,.h,.c,.htc,.vcf,.etx,.uls,.css,.bas,.rtx,text/plain,text/x-component,text/
Video Video files video/*,.asf,.asr,.asx,.avi,.ivf,.lsf,.lsx,.mov,.movie,.mlv,.mp2,.mpa,.mpe,.
VRML VRML x-world/x-vrml,.flr,.wrl,.wrz,.xaf,.xof

*****************************
ILLEGAL FOR NON
-
TRAINER USE
******************************
Content groups define types of Web content. Use content groups to create rules
that allow or deny access to Web requests based on the type of content. When
you create content groups, you must specify the content's Multipurpose Internet
Mail Extensions (MIME) type and file extension. ISA Server uses MIME types
when applying rules to HTTP traffic and file extensions when applying rules to
FTP traffic. ISA Server includes many predefined content groups. You can also
define new content groups when you want to create a rule that is not predefined.


For a list of default MIME types and files extensions, see “Configuring
content groups” in ISA Server Help.

To create a content group:
1. In ISA Management, in the console tree, right-click Content Groups, point
to New, and then click Content Group.
2. In the New Content Group dialog box, in the Name box, type the name of

the content group.
3. In the Description box, type a description for the content group.
4. In the Available Types box, do one of the following:
To In the Available types box

Select an existing content type Select a file extension or a MIME type.
Add a new content type Type a new file extension or a MIME type.

5. Click Add, repeat this step for additional content types, and then click OK.


ISA Server uses content groups only when applying rules to HTTP
requests from all client types and to FTP requests from Web Proxy clients.

Topic Objective
To describe the procedure
that you use to create
content groups.
Lead-in
In addition to limiting access
to particular destinations,
you can apply rules to
specific content groups.
Note
Key Points
Explain that ISA Server only
uses content groups when
applying rules to HTTP
requests from all client types
and to FTP requests from

Web Proxy clients.
Important