
Microsoft ISA Server 2004 Firewall, Part 2


SecureNAT Client
The SecureNAT client is effectively any device that communicates through the ISA Server 2004 firewall without being configured as one of the other client types. For all intents and purposes, this is the traditional "point to the firewall as the default gateway" type of client, so practically any TCP/IP host can communicate through the firewall as a SecureNAT client. Although it is easy to implement (no configuration is required beyond enabling network communications on the host and pointing its default route at the firewall), the SecureNAT client is the least secure and least capable of the three client types. SecureNAT clients cannot authenticate to the firewall, so access cannot be granted or denied on a per-user basis, and they cannot use complex protocols (protocols that open multiple connections, such as standard active-mode FTP, where the server opens the data connection back to the client) unless an application filter for that protocol is installed on the firewall itself.
Firewall Client
The ISA Server 2004 firewall client is one of the components of an ISA Server 2004 solution that really separates it from the competition in the degree of control it gives you over access. The firewall client software can be installed only on Windows-based clients, which is a limitation in environments that use Linux, Sun, UNIX, or Mac computers. Once implemented, however, the firewall client enables you to define access to external resources based on users and groups, to authenticate every access request so that only the users you have specified are allowed to communicate, and to define how they can communicate. The authenticated user name is recorded in the firewall log files, making it straightforward to perform a forensic analysis of which sites, protocols, and applications a given user was accessing or running.
Perhaps the most powerful feature of the firewall client is its ability to enforce security controls on the client itself (for example, allowing only applications that you explicitly permit to make network connections, or allowing only certain ports on the client to be used for communications). A task that is relatively difficult with most firewalls is preventing users from running instant messaging and peer-to-peer applications. Almost all instant messaging applications can fall back to HTTP (or whatever other protocol is open) as their transport, which makes them hard to block effectively at the firewall, and many peer-to-peer applications can do the same. With the firewall client, you can define the names of application executables that are not allowed to use the network, and the firewall client software blocks them. Keep in mind that this control is based on the executable's file name, so a user who can rename the application executable can bypass the restriction.
Web Proxy Client
The web proxy client is used whenever an application on a computer (most commonly its web browser) is configured to use a proxy and the ISA Server 2004 server is specified as that proxy. Although web browsers are the most common proxy-aware applications, instant messaging software and other applications that support a proxy can also be configured as web proxy clients.
The web proxy client improves the performance of web access because the firewall can cache retrieved content and serve subsequent requests out of cache, which also reduces bandwidth requirements, as discussed in the next section. The web proxy client also supports authentication for access, similar to the firewall client, providing a mechanism to control and track access on a per-user basis.
Web Caching Server Functionality
Although technically not a firewall or security feature, the ISA Server 2004 server provides full caching server functionality. This allows the server to transparently cache web requests and then service subsequent requests for the same content out of cache, reducing the bandwidth used for client web browsing. It also allows the ISA Server 2004 server to function as a proxy, retrieving content on behalf of clients.
Network Services Publishing
To provide external access to protected resources, ISA Server 2004 implements what are known as publishing rules. These rules apply inbound (ingress) filtering to resources that are protected by the firewall. For example, if you have a web server that needs to provide services to external clients, you would use network services publishing (specifically a web server publishing rule) to "publish", or provide access to, the protected web server.
There are four types of publishing rules:
Web server publishing rule
Secure web server publishing rule
E-mail server publishing rule
Server publishing rule
As you would expect, the first three rule types are specialized to handle the corresponding kinds of network service. The server publishing rule is the generic catchall rule type for any and all other publishing requirements.
VPN Functionality
Microsoft ISA Server 2004, like many other firewalls, also provides integrated VPN functionality, allowing you to use the ISA Server 2004 both as one end of a site-to-site VPN and as a termination point for remote access VPN services. Previous versions supported the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol over IP Security (L2TP/IPsec); ISA Server 2004 additionally supports native IPsec tunnel mode VPN implementations.
Because the VPN functionality is integrated with the firewall, ISA Server 2004 can also apply stateful packet filtering and inspection to the decrypted VPN traffic passing through the firewall, providing additional security and control over all traffic entering or leaving the protected network. This enables you, for example, to limit remote sales users to a subset of the servers and services on the protected network.
Management and Administration Features
Arguably the most deficient aspects of previous versions of ISA Server were that the management interface was not intuitive, the access rule management methodology was contrary to almost every other product on the market, and the monitoring and reporting capabilities left a lot to be desired. ISA Server 2004 has gone a long way toward correcting these deficiencies.
Management Interface
As shown in Figure 8-2, ISA Server 2004 uses the Microsoft Management Console (MMC) to provide its management interface. The console can either be run locally on the ISA server by using Terminal Services (TS) or Remote Desktop (RDP) to start a terminal session, or be installed on a remote system (such as the administrator's desktop) to allow remote management of all ISA Server 2004 resources in the environment. In the TS/RDP case, the terminal session protocol handles protection and encryption of the data over the network. In the case of a management console installed on a remote system, Microsoft is intentionally vague as to what, if any, encryption or protection is applied to the data transmitted between the management console and the ISA Server 2004 server. As with other Microsoft products, administrative access is granted through Windows users and groups, and additionally by defining the individual IP addresses or address ranges that are allowed to make management connections.
Figure 8-2. ISA Server 2004 Management Console
In addition, some third-party web-based management interfaces can be implemented,
allowing for the management of the ISA server to be performed via a web browser, thus
eliminating the need to install a management client for remote management.
Access Rule Management
Access rule management has also been greatly simplified, and now follows conventions that have long been established for firewall rule management. Unlike publishing rules, which define inbound (ingress) filters, access rules define outbound (egress) filters that control traffic sourced from a protected network. Access rules are evaluated in order, and the first rule that matches a request decides it; a request that matches no rule is denied by the built-in default rule. Each rule has the following components, which can be defined in a wizard-driven fashion:
Rule name
Rule action (permit/deny)
Protocol the rule applies to
Source traffic
Destination traffic
Users to which the rule applies
An important distinction to be aware of is that for SecureNAT clients, a rule whose protocol set is "all IP traffic" actually covers only the protocols that are defined on the firewall. Traffic from a SecureNAT client on a port for which no protocol definition exists does not match such a rule, so if you want to filter on that traffic you must first define the protocol yourself.
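As an added example (it is not ISA Server code and not from the book), the following Python model evaluates an ordered access-rule list in the first-match manner described above, for the three client types discussed earlier. The `Request` and `Rule` classes, the protocol definitions, the network names and the rule names are assumptions made for the illustration. It shows the distinction just stated: a firewall client authenticated as a Sales user on an undefined port is allowed by the "All IP traffic" rule, a SecureNAT client on the same port matches nothing and falls through to the default deny rule, while the same SecureNAT client on a defined protocol (SMTP) is allowed by the "All Users" rule.

```python
"""First-match model of ISA Server 2004 access rules.

Added example, not ISA Server code. It models only what the text states:
rules are evaluated in order, firewall and web proxy clients can
authenticate while SecureNAT clients cannot, and a rule for "All IP traffic"
reaches a SecureNAT client only for protocols the firewall has defined.
"""
from dataclasses import dataclass
from typing import Optional

ALL_IP = "All IP traffic"

# Assumption: protocol definitions keyed by (transport, port), like the
# protocol elements in the ISA console. Only these count as "defined".
DEFINED_PROTOCOLS = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 25): "SMTP",
    ("tcp", 21): "FTP",
    ("udp", 53): "DNS",
}


@dataclass(frozen=True)
class Request:
    client_type: str             # "securenat", "firewall" or "webproxy"
    src_net: str                 # ISA network the request arrives from
    dst_net: str                 # ISA network it is heading to
    transport: str
    port: int
    user: Optional[str] = None   # None: the client presented no credentials


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: frozenset         # protocol names, or {ALL_IP}
    src_nets: frozenset
    dst_nets: frozenset
    users: Optional[frozenset] = None   # None: "All Users"


def protocol_of(req: Request) -> Optional[str]:
    """Name of the defined protocol this request uses, or None if undefined."""
    return DEFINED_PROTOCOLS.get((req.transport, req.port))


def matches(rule: Rule, req: Request) -> bool:
    if req.src_net not in rule.src_nets or req.dst_net not in rule.dst_nets:
        return False
    if rule.users is not None:
        # A user-restricted rule needs credentials; SecureNAT never has any.
        # Modeling choice: an anonymous request simply fails to match here.
        if req.user is None or req.user not in rule.users:
            return False
    if ALL_IP in rule.protocols:
        if req.client_type == "securenat":
            # For SecureNAT, "all IP traffic" means only *defined* protocols.
            return protocol_of(req) is not None
        return True
    return protocol_of(req) in rule.protocols


def evaluate(policy, req: Request):
    """Return (action, rule name) of the first matching rule."""
    for rule in policy:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"        # ISA's final, built-in deny rule


INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})

# Assumed sample policy, in evaluation order.
POLICY = [
    Rule("Block FTP", "deny", frozenset({"FTP"}), INTERNAL, EXTERNAL),
    Rule("Sales anywhere", "allow", frozenset({ALL_IP}), INTERNAL, EXTERNAL,
         users=frozenset({"alice", "bob"})),
    Rule("Everyone outbound", "allow", frozenset({ALL_IP}), INTERNAL, EXTERNAL),
]

if __name__ == "__main__":
    probes = [
        Request("firewall", "Internal", "External", "tcp", 6881, user="alice"),
        Request("securenat", "Internal", "External", "tcp", 6881),
        Request("securenat", "Internal", "External", "tcp", 25),
        Request("firewall", "Internal", "External", "tcp", 6881, user="carol"),
        Request("securenat", "Internal", "External", "tcp", 21),
    ]
    for p in probes:
        print(p.client_type, p.user, f"{p.transport}/{p.port}",
              "->", evaluate(POLICY, p))
```

The model deliberately lets an anonymous request fall past a user-restricted rule; it does not reproduce how ISA prompts web proxy clients for credentials. The practical lesson is the same either way: if SecureNAT hosts must reach a port, give that port a protocol definition and an "All Users" rule, because neither the user-based rule nor the catch-all protocol set will pick them up.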
Monitoring and Reporting
Although monitoring and reporting are some of the less-elegant aspects of firewall
management, Microsoft made significant improvements to the monitoring and reporting
features of ISA Server 2004, providing the following capabilities:
Real-time monitoring of log entries and firewall sessions
Report customization and publishing
E-mail notification
Configurable log summary start times (the ability to pick any start time, as opposed to having to use a fixed start time such as midnight every day)
Improved SQL logging (the ability to log to a SQL Server database, allowing advanced SQL tools to query the data and build custom reports)
Microsoft Data Engine (MSDE) logging
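Both the firewall client section above (the authenticated user name recorded in the log files as a forensic trail) and the logging features listed here come down to reading the log. The following Python parser is an added example, not a Microsoft tool: it reads W3C extended-format log text (the `#Fields:` directive names the tab-separated columns, and `-` marks an empty field), then attributes each event to the logged user, or, where there is none (as for a SecureNAT client, which cannot authenticate), to the source IP alone. The sample log lines, the rule names and the particular column set are constructed for the example and only approximate ISA's configurable W3C field list.

```python
"""Parse ISA-style W3C extended log lines and attribute events to users.

Added example; not an ISA Server 2004 tool. The sample lines, rule names and
column set below are constructed for the illustration and only approximate
the (configurable) fields ISA writes to its W3C-format log files.
"""
from collections import defaultdict

# Assumed column set. In W3C extended format the #Fields: directive names the
# columns, data lines are tab-separated, and "-" means "no value".
_FIELDS = ["c-ip", "cs-username", "date", "time", "s-svcname", "r-host",
           "r-port", "cs-protocol", "sc-status", "rule", "cs-uri"]

# Constructed sample events: two authenticated users (firewall client / web
# proxy client) and one SecureNAT host that can only ever be logged by IP.
_ROWS = [
    ["10.0.0.21", "CORP\\alice", "2004-11-02", "09:14:03", "w3proxy",
     "www.example.com", "80", "http", "200", "Allow web for Sales",
     "http://www.example.com/"],
    ["10.0.0.21", "CORP\\alice", "2004-11-02", "09:16:40", "fwsrv",
     "mail.example.net", "25", "SMTP", "0", "Allow mail", "-"],
    ["10.0.0.34", "CORP\\bob", "2004-11-02", "09:20:11", "w3proxy",
     "update.example.org", "443", "https", "200", "Allow web for Sales",
     "update.example.org:443"],
    ["10.0.0.55", "-", "2004-11-02", "09:21:58", "fwsrv",
     "198.51.100.7", "6881", "Unknown", "0", "Default rule", "-"],
    ["10.0.0.55", "-", "2004-11-02", "09:22:30", "w3proxy",
     "www.example.com", "80", "http", "200", "Allow web for everyone",
     "http://www.example.com/news"],
]

SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
     "#Version: 1.0",
     "#Fields: " + " ".join(_FIELDS)]
    + ["\t".join(row) for row in _ROWS]) + "\n"


def parse_w3c(text):
    """Return one dict per data line, keyed by the most recent #Fields names."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no events
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, "
                             f"got {len(values)}")
        records.append({name: (None if v == "-" else v)
                        for name, v in zip(fields, values)})
    return records


def principal(rec):
    """The identity an event can be attributed to: the authenticated user when
    a firewall or web proxy client supplied one, otherwise just the source IP
    (all a SecureNAT client ever leaves behind)."""
    return rec["cs-username"] or f"anonymous@{rec['c-ip']}"


def hosts_by_principal(records):
    """Which destination hosts each principal contacted."""
    seen = defaultdict(set)
    for rec in records:
        seen[principal(rec)].add(rec["r-host"])
    return {who: sorted(hosts) for who, hosts in seen.items()}


def default_rule_hits(records):
    """Requests that matched only the built-in default rule, which denies
    everything: the denied-connection trail in the log."""
    return [(f"{rec['date']} {rec['time']}", principal(rec),
             rec["r-host"], rec["r-port"])
            for rec in records if rec["rule"] == "Default rule"]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for who, hosts in hosts_by_principal(recs).items():
        print(who, "->", ", ".join(hosts))
    for when, who, host, port in default_rule_hits(recs):
        print("denied", when, who, f"{host}:{port}")
```

The point the output makes is the one the firewall client section makes in prose: for the two authenticated users the trail is by name, whereas the SecureNAT host at 10.0.0.55 can only be tied to an address, which is exactly where DHCP lease records or switch port logs have to take over in an investigation.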
Miscellaneous Features
Although the ability to support multiple networks may sound like a given, multinetwork
support is actually a new feature of ISA Server 2004, allowing it to be implemented in
enterprise environments that contain multiple networks (both internal and perimeter
networks such as DMZ segments). In conjunction with this, you can define the
relationships between the networks and then use this information during rule creation. By
default, ISA Server 2004 supports the following networks:
The internal network (the subnet directly connected to the internal interface of the firewall)
The external network (any IP address that does not belong to another network)
The VPN clients network (any IP address that is assigned to a VPN client)
The local host network (the IP addresses of the firewall itself)
Remote VPN users represent one of the bigger security risks for most environments. These users typically connect to all sorts of networks outside the control of the IT department and then connect to their corporate network. A VPN client can thereby become a carrier of viruses, worms, and other malicious software and content, spreading it to the corporate network when it establishes its VPN connection. To help mitigate this risk, ISA Server 2004 includes VPN Quarantine Control. With VPN Quarantine Control, ISA Server 2004 can be configured to hold a connecting VPN client in a restricted quarantine network until it has been checked against policies such as the following. Note that the check itself is performed by a script that runs on the client and reports compliance back to the firewall, so it enforces policy on cooperating clients rather than providing an attestation that a deliberately hostile client could not forge.
All security updates and service packs defined by the administrator must be installed.
The client must have antivirus software installed and enabled.
The client must have personal firewall software installed and enabled.