Contents
Overview 1
Securing the Server 2
Examining Perimeter Networks 6
Examining Packet Filtering and IP Routing 10
Configuring Packet Filtering and IP Routing 17
Configuring Application Filters 24
Lab A: Configuring the Firewall 35
Review 45

Module 6:
Configuring the Firewall

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.



© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels,
Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann

CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart



Module 6: Configuring the Firewall iii

Instructor Notes
This module provides students with the knowledge and skills to configure
Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a firewall.
After completing this module, students will be able to:

Secure the ISA Server computer.

Explain the use of perimeter networks.

Explain the use of packet filtering and Internet Protocol (IP) routing.

Configure packet filtering and IP routing.

Configure application filters.


Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_06.ppt.
Preparation Tasks
To prepare for this module, you should:

Read all of the materials for this module.

Complete the lab.

Study the review questions and prepare alternative answers to discuss.

Anticipate questions that students may ask. Write out the questions and
provide the answers.

Read “Using Packet Filtering,” “Using extensions,” “Internet Security,”
“Perimeter Network Scenarios,” and “ISA Server system Security” in ISA
Server Help.

Read Module 9, “Implementing Security in Windows 2000,” in Course
2152, Implementing Microsoft Windows 2000 Professional and Server.

Read Module 3, “Enabling Secure Internet Access,” Module 7,
“Configuring Access to Internal Resources,” and Module 8, “Monitoring
and Reporting,” in Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.


Review RFC 792, “Internet Control Message Protocol,” under Additional
Readings on the Trainer Materials compact disc.

Presentation:
75 Minutes

Lab:
30 Minutes

Module Strategy
Use the following strategy to present this module:

Securing the Server
Discuss the best practices for securing computers, explaining that the list in
the module is not comprehensive but is meant to be a guideline. Explain that
the ISA Server Security Configuration Wizard changes several operating
system settings to pre-configured values and emphasize that ISA Server
includes no automatic method of reverting back to the original values.

Examining Perimeter Networks
Briefly describe the use of perimeter networks, which were introduced in
Module 1. Ensure that students understand that ISA Server treats both the
Internet and the perimeter network as external networks, which requires that
you enable IP routing to move network packets between the networks.

Examining Packet Filtering and IP Routing
Explain that the packet filtering and routing functions of ISA Server provide
greater security than the packet filtering and routing functions of the
Microsoft Windows® 2000 Routing and Remote Access service. Emphasize
that you should use ISA Server, and not the Routing and Remote Access
service, to configure packet filtering and routing on an ISA Server
computer. Explain that ISA Server treats IP addresses that are in the Local
Address Table (LAT) as internal and does not apply packet filters to those
addresses. Explain that the decision to use IP routing to support a perimeter
network depends on the type of perimeter network.

Configuring Packet Filtering and IP Routing
Tell students to always confirm that ISA Server does not include a
predefined filter before creating a custom IP packet filter.

Configuring Application Filters
Explain that unlike IP packet filters, which make forwarding decisions
based on the header of each IP packet, application filters can examine entire
transactions between a client application and a server application. Explain
that some functionality of the Simple Mail Transfer Protocol (SMTP) filter
depends on the Message Screener component. Mention that the Message
Screener is an optional ISA Server component that you usually install on a
separate computer on your network. Explain that redirecting Hypertext
Transfer Protocol (HTTP) requests improves client performance and allows
you to apply site and content rules to Firewall clients and SecureNAT
clients. Explain that the H.323 filter enables users who use conferencing
applications, such as Microsoft NetMeeting®, to communicate with others
over the Internet.



Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Perform a full installation of ISA Server manually.

Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:


Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the ISA Server administration tools manually.

Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all ISA
Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Install the Firewall Client manually.


Setup Requirement 4
The lab in this module requires that all of the ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.


Configure the default gateway manually.

Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure Internet Explorer manually.

Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:

Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.

Configure IIS manually.

Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the
Internet by using any protocol. To prepare student computers to meet this
requirement, perform one of the following actions:

Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.

Create the rule manually.

Lab Results
Performing the lab in this module introduces the following configuration
changes:

The ISA Server computer is configured with the Basicdc.inf security
template.

ISA Server is configured to perform packet filtering and routing.



Overview

Securing the Server

Examining Perimeter Networks

Examining Packet Filtering and IP Routing

Configuring Packet Filtering and IP Routing


Configuring Application Filters

Microsoft® Internet Security and Acceleration (ISA) Server 2000 includes
several security features to help you enforce your security policies. The ISA
Server Security Configuration Wizard enables you to set the appropriate level
of system security for the operating system. Packet filtering helps prevent
unauthorized access to your internal network by inspecting incoming traffic and
blocking packets that do not meet your specified security criteria. Internet
Protocol (IP) routing allows you to forward network packets according to rules
that you define. Application filters control application-specific traffic to
determine if network traffic should be accepted, rejected, redirected, or
modified.

Important: The packet filtering and routing functions of ISA Server provide
greater security than the packet filtering and routing functions of the
Microsoft Windows® 2000 Routing and Remote Access service. To provide the most
comprehensive security for your internal network, use ISA Server, not the
Routing and Remote Access service, to configure packet filtering and routing
on an ISA Server computer.


After completing this module, you will be able to:

Secure the ISA Server computer.

Explain the use of perimeter networks.

Explain the use of packet filtering and IP routing.

Configure packet filtering and IP routing.

Configure application filters.






Securing the Server

Best Practices


Setting System Security

ISA Server is an important component of an overall security strategy, but
network security consists of many elements. Using security best practices will
also help you to secure your network effectively.
ISA Server includes the ISA Server Security Configuration Wizard, which you
can use to apply system security settings to a single ISA Server computer or to
all of the servers in an array. The ISA Server Security Configuration Wizard
uses security templates that are included with Microsoft Windows 2000 Server
to configure the operating system for different levels of security. You can set
the appropriate level of system security, depending on how ISA Server
functions in your network.


Best Practices
Stay Informed About Security Issues
Install the Latest Service Pack and Security Updates
Do Not Run Unnecessary Services or Accept Unnecessary Packets
Audit Security-Related Events and Review the Associated Log Files
Document All Aspects of Your Network Configuration
Understand the Network Protocols that You Use With ISA Server
Maintain Physical Security

Because the ISA Server computer is often directly connected to the Internet, it
is important that you adequately secure that computer. The following list
presents security best practices to use as guidelines when securing computers in
your network, and particularly the ISA Server computer:

Stay informed about security issues pertaining to Windows 2000 and ISA
Server. For security bulletins and other security-related information, see the
Microsoft Security Web site at You
may also want to subscribe to security-related mailing lists.


Install the latest service pack and security updates. Before installing any
service packs or updates, test them thoroughly in a lab environment.

Do not run unnecessary services on the ISA Server computer, and configure
ISA Server with rules that allow only required network traffic to pass
through the ISA Server computer.

Audit security-related events and frequently review the associated log files.

Note: For more information about Windows 2000 auditing, see Module 9,
“Implementing Security in Windows 2000,” in Course 2152, Implementing
Microsoft Windows 2000 Professional and Server. For more information
about monitoring ISA Server security, see Module 8, “Monitoring and
Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.


Document all aspects of your network configuration. Maintaining
documentation helps you to detect intrusion and recover from intrusion
incidents.

Understand the network protocols that you use with ISA Server. A thorough
understanding of these protocols will help to ensure that you configure ISA
Server properly.

Maintain physical security. Anyone with physical access to the ISA Server
computer can gain complete control of the computer.
Delivery Tip: Explain that this list is not comprehensive, but is meant to
present guidelines for securing the ISA Server computer.

Setting System Security

Security Level     Server Templates   Domain Controller Templates
Dedicated          Hisecws.inf        Hisecdc.inf
Limited Services   Securews.inf       Securedc.inf
Secure             Basicsv.inf        Basicdc.inf

When configuring the security settings of the ISA Server computer, you can use
the ISA Server Security Configuration Wizard to increase the security of
several components of Windows 2000. Securing the ISA Server computer is
especially important when that computer is directly connected to the Internet.
You can select from one of the following security levels in the ISA Server
Security Configuration Wizard:


Dedicated. Use this setting when an ISA Server computer is functioning as
a dedicated firewall with no other applications.

Limited Services. Use this setting when the ISA Server computer is
functioning as a combined firewall and cache server. An ISA Server
computer can also be protected by an additional firewall.

Secure. Use this setting when the ISA Server computer performs other
functions, such as running a Web server, a database server, or a mail server.


Caution: The ISA Server Security Configuration Wizard changes several
operating system settings to pre-configured values. To change all of these
settings back to the original values, you must document or export the settings
before running the wizard and then reconfigure all of the values. ISA Server
includes no automatic method of reverting back to the original values.


Applying Security Templates

The security template that the ISA Server Security Configuration Wizard
applies depends on the security setting that you select and the type of computer
that you are using.
To run the ISA Server Security Configuration Wizard, the
systemroot\security\templates folder must contain the required template. If the
required template is missing, the ISA Server Security Configuration Wizard
fails to run. To add a missing template, you must copy it from the Microsoft
Windows 2000 Server compact disc to the Templates folder on your computer.
ISA Server uses the templates listed in the following table.
Security level     For a server   For a domain controller
Dedicated          Hisecws.inf    Hisecdc.inf
Limited Services   Securews.inf   Securedc.inf
Secure             Basicsv.inf    Basicdc.inf


Note: For more information about security templates, see Module 9,
"Implementing Security in Windows 2000," in Course 2152, Implementing
Microsoft Windows 2000 Professional and Server.

Use the ISA Server Security Configuration Wizard to apply system security
settings to an ISA Server computer.
To run the Wizard:
1. In ISA Management, in the console tree, expand your server or array, and
then click Computer or Computers.
2. In the details pane, right-click the applicable server, click Secure, and then
follow the on-screen instructions to complete the wizard.

Viewing Configuration Changes
When you run the ISA Server Security Configuration Wizard, ISA Server
creates a log file of all of the changes. ISA Server names this file securwiz.log
and places it in the ISA Server installation directory. You can review this file to
see the actions that the wizard performed.





Examining Perimeter Networks

Perimeter Networks

Three-Homed Perimeter Network

You can deploy ISA Server as a firewall that acts as a secure gateway to the
Internet for internal clients. ISA Server protects all of the communication
between the internal computers and the Internet. In a simple firewall design, the
ISA Server computer has two network interface cards, one connected to the
local network and one connected to the Internet. In more complex designs, such
as a design that includes a perimeter network with one or more published
servers, you may also need to configure the ISA Server computer for IP routing.

Perimeter Networks
(Figure: a firewall separating the Internet, the perimeter network, and the internal network.)

A perimeter network, also known as a DMZ, demilitarized zone, or screened
subnet, is a small network that you set up separately from an internal network
and the Internet. Perimeter networks allow external users to gain access to
specific servers that are located on the perimeter network, while preventing
direct access to the internal network.
Perimeter Network Uses

A perimeter network is commonly used for deploying an organization’s
publicly accessible servers, such as e-mail servers and Web servers. Permitting
access to the perimeter network does not allow access to other company data
that may be available on computers in the internal network. Even if an external
user penetrates the perimeter network security, only the perimeter network
servers are compromised.
Perimeter Network Configurations
Typically, a perimeter network uses one of the following configurations:

Back-to-back perimeter network configuration. Uses two ISA Server
computers on either side of the perimeter network to protect the network.

Note: For more information on how to make server resources in a back-to-back
perimeter network available, see Module 7, “Configuring Access to
Internal Resources,” in Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.


Three-homed perimeter network configuration. Uses the same ISA Server
computer with the perimeter network to protect the internal network. The
ISA Server computer is three-homed, which means that it is connected to
three networks: the Internet, the perimeter network, and the internal
network.


Three-Homed Perimeter Network
(Figure: one ISA Server computer with three network adapters connecting the Internet, the perimeter network, and the internal network; IP routing and packet filtering are enabled.)

In a three-homed perimeter network configuration, a stand-alone ISA Server
computer or an array of ISA Server computers connects the Internet, the
perimeter network, and the internal network. ISA Server treats both the Internet
and the perimeter network as external networks, which requires that you enable
IP routing to move network packets between the networks.
Setting Up the ISA Server Computer
To set up an ISA Server computer in a three-homed perimeter network
configuration, install and configure each network adapter as follows:
1. Connect one network adapter to the internal network. Include all of the
internal IP addresses in the local address table (LAT).
2. Connect the second network adapter to the perimeter network. Do not add
the IP addresses of the perimeter network to the LAT.
3. Connect the third network adapter to the Internet. Do not add any IP
addresses from the Internet to the LAT.


Note: Placing certain types of servers, especially File Transfer Protocol (FTP)
servers, into three-homed perimeter network configurations may create security
risks. For more information about these risks, see “Three-homed perimeter
network configuration” in ISA Server Help.


Configuring the Perimeter Network
The Microsoft Web Proxy service and the network address translation
component of the Microsoft Firewall service move network packets between
only an internal network and an external network or vice versa. Because ISA
Server treats both the Internet and your perimeter network in a three-homed
perimeter network configuration as external networks, you must use IP routing
to move network packets between the Internet and the perimeter network.
To set up a three-homed ISA Server computer in a perimeter network, perform
the following actions:

Enable IP routing.

Enable packet filtering.

Create the appropriate IP packet filters to allow routing of the correct IP
packets to each of the servers in the perimeter network.

For example, to make a Simple Mail Transfer Protocol (SMTP) server on the
perimeter network available to users on the Internet, you must enable IP routing
and packet filtering. You then need to create an IP packet filter that configures
the ISA Server computer to route all of the required packets from the Internet to
the mail server.
Delivery Tip: Tell students that IP routing, packet filtering, and IP packet
filters will be covered later in this module.





Examining Packet Filtering and IP Routing

Controlling Network Traffic

Understanding Packet Filtering


Using IP Routing and Packet Filtering

Guidelines for Using Packet Filtering and IP Routing

You can control the flow of IP packets to and from the external network
interface of an ISA Server computer by using packet filtering and IP routing.
By using packet filtering, you can allow or block IP packets that are destined
for the ISA Server computer or for specific computers on your perimeter
network or internal network. You can also use packet filtering to block
packets that originate from your internal network.
When you enable routing on a Windows 2000 computer, that computer routes
all traffic between the Internet and your internal network. In this case, the
computer acts as a router, which is a device that connects separate networks by
forwarding packets between them.
By enabling both packet filtering and IP routing in ISA Server, you gain the
benefits of strict policy enforcement by using packet filters and establish the
correct routing behavior for protocols that use secondary network connections
after establishing a primary connection.

Important: You can enable packet filtering only if you install ISA Server in
Firewall mode or in Integrated mode.


Controlling Network Traffic

Web Proxy Service

Firewall Service -- Proxy

Firewall Service -- Routing

You can use ISA Server to control the flow of IP packets between different
networks, typically your internal network and the Internet. ISA Server controls
IP packets by using the following services and methods:

Web Proxy service. The Web Proxy service receives outgoing Web requests
from internal Web Proxy clients and then forwards these requests to Web
servers on the Internet. The packets are never directly exchanged between
the internal Web Proxy client and the Web server on the Internet.

Note: The Web Proxy service can also process incoming Web requests for
internal Web servers, which is called Web publishing. For more information
about Web publishing, see Module 7, “Configuring Access to Internal
Resources,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.


Firewall service -- proxy. The Firewall service processes requests from
internal Firewall clients and SecureNAT clients that use the User Datagram
Protocol (UDP) or the Transmission Control Protocol (TCP) to gain access to
external network resources. The Firewall service intercepts IP packets,
changes the IP header information, and then sends the packets to the external
server. To the external server, the IP packets appear to originate from the
ISA Server computer.

Firewall service -- routing. The Firewall service can also route IP packets
between networks. Routing forwards network packets between different
networks without changing the IP addresses and ports in the IP packet
header. The Firewall service also uses rules to determine whether to route a
packet. You define these rules by creating IP packet filters.


Understanding Packet Filtering
(Figure: an ISA Server computer between the internal network and the perimeter network, with interface addresses 131.107.1.1, 131.107.2.1 and 192.168.1.1, and a perimeter server at 131.107.2.200. The packet filter shown:)

Protocol   Direction   Destination / Port    Source / Port   Type
UDP        Incoming    131.107.2.200 / 53    Any / Any       Allow

Packet filtering allows you to control which packets an ISA Server computer
accepts on an external network interface.

Important: ISA Server treats all network interfaces that are not configured with
an IP address that is in the LAT as external. If one or more of the IP addresses
that are associated with a network interface are in the LAT, ISA Server treats
the network interface as internal and does not apply packet filters.

IP Packet Headers
You control IP packets by using the following IP packet header information:

Source IP address and port

Destination IP address and port

IP protocol information

When you create a packet filter that allows bi-directional traffic, ISA Server
also dynamically opens the appropriate ports that allow packets to return to the
IP address and port of the original packet.

For example, suppose you create a packet filter that allows incoming packets to
UDP port 53 on a server on your perimeter network, and a computer on the Internet
sends a packet to the server. ISA Server automatically allows outgoing network
packets to pass from UDP port 53 on your perimeter network server to the IP
address and port number that initiated the connection.

Important: Dynamic packet filters that allow packets to return to the IP address
and port of the original packet are in effect for only the duration of the session.
Also, you cannot modify a dynamic rule.


Types of Packet Filters
You control which packets are allowed to traverse an external network interface
of the ISA Server computer by using the following types of packet filters:


Allow filters. Used to define which packets the external network adapter
accepts. ISA Server accepts only packets that meet the conditions of an Allow
filter.

Block filters. Used to define exceptions to Allow filters. ISA Server drops
packets that meet the conditions of a Block filter, even though they may also
meet the conditions of an Allow filter. For example, you can create an
Allow filter to permit incoming SMTP traffic to a mail server. You can then
create a Block filter to deny access to the mail server for an IP address that
was the origin of a previous intrusion attempt. You can also use packet
filters to override protocol rules that allow client connections.
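As an added illustration (not ISA Server code), the following Python model encodes the evaluation order described above and under Types of Packet Filters: a Block filter overrides any Allow filter, a bidirectional Allow filter opens a dynamic reply filter that lasts only for the session, and anything not explicitly allowed is dropped. The filter on the slide (UDP incoming to 131.107.2.200 port 53 from Any/Any) is the sample data; any other addresses are constructed.

```python
# Constructed Python model of ISA Server packet-filter decisions (added example,
# not ISA Server code): Block filters override Allow filters, a bidirectional
# Allow filter opens a dynamic reply filter for the session, all else is dropped.
from dataclasses import dataclass

ANY = "Any"   # wildcard for an address or port, as in the wizard's "Any"

@dataclass(frozen=True)
class Packet:
    proto: str; direction: str    # e.g. "UDP", "Incoming"/"Outgoing"
    local: str; lport: int        # endpoint on the ISA Server/perimeter side
    remote: str; rport: int       # peer on the external network

@dataclass(frozen=True)
class Filter:
    mode: str; proto: str; direction: str      # mode is "Allow" or "Block"
    local: object = ANY; lport: object = ANY
    remote: object = ANY; rport: object = ANY
    bidirectional: bool = False

    def matches(self, p):
        want = (self.proto, self.direction, self.local, self.lport, self.remote, self.rport)
        return all(w in (ANY, h) for w, h in zip(want, _key(p)))

def _key(p, direction=None):
    return (p.proto, direction or p.direction, p.local, p.lport, p.remote, p.rport)

class PacketFilterEngine:
    def __init__(self, filters):
        self.filters = list(filters)      # static Allow and Block filters
        self.sessions = set()             # dynamic reply filters, one per session

    def decide(self, p):
        if any(f.mode == "Block" and f.matches(p) for f in self.filters):
            return "Block"                # a Block filter overrides any Allow filter
        if _key(p) in self.sessions:
            return "Allow"                # reply covered by a dynamic filter
        for f in self.filters:
            if f.mode == "Allow" and f.matches(p):
                if f.bidirectional:       # open the reverse path for this session
                    back = "Outgoing" if p.direction == "Incoming" else "Incoming"
                    self.sessions.add(_key(p, back))
                return "Allow"
        return "Block"                    # nothing allowed it explicitly

    def end_session(self, p):
        # Dynamic filters last only for the session; drop the reply entry.
        self.sessions.discard(_key(p))
```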

Using IP Routing and Packet Filtering
In some situations, you must use IP routing, packet filtering, or both IP routing
and packet filtering.
Situations That Require IP Routing
Use IP routing for the following situations:

Servers in a three-homed perimeter network. ISA Server treats both three-
homed perimeter networks and the Internet as external networks and routes
packets between them. When you allow users on the Internet to connect to a
server on a three-homed perimeter network, you must configure ISA Server
to perform IP routing between these networks.

Note: Allowing external users to gain access to resources on servers on a
back-to-back perimeter network requires different configuration steps. For
more information about making servers in a back-to-back perimeter network
available to the Internet, see Module 7, “Configuring Access to Internal
Resources,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.


Protocols other than UDP and TCP. The Web Proxy service handles
outgoing requests that are using the Hypertext Transfer Protocol (HTTP),
Hypertext Transfer Protocol-Secure (HTTP-S), or FTP protocols. The
Firewall service handles requests from any application that uses the UDP
and TCP protocols. For all other protocols, ISA Server must route the
packets.


Situations That Require Packet Filtering
Use packet filtering for the following situations:

Services running on the ISA Server computer. When a service is running on
an ISA Server computer, you must create an IP packet filter that allows
incoming packets for the port associated with that service.
For example, if the ISA Server computer is also functioning as an external
Domain Name System (DNS) server, you must allow incoming DNS query
packets. To allow the DNS query packets, create an IP packet filter that
allows incoming packets to the ISA Server computer on TCP and UDP
port 53.

Applications running on the ISA Server computer. When you run an
application on the ISA Server computer that needs to connect to the Internet,
you must create one or more IP packet filters that allow the appropriate
outgoing packets. An application running on the ISA Server computer
cannot use the Firewall service to connect to the Internet because
configuring the ISA Server computer as a Firewall client is not supported.
Instead, the application must establish a direct connection to the Internet,
which requires you to create packet filters that allow the appropriate
network traffic.
For example, to allow an e-mail client application that is running on the ISA
Server computer to connect to an SMTP server, create an IP packet filter
that allows packets to pass from the ISA Server computer to TCP port 25 on
a remote SMTP server.

Important: Do not create packet filters for outgoing traffic from internal
clients that pass through the Firewall service or the Web Proxy service.
Because ISA Server automatically and dynamically opens the ports that are
required to handle such communications based on the protocol rules that you
configured, no packet filters are required provided that all client requests use
the TCP or UDP protocol.


Servers in a three-homed perimeter network. When you allow users on the
Internet to connect to a server on a three-homed perimeter network, you
must create IP packet filters to open the ports that are required for ISA
Server to accept and route packets to services that are running on the server
in the perimeter network.

For example, to allow external clients to connect to an SMTP server in a
perimeter network, create an IP packet filter that allows incoming packets
for TCP port 25 on the SMTP server.

Protocols other than UDP and TCP. Because ISA Server routes all requests
from SecureNAT clients that use protocols other than TCP or UDP, you
must configure the appropriate packet filters to allow this traffic to pass
through the ISA Server computer.
For example, to allow clients to use the Ping utility, which uses the Internet
Control Message Protocol (ICMP) protocol, create an IP packet filter for
internal clients by using the predefined filter “ICMP all outbound”.


Guidelines for Using Packet Filtering and IP Routing

Use the following guidelines when using packet filtering, IP routing, or both.
Packet Filtering and IP Routing Not Enabled
When you do not enable packet filtering or IP routing, ISA Server does not
apply packet filters to incoming network traffic, which lowers the protection of
the ISA Server computer. Use this combination of settings only to optimize
performance and when the external interface of the ISA Server computer is
connected to a network that you have control over, for example, when using
ISA Server to forward traffic from a branch office by using a leased line.
Packet Filtering Enabled and IP Routing Not Enabled
When you enable packet filtering, ISA Server drops all of the IP packets on
external network interfaces unless they are explicitly allowed by static or
dynamic rules. The ISA Server computer also does not forward packets
directly. Use this setting when:

All client connections use the UDP or TCP protocol.

You do not need to forward packets between the Internet and a three-homed
perimeter network configuration.

Packet Filtering and IP Routing Enabled
When combining packet filtering and IP routing, you gain the security benefits
of packet filtering, the ability to route protocols other than TCP or UDP, and the
ability to route between the Internet and a three-homed perimeter network. Use
this configuration in situations that require both security and routing.
Packet Filtering Not Enabled and IP Routing Enabled
You cannot configure ISA Server to route packets without enabling packet
filtering because of the low level of security that such a configuration would
provide. If your network configuration requires a router, evaluate the Routing
and Remote Access service in Windows 2000.

Configuring Packet Filtering and IP Routing

Enabling Packet Filtering and IP Routing

Creating IP Packet Filters

Configuring Packet Filter Options

You must enable packet filtering and IP routing to forward IP packets from one
external network to another external network. You can then create IP packet
filters to allow incoming packets for specific ports and services. To increase the
security of your ISA Server computer, you can configure packet-filtering
settings.

Enabling Packet Filtering and IP Routing
[Slide: the IP Packet Filters Properties dialog box, General tab, with the check boxes Enable packet filtering, Enable Intrusion detection, and Enable IP routing; the dialog box also has Packet Filters, Intrusion Detection, and PPTP tabs.]

When you enable packet filtering, ISA Server monitors the IP packets that pass
through the external network adapter on the ISA Server computer. In addition
to packet filtering, you must enable IP routing to forward IP packets from one
external network to another external network, such as the Internet and a three-
homed perimeter network. You must also enable IP routing when client
computers use network protocols other than the TCP and UDP protocols.
To enable packet filtering and IP routing:
1. In ISA Management, in the console tree, expand your server or array,
expand Access Policy, right-click IP Packet Filters, and then click
Properties.
2. On the General tab, ensure that the Enable packet filtering check box is
selected.
3. Click the Enable IP routing check box, and then click OK.


Creating IP Packet Filters
[Slide: New IP Packet Filter Wizard flow, from Start to Finish: Name the Filter, Select the Filter Mode, Select the Filter Type, Configure Filter Settings, Select Local IP Address, Select Remote Computer(s).]
Before you create an IP packet filter, you must identify the associated protocols
and ports for the specified packets. You must also identify the IP addresses or
IP address ranges of the computers for the source and destination.
To create a new IP packet filter:
1. In ISA Management, in the console tree, expand your server or array,
expand Access Policy, click IP Packet Filters, and then in the details pane,
click Create a Packet Filter.
2. In the New IP Packet Filter Wizard, type a name that describes the filter,
and then click Next.
3. On the Filter Mode page, select Allow packet transmission or Block
packet transmission, and then click Next.
4. On the Filter Type page, select Custom or Predefined to specify the type
of filter to create, and then click Next.

Important: Before creating a custom filter, always confirm that ISA Server
does not include a predefined filter that meets your requirements.

5. If you select a custom filter, on the Filter settings page, enter the following
information, and then click Next.