CHAPTER 3
CONFIGURING SECURE INTERNET ACCESS
Once you have installed Microsoft Internet Security and Acceleration Server 2000 (ISA Server)
as a firewall, all Internet access for your client computers will be blocked by default.
Configuring client access may also entail configuring ISA Server’s Automatic Discovery feature,
which allows clients to connect automatically to an ISA Server on the network, and configuring a
dial-up entry in ISA Server.
Lesson 1:
Configuring Local Clients for Secure Internet Access
After you install ISA Server, you can begin to configure Internet access for the client computers.
For all client requests, ISA Server processes the request by analyzing access policy rules to
determine whether access is allowed. If the client request is allowed, ISA Server dynamically
opens and closes the ports required for the communication.
About ISA Server Clients
ISA Server supports the following three types of clients:
Assessing Client Requirements
Before you deploy or configure client software, assess the needs of your organization. Determine
which applications and services your internal clients require.
Essentially, your choice for each client computer is whether to install Firewall Client software on the
computer, or whether simply to configure the client as a SecureNAT client.
=======================================================================
winisa3.html PAGE 2 2002/05/15
Configuring SecureNAT Clients
SecureNAT clients do not require specific software to be deployed on the client computers.
Specifically, the default gateway for the SecureNAT clients must be properly configured. When
setting the default gateway property, identify which of the following two types of network topology
you are configuring:
Simple network. A simple network topology does not have any routers configured between
the SecureNAT client and the ISA Server computer.
Complex network. A complex network topology has one or more routers connecting
multiple subnets that are configured between a SecureNAT client and the ISA Server
computer.
Configuring SecureNAT Clients on a Simple Network
To configure SecureNAT clients on a simple network, you should set the SecureNAT client’s
default gateway settings to the IP address of the ISA Server computer’s internal network address
card.
Configuring SecureNAT Clients on a Complex Network
To configure SecureNAT clients on a complex network, you should set the default gateway settings
to the last router in the chain between the SecureNAT client and the ISA Server computer. In this
case, you do not have to change the default gateway settings for the SecureNAT clients.
Additional SecureNAT Configuration for Dial-up Networks
For both simple and complex networks relying upon a dial-up connection to the Internet, SecureNAT
clients require additional configuration. To establish Internet access outside of a Web browser from a
client computer that does not have Firewall Client installed, you must first create a dial-up entry policy
element in ISA Management, and then you need to configure the Network Configuration node
properties to use that dial-up entry when routing to upstream servers.
Resolving Names for SecureNAT Clients
SecureNAT clients will probably request objects both from computers in the local network and
from the Internet.
Internet Access Only
If your SecureNAT clients require Internet access only and do not need to resolve DNS names internal
to your network, you should configure the TCP/IP settings for these clients to use external (Internet-based)
DNS servers. You then need to create a protocol rule allowing the clients to use a DNS Query operation.
Internal Network and Internet Access
If SecureNAT clients will request data both from the Internet and from internal network servers, the
clients should use a DNS server located on the internal network. You should configure the DNS
server to resolve both internal and Internet addresses. Alternatively, you can configure the
clients’ TCP/IP properties to use an external DNS server as the preferred server and your
internal DNS server as the alternate DNS server.
Firewall Clients
A firewall client is a computer with Firewall Client software installed and enabled. The firewall client
runs Winsock applications that use ISA Server’s Firewall service. When a firewall client uses a
Winsock application to request an object from a computer, the client checks its copy of the local
address table (LAT) to see whether the specified computer is in the LAT. If the computer is not
in the LAT, the request is sent to the ISA Server Firewall service.
After installing the client software, you can modify the server name to which the client connects by
specifying a different name either on the ISA Server computer to which the client currently connects
or by changing the name in the Firewall Client software. The configuration changes take effect
after the firewall configuration is refreshed.
Install Client software:
path\Setup
Firewall Client Application Settings
Installing the Firewall Client software does not automatically configure individual Winsock
applications. Instead, the client software uses the same Winsock dynamic link library (.dll).
In processing Winsock requests, the Firewall Client application looks for a Wspcfg.ini file in
the directory where the client Winsock application is installed.
If this section also does not exist, it looks for the same section in the Mspclnt.ini file.
Advanced Client Configuration
For most Winsock applications, the default Firewall Client configuration works with no need for
further modification. You can store the client configuration information in one of the following two
locations:
Mspclnt.ini. This is the global client configuration file, which is located in the Firewall
Client installation folder. The Mspclnt.ini file is periodically downloaded by the client
from the ISA Server computer and overwrites previous versions.
Wspcfg.ini. This file is located in a specific client application folder. The ISA Server
computer does not overwrite this file. Consequently, if you make configuration
changes to this file, they apply only to that specific client.
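The two-file lookup order described above, as an added example (this is not ISA Server or Firewall Client code): a setting for a Winsock application is taken from the application's section in Wspcfg.ini first, then from the same section in Mspclnt.ini. The section names, keys and the [Common Configuration] fallback used here are constructed sample values and assumptions of the example.

```python
"""Firewall Client setting lookup order (added illustration, not ISA Server
or Firewall Client code). Wspcfg.ini in the application folder wins over the
global Mspclnt.ini that ISA Server refreshes. Section names, keys and the
[Common Configuration] fallback below are constructed/assumed."""
import configparser

# Constructed sample Wspcfg.ini: per-application, never overwritten by the server.
WSPCFG_INI = """
[ftpapp]
ServerBindTcpPorts=20
Persistent=1
"""

# Constructed sample Mspclnt.ini: global file, periodically downloaded from ISA Server.
MSPCLNT_INI = """
[Common Configuration]
Persistent=0
[ftpapp]
ServerBindTcpPorts=21
KillOldSession=1
[mailapp]
RemoteBindUdpPorts=5000-5010
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp

def resolve_setting(app, key, wspcfg_text=WSPCFG_INI, mspclnt_text=MSPCLNT_INI):
    """Return (value, source) for one setting of one Winsock application.

    Lookup order: the [app] section of Wspcfg.ini, then the [app] section of
    Mspclnt.ini, then Mspclnt.ini's [Common Configuration] section (that last
    fallback is an assumption of this example); (None, None) if unset."""
    wspcfg, mspclnt = _parse(wspcfg_text), _parse(mspclnt_text)
    search = [("Wspcfg.ini", wspcfg, app),
              ("Mspclnt.ini", mspclnt, app),
              ("Mspclnt.ini", mspclnt, "Common Configuration")]
    for source, cp, section in search:
        if cp.has_option(section, key):  # False when the section is absent
            return cp.get(section, key), f"{source}[{section}]"
    return None, None
```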
Web Proxy Service
The Web Proxy service (w3proxy) is a Windows 2000 service that supports requests from any
Web browser. This gives nearly every desktop operating system, including Windows NT,
Windows 95, Windows 98, Windows 2000, Macintosh, and UNIX, Web access.
Web Proxy clients (typically, browsers) must be specifically configured to use the ISA Server
computer. When a user requests a Web site, the browser parses the Uniform Resource Locator
(URL).
When you stop the Web Proxy service, the information in the cache is not deleted. However,
when you restart the Web Proxy service, several seconds may pass before the cache is fully
enabled and functional. If the Web Proxy service has crashed, ISA Server restores the
information in the cache. This takes some time, and performance may not be optimal until the
cache is eventually restored.
Configuring Web Proxy Clients
You do not have to install any software to configure Web Proxy clients. However, you must
configure the proxy capable applications on the client computers to use the ISA Server
computer as the proxy server.
The automatic configuration script is stored at a specific URL on any ISA Server computer in the
array. This makes it easy to update all Web browser settings without having to reconfigure each
individual Web browser.
Lesson Summary:
rules in ISA Server that allow Internet protocols to pass through the ISA Server firewall to
the client computers.
Cache mode, or if you want to avoid installing software on the client computers, you can
configure your client computers as SecureNAT clients.
Proxy clients.
the ISA Server computer as the proxy server.
Lesson 2:
Configuring ISA Server Dial-up Connections
ISA Server can provide firewall and caching benefits for your network even when you do not
have a dedicated Internet connection.
Configuring Dial-up Entries
However, if through a dial-up connection you want to use non-Web services such as POP3 and
Network News Transfer Protocol (NNTP) on clients that do not have Firewall Client installed,
you need to configure a dial-up entry and then configure the network to route requests using that
dial-up entry.
By creating dial-up entries, you can specify how the ISA Server computer connects to the
Internet with those dial-up connections.
You can configure dial-up entries only for network dial-up connections that are configured on
all the ISA Server computers in an array.
Dial-on-Demand
You can configure ISA Server to use a dial-up entry to dial out to the Internet for simple routing or for
active caching.
Routing. When a client requests an object, if the route for the client request requires establishing a dial-up
connection, and if access policy allows the client request, ISA Server will dial out to the Internet using the
active dial-up entry.
Active caching. If active caching is enabled, ISA Server dials out to the Internet to retrieve
frequently accessed files.
In addition, ISA Server dials out to the Internet when ISA Server cannot definitively determine whether
access policy allows a client request.
If a routing rule indicates that a dial-up connection should be established for the request, ISA Server dials
out to the Internet either to resolve the name of the computer requested by the client or to do a reverse look-up.
NOTE: Only Web Proxy and firewall clients can be configured for dial-on-demand. For SecureNAT
clients to connect to the Internet, a dial-up connection must already be established.
Limiting ISA Server Dial-out to External Sites
You can restrict ISA Server to dial out to the Internet only when necessary by configuring the
local domain table (LDT) so that it lists the names of all internal computers.
This prevents ISA Server from dialing out to an external DNS server, only to determine that the
requested computer is actually internal. Firewall clients maintain a regularly updated local copy of
the LDT on their computers. Note that the LDT is checked only for requests from firewall clients.
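The two local checks described in this chapter, the firewall client's LAT lookup in Lesson 1 and the LDT lookup above, as one added example (not ISA Server or Firewall Client code): an IP destination is matched against the LAT address ranges, a name against the LDT, and only destinations found in neither go to the Firewall service (and so can trigger a dial-out). The table contents are constructed samples, and the one-range-per-line "first last" LAT layout is an assumption of the example.

```python
"""Added illustration of the firewall client's local check (not ISA Server or
Firewall Client code): an IP destination is matched against the client's
LAT copy, a name against the LDT. Tables are constructed samples; the
"first last" one-range-per-line LAT layout is an assumption."""
import ipaddress

# Constructed LAT: one "first-address last-address" range per line.
LAT_TEXT = """
10.0.0.0 10.255.255.255
192.168.1.0 192.168.1.255
"""
# Constructed LDT: internal host names and a wildcard domain suffix.
LDT_TEXT = """
intranet
corp.example.test
*.corp.example.test
"""

def parse_lat(text):
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        first, last = (ipaddress.ip_address(p) for p in parts)
        if first > last:
            raise ValueError(f"LAT range is reversed: {line.strip()}")
        ranges.append((first, last))
    return ranges

def parse_ldt(text):
    return {line.strip().lower().rstrip(".") for line in text.splitlines() if line.strip()}

def in_lat(ip, ranges):
    addr = ipaddress.ip_address(ip)  # raises ValueError for a host name
    return any(first <= addr <= last for first, last in ranges)

def in_ldt(name, entries):
    name = name.lower().rstrip(".")
    if name in entries:
        return True
    # "*.suffix" matches only names with a label before the dot, so
    # "evilcorp.example.test" does not match "*.corp.example.test".
    return any(e.startswith("*.") and name.endswith(e[1:]) for e in entries)

def route_request(dest, lat, ldt):
    """'direct' for internal destinations, 'firewall' for everything else."""
    try:
        return "direct" if in_lat(dest, lat) else "firewall"
    except ValueError:  # not an IP address: treat dest as a name
        return "direct" if in_ldt(dest, ldt) else "firewall"
```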
Lesson Summary:
connection, you will need to create a dial-up entry policy element and configure the network
to route requests to upstream servers using the dial-up entry.
allows your ISA Server computer to initiate a dial-up connection to the Internet automatically
whenever a Web Proxy or firewall client on the local network requests a remote host.
Lesson 3:
Configuring Automatic Discovery of ISA Server
It is a simple task to configure the ISA Server computer that connects firewall clients and Web Proxy clients.
Configuring Automatic Discovery of ISA Server
The ISA Server can automatically configure the client users.
Automatic Discovery
Configuring automatic discovery requires that you publish automatic discovery on the ISA Server
computer;
Protocol entry.
computer and an alias (CNAME) record named WPAD pointing to the ISA Server computer.
Configuring WPAD and WSPAD on the DNS or DHCP Server
Through automatic discovery, the firewall client or the Web Proxy client requests an object from the ISA
Server that is configured to fulfill requests.
Automatic Discovery for Firewall Clients
When you configure Firewall Client in Control Panel on your client computer, you indicate a
particular ISA Server computer to which the client should connect. You can also configure the
automatic discovery feature so that the firewall client automatically discovers which ISA Server
computer it should use.
Verifying Automatic Discovery for Firewall Clients
When you enable automatic discovery in Firewall Client, you should verify afterwards that the automatic
discovery feature is functioning. When automatic discovery cannot successfully discover or resolve the
ISA Server computer, the firewall client is treated as a SecureNAT client, and the client sessions stop
passing user account and client computer name information to the ISA Server.
If so, the client is operating as a firewall client, and the automatic discovery is working. If not, the
client is behaving as a SecureNAT client, and automatic discovery is not working.
Automatic Discovery for Web Proxy Clients
ISA Server provides similar support for Web Proxy clients. You can configure the automatic
discovery feature in the Internet Explorer LAN Settings so that roaming Web Proxy clients will
always connect to the appropriate ISA Server computer when they log on to the Internet.
Lesson Summary:
automatically discover an appropriate ISA Server computer.
connect to an appropriate ISA Server computer when they connect to the Internet. To
enable automatic discovery, your network must be configured for DNS, DHCP, or both.
Protocol entry; and ensure that your network DNS server has both a host (A) record of the
ISA Server computer and an alias (CNAME) record named WPAD pointing to the ISA
Server computer.
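The DNS side of automatic discovery, as an added example (not ISA Server code): the summary above requires a host (A) record for the ISA Server computer and an alias (CNAME) record named WPAD pointing to it, so a misplaced or stray WPAD alias would send every auto-discovering client to the wrong proxy. The zone records below are constructed samples; the (name, type, data) tuple layout is an assumption of the example.

```python
"""Check the two DNS records automatic discovery needs (added illustration,
not ISA Server code): an A record for the ISA Server computer and a CNAME
named WPAD in the clients' domain that points at it. Records below are a
constructed sample zone held as (name, type, data) tuples."""
ZONE = [
    ("isa1.corp.example.test", "A", "10.0.0.1"),
    ("wpad.corp.example.test", "CNAME", "isa1.corp.example.test"),
]

def resolve_chain(zone, name, max_hops=5):
    """Follow CNAME records from name; return (final_name, [A data], hops)."""
    hops = []
    name = name.lower()
    for _ in range(max_hops):
        recs = [(t, d.lower()) for n, t, d in zone if n.lower() == name]
        cnames = [d for t, d in recs if t == "CNAME"]
        if not cnames:
            return name, [d for t, d in recs if t == "A"], hops
        hops.append(name)
        name = cnames[0]
    return name, [], hops  # CNAME loop or chain too long

def check_wpad(zone, domain, isa_host):
    """Return a list of problems; an empty list means both records are in place
    and the WPAD alias really resolves to the intended ISA Server computer."""
    problems = []
    isa_host, wpad = isa_host.lower(), f"wpad.{domain}".lower()
    if not resolve_chain(zone, isa_host)[1]:
        problems.append(f"no A record for ISA Server computer {isa_host}")
    targets = [d.lower() for n, t, d in zone if n.lower() == wpad and t == "CNAME"]
    if not targets:
        problems.append(f"no CNAME record named {wpad}")
    elif len(targets) > 1:
        problems.append(f"{wpad} has {len(targets)} CNAME records; DNS allows one")
    else:
        final, _, _ = resolve_chain(zone, wpad)
        if final != isa_host:
            problems.append(f"{wpad} points at {final}, not the ISA Server computer")
    return problems
```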
Lesson 4:
Troubleshooting ISA Server Client Connectivity
Although establishing secure Internet connectivity through ISA Server is a simple process on a clean
installation, any number of factors can complicate your configuration and create connectivity problems.
Troubleshooting Client Connections
Client connectivity problems range from poor performance to complete lack of Internet access on
SecureNAT, Firewall, and Web Proxy clients. To simplify future troubleshooting, it is important to
avoid unnecessary complexities in your network configuration and to keep track of all changes made
after your initial, successful installation.
***** REVIEW THE TABLE PAGE 121-123 *****
Restarting Services after Configuration Changes
If Internet connectivity suddenly stops on your client computers after having been active, try restarting
one of the ISA Server services, such as the Firewall service and/or the Web Proxy service. Some
changes to the ISA Server configuration require that you restart one or more of the ISA Server
services on all the servers in the array. Without restarting ISA Server services, client connectivity
will be lost. In the case of such a configuration change, ISA Management usually, but not always,
displays a message box informing you that the service needs to be restarted.
Lesson Summary:
configuration and by keeping track of all changes you have made from your base installation.