Page 1 of 8
Contents
Setting Up Clients for Direct Access
Enabling Firewall Clients for Direct Access
Specifying Sites for Direct Access
Configuring Web Browser Settings on Firewall Client Computers
Enabling Web Proxy Clients for Direct Access
Specifying Sites for Direct Access
Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
Additional Information
Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 clients are computers located in networks protected by ISA Server. The clients go through the ISA Server computer to access resources in networks other than their own. ISA Server client requests for resources in the same local network should not go through ISA Server. The only exception is in a single network adapter environment, when ISA Server recognizes only the Internal network. The Internal network will be both the source and destination network in access rules. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.
This document provides an overview of ISA Server client types, and best practices you should follow when creating access rules to control internal traffic. It also discusses several alternative approaches to making internal resources available to internal clients, including internal server publishing, and setting up clients for direct access.
This document includes the following sections:
Overview of ISA Server network design and how access rules should be configured to allow internal client access to internal resources.
Considerations for using publishing rules or access rules to allow clients to access internal resources.
Tips on allowing both route and network address translation (NAT) relationships between network objects.
http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx?pf=true
21. 1. 2007
For a summary of ISA Server client types, see ISA Server Clients later in this document.
Networks that typically correspond to your physical network infrastructure.
Network sets that group networks together.
A single computer.
A computer set.
A subnet.
An address range of contiguous IP addresses, a set of URLs, or a domain set.
You define network rules to specify whether network objects can communicate, and whether a network address translation (NAT) or route relationship should be applied to traffic flowing between the network objects. To learn more about configuring network objects and network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the Microsoft TechNet Web site. When creating access rules to control traffic flowing between your internal networks protected by ISA Server, use the following guidelines:
ISA Server is designed so that communication between different networks should traverse ISA Server. It is not intended that clients on a specific network should go through ISA Server to access resources on the same network. Such a configuration is known as looping back through the ISA Server computer. Using ISA Server like this may cause a reduction in performance of the ISA Server computer, and may cause Domain Name System (DNS) configuration issues when internal clients try to access internal resources through an external interface. Because ISA Server is not designed to link traffic between resources on the same network, you cannot use a network to specify the source or destination in an access rule you create to control communication between two hosts in the same network. In such a scenario, there are several alternatives:
You can use network objects such as computers, subnets, and address ranges to control traffic between such hosts. For example, if your Internal network definition consists of 172.16.10.0/24, and includes a routed subnet with a 192.168.3.0/24 address range, you can create two different address sets from a subset of the Internal network Internet Protocol (IP) address ranges, and use these as source and destination in an access rule.
Where appropriate, use direct access for such host-to-host communications to ensure that requests between internal clients are not looped back through the ISA Server computer.
that the user requesting the object sees the IP address of the ISA Server computer rather than the private IP address of the internal server being published. There are some circumstances in which you may consider giving internal clients access to resources in other networks by using a server publishing rule, rather than by means of an access rule permitting access using a specific protocol. One common scenario is when you have a perimeter network defined, and you want to allow computers in the perimeter network to contact Internal network hosts, or to allow computers in the Internal network to contact hosts in the perimeter network. When choosing whether to use access rules or server publishing rules, consider the following:
A server publishing rule can only publish a single server.
Port translation can easily be performed with server publishing.
Some built-in application filters, such as the Simple Mail Transfer Protocol (SMTP) filter, are designed to work with server publishing rules, and not with access rules.
In a NAT relationship, you cannot use an access rule to permit access to a computer if that computer is a SecureNAT client. In this scenario, you must use a server publishing rule. If there is a route relationship, an access rule will work.
When using server publishing in a route relationship, the server publishing rule works like an access rule to allow access to the published server. Clients send requests directly to the IP address of the server being published, and not to the IP address of the ISA Server client-facing network interface.
If you are using Network Load Balancing (NLB), use server publishing rules in preference to access rules. Server publishing rules allow correct load balancing of traffic to the published server.
An access rule allowing Hypertext Transfer Protocol (HTTP) always uses NAT in both directions by default, even between networks with a route relationship.
If you choose to configure a route relationship rather than NAT between two separate networks, there is no loss in functionality using server publishing rules. Filters (for example SMTP, POP3, or DNS) should work as they would for server publishing rules across networks with a NAT relationship. Note that the H.323 filter does not support server publishing.
In the scenario described, there may be either of the following relationships between the perimeter network and the Internal network:
You have a route relationship between the perimeter network and the Internal network.
You have a NAT relationship between the perimeter network and the Internal network.
The following table summarizes how the use of access rules or server publishing rules is affected in a NAT or route network relationship.

Perimeter and internal relationship: NAT

Control traffic with access rules: ISA Server listens for requests on the client-facing network adapter on the ISA Server computer. Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server. Client source IP address is that of the ISA Server computer. For example, if a NAT relationship is defined from source Network_A to destination Network_B, the IP addresses of client computers on Network_A are replaced with the IP address of the network adapter connected to Network_B on the ISA Server computer. Packets from Network_B returned to clients on

Control traffic with server publishing rule: ISA Server listens for requests on the client-facing network adapter on the ISA Server computer. Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server. Client source IP address is that of the ISA Server computer unless you configure the rule to forward the original client source IP address. Note that there is a difference between server publishing (where the default is to pass the client address) and Web publishing (where the default is to use the ISA Server internal address).

Perimeter and internal relationship: Route

Control traffic with access rules: ISA Server listens on the IP address of the published server. The published server log shows the original client source IP address. Note that if access rules allow HTTP traffic, this will go through the Web Proxy Filter and be subject to NAT, even in a route relationship. To override this default behavior, disable the filter for the HTTP traffic. For more information, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.

Control traffic with server publishing rule: ISA Server listens on the IP address of the published server. Clients should request the actual IP address of the published server. Use the From part of the server publishing rule to limit clients who can use the rule.
Set up a NAT relationship between hosts in Network_A and hosts in Network_B.
Set up a route relationship between other hosts in Network_A and hosts in Network_B.
Do this as follows:
1. Create a computer set (ComputerSet_1) for the computers in Network_A that require a route relationship with clients in Network_B. You could also use a different network object such as an IP address range or a computer.
2. Create a computer set (ComputerSet_2) for the computers in Network_A that require a NAT relationship with clients in Network_B.
3. Create a network rule with a route relationship. Specify ComputerSet_1 in the From part of the rule, and specify Network_B in the To part of the rule.
4. Create a network rule with a NAT relationship. Specify ComputerSet_2 in the From part of the rule, and specify Network_B in the To part of the rule.
When you set up the server publishing rule for the server in Network_B, there are essentially two listeners for the network: the ISA Server network adapter serving Network_A, and the published server's IP address. ComputerSet_1 can use either of these listeners. ComputerSet_2 can only use the listener on the ISA Server network adapter for Network_A.
Allow clients direct access to external Web sites without going through ISA Server. This may be useful where connecting to the Web site through ISA Server is problematic, for example, if Web sites are running some Java applications.
Allow clients direct access to published servers located on the same network as the client making the request.
Direct access allows Web Proxy clients to bypass Web Proxy configuration settings when accessing resources. They can then leverage SecureNAT or Firewall Client settings where appropriate. Direct access allows Firewall clients to bypass the Firewall Client configuration settings when connecting to resources on the same network as the Firewall client computer making the request.
In ISA Server Management, specify the list of IP address ranges, computers, and site URLs that should be accessed directly by the clients. The specified list is sent to the Web browser in the automatic configuration script when the browser makes a request to ISA Server either for automatic discovery (using http://wpad.dat) or to the http://ISAServer_Name:8080/array.dll?Get.Routing.Script URL, which returns configuration settings.
If Internet Explorer is not already configured on Firewall client computers, you can configure Web Proxy client settings for Firewall clients in ISA Server Management. These Web browser configuration settings are applied when Firewall Client software is installed on the client computer, or when Firewall Client configuration settings are updated (every six hours by default).
If Firewall Client is installed and you specify sites for direct access by Web Proxy applications, Firewall Client can still handle authentication requirements on access rules. Firewall Client can pick up the traffic transparently and authenticate with ISA Server on behalf of the Web Proxy application. You can restart client computers, or click Detect Now in the Firewall Client dialog box to refresh client computers with updated settings.
Computers with Firewall Client installed have settings for each application that specify whether ISA Server does name resolution on behalf of the client. When you specify domains and computers for direct access on the Domains tab, Firewall client computers will attempt to resolve the name without going through ISA Server. Client computers will need a DNS server specified in the TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.
1. In the tree of ISA Server Management, click Networks:
For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.
1. In the tree of ISA Server Management, click Networks:
For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, set the following:
To specify that the Web browser should automatically detect the ISA Server computer with configuration settings, click Automatically detect settings.
Note To configure Firewall clients for auto-discovery against ISA Server 2004 Standard Edition, install ISA Server 2004 Standard Edition Service Pack 1. For more information, see Microsoft Knowledge Base article 885683 "You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery." This problem does not exist on ISA Server 2004 Enterprise Edition.
To specify that the Web browser should be configured to use the default configuration script, click Use automatic configuration script, and then click Use default URL.
To specify that the Web browser should be configured to use a custom configuration script, click Use automatic configuration script, and then click Use custom URL.
To manually specify the ISA Server computer that Web Proxy clients should use as a proxy, click Use a Web proxy server, and then in ISA Server name or IP address, specify the ISA Server computer that clients should use.
In ISA Server Management, specify the list of IP address ranges, computers, and sites that should be accessed directly by clients. The specified list is sent to the Web browser in the automatic configuration script. Configure Internet Explorer to use the automatic configuration script containing the direct access list. Internet Explorer can either be configured to automatically detect ISA Server configuration settings, by means of a Web Proxy Automatic Discovery (WPAD) entry in DNS or DHCP, or you can manually specify the location of the configuration script.
In normal circumstances, requests from Web Proxy clients going through ISA Server are resolved by ISA Server on behalf of the client. For direct access destinations, Web Proxy clients must be able to do name resolution themselves, and will need a DNS server specified in TCP/IP properties for the client computer. For published resources, clients must be able to resolve the name of the published resource to an internal IP address. Client computers configured as Web Proxy clients only will require an access rule allowing anonymous access to the direct access site without requiring authentication. Place the rule above other rules requiring authentication for the same protocol.
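As an added illustration, not part of the original article, the following is a proxy auto-configuration (PAC) script of the kind ISA Server returns to Web Proxy clients (via http://wpad.dat or array.dll?Get.Routing.Script, as the Firewall client section above describes) with a direct access list embedded. Every name and address in it (isaserver.corp.example, intranet.corp.example, the two address ranges) is constructed for the example, and the two helper functions are stand-ins for the PAC built-ins dnsDomainIs() and isInNet(), written out here so the script runs outside a browser.

```javascript
// Constructed direct access list: domains/computers as entered on the
// Web Browser tab, plus address ranges. ISA Server sends the real list.
const DIRECT_DOMAINS = ["intranet.corp.example", "mail.corp.example"];
const DIRECT_RANGES = [
  { net: "172.16.10.0", mask: "255.255.255.0" }, // Internal network (assumed)
  { net: "192.168.3.0", mask: "255.255.255.0" }, // routed internal subnet (assumed)
];
// The ISA Server Web Proxy listener used for every other destination (assumed name).
const ISA_PROXY = "PROXY isaserver.corp.example:8080";

// Stand-in for the PAC built-in dnsDomainIs(): exact host or subdomain match.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number; null if invalid.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Stand-in for the PAC built-in isInNet(). It accepts IP literals only; the
// real isInNet() resolves a hostname through the client's own DNS settings,
// which is why the article requires Web Proxy clients to have a DNS server
// configured and to resolve published names to an internal IP address.
function ipInRange(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// PAC entry point called by the browser for each request. "DIRECT" tells the
// browser to connect itself, bypassing the Web Proxy listener; anything else
// is sent to ISA Server.
function FindProxyForURL(url, host) {
  // Plain hostnames (no dots) are treated as local, as PAC scripts conventionally do.
  if (!host.includes(".")) return "DIRECT";
  for (const d of DIRECT_DOMAINS) {
    if (hostInDomain(host, d)) return "DIRECT";
  }
  for (const r of DIRECT_RANGES) {
    if (ipInRange(host, r.net, r.mask)) return "DIRECT";
  }
  return ISA_PROXY;
}
```

Because a direct access destination never reaches ISA Server, an access rule permitting it is only consulted when the browser falls back to the proxy, which is the situation the note above about an anonymous rule for Web Proxy-only clients addresses.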
On the network on which the Web Proxy clients requiring direct access are located, do the following:
1. In the tree of ISA Server Management, click Networks:
For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.
Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
This procedure assumes Internet Explorer as the Web browser. To configure Web browsers to use the automatic configuration script, do the following:
1. In Internet Explorer, click the Tools menu, and then click Internet Options.
2. Click the Connections tab, and then click LAN Settings.
3. To use automatic detection of configuration settings, click Automatically detect settings.
4. To specify the location of the configuration script that the Web browser should use, click Use automatic configuration script, and in Address, specify the script location.
5. Click OK to save the settings.
Note For more information about setting up automatic detection for Web Proxy clients, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site.
Additional Information
This section provides a description of ISA Server client types and a list of additional resources.
SecureNAT client
Server as an endpoint.
Web Proxy client: Computer running a Web-enabled application (such as Internet Explorer) that can be configured to proxy Web requests to ISA Server.
Note Computers can be configured as more than one client type. For example, a computer may have Firewall Client software installed, or be configured as a SecureNAT client with a default gateway to the ISA Server computer, and be configured to also act as a Web Proxy client by pointing Web Proxy settings to ISA Server. The client type used is in the context of the request made to ISA Server.
Resources
Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page. Also, refer to the following Microsoft Knowledge Base articles and Microsoft TechNet Web site articles:
Microsoft Knowledge Base article 312864 "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions"
Microsoft Knowledge Base article 838122 "How to deploy the ISA Server 2004 Firewall Client program"
Automatic Discovery for Web Proxy and Firewall Clients at the Microsoft TechNet Web site
Microsoft Knowledge Base article 816320 "How to configure firewall client and Web proxy client Autodiscovery in Windows Server 2003"
ISA Server 2004 Standard Edition Service Pack 1 at the Microsoft Download Center.