Configuring Internal Client Access to Internal Resources in ISA Server 2004

Microsoft Internet Security and Acceleration Server 2004
Published: November 2, 2005
Source: http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx?pf=true (page footer dated 21. 1. 2007)

Contents

  Introduction
  Controlling Traffic Between Internal Networks
  Publishing Access Rules
  Configuring Network Objects with NAT and Route Relationships
  Setting Up Clients for Direct Access
    Enabling Firewall Clients for Direct Access
      Specifying Sites for Direct Access
      Configuring Web Browser Settings on Firewall Client Computers
    Enabling Web Proxy Clients for Direct Access
      Specifying Sites for Direct Access
      Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List
  Additional Information
    ISA Server Clients
    Resources

Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 clients are computers located in networks protected by ISA Server. The clients go through the ISA Server computer to access resources in networks other than their own. ISA Server client requests for resources in the same local network should not go through ISA Server. The only exception is a single network adapter environment, in which ISA Server recognizes only the Internal network, so the Internal network is both the source and destination network in access rules. For more information, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.

This document provides an overview of ISA Server client types, and best practices you should follow when creating access rules to control internal traffic. It also discusses several alternative approaches to making internal resources available to internal clients, including internal server publishing and setting up clients for direct access. This document includes the following sections:

- Overview of ISA Server network design and how access rules should be configured to allow internal client access to internal resources.
- Considerations for using publishing rules or access rules to allow clients to access internal resources.
- Tips on allowing both route and network address translation (NAT) relationships between network objects.
- How to set up clients for direct access.

For a summary of ISA Server client types, see ISA Server Clients later in this document.

Controlling Traffic Between Internal Networks

ISA Server 2004 uses access rules and publishing rules to define how traffic is allowed to flow between your organization's internal networks, and between internal and external networks. When creating access rules, you use ISA Server network objects to specify a source and destination in the rule. Network objects can be:

- Networks, which typically correspond to your physical network infrastructure.
- Network sets, which group networks together.
- A single computer.
- A computer set.
- A subnet.
- An address range of contiguous IP addresses, a set of URLs, or a domain set.

You define network rules to specify whether network objects can communicate, and whether a network address translation (NAT) or route relationship should be applied to traffic flowing between the network objects. To learn more about configuring network objects and network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the Microsoft TechNet Web site.

When creating access rules to control traffic flowing between your internal networks protected by ISA Server, use the following guidelines:

- ISA Server is designed so that communication between different networks traverses ISA Server. Clients on a specific network are not intended to go through ISA Server to access resources on the same network. Such a configuration is known as looping back through the ISA Server computer. Using ISA Server like this can reduce the performance of the ISA Server computer, and can cause Domain Name System (DNS) configuration issues when internal clients try to access internal resources through an external interface.
- Because ISA Server is not designed to link traffic between resources on the same network, you cannot use a network as the source or destination in an access rule that controls communication between two hosts in the same network. In such a scenario, there are several alternatives:
  - You can use network objects such as computers, subnets, and address ranges to control traffic between such hosts. For example, if your Internal network definition consists of 172.16.10.0/24 and includes a routed subnet with a 192.168.3.0/24 address range, you can create two different address sets from subsets of the Internal network Internet Protocol (IP) address ranges, and use these as the source and destination in an access rule.
  - Where appropriate, use direct access for such host-to-host communications, so that requests between internal clients are not looped back through the ISA Server computer.


Publishing Access Rules

ISA Server access rules determine how clients on a source network can access resources on a destination network. They are generally used to give internal computers protected by ISA Server access to resources on external networks, or to control traffic between the Internal network and servers located in a perimeter network. ISA Server publishing rules are most often used to allow external clients to access resources protected by ISA Server. For example, you may allow public access from the Internet to a Web server published with a Web publishing rule, or allow external access to a specific server using server publishing rules. Server publishing in a NAT relationship hides the actual address of the published server (a SecureNAT client), so that the user requesting the object sees the IP address of the ISA Server computer rather than the private IP address of the internal server being published.

There are some circumstances in which you may consider giving internal clients access to resources in other networks by using a server publishing rule, rather than by means of an access rule permitting access using a specific protocol. One common scenario is when you have a perimeter network defined, and you want to allow computers in the perimeter network to contact Internal network hosts, or to allow computers in the Internal network to contact hosts in the perimeter network. When choosing whether to use access rules or server publishing rules, consider the following:

- A server publishing rule can only publish a single server.
- Port translation can easily be performed with server publishing.
- Some built-in application filters, such as the Simple Mail Transfer Protocol (SMTP) filter, are designed to work with server publishing rules, and not with access rules.
- In a NAT relationship, you cannot use an access rule to permit access to a computer if that computer is a SecureNAT client. In this scenario, you must use a server publishing rule. If there is a route relationship, an access rule will work.
- When using server publishing in a route relationship, the server publishing rule works like an access rule to allow access to the published server. Clients send requests directly to the IP address of the server being published, and not to the IP address of the ISA Server client-facing network interface.
- If you are using Network Load Balancing (NLB), use server publishing rules in preference to access rules. Server publishing rules allow correct load balancing of traffic to the published server.
- An access rule allowing Hypertext Transfer Protocol (HTTP) always uses NAT in both directions by default, even between networks with a route relationship.
- If you choose to configure a route relationship rather than NAT between two separate networks, there is no loss in functionality using server publishing rules. Filters (for example SMTP, POP3, or DNS) should work as they would for server publishing rules across networks with a NAT relationship. Note that the H.323 filter does not support server publishing.

In the scenario described, there may be either of the following relationships between the perimeter network and the Internal network:

- You have a route relationship between the perimeter network and the Internal network.
- You have a NAT relationship between the perimeter network and the Internal network.

The following summarizes how the use of access rules or server publishing rules is affected by a NAT or route relationship between the perimeter network and the Internal network.

Perimeter and Internal relationship: NAT

  Control traffic with access rules:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer. Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server. The client source IP address seen by the destination is that of the ISA Server computer. For example, if a NAT relationship is defined from source Network_A to destination Network_B, the IP addresses of client computers on Network_A are replaced with the IP address of the network adapter connected to Network_B on the ISA Server computer. Packets from Network_B returned to clients on Network_A are not translated.

  Control traffic with server publishing rule:
    ISA Server listens for requests on the client-facing network adapter on the ISA Server computer. Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server. The client source IP address seen by the published server is that of the ISA Server computer unless you configure the rule to forward the original client source IP address. Note that there is a difference between server publishing, where the default is to pass the client address, and Web publishing, where the default is to use the ISA Server internal address.

Perimeter and Internal relationship: Route

  Control traffic with access rules:
    ISA Server listens on the IP address of the published server. The published server log shows the original client source IP address. Note that if access rules allow HTTP traffic, this traffic goes through the Web Proxy Filter and is subject to NAT, even in a route relationship. To override this default behavior, disable the filter for the HTTP traffic. For more information, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.

  Control traffic with server publishing rule:
    ISA Server listens on the IP address of the published server. Clients should request the actual IP address of the published server. Use the From part of the server publishing rule to limit the clients that can use the rule.

Configuring Network Objects with NAT and Route Relationships


There may be circumstances in which you want to set up network objects for both NAT and route relationships. For example:

- Set up a NAT relationship between hosts in Network_A and hosts in Network_B.
- Set up a route relationship between other hosts in Network_A and hosts in Network_B.

Do this as follows:

1. Create a computer set (ComputerSet_1) for the computers in Network_A that require a route relationship with clients in Network_B. You could also use a different network object such as an IP address range or a computer.
2. Create a computer set (ComputerSet_2) for the computers in Network_A that require a NAT relationship with clients in Network_B.
3. Create a network rule with a route relationship. Specify ComputerSet_1 in the From part of the rule, and specify Network_B in the To part of the rule.
4. Create a network rule with a NAT relationship. Specify ComputerSet_2 in the From part of the rule, and specify Network_B in the To part of the rule.

When you set up the server publishing rule for the server in Network_B, there are essentially two listeners for the network: the ISA Server network adapter serving Network_A, and the published server's IP address. ComputerSet_1 can use either of these listeners. ComputerSet_2 can only use the listener on the ISA Server network adapter for Network_A.
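The behaviour summarized in the NAT/route comparison above and in the ComputerSet_1/ComputerSet_2 procedure is easy to get wrong in practice, for example when reading a published server's log and expecting a client address that NAT has replaced with the ISA Server adapter. The following is an added example, not ISA Server code and not from the original page: a small model of an ordered network-rule list that decides which relationship applies to a source and destination pair, which source address the server in Network_B records, and which listener each computer set can use. The network ranges (172.16.10.0/24 for Network_A, 10.0.2.0/24 for Network_B), the ISA Server adapter addresses and the computer set members are assumed values; first-match evaluation mirrors the ordered network rule list in ISA Server Management.

```javascript
// Added example, not ISA Server code: a model of ISA Server 2004 network rules
// with mixed NAT and route relationships between Network_A and Network_B.
// Network ranges, ISA adapter addresses and computer set members are assumed.
"use strict";

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Assumed ISA network definitions and the ISA Server adapter facing each one.
const NETWORKS = {
  Network_A: { ranges: ["172.16.10.0/24"], isaAdapter: "172.16.10.1" },
  Network_B: { ranges: ["10.0.2.0/24"], isaAdapter: "10.0.2.1" },
};

// Computer sets from the procedure above (members assumed).
const COMPUTER_SETS = {
  ComputerSet_1: ["172.16.10.10", "172.16.10.11"], // route relationship to Network_B
  ComputerSet_2: ["172.16.10.50"],                  // NAT relationship to Network_B
};

// Network rules in evaluation order; the first rule matching both ends wins.
const NETWORK_RULES = [
  { name: "ComputerSet_1 route to Network_B", type: "route", from: { computerSet: "ComputerSet_1" }, to: { network: "Network_B" } },
  { name: "ComputerSet_2 NAT to Network_B", type: "nat", from: { computerSet: "ComputerSet_2" }, to: { network: "Network_B" } },
];

function networkOf(ip) {
  for (const [name, net] of Object.entries(NETWORKS)) {
    if (net.ranges.some((r) => inCidr(ip, r))) return name;
  }
  return null;
}

function endpointMatches(endpoint, ip) {
  if (endpoint.network) return networkOf(ip) === endpoint.network;
  if (endpoint.computerSet) return COMPUTER_SETS[endpoint.computerSet].includes(ip);
  return false;
}

// "same-network": never send through ISA (looping back); "route" or "nat":
// the matching rule's relationship; null: no network rule connects the hosts.
function relationship(srcIp, dstIp) {
  const srcNet = networkOf(srcIp);
  if (srcNet !== null && srcNet === networkOf(dstIp)) return "same-network";
  const rule = NETWORK_RULES.find((r) => endpointMatches(r.from, srcIp) && endpointMatches(r.to, dstIp));
  return rule ? rule.type : null;
}

// Source address the server at dstIp records for a request from srcIp.
// Under NAT an access rule shows ISA's adapter on the server's network, while
// server publishing forwards the client address by default. Under a route
// relationship the client address is kept, except for HTTP that an access
// rule sends through the Web Proxy Filter, which is NATed even then.
function sourceSeenByServer(srcIp, dstIp, options = {}) {
  const { serverPublishing = false, forwardClientAddress = serverPublishing, httpViaWebProxyFilter = false } = options;
  const rel = relationship(srcIp, dstIp);
  if (rel !== "route" && rel !== "nat") return null;
  const isaAdapter = NETWORKS[networkOf(dstIp)].isaAdapter;
  if (rel === "route") return (!serverPublishing && httpViaWebProxyFilter) ? isaAdapter : srcIp;
  return forwardClientAddress ? srcIp : isaAdapter;
}

// Addresses a client may send requests to for a server published in Network_B:
// ISA's adapter on the client's network always; the server's own address only
// when the client has a route relationship to Network_B.
function usableListeners(srcIp, publishedServerIp) {
  const rel = relationship(srcIp, publishedServerIp);
  const srcNet = networkOf(srcIp);
  if (srcNet === null || (rel !== "route" && rel !== "nat")) return [];
  const isaListener = NETWORKS[srcNet].isaAdapter;
  return rel === "route" ? [isaListener, publishedServerIp] : [isaListener];
}

for (const client of ["172.16.10.10", "172.16.10.50", "172.16.10.77"]) {
  console.log(client, relationship(client, "10.0.2.20"),
    "server sees:", sourceSeenByServer(client, "10.0.2.20", { serverPublishing: true }),
    "listeners:", usableListeners(client, "10.0.2.20"));
}
```

The point for an analyst is the third function: a log entry on the published server that shows 10.0.2.1 is not evidence that the request came from the ISA Server computer itself; it is what any NAT client looks like unless the server publishing rule forwards the original client address.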

Setting Up Clients for Direct Access

There may be some scenarios in which you want to set up Firewall clients or Web Proxy clients for direct access to resources. Typical scenarios where this configuration is required include:

- Allowing clients direct access to external Web sites without going through ISA Server. This may be useful where connecting to the Web site through ISA Server is problematic, for example, if the Web site runs some Java applications.
- Allowing clients direct access to published servers located on the same network as the client making the request.

Direct access allows Web Proxy clients to bypass their Web Proxy configuration settings when accessing resources. They then use SecureNAT or Firewall Client settings where appropriate. Direct access allows Firewall clients to bypass the Firewall Client configuration settings when connecting to resources on the same network as the Firewall client computer making the request.

Enabling Firewall Clients for Direct Access

Enabling direct access for Firewall clients configured as Web Proxy clients consists of the following:

- In ISA Server Management, specify the list of IP address ranges, computers, and site URLs that should be accessed directly by the clients. The specified list is sent to the Web browser in the automatic configuration script when the browser makes a request to ISA Server either for automatic discovery (the wpad.dat script) or to the http://ISAServer_Name:8080/array.dll?Get.Routing.Script URL, which returns configuration settings.
- If Internet Explorer is not already configured on Firewall client computers, you can configure Web Proxy client settings for Firewall clients in ISA Server Management. These Web browser configuration settings are applied when Firewall Client software is installed on the client computer, or when Firewall Client configuration settings are updated (every six hours by default).
- If Firewall Client is installed and you specify sites for direct access by Web Proxy applications, Firewall Client can still handle authentication requirements on access rules. Firewall Client picks up the traffic transparently and authenticates with ISA Server on behalf of the Web Proxy application.
- You can restart client computers, or click Detect Now in the Firewall Client dialog box, to refresh client computers with updated settings.
- Computers with Firewall Client installed have settings for each application that specify whether ISA Server does name resolution on behalf of the client. When you specify domains and computers for direct access on the Domains tab, Firewall client computers attempt to resolve the name without going through ISA Server. Client computers therefore need a DNS server specified in their TCP/IP parameters so that they can resolve names correctly. In particular, they must be able to resolve the name of published resources to an internal IP address.

Specifying Sites for Direct Access

To configure sites that the Firewall client should access directly, or that the Web Proxy client running on the Firewall client computer should access directly, do the following:

1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.


Configuring Web Browser Settings on Firewall Client Computers

On the network on which the Firewall client computers requiring direct access are located, do the following:

1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Firewall Client tab, set the following:
   - To specify that the Web browser should automatically detect the ISA Server computer with configuration settings, click Automatically detect settings.
     Note: To configure Firewall clients for auto-discovery against ISA Server 2004 Standard Edition, install ISA Server 2004 Standard Edition Service Pack 1. For more information, see Microsoft Knowledge Base article 885683, "You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery." This problem does not exist on ISA Server 2004 Enterprise Edition.
   - To specify that the Web browser should be configured to use the default configuration script, click Use automatic configuration script, and then click Use default URL.
   - To specify that the Web browser should be configured to use a custom configuration script, click Use automatic configuration script, and then click Use custom URL.
   - To manually specify the ISA Server computer that Web Proxy clients should use as a proxy, click Use a Web proxy server, and then in ISA Server name or IP address, specify the ISA Server computer that clients should use.

Enabling Web Proxy Clients for Direct Access

Enabling direct access for Web Proxy clients that do not have Firewall Client software installed consists of the following:

- In ISA Server Management, specify the list of IP address ranges, computers, and sites that should be accessed directly by clients. The specified list is sent to the Web browser in the automatic configuration script.
- Configure Internet Explorer to use the automatic configuration script containing the direct access list. Internet Explorer can either be configured to automatically detect ISA Server configuration settings, by means of a Web Proxy Automatic Discovery (WPAD) entry in DNS or DHCP, or you can manually specify the location of the configuration script.

Note the following:

- In normal circumstances, requests from Web Proxy clients going through ISA Server are resolved by ISA Server on behalf of the client. For direct access destinations, Web Proxy clients must be able to do name resolution themselves, and need a DNS server specified in the TCP/IP properties of the client computer. For published resources, clients must be able to resolve the name of the published resource to an internal IP address.
- Client computers configured as Web Proxy clients only will require an access rule allowing anonymous access to the direct access site, because a Web Proxy client that bypasses the Web Proxy reaches ISA Server as a SecureNAT client and cannot authenticate. Place the rule above other rules requiring authentication for the same protocol.

Specifying Sites for Direct Access

On the network on which the Web Proxy clients requiring direct access are located, do the following:

1. In the tree of ISA Server Management, click Networks:
   - For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Networks.
   - For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Networks.
2. In the results pane, click the Networks tab, and then select the applicable network.
3. On the Tasks tab, click Edit Selected Network.
4. On the Web Browser tab, click the Add button.
5. In the Add Server dialog box, select Domain or computer, and enter the name of the site to which you want to allow direct access.
6. Repeat for each direct access site, and then click OK.
7. Click Apply to save the changes.

Configuring Web Browsers to Use the Automatic Configuration Script Containing the Direct Access List

This procedure assumes Internet Explorer as the Web browser. To configure Web browsers to use the automatic configuration script, do the following:

1. In Internet Explorer, click the Tools menu, and then click Internet Options.
2. Click the Connections tab, and then click LAN Settings.
3. To use automatic detection of configuration settings, click Automatically detect settings.
4. To specify the location of the configuration script that the Web browser should use, click Use automatic configuration script, and in Address, specify the script location.
5. Click OK to save the settings.

Note: For more information about setting up automatic detection for Web Proxy clients, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site.
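The direct access list that ISA Server hands to the browser (the Web Browser tab entries from the two Specifying Sites for Direct Access procedures, served through wpad.dat or array.dll?Get.Routing.Script) is a proxy auto-configuration (PAC) script, so its effect can be shown with a hand-written equivalent. The following is an added example, not the script ISA Server generates and not code from the original page: the ISA Server name, the 8080 port, the ".partner.example" domain, the host names and the client-side DNS map are constructed for illustration, and the PAC helper functions are minimal re-implementations of the ones a browser provides. It also demonstrates the name-resolution caveat from the Web Proxy client notes: a direct access destination that the client itself cannot resolve never matches an IP range entry and is sent to the proxy instead.

```javascript
// Added example, not ISA Server's generated script: a proxy auto-configuration
// (PAC) script that reproduces a direct access list. Names, addresses and the
// DNS map are constructed for illustration.
"use strict";

// Assumed ISA Server name and the Web Proxy listener port (8080 on the page).
const ISA_PROXY = "PROXY isaserver.contoso.local:8080";

// Constructed stand-in for the client's own DNS. For direct access the client
// resolves names itself, so a published name must resolve here to its
// internal address or isInNet() cannot match it.
const CLIENT_DNS = {
  "intranet.contoso.local": "172.16.10.25",
  "mail.contoso.local": "192.168.3.10",
};

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Minimal versions of the standard PAC helper functions a browser provides.
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // already an address
  return Object.prototype.hasOwnProperty.call(CLIENT_DNS, host) ? CLIENT_DNS[host] : null;
}

function isPlainHostName(host) {
  return !host.includes(".");
}

function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function isInNet(host, pattern, mask) {
  const addr = dnsResolve(host);
  if (addr === null) return false; // unresolvable name: no range can match
  const m = ipToInt(mask);
  return ((ipToInt(addr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// Web Browser tab entries: "Domain or computer" names reached directly (an
// assumed external site whose Java applications fail through the proxy) ...
const DIRECT_DOMAINS = [".partner.example"];
// ... and IP address ranges: the page's 172.16.10.0/24 Internal network and
// its routed 192.168.3.0/24 subnet, which must not loop back through ISA.
const DIRECT_RANGES = [
  ["172.16.10.0", "255.255.255.0"],
  ["192.168.3.0", "255.255.255.0"],
];

// The entry point every PAC script defines. Returns "DIRECT" for direct
// access destinations and the ISA Web Proxy for everything else.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT"; // single-label local names
  for (const domain of DIRECT_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }
  for (const [net, mask] of DIRECT_RANGES) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }
  return ISA_PROXY;
}

// Walk a few destinations to see the decision for each.
for (const host of ["intranet.contoso.local", "192.168.3.10", "unknown.contoso.local",
                    "applets.partner.example", "fileserver", "www.microsoft.com"]) {
  console.log(host.padEnd(26), "->", FindProxyForURL("http://" + host + "/", host));
}
```

A browser that gets DIRECT for a destination in another network still sends the packet to its default gateway, so a Web Proxy-only client then reaches ISA Server as a SecureNAT client; that is why the note above calls for an anonymous access rule placed above the authenticated ones for the same protocol.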

Additional Information
This section provides a description of ISA Server client types and a list of additional resources.

ISA Server Clients

The following summarizes the ISA Server client types.

Firewall client
  Computers with Firewall Client software installed and enabled. Firewall Client uses a common Winsock provider, and intercepts requests from applications making Winsock requests. The Firewall client decides on a per-application basis how to deal with such requests. This is the only client type that can use secondary protocols.

SecureNAT client
  Computers with a default route through the network to the ISA Server computer as a means of communication with other networks. No Firewall Client software is installed and enabled. In a simple network, ISA Server is configured as the default gateway. In a complex network, the client points indirectly to ISA Server through routers, with ISA Server as an endpoint.

Web Proxy client
  Computers running a Web-enabled application (such as Internet Explorer) that can be configured to proxy Web requests to ISA Server.

Note: Computers can be configured as more than one client type. For example, a computer may have Firewall Client software installed, or be configured as a SecureNAT client with a default gateway to the ISA Server computer, and also be configured to act as a Web Proxy client by pointing Web Proxy settings to ISA Server. The client type used depends on the context of the request made to ISA Server.

Resources

Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page. Also, refer to the following Microsoft Knowledge Base articles and Microsoft TechNet Web site articles:

- Microsoft Knowledge Base article 312864, "Automatic Proxy Discovery in Internet Explorer with DHCP requires specific permissions"
- Microsoft Knowledge Base article 838122, "How to deploy the ISA Server 2004 Firewall Client program"
- Automatic Discovery for Web Proxy and Firewall Clients at the Microsoft TechNet Web site
- Microsoft Knowledge Base article 816320, "How to configure firewall client and Web proxy client Autodiscovery in Windows Server 2003"
- ISA Server 2004 Standard Edition Service Pack 1 at the Microsoft Download Center
