Enterprise Firewall on Windows 

PCQ Bureau

In the last couple of months we have done articles on configuring network firewalls on Linux (IPCop Firewall Appliance, October 2003, page 90 and Linux Firewalls, November 2003, page 44). This time we will see how to configure an enterprise-class firewall on Windows using Microsoft ISA (Internet Security and Acceleration) Server 2000. ISA Server 2000 has two functions: an enterprise firewall and a Web cache server. You can use these functions separately or together. The firewall provides filtering at the packet, circuit and application layers; stateful inspection to examine data crossing the firewall; control of access policy and routing of traffic. The cache improves network performance and enhances end-user experience by storing frequently requested Web content.

ISA Server 2000 can be used on Windows 2000 Server or Windows Server 2003. Though its configuration on both OSs is the same, its installation on Windows Server 2003 requires a couple of additional steps.

ISA Server Network Scenario

For a machine to function as a firewall, it needs two network interfaces: an internal interface to connect to the LAN and an external one to connect to the Internet. The external interface can connect either directly or through a cable or DSL modem. You need a static private IP address on your LAN to configure the internal interface and a static or dynamic public or private IP address (depending on your setup) to configure the external interface. For a Web cache only setup, a single network interface will also do.

Setup on Windows 2000 Server

Run the setup file of ISA Server 2000 and choose ‘Typical setup’. On the screen that will show up, select the mode for the server. You have a choice of three modes: firewall, cache server and integrated mode (this installs both firewall and cache server). On the next screen, select the NTFS drives where the cache will be located and the size of the cache. Next, give the internal IP range of your LAN and click on Continue. The setup will then copy all required files on your system.
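The internal IP range entered during setup decides which addresses ISA Server treats as trusted LAN; a range that also covers the external interface or public address space silently extends that trust to the Internet. The check below is an added example (not part of the article or of ISA Server) that validates a set of from-to ranges against the two interface addresses; the interface addresses and ranges are constructed sample values.

```python
import ipaddress

# RFC 1918 private networks, checked explicitly rather than via is_private so that
# documentation addresses such as 203.0.113.0/24 are treated as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample values: the firewall's two interfaces and the internal range
# typed in during setup. 203.0.113.10 stands in for the ISP-assigned address.
INTERNAL_IF = "192.168.1.1"
EXTERNAL_IF = "203.0.113.10"
INTERNAL_RANGES = ["192.168.1.0-192.168.1.255"]


def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' into a pair of IPv4Address objects."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return lo, hi


def check_internal_ranges(internal_if, external_if, ranges):
    """Return a list of problems found; an empty list means the ranges look sane."""
    problems = []
    int_ip = ipaddress.ip_address(internal_if)
    ext_ip = ipaddress.ip_address(external_if)
    if not any(int_ip in net for net in PRIVATE_NETS):
        problems.append(f"internal interface {int_ip} is not an RFC 1918 address")
    covered = False
    for text in ranges:
        lo, hi = parse_range(text)
        if lo > hi:
            problems.append(f"range {text} is reversed")
            continue
        if lo <= ext_ip <= hi:
            problems.append(f"range {text} includes the external interface {ext_ip}; "
                            "the Internet side would be treated as internal")
        # Every subnet the range decomposes into must lie inside a private network.
        for net in ipaddress.summarize_address_range(lo, hi):
            if not any(net.subnet_of(p) for p in PRIVATE_NETS):
                problems.append(f"range {text} contains public addresses ({net})")
                break
        if lo <= int_ip <= hi:
            covered = True
    if not covered:
        problems.append(f"internal interface {int_ip} is not inside any internal range")
    return problems


if __name__ == "__main__":
    for p in check_internal_ranges(INTERNAL_IF, EXTERNAL_IF, INTERNAL_RANGES) or ["ok"]:
        print(p)
```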

Setup on Windows Server 2003

Setup on Windows 2003 is nearly the same as on Windows 2000, the only difference being that it requires the installation of ISA Server 2000 SP1 and ISA Server 2000 Hot Fix for Windows 2003 after the installation is over. You’ll find the required files on this month’s Essential CD or you can download them from www.microsoft.com/isaserver/.

Configuring ISA Firewall

By default, ISA Server blocks all traffic to and from your system and requires the following configuration for your network users to access the Internet.

Enable DHCP packet filter for external interface

If your external interface uses a dynamic IP address assigned to it via DHCP by your ISP, then you must enable the DHCP packet filter. Start the ISA Management Console and in it expand the Servers and Arrays node and then the Server Name. Expand the Access Policy node and click on IP Packet Filters. Double click on DHCP Packet Filter and then, on the General tab of DHCP Client Properties, check Enable the Filter.

Provide Net access to internal users

To provide internal users Internet access, you have to create protocol rules to allow them to use specific application protocols when connecting to Internet servers. Expand the Access Policy node and right click on the Protocol Rules node. Select New and click on Rule. Give a name to it, say Internet access, and click on Next. In the Rule Action screen, select Allow for client requests to use protocols and click on Next. In the Protocols screen, go to the Apply This Rule To list box and select All IP Traffic. Click on Next. Use the Always schedule and click on Next. In the client type screen, select Any Request to allow everybody to use the firewall, or choose specific computers or users to restrict access. Then click on Next. Review your settings and click on Finish to close the wizard.
Configure IP routing and intrusion detection

IP routing will make your server work as a routing device and will also let users use ICMP (Internet Control Message Protocol) on the Internet. Though users can access the Internet without enabling IP routing, enabling it will significantly improve performance. To configure these, right click on IP Packet Filters in Access Policy and select Properties. In the General tab check Enable Packet Filtering, Enable Intrusion Detection and Enable IP Routing. On the Packet Filters tab, check Enable Filtering IP options. On the Intrusion Detection tab, select the types of attack you want to detect from Ping of Death, Port Scan and UDP Bomb. If you want to enable internal users to access VPN servers on the Internet, then put a checkmark on PPTP Through Firewall under the PPTP tab. Click on OK to apply the settings.
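The Port Scan option above is a threshold detector: it counts how many distinct ports one outside host touches in a short time. The function below is an added example (not ISA Server's own code) of that logic run over a constructed packet log of the external interface; the record layout (timestamp, source IP, destination port, protocol) is an assumption for this example, not ISA Server's log format.

```python
from collections import Counter, defaultdict

# Constructed sample records for the external interface: (seconds, src_ip, dst_port, proto).
SAMPLE_PACKETS = (
    # One host walks ports 20..34 in fifteen seconds: a classic fast scan.
    [(t, "198.51.100.7", 20 + t, "TCP") for t in range(15)]
    # Ordinary web traffic from another host: only two distinct ports.
    + [(0, "203.0.113.5", 80, "TCP"), (5, "203.0.113.5", 443, "TCP"),
       (10, "203.0.113.5", 80, "TCP"), (40, "203.0.113.5", 443, "TCP")]
    # A slow probe, one port every 100 seconds: stays under any 60-second window.
    + [(100 * i, "192.0.2.9", i + 1, "TCP") for i in range(12)]
)


def detect_port_scans(packets, port_threshold=10, window_seconds=60):
    """Return {src_ip: peak_distinct_ports} for sources that hit at least
    port_threshold distinct destination ports within any window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, dport, _proto in packets:
        by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        in_window = Counter()              # port -> hits inside the current window
        start = 0
        for ts, dport in events:
            in_window[dport] += 1
            # Drop events that fell out of the window ending at ts.
            while events[start][0] < ts - window_seconds:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= port_threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_PACKETS).items():
        print(f"port scan from {src}: {ports} distinct ports within 60 s")
```

The slow probe in the sample shows the limit of a windowed threshold: spreading probes over time evades it, which is why such alerts should be read alongside the packet-filter log rather than on their own.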

Configuring Cache Server

There’s not much to configure in the cache server. If you are installing ISA Server in integrated mode, then you would have already done the above mentioned configuration and no further changes are required. However, if you are using ISA only as a cache server, then you do not need to configure IP routing and intrusion detection. Protocol rule settings are still required, while DHCP filter support may not be, as the cache server will have a fixed IP. By default the cache server listens on port number 8080. If you want to change the default port number, right click on the server name in the Management Console and click on Properties. In the Outgoing Web Requests tab, change the port number to the desired port number.

Configuring Client

For ISA Server there are two types of clients. Firewall clients are the ones that use the ISA Server firewall as their default gateway for Internet access and do not use the cache server as a Web proxy. Web browser clients use ISA Server as their Web proxy server and do not connect to the Internet directly using the server as their gateway. A single client can, however, be of both kinds. For firewall clients, assign the ISA Server’s internal IP address as the default gateway on user machines, either manually or using DHCP. For Web browser clients, just put the IP address and port number of the ISA Server in the user’s Web browser’s proxy settings.

Now your firewall and cache server are ready to use. While the internal LAN users have full access to the Internet, they are completely hidden from the outside world: the external interface simply blocks all external traffic from coming into the network. But there are certain cases in which you may want to expose some internal servers to the Internet, or may want to give some users VPN access to the LAN. For that ISA Server has many more features, such as server publishing and VPN access.

Anoop Mangla
