Firewalling with ISA Server 

PCQ Bureau

ISA (Internet Security and Acceleration) Server 2004 is the latest application-layer firewall, VPN (Virtual Private Network), and Web cache solution from Microsoft. It offers various new and improved features over ISA Server 2000, a firewall and Web cache solution.


ISA Server 2004 contains an application-layer-aware firewall that can inspect application-layer protocols such as HTTP, which enables it to detect threats that packet-filtering and circuit-level firewalls cannot detect. The integrated firewall and VPN architecture of ISA Server supports stateful filtering and inspection of all VPN traffic, which is useful in protecting networks from attacks that enter through a VPN connection. In addition, ISA 2004 has a new, easy-to-use interface, wizards, templates, and management tools that make it easier to manage and configure than ISA Server 2000.

Direct Hit!

Network Administrators

ISA Server 2004 offers an integrated solution covering firewall, Web cache and VPN


This article not only briefs you on the various enhancements and improvements offered by ISA Server 2004 but also explains how to upgrade from ISA Server 2000 to ISA Server 2004 and how to install ISA 2004 afresh.


Let's first look into some of the new and improved features offered by ISA 2004.

  • Blocking access to all executable content: It can block connection attempts to Windows executable content, regardless of the file name extension used on the file. 
  • Controlling HTTP file downloads through file name extension: HTTP policies let you control which file types users are allowed or denied to download.
  • Controlling HTTP access based on "HTTP Signatures": HTTP inspection can let you create "HTTP Signatures" that can be compared to the request URL, request headers, request body, and response body. Thus you can control what content internal and external users can access through the firewall.
  • Controlling allowed HTTP methods: Using ISA 2004, administrators can control which HTTP methods users may use. For example, restricting the HTTP 'POST' method can prevent users from sending data to websites using that method.
  • FTP policy: You can restrict users to only download and not upload via FTP.
  • Extensive protocol support: ISA Server 2004 lets administrators control access to and use of any protocol, including IP-level protocols. Users can then use applications such as 'ping' and 'tracert', and create VPN connections using PPTP. In addition, ISA Server helps enable IPSec traffic.
  • Customizable protocol definitions: With ISA Server, you can control the source and destination port number for any protocol for which a firewall rule is created. This gives the firewall administrator a high level of control over which packets are allowed inbound and outbound through the firewall.
  • Authentication: Firewall users can be authenticated using built-in Windows, RADIUS, or RSA SecurID authentication.
  • Firewall Rule wizards: The server includes a new set of rule wizards that make it easier to create user and protocol access policies than in ISA 2000.
  • User/group-based access policy: Enhanced firewall rules help administrators define the source and destination for each protocol accessible to a user or group. This increases flexibility for inbound and outbound access control.
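The HTTP filtering features listed above (allowed methods, file name extensions, "HTTP Signatures" and executable-content blocking) can be pictured as one decision made on each request/response pair. The following Python sketch is an added illustration, not ISA Server code: the policy values, the signature patterns, the host name example.test and the MZ/PE header check are assumptions made for the example.

```python
# Added illustration, not ISA Server code: a toy application-layer HTTP filter.
from dataclasses import dataclass, field

@dataclass
class HttpPolicy:
    allowed_methods: set = field(default_factory=lambda: {"GET", "HEAD"})
    blocked_extensions: tuple = (".exe", ".scr")
    # Constructed "HTTP signatures": (part of the exchange, byte pattern).
    signatures: tuple = (
        ("request_headers", b"user-agent: examplep2p"),
        ("request_url", b"/tunnel.cgi"),
    )
    block_executables: bool = True

def is_windows_executable(body: bytes) -> bool:
    """Assumed check: DOS 'MZ' magic plus the 'PE\\0\\0' header it points to."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(body[0x3C:0x40], "little")
    return body[pe_offset:pe_offset + 4] == b"PE\0\0"

def inspect_http(policy, method, url, req_headers=b"", req_body=b"", resp_body=b""):
    """Return (allowed, reason) for one HTTP request/response pair."""
    if method.upper() not in policy.allowed_methods:
        return False, "method"
    path = url.split("?", 1)[0].lower()
    if path.endswith(policy.blocked_extensions):
        return False, "extension"
    parts = {
        "request_url": url.lower().encode(),
        "request_headers": req_headers.lower(),
        "request_body": req_body.lower(),
        "response_body": resp_body.lower(),
    }
    for where, pattern in policy.signatures:
        if pattern in parts[where]:
            return False, "signature:" + where
    # Content check runs last, so a renamed executable is still caught here.
    if policy.block_executables and is_windows_executable(resp_body):
        return False, "executable-content"
    return True, "ok"

# Constructed sample: minimal MZ/PE header bytes, served under an image name.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"

if __name__ == "__main__":
    policy = HttpPolicy()
    print(inspect_http(policy, "POST", "http://example.test/form", req_body=b"a=1"))
    print(inspect_http(policy, "GET", "http://example.test/photo.jpg", resp_body=FAKE_PE))
```

The second call shows why the content check matters: the URL ends in .jpg, so the extension rule passes, but the response body still carries an executable header and is denied.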

Now let's find out how you can upgrade to ISA 2004 or install it.


Upgrading from ISA Server 2000

Currently, only the Standard Edition of ISA Server 2004 is available. It supports upgrading from ISA Server 2000 Standard Edition running Service Pack 1 only, and not from ISA Server 2000 Enterprise Edition.

The ISA 2004 management interface is much more intuitive and easy-to-use than ISA 2000

Export your current ISA 2000 settings, before you proceed to the next step, by pressing the export button

Select the IP address range and the network adapter that are part of your internal network

To upgrade to ISA 2004 from ISA 2000, run the ISA 2004 setup. The setup detects the installation of the previous version of ISA. It then asks you to use the 'Migration Tool', provided along with the setup, to preserve the existing ISA Server 2000 configuration. If you skip this process, the existing configuration settings will be discarded and the default settings will be applied to ISA 2004. Run the Migration Tool by clicking on the "Export..." button.

The Migration Tool will ask for the Default Firewall Policy for ISA 2004. For "Default Policy" you can either allow or deny clients on the 'Internal' network access to the ISA Server 2004 computer. ISA 2000 allows client access by default, but ISA 2004 adds the option of denying Internal users access to the firewall computer, which is more secure. Choose the setting according to your needs. Next, the Migration Tool asks you to create the configuration file. Just press the "Create" button and the configuration file will be saved as %windir%\temp\Isa2k_Upgrade\isa 2k_config.xml. After this, the Migration Tool finishes and the setup continues. Note that the setup deletes all ISA Server 2000 auto-generated files, log files and cache-related files, and informs you about this.

After the setup completes, start the ISA Server Management console. You now need to import your previous ISA Server 2000 configuration settings into the new installation. To do that, open the ISA 2004 management console, select your computer name, click on the "Action" button and select "Import". A dialog box will warn you that importing settings will overwrite existing settings. Say yes to it and browse to the file saved at the location mentioned above. Select the file and all your previous settings will be restored onto the new installation.

However, there are a few settings that will not get upgraded. These are: logging and reporting settings; permission settings such as system access control lists (SACLs); and H.323 Gatekeeper settings.


Fresh installation of ISA Server 2004

To do a fresh installation of ISA Server 2004, just run the setup; most of the steps required after that are simple. The thing to take care of is the "internal network address ranges". Select the network adapter that is connected to the internal network. You can also add the private IP address ranges as your internal network address range.

Now that we have talked about the new features of ISA Server 2004, upgrading an existing ISA Server 2000 setup and doing a fresh install, we will look into configuring ISA 2004 for various things like firewall, VPN, and Web cache in the coming issues.

Anoop Mangla