You need to configure protocol rules if you want to allow clients on your internal network to access the Internet. Together with site and content rules and IP packet filters, protocol rules define your access policy. Protocol rules specify which particular protocols are allowed to pass through ISA Server from which clients and at what times.
After this lesson, you will be able to

- Describe the function of protocol rules
- Give several examples of protocol definitions preconfigured in ISA Server
- Create and configure protocol rules in ISA Server

Estimated lesson time: 40 minutes

Protocol Rules
Protocol rules determine which protocols clients can use to access the Internet. You can define protocol rules that allow or deny use of one or more protocol definitions. You can configure protocol rules to apply to all IP traffic or to a specific set of protocol definitions.
For SecureNAT clients, you can apply protocol rules to all computers or to a set of computers specified by IP addresses. For Firewall clients, you can apply protocol rules to all computers, to a set of computers specified by IP addresses, or to specific users and groups defined in Windows 2000.
Follow these steps to create a protocol rule:

1. In the console tree of ISA Management, right-click Protocol Rules, point to New, and then click Rule.
2. In the New Protocol Rule Wizard screen, type the name of the protocol rule, and then click Next.
3. On the Rule Action page, specify whether the rule allows or denies the request, and then click Next.
4. On the Protocols page, specify the protocols to which the rule applies, and then click Next.
5. On the Schedule page, specify when the rule is applied, and then click Next.
6. On the Client Type page, specify to which clients the rule applies, and then click Next.
If an enterprise policy is applied to this array, only deny-type rules can be created.
You can also modify protocol rules you have previously created at any time. To do this, simply access the protocol rule's properties dialog box in ISA Management.
Follow these steps to modify a protocol rule:

1. In the console tree of ISA Management, click Protocol Rules.
2. On the View menu, select Advanced.
3. In the details pane, right-click the applicable protocol rule, and then click Properties.
4. On the Protocol tab, do one of the following:
   - If the rule applies to all protocols, even those not explicitly defined by ISA Server, click All IP Traffic.
   - If you want the rule to apply to protocols that you select, click Selected Protocols.
   - If the rule applies to all IP traffic except those protocols you select, click All IP Traffic Except Selected.
5. If you chose Selected Protocols or All IP Traffic Except Selected, in Protocols, select one or more protocol definitions.
If the protocol definition that you want to specify does not exist, you can click New to create it, and then select it in the list.
Protocol Rule Configuration Scenario
Suppose you want to prohibit a group of users in your organization from using MSN Messenger during work hours. If the Firewall Client software has been installed and enabled on all your client computers, you can create a protocol rule to enforce this policy by configuring the following parameters:
- Set Action to Deny The Request.
- Choose Selected Protocols.
- Select the MSN Messenger protocol.
- Select the Work Hours schedule.
- Select the Specific Users And Groups radio button, as shown in Figure 4.9.
- Select the appropriate user group.
Figure 4.9 Applying a protocol rule to specific users
ISA Server includes a list of 86 preconfigured, well-known protocol definitions, including the most widely used Internet protocols. You can also add or modify additional protocols. Note that if ISA Server is installed in Cache mode, protocol rules can be applied only to HTTP, HTTPS, Gopher, and FTP protocols.
When a client requests an object by using a specific protocol, ISA Server checks the protocol rules. If a protocol rule specifically denies use of the protocol, the request is denied. Furthermore, the request is processed only if a protocol rule specifically allows the client to use the specific protocol and if a site and content rule specifically allows access to the requested object. In other words, you must perform the following procedure to allow access:
1. Create a protocol rule, indicating which protocols can be used to access the specific destinations.
2. Create a site and content rule, indicating which clients are allowed access to specific destination sets.

When you install ISA Server in Integrated mode or Firewall mode, a site and content rule is already enabled by default that allows access to all sites and content types.

Application Filters and Protocol Availability
ISA Management provides information about all 86 preconfigured protocols, along with any new protocols you define, in the Protocol Definitions folder of the Policy Elements node. When you look at the list of protocol definitions on the details pane in ISA Management, you will see that some of these protocols are defined by ISA Server, and others are defined by application filters.
The list of protocol definitions is shown in Figure 4.10.
Figure 4.10 Protocols may be defined by ISA Server or by application filters.
For the protocols created and installed by application filters, when the source application filter is disabled, all corresponding protocol definitions are also disabled. That is, traffic that uses this protocol definition is blocked. For example, if you disable the streaming media filter, all traffic that uses the Windows Media and Real Networks protocol definitions is blocked.
Note that some application filters work with protocols that are defined by ISA Server and not by the application filter itself. When these application filters are disabled, the corresponding protocol definitions are not disabled. For example, even if you disable the SMTP filter, SMTP packets may still be allowed to pass because the SMTP protocol is defined by ISA Server and not by the SMTP filter.
Unlike routing rules, protocol rules are not given order of priority, but deny-type protocol rules take priority over rules that allow access. For example, if you create two rules, one that allows use of all protocols and one that denies use of the SMTP protocol, the SMTP protocol will not be allowed.
Array-Level and Enterprise-Level Protocol Rules
Protocol rules can be created at both the array level and at the enterprise level. When an array policy is permitted in addition to an enterprise policy, the array policy's protocol rules can only further restrict enterprise-level protocol rules. In other words, the array-level protocol rules can only deny use of specific protocols when an enterprise policy is applied.
When you select Protocol Rules on the scope pane in ISA Management, you can use the taskpad in the details pane to create a protocol rule that allows users to access the Internet by using only specific Web protocols. You can achieve this by clicking the icon named Allow Web Protocols. Table 4.1 lists these Web protocol definitions, all of which are preconfigured when you install ISA Server, either by ISA Server or by an application filter installed with ISA Server.
Table 4.1 Protocols Configured by Allow Web Protocols
| Name | Port number | Protocol type | Defined by | Description |
|---|---|---|---|---|
| FTP client | 21 | TCP | FTP access filter | FTP, used for copying files between hosts |
| FTP download only | 21 | TCP | FTP access filter | FTP, used for copying files between hosts |
| Gopher | 70 | TCP | ISA Server | Menu-driven front end to other Internet services, including Archie and Wide Area Information Server (WAIS) |
| HTTP | 80 | TCP | ISA Server | HTTP, used to implement the World Wide Web |
| S-HTTP (HTTPS) | 443 | TCP | ISA Server | Version of HTTP that uses Secure Sockets Layer (SSL) for encryption |
Protocol Definitions that are Installed with ISA Server
Table 4.2 lists the protocol definitions that are included with ISA Server.
Table 4.2 Predefined Protocols in ISA Server
| Protocol name | Description |
|---|---|
| Any RPC Server | Allows all RPC interfaces |
| AOL Instant Messenger | |
| Archie | |
| Chargen (TCP) | Character generator (TCP) |
| Chargen (UDP) | Character generator (UDP) |
| Daytime (TCP) | |
| Daytime (UDP) | |
| Discard (TCP) | |
| Discard (UDP) | |
| DNS Query | Domain Name System |
| DNS Query Server | Domain Name System – Server |
| DNS Zone Transfer | |
| DNS Zone Transfer Server | |
| Echo (TCP) | |
| Echo (UDP) | |
| Exchange RPC Server | Allows publishing Exchange server for RPC access from external network |
| Finger | |
| FTP | File Transfer Protocol |
| FTP Download only | File Transfer Protocol – Read only |
| FTP Server | File Transfer Protocol – Server |
| Gopher | |
| H.323 | H.323 video conferencing |
| HTTP | Hyper Text Transfer Protocol |
| HTTPS | Secure Hyper Text Transfer Protocol |
| HTTPS Server | Secure Hyper Text Transfer Protocol – Server |
| ICA | Citrix Intelligent Console Architecture |
| ICQ | ICQ instant messenger protocol (legacy) |
| ICQ 2000 | |
| Ident | |
| IKE | Internet Key Exchange |
| IMAP4 | Interactive Mail Access Protocol |
| IMAP4 Server | |
| IMAPS | Secure Interactive Mail Access Protocol |
| IMAPS Server | |
| IRC | Internet Relay Chat |
| Kerberos-Adm (TCP) | Kerberos administration (TCP) |
| Kerberos-Adm (UDP) | Kerberos administration (UDP) |
| Kerberos-IV | Kerberos IV authentication |
| Kerberos-Sec (TCP) | Kerberos V authentication (TCP) |
| Kerberos-Sec (UDP) | Kerberos V authentication (UDP) |
| LDAP | Lightweight Directory Access Protocol |
| LDAP GC (Global Catalog) | |
| LDAPS | Secure Lightweight Directory Access Protocol |
| LDAPS GC (Global Catalog) | |
| Microsoft SQL Server | |
| MMS – Windows Media | |
| MMS – Windows Media Server | |
| MSN | MSN Internet Access |
| MSN Messenger | |
| Net2Phone | |
| Net2Phone Registration | |
| NetBIOS Datagram | |
| NetBIOS Name Service | |
| NetBIOS Session | |
| NNTP | Network News Transfer Protocol |
| NNTP Server | |
| NNTPS | Secure Network News Transfer Protocol |
| NNTPS Server | Secure Network News Transfer Protocol |
| NTP (UDP) | Network Time Protocol (UDP) |
| PNM (Real Networks) protocol Client | Real Networks Streaming Media Protocol – Client |
| PNM (Real Networks) protocol Server | Real Networks Streaming Media Protocol – Server |
| POP2 | Post Office Protocol v.2 |
| POP3 | Post Office Protocol v.3 |
| POP3 Server | |
| POP3S | Secure Post Office Protocol v.3 |
| POP3S Server | |
| Quote (TCP) | Quote of the day (TCP) |
| Quote (UDP) | Quote of the day (UDP) |
| RADIUS | Remote Authentication Dial-In User Service |
| RADIUS Accounting | |
| RDP (Terminal Services) | Remote Desktop Protocol (Terminal Services) |
| RIP | Routing Information Protocol |
| Rlogin | Remote login |
| RTSP | Real Time Streaming Protocol – Client |
| RTSP Server | Real Time Streaming Protocol – Server |
| SMTP | Simple Mail Transfer Protocol |
| SMTP Server | |
| SMTPS | Secure Simple Mail Transfer Protocol |
| SMTPS Server | |
| SNMP | Simple Network Management Protocol |
| SNMP Trap | Simple Network Management Protocol – Trap |
| SSH | Secure Shell |
| Telnet | |
| Telnet Server | |
| TFTP | Trivial File Transfer Protocol |
| Time (TCP) | |
| Time (UDP) | |
| Whois | Nickname/Whois protocol |
Practice: Assigning Protocol Rules to User Accounts
In this practice, you observe that Web sessions are handled anonymously by default; that is, when the default array properties have not been modified to require user identification and when no allow-type rule has been configured that requires authentication. Under these conditions, users connecting to the Internet through Web browsers are not affected by deny-type policy rules applied to Windows 2000 user accounts. After configuring ISA Server to pass account information along with all client Web sessions, you will create a protocol rule that denies Internet access for a specific user. Finally, you log on as that user to observe the effects of this new protocol rule.
Exercise 1: Monitoring Sessions in ISA Management
In this exercise, you review client session information in ISA Management that is generated by a Web Proxy client.
To monitor a client Web session in ISA Management

1. On Server1, open the ISA Management console.
2. Click the View menu and then click Advanced.
3. In the console tree, expand the Monitoring node and then select the Sessions folder.
4. If any sessions are listed in the details pane, close them by right-clicking them and selecting Abort Session.
5. On Server2, log on to Domain01 as user1, open Internet Explorer, and browse to http://www.msn.com.
6. While the MSN Web site is downloading, switch to Server1.
7. On Server1, with the Sessions folder still open in the ISA Management console, right-click the details pane and click Refresh.
You should see a new Web Session session type with the user Anonymous, with no client computer name, and with an IP address of 192.168.0.2 (the address of Server2).
Web sessions are anonymous by default. When Web sessions are anonymous, they will not be affected by any deny-type rules you define for specific users. You can force user identification with Web sessions if you create an allow-type rule that requires authentication or if you modify the array properties to require user identification with outgoing Web requests.
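To make the evaluation logic described earlier concrete (deny-type rules override allow-type rules regardless of order, a request needs both an allow-type protocol rule and a permitting site and content rule, and rules scoped to specific accounts never match an anonymous Web session), here is an added Python model of that logic. It is an illustration written for this page, not ISA Server code; the rule and request classes, the sample policy and the account names are constructed, and group membership is simplified to a set of account names.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ProtocolRule:
    """One protocol rule as configured in the New Protocol Rule Wizard (constructed model)."""
    name: str
    action: str                                # "Allow" or "Deny"
    protocols: Optional[FrozenSet[str]]        # None = All IP Traffic
    except_selected: bool = False              # True = All IP Traffic Except Selected
    accounts: Optional[FrozenSet[str]] = None  # None = any client; else Specific Users And Groups
    schedule: str = "Always"                   # "Always" or "Work Hours"


@dataclass(frozen=True)
class Request:
    protocol: str
    user: Optional[str]        # None = anonymous Web session (no user identification)
    work_hours: bool = True
    site_allowed: bool = True  # outcome of the site and content rules (assumed, not modelled)


def covers_protocol(rule: ProtocolRule, protocol: str) -> bool:
    """Protocol tab: All IP Traffic / Selected Protocols / All IP Traffic Except Selected."""
    if rule.protocols is None:
        return True
    selected = protocol in rule.protocols
    return not selected if rule.except_selected else selected


def matches(rule: ProtocolRule, req: Request) -> bool:
    if not covers_protocol(rule, req.protocol):
        return False
    if rule.schedule == "Work Hours" and not req.work_hours:
        return False
    if rule.accounts is None:
        return True
    # A rule for specific users or groups cannot match a session with no account
    # attached, which is why the practice first turns on user identification.
    return req.user is not None and req.user in rule.accounts


def evaluate(rules: List[ProtocolRule], req: Request) -> str:
    """Return 'allowed' or 'denied' for one client request."""
    hits = [r for r in rules if matches(r, req)]
    if any(r.action == "Deny" for r in hits):
        return "denied"          # deny-type rules take priority, whatever their order
    if not any(r.action == "Allow" for r in hits):
        return "denied"          # no protocol rule allows the protocol: refused
    return "allowed" if req.site_allowed else "denied"  # site and content rule must also allow


# Constructed sample policy with hypothetical account names
POLICY = [
    ProtocolRule("Allow all", "Allow", None),
    ProtocolRule("Deny SMTP", "Deny", frozenset({"SMTP"})),
    ProtocolRule("No Messenger at work", "Deny", frozenset({"MSN Messenger"}),
                 accounts=frozenset({"DOMAIN01\\user2"}), schedule="Work Hours"),
    ProtocolRule("DenyUser1", "Deny", None, accounts=frozenset({"DOMAIN01\\user1"})),
]
```

With this policy, `evaluate(POLICY, Request("HTTP", None))` returns "allowed" even though DenyUser1 denies all IP traffic for user1, which is the anonymous-session effect the practice demonstrates.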
Exercise 2: Requiring Authentication for Web Sessions
In this exercise, you disable anonymous Web access and require users accessing the Internet through Web browsers to authenticate themselves. This allows access policy rules configured for specific Windows 2000 users and groups to affect all client Web sessions.
To provide account information with Web sessions

1. On Server1, open the ISA Management console and navigate to MyArray in the console tree.
2. Right-click the MyArray node and select Properties.

The MyArray Properties dialog box appears.

3. Select the Outgoing Web Requests tab.
4. In the Connections area, select the Ask Unauthenticated Users For Identification check box.
5. Verify that the Resolve Requests Within Array Before Routing check box is selected.
6. Click OK.

An ISA Server Warning dialog box appears.

7. Select the Save The Changes But Don't Restart The Service(s) radio button and click OK.
8. Stop and restart the Firewall and Web Proxy services in ISA Management.
9. On the Server2 computer, while you are logged on as user1, open a Web browser and browse to http://www.msn.com.
10. While this page is still downloading, switch to Server1, select the Sessions folder in the ISA Management console tree, right-click the details pane, and select Refresh.
A new Web session is listed in the details pane with a user name DomainName\user1 and client address 192.168.0.2.
Now that you have configured account information to be passed through Web browsers, you can apply ISA Server rules to Windows 2000 users accessing the Internet through Web browsers.
Exercise 3: Assigning a Protocol Rule to a Windows 2000 User
In this exercise, you configure an ISA Server rule to block Internet access for a particular Windows 2000 user.
To assign a protocol rule to a Windows 2000 user

1. On Server1, open the ISA Management console and navigate to MyArray, Access Policy, Protocol Rules.
2. Right-click the Protocol Rules folder, point to New, and then click Rule.

The New Protocol Rule Wizard appears.

3. In the Protocol Rule Name text box, type DenyUser1. Click Next.
4. On the Rule Action screen, select Deny, and then click Next.
5. On the Protocols screen, leave All IP Traffic as the default, and then click Next.
6. On the Schedule screen, leave Always as the default, and then click Next.
7. On the Client Type screen, select the Specific Users And Groups radio button, and then click Next.
8. On the Users And Groups screen, click Add.

The Select Users Or Groups window appears.

9. In the top pane, select user1, click Add, and then click OK.

The Users And Groups screen appears and DOMAIN01\user1 is listed in the Account box.

10. Click Next.

The Completing The New Protocol Rule Wizard screen appears.

11. Click Finish.

The ISA Management console appears. DenyUser1 is listed as a protocol rule in the details pane of the Protocol Rules folder.

12. In the console tree, select the Services folder of the Monitoring node, and then restart the Web Proxy and Firewall services.
13. Switch to Server2. While you are logged on as user1, open Internet Explorer. If you already have an open browser, refresh your browser window.
The Enter Network Password dialog box appears. The user1 account name associated with the Web session has been blocked because of the DenyUser1 protocol rule. If you want to browse the Web while logged on as user1, you must provide the user name and password of another Windows 2000 account that has not been blocked by an ISA Server rule.
By creating protocol rules, you allow or deny clients passage through ISA Server based on particular protocols or sets of protocols. Protocol rules, along with site and content rules and IP packet filters, comprise an ISA Server's access policy.
Whenever a client requests an object beyond the firewall, ISA Server checks the protocol rules first. If a protocol rule does not exist allowing the client to communicate using the specific protocol of the request, or if a protocol rule specifically denies use of the protocol, the request is denied.
The protocols you can reference in protocol rules include a list of preconfigured definitions in ISA Server of the most commonly used protocols for networking and Internet services. You can also configure your own additional protocols for use in protocol rules.