The Unihomed Web Cache Mode ISA Server, Part 1: Outbound Access
By Thomas W Shinder, M.D.
I spend most of my time installing and configuring ISA Servers to be firewalls. You need to install it in firewall or integrated mode if you want to make the ISA Server a firewall. I usually install ISA Server in integrated mode. In that way I can leverage all the features of the Firewall and Web Proxy services. I trust the ISA Server to protect itself and the rest of the network, so why wouldn’t I use it as my firewall?
You don’t have to use ISA Server as a firewall. Many organizations already have firewalls in place that they’ve spend big money on, and they’re not interested in wasting the tens or hundreds of thousands of dollars they’ve spent on their existing firewalls. Other companies may be interested in using ISA Server as a firewall, but they’re not quite sure yet if they can trust it. Still other companies are very happy with the firewall they’re using, but they’d like to take advantage of ISA Server’s advanced Web Proxy service that allows both outbound access control and Web Publishing.
It’s for these reasons and more that Microsoft decided to implement the Cache Mode installation of ISA Server. Cache Mode allows you to install ISA Server on a machine with a single network interface card and use that machine as both a caching proxy and Web Publishing server. This unihomed ISA Server can connect to the Internet through your existing firewall.
The figure below shows the basic infrastructure. You have a firewall that sits at the edge of the network. This is typically a packet filtering device, such as a PIX or Checkpoint firewall, and there may be one or more of them at the network edge. The unihomed ISA Server and the Web Proxy clients are on the internal, trusted network. The unihomed ISA Server is configured in cache mode and accesses the Internet through the existing firewall solution. The ISA Server can be configured to exert access control over the Web Proxy clients on the internal network, and the existing firewall can be configured to exert its own access control over the ISA Server’s outbound access attempts.
What happens when the Web Proxy client sends a request to the unihomed, caching only ISA Server? Take a look at the figure below.
- A machine configured as a Web Proxy client sends a request for http://www.stuff.com to the ISA Server. The request is sent directly to the ISA Server’s IP address because the Web Proxy client knows the IP address of the Web Proxy server. This allows you to put the ISA Server on any network segment that Web Proxy clients can reach.
- The ISA Server checks its cache to see if it already has the Web object. If it already has the Web object, it will send a cached copy to the client and end the transaction. If the ISA Server doesn’t have the page cached, or if the page has expired, then the ISA Server will send the request to the Internet through the existing firewall solution.
- The existing firewall solution handles the request based on its own configuration. The existing firewall solution can have its own inbound and outbound access controls that can influence whether the page is accessible by the ISA Server. Keep in mind that the ISA Server is like any other network client trying to access the Internet. The ISA Server and the black box are not aware of each other, so the black box doesn’t make any special allowances for the ISA Server.
- The Web object is returned from the Internet server through the existing firewall to the ISA Server. The ISA Server puts the Web object in its cache.
- The ISA Server then forwards the cached object to the Web Proxy client.
Notice that this is just about the same as how it works when the ISA Server is also acting as the firewall. The difference here is that the unihomed ISA Server is subject to access controls of the existing firewall solution.
You can even configure an enterprise caching array using unihomed caching-only ISA Servers, as seen in the figure below. Caching arrays allow you to significantly improve the user experience and they also provide load balancing and fault tolerance for Web protocol access for Web Proxy clients.
The unihomed ISA Server can also be configured to publish Web servers on your internal network. Most black box firewalls don’t understand higher level protocols, or do so on a superficial level. For example, one thing these black boxes don’t do is inspect content in SSL sessions. What you can do is configure the black box to pass TCP 443 to the unihomed caching only ISA Server. That will allow you to use Web Publishing Rules to securely publish SSL Web sites, including Outlook Web Access sites. We’ll go into the details of how you can use Web Publishing Rules on the unihomed caching only ISA Server next week. (BTW – its really cool!)
In this article I’ll go over how to use the unihomed caching-only ISA Server to control outbound access and provide high speed caching for Web Proxy clients. The procedure is fairly simple and you should be able to get it up and running in no time. Things you need to do to make it work include:
Let’s take a closer look at the steps.
Configure the non-ISA Server Firewall/Internet Access Device
The Internet access device or gateway needs to be configured to allow the ISA Server to access HTTP, HTTPS, FTP and Gopher content you want it to be able to access. The ISA Server is a client to the Internet access device just like any other client on the internal network. It’s not expected that the Internet gateway device and the ISA Server share any special information with one another.
If you are try to exert strong outbound access controls, you could configure your packet filtering device to allow the IP address of the unihomed caching only ISA Server to access outbound TCP 80, TCP 443, TCP 21 and TCP 70. If you don’t use Gopher, you can go without the TCP 70 filter.
If you are going to use the unihomed caching-only ISA Server to allow FTP downloads for your Web Proxy clients, you probably can’t take it for granted that your Internet access device has the intelligence to handle Standard mode FTP. To solve this problem you can force the Web Proxy service to use PASV mode FTP connections to the Internet. Any stateful packet filtering device can handle PASV mode. Perform the following steps on the ISA Server to force FTP connections to be PASV mode:
- Open regedit.
- Locate the following registry key:
- In the right pane of the Registry Editor, right-click NonPassiveFTPTransfer, and click Modify.
- In the Value data box, type 0 (zero), then click OK. Note: the default value of this setting is 1.
- Quit Registry Editor, and then restart the ISA Server Web Proxy service. You do not need to restart the server.
Note that if you have an intelligent packet filtering device, or even a simple NAT Internet connection device with an FTP NAT editor, you can allow the Web Proxy service to use its default, which is PORT or Standard mode, to access Internet FTP sites. For more information on how ISA Server and Web Proxy clients handle FTP, check out Stefaan Pouseele’s article on this subject.
Configure the Supporting Network Infrastructure
OK, I know I’ve gone over this about a million times, but its very important and its worth mentioning a million times. You need to configure the network to support the ISA Server solution. Fortunately, in the instance of your unihomed web caching only ISA Server, it’s a lot easier to create the supporting infrastructure.
DNS is critical to all networks. You need to configure your internal DNS infrastructure so that internal network clients are able to identify the ISA Server by its Fully Qualified Domain Name. All network clients should be able to do this, including those clients belonging to domains different from the ISA Server’s domain. If Web Proxy clients are configured to resolve the name of the ISA Server by its host name only, then you must make sure that when the clients fully qualify the unqualified name that the result is the correct name of the ISA Server.
This is especially important when using WPAD entries to support Autodiscovery. When the Web Proxy client is configured to use Autodiscovery to find the Web Proxy server, it will send a DNS query for wpad.domain.com. The "domain.com" is based on how the Web Proxy client computer fully qualifies unqualified names. For Windows 2000 and Windows XP clients, the DNS client software will append the Web Proxy client computer’s primary domain name to the unqualified names before sending them for name resolution. However, you don’t have to do it this way. The important thing to remember is that Web Proxy clients need to resolve both the ISA Server’s host name and WPAD correctly.
You can configure WINS servers to take the place of DNS. But given the way that Windows 2000 and later Windows clients resolve network names, you only slow things down by using WINS to support the ISA Server.
You need to ensure that your routing infrastructure is correct. All Web Proxy clients need to know a route to the unihomed caching-only ISA Server, and the unihomed caching only ISA Server need to be able to route back to the Web Proxy clients. The nice thing about the Web Proxy client configuration is that you don’t have to make profound changes to your network’s routing infrastructure to support it. The Web Proxy clients already know the IP address of the Web Proxy server. Rather than depending on the default gateway configuration on potentially multiple routers (which is the case with the SecureNAT client), Web Proxy clients send the requests directly to the Web Proxy server.
The primary routing concern is that the unihomed caching-only ISA Server must be configured with a default gateway that knows the route to your Internet access device. This means your unihomed caching-sonly ISA Server is a "de facto" SecureNAT client to your existing firewall solution. You might consider putting the ISA Server on the network ID directly connected to the internal interface of Internet access device. This will get around the possibility of needing to change default gateway settings on network routers.
Configure the ISA Server for Outbound Access
Configuring the TCP/IP Settings on the unihomed caching-only ISA Server is a lot easier than configuring them on a fully functional ISA Server firewall. All you need to do is assign the ISA Server a valid IP address and subnet mask, a default gateway that will route Internet bound requests to your Internet access device, and a DNS server that can resolve Internet host names. The best option for the DNS server is an internal network server that has been configured to use a Forwarder to resolve Internet host names.
Installing the ISA Server in cache only mode is a bit different then what you might be used to if you usually install in integrated mode. The main difference is that there is no LAT to configure. The unihomed caching-only ISA Server doesn’t use a LAT because it’s connected to a single network; there is no concept of internal and external, trusted or untrusted. The unihomed caching-only ISA Server accepts requests for Web objects, obtains the objects from the Internet servers, and sends these objects back to the Web Proxy clients using the same interface. The Incoming Web Requests and the Outgoing Web Requests listeners are on the same physical adapter.
Perform the following steps to install ISA Server in cache-only mode:
- Let the ISA Server CD autorun, or open ISAAutorun.exe from the CD.
- Click the Install ISA Server link on the install page.
- Click Continue on the Welcome to the Microsoft ISA Server installation page.
- Enter your CD Key in the CD Key dialog box. Click OK.
- Note your product ID. Write it down just in case. Click OK.
- On the License Agreement page, read the EULA and click I Agree.
- On the installation type page, click on the Custom Installation button.
- On the Options list page, click Continue.
- In this example we’re installing ISA Server as a stand-alone server. Click Yes in the dialog box that explains that you haven’t performed the enterprise initialization.
- On the ISA Server Mode page, select the Cache Mode option and click Continue.
- If IIS is installed on the ISA Server, click OK to allow the ISA Server to stop the IIS WWW service during installation. Note that the WWW service be stopped only until the ISA Server is restarted. You should disable IIS on the ISA Server, or configure the ISA Server with multiple IP addresses and configure all Web sites to listen on IP addresses not used by the Web Proxy listeners. Click OK.
- On the cache size page, select the drive and configure the size of the cache. Click OK.
- The files are installed. Leave the checkmark in the Start ISA Server Getting Started Wizard checkbox and click OK.
- If everything works out, you’ll be taken to the Getting Started page.
- Now install ISA Server Service Pack 1. After Service Pack 1 is installed, install ISA Server Feature Pack 1.
I typically recommend that you immediately switch the ISA Server view to Advanced, but in caching-only mode, there is a handy button you can press to create an "Internet Access" Protocol Rule:
- Expand the Servers and Arrays node and expand your server name.
- Expand the Access Policy node and click on the Protocol Rules node. Click on the Create a Protocol Rule for Internet Access icon.
- Type in a name for the rule on the Welcome to the New Protocol Rule Wizard page. In this example, I’ll call this All Open. Click Next.
- On the Protocols page, remove the checkmarks from any protocols you don’t want applied to this rule. Since we’re creating an All Open rule, we’ll leave all the protocols selected. Click Next.
- On the Schedule page, select the Always schedule. You would change this based on your network’s requirements. Click Next.
- On the Client Type page, select the appropriate option. In most circumstances you’ll select the Specific users and groups option. You would select this option because the Web Proxy client can leverage user/group membership to control outbound access. Select Specific users and groups and click Next.
- On the Users and Groups page, click the Add button. Select your domain and then select the Domain Users group. Double click on the group and click OK. This will allow members of the domain to access the Internet via this Protocol Rule. If users can’t authenticate, they won’t be able to connect to the Web. Click Next.
- Review your settings and click Finish on the Completing the New Protocol Rule Wizard page.
You don’t need to create any packet filters or Site and Content Rules at this point. Packet filtering isn’t available with the unihomed caching-only ISA Server, and there is a default Site and Content Rule that allows everyone access to all sites at all times. You will want to change this site and content rule or disable it later so that you can have better control over what sites users can access. For a discussion on creating Site and Content Rules for Web Proxy client access control, check out Controlling Outbound Access for Web Proxy Clients with Site and Content Rules.
Configure the Clients for Proxy Use
Browsers must be configured to use the ISA Server as their Proxy server. This is what makes them Web Proxy clients. You can manually configure the browsers or you can take advantage of WPAD entries and allow the browsers to automatically detect the address of the Web Proxy server. Automatic discovery is supported by Internet Explorer 5.0 and above. The following steps take place when the IE 5+ attempts to autodiscover the Web Proxy server:
- When the client makes a Web request, the client connects to a DNS or DHCP server.
- The DNS server or the DHCP server has a WPAD entry that points to a WPAD server which is the ISA Server computer.
- Client requests are fulfilled by the ISA Server computer which was identified by the WPAD entry in the DNS server or DHCP server. The ISA Server can also provide the Autoconfiguration script if it is configured to advertise Autodiscovery information.
The trace below shows Internet Explorer sending a query to DNS for the wpad alias and receiving a response.
The figure below shows the Internet Explorer dialog box you use for proxy configuration. The Automatically detect settings option causes the browser to query DHCP or DNS for the WPAD entry. The Use automatic configuration script option allows you to manually configure the client to use the Autoconfiguration script. I highly recommend that you configure clients to use the Autoconfiguration script because it provides valuable information that is used for Direct Access and client side CARP routing. The Use a proxy server for your LAN option allows you to manually enter the IP address or name of the proxy server.
The Automatically detect settings option behaves in different ways, depending on how the ISA Server is configured. If you right click on your server name in the ISA Management console, click Properties and then click the Auto Discovery tab, you’ll see what appears in the figure below. The default setting is to disable Autodiscovery. If the Automatically detect settings option is configured on the Web browser and Autodiscovery is disabled on the ISA Server, the Web browser will only receive the IP address of the Web Proxy server. This has the same effect as selecting only the Use a proxy server for you LAN option and typing in the IP address; no Autoconfiguration information is sent to the Web browser.
However, if you configure the ISA Server to Publish automatic discovery information by putting a checkmark in the checkbox, the Web browser configured to Automatically detect settings will get the IP address of the ISA Server and will also receive the Autoconfiguration script. This has the same effect as selecting the Use automatic configuration script option and manually inputting the Autoconfiguration script address. You can see the Browser requesting the Autoconfiguration script in the figure below.
You can configure WPAD entries in either DNS or DHCP. I prefer DNS because there are issues related to DHCP deliver of wpad information that adversely affects its functionality in some cases. For more information on this problem, check out MSKB 312864. Check your Configuring ISA Server 2000 book for details on configuring the WPAD entries.
In this article we went over how you configure a unihomed caching-only ISA Server to allow you outbound access control and high performance caching for internal network clients. The unihomed caching-only ISA Server is a nice option for those organizations that already have a firewall in place and do not wish to tear it down. We went over the configuration requirements for the network, the ISA Server and the Web Proxy client. In the second part of this article, we’ll go over how you can use the unihomed caching-only ISA Server publish Web servers on the internal network.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over tohttp://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=4;t=000522 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom