Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Blocking and Logging Traffic on ISA Server Internal Interfaces


View products that this article applies to.

Summary

By default, Internet Security and Acceleration (ISA) Server 2000 does not apply packet filtering to the internal interfaces (as determined by the local address table). If you want to filter traffic on those interfaces, use the methods that are described in the "More Information" section of this article.

Note The hotfix cited in the "Blocking and Logging Internal Traffic Sent to ISA Server" section of this article is also available in ISA Server 2000 Service Pack 1 (SP1) and later.

↑ Back to the top


More information

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Blocking and Logging Internal Traffic Sent to ISA Server

To unconditionally block and log all traffic that is sent from the internal network to ISA Server, follow these steps:
  1. Start Registry Editor, and then locate and click the following registry key:
    HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/MspFltEx
  2. Add a registry key named Parameters (if one does not already exist).
  3. Under the Parameters key, add a DWORD value named LogAllInterfaces.
  4. Set the LogAllInterfaces value to any non-zero value (such as 1).
This setting blocks all traffic that is sent to the ISA Server internal IP addresses. The blocked packets are also logged in the ISA Server packet filter log as "INTERNAL."

NOTE: Setting this registry value disables various ISA Server services such as firewall clients, array functionality, Web proxy listeners, authentication to domain controllers, and so on. You can still use ISA Server as a standalone server that is not a part of any domain, and support complete SecureNAT client functionality.

Blocking and Logging Outbound ICMP Traffic

To unconditionally block and log all outbound ICMP traffic that is sent from the internal network to the external network, follow these steps:
  1. Apply the Isahf51.exe hotfix. The following file is available for download from the Microsoft Download Center:
    For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    119591 How to Obtain Microsoft Support Files from Online Services
    Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. This file is also available at the following Microsoft Web site:
  2. Start Registry Editor, and then locate and click the following registry key:
    HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/MspFltEx
  3. Add a registry key named Parameters (if one does not already exist).
  4. Under the Parameters key, add a DWORD value named BlockOutboundICMP.
  5. Set the BlockOutboundICMP value to any non-zero value (such as 1).
This setting blocks all ICMP traffic that is sent by internal clients to the external network. The blocked packets are also logged in the ISA Server packet filter log as "INTERNAL."

NOTE: Setting this registry value unconditionally blocks outbound ICMP traffic and overrides any existing ISA Server settings for ICMP.

NOTE: If you are saving a hotfix locally, please be sure to refresh it from the Hotfix servers.

NOTE: Although the above note should prevent this, you may see that three redundant values were added to the registry. These will have to be fixed for IIS to work properly. For more information, please see the following article in the Microsoft Knowledge Base:
296638 Starting Internet Services Manager May Cause Error Message

↑ Back to the top


Keywords: KB283213, kbwin2000presp2fix, kbinfo, kbgraphxlinkcritical, kbfix, kbdownload, kbdownload, kbhotfixserver, kbqfe, kbproductlink

↑ Back to the top

Article Info
Article ID : 283213
Revision : 7
Created on : 10/26/2007
Published on : 10/26/2007
Exists online : False
Views : 449