WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
Blocking and Logging Internal Traffic Sent to ISA Server
To unconditionally block and log all traffic that is sent from
the internal network to ISA Server, follow these steps:
- Start Registry Editor, and then locate and click the
following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MspFltEx
- Add a registry key named Parameters (if one does not
already exist).
- Under the Parameters key, add a DWORD value named
LogAllInterfaces.
- Set the LogAllInterfaces value to any non-zero value (such
as 1).
This setting blocks all traffic that is sent to the ISA Server
internal IP addresses. The blocked packets are also logged in the ISA Server
packet filter log as "INTERNAL."
NOTE: Setting this registry value disables various ISA Server services
such as firewall clients, array functionality, Web proxy listeners,
authentication to domain controllers, and so on. You can still use ISA Server
as a standalone server that is not a part of any domain, and support complete
SecureNAT client functionality.
Blocking and Logging Outbound ICMP Traffic
To unconditionally block and log all outbound ICMP traffic that
is sent from the internal network to the external network, follow these steps:
- Apply the Isahf51.exe hotfix.
The following
file is available for download from the Microsoft Download
Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
This file is also available at the
following Microsoft Web site:
- Start Registry Editor, and then locate and click the
following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MspFltEx
- Add a registry key named Parameters (if one does not
already exist).
- Under the Parameters key, add a DWORD value named
BlockOutboundICMP.
- Set the BlockOutboundICMP value to any non-zero value (such
as 1).
This setting blocks all ICMP traffic that is sent by internal
clients to the external network. The blocked packets are also logged in the ISA
Server packet filter log as "INTERNAL."
NOTE: Setting this registry value unconditionally blocks outbound ICMP
traffic and overrides any existing ISA Server settings for ICMP.
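Both procedures above make the same kind of change, so the following added example (not Microsoft's code and not part of the original article) reports and sets either value from a script instead of Registry Editor. It assumes PowerShell 2.0 or later is installed on the ISA Server computer and is run elevated; the function names Get-IsaFilterFlag and Set-IsaFilterFlag are hypothetical, while the key and value names are the ones given in the article.

```powershell
# Added example: key and value names come from the article; function names are hypothetical.
$ServiceKey = 'HKLM:\System\CurrentControlSet\Services\MspFltEx'
$ParamKey   = Join-Path $ServiceKey 'Parameters'
$KnownFlags = 'LogAllInterfaces', 'BlockOutboundICMP'

function Get-IsaFilterFlag {
    # Report each flag as Enabled (non-zero), Disabled (zero) or NotSet (value absent).
    foreach ($flag in $KnownFlags) {
        $item = Get-ItemProperty -Path $ParamKey -Name $flag -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'NotSet'; $current = $null
        } elseif ($item.$flag -ne 0) {
            $state = 'Enabled'; $current = $item.$flag
        } else {
            $state = 'Disabled'; $current = 0
        }
        New-Object PSObject -Property @{ Name = $flag; State = $state; Value = $current }
    }
}

function Set-IsaFilterFlag {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('LogAllInterfaces', 'BlockOutboundICMP')]
        [string] $Name,
        [uint32] $Value = 1   # any non-zero value turns the setting on
    )
    # Refuse to create the service key itself; only the Parameters subkey is ours to add.
    if (-not (Test-Path $ServiceKey)) {
        throw "Registry key $ServiceKey was not found on this computer."
    }
    # Add the Parameters key only if one does not already exist.
    if (-not (Test-Path $ParamKey)) {
        New-Item -Path $ParamKey | Out-Null
    }
    # Create or overwrite the DWORD value, then read it back to confirm.
    New-ItemProperty -Path $ParamKey -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    Get-IsaFilterFlag | Where-Object { $_.Name -eq $Name }
}

# Read-only check of the current state of both values:
Get-IsaFilterFlag

# Uncomment one line to apply a setting. Per the article, LogAllInterfaces disables
# firewall clients, array functionality and Web proxy listeners, and BlockOutboundICMP
# requires the Isahf51.exe hotfix and overrides existing ISA Server ICMP settings.
# Set-IsaFilterFlag -Name LogAllInterfaces
# Set-IsaFilterFlag -Name BlockOutboundICMP
```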
NOTE: If you are saving a hotfix locally, please be sure to refresh it
from the Hotfix servers.
NOTE: Although the above note should prevent this, you may see that
three redundant values were added to the registry. These will have to be fixed
for IIS to work properly. For more information, please see the following
article in the Microsoft Knowledge Base:
296638 Starting Internet Services Manager May Cause Error Message