How to Allow Third-Party Internet Application Connections Through ISA Server 2000

This article describes how to allow connections to third-party Internet-based update services. The typical scenario that is addressed in this article is the connection to a software vendor update service from an update application that is connected to the Internet through Microsoft Internet Security and Acceleration Server (ISA) 2000. Update programs include, but are not limited to, programs that download software updates automatically (such as program updates, anti-virus updates, and so forth) or programs that connect to a service provider and update account information, such as Internet postage stamp programs, or Internet shipping management programs.

Requests to the Internet are recognized by ISA as HTTP requests and are sent to the HTTP redirector filter, which is enabled by default in Microsoft Small Business Server 2000. If the HTTP redirector is configured to forward requests to the Web Proxy, the Web Proxy in ISA evaluates the request based on the configuration for outgoing Web requests, protocol rules are checked, and then the Web Proxy authenticates the connection.

The information in this article is based on the following assumptions:

• Applications connect to an update server over port 80 (HTTP) or port 443 (HTTPS).
• The ISA server is installed in Firewall mode or Integrated mode, which is the default in SBS.
• The Microsoft Firewall Client is properly installed and configured on the client computer.
  
  -OR-
• The client computer is configured to use ISA as its default gateway (Secure-NAT client).
• The Site and Content rules are correctly configured for the sites that you want to access.

There are four different methods that you can use to open access on your ISA server for these connections. Use one of the following methods based on your specific network needs and requirements.

Method 1: Create an Allow Protocol Rule

If your network needs do not dictate the enforcing of rules by limiting users to specific sites, the simplest way to open up access is to create an "Allow All/All/All" rule. However, this type of rule effectively disables any deny rules and limits your ability to restrict users' Internet use on your network, but you may find this rule useful for troubleshooting.

To create an "Allow All/All/All" rule:

1. In ISA Management, click your server to select it.
2. Click to expand Access Policy.
3. Right-click Protocol Rules, and then click New.
4. Create an allow protocol rule, and then click Next.
5. Enable the rule to apply to all IP traffic, and then click Next.
6. Click to select the schedule, and then click Next.
7. Click Any Request, click Next, and then click Finish.

Method 2: Enable Basic Authentication for Outgoing Web Requests

If you want to control access to certain users, and your browser and third-party application allow you to configure a proxy server and support basic authentication, you can enable basic authentication for Outgoing Web Requests:

1. In ISA Management, right-click your server, and then click Properties.
2. On the Outgoing Web Requests tab, click the configured listener that you want to change, and then click Edit.
3. Click Basic authentication, and then select the domain in which the accounts exist that you want to authenticate.

NOTE: this method works only if you can configure your application to use a proxy server and provide credentials for that proxy server.

Method 3: Grant Access to a Specified Computer

To grant access to a specific computer, you have to enable ISA to pass this connection by creating a Client Address Set and a protocol rule that allows the specific protocols from the specific client computers (based on IP address):

1. In ISA Management, right-click your server, and then click Properties.
2. Click to expand Access Policy.
3. Right-click Protocol Rules, and then click New.
4. Create a protocol rule that applies to the specific protocol that you want to allow (such as HTTP) or click All Protocols.
5. Select the schedule for this protocol rule.
6. Click Specific Computers (client address sets) as the client type to which this rule should apply.
7. Create a client address set or use an existing one that contains the clients to which you want to grant access.
8. Click Next, and then click Finish.

To resolve this, create a protocol rule that allows all HTTP and HTTPS traffic for the specific IP address of the computer that is in use.

Method 4: Forward All Requests to the Internet

You can configure the HTTP Redirector Filter to forward all requests directly to the Internet instead of passing them to the Web Proxy. This configuration causes these requests to not utilize the performance gains that are provided by the Web Proxy Cache. To do this:

1. In ISA Management, navigate to Servers and Arrays, Server_name, Extensions
2. Click to expand Extensions, and then click the Application Filters folder.
3. Click Http Redirector Filter, and then click Properties.
4. On the Options tab, click to select the option that you want. For example, if you click Send to requested Web server, this bypasses the Web proxy on your ISA server, which skips the authentication checking.