Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to use a computer that is running ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008 to block transparent HTTP clients without requiring authentication


View products that this article applies to.

Introduction

This article describes how to block transparent HTTP clients without requiring authentication by using Microsoft Internet Security and Acceleration (ISA) Server 2006, Microsoft Internet Security and Acceleration (ISA) Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008. The HTTP protocol makes it possible for Web site authors to put multiple versions of the same information under a single URL. Several computers can connect through a single connection on a computer that is running ISA Server 2006, ISA Server 2004 computer, Microsoft Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server 2008, and it appears that the clients are connecting directly themselves and not connecting through an ISA Server computer. Transparent content negotiation is named "transparent" because it makes all variants that exist on the ISA Server computer visible to the external network.

↑ Back to the top


More information

To create a new policy in ISA Server or in Microsoft Forefront Threat Management Gateway, Medium Business Edition that blocks transparent HTTP clients without requiring authentication, you must create a new protocol in ISA Server, create a new access rule, and then remove the HTTP protocol from the Web Proxy Filter. To do this, follow these steps:
  1. Create a new protocol that is named Transparent HTTP. To do this, follow these steps:
    1. Start the ISA Server Management tool or Microsoft Forefront Threat Management Gateway, Medium Business Edition.
    2. Expand the name of your ISA Server computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition computer name, click Firewall Policy, and then click the Toolbox tab in the right-pane.

      Note For ISA Server Enterprise Edition, expand Arrays, expand Array_Name, and then click Firewall Policy.
    3. In the right-pane, right-click Protocol, and then click New Protocol.
    4. Type a name for the new protocol. Use a descriptive name, such as Transparent HTTP Protocol, and then click Next.
    5. Click New on the Primary Connection Information page.
    6. Under Protocol type, click TCP, and then click Outbound under Direction.
    7. Under Port Range, type 80 in the From box, type 80 in To box, and then click OK.
    8. Click Next, click No on the Secondary Connections page, and then click Next.
    9. Click Finish.
  2. Create a new access rule that denies transparent HTTP traffic from the internal network to the external network. To do this, follow these steps:
    1. In the ISA Server Management Tool, right-click Firewall Policy, point to New, and then click Access Rule.
    2. Type a name for the new access rule. Use a descriptive name, such as Transparent HTTP rule, and then click Next.
    3. Click Deny, and then click Next.
    4. In the This rule applies to list, click Selected Protocols, and then click Add.
    5. Expand User-Defined, click Transparent HTTP Protocol, click Add, and then click Close.
    6. Click Next.
    7. On the Access Rule Sources page, click Add.
    8. Expand Networks, click Internal, click Add, and then click Close.
    9. Click Next.
    10. On the Access Rule Destinations page, click Add.
    11. Expand Networks, click External, click Add, and then click Close.
    12. Click Next.
    13. On the User Sets page, click All Users, and then click Next.
    14. Click Finish.

      Note Put the new access rule before any other rules that permit HTTP traffic.
  3. Remove the HTTP protocol from the Web Proxy filter. To do this, follow these steps:
    1. In the ISA Server Management Tool, click Firewall Policy, and then click the Toolbox tab in the right-pane.
    2. In the right-pane, expand Common Protocols, right-click HTTP, and then click Properties.
    3. Click the Parameters tab.
    4. Under Application Filters, click to clear the Web Proxy Filter check box, and then click OK.

↑ Back to the top


Keywords: KB884505, kbhowto, kbfirewall, kbinfo, kbisa2006swept

↑ Back to the top

Article Info
Article ID : 884505
Revision : 5
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 424