ISA Server can support three client types: SecureNAT, Web Proxy and Firewall. How well it supports them depends on the infrastructure you provide for ISA to work within. Since ISA operates in conjunction with Windows 2000, you should provide both internal and external DNS servers. That way, ISA can use its preferred name resolution method for all names, and both it and its clients will be all the happier for it. DNS options for ISA Server are outlined in this article.
If you’re looking for a tutorial on how to set up the ISA server before you install ISA, then you want this article.
Note: all screen shots in this article are made using the ISA Management MMC in Advanced mode.
ISA Operating Modes:
ISA Server Configuration:
By default, ISA enables the proxy service on all of the ISA internal IPs at port 8080 (including 127.0.0.1, the localhost IP), regardless of operating mode (Firewall, Integrated, Cache). That port is used because the ISA Auto Discovery functionality operates at port 80 on all of the ISA internal IPs. To disable the Outgoing Web Requests listener, simply select Configure listeners individually per IP address and don’t select any IPs to listen on.
If you don’t need or want Auto Discovery, then just uncheck Publish automatic discovery information. That will free up port 80 on the internal IPs.
The setting we’re interested in is “Enable IP routing”. By enabling this, we allow ISA to use “kernel mode data pumping” to pass traffic. This is explained in KB article Q297347.
Here, we can decide how SecureNAT and Firewall client web requests are handled. If you want to force all users through the Web proxy service, then Redirect to local Web Proxy service is your desired choice. You’ll notice that this option also provides us the ability to allow bypassing the Web proxy service should it be unresponsive. This has the benefit of allowing SecureNAT and Firewall clients to still reach the Internet, but it also allows them to bypass the Web Proxy filtering.
The values are displayed in hexadecimal, but the Windows Calculator can convert them for you if you set it to “scientific” mode. What they translate to is a default DNS cache of 3K bytes each that allows each record to live for 21,600 seconds (6 hours). While this may seem like an efficient way to make Internet name resolution really zippy for the Web and Firewall clients, it’s also a great way to lock them into some bad data for a very long time: if a record changes upstream, ISA keeps handing out the old answer until its own 6-hour lifetime runs out, whatever TTL the authoritative server set. Plus, a “DNS server” that fails to observe the record TTL is not RFC-compliant.
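To make that consequence concrete, here is an added example (not code from the article or from ISA Server) that simulates a positive DNS cache under the two policies: honouring each record’s own TTL versus the fixed 21,600-second lifetime described above. The record, its 300-second TTL and the moment the authoritative zone changes are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Cache lifetime the article derives from the registry values: 21,600 s (6 h).
FIXED_CACHE_TTL = 21_600


@dataclass
class Record:
    """One A record as it arrives in a DNS response (constructed data)."""
    name: str
    address: str
    ttl: int  # TTL carried in the response, in seconds


class DnsCache:
    """Minimal positive cache. fixed_ttl=None honours each record's own TTL
    (the RFC 1035 behaviour); fixed_ttl=N keeps every entry for N seconds
    regardless of the record TTL, which is what the article warns about."""

    def __init__(self, fixed_ttl: Optional[int] = None):
        self.fixed_ttl = fixed_ttl
        self._entries: dict[str, tuple[str, int]] = {}  # name -> (addr, expires_at)

    def store(self, rec: Record, now: int) -> None:
        life = rec.ttl if self.fixed_ttl is None else self.fixed_ttl
        self._entries[rec.name] = (rec.address, now + life)

    def lookup(self, name: str, now: int) -> Optional[str]:
        entry = self._entries.get(name)
        if entry is None or now >= entry[1]:
            return None  # miss or expired: the resolver must query again
        return entry[0]

    def expires_at(self, name: str) -> int:
        return self._entries[name][1]


def stale_seconds(cache: DnsCache, rec: Record, t_change: int) -> int:
    """Cache rec at t=0; the authoritative zone changes at t_change.
    Return how many seconds after that change the cache keeps answering
    with the old address."""
    cache.store(rec, now=0)
    return max(0, cache.expires_at(rec.name) - t_change)


def compare(rec: Record, t_change: int) -> dict:
    """Staleness window under both policies for the same record."""
    return {"honours_ttl": stale_seconds(DnsCache(), rec, t_change),
            "fixed_6h": stale_seconds(DnsCache(FIXED_CACHE_TTL), rec, t_change)}


if __name__ == "__main__":
    rec = Record("www.example.com", "192.0.2.10", ttl=300)  # constructed
    print(compare(rec, t_change=60))  # stale 240 s vs 21,540 s
```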
I hope you’ve found this article both informative and useful. If you have any comments or criticism, please direct them to me.