Using the Browser on the ISA Firewall (2004)

Using the Browser on the ISA Firewall (2004)

By Thomas W Shinder MD

Got Questions?
Discuss this article at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=31;t=000005

One of the most popular requests I see on the ISAserver.org Web boards and mailing list is “how do I use the browser on my ISA firewall”. This is a painful question for me to hear. In an ideal firewall security environment, you would never use the Web browser on the firewall.

The ISA firewall should never be used as a workstation, file server, Web server or any other kind of server. It’s a firewall, and the ISA firewall one of the best and most secure firewalls on the market today. Introducing potential exploits through the browser does nothing to enhance the ISA firewall’s security posture.

However, in the real world of network computing, things don’t always work the way security wonks want them to. When we move out of the “clean room” environment most security experts live in, we see that firewall admins want to use the browser on the ISA firewall for a number of reasons. It might be to visit the Windows Update site, download scripts to the ISA firewall, or any number of other reasons.

Get the New Book!

This article will explain how to configure the ISA firewall to support Web browser from the ISA firewall machine. However, before I continue, I want to make my official stateful on this subject:

Never use the Web browser or any other client application from the ISA firewall. Using client applications on the ISA firewall significantly reduces the overall security posture of the ISA firewall and can have potentially adverse effects not only on the ISA firewall, but on your entire network infrastructure

.

The default ISA firewall configuration includes a System Policy allowing to you visit a list of trusted sites. You can view the ISA firewall’s System Policy by opening the Microsoft Internet Security and Acceleration Server 2004 management console, expanding the server name, and clicking on the Firewall Policy node. In the Task Pane, click the Tasks tab. In the list of System Policy Tasks, click the Show System Policy Rules.

Note:

Firewall System Policy controls traffic originating from the ISA firewall and terminating at the ISA firewall. System Policy does not control traffic moving through the ISA firewall. You must use Access Rules and Publishing Rules to control traffic moving through the ISA firewall.

You’ll see that the System Policy rules are listed before the Firewall Policy Rules. This means that these rules are processed before any Firewall Policies you create yourself. There are two System Policy Rules that allow the ISA firewall to connect to the Web:

  • Allow HTTP/HTTPS requests from ISA Server to specified site (System Policy Rule #17)
  • Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites (System Policy Rule #23)

System Policy Rule #17 allows connections from the ISA firewall to the System Policy Allowed Sites Domain Name Set. The following sites are included by default:

  • *.microsoft.com
  • *.windows.com
  • *.windowsupdate.com
  • This rule allows the ISA firewall to connect to resources anywhere on the Microsoft Web site, including the Windows Update Site. This rule is useful even when the browser isn’t used, as the automatic updating mechanism included in the base operating system can use this System Policy Rule to download updates from the Microsoft Web sites.

    System Policy Rule #23 allows the ISA firewall to send error information to the sites listed in the Microsoft Error Reporting sites Domain Name group. The default entries in this group include:

  • *.watson.microsoft.com
  • watson.microsoft.com
  • When an application crashes or there is some other error on the ISA firewall, the ISA firewall can use this rule to connect to the error reporting sites to upload information. You can also use the browser to get to these sites.

    Your connection attempt will be denied if you try to go to any site not allowed by these two System Policy Rules. If you want to visit any other site, you must add the sites to the Domain Name Sets included in the System Policy Rules or create a Firewall Policy enabling access to the sites you want to visit.

    The easiest way to do this to allow create an Access Rule allowing HTTP and HTTPS access from the Local Host Network to the External Network. The less easy way, but more secure method, is to enable the Web Proxy listener on the Local Host Network, create an Access Rule allowing the Local Host Network to use HTTP and HTTPS to connect to the Internet, and configure the Web browser as a Web Proxy client.

    Let’s take a look at the easy way first, then we’ll go over the less easy, but more secure, method.

    Get the New Book!

    Method 1: Less Secure Method

    All you need to do with the less secure method is create an Access Rule allowing outbound access to HTTP/HTTPS from the Local Host Network to the Internet. This method doesn’t expose the connection request to the Web Proxy filter unless the Web Proxy filter is enabled. Many ISA firewall administrators are unbinding the Web Proxy filter from the HTTP protocol so that they can simplify the process of Direct Access. I routinely do this in my ISA firewall environments, although it is not absolutely required nor is it recommended unless you have a specific reason for doing so.

    I can do this because I demand that all Windows clients are configured as both Firewall and Web Proxy clients. If the company wants a firewall, they want security, so they’ll take advantage of the high-security technologies the ISA firewall provides. If they want to cross their fingers and hope to be lucky, then they’ll use PIX packet filter or Sonicwall NAT server, not an ISA firewall.

    For more information on unbinding the Web Proxy filter from the HTTP protocol, check out the this KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;838368.

    However, even if the Web Proxy filter is bound to the HTTP protocol, the logged on user will not be able to send credentials to the ISA firewall for the connection request. The reason for this is that this setup does not support the Web Proxy client configuration (you need to enable the Web listener on the Local Host Network in order to support the Web Proxy client configure for the browser on the ISA firewall) and you cannot install the Firewall client on the ISA firewall itself. Using this method, you must allow anonymous connections from the ISA firewall’s browser to the Internet.

    Perform the following steps to create the Access Rule:

    1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and click the Firewall Policy node. In the Task Pane, click the Tasks tab.
    2. On the Tasks tab, click the Create a New Access Rule link.
    3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule. In this example we’ll name the rule Less Secure Method ISA Firewall to Web. Click Next.
    4. On the Rule Action page, select the Allow option and click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
    6. In the Add Protocols dialog box, click the Common Protocols folder. Double click the HTTP and HTTPS protocols. Click Close.
    7. Click Next on the Protocols page.
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, click the Networks folder and double click the Local Host network. Click Close.
    10. Click Next on the Access Rule Sources page.
    11. On the Access Rule Destinations page, click the Add button.
    12. Click the Networks folder and double click the External network. Click Close.
    13. Click Next on the Access Rule Destinations page.
    14. On the User Sets page, accept the default entry All Users and click Next.
    15. Click Finish on the Completing the New Access Rule Wizard page.
    16. Click Apply to save the changes and update the firewall policy.
    17. Click OK in the Apply New Configuration dialog box.
    18. Test the configuration by opening the Web browser on the ISA firewall. Visit www.isaserver.org. The connection is successful.

      Get the New Book!

    Method 2: The Secure Method

    A more secure method for allowing outbound access from the ISA firewall to the Internet using the Web browser is to require authentication. The logged on user must authenticate to use the Web and that user’s actions are logged. I consider any anonymous access outbound or inbound a potential security issue. That’s true even when the communications are sourcing from the ISA firewall itself. That’s why the ISA firewall is a critical network resource: all communications are logged with a user name and application. No other firewall currently provides this security for all TCP and UDP protocols and does so transparently.

    In order to control access on a per user basis when using the browser on the ISA firewall, you must enable the Web Proxy listener on the Local Host network and then configure the browser to be a Web Proxy client. The Web listener accepts outgoing Web request from browsers configured as Web Proxy clients.

    Perform the following steps to enable the Web listener on the Local Host network:

    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.
    2. On the Networks node, click the Networks tab in the Details pane. On the Networks tab, right click the Local Host network and click Properties.
    3. In the Local Host Properties dialog box, click the Web Proxy tab.
    4. On the Web Proxy tab, put a checkmark in the Enable Web Proxy clients checkbox. Leave the default HTTP port at 8080. Do not enable the Enable SSL checkbox. Click Apply and then click OK.

    1. Click Apply to save the changes and update the firewall policy.
    2. Click OK in the Apply New Configuration dialog box.

    The next step is to configure the browser as a Web Proxy client:

    1. Right click the Internet Explorer icon on the desktop and click Properties.
    2. In the Internet Properties dialog box, click the Connections tab.
    3. On the Connections tab, click the LAN Settings button.
    4. In the Local Area Network (LAN) Settings dialog box, remove the checkmarks from the Automatically detect settings and Use automatic configuration script checkboxes. Put a checkmark in the Use a proxy server for your LAN checkbox. In the Address text box, enter Localhost. In the Port text box, enter 8080. Click OK in the Local Area Network (LAN) Settings dialog box.
    5. Click OK in the Internet Properties dialog box.

    The last step is to create and Access Rule that allows outbound access to the Internet from the Local Host network to the Internet using the HTTP and HTTPS protocols. We could create the new Access Rule from scratch, or we can modify the rule we already created. Let’s modify the rule we created earlier:

    1. In the Microsoft Internet Security and Acceleration Server 2004 management console on the Firewall Policy node, double click the Less Secure Method ISA Firewall to Web Access Rule.
    2. In the Less Secure Method ISA Firewall to Web Properties dialog box, click the General tab. In the Name text box, rename the rule to Secure Method ISA Firewall to Web. Click Apply.
    3. Click the Users tab. On the Users tab, click the All Users entry and click Remove. Click the Add button.
    4. In the Add Users dialog box, double click the All Authenticated Users entry and click Close.
    5. Click Apply and then click OK.

    1. Click Apply to save the changes and update the firewall policy.
    2. Click OK in the Apply New Configuration dialog box.
    3. Your Access Rule should look like the figure below.

    1. Open the Web browser and visit the http://forums.isaserver.org Web site and read some of the questions and answers.
    2. If you check the log file entries for this communication, you’ll see the connections to the ISAserver.org forums are authenticated. Notice the Client IP address. The client IP address indicates that the local host connected to the Web via the Web Proxy listener. You can also see the connections to the Web Proxy listener where the Destination Port is 8080.

    Summary

    In this article we discussed the risks of using the Web browser on the ISA firewall. However, we acknowledged that not all ISA firewall administrators are going to use best security practices and they will end up using the browser on the ISA firewall at one time or another. We discussed two methods you can use to allow browser access on the ISA firewall: an authenticated method (secure) and unauthenticated method (not secure).

    Get the New Book!

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=31;t=000005 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

    If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.

    Leave a Comment

    Your email address will not be published.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Scroll to Top