How to use ISA Server Packet Filters.

ISA Server uses packet filtering to control inbound and outbound access to and from the external interface of the ISA Server. Packet filtering is the ISA Server’s first line of defense against inbound attack. The ISA packet filtering feature supplements the RRAS packet filtering. If you have RRAS packet filtering enabled, you should not use it to control inbound and outbound access to and from the external interface of the ISA Server.

In order for packet filtering to work, it has to be enabled. Perform the following steps to see if packet filtering is enabled on the ISA Server:

Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder

  1. Right click on the IP Packet Filters node in the left pane of the ISA Server Management console and click Properties.

  2. On the General tab put a checkmark in the Enable packet filtering checkbox to activate packet filtering.

  3. While you’re there, you might want to enable IP Routing, if you wish internal SecureNAT clients to have access to non-TCP/UDP protocols such as ICMP and GRE.

Packet Filtering is only available when you are running the Firewall Service. The Firewall Service is present when you install ISA Server in either Integrated or Firewall only mode. If you install ISA Server in Cache mode only, you will not be able to implement packet filtering.

You can find the ISA Server Mode right clicking on your server name in the left pane of the ISA Management console and clicking the Properties command. You’ll see the Mode in the General tab.

When should I enable packet filtering and when do I create packet filters?

You should enable packet filtering in the following situations:

  • When the ISA Server is at the edge of the network
  • When you configure a trihomed ISA Server
  • When you need to run services and applications on the ISA Server

ISA Server at the Edge of the Network

When you enable packet filtering, ISA Server closes off all ports on the external interface that do not have a packet filter explicitly created to allow inbound and/or outbound access. If you have packet filtering enabled and you have no packet filters, then there will be no inbound or outbound access unless you have created Protocol or Publishing rules.

Note that the absence of packet filters does not prevent inbound or outbound access to and from the internal network. You should always use Protocol Rules to allow outbound access to external network resource for internal network clients. You should Web Publishing and Server Publishing Rules to allow inbound access from external network clients to internal network servers.

Packet filtering should always been enabled when the ISA Server is at the edge of the network. When the ISA Server has an interface on the Internet, you can make sure that no ports have been opened inadvertently by enabling packet filtering. By default, the only traffic that is allowed when packet filtering is enabled are some ICMP packets required for basic network management, and a DNS filter that allows the ISA Server to make DNS queries on the behalf of Web Proxy and Firewall clients on the internal network.

Packet Filtering for DMZ Servers

If you create a trihomed ISA Server with a DMZ segment, you need to enable packet filtering and configure packet filters. Traffic to and from the DMZ segment is controlled by packet filters. If there is no filter that allows traffic into or out of the DMZ, then the traffic will be blocked at the external interface of the ISA Server.

A special note regarding the configuration of the packet filters for the DMZ segment.
A few people have commented to me that when they configure a filter to allow All IP Traffic to and from the trihomed DMZ segment, that it does not work. That is true. You must create individual packet filters to move traffic into and out of the DMZ segment. However, ISA Server does create dynamic packet filters so you do not have to create filters for response ports.

Packet Filtering for Services and App’s on the ISA Server

Services and Applications running on the ISA Server require packet filters. For example, if you want to run a mail client use as Outlook Express on the ISA Server itself, you must create a packet filter for outbound access to TCP Port 25 and TCP Port 110 at a minimal in order to allow access to external SMTP and POP3 servers. You can add other packet filters such as TCP 119 for NNTP or TCP 143 for IMAP access.

An exception is when you configure the web browser running on the ISA Server itself. In this case, you can configure the web browser to be a Web Proxy client. In this way, you can get around creating a packet filter for outbound HTTP.

Be careful about your web proxy configuration on the Web Browser if you are using a dial-up connection. The Web Proxy client configuration for the web browser on an ISA Server using a dial-up connection is difference than the configuration for ISA Server’s using a dedicated connection. Check my article regarding this issue.

When Should I Not Create Packet Filters?

Packet filters should not be used for the following purposes:

  • To control inbound access to internal network servers
  • To control outbound access from ISA Server clients

I find that a lot of people posting on the message boards claim that they must create packet filters to make their access policies work correctly. This is not the case in the vast majority of cases. However, there are some special circumstances where you need to configure Packet Filters instead of Protocol Rules to support outbound access.

Packet Filters and Inbound Access Control

Access to servers on the internal network is accomplished by using either Server Publishing or Web Publishing rules. These rules allow you to “publish” servers to external network users. When you create the publishing rules, ISA Server will open the ports required to allow access to the internal servers.

There is a misconception that you need to manually enable packet filters for Server Publishing or Web Publishing Rules to work. This is not true. You can confirm that the Publishing Rule has opened up the port by running the command:

netstat –na

In the output, scroll to the entries for the external interface of the ISA Server and see what ports it is listening on. You should see the Port for the service that you published. If you don’t see this port opened, there may have been a server publishing failure.

You can use the following command to help you find a port of interest more quickly:

netstat –na | find “:25”

Replace the 25 with the port number you are looking for in the print out.

Packet Filters and Outbound Access Control

Outbound Access Control for ISA Server clients should be done with Protocol Rules and Site and Content Rules. However, only the Protocol Rules have influence on protocol access, since Site and Content rules are focused only on site names.

When you create a Protocol Rule, ISA Server will allow inbound and outbound access to ports specified in the rule. You should never need to create packet filters to support your Protocol Rules. If the Protocol Rule is not working, then you should check for other factors that may be causing this situation.

The only exception to the above is when you need to allow outbound access to non-TCP/UDP protocols. Protocol Rules are based on Protocol Definitions. You can only create Protocol Definitions for TCP and UDP based protocols. Therefore, if you need to allow outbound access to protocols such as ICMP or GRE, you must create packet filters to allow SecureNAT clients outbound access to these non-TCP/UDP protocols.

Keep in mind that while you can allow SecureNAT clients to access these non-TCP/UDP protocols using packet filters, you cannot apply access controls. For example, if you enable outbound PPTP through the ISA Server, ALL SecureNAT clients will have access to outbound PPTP. The same is true for ICMP based protocols, such as PING. All SecureNAT clients will have access to outbound ICMP and PING.

Something to keep in mind regarding Protocol Rules is that if you enable a rule that allows “All IP Traffic, it will work differently depending on what type of client is accessing that rule. Firewall Client computers will have outbound access to all TCP/UDP ports, but SecureNAT clients only have access to the protocols that are specified in the Protocol Defintions that are configured in the ISA Server.


Packet filters are used to control inbound and outbound access on the external interface of the ISA Server. When packet filtering is enabled, a packet filter, Protocol Rule or Publishing Rule must exist in order to allow traffic into and out of the ISA Server.

Packet filtering should be enabled when the ISA Server is on the edge of the network. You should also enable packet filter when you create a Trihomed DMZ, since you must use packet filters to control inbound and outbound access to and from the DMZ segment. Packet filters are also used to allow applications and services on the ISA Server itself to work properly.

You should not use packet filters instead of, or to support, Protocol Rules and Publishing Rules. The Rules themselves will allow inbound and outbound access required to open the ports specified in the rules.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top