Providing Branch Office Access to the ISA 2006 Firewall’s Web Proxy Listener
The ISA firewall is a stateful packet and application layer inspection firewall. One of the ISA firewall’s most popular application layer inspection extensions is its Web proxy filter. The Web proxy filter enables the ISA firewall to act as a Web proxy device. Web proxy devices (or servers) allow computers with Web browsers and other Web proxy-enabled applications to use the ISA firewall’s Web proxy to access the Internet.
The ISA firewall’s Web proxy filter enables you to:
- Control what sites users can access on the Internet
- Filter out viruses and worms from Web (HTTP) downloads
- Force authentication before allowing access to the Internet
- Provide comprehensive logging and reporting for what sites and content users access
- Report on all sites a user has accessed at any point in time
- Accelerate the end user Web browsing experience by providing content from its Web proxy cache
In most deployments, the ISA firewall provides Web proxy services to computers on the corporate network. Corporate network administrators configure managed computers on the network to use the ISA firewall as their Web proxy for outbound Web access. This is sometimes referred to as forward proxy. The ISA firewall’s Web proxy filter also enables external users to access Web servers, such as Outlook Web Access (OWA), OMA, ActiveSync and SharePoint servers, on the corporate network. This is often referred to as reverse proxy or Web publishing.
Although the typical forward proxy scenario has internal network clients accessing the Internet through the ISA firewall, it is possible to allow machines located on an external network to access the ISA firewall for forward proxy.
For example, suppose you have a company that uses an ISA firewall at the main office. This company has six branch offices with 10-30 computers located at each branch office. Because each branch office has so few users, corporate IT has decided to use a simple NAT device to provide Internet access for each branch office.
The simple NAT devices do not support L2TP/IPSec site to site VPN connections, so corporate IT will not use site to site VPN connections. IPSec tunnel mode site to site VPN connections are relatively insecure because of the weak authentication support for IPSec tunnel mode, and therefore IPSec tunnel mode is banned.
In addition, they do not want to allow remote access VPN connections from each individual host at each office because of the administrative overhead.
Corporate IT does want some method to control and log Web site access for users at the branch offices in the same way that they control and log access for users at the main office. They can accomplish this goal by publishing the Web proxy listener on the main office ISA firewall and configuring the browsers at the branch offices to use, as their proxy, the IP address on the external interface of the main office ISA firewall that publishes its Web proxy listener. Web browsers at the branch offices can be configured manually, or via automated methods such as WPAD or IEAK.
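The WPAD/PAC script below is an added example, not configuration from the article; it assumes 203.0.113.10 as a placeholder for the address on the main office ISA firewall’s external interface that publishes the Web proxy listener, and corp.example as a placeholder internal DNS suffix. It uses plain JavaScript instead of the PAC helper functions (isInNet, dnsDomainIs) so the routing decisions can be exercised outside a browser.

```javascript
// Added example PAC (proxy auto-config) script for branch office browsers.
// 203.0.113.10 is a PLACEHOLDER for the external interface address of the
// main office ISA firewall; port 8080 is the published Web proxy listener.
// corp.example is a PLACEHOLDER internal DNS suffix.
var ISA_WEB_PROXY = "PROXY 203.0.113.10:8080";

// The Web proxy filter handles only HTTP, HTTPS and (HTTP-tunneled) FTP.
// Other URL schemes cannot be serviced by the listener at all.
function isProxiedScheme(url) {
  return /^(http|https|ftp):\/\//i.test(url);
}

// Hosts on the branch LAN itself (unqualified names, the internal DNS suffix,
// RFC 1918 addresses) are reached directly through the branch NAT device;
// sending them to the main office proxy would fail or loop traffic needlessly.
function isLocalHost(host) {
  var h = host.toLowerCase();
  if (h.indexOf(".") === -1) return true;             // unqualified name
  if (/\.corp\.example$/.test(h)) return true;        // internal DNS suffix
  if (/^10\./.test(h)) return true;                   // 10.0.0.0/8
  if (/^192\.168\./.test(h)) return true;             // 192.168.0.0/16
  if (/^172\.(1[6-9]|2\d|3[01])\./.test(h)) return true; // 172.16.0.0/12
  return false;
}

// Entry point the browser calls for every request.
// Deliberately no "; DIRECT" fallback after the proxy: if the published
// listener is unreachable, Internet browsing should fail rather than silently
// bypass the control and logging corporate IT put the proxy there for.
function FindProxyForURL(url, host) {
  if (!isProxiedScheme(url)) return "DIRECT";
  if (isLocalHost(host)) return "DIRECT";
  return ISA_WEB_PROXY;
}
```

Serve the script as wpad.dat from a host named wpad in the branch’s DNS suffix (or point browsers at it explicitly) so WPAD-enabled browsers pick it up.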
Publishing the Web Proxy Listener
Publishing the Web proxy listener is easy. The process includes:
- Configuring the Web proxy listener to force authentication
- Creating the Protocol Definition and Server Publishing Rule
- Creating the Access Rule to allow connections to the Internet
Configure the Web proxy Listener to Force Authentication
The first step is to configure the Web proxy listener to force authentication before allowing connections to itself and subsequently to the Internet. Because this Web listener will be accessible to anyone on the Internet, you want to make sure that no anonymous connections are allowed to use the Web listener. Anonymous Web proxies can be abused and open your company up to potential litigation or worse.
If you don’t want to force authentication on the Web listener, another option is to configure the Server Publishing Rule that publishes the Web proxy listener so that only a limited set of IP addresses are allowed to use the Server Publishing Rule. You can use this option if the branch offices have static or relatively predictable IP addresses. You will not be able to use this option if the branch offices do not use static addresses, because Server Publishing Rules do not allow you to control access based on the FQDN of the remote client. We’ll go over these issues in more detail when we create the Server Publishing Rule.
Open the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Networks node and then double click the Internal entry on the Networks tab in the middle pane of the console.
In the Internal Properties dialog box, click the Web Proxy tab. On the Web Proxy tab, put a checkmark in the Enable Web Proxy clients checkbox. Put a checkmark in the Enable HTTP checkbox and leave the HTTP port value as 8080.
Click the Authentication button. In the Authentication dialog box, you’ll notice that the default authentication protocol is Integrated. You will want to use Integrated authentication for your remote clients connecting to your Web proxy listener because you cannot use SSL to encrypt user credentials when logging into the ISA firewall through the Web proxy listener. This is not a limitation of the ISA firewall, because the ISA firewall can be configured with an SSL Web listener. The problem is that there are no browsers available at this time that support the Web proxy client using an SSL secured connection to the Web proxy server.
None of the other authentication options are secure enough to use over the Internet except for SSL certificate. We won’t discuss the SSL certificate option in this article, but it’s an option well worth investigating in a future article to see if the Web browser will provide a User Certificate to the ISA Firewall to provide more secure browsing from a remote client.
Put a checkmark in the Require all users to authenticate checkbox. When this option is enabled, the Web proxy listener will force users to authenticate before the ISA firewall even gets to the point of evaluating Firewall Policy to determine which sites the users may access. This protects against situations where you or an assistant may have inadvertently configured an anonymous access rule that would allow unauthenticated users access to the Internet through the Web proxy listener.
A dialog box will appear informing you of limitations you will encounter when you force authentication at the Web listener. The problems are potentially quite serious and you need to consider these side effects before you force authentication at the Web listener. The only other option you have is to make sure that all Access Rules you create require authentication. If you trust yourself to do that, then you are not required to force authentication at the Web listener.
One drawback of Integrated authentication is that both the ISA firewall and the user machines must be members of the same domain, or you must mirror the local user accounts on the ISA firewall or in the target domain in which the ISA Firewall participates.
For example, if the branch office computers are not domain members, you must have the user name and password information for all the users at each branch office and create accounts on the ISA firewall’s local SAM that mirror those user accounts or mirror those accounts in the main office Active Directory domain. This can lead to significant administrative overhead, depending on how you enforce password change policy for branch office users.
Click OK to save the changes in the Authentication dialog box.
Click OK to save the changes in the Internal Properties dialog box.
Keep in mind that the Internal Web listener is also the one that will be used by the Web proxy clients on the corporate network. Integrated authentication isn’t a problem on the corporate network when the ISA firewall is a domain member because all clients are also domain members, and this enables transparent authentication. There is no need to mirror user accounts because the domain member ISA firewall authenticates domain members against an Active Directory domain controller.
Creating the Protocol Definition and Server Publishing Rule
A Server Publishing Rule allows the ISA firewall to accept incoming connections to a specific IP address and port on its external interface and forward those connections to another IP address and port. In our example of publishing the Web proxy listener, we want the ISA firewall to listen on an IP address on its external interface using TCP port 8080 and forward the connection request to TCP port 8080 on the IP address used on the internal interface of the ISA firewall.
However, before we can create a Server Publishing Rule that publishes the Web proxy listener on the internal interface of the ISA firewall, we need to create a Protocol Definition that defines the protocol that we want to forward. In this case, we want to create a Protocol Definition for inbound TCP port 8080 connections.
Create the Web Proxy Protocol Definition
In the ISA firewall console, expand the server name and then click the Firewall Policy node. Click the Toolbox tab on the Task Pane and then click the Protocols heading. This will expand the list of protocol groups. Click the New menu and then click Protocol.
On the Welcome to the New Protocol Definition Wizard page, enter Web proxy in the Protocol Definition name text box and click Next.
On the Primary Connection Information page, click the New button.
In the New/Edit Protocol Connection dialog box, set the Protocol type to TCP. Set the Direction as Inbound. In the Port range frame, set the From and To values to 8080. Click OK.
Click Next on the Primary Connection Information page and click Next on the Secondary Connections page.
Click Finish on the Completing the New Protocol Definition Wizard page.
Click Apply to save the changes and update the firewall policy and click OK in the Apply New Configuration dialog box.
When you click on the User Defined protocols folder you’ll see the new Web proxy Protocol Definition you created in the list.
Create the Server Publishing Rule
Now with the Protocol Definition in place, we can create the Server Publishing Rule. We’ll begin by using the New Server Publishing Rule Wizard and then we’ll look at the details of the rule and make some changes to support our scenario.
In the ISA firewall console, expand the server name and then click the Firewall Policy node. Click the Tasks tab in the Task Pane and then click the Create a New Server Publishing Rule link.
On the Welcome to the New Server Publishing Rule page, enter Publish Web Proxy Listener in the Server Publishing Rule name text box and click Next.
On the Select Server page you enter the IP address on the internal interface of the ISA firewall. Click Next after entering that address.
On the Select Protocol page, select the Web proxy protocol from the Selected protocol list. This is the protocol you created when you created the Web proxy Protocol Definition. Click Next.
Figure 7: Selecting the network protocol to redirect
On the IP Addresses page, put a checkmark in the External checkbox and click Next.
Click Finish on the Completing the New Server Publishing Rule Wizard page.
We need to make a change to the Server Publishing Rule, so double click the Publish Web Proxy Listener firewall policy entry. In the Publish Web Proxy Listener Properties dialog box, click the To tab.
On the To tab, select the Request appear to come from the ISA Server computer option.
We need to do this because the ISA firewall’s Web proxy listener will not accept requests from source IP addresses that are not on the same ISA firewall Network that the Web listener is listening on.
Since the Web proxy listener is listening for connections coming from the default Internal Network in this example, the source IP address must be one included in the definition of the default Internal Network. We can accomplish that goal by having the ISA firewall itself stand in for the original external client, so the request reaches the listener with a source address that belongs to the Internal Network.
Click on the From tab.
Notice the default is to allow connections from Anywhere. Although this might seem to imply that the ISA firewall will allow connections from anywhere for the Server Publishing Rule, it actually allows connections only from anywhere on the Network that the rule’s listener is listening on. In this example we configured the listener to listen on the External Network, so only requests from the default External Network will be serviced by this listener.
You have the option to limit what machines can connect via the Server Publishing Rule by removing the Anywhere entry and clicking the Add button.
This will bring up the Add Network Entities dialog box. Here you can select a Network Element or create a new one and allow only that Network Element access to the Server Publishing Rule that allows access to the Web listener. You can create a new Network Element using the New menu.
For the scenario discussed at the beginning of the article, you can create a Computer Network Element for the IP address on the external interface of each branch office NAT device and allow only those IP addresses access to the Server Publishing Rule.
Creating the Access Rule to Allow Connections to the Internet
The listener and the Server Publishing Rule are now ready to support remote use of the Web proxy listener. However, no traffic will move through that interface until there is an Access Rule allowing traffic through the Web proxy listener.
The Web proxy filter supports only three protocols:
- HTTP
- HTTPS (SSL)
- HTTP tunneled FTP (FTP communications are tunneled in an HTTP header from the Web proxy client to the Web proxy listener and then detunneled at the ISA firewall and sent to the FTP server)
Any firewall policy we create must be limited to one or more of these three protocols. We will create an Access Rule that allows all authenticated users access to HTTP, HTTPS (SSL) and FTP.
Create the Access Rule
In the ISA firewall console, expand the server name and then click the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
On the Welcome to the New Access Rule Wizard page, enter Web Protocols to Internet and click Next.
Select the Allow option on the Rule Action page and click Next.
On the Protocols page, select the Selected protocols option from the This rule applies to list and then click the Add button.
In the Add Protocols dialog box, click the Web folder and then double click on the FTP, HTTP and HTTPS protocols and then click Close.
Click Next on the Protocols page.
On the Access Rule Sources page, click the Add button.
In the Add Network Entities dialog box, click the Networks folder and then double click on the Internal network. Click Close.
Click Next on the Access Rule Sources page.
On the Access Rule Destinations page, click Add.
In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close. Click Next on the Access Rule Destinations page.
On the User Sets page, click the All Users entry and click Remove. We don’t want to allow anonymous connections to the Internet through the ISA firewall, so we must remove the All Users entry. Click the Add button.
In the Add Users dialog box, double click the All Authenticated Users entry and click Close. Click Next on the User Sets page.
Click Finish on the Completing the New Access Rule Wizard page.
At this point remote users and users on the default Internal network will be able to access all Web sites as long as they successfully authenticate.
Web proxy devices can provide secure connections to machines configured as Web proxy clients. The ISA firewall includes a Web proxy filter, which enables it to act as a Web proxy server. The Web proxy filter uses a Web proxy listener to accept connections from Web browsers configured as Web proxy clients. Web proxy clients connecting from the corporate network to the Internet use the Web proxy server as a forward Web proxy. In some circumstances, such as a branch office scenario, you might want to enable the ISA firewall’s Web proxy listener to accept connections from remote hosts.
You can configure the ISA firewall to support remote host connections to its Web proxy listener by creating a Web proxy Protocol Definition, Server Publishing Rule and Access Rule to support these connections. This article provided detailed instructions on how to carry out these configuration requirements.