Understanding ISA’s Services.


As a fundamental part of ISA it is crucial that you as an administrator understand the principles of how the ISA services work with each other, and how they interoperate with the clients that attach to them.

I have drawn up a diagram and written about how these services interact with each other to give you a better understanding of how these services function within ISA.


1.  All requests to an ISA server are filtered by the packet filters.

2.  Secure NAT requests are sent to the NAT protocol driver and then to the Firewall service where it will pass though the rule engine.

NOTE: Secure NAT clients do not send authentication information.

3.  Firewall client requests are sent to the Firewall service, if this is a HTTP request the HTTP redirector will pass this onto the Web proxy service.

4.  All HTTP/S FTP and gopher requests are sent to the Web proxy service.

The services are outlined bellow.


ISA Control Service (MSPADMIN.EXE)

The ISA control service manipulates these ISA functions:

1.  IP packet filters, when you enable, open and log the filters.

2.  Producing alerts and running actions associated with that alert.

3.   Synchronizing each ISA server with the array.

4.   Updating client configuration files (msplat.txt and mspclnt.ini) and deletes any unused log files.

5.  Restarting other ISA services when certain changes are made through ISA Management.

To stop the service, type the following at a command line:

Net stop mspadmin

If you stop the ISA Server Control Service, all the other ISA Server services will also be stopped.


Scheduled Cache Content Download Service (W3PREFCH.EXE)

1.  This service enables you to pre-download HTTP content into ISA Server cache, on request or if scheduled, this can be content that you anticipate your users will request from the Internet.

2.  You can configure which content ISA Server should pre-cache, and schedule when the content should be cached. This makes content available from the cache rather than from the Internet.

3.  Use this service to schedule downloads of HTTP files from a Web site to a local cache. You can download an entire Web site if you specify to do so.

Note:  Websites containing pop-up scripts, cookies or offers of language packs installation, cannot be downloaded.


HTTP redirector filter

This filter allows Firewall and Secure NAT clients to benefit from the ISA caching features, when the HTTP redirector is enabled (This is done by Default).This service redirects HTTP request sent to other services to the Web proxy service.


NAT protocol driver

Note: It is not recommended running RRAS on the ISA server as it will conflict with this driver.

This driver allows client on the private network to access internet resources. These can be the client with private IP addresses discussed in RFC 1597. When a client is connecting to a resource on the internet the request is sent to this driver, the packet header is changed to the external interface of the ISA server and the ISA server retrieves the resource on behalf of the client.


Firewall Service(FWSRV.EXE)

1.  The Firewall service is a circuit-level proxy for Winsock applications.

2.  The ISA Firewall service gives Winsock client applications the ability to perform as if they were directly connected to the Internet.

3.  If the HTTP redirector is set to (“default” no one has configured it) then the HTTP requests are sent to the Web proxy service and caching can be used.

4.  The Firewall service runs as a stand-alone service on W2k if installed as firewall mode. Note: if you installed ISA in firewall mode ISA Server does not maintain a cache.

5.  It establishes gateway connections between the Winsock applications on the client and the Internet host. The LAN remains secure, because communication is channeled through ISA.

6.  The Firewall service can be enhanced by using application filters.

7.  The Firewall client captures API calls from the Winsock applications and redirects it to the Firewall service, which makes the actual call.

8.  The control channel manages remote Winsock messages and delivers the LAT to the firewall client. It also establishes TCP connections from the client to ISA and this channel is used to build the virtual connections while connecting with a remote applications.

9.  This service uses a control channel to communicate service management, connection and authentication information on UDP port 1745.

10. This service uses the LAT do determine what clients are on the trusted network.


Web Proxy Service (W3PROXY.EXE)

1.  This service allows any CERN client the ability to access internet resources using the HTTP, HTTPS, Gopher and FTP protocols on behalf of the client.

2.  It is an application level service that uses CERN-compliant applications and is configured to use the Web proxy service. It functions irrelevant of the OS.

3.  Web proxy service runs as a Win2k process (W3proxy.exe).

4.  ISA uses Secure Web publishing and reverse hosting to send requests to Web-publishing servers connected behind the ISA proxy computer, without compromising the internal LAN security.

5.  The Web proxy service supports SSL and Web (ISAPI) filters.

6.  The Web proxy service includes the ISA cache.

In this tutorial I have outlined how the services work and how they function.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top