SolutionBase: Providing remote access to the ISA firewall's Web proxy services

ISA Server 2004 includes a Web proxy service that allows you to provide Internet access to users while securing your network. Here's how you get it to work.

The ISA firewall (ISA Server 2004) is a stateful packet and application layer inspection firewall. One of the ISA firewall's most popular application layer inspection extensions is its Web proxy filter. The Web proxy filter enables the ISA firewall to act as a Web proxy device. Web proxy devices (or servers) support computers with Web browsers configured to use the Web proxy to access the Internet. Here's how you configure the Web proxy filter in ISA Server 2004.

What does the Web proxy filter do?

The ISA firewall's Web proxy filter enables you to:

  • Control which sites users can and can't access on the Internet
  • Filter out viruses and worms from Web (HTTP) downloads
  • Force authentication on all connections before allowing access to the Internet
  • Provide comprehensive logging and reporting for the sites and content users access, and report on all sites a user accesses at any point in or interval of time
  • Accelerate the end user Web browsing experience by providing content from its Web proxy cache

In most deployments, the ISA firewall provides Web proxy services to computers on the corporate network. Corporate network administrators configure managed computers on the network to use the ISA firewall as their Web proxy server for outbound Web access. This is sometimes referred to as a forward proxy. The ISA firewall's Web proxy filter also enables external users to access Web servers, such as Outlook Web Access (OWA) and SharePoint servers, on the corporate network. This is often referred to as a reverse proxy or Web publishing.

Although the typical forward proxy scenario has internal network clients accessing the Internet through the ISA firewall, it is possible to allow machines located on an external network to access the ISA firewall for forward proxying.

For example, suppose you have a company with a main office that uses an ISA firewall at the main office. This company has six branch offices with 10-30 computers located at each branch office. Because each branch office has so few users, corporate IT has decided to use a simple NAT device to provide Internet access for each branch office. The simple NAT devices do not support site to site VPN connections, so corporate IT cannot use site to site VPN connections to connect the branch offices to the main office and they do not want to allow remote access VPN connections from each individual host at each office because of the administrative overhead.

Corporate IT does want some method to control and log Web site access for users at the branch offices in the same way that they control and log access for users at the main office. They can accomplish this goal by publishing the Web proxy listener on the main office ISA firewall and configuring the browsers at the branch offices to use the IP address used on the external interface of the ISA firewall to publish the main office ISA firewall's Web proxy listener. Web browsers at the branch offices can be configured manually, or via automated methods such as the Web Proxy AutoDiscovery protocol (WPAD) or the Internet Explorer Administration Kit (IEAK).

Publishing the Web proxy listener

Publishing the Web proxy listener is fairly straightforward. The process includes:

  • Configuring the Web proxy listener to force authentication
  • Creating the protocol definition and server publishing rule
  • Creating the access rule to allow connections to the Internet

Configure the Web proxy listener to force authentication

The first step is to configure the Web proxy listener to force authentication before allowing connections to itself and subsequently to the Internet. Because this Web listener will be accessible to anyone on the Internet, you want to make sure that no anonymous connections are allowed to use the Web listener. Anonymous Web proxies can be abused and open your company up to potential litigation or worse.

Another option is to configure the Server Publishing Rule so that only a limited set of IP addresses are allowed to use the Server Publishing Rule. You can use this option if the branch offices have static IP addresses. You will not be able to use this option if the branch offices do not use static addresses, because Server Publishing Rules do not allow you to control access based on the FQDN of the remote client. We'll go over these issues in more detail when we create the Server Publishing Rule.

Here's the procedure:

  1. Open the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console.
  2. Click the Networks node and then double click the Internal entry on the Networks tab in the middle pane of the console.
  3. In the Internal Properties dialog box, click the Web Proxy tab.
  4. On the Web Proxy tab, put a checkmark in the Enable Web Proxy clients checkbox. Put a checkmark in the Enable HTTP checkbox and leave the HTTP port value as 8080, as shown in Figure A.

Figure A:

Enabling the Web proxy listener on the default Internal Network
  5. Click the Authentication button. In the Authentication dialog box, you'll notice that the default authentication protocol is Integrated. You will want to use Integrated authentication for your remote clients connecting to your Web proxy listener because you cannot use SSL to encrypt user credentials when logging into the ISA firewall through the Web proxy listener. This is not a limitation of the ISA firewall, because the ISA firewall can be configured with an SSL Web listener. The problem is that there are no browsers available at this time that support the Web proxy client using an SSL secured connection to the Web proxy server. None of the other authentication options are secure enough to use over the Internet except for SSL certificate. We won't discuss the SSL certificate option in this article.
  6. Put a checkmark in the Require all users to authenticate checkbox. When this option is enabled, the Web proxy listener will force users to authenticate before the ISA firewall even gets to the point of evaluating Firewall Policy to determine which sites the users may access. This protects against situations where you or an assistant may have inadvertently configured an anonymous access rule that would allow unauthenticated users access to the Internet through the Web proxy listener.

Author's Note:

One drawback of Integrated authentication is that both the ISA firewall and the user machines must be members of the same domain, or you must mirror the local user accounts on the ISA firewall. For example, if the branch office computers are not domain members, you must have the user name and password information for all the users at each branch office and create accounts on the ISA firewall's local SAM that mirror those user accounts. This can lead to significant administrative overhead, depending on how you enforce password change policy for branch office users.

  7. Click OK to save the changes in the Authentication dialog box, shown in Figure B.
  8. Click OK to save the changes in the Internal Properties dialog box.

Figure B:

Setting the authentication protocol on the Web proxy listener

Author's Note

Keep in mind that the Internal Web listener is also the one that the Web proxy clients on the corporate network will be using. Integrated authentication isn't a problem on the corporate network when the ISA firewall is a domain member because all clients are also domain members and this enables transparent authentication. There is no need to mirror user accounts because the ISA firewall authenticates domain members against an Active Directory domain controller.

Creating the Protocol Definition and Server Publishing Rule

A Server Publishing Rule allows the ISA firewall to accept incoming connections to a specific IP address and port on its external interface and forward those connections to another IP address and port. In our example of publishing the Web proxy listener, we want the ISA firewall to listen on an IP address on its external interface using TCP port 8080 and forward the connection request to TCP port 8080 on the IP address used on the internal interface of the ISA firewall.

However, before we can create a Server Publishing Rule that publishes the Web proxy listener on the internal interface of the ISA firewall, we need to create a Protocol Definition that defines the protocol that we want to forward. In this case, we want to create a Protocol Definition for inbound TCP port 8080 connections.

Create the Web Proxy Protocol Definition

In the ISA firewall console, expand the server name and then click the Firewall Policy node. Perform the following steps:

  1. Click the Toolbox tab on the Task Pane and then click the Protocols heading. This will expand the list of protocol groups. Click the New menu and then click Protocol.
  2. On the Welcome to the New Protocol Definition Wizard page, enter Web proxy in the Protocol Definition name text box and click Next.
  3. On the Primary Connection Information page, click the New button.
  4. In the New/Edit Protocol Connection dialog box, set the Protocol type to TCP. Set the Direction as Inbound. In the Port range frame, set the From and To values to 8080, as shown in Figure C. Click OK.

Figure C:

Creating the Web proxy Protocol Definition
  5. Click Next on the Primary Connection Information page and click Next on the Secondary Connections page.
  6. Click Finish on the Completing the New Protocol Definition Wizard page.
  7. Click Apply to save the changes and update the firewall policy and click OK in the Apply New Configuration dialog box.

When you click on the User Defined protocols folder you'll see the new Web proxy Protocol Definition you created in the list, as shown in Figure D.

Figure D:

Viewing the new Web proxy Protocol Definition

Create the Server Publishing Rule

Now that we have the Protocol Definition in place, we can create the Server Publishing Rule. We'll begin by using the New Server Publishing Rule Wizard and then we'll look at the details of the rule and make some changes to support our scenario.

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. Click the Tasks tab in the Task Pane and then click the Create a New Server Publishing Rule link.
  3. On the Welcome to the New Server Publishing Rule page, enter Publish Web Proxy Listener in the Server Publishing Rule name text box and click Next. On the Select Server page, enter the IP address on the internal interface of the ISA firewall, as shown in Figure E. Click Next after entering that address.

Figure E:

Setting the IP address to send the redirect request
  4. On the Select Protocol page, select the Web proxy protocol from the Selected protocol drop-down list, as shown in Figure F. This is the protocol you created when you created the Web proxy Protocol Definition. Click Next.

Figure F:

Selecting the network protocol to redirect
  5. On the IP Addresses page, put a checkmark in the External checkbox and click Next.
  6. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Now we need to make a change to the Server Publishing Rule, so double click the Publish Web Proxy Listener firewall policy entry. In the Publish Web Proxy Listener Properties dialog box, click the To tab. On the To tab, select the Requests appear to come from the ISA Server computer option, as shown in Figure G.

Figure G:

Configuring the Server Publishing Rule to replace the source IP address with the ISA firewall's IP address

We need to do this because the ISA firewall's Web proxy listener will not accept requests from source IP addresses that are not on the same ISA firewall Network that the Web listener is listening on. Since the Web proxy listener is listening for connections coming from the default Internal Network in this example, the source IP address must be one included in the definition of the default Internal Network. We can accomplish that goal by having the ISA firewall replace the original external client's source IP address with its own.

Click on the From tab. Notice the default is to allow connections from Anywhere, shown in Figure H. Although this might seem to imply that the ISA firewall will allow connections from anywhere for the Server Publishing Rule, it actually allows connections from anywhere located on the same Network that the listener for the rule is listening on. In this example we configured the listener to listen on the External Network, so only requests from the default External Network will be serviced by this listener.

Figure H:

Controlling what hosts can connect using the Web proxy Server Publishing Rule

You have the option to limit which machines can connect via the Server Publishing Rule by removing the Anywhere entry and clicking the Add button. This will bring up the Add Network Entities dialog box shown in Figure H. Here you can select a Network Element or create a new one and allow only that Network Element access to the Server Publishing Rule that allows access to the Web listener. You can create a new Network Element using the New menu. For the scenario discussed at the beginning of the article, you can create a Computer Network Element for the IP address on the external interface of each branch office NAT device and allow only those IP addresses access to the Server Publishing Rule.

Creating the Access Rule to Allow Connections to the Internet

The listener and the Server Publishing Rule are now in place to support use of the Web proxy listener. However, no traffic will move through that interface until there is a firewall policy rule that allows traffic through the Web proxy listener.

The Web proxy filter supports only three protocols:

  • HTTP
  • HTTPS (SSL)
  • HTTP tunneled FTP (FTP communications are tunneled in an HTTP header from the Web proxy client to the Web proxy listener and then detunneled at the ISA firewall and sent to the FTP server)

Any firewall policy we create must be limited to one or more of these three protocols. We will create an Access Rule that allows all authenticated users access to HTTP, HTTPS (SSL) and FTP.

Create the Access Rule

In the ISA firewall console, expand the server name and then click the Firewall Policy node. Perform the following steps:

  1. Click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  2. On the Welcome to the New Access Rule Wizard page, enter Web Protocols to Internet and click Next.
  3. Select the Allow option on the Rule Action page and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list and then click the Add button.
  5. In the Add Protocols dialog box, click the Web folder and then double click on the FTP, HTTP and HTTPS protocols as shown in Figure I and then click Close.

Figure I:

Selecting protocols allowed by the Access Rule
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and then double click on the Internal network as shown in Figure J. Click Close.

Figure J:

Selecting the Source Network for the Access Rule
  9. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click Add.
  11. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, click the All Users entry and click Remove. We don't want to allow anonymous connections to the Internet through the ISA firewall, so we must remove the All Users entry.
  14. Click the Add button. In the Add Users dialog box, shown in Figure K, double click the All Authenticated Users entry and click Close.

Figure K:

Configuring the Access Rule to require authentication
  15. Click Next on the User Sets page.
  16. Click Finish on the Completing the New Access Rule Wizard page.

At this point remote users and users on the default Internal network will be able to access all Web sites as long as they successfully authenticate.
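
One way to confirm from a branch office that the published listener refuses anonymous use and offers only Integrated authentication, as an added example that is not part of the original article. The function names, result labels and sample responses are assumptions made for illustration; the accepted schemes follow the article's statement that only Integrated authentication is suitable here.

```python
import socket
from urllib.parse import urlsplit

# Integrated authentication is offered as Negotiate, Kerberos and/or NTLM.
INTEGRATED = {"negotiate", "kerberos", "ntlm"}


def classify_proxy_response(raw: bytes) -> str:
    """Classify a proxy's reply to a request that carried no credentials."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unparseable"
    status = int(parts[1])
    schemes = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.add(value.split()[0].lower())
    if status == 407:
        weak = sorted(schemes - INTEGRATED)
        if weak:                      # e.g. Basic: credentials cross the Internet
            return "auth-required-weak:" + ",".join(weak)
        return "auth-required-integrated" if schemes else "auth-required-no-scheme"
    if 200 <= status < 400:
        return "open-proxy"           # the anonymous request was serviced
    return "refused"                  # denied, but not through an auth challenge


def probe(proxy_host: str, port: int = 8080, url: str = "http://example.com/") -> str:
    """Send one unauthenticated proxy-style GET to a listener you administer."""
    host = urlsplit(url).netloc
    req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, port), timeout=10) as s:
        s.sendall(req.encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_proxy_response(data)


# Constructed sample responses, not captured from a real ISA firewall.
SAMPLE_INTEGRATED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b"Proxy-Authenticate: Negotiate\r\n"
                     b"Proxy-Authenticate: NTLM\r\n\r\n")
SAMPLE_BASIC = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
SAMPLE_OPEN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
```

The expected result for the configuration built in this article is auth-required-integrated; open-proxy means an anonymous path still exists through the listener or the Access Rule.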

That's all there is to it!

Web proxy devices can provide secure connections to machines configured as Web proxy clients. The ISA firewall includes a Web proxy filter, which enables it to act as a Web proxy server. The Web proxy filter uses a Web proxy listener to accept connections from Web browsers configured as Web proxy clients. Web proxy clients connecting from the corporate network to the Internet use the Web proxy server as a forward Web proxy.

In some circumstances, such as a branch office scenario, you might want to enable the ISA firewall's Web proxy listener to accept connections from remote hosts. You can configure the ISA firewall to support remote host connections to its Web proxy listener by creating a Web proxy Protocol Definition, Server Publishing Rule and Access Rule to support these connections. This article provided detailed instructions on how to carry out these configuration requirements.
