SolutionBase: Get ISA Server features without having ISA Server installed

ISA Server 2004 can be a powerful firewall, but it also doesn't come cheap. Properly configured, Windows Server 2003 can give you some of ISA Server 2004's features. Check this article to see if you really need ISA Server 2004.

Until a few years ago, if you wanted to implement NAT on your network, you had to be prepared to spend some money. There were basically three ways that you could deploy NAT. You could buy a router that incorporated NAT, you could get a copy of Microsoft's ISA Server, or you could find some third-party software product that would function as a NAT router.

If you have the budget for it, then I highly recommend implementing either ISA Server or a hardware-based router that offers similar functionality. If those are a bit out of reach, though, there is a way that you can make a Windows 2003 Server function as sort of a poor man's ISA server. Here's how.

Author's note

Of course, setting up Windows as a low-budget alternative to an ISA Server isn't free. You will need a dedicated machine and a Windows Server license. The dedicated machine doesn't have to be a high-end server, though. Unless you have a really big organization (in which case you would probably have the budget for ISA Server), you can just use a high-end PC in place of server hardware. The only special requirement is that the machine that you choose must be multihomed (have two network cards).

How NAT works

Before you start configuring Windows to work as a NAT server, you need to understand a bit more about how NAT works. If you already have a good understanding of NAT, then you can skip this section and move on to the section below.

The first thing that you need to understand is that there are several different types of NAT. You will have to determine which type of NAT is the most appropriate for your own organization. Below are descriptions of the four most common types of NAT.

  • Static NAT: Static NAT is used when you have enough registered (publicly accessible) addresses to go around, but don't want to make the machines on your network directly accessible from the Internet. In this situation, a static NAT would be configured that maps each registered address to a corresponding unregistered address in a one-to-one configuration.
  • Dynamic NAT: Dynamic NAT is used when there is a block of registered IP addresses available, but there are not enough registered IP addresses to map one to every client. In this case, unregistered IP addresses are assigned to clients, and these unregistered addresses are mapped to one of the registered addresses on a first come, first served basis.
  • Overlapping: Overlapping describes a situation in which the unregistered addresses used on an internal network are actually valid Internet IP addresses owned by someone else. NAT maintains an address lookup table to ensure that any time a PC with an overlapping address accesses the network, the PC's address is replaced with a unique IP address.
  • Overloading: Overloading describes a technique by which all of the unregistered IP addresses on a network are mapped to a single registered IP address. This is possible because TCP and UDP traffic is subdivided into multiple ports, so the NAT device can tell the clients' connections apart by port number.

Keep in mind that these are not the only types of NAT in existence. For example, my own personal network uses a form of NAT that is basically a combination of overloading and overlapping. It is important to use a type of NAT that is most appropriate for your network.

Configuring NAT

Now that you know how NAT works, let's look at how you can turn a Windows 2003 Server into a NAT router. To do so, enter the MMC command at the server's Run prompt. This will open an empty Microsoft Management Console. When the console opens, select the Add/Remove Snap-In command from the File menu. When you do, you will see the Add/Remove Snap-In properties sheet appear. Click the Add button found on the properties sheet's Standalone tab to reveal a list of available snap-in components. Select the Routing And Remote Access snap-in and click Add, followed by Close and OK.

At this point, right click on the Routing And Remote Access container and select the Add Server command from the resulting shortcut menu. Select either the This Computer option or enter the name of the appropriate server and click OK. The computer name that you enter will now be displayed beneath the Server Status container.

Right click on the server's name and select the Configure And Enable Routing And Remote Access command from the resulting shortcut menu. When you do, Windows will launch the Routing And Remote Access Server Setup Wizard. Click Next to bypass the wizard's Welcome screen and you will see a configuration screen asking you what the primary role of the Routing And Remote Access Server will be. Select the Network Address Translation (NAT) option and click Next.

As you may recall, when I discussed the server's hardware requirements earlier, I mentioned that the server would require two network interface cards. The reason for this is that the NAT server acts as a gateway between your private network and the Internet. One of the network cards will therefore connect the NAT server to the private network, while the other will connect to the Internet (or to the router or modem that connects your network to the Internet).

The wizard's next screen will ask you to select the network card that connects to the Internet. Before you click Next, verify that the Enable Security on the Selected Interface option has been selected. This will cause Windows to apply a firewall to the NAT connection. This is extremely important because it will keep hostile packets from the Internet from reaching your private network.

Click Next, and the wizard will ask you to select the network interface that the server uses to connect to your private network. Click Next, followed by Finish, and NAT will be configured.

Packet filtering

My purpose in writing this article is to show you how you can use Windows Server 2003 to act as a sort of low-budget ISA Server. So far I have shown you how to configure Windows to act as a NAT Server, but there is a lot more to ISA Server than its ability to perform network address translation. ISA Server is first and foremost a firewall. Windows Server 2003 by itself lacks many of the more advanced features offered by ISA Server, but it is possible to configure Windows Server 2003 to act as a NAT firewall.

You have already seen a hint of Windows' NAT firewall capabilities during the initial configuration when the setup wizard asked you if you wanted to enable security for the selected interface. However, you can have much more granular control over the firewall if you choose.

To customize the firewall, navigate through the Routing And Remote Access console to Routing And Remote Access | your server | IP Routing | NAT / Basic Firewall. When you select the NAT / Basic Firewall container, you will see the pane to the right display a list of the server's network interfaces. Right click on the network interface that connects to the Internet and select the Properties command from the resulting shortcut menu. When you do, you will see the Local Area Connection Properties sheet.

At this point, select the properties sheet's NAT / Basic Firewall tab. Verify that the Public Interface Connected to the Internet button is selected; otherwise, you have selected the wrong network interface. Once you have verified that you are looking at the correct network interface, look to make sure that both check boxes beneath the Public Interface Connected to the Internet option are selected.

The first check box is marked Enable NAT On This Interface. This check box simply turns NAT on and off. The second check box is marked Enable A Basic Firewall on This Interface. As long as the check box is selected, Windows is acting as a NAT firewall. This check box must be selected, but the Basic Firewall Only option should not be selected.

Now that you have verified that the interface is configured for NAT and is also configured to act as a firewall, turn your attention to the Inbound Filters and Outbound Filters buttons at the bottom of the window. These buttons allow you to customize the behavior of the basic firewall. The basic firewall has one primary rule that it follows. It does not allow any outside traffic to reach machines behind the firewall, unless that traffic is in response to a request made by a machine on the private network.
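The overloading technique from the How NAT works section and the basic firewall's primary rule above can both be pictured as lookups in one translation table. The following Python model is an added example, not code from the article or from Windows; the class name, addresses, ports, and the choice to match replies against the exact remote host are assumptions made for illustration.

```python
# Added example (simplified model); all addresses and ports are constructed.
from itertools import count

PUBLIC_IP = "203.0.113.10"  # the single registered address (constructed)


class OverloadNat:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out_map = {}  # (proto, private_ip, private_port) -> public_port
        self.in_map = {}   # (proto, public_port) -> (private_ip, private_port, remotes)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; returns the new source."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = next(self._next_port)
            self.in_map[(proto, self.out_map[key])] = (src_ip, src_port, set())
        public_port = self.out_map[key]
        self.in_map[(proto, public_port)][2].add((dst_ip, dst_port))
        return (self.public_ip, public_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the private (ip, port) to deliver to, or None to drop."""
        entry = self.in_map.get((proto, dst_port))
        if entry is None:
            return None  # no mapping: nobody inside asked for this traffic
        private_ip, private_port, remotes = entry
        if (src_ip, src_port) not in remotes:
            return None  # mapping exists, but not for this remote host
        return (private_ip, private_port)


def demo():
    nat = OverloadNat(PUBLIC_IP)
    web = ("198.51.100.7", 80)
    # Two private clients use the same source port toward the same server.
    a = nat.outbound("tcp", "192.168.0.11", 3345, *web)
    b = nat.outbound("tcp", "192.168.0.12", 3345, *web)
    reply_a = nat.inbound("tcp", *web, dst_port=a[1])
    reply_b = nat.inbound("tcp", *web, dst_port=b[1])
    unsolicited = nat.inbound("tcp", "192.0.2.66", 4444, dst_port=a[1])
    closed_port = nat.inbound("tcp", *web, dst_port=60000)
    return a, b, reply_a, reply_b, unsolicited, closed_port


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Both clients leave with the same public address but different public ports, replies are routed back by port, and the two inbound packets that no inside machine requested return None and are dropped.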

Before I show you how to configure the firewall, I want to take a moment and talk about the importance of inbound and outbound filters. The importance of an inbound filter is fairly obvious. Inbound filters shield your network from malicious packets coming in from beyond your network's perimeter (usually the Internet). You might be wondering, however, why outbound filters are so important.

Outbound filters prevent unauthorized types of packets from flowing from your private network onto the Internet (or whatever lies beyond your network's perimeter). Since your network is presumably secure, it might at first seem that outbound filters are unnecessary. However, outbound filters are a great way to prevent sensitive information from leaving your network.

Think about it for a moment. Current statistics indicate that anywhere from 85% to 95% of the computers that are connected to the Internet are infected with spyware. Some of the most common types of spyware are data miners and keystroke loggers. These modules are designed to look for things like passwords or credit card numbers, and then transmit that information over an obscure port to a collection server on the Internet. Although it is difficult to prevent spyware infections, you can prevent such modules from "phoning home" by blocking outbound traffic on ports known to be used by spyware.

If this strategy sounds high maintenance, you're right. There are over 65,000 TCP ports and over 65,000 UDP ports. Currently, only relatively few of these port numbers are known to be used by spyware modules. While it would be easy to block those particular ports, a new type of spyware could be created tomorrow that uses a different port number.

Fortunately, Microsoft makes things easy on you by allowing exception rules. This means that you can tell Windows to either accept all traffic except for traffic flowing across ports that you specifically deny, or you can tell Windows to deny traffic flowing across all ports, except for those that you specifically allow.

By default, both the inbound and outbound filters are configured to allow all types of traffic. Keep in mind though that the inbound filter will allow any type of traffic as long as it is in response to a packet sent out by a computer on your network. Normally, the default inbound filter settings are OK, unless you have specific types of traffic that you want to block.

For example, if you wanted to prevent users on your network from using IRC-based chat software, you could block ports related to IRC. That way, even if a user initiated a chat, they would never receive a response because the inbound filters are blocking the port that the response is flowing through.

When configuring the outbound filters, I recommend blocking all ports except for those that you specifically allow. The reason for this is that there are relatively few ports used for day-to-day operations in most companies. Some examples of commonly used ports are those used for HTTP, SMTP, and POP3. If you can make a list of the ports that are used legitimately within your business, you can block outbound traffic on all other ports. This will prevent spyware from phoning home (unless it is set to use one of the ports that you have allowed), and it will also make it a lot tougher for users to use unauthorized applications that communicate across the Internet.
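To compare the two exception-rule styles on the same outbound traffic, here is an added Python model; it is not from the article and does not represent how Routing And Remote Access evaluates filters. The port lists and flows are constructed, and DNS is included in the allow list as an assumption.

```python
# Added example (simplified model); rule sets and flows below are constructed.
ALLOW_ALL_EXCEPT = "allow all except listed"
DENY_ALL_EXCEPT = "deny all except listed"

# Deny-list approach: IRC plus a hypothetical port seen in past spyware traffic.
DENY_LIST = {("tcp", 6667), ("tcp", 31337)}
# Allow-list approach: HTTP, SMTP, POP3 as named in the article; DNS is an assumption.
ALLOW_LIST = {("tcp", 80), ("tcp", 25), ("tcp", 110), ("udp", 53), ("tcp", 53)}


def permits(mode, listed, proto, dst_port):
    """Return True if an outbound packet is forwarded under the given policy."""
    if mode not in (ALLOW_ALL_EXCEPT, DENY_ALL_EXCEPT):
        raise ValueError(f"unknown mode: {mode}")
    if not 0 < dst_port <= 65535:
        raise ValueError(f"invalid port: {dst_port}")
    hit = (proto, dst_port) in listed
    return not hit if mode == ALLOW_ALL_EXCEPT else hit


def compare(flows):
    """Evaluate each flow under both policies; returns rows for review."""
    rows = []
    for label, proto, port in flows:
        rows.append((label,
                     permits(ALLOW_ALL_EXCEPT, DENY_LIST, proto, port),
                     permits(DENY_ALL_EXCEPT, ALLOW_LIST, proto, port)))
    return rows


# Constructed outbound flows from the private network.
FLOWS = [
    ("web browsing", "tcp", 80),
    ("mail submission to ISP", "tcp", 25),
    ("known spyware port", "tcp", 31337),
    ("new spyware on unlisted port", "tcp", 47813),
    ("spyware reusing HTTP port", "tcp", 80),
]

if __name__ == "__main__":
    print(f"{'flow':32}{'deny-list':>10}{'allow-list':>11}")
    for label, by_deny, by_allow in compare(FLOWS):
        print(f"{label:32}{str(by_deny):>10}{str(by_allow):>11}")
```

The last two rows show the gap in each approach: the deny list forwards spyware on a port nobody has listed yet, while the allow list still forwards anything that uses a permitted port.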

A poor man's ISA server

Although an ISA Server or a firewall appliance is the preferable means for securing your network's perimeter, such devices can be expensive and might be beyond the budget of smaller companies. As an alternative, you can configure Windows Server 2003 to work as a sort of poor man's ISA Server. All it takes is configuring Windows Server 2003 to act as a NAT Server and as a perimeter firewall.