Using the Browser on the ISA Firewall (2004)
One of the most popular requests I see on the ISAserver.org Web boards and mailing list is "how do I use the browser on my ISA firewall?" This is a painful question for me to hear. In an ideal firewall security environment, you would never use the Web browser on the firewall.
The ISA firewall should never be used as a workstation, file server, Web server or any other kind of server. It’s a firewall, and the ISA firewall is one of the best and most secure firewalls on the market today. Introducing potential exploits through the browser does nothing to enhance the ISA firewall’s security posture.
However, in the real world of network computing, things don’t always work the way security wonks want them to. When we move out of the "clean room" environment most security experts live in, we see that firewall admins want to use the browser on the ISA firewall for a number of reasons. It might be to visit the Windows Update site, download scripts to the ISA firewall, or any number of other reasons.
This article will explain how to configure the ISA firewall to support Web browsing from the ISA firewall machine. However, before I continue, I want to make my official statement on this subject:
Never use the Web browser or any other client application from the ISA firewall. Using client applications on the ISA firewall significantly reduces the overall security posture of the ISA firewall and can have potentially adverse effects not only on the ISA firewall, but on your entire network infrastructure.
The default ISA firewall configuration includes a System Policy allowing you to visit a list of trusted sites. You can view the ISA firewall’s System Policy by opening the Microsoft Internet Security and Acceleration Server 2004 management console, expanding the server name, and clicking on the Firewall Policy node. In the Task Pane, click the Tasks tab. In the list of System Policy Tasks, click Show System Policy Rules.
Note:
Firewall System Policy controls traffic originating from the ISA firewall and terminating at the ISA firewall. System Policy does not control traffic moving through the ISA firewall. You must use Access Rules and Publishing Rules to control traffic moving through the ISA firewall.
You’ll see that the System Policy rules are listed before the Firewall Policy Rules. This means that these rules are processed before any Firewall Policies you create yourself. There are two System Policy Rules that allow the ISA firewall to connect to the Web:
- Allow HTTP/HTTPS requests from ISA Server to specified site (System Policy Rule #17)
- Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites (System Policy Rule #23)
System Policy Rule #17 allows connections from the ISA firewall to the System Policy Allowed Sites Domain Name Set. The following sites are included by default:
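The rules and the contents of that set can also be read from the firewall's own configuration. The script below is an added example, not part of the original article: it lists the System Policy rules with their enabled state and prints the entries of the System Policy Allowed Sites set, marking wildcard entries for review. It assumes the ISA Server 2004 administration COM objects (`FPC.Root`) are available, meaning it is run on the ISA firewall itself with `cscript` under an account that has ISA administrative rights; the file name and the review wording are illustrative.

```vbscript
' audit-system-policy.vbs  (added example; file name is hypothetical)
' Run on the ISA firewall:  cscript //nologo audit-system-policy.vbs
Option Explicit

Const SET_NAME = "System Policy Allowed Sites"   ' set named in the article

Dim root, isaArray, rule, nameSet, entry

Set root = CreateObject("FPC.Root")              ' ISA administration COM root
Set isaArray = root.GetContainingArray()         ' array holding this server

' 1. System Policy rules: traffic from or to the firewall itself.
WScript.Echo "System Policy rules (state, name):"
For Each rule In isaArray.SystemPolicy.PolicyRules
    WScript.Echo "  " & StateText(rule.Enabled) & vbTab & rule.Name
Next

' 2. Destinations the firewall itself may reach over HTTP/HTTPS.
On Error Resume Next
Set nameSet = isaArray.RuleElements.DomainNameSets.Item(SET_NAME)
If Err.Number <> 0 Then
    WScript.Echo "Domain Name Set not found: " & SET_NAME
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo vbCrLf & "Entries in '" & SET_NAME & "':"
For Each entry In nameSet
    WScript.Echo "  " & entry & Review(entry)
Next

Function StateText(enabled)
    If enabled Then StateText = "enabled " Else StateText = "disabled"
End Function

' Mark entries that widen what a browser on the firewall could reach.
Function Review(name)
    Review = ""
    If name = "*" Then
        Review = "   <-- REVIEW: matches every site"
    ElseIf Left(name, 2) = "*." And InStr(3, name, ".") = 0 Then
        Review = "   <-- REVIEW: matches a whole top-level domain"
    ElseIf InStr(name, "*") > 0 Then
        Review = "   <-- wildcard: covers all hosts under this domain"
    End If
End Function
```

The script only reads the configuration; it makes no changes and calls no save method.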
