HOW TO: Securely Configure the External Interface on an ISA Server Computer (310220)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q310220

IN THIS TASK

SUMMARY

This step-by-step article describes how to securely configure the external interface on a Microsoft Internet Security and Acceleration (ISA) Server computer.

ISA Server 2000 provides both Web caching and firewall services to protect your network. You can place an ISA Server computer on the edge of the network to act as a secure firewall that can protect your entire network.

Although the ISA Server software provides a very high level of security, to optimize your ISA Server security solution you should configure the ISA Server's external interface in the most secure way that is possible. There are only a few steps you need to take to harden the external interface from attack.

There are four basic configuration steps that are required to lock down the external interface:
  • Make the required changes to the external interface properties dialog box.
  • Disable the H.323 gateway.
  • Enable ISA Server packet filtering.
  • Confirm open ports by using the Netstat.exe utility.
back to the top

Configure the External Interface Characteristics

  1. Click Start, point to Settings, click Control Panel, and then double-click Network Connections.
  2. In the Network and Dial-up Connections pane, right-click the external interface of the ISA Server computer, and then click Properties.
  3. On the interface properties page, click to clear the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes.
  4. Click OK.
back to the top

Disable the H.323 Gateway

The H.323 gateway allows users to connect to external clients by using NetMeeting through ISA. If you do not require this functionality, it is recommended that you disable the filter during installation. To disable the H.323 application filter, follow these steps:
  1. Start the ISA Management console. Expand your server or array, and then expand the Extensions node in the left pane.
  2. Expand the Application Filters node in the left pane.
  3. Right-click H.323 Filter, and then click Properties
  4. On the General tab, click to clear the Enable this filter check box.
back to the top

Configure Packet Filtering on the ISA Server Computer

You can use the ISA Server Packet Filtering feature to control which packets can enter or leave the external interface of the ISA Server. After you enable packet filtering, you must create a packet filter, protocol rule, or publishing rule for packets to traverse the external interface of the ISA Server computer.

To configure packet filtering on the external interface of the ISA Server computer:
  1. Start the ISA Management console. Expand your server or array, and then expand the Access Policy node in the left pane.
  2. Right-click the IP Packet Filters node, and then click Properties.
  3. Click to select the Enable Packet Filtering check box, click OK, and then restart the Firewall service.
  4. Review the default packet filters in the right pane. These ICMP and DNS filters are used for network management and should be left enabled unless you have a compelling reason to disable them. Note that by default, the DHCP Client packet filter is disabled .
back to the top

Confirm Open Ports on the External Interface of the ISA Server Computer

The most reliable way to confirm open ports on the external interface of the ISA Server is to use the Netstat.exe command. To view open ports:
  1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
  2. At the command prompt, type netstat -na, and then press ENTER.
  3. First check the port numbers that are open for the local address that represents the IP address on the external interface of the ISA Server computer. These ports listen only on the external interface. Next, check the ports that are listening on the local address 0.0.0.0. These ports may be listening on the external interface of the ISA Server. If you have enabled packet filtering, only the ports that you have allowed by using protocol rules, publishing rules, or packet filters will be open on the external interface, and because of this, the 0.0.0.0 entries will only be listening on the external interface.
NOTE: Some services or application filters will open a port on the external interface in spite of the absence of a packet filter, protocol rule or publishing rule. The H.323 Gatekeeper service is an example. This explains why you may see open ports that were not explicitly opened.

back to the top


The following example demonstrates port usage with NetBIOS disabled and enabled for comparison:

*******************************************************
- NetBIOS over TCP/IP set to Disabled
- All ISA services offline
*******************************************************

C:\Documents and Settings\>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1692 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3004 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3390 0.0.0.0:0 LISTENING
TCP 0.0.0.0:15185 0.0.0.0:0 LISTENING
TCP 0.0.0.0:42510 0.0.0.0:0 LISTENING
TCP 66.57.140.80:28607 207.71.92.193:80 TIME_WAIT
TCP 66.57.140.80:28609 207.71.92.193:443 TIME_WAIT
TCP 66.57.140.80:28610 207.71.92.193:443 TIME_WAIT
TCP 192.168.0.1:139 0.0.0.0:0 LISTENING
TCP 192.168.0.1:1692 192.168.0.4:1998 ESTABLISHED
TCP 192.168.0.1:15185 192.168.0.2:445 ESTABLISHED
TCP 192.168.0.1:28614 0.0.0.0:0 LISTENING
TCP 192.168.0.1:28614 192.168.0.2:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
UDP 0.0.0.0:1812 *:*
UDP 0.0.0.0:1813 *:*
UDP 0.0.0.0:3001 *:*
UDP 0.0.0.0:3021 *:*
UDP 0.0.0.0:3033 *:*
UDP 0.0.0.0:3034 *:*
UDP 0.0.0.0:3901 *:*
UDP 0.0.0.0:5557 *:*
UDP 0.0.0.0:19085 *:*
UDP 66.57.140.80:500 *:*
UDP 66.57.140.80:43508 *:*
UDP 192.168.0.1:137 *:*
UDP 192.168.0.1:138 *:*
UDP 192.168.0.1:500 *:*
UDP 192.168.0.1:43508 *:*
********************************************************
- Set NetBIOS over TCP/IP to Default
- ipconfig /release
- ipconfig /renew
**********************************

C:\Documents and Settings\>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1692 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3004 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3390 0.0.0.0:0 LISTENING
TCP 0.0.0.0:15185 0.0.0.0:0 LISTENING
TCP 0.0.0.0:42510 0.0.0.0:0 LISTENING
TCP 66.57.140.80:139 0.0.0.0:0 LISTENING
TCP 192.168.0.1:139 0.0.0.0:0 LISTENING
TCP 192.168.0.1:1692 192.168.0.4:1998 ESTABLISHED
TCP 192.168.0.1:15185 192.168.0.2:445 ESTABLISHED
TCP 192.168.0.1:28614 0.0.0.0:0 LISTENING
TCP 192.168.0.1:28614 192.168.0.2:139 ESTABLISHED
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
UDP 0.0.0.0:1812 *:*
UDP 0.0.0.0:1813 *:*
UDP 0.0.0.0:3001 *:*
UDP 0.0.0.0:3021 *:*
UDP 0.0.0.0:3033 *:*
UDP 0.0.0.0:3034 *:*
UDP 0.0.0.0:3901 *:*
UDP 0.0.0.0:5557 *:*
UDP 0.0.0.0:19085 *:*
UDP 66.57.140.80:137 *:*
UDP 66.57.140.80:138 *:*
UDP 66.57.140.80:500 *:*
UDP 66.57.140.80:43508 *:*
UDP 192.168.0.1:137 *:*
UDP 192.168.0.1:138 *:*
UDP 192.168.0.1:500 *:*
UDP 192.168.0.1:43508 *:*

back to the top
Modification Type:MajorLast Reviewed:10/24/2003
Keywords:kbenv kbHOWTOmaster kbnetwork KB310220 kbAudDeveloper kbAudITPro
©2003 Microsoft Corporation. All rights reserved.