How to use an ISA Server 2006 or an ISA Server 2004 computer to block transparent HTTP clients without requiring authentication (884505)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition

INTRODUCTION

This article describes how to block transparent HTTP clients without requiring authentication by using Microsoft Internet Security and Acceleration (ISA) Server 2006 or Microsoft Internet Security and Acceleration (ISA) Server 2004. The HTTP protocol makes it possible for Web site authors to put multiple versions of the same information under a single URL. Several computers can connect through a single connection on an ISA Server computer, and the clients appear to connect directly rather than through an ISA Server computer. Transparent content negotiation is named "transparent" because it makes all variants that exist on the ISA Server computer visible to the external network.

MORE INFORMATION

To create a new policy in ISA Server that blocks transparent HTTP clients without requiring authentication, you must create a new protocol in ISA Server, create a new access rule, and then remove the HTTP protocol from the Web Proxy Filter. To do this, follow these steps:
  1. Create a new protocol that is named Transparent HTTP. To do this, follow these steps:
    1. Start the ISA Server Management tool.
    2. Expand the name of your ISA Server computer, click Firewall Policy, and then click the Toolbox tab in the right pane.

      Note For ISA Server Enterprise Edition, expand Arrays, expand Array_Name, and then click Firewall Policy.
    3. In the right pane, right-click Protocol, and then click New Protocol.
    4. Type a name for the new protocol. Use a descriptive name, such as Transparent HTTP Protocol, and then click Next.
    5. Click New on the Primary Connection Information page.
    6. Under Protocol type, click TCP, and then click Outbound under Direction.
    7. Under Port Range, type 80 in the From box, type 80 in the To box, and then click OK.
    8. Click Next, click No on the Secondary Connections page, and then click Next.
    9. Click Finish.
  2. Create a new access rule that denies transparent HTTP traffic from the internal network to the external network. To do this, follow these steps:
    1. In the ISA Server Management Tool, right-click Firewall Policy, point to New, and then click Access Rule.
    2. Type a name for the new access rule. Use a descriptive name, such as Transparent HTTP rule, and then click Next.
    3. Click Deny, and then click Next.
    4. In the This rule applies to list, click Selected Protocols, and then click Add.
    5. Expand User-Defined, click Transparent HTTP Protocol, click Add, and then click Close.
    6. Click Next.
    7. On the Access Rule Sources page, click Add.
    8. Expand Networks, click Internal, click Add, and then click Close.
    9. Click Next.
    10. On the Access Rule Destinations page, click Add.
    11. Expand Networks, click External, click Add, and then click Close.
    12. Click Next.
    13. On the User Sets page, click All Users, and then click Next.
    14. Click Finish.

      Note Put the new access rule before any other rules that permit HTTP traffic.
  3. Remove the HTTP protocol from the Web Proxy filter. To do this, follow these steps:
    1. In the ISA Server Management Tool, click Firewall Policy, and then click the Toolbox tab in the right pane.
    2. In the right pane, expand Common Protocols, right-click HTTP, and then click Properties.
    3. Click the Parameters tab.
    4. Under Application Filters, click to clear the Web Proxy Filter check box, and then click OK.
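
The note in step 2 says to put the new access rule before any rule that permits HTTP traffic, because firewall policy rules are evaluated in order and the first matching rule decides the result. The following Python model is an added example, not ISA Server code or part of the original article; the "Allow web access" rule, the address ranges, and the simplified matching logic are assumptions made for illustration.

```python
# Simplified model of ordered, first-match rule evaluation (an assumption of
# this example; it is not ISA Server code). Names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed Internal network range

def network_of(addr):
    """Classify an address as Internal or External."""
    return "Internal" if ip_address(addr) in INTERNAL else "External"

@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str
    low: int
    high: int

    def matches(self, transport, port):
        return transport == self.transport and self.low <= port <= self.high

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "Allow" or "Deny"
    protocols: tuple
    source: str
    destination: str

    def matches(self, src, dst, transport, port):
        return (network_of(src) == self.source
                and network_of(dst) == self.destination
                and any(p.matches(transport, port) for p in self.protocols))

def evaluate(policy, src, dst, transport, port):
    """Return (action, rule name) of the first matching rule, else default deny."""
    for rule in policy:
        if rule.matches(src, dst, transport, port):
            return rule.action, rule.name
    return "Deny", "Default rule"

TRANSPARENT_HTTP = Protocol("Transparent HTTP Protocol", "TCP", 80, 80)
WEB = (Protocol("HTTP", "TCP", 80, 80), Protocol("HTTPS", "TCP", 443, 443))
DENY = Rule("Transparent HTTP rule", "Deny", (TRANSPARENT_HTTP,), "Internal", "External")
ALLOW = Rule("Allow web access", "Allow", WEB, "Internal", "External")  # constructed

CORRECT_ORDER = [DENY, ALLOW]   # deny rule first, as the note requires
WRONG_ORDER = [ALLOW, DENY]     # deny rule shadowed by the earlier allow rule
```

With `WRONG_ORDER`, a port 80 connection from Internal to External matches the allow rule first and the deny rule is never reached.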

Modification Type: Major
Last Reviewed: 9/29/2006