Protocols

Microsoft Internet Security and Acceleration (ISA) Server 2006 includes a variety of preconfigured protocols, which you can use when you create access rules or server publishing rules.

You can further expand the set of protocols by using ISA Server Management to create your own. User-defined protocols can be edited or deleted. Protocols included with ISA Server cannot be modified or deleted. Protocols installed with application filters cannot be modified, although they can be deleted. However, you can configure a protocol so that an application filter does not apply to the protocol. For more information, see Application filters and protocols.

When you create a protocol, you specify the following:

Protocol type. This includes TCP, UDP, ICMP, or IP-level.
Direction. For UDP, this includes Send, Receive, Send Receive, or Receive Send. For TCP, this includes Inbound and Outbound. For ICMP and IP-level, this includes Send and Send Receive.
Port range. For TCP and UDP, this is a range of ports between 1 and 65535 that is used for the initial connection.
Protocol number. For IP-level protocols, this is a number between 0 and 254.
ICMP properties. For ICMP, this is the ICMP code and type.
(Optional) Secondary connections. This is the range of ports, protocol types, and direction used for additional connections or packets that follow the initial connection. You can configure one or more secondary connections.

Note

You cannot define secondary connections for IP-level primary protocols.

For instructions, see Create a protocol.

Enterprise-level protocols

ISA Server 2006 Enterprise Edition only

Enterprise administrators can create and modify enterprise-level protocols. Enterprise-level protocols can be used in array-level access rules and in enterprise-level access rules. Array-level protocols can only be used in access rules for that array.

ISA Server is preconfigured with a large set of enterprise-level protocols.

Ports

More than one protocol can be associated with the same port.

If you create a rule denying access to a specific protocol, be sure to include all protocols that use the same port in the exception list. Alternatively, you can create a rule denying any one of the protocols that use the port, and place the deny rule before the access rule in the rules order.

Consider for example this scenario. If you create a protocol to be used in a rule that denies access to a virus, do not create an access rule that allows access to everything except the new protocol. Instead, create a rule that denies access to the new protocol. Place this rule before any other access rules that allow protocols on the same ports as the new protocol.

Direction

ISA Server uses protocol direction to specify whether traffic is considered outbound or inbound.

For access rules, protocol direction is usually defined as outbound. This allows traffic from the network entities specified as the rule sources (From) to the network entities specified as the rule destinations (To). Generally, this means that a client behind ISA Server is allowed to send traffic to other network objects or networks, such as the External network (Internet).

For server publishing rules, protocol definition must be defined as inbound. This allows traffic from the network entities specified as the network sources to the published service on the server.

For server publishing rules, predefined protocols are always identified with the suffix, Server. For example, DNS Server protocol allows requests for DNS services to reach the published DNS server. When you define protocols for server publishing, you are not required to add the suffix. However, you must define the protocol as inbound.

Application filters and protocols

Protocol definitions with attached application filters usually do not have predefined secondary connections. The following describes the process:

The client opens a primary connection to a server on the Internet.
The ISA Server computer notifies the filter about the connection.
The filter examines the data that is flowing through the primary connection and determines which secondary connection the client is going to use.
The filter informs the ISA Server computer to allow that particular secondary connection.
The ISA Server computer opens the specific port, as indicated by the application filter.

Some application filters create and install new protocols. These protocols are complex protocols, meaning that they have secondary connections. By translating the ports used by these complex protocols, the application filter enables them, allowing traffic that uses these protocols to pass. The primary connections for these protocols function, whether the application filter is enabled or not.

Other application filters filter traffic of existing protocols, either user-defined or configured by ISA Server. When these application filters are disabled, the protocols that they filter are not disabled. For example, even if you disable the Simple Mail Transfer Protocol (SMTP) filter, SMTP protocols might still be allowed to pass (unfiltered).

You can apply one or more application filters to a protocol, to control how this protocol is used. For example, the Web Proxy application filter applies to HTTP. When you disable the Web Proxy application filter, Web filters will not apply to traffic that matches this rule.

For instructions, see Apply an application filter to a protocol.

RPC protocols

When you install ISA Server, an outbound remote procedure call (RPC) protocol is defined. All universally unique identifier (UUID) interfaces are used for this protocol definition.

You can create access rules that allow use of this outbound RPC protocol definition. This can allow internal clients to use the RPC protocol to access external resources. For example, you can allow clients on the Internal network access to an external Exchange server. Similarly, you can create outgoing RPC protocol definitions, and use these in access rules, to allow internal clients access to external resources.

Outbound RPC protocols can be configured on a per-rule basis, to enforce strict RPC compliance. By default, strict compliance is enforced for RPC protocols. By enforcing strict compliance, RPC-type protocols, such as DCOM, will not be allowed through ISA Server.

When you install ISA Server, two default RPC protocol definitions are provided for incoming requests:

Any RPC server. If this protocol definition is allowed in a server publishing rule, ISA Server will map any inbound RPC requests to the published RPC server. If the UUID is registered on the RPC server, access to the procedure is given. If the UUID is not registered on the RPC server, the request is dropped.
Exchange RPC server. A list of UUID interfaces used for Exchange is defined as an RPC protocol definition. You can use this protocol definition in server publishing rules to deny or allow access to specific Exchange functions.

The RPC (any interface) protocol is defined for outgoing requests.

You can create additional RPC protocol definitions. Using the wizard, you can select UUID interfaces from a list of interfaces available on the RPC server. Or, you can define the interfaces manually. If you do not specify any interfaces for the incoming RPC protocol definition, server publishing rules that allow this protocol definition do not allow any traffic.

After you create incoming RPC protocol definitions, you can use them in a server publishing rule.

Protocol categories

In the Toolbox, protocols are categorized in functional groups. These categories were created to facilitate selection of the appropriate protocol for your specific scenario. Some protocols are listed in more than one category. All protocols are listed in the All Protocols category. Protocols that you define are listed in the User-Defined category.

Protocol category	Description
Infrastructure	This category includes protocols used for common networking infrastructural needs, such as address assignment (DHCP), Active Directory (LDAP), and name resolution (DNS).
Mail	This category includes protocols used by mail servers, such as SMTP, IMAP4, POP3, and others.
Instant Messaging	This category includes protocols required for instant messaging, including MSN Messenger, ICQ, H.323, and others.
Remote Terminal	This category includes protocols required to allow remote management, including RDP, Telnet, and others.
Streaming Media	This category includes protocols required for streaming media, including MMS, RTSP, and others.
VPN and IPsec	This category includes protocols required for VPN connections, such as IKE Client, IKE Server, L2TP, and others.
Web	This category includes protocols used to access Web sites, such as HTTP, HTTPS, FTP, and others. You can select protocols only from this category when creating Web publishing rules.
Authentication	This category includes protocols required for authentication, such as RADIUS, RSA SecurID, and Kerberos.
Server Protocols	This category includes server protocols, used in server publishing rules, such as RPC server, Microsoft SQL Server, FTP server, and others.

For a full list of protocols used by Microsoft Windows products and subcomponents, see Service overview and network port requirements for the Windows Server system at Microsoft Help and Support(http://www.microsoft.com/).

Get latest ISA Server content at ISA Server Guidance(http://www.microsoft.com/).

Send feedback about this page.

English-to-Russian translation