Protocols

Microsoft Internet Security and Acceleration (ISA) Server 2006 includes a variety of preconfigured protocols, which you can use when you create access rules or server publishing rules.

You can further expand the set of protocols by using ISA Server Management to create your own. User-defined protocols can be edited or deleted. Protocols included with ISA Server cannot be modified or deleted. Protocols installed with application filters cannot be modified, although they can be deleted. However, you can configure a protocol so that an application filter does not apply to the protocol. For more information, see Application filters and protocols.

When you create a protocol, you specify the following:

Note

For instructions, see Create a protocol.

Enterprise-level protocols

ISA Server 2006 Enterprise Edition only

Enterprise administrators can create and modify enterprise-level protocols. Enterprise-level protocols can be used in array-level access rules and in enterprise-level access rules. Array-level protocols can only be used in access rules for that array.

ISA Server is preconfigured with a large set of enterprise-level protocols.

Ports

More than one protocol can be associated with the same port.

Keep this in mind when you write a rule that allows all protocols except one. If you exclude a single protocol from an allow rule, traffic on that port still matches any other protocol defined on the same port, and the rule allows it. Either add every protocol that uses the same port to the exception list, or create a separate rule that denies the protocol and place that deny rule before the allow rule in the rule order.

Consider for example this scenario. You create a protocol for the port used by a worm or virus so that you can block it. Do not create an access rule that allows access to everything except the new protocol. Instead, create a rule that denies the new protocol, and place this rule before any other access rules that allow protocols on the same port as the new protocol.
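The rule-order pitfall above, as an added illustration that is not ISA Server code: a small first-match evaluator over a constructed protocol catalog (the protocol names, ports and rule names are invented for the example). It shows that "allow All Protocols except Worm" still allows TCP 5555 because a second protocol is defined on that port, that listing every protocol on the port in the exception list closes the hole, and that an explicit deny rule only works when it is ordered before the allow rule.

```python
"""Added illustration (not ISA Server code): first-match evaluation of access
rules whose protocol definitions share a port, showing why "allow everything
except X" does not block X's port when another protocol uses the same port."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str   # "TCP" or "UDP"
    port: int
    direction: str   # "outbound" or "inbound", as in the ISA protocol definition


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    protocols: frozenset = frozenset()    # protocol names; {"ALL"} = All Protocols
    exceptions: frozenset = frozenset()   # protocols excluded from the rule


def matching_protocols(catalog, transport, port, direction):
    """Every protocol definition that describes this traffic (may be several)."""
    return {p.name for p in catalog
            if p.transport == transport and p.port == port and p.direction == direction}


def evaluate(rules, catalog, transport, port, direction):
    """Walk the rules in order; the first rule that covers any matching protocol
    decides. Nothing matching falls through to the default deny rule."""
    names = matching_protocols(catalog, transport, port, direction)
    for rule in rules:
        covered = names if "ALL" in rule.protocols else names & rule.protocols
        if covered - rule.exceptions:
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed catalog: a user-defined "Worm" protocol shares TCP 5555 with a
# legitimate "LineOfBusiness" protocol; HTTP is there for contrast.
CATALOG = [
    Protocol("Worm", "TCP", 5555, "outbound"),
    Protocol("LineOfBusiness", "TCP", 5555, "outbound"),
    Protocol("HTTP", "TCP", 80, "outbound"),
]

# Pitfall: allow All Protocols except Worm. Traffic to TCP 5555 still matches
# LineOfBusiness, so the rule allows it.
ALLOW_EXCEPT_WORM = [Rule("Allow all but Worm", "allow",
                          frozenset({"ALL"}), frozenset({"Worm"}))]

# Fix 1: put every protocol on the shared port into the exception list.
ALLOW_EXCEPT_PORT = [Rule("Allow all but port 5555", "allow",
                          frozenset({"ALL"}), frozenset({"Worm", "LineOfBusiness"}))]

# Fix 2: an explicit deny rule placed BEFORE the allow rule.
DENY_FIRST = [Rule("Deny Worm", "deny", frozenset({"Worm"})),
              Rule("Allow all", "allow", frozenset({"ALL"}))]

# The same two rules in the wrong order: the allow rule matches first.
ALLOW_FIRST = list(reversed(DENY_FIRST))


def demo():
    """Evaluate TCP 5555 outbound under each policy; HTTP under the correct one."""
    results = {}
    for label, rules in [("allow-except-worm", ALLOW_EXCEPT_WORM),
                         ("allow-except-port", ALLOW_EXCEPT_PORT),
                         ("deny-first", DENY_FIRST),
                         ("allow-first", ALLOW_FIRST)]:
        results[label] = evaluate(rules, CATALOG, "TCP", 5555, "outbound")
    results["http-under-deny-first"] = evaluate(DENY_FIRST, CATALOG, "TCP", 80, "outbound")
    return results


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:24} -> {action:5} ({rule})")
```

The evaluator treats traffic as covered by a rule whenever at least one protocol definition matching the packet survives the rule's exception list, which is the behaviour the paragraph above warns about; the default deny at the end mirrors the firewall's default rule.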

Direction

ISA Server uses protocol direction to specify whether traffic is considered outbound or inbound.

For access rules, protocol direction is usually defined as outbound. This allows traffic from the network entities specified as the rule sources (From) to the network entities specified as the rule destinations (To). Generally, this means that a client behind ISA Server is allowed to send traffic to other network objects or networks, such as the External network (Internet).

For server publishing rules, the protocol direction must be defined as inbound. This allows traffic from the network entities specified as the rule sources to reach the published service on the server.

For server publishing rules, predefined protocols are always identified with the suffix, Server. For example, DNS Server protocol allows requests for DNS services to reach the published DNS server. When you define protocols for server publishing, you are not required to add the suffix. However, you must define the protocol as inbound.

Application filters and protocols

Protocol definitions with attached application filters usually do not have predefined secondary connections. The following describes the process:

  1. The client opens a primary connection to a server on the Internet.
  2. The ISA Server computer notifies the filter about the connection.
  3. The filter examines the data that is flowing through the primary connection and determines which secondary connection the client is going to use.
  4. The filter informs the ISA Server computer to allow that particular secondary connection.
  5. The ISA Server computer opens the specific port, as indicated by the application filter.
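The five steps above, as an added illustration that is not ISA Server's own filter code. FTP is used as the complex protocol because its control channel announces the data connection in the clear: a client PORT command tells the server where to connect, and a server 227 reply tells the client where to connect. The code watches a constructed control-channel transcript (addresses and commands are invented for the example) and works out the secondary connection to permit, the way step 3 and step 4 describe. The two sanity checks it applies, that an endpoint may only announce its own address and only an unprivileged port, are choices made for this example and not a description of what ISA Server's FTP filter checks.

```python
"""Added illustration (not ISA Server's FTP filter): how an application filter
watches a primary connection and learns the secondary connection to permit.
FTP is used as the complex protocol; addresses and the session are constructed."""
import re
from dataclasses import dataclass

# Client-side PORT command and server-side 227 reply, both carrying h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Secondary:
    transport: str
    opener: str      # address that will open the secondary connection
    target: str      # address that will accept it
    port: int


def _endpoint(groups):
    """Decode the six comma-separated decimal fields into (host, port)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def secondary_for(sender, line, client_ip, server_ip):
    """Return the Secondary connection a control-channel line announces, None if
    the line announces nothing, or raise ValueError when the announcement names
    an address other than the sender's own (third-party redirection) or a
    privileged port. These checks belong to this example, not to ISA Server."""
    if sender == "client":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = _endpoint(m.groups())
        expected = client_ip
        opener, target = server_ip, host        # active mode: server connects to client
    elif sender == "server":
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = _endpoint(m.groups())
        expected = server_ip
        opener, target = client_ip, host        # passive mode: client connects to server
    else:
        raise ValueError(f"unknown sender {sender!r}")
    if host != expected:
        raise ValueError(f"{sender} announced {host}:{port}, expected address {expected}")
    if port <= 1023:
        raise ValueError(f"{sender} announced privileged port {port}")
    return Secondary("TCP", opener, target, port)


def walk_session(transcript, client_ip, server_ip):
    """Process a control-channel transcript; return the secondary connections the
    firewall would open and the announcements it would refuse."""
    opened, refused = [], []
    for sender, line in transcript:
        try:
            sec = secondary_for(sender, line, client_ip, server_ip)
        except ValueError as err:
            refused.append((line, str(err)))
            continue
        if sec is not None:
            opened.append(sec)
    return opened, refused


# Constructed transcript: an active transfer, then a passive one, then a PORT
# command that names a different internal host.
SESSION = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@example.org"),
    ("server", "230 Login successful."),
    ("client", "PORT 10,0,0,5,4,1"),                                 # 10.0.0.5:1025
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,7,195,80)."),   # 203.0.113.7:50000
    ("client", "PORT 10,0,0,9,4,1"),                                 # points at another host
]


def demo():
    """Run the constructed session through the filter model."""
    return walk_session(SESSION, client_ip="10.0.0.5", server_ip="203.0.113.7")


if __name__ == "__main__":
    opened, refused = demo()
    for s in opened:
        print(f"open   {s.transport} {s.opener} -> {s.target}:{s.port}")
    for line, why in refused:
        print(f"refuse {line!r}: {why}")
```

Only the port learned from the control channel is opened, and only for the pair of hosts already talking on the primary connection; the primary connection itself never depends on this logic, which matches the note further down that primary connections work whether or not the application filter is enabled.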

Some application filters create and install new protocols. These protocols are complex protocols, meaning that they have secondary connections. By translating the ports used by these complex protocols, the application filter enables them, allowing traffic that uses these protocols to pass. The primary connections for these protocols function, whether the application filter is enabled or not.

Other application filters filter traffic of existing protocols, either user-defined or configured by ISA Server. When these application filters are disabled, the protocols that they filter are not disabled. For example, even if you disable the Simple Mail Transfer Protocol (SMTP) filter, SMTP protocols might still be allowed to pass (unfiltered).

You can apply one or more application filters to a protocol, to control how this protocol is used. For example, the Web Proxy application filter applies to HTTP. If you disable the Web Proxy application filter, Web filters no longer apply to traffic that matches rules using the HTTP protocol.

For instructions, see Apply an application filter to a protocol.

RPC protocols

When you install ISA Server, an outbound remote procedure call (RPC) protocol is defined. This definition covers all universally unique identifier (UUID) interfaces, so it matches any RPC interface.

You can create access rules that allow use of this outbound RPC protocol definition. This allows internal clients to use RPC to access external resources. For example, you can allow clients on the Internal network access to an external Exchange server. You can also create your own outgoing RPC protocol definitions, limited to specific interfaces, and use these in access rules to allow internal clients access to external resources.

Outbound RPC protocols can be configured on a per-rule basis to enforce strict RPC compliance. By default, strict compliance is enforced for RPC protocols. When strict compliance is enforced, RPC-type protocols that do not fully conform to the RPC specification, such as DCOM, are not allowed through ISA Server.

When you install ISA Server, two default RPC protocol definitions are provided for incoming requests:

The RPC (any interface) protocol is defined for outgoing requests.

You can create additional RPC protocol definitions. Using the wizard, you can select UUID interfaces from a list of interfaces available on the RPC server. Or, you can define the interfaces manually. If you do not specify any interfaces for the incoming RPC protocol definition, server publishing rules that allow this protocol definition do not allow any traffic.

After you create incoming RPC protocol definitions, you can use them in a server publishing rule.

Protocol categories

In the Toolbox, protocols are categorized in functional groups. These categories were created to facilitate selection of the appropriate protocol for your specific scenario. Some protocols are listed in more than one category. All protocols are listed in the All Protocols category. Protocols that you define are listed in the User-Defined category.

Protocol category: Description

Infrastructure: Protocols used for common networking infrastructure needs, such as address assignment (DHCP), Active Directory (LDAP), and name resolution (DNS).
Mail: Protocols used by mail servers, such as SMTP, IMAP4, POP3, and others.
Instant Messaging: Protocols required for instant messaging, including MSN Messenger, ICQ, H.323, and others.
Remote Terminal: Protocols required to allow remote management, including RDP, Telnet, and others.
Streaming Media: Protocols required for streaming media, including MMS, RTSP, and others.
VPN and IPsec: Protocols required for VPN connections, such as IKE Client, IKE Server, L2TP, and others.
Web: Protocols used to access Web sites, such as HTTP, HTTPS, FTP, and others. You can select protocols only from this category when creating Web publishing rules.
Authentication: Protocols required for authentication, such as RADIUS, RSA SecurID, and Kerberos.
Server Protocols: Server protocols used in server publishing rules, such as RPC Server, Microsoft SQL Server, FTP Server, and others.

For a full list of protocols used by Microsoft Windows products and subcomponents, see Service overview and network port requirements for the Windows Server system at Microsoft Help and Support(http://www.microsoft.com/).



