Microsoft Internet Security and Acceleration Server 2000

IP Packet Filters

The packet filtering feature of ISA Server allows you to control the flow of Internet protocol (IP) packets to and from ISA Server. When you enable packet filtering, all packets on the external interface are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically by access policy or publishing rules.

Even if you do not enable packet filtering, communication between your local network and the Internet is allowed only when you explicitly configure rules that permit access.

In most cases, it is preferable to open ports dynamically. Therefore, it is usually recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, but the access policy and publishing rules open the ports dynamically (as a request arrives). For example, suppose you want to grant all internal users access to Hypertext Transfer Protocol (HTTP) sites. You should not create an IP packet filter that opens port 80. Rather, you should create the necessary site and content rule and protocol rule that allow this access.

You can create IP packet filters that filter packets based on service type, port number, source computer name, and destination computer name. IP packet filters are static: communication through a specific port is either always allowed or always blocked. Allow filters are exception filters in that all packet types are blocked except for those you specify. If you do not have a packet filter activated for a specific port, then the service cannot listen on that port unless the port is opened dynamically.

Block filters close the specified ports. You can create and configure block filters to further define the traffic allowed through the ISA Server computer. For example, you can create an allow filter that allows Transmission Control Protocol (TCP) traffic on port 25 between all internal and external hosts, thus activating Simple Mail Transfer Protocol (SMTP) communication. You can then limit access, creating a block filter that blocks a set of external hosts, such as potential intruders, from sending TCP packets to port 25 on your ISA Server computer.
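The following is an added example, not part of the original documentation, that models the packet filter evaluation described above (default drop on the external interface, static allow filters, dynamically opened ports, and block filters that refine an allow filter) and walks through the SMTP scenario. The class and function names, the address ranges, and the assumption that a matching block filter is evaluated before any static or dynamic allow are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of ISA Server 2000 IP packet filter semantics.
# Assumption: a matching block filter wins over any static or dynamic allow.
@dataclass(frozen=True)
class PacketFilter:
    mode: str                 # "allow" or "block"
    protocol: str             # "tcp", "udp", "icmp"
    port: Optional[int]       # destination port on the ISA Server, None = any
    remote: str = "0.0.0.0/0" # external host or network the filter applies to

    def matches(self, protocol, port, remote_ip):
        return (self.protocol == protocol
                and self.port in (None, port)
                and ip_address(remote_ip) in ip_network(self.remote))

@dataclass
class ExternalInterface:
    filters: list = field(default_factory=list)
    # (protocol, port) pairs opened dynamically by an access policy or
    # publishing rule while a request is being handled
    dynamic_ports: set = field(default_factory=set)

    def decide(self, protocol, port, remote_ip):
        """Return 'drop' or 'pass' for an inbound packet with packet filtering enabled."""
        for f in self.filters:
            if f.mode == "block" and f.matches(protocol, port, remote_ip):
                return "drop"      # block filter narrows what an allow filter opened
        for f in self.filters:
            if f.mode == "allow" and f.matches(protocol, port, remote_ip):
                return "pass"      # port opened statically by an allow filter
        if (protocol, port) in self.dynamic_ports:
            return "pass"          # port opened dynamically by a rule for this request
        return "drop"              # everything not explicitly allowed is dropped

def smtp_example():
    """The SMTP scenario: allow TCP/25 from any host, then block one external range."""
    isa = ExternalInterface(filters=[
        PacketFilter("allow", "tcp", 25),
        PacketFilter("block", "tcp", 25, remote="203.0.113.0/24"),  # constructed range
    ])
    isa.dynamic_ports.add(("tcp", 80))   # e.g. a web publishing rule servicing a request
    return {
        "smtp_allowed": isa.decide("tcp", 25, "198.51.100.7"),
        "smtp_blocked": isa.decide("tcp", 25, "203.0.113.9"),
        "http_dynamic": isa.decide("tcp", 80, "198.51.100.7"),
        "telnet_default": isa.decide("tcp", 23, "198.51.100.7"),
    }
```

Note that the same port 80 request passes only because a rule opened it for that request; remove the dynamic entry and the evaluator drops it, which is why the page recommends rules over a static allow filter for HTTP.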