Microsoft Internet Security and Acceleration Server 2000

Controlling Outgoing Requests

One of the primary functions of ISA Server is to connect your local network to the Internet while protecting your local network from malicious content. To facilitate this connectivity, you use ISA Server to create an access policy that permits internal clients access to specific Internet hosts. The access policy, together with the routing rules, determines how clients access the Internet.

When ISA Server processes an outgoing request, it checks routing rules, site and content rules, and protocol rules to determine if access is allowed. A request is allowed only if both a protocol rule and a site and content rule allow the request and if there is no rule that explicitly denies the request.

Some rules can be configured to apply to specific clients. In this case, the clients can be specified either by Internet Protocol (IP) address or by user name. ISA Server processes the requests differently, depending on which type of client requests the object and on how you configure ISA Server.

For an outgoing request, rules are processed in the following order:

  1. Protocol rules. First, ISA Server checks the protocol rules. ISA Server allows the request only if a protocol rule specifically allows the request and if no protocol rule specifically denies it.
  2. Site and content rules. Next, ISA Server checks the site and content rules. ISA Server allows the request only if a site and content rule specifically allows the request and if no site and content rule specifically denies it.
  3. IP packet filters. ISA Server then checks if an IP packet filter has been configured to specifically block the request, to determine if the request should be denied.
  4. Routing rules or Firewall chaining configuration. Finally, ISA Server checks the routing rules (if a Web proxy client requested the object) or the firewall chaining configuration (if a SecureNAT or firewall client requested the object) to determine how the request should be serviced.
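
The processing order above can be traced with a small model. This is an added example, not ISA Server code or part of the original documentation; the Rule class, field names, rule sets, and sample request are constructed for illustration, and rule matching is simplified to exact field comparison.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                                # "allow" or "deny"
    match: dict = field(default_factory=dict)  # fields that must match; {} matches every request

    def applies(self, req):
        return all(req.get(k) == v for k, v in self.match.items())

def rule_set_allows(rules, req):
    """A rule set allows a request only if a rule allows it and no rule denies it."""
    hits = [r.action for r in rules if r.applies(req)]
    return "allow" in hits and "deny" not in hits

def evaluate(req, protocol_rules, site_content_rules, block_filters):
    # 1. Protocol rules: explicit allow required, any deny wins.
    if not rule_set_allows(protocol_rules, req):
        return "denied: protocol rules"
    # 2. Site and content rules: same allow-and-no-deny test.
    if not rule_set_allows(site_content_rules, req):
        return "denied: site and content rules"
    # 3. IP packet filters: only a filter configured to block matters here.
    if any(f.applies(req) for f in block_filters):
        return "denied: IP packet filter"
    # 4. How the request is serviced depends on the client type.
    if req["client"] == "web_proxy":
        return "allowed: routing rules"
    return "allowed: firewall chaining"        # SecureNAT or firewall client

# Constructed sample policy (assumed values, documentation address ranges).
PROTOCOL_RULES = [Rule("allow", {"protocol": "HTTP"}),
                  Rule("deny", {"protocol": "HTTP", "user": "guest"})]
SITE_RULES = [Rule("allow"), Rule("deny", {"host": "blocked.example"})]
BLOCK_FILTERS = [Rule("deny", {"dest_ip": "203.0.113.9"})]
SAMPLE = {"protocol": "HTTP", "user": "alice", "host": "www.example",
          "dest_ip": "198.51.100.5", "client": "web_proxy"}

def check(**changes):
    """Evaluate the sample request with some fields overridden."""
    return evaluate({**SAMPLE, **changes}, PROTOCOL_RULES, SITE_RULES, BLOCK_FILTERS)

if __name__ == "__main__":
    for changes in ({}, {"client": "secure_nat"}, {"user": "guest"},
                    {"protocol": "FTP"}, {"host": "blocked.example"},
                    {"dest_ip": "203.0.113.9"}):
        print(changes, "->", check(**changes))
```

The FTP case is denied without any deny rule matching, because no protocol rule allows it; the guest case is denied even though an allow rule matches, because a deny rule also matches.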