Microsoft Internet Security and Acceleration Server 2000

How the Firewall Service Works

The Firewall client captures an API call and redirects it to the Firewall service, which makes the actual call. That is, there are actually two connections: one on the private network from the client to the ISA server and one over the Internet from the Internet host to the ISA server.

The Firewall service consists of two parts: a dynamic-link library (DLL) running on the Firewall client and a service running on the ISA Server computer.

When ISA Firewall client software is installed on the computer, it installs two .dll files. The files intercept Winsock API calls from applications on the client and forward them to the ISA Server computer by using a control channel.

The control channel manages remote Winsock messages, and is designed to do the following:

The ISA Firewall client .dll is initialized when the first Winsock connection is attempted. A control channel with the ISA Firewall service is then established and designated as active through the channel. Finally, the local address table (LAT) is copied from the server to determine which networks are on the Internet and which are local.
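The LAT decision described above can be sketched as follows. This is an added example, not ISA Server code: it assumes the LAT is a list of inclusive start/end IPv4 ranges, and the function names and sample entries are hypothetical. It also audits the table for entries outside RFC 1918 space, since any range listed in the LAT is treated as local.

```python
import ipaddress

# RFC 1918 private blocks; a LAT entry outside these deserves a second look.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample LAT (not from a real server). The last entry is a
# deliberate mistake: a public range listed as local.
SAMPLE_LAT = [
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
    ("203.0.113.0", "203.0.113.255"),
]


def parse_lat(entries):
    """Turn (start, end) strings into sorted integer ranges; reject reversed ones."""
    ranges = []
    for start, end in entries:
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"reversed LAT range: {start}-{end}")
        ranges.append((lo, hi))
    return sorted(ranges)


def route_for(dest, ranges):
    """'direct' if dest falls in a LAT range, otherwise 'firewall-service'."""
    addr = int(ipaddress.IPv4Address(dest))
    in_lat = any(lo <= addr <= hi for lo, hi in ranges)
    return "direct" if in_lat else "firewall-service"


def audit_lat(entries):
    """Return LAT entries that are not wholly inside RFC 1918 space."""
    flagged = []
    for start, end in entries:
        blocks = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            flagged.append((start, end))
    return flagged


if __name__ == "__main__":
    print(audit_lat(SAMPLE_LAT))
```

With the sample table, a destination in the mislisted public range is classified as local, which is the condition the audit is meant to catch.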

Note: The Firewall service of ISA Server makes use of a Windows Sockets 2.0 layered service provider (LSP) architecture. For more information on LSPs, see MSDN.