Microsoft Internet Security and Acceleration Server 2000

Checking Access Rights

When a client requests an external connection, the Firewall service determines whether the client is allowed to make that connection. The checks it performs are described below.

The Firewall service can determine which protocol a connection will use by consulting the protocol schema, a feature of ISA that defines the set of protocols the service recognizes. The Firewall service also uses the protocol-recognition capabilities of application filters in the identification process. The advantage of letting a filter control protocol recognition is that a filter can recognize which protocol a secondary connection (for example, a data channel opened after the primary connection) belongs to, whereas the Firewall service on its own cannot.

The Firewall service takes two sequential steps to determine whether a client is allowed access to the connection. If the connection is denied at any point in the process, the service stops the checking procedure and denies the connection. The two steps are:

  1. Checking site and content rules.
  2. Checking protocol rules. Checking protocol rules takes place in three sequential phases:
    1. Checking against the protocol schema.
    2. Checking whether a filter has called the IFWXSession::AllowFutureConnect method.
    3. Checking whether a filter has called the IFWXConnection::SetProtocol method.

Checking Site and Content Rules

When the Firewall service checks site and content rules, the connection will be denied if the rules do not permit the client to connect to that destination. If the rules allow the client to make that connection, the service passes along the request to the second step — checking protocol rules. At this point, the permission is "unset", because the service is not authorized to allow the connection based solely on the site and content rules.

For more information about site and content rules, see the FPCSiteAndContentRule object or the ISA product documentation.

Checking Protocol Rules

After checking the site and content rules, the Firewall service checks the protocol rules configured by the administrator. These rules allow or deny connection requests based on the protocol. If not explicitly denied, the connection request is passed to the registered filters for their review.

When the Firewall service checks protocol rules, it starts by referring to the protocol schema in order to recognize the protocol of the requested connection.

After checking protocol rules by using the schema, the service checks whether any filters have called IFWXSession::AllowFutureConnect.

If the AllowFutureConnect method has been called, the filter has already checked the connection against the protocol rules. Based on the protocol rules, the filter has associated the connection with the protocol and has informed the Firewall service of the association. This information is used by the service in this step of checking access rights.

If AllowFutureConnect has not been called, the Firewall service checks whether SetProtocol has been called by a filter. If so, the filter has identified a protocol and, if the protocol rules allow that protocol, SetProtocol associates the connection with it.

Note  SetProtocol associates a connection with a protocol in response to an event, whereas AllowFutureConnect creates that association in anticipation of the event.

If a filter allows the connection, the connection request is passed to the next registered filter. If every filter either allows the connection or does not relate to the request, the connection is allowed. If any filter that relates to the request denies it, the connection is denied.
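The two-step procedure above (site and content rules, then protocol rules in three phases, then filter review) is easier to reason about when written out. The following is an added C++ model of that decision order; it is not ISA SDK code and does not use the real IFWXSession or IFWXConnection interfaces. The allowFutureConnect and setProtocol methods, the sample hosts, ports, rules and the "guest" filter are all hypothetical. Two behaviours the page does not state are marked as assumptions in the comments: a connection whose protocol cannot be identified is denied, and a connection that no protocol rule or filter has allowed is denied.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Three-valued result. Unset models the "unset" permission the page describes
// after the site and content rules pass; for a filter it means "does not relate
// to this request".
enum class Verdict { Unset, Allow, Deny };

struct Request { std::string client; std::string destination; int port; };

struct SiteRule     { std::string destination; bool allow; };  // site and content rule
struct SchemaEntry  { int port; std::string protocol; };       // protocol schema entry
struct ProtocolRule { std::string protocol; bool allow; };     // protocol rule

// A registered filter reviews a request once its protocol is known.
using Filter = std::function<Verdict(const Request&, const std::string& protocol)>;

class AccessChecker {
public:
    std::vector<SiteRule> siteRules;
    std::vector<SchemaEntry> schema;
    std::vector<ProtocolRule> protocolRules;
    std::vector<Filter> filters;

    // Stand-in for IFWXSession::AllowFutureConnect (hypothetical): a filter
    // associates an expected secondary connection with a protocol in advance.
    void allowFutureConnect(const std::string& dest, int port, const std::string& protocol) {
        future_[{dest, port}] = protocol;
    }
    // Stand-in for IFWXConnection::SetProtocol (hypothetical): a filter names
    // the protocol of a connection in response to the connect event.
    void setProtocol(const std::string& dest, int port, const std::string& protocol) {
        set_[{dest, port}] = protocol;
    }

    Verdict check(const Request& r) const {
        // Step 1: site and content rules. A deny ends the procedure.
        bool sitePermits = false;
        for (const auto& rule : siteRules) {
            if (rule.destination != r.destination) continue;
            if (!rule.allow) return Verdict::Deny;
            sitePermits = true;
        }
        if (!sitePermits) return Verdict::Deny;   // assumption: no matching site rule denies
        Verdict verdict = Verdict::Unset;         // site rules alone do not authorise

        // Step 2: protocol rules, applied to the protocol found in three phases.
        std::string protocol = identify(r);
        if (protocol.empty()) return Verdict::Deny;  // assumption: unidentified protocol denied
        for (const auto& rule : protocolRules) {
            if (rule.protocol != protocol) continue;
            if (!rule.allow) return Verdict::Deny;   // explicit deny ends the procedure
            verdict = Verdict::Allow;
        }

        // Not explicitly denied: every registered filter reviews the request.
        for (const auto& f : filters) {
            Verdict v = f(r, protocol);
            if (v == Verdict::Deny) return Verdict::Deny;   // any related filter may deny
            if (v == Verdict::Allow) verdict = Verdict::Allow;
        }
        return verdict == Verdict::Allow ? Verdict::Allow : Verdict::Deny;  // assumption: default deny
    }

private:
    std::map<std::pair<std::string, int>, std::string> future_;
    std::map<std::pair<std::string, int>, std::string> set_;

    std::string identify(const Request& r) const {
        // Phase 1: the protocol schema.
        for (const auto& e : schema) if (e.port == r.port) return e.protocol;
        // Phase 2: an association a filter made with AllowFutureConnect.
        auto f = future_.find({r.destination, r.port});
        if (f != future_.end()) return f->second;
        // Phase 3: an association a filter made with SetProtocol.
        auto s = set_.find({r.destination, r.port});
        if (s != set_.end()) return s->second;
        return "";
    }
};

// Constructed sample policy (hypothetical hosts, ports and filter behaviour).
AccessChecker buildSample() {
    AccessChecker c;
    c.siteRules     = {{"ftp.example.com", true}, {"blocked.example.com", false}};
    c.schema        = {{21, "FTP"}, {23, "Telnet"}};
    c.protocolRules = {{"FTP", true}, {"Telnet", false}};
    // An FTP-style filter expects the data channel on port 20000 and registers
    // it ahead of time: the secondary-connection case the page describes.
    c.allowFutureConnect("ftp.example.com", 20000, "FTP");
    // A filter that relates only to FTP and denies it for the "guest" client.
    c.filters.push_back([](const Request& r, const std::string& protocol) {
        if (protocol != "FTP") return Verdict::Unset;
        return r.client == "guest" ? Verdict::Deny : Verdict::Allow;
    });
    return c;
}

Verdict sampleCheck(const std::string& client, const std::string& dest, int port) {
    return buildSample().check({client, dest, port});
}

// Same policy, but a filter has named the protocol of this connection in
// response to the connect event (the SetProtocol case).
Verdict sampleCheckAfterSetProtocol(const std::string& client, const std::string& dest, int port) {
    AccessChecker c = buildSample();
    c.setProtocol(dest, port, "FTP");
    return c.check({client, dest, port});
}
```

With this policy a connection to ftp.example.com on port 21 is allowed through the schema, the data channel on port 20000 is allowed only because a filter registered it in advance, an otherwise identical connection on port 20001 is denied until a filter calls setProtocol for it, and the "guest" client is refused by the filter even though the site and protocol rules permit the connection.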