Microsoft Internet Security and Acceleration Server 2000

Socket Implementation in ISA

Each data filter works with two objects that implement a socket interface. One represents the internal socket and the other represents the external socket, and the filter pumps data between them.

ISA has two interfaces through which you can manage socket activity:


IFWXSocket is the interface for a socket that was opened by the Firewall service. The IFWXSocket interface has limited functionality; its methods allow you to send and receive on the socket, or to close the socket.

The limited functionality of IFWXSocket is intentional: A data filter that uses two IFWXSocket interfaces to send and receive data does not know whether it is communicating with the Internet, the client, or another data filter in a chain of data filters.

Because IFWXSocket is for use only with existing sockets, there is no allowance for functions such as bind or connect.


The IFWXNetworkSocket interface is an extension of the IFWXSocket interface. IFWXNetworkSocket represents a true socket object for either the client or server. It allows you to establish a socket, then use the IFWXSocket functionality to perform send and receive operations. Therefore, in addition to the send, receive, and close functions of IFWXSocket, IFWXNetworkSocket provides methods such as Bind, Connect, and Listen.

The socket object for IFWXNetworkSocket can be created by using either IFWXFirewall::CreateNetworkSocket or IFWXSession::CreateNetworkSocket. In either case, the socket object created by using CreateNetworkSocket has full socket functionality for operations such as opening a packet filter or working with chained ISA Server computers.

A socket created by using IFWXFirewall::CreateNetworkSocket is not user specific. An example of a socket that should not be user-specific is a listening socket.

To create a user-specific socket, use IFWXSession::CreateNetworkSocket. The socket created by IFWXSession::CreateNetworkSocket has the same functionality as that created by IFWXFirewall::CreateNetworkSocket, but because it is user specific, its activities can be logged, and ISA's policies apply to it. The use of this kind of socket is appropriate when a filter will be making a connection for a specific user.


There are three reasons to create Windows Sockets (Winsock) for ISA only through the CreateNetworkSocket method: