Microsoft Internet Security and Acceleration Server 2000

Filter Setup

You must install filters on the ISA Server computer, where they must reside locally. Filters must be registered as COM servers and in the ISA configuration.

Filters that register a protocol need to have the protocol registered on the enterprise level. This is particularly important in a situation where only enterprise policy is used. Developers of application filters should therefore provide two installation facilities, one for installing a filter in the array, and one for registering the filter at the enterprise level.

The registration process includes the following steps:

  1. Copying the DLLs and any other necessary files to the ISA Server computer (array setup only).
  2. Registering the COM objects. The registration is typically implemented in the DllRegisterServer function, which can be activated by the RegSvr32 utility.
  3. Registering the filter in ISA Storage as an application filter for the firewall service, on either the enterprise or array level, by using IFWXFilterAdmin::InstallFilter. You should implement this step using the DllInstall function. Whether the filter is installed on the enterprise or array level depends on the command-line parameters used with DllInstall, as shown in the Setup Examples.
  4. Registering the filter protocols, primary connection ports, and alert events, as necessary.

Note  When an ISA administrator installs a filter on ISA servers, there may be functions that should be performed only during the first installation of the filter on a server, such as IFWXFilterAdmin::RegisterProtocolForFilter. More importantly, during uninstallation there may be functions that should be performed only by the last uninstallation, such as IFWXFilterAdmin::UnregisterProtocolForFilter. If an earlier uninstallation performs them, the protocol might be unregistered while filters on some servers still require that the protocol be registered. For this reason, when you develop a filter, you should consider using a mechanism to synchronize filter installation in an array.

One solution is to use the VendorParametersSets collection (accessed through the FPCServer.VendorParametersSets property) to write to the server storage a value under the vendor name and filter GUID. The server storage will thus have a record that the filter is installed, and your filter can use that information to keep track of its relative order in the installation or uninstallation process.
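
A model of this bookkeeping, added here as an illustration and not taken from the ISA Server SDK: it shows how a per-server marker lets setup register the protocol only on the first installation and unregister it only on the last uninstallation. The Array struct is an in-memory stand-in for the storage reached through FPCServer.VendorParametersSets, and the function names, marker format, and call counters are assumptions.

```cpp
#include <map>
#include <set>
#include <string>

// In-memory stand-in (assumption) for the array: per-server storage holding
// the marker a real setup would write through FPCServer.VendorParametersSets.
struct Array {
    std::map<std::string, std::set<std::string>> serverStorage;  // server -> markers
    int registerCalls = 0;    // times the protocol was registered
    int unregisterCalls = 0;  // times the protocol was unregistered
};

// Marker key built from the vendor name and filter GUID (format is hypothetical).
static std::string Marker(const std::string& vendor, const std::string& guid) {
    return vendor + "/" + guid;
}

// Number of servers in the array whose storage records the filter as installed.
static int ServersWithMarker(const Array& a, const std::string& m) {
    int n = 0;
    for (const auto& kv : a.serverStorage) n += static_cast<int>(kv.second.count(m));
    return n;
}

// Install on one server. Returns true when this was the first installation in
// the array, the point where IFWXFilterAdmin::RegisterProtocolForFilter belongs.
bool InstallOnServer(Array& a, const std::string& server,
                     const std::string& vendor, const std::string& guid) {
    const std::string m = Marker(vendor, guid);
    if (a.serverStorage[server].count(m)) return false;  // repeated setup: no-op
    const bool first = ServersWithMarker(a, m) == 0;     // checked before recording
    a.serverStorage[server].insert(m);                   // record this server
    if (first) ++a.registerCalls;                        // register the protocol once
    return first;
}

// Uninstall from one server. Returns true when this was the last installation,
// the only point where IFWXFilterAdmin::UnregisterProtocolForFilter is safe.
bool UninstallFromServer(Array& a, const std::string& server,
                         const std::string& vendor, const std::string& guid) {
    const std::string m = Marker(vendor, guid);
    auto it = a.serverStorage.find(server);
    if (it == a.serverStorage.end() || it->second.erase(m) == 0) return false;
    const bool last = ServersWithMarker(a, m) == 0;      // no other server needs it
    if (last) ++a.unregisterCalls;                       // unregister the protocol once
    return last;
}
```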

Setup Examples

Provided here are examples of the commands used to perform application filter setup on the array and enterprise level.

Setup on array

To set up the application filter on an array

  1. Copy the DLL to the ISA Server computer.
  2. Call DllRegisterServer.
  3. Call DllInstall(TRUE, L"array").

As an alternative to steps 2 and 3, you can run:

regsvr32 /i:array mydll.dll  

Setup on enterprise

To set up the application filter on an enterprise

Note  There is no need to install the DLL on the computer.

Uninstall on array

To uninstall an application filter from an array

  1. Call DllInstall(FALSE, L"array").
  2. Call DllUnregisterServer.

As an alternative to these two steps you can run:

regsvr32 /u /i:array mydll.dll

Uninstall on enterprise

To uninstall an application filter from an enterprise

Note  Because the filter objects are created when the Firewall service starts, the server must be stopped and then restarted after setup is completed.

The RegSvr32 utility is not a required part of the setup. A setup utility can use RegSvr32, or load the DLL and call the registration code directly.

Services may not have the necessary permissions to allow them to write vendor-specific information to the DS. For this reason, you should perform the saving of vendor parameters to ISA during filter setup.