How to permit non-Microsoft programs to connect to the Internet through Internet Security and Acceleration Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition

Article translations Article translations
Article ID: 837831 - View products that this article applies to.
Expand all | Collapse all

On This Page

SUMMARY

Certain non-Microsoft programs require Internet access to obtain program updates or to gain access to a particular Internet-based service. To permit these programs to gain access to the Internet, you can configure access rules in Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition. Depending on your security requirements, you can configure an access rule to permit all users to gain access to the Internet at all times; to require the non-Microsoft program to provide Basic authentication credentials to gain access to the Internet; or to restrict access by users, by groups, by computers, or by IP addresses. One of these methods requires that the client computer gain access to the Internet by using a proxy server.

INTRODUCTION

This article describes how to permit connections to non-Microsoft Internet-based update services. The typical scenario that this article describes involves the connection to a program vendor's update service from an update program that must connect to the Internet through Microsoft Internet Security and Acceleration Server (ISA) 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition. Update programs include, but are not limited to, programs that download software updates automatically, such as program updates and antivirus updates. They also include programs that connect to a service provider and that update account information, such as Internet postage stamp programs or Internet shipping management programs.
Use one of the following methods to allow the non-Microsoft program to gain access to the Internet. Base your choice of method on your specific network requirements.

Create an access rule to allow all protocols to gain access to the Internet

If your network requirements limit internal users to particular Web sites, you may decide to create a rule that allows all protocols access to the Internet. Although this is the easiest method to allow the non-Microsoft program to gain access to the Internet, this type of rule disables any "deny" rules that you may have created, and it also limits your ability to restrict an internal user's Internet use. This method is also useful as a troubleshooting tool.

To create this rule, follow these steps:
  1. Start the ISA Server Management tool or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Management tool.
  2. Expand ServerName, where ServerName is the name of the computer that is running ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, and then click Firewall Policy.
  3. Click the Tasks tab, and then click Create New Access Rule.

    Note In ISA Server 2006, click Create Access Rule.
  4. In the Access rule name box, type a descriptive name for the access rule, and then click Next.
  5. Click Allow, click Next, clickAll outbound protocolsin the This rule applies to list.

    Note In ISA Server 2006, click All outbound traffic in the This rule applies to list.
  6. Click Next.
  7. On the Access Rule Sources page, click Add.
  8. Expand Networks, click Internal to allow all users who are connected to the internal network to gain access to the Internet, click Add, click Close, and then click Next.
  9. Click Add, expand Networks, click External to allow users to gain access to the external network, click Add, click Close, and then click Next.
  10. Leave the default option of All Users in the This rule applies to requests from the following user sets box. Click Next, and then click Finish.
  11. Click Apply to save your changes and to update the firewall policy. Click OK.
Note Sometimes, you must modify your firewall rule hierarchy to make sure that a firewall that is already in place does not prevent your new rule from being processed. To move a firewall rule up or down, right-click that rule, and then click Move Up, or click Move Down. When you have finished modifying your firewall rules hierarchy, click Apply to save your changes and to update the firewall policy, and then click OK.

Configure Basic authentication for outbound Web requests

If you want to restrict access by certain users, and if your Web browser program and the non-Microsoft program allow you to configure a proxy server and to support Basic authentication, you can enable Basic authentication for outgoing Web requests. To do this, follow these steps:
  1. Start the ISA Server Management tool or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Management tool.
  2. Expand ServerName, expand Configuration, and then click the Networks tab.
  3. Right-click the network that listens for the outbound Web requests, and then click Properties. For example, to configure authentication for users who are connected to the internal network, right-click Internal, and then click Properties.
  4. Click the Web Proxy tab, and then click Authentication.
  5. Click to select the Basic check box, click Yes when you are prompted to confirm the use of this authentication method, click to clear the Integrated check box, click to select the Require all users to authenticate check box, and then use one of the following methods:
    • Click Select Domain to select the domain that contains the user accounts that you want to authenticate.
    • Click RADIUS Servers to select a Remote Authentication Dial-In User Service (RADIUS) server to authenticate the users who connect to the Internet.
  6. After you have configured a domain or a RADIUS server, click OK.
  7. Click OK, click Apply to save your changes and to update the firewall policy, and then click OK.
Note This method works only if you can configure the non-Microsoft program to use a proxy server and to provide credentials to that proxy server.

Allow access to specific groups or computers

You can create an access rule to allow a particular computer, user, or group to gain access to the Internet. To do this, follow these steps:
  1. Start the ISA Server Management tool or the Microsoft Forefront Threat Management Gateway, Medium Business Edition Management tool.
  2. Expand ServerName, and then click Firewall Policy.
  3. Click the Tasks tab, and then click Create New Access Rule.

    Note In ISA Server 2006, click Create Access Rule.
  4. In the Access rule name box, type a descriptive name for the access rule, and then click Next.
  5. Click Allow, and then click Next.
  6. In the This rule applies to list, click Selected protocols, and then click Add.
  7. Use one of the following methods:
    • Add a predefined protocol. To do this, expand the protocol type that you want, click the protocol that you want to allow, click Add, and then click Close. For example, expand Web, click HTTP, click Add, and then click Close.
    • Create a new protocol. To do this:
      1. ClickAdd, clickNew, and then click Protocol.
      2. Follow the steps in the New Protocol Definition Wizard to create the new protocol definition.
      3. Expand User-Defined, click the new protocol that you created, click Add, click Close.
  8. Click Next.
  9. Click Add, and then use one of the following methods:
    • To add a particular computer:
      1. Click New, and then click Computer.
      2. In the Name box, type the computer name, type the computer's IP address in the Computer IP Address box, and then click OK.
      3. Click the name of the computer that you added, click Add, and then click Close.
    • To add a range of computers:
      1. Click New, and then click Computer Set.
      2. In the Name box, type a descriptive name for the computer set, and then click Add.
      3. Click Computer to add a particular computer, click Address Range to specify a range of IP addresses, or click Subnet to specify a particular subnet.
      4. When you have finished adding computers, IP address ranges, subnets, or a combination of these three items to the computer set, click OK.
      5. Click the name for the computer set that you created, click Add, and then click Close.
      Click Next.
  10. On the Access Rule Destination page, click Add.
  11. Expand Networks, click External to allow access to the external network, click Add, click Close, and then click Next.

    Note To configure this rule to gain access to a particular domain, create a domain name set, and then specify that domain name set instead of specifying the external network.
  12. In the This rule applies to requests from the following user sets box, leave the default All Users user set option on the list if you want this rule to apply to all users. If you want to specify a particular user or group, follow these steps:
    1. Click All Users, click Remove, and then click Add.
    2. Click New, type a descriptive name for this new user set in the User set name box, and then click Next.
    3. Click Add, and then click Windows users and groups.
    4. Click Locations, click the location that contains the user or the group that you want to add, and then click OK.
    5. Type the name of the user or the group in the Enter the object names to select box. Click Check Names, click OK, click Next, and then click Finish.
    6. In the Add Users dialog box, click the new user set that you created. Click Add, click Close, click Next, and then click Finish.
  13. Click Apply to save your changes and to update the firewall policy, and then click OK.
Note Sometimes, you must modify your firewall rule hierarchy to make sure that a firewall that is already in place does not prevent your new rule from being processed. To move a firewall rule up or down, right-click that rule, and then click Move Up, or click Move Down. When you have finished modifying your firewall rules hierarchy, click Apply to save your changes and to update the firewall policy, and then click OK. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

REFERENCES

For additional information about how to configure authentication, search on "Configure authentication" in ISA Server Help.

Properties

Article ID: 837831 - Last Review: December 4, 2007 - Revision: 4.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: 
kbisa2006swept kbfirewall kbinfo kbhowtomaster KB837831

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com