
What is Internet Security and Acceleration Server (ISA Server)?

Internet Security & Acceleration Server 2004

History:  Proxy Server 1.0, Proxy Server 2.0, ISA Server 2000, ISA Server 2004, ISA Server 2006


  1. Introduction to ISA Server
  2. ISA server Installation
  3. Configuring ISA as Caching Server
  4. Configuring ISA as Firewall
  5. Configuring ISA as VPN Gateway
  6. ISA Server Maintenance

Books: ISA Server and Beyond (Thomas Shinder)


  1. netstat -r or route print (show the routing table)
  2. paktender.com, a website by Corvit Networks
  3. net view \\PCNAME (list the shared folders on a computer)
  4. dyndns.com: free dynamic DNS software to resolve the VPN server's current public IP to a name
  5. www.who.is: WHOIS lookups for domain registration information


Internet Assigned Numbers Authority (iana.org)

IANA allocates the network IDs (address blocks); if you need public IP addresses, contact your ISP.

From this web site you can also check which port numbers are registered for an application, e.g. which ports Yahoo Messenger or a web chat uses.

Introduction to ISA Server

In security language there are two network types:

Trusted network:      Secure network, legitimate traffic, no viruses, Trojans etc., e.g. the LAN

Un-trusted network:   Insecure network, e.g. the Internet

ISA sits as a firewall between the trusted and the un-trusted network.

The ISA name contains two words, security and acceleration:

Security word:        By default ISA blocks all traffic (inbound and outbound) except some of ISA's own traffic, e.g. ISA can ping any client on the LAN (ping traffic from ISA to clients is allowed by the system policy).

Acceleration word:    It provides a high-speed cache.

The basic purpose of ISA is to be a firewall and caching server.

ISA Server 2004 Installation

Installation type Custom; the components are:

  1. Firewall Services                       (selected by default)
  2. ISA Server Management                   (selected by default)
  3. Firewall Client Installation Share      (not selected by default; select it)

     It creates the "mspclnt" shared folder from which the Firewall client is installed.

  4. Message Screener                        (not selected by default)

     Select it if you want to scan incoming SMTP traffic for Exchange.

Note: net view \\PCNAME lists the shared folders on a computer; once "Firewall Client Installation Share" is installed, the mspclnt share appears in that list for the ISA computer.

Internal Network:

Private address ranges (RFC 1918, administered by the Internet Assigned Numbers Authority):

Class A:   10.0.0.0 - 10.255.255.255       (10.0.0.0/8)

Class B:   172.16.0.0 - 172.31.255.255     (172.16.0.0/12)

Class C:   192.168.0.0 - 192.168.255.255   (192.168.0.0/16)

Option: Allow computers running earlier versions of Firewall Client software to connect.

This lets computers with an older version of the ISA Firewall client connect. Those versions do not encrypt the Firewall client control channel, so enable it only while such clients still exist.

————End Installation————-

ISA Clients:

Three types of ISA clients:

  1. Web proxy client:    Proxy settings in the browser (Internet Explorer) point at ISA
  2. Firewall client:     Install the Firewall client from the mspclnt share
  3. SecureNAT client:    Set the client's default gateway to the ISA server's internal address

The SecureNAT client is also called a transparent proxy. It is the recommended (simplest) way when security is not the main concern: a SecureNAT client sends no user credentials, so rules can only be applied per IP, not per user.

Configuring ISA as a Cache Server:

Caching types:

Note: Normally "cache" means RAM; in the case of ISA Server, cache means space on the hard disk. By default no cache is configured in ISA Server, and it requires an NTFS drive. When the cache is configured, a URLCACHE folder is created containing the cache file dir1.cdat.

Group 1:   Active/Passive cache. Only one of the two is in use at a time.

The master site tells ISA how long it may hold an object in its cache, e.g. 60 minutes.

  1. Active caching               Objects are refreshed automatically before they expire
  2. Passive caching (default)    Objects are refreshed on demand, when a client requests them

When an object/page expires it remains in the cache until a client requests it; on that request ISA refreshes it from the master site.

Group 2:   Forward/Reverse cache

  3. Forward caching

Forward caching serves outbound (outgoing) requests from the private network.

  4. Reverse caching

Reverse caching serves inbound (incoming) requests from the Internet for published servers.

Group 3:   These two types are unrelated to each other

  5. Distributed caching

Caching that involves more than one ISA server is called distributed caching, e.g. an array or a chain.

  6. Negative caching (enabled by default)

Definition: caching of HTTP responses with a status code other than 200 is called negative caching.

Protocol communication is done with status codes:

  • Status code (SMTP):   250 = OK
  • Status code (HTTP):   200 = OK

When ISA fetches a site from the master server and finds it, the status code is OK (200 for an HTTP request); anything other than 200 signals a problem. The master server may be reachable while the page itself is unavailable for an hour, etc.

With negative caching ISA stores such error responses, serves the cached error description to clients until the time span is reached, and then tries to fetch the site again on the next client request.

Cache hit ratio:       Share of client requests served from the cache; a higher ratio means reduced Internet traffic

Cache pre-fetching:    ISA server is configured to populate its cache before clients request the content

ISA Server -> Configuration -> Networks

Internal network:      All internal networks, e.g. the LAN

External network:      Public networks, e.g. the Internet

Local Host:            The ISA computer itself; by default all IPs of ISA's own LAN cards are included in the Local Host network.

ISA Server -> Monitoring (see ISA help)

Dashboard tab:         Overview of all information related to the ISA server

Reports tab:           User-generated reports

ISA Server -> Configuration -> Cache

(Cache properties) By default no cache drive is set; you can set one.

Active Caching tab:    "Enable active caching" is unchecked by default, which means passive caching is in effect.

When active caching is enabled these options are available (cache behaviour):

Note:              Cache hit ratio means reduced Internet traffic

Frequently:        The client cache-hit ratio is more important than reduced network traffic

  1. Bandwidth is high
  2. ISA goes out to the Internet more frequently to refresh objects
  3. Most client requests are fulfilled from the ISA cache

Normally:          (default) Client cache-hit ratio and reduced network traffic are equally important

Less frequently:   Reduced network traffic is more important than the client cache-hit ratio

  • Bandwidth is low
  • ISA goes out to the Internet less frequently to refresh objects
  • Fewer client requests are fulfilled from the ISA cache

Advanced tab:

Two ways of TTL calculation:

  1. Age:              Content age is the amount of time since an object was created/modified
  2. Expiration/TTL:   Defined by the master site; TTL is the amount of time content remains valid in the cache before it expires

If the source defines no expiration, the age method is used; by default the TTL is 20% of the content age.

Option 1:   Checked: "Cache objects that have an unspecified last modification time"

Option 2:   Checked: "Cache objects even if they do not have an HTTP status code of 200", i.e. negative caching is enabled by default (the negative cache stores error responses)

Example:   Telnet to an SMTP server to see SMTP status codes (client commands typed, server replies shown with their codes)

telnet exchange-IP 25
220 EXCH1.mcse.com Microsoft ESMTP MAIL Service ...          (220 = service ready / welcome)
helo <client host name>
250 EXCH1.mcse.com Hello [EXCH1 IP]                          (250 = OK)
mail from:administrator@mcse.com
250 2.1.0 administrator@mcse.com .... Sender OK               (250 = OK)
rcpt to: administrator
250 2.1.5 administrator@mcse.com                              (250 = OK)
type anything wrong
500 5.3.3 Unrecognized command                                (500 = error)
data
354 Start mail input; end with <CRLF>.<CRLF>                  (354 = start mail input)
.
250 2.6.0 ... Queued mail for delivery                        (250 = OK)
quit
221 2.0.0 Service closing transmission channel                (221 = closing; 220 is only the greeting code)

The first digit is what matters: 2xx success, 3xx more input needed, 4xx temporary failure, 5xx permanent error.

Maximum size of URL cached in memory (bytes):   12800 by default

URL structure:   http://      www.mcse.com                    /index.htm
                 Protocol     Fully Qualified Domain Name     Path on the server

  • A URL includes all three parts
  • Like any application, ISA keeps its working set in RAM; objects up to this size are held in the RAM cache, larger ones are cached on disk only
  • Bounding what is cached in memory keeps a few large objects from flooding the RAM cache

If website of expired object cannot be reached:   (the object in the cache has expired and the master site is unavailable)

Option 1:   Do not return the expired object (return an error page)

Option 2:   Return the expired object only if expiration was:
  • At less than this percentage of original TTL:   50
  • But no more than (minutes):                      60

Percentage of free memory to use for caching:   10

Note:   The percentage of free RAM used for ISA caching; raising it, e.g. to 20, increases ISA's processing speed at the cost of memory.

Cache -> Last Default Rule (properties) -> HTTP tab

This is related to age-based TTL.

Enable HTTP caching (enabled by default)

Note: "unless the source specifies expiration" means: if the master site defines an expiration, these settings are not considered; if it defines no expiration/TTL, they are.

Set TTL of objects (% of content age):   20 by default (this percentage of the object's age becomes its expiration)

TTL time boundaries:

  • No less than:   lower limit   15 minutes
  • No more than:   upper limit   1 day

Option: Also apply these TTL boundaries to sources that specify expiration

(If this option is selected, the TTL boundaries are applied both to the age-based TTL and to a source-specified expiration.)
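The TTL and expired-object decisions described above, written out as an added example (not code from these notes or from ISA Server). The function names and the seconds-based units are my choices; the defaults (20% of content age, 15 minutes to 1 day, 50% of original TTL, 60 minutes) are the ones listed in the text.

```python
"""Model of the ISA 2004 cache TTL decisions described in the notes (added example)."""

MINUTE = 60
DAY = 24 * 60 * MINUTE


def object_ttl(content_age, source_ttl=None, percent_of_age=20,
               no_less_than=15 * MINUTE, no_more_than=DAY,
               bound_source_too=False):
    """Return the TTL (seconds) a freshly cached object gets.

    content_age : seconds since the object was created / last modified
    source_ttl  : seconds of validity the master site declared (Expires), or None
    The remaining parameters are the cache rule's HTTP tab settings.
    """
    if source_ttl is not None:
        # "unless the source specifies expiration": the source's value is used as is ...
        if not bound_source_too:
            return source_ttl
        # ... unless "also apply these TTL boundaries to sources that specify expiration"
        return max(no_less_than, min(source_ttl, no_more_than))
    # Age method: a percentage of the content age, clamped to the TTL time boundaries
    ttl = content_age * percent_of_age // 100
    return max(no_less_than, min(ttl, no_more_than))


def serve_expired_when_source_down(expired_since, original_ttl,
                                   percent_of_original=50, but_no_more_than=60 * MINUTE):
    """'If website of expired object cannot be reached', option 2: return the stale
    object only if it expired less than percent_of_original % of its original TTL ago
    and, in any case, no more than but_no_more_than seconds ago. False = error page."""
    return (expired_since < original_ttl * percent_of_original / 100
            and expired_since <= but_no_more_than)


def is_cacheable(status_code, has_last_modified,
                 negative_caching=True, cache_unspecified_last_modified=True):
    """The two Advanced tab options: negative caching (responses other than 200)
    and objects without a Last-Modified header."""
    if status_code != 200 and not negative_caching:
        return False
    if not has_last_modified and not cache_unspecified_last_modified:
        return False
    return True
```

With the defaults, a page modified 10 minutes ago would get a 2-minute TTL, which the lower boundary raises to 15 minutes; a page untouched for 10 days would get 2 days, which the upper boundary cuts to 1 day.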

Cache -> Right click -> New -> Content Download Job

With a content download job rule we define pre-fetching (populating the cache without a client request), i.e. increasing the usefulness of the ISA cache.

Two conditions for a Content Download Job:

  1. The Local Host network is configured to listen for Web proxy client requests
  2. The Scheduled Download Jobs configuration group is enabled (system policy)

Note: if you let the wizard enable these for you, you will not know later where to roll them back, so configure them manually.

ISA Server -> Configuration -> Networks -> Local Host (properties) -> Web Proxy tab

Enable Web proxy clients (disabled by default; enable it). Condition 1 done.

ISA Server -> Firewall Policy -> Show System Policy Rules

Rule 29 (a red mark means disabled): "Allow HTTP from ISA Server to selected computers for Content Download Jobs" -> Right click -> Edit System Policy -> enable it. Condition 2 done.

Cache -> Right click -> New -> Content Download Job

Content download rule name:   MCSE

Download frequency/time:      Daily

Job start/end date and repeat options

Define URL:                   http://www.mcse.com/

Job limits:

  1. Do not follow links outside the specified URL domain name: (select it)

     (Do not fetch links on the mcse.com pages that point outside the mcse.com domain)

  2. Maximum depth of links per page: (select it) 400

     (Starting from the page, ISA follows hyperlinks up to this depth)

  3. Limit number of objects retrieved to a maximum of: 200

     (A page's supporting objects, e.g. images, are retrieved as additional objects and count toward this limit)

  4. Maximum number of concurrent (simultaneous) TCP connections to create for this job: 4

     (Default 4; you can raise it, e.g. to 10)

Next -> Content caching & TTL

Cache content:

Cache all content   (select it)

Time-to-Live (TTL):

  1. Expire content according to the cache rule   (select it)
  2. Set TTL if not defined in response           (if the master site defines no TTL)
  3. Override object's TTL                        (if the master site defines a TTL and you want to override it)

Mark downloaded objects with a new TTL (minutes): 60   (this field applies to options 2 and 3)

If the master site does not specify an expiration, ISA server has to calculate the TTL from the content age percentage.
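The job limits and the three TTL options above, as an added simulation that is not part of the original notes or of ISA. It crawls a constructed in-memory site (the mcse.com paths and the Expires values are made up for the example) instead of issuing HTTP requests; `SITE` and `content_download_job` are names I introduced.

```python
"""Simulation of an ISA content download job's limits and TTL options (added example)."""
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed in-memory web: URL -> (links found on that page, TTL in minutes the
# source declared via Expires, or None when the source specified no expiration)
SITE = {
    "http://www.mcse.com/":       (["/a.htm", "/b.htm", "http://other.example/x.htm"], None),
    "http://www.mcse.com/a.htm":  (["/c.htm"], 30),
    "http://www.mcse.com/b.htm":  (["/d.htm", "/e.htm"], None),
    "http://www.mcse.com/c.htm":  ([], 180),
    "http://www.mcse.com/d.htm":  ([], None),
    "http://www.mcse.com/e.htm":  ([], None),
    "http://other.example/x.htm": ([], None),
}


def content_download_job(site, start_url, stay_in_domain=True, max_depth=400,
                         max_objects=200, ttl_option="cache_rule", new_ttl=60):
    """Pre-fetch pages breadth-first from start_url, honouring the wizard's job limits.

    ttl_option: "cache_rule"   - expire content according to the cache rule (None here)
                "if_undefined" - set new_ttl only where the source gave no expiration
                "override"     - mark every downloaded object with new_ttl
    Returns {url: ttl_minutes} in fetch order.
    """
    start_host = urlparse(start_url).hostname
    fetched = {}
    queue = deque([(start_url, 0)])          # (url, link depth from the start page)
    seen = {start_url}
    while queue and len(fetched) < max_objects:     # limit number of objects retrieved
        url, depth = queue.popleft()
        links, source_ttl = site[url]                # a real job would issue HTTP GET here
        if ttl_option == "cache_rule":
            ttl = None
        elif ttl_option == "if_undefined":
            ttl = source_ttl if source_ttl is not None else new_ttl
        elif ttl_option == "override":
            ttl = new_ttl
        else:
            raise ValueError("unknown TTL option: %r" % ttl_option)
        fetched[url] = ttl
        if depth >= max_depth:
            continue                                 # maximum depth of links reached
        for link in links:
            target = urljoin(url, link)
            if stay_in_domain and urlparse(target).hostname != start_host:
                continue                             # do not follow links outside the domain
            if target in seen or target not in site:
                continue                             # already queued, or would be a 404
            seen.add(target)
            queue.append((target, depth + 1))
    return fetched
```

Run with the defaults, the job fetches the six mcse.com pages and skips the other.example link; with a depth of 1 it stops after the pages linked directly from the start URL.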

Configuring ISA as Firewall

  • When ISA is installed it blocks all incoming and outgoing traffic. To see this, go to ISAPC -> Firewall Policy -> Last Default Rule: the From and To tabs list all networks and the Action tab says Deny.
  • By default the ISA computer can ping any client (the system policy allows ISA's own traffic), but clients cannot ping ISA.
  • Even if Remote Desktop is enabled on a client, you cannot open a remote desktop session from ISA to it until a rule allows it.
  • Note: rules are ORed with each other (within a rule the conditions are ANDed); they are evaluated from top to bottom, the first match wins, and the Last Default Rule is reached if nothing else matches.

New Access Rule (allow remote desktop from ISA to clients)

Name:               Remote desktop

Action:             Allow

Protocols:          Selected protocols -> Remote Terminal -> RDP (Terminal Services) + RDP (Terminal Services) Server

From/Source:        Local Host

To/Destination:     Internal network

Users:              All users

Note: the New Access Rule wizard does not ask for Schedule or Content Types, so these are optional; they can be set afterwards in the rule's properties.

New Access Rule (allow ping from Clients to ISA)

Name:                                  Ping traffic

Action:                                  Allow

Protocols:                            Selected protocols -> ping

From/Source:                    Internal network

To/Destination:                                Local host

Users:                                   All users

Note: now you can ping the ISA server from any client.

New Access Rule (allow Internet traffic from clients to the Internet)

Name:               Internet traffic

Action:             Allow

Protocols:          Selected protocols -> FTP, FTP Server, HTTP, HTTPS, HTTPS Server, MSN Messenger

POP3, POP3 Server, SMTP, SMTP Server (for Exchange traffic)

DNS, DNS Server (allow DNS traffic, e.g. when POP3 or SMTP clients use a name such as mail.mobiserve.com.pk instead of an IP; the DNS Server protocol is needed if your primary DNS server is at another site across the Internet)

The "... Server" protocol definitions (FTP Server, HTTPS Server, POP3 Server, SMTP Server, DNS Server) are inbound definitions meant for server publishing; an outbound access rule for clients only needs the plain client protocols.

By default there is no protocol definition for Yahoo Messenger, so you have to define one.

From/Source:        Internal network

To/Destination:     External network (Internet)

Users:              All users

Note: in ISA 2004, sometimes you select All outbound traffic and traffic from clients is still not allowed; then add the required protocols manually using Selected protocols.
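How ISA walks the rule list (AND within a rule, first match from top to bottom, Last Default Rule deny), modelled as an added Python example using the three rules created above plus the system-policy ping rule. This is illustrative code, not ISA's rule engine; the protocol and network names are plain strings I chose.

```python
"""Ordered evaluation of ISA access rules (added illustrative model, not ISA code)."""
from dataclasses import dataclass, field

ALL = "all"   # stands for "All outbound traffic" / "All networks" / "All users"


@dataclass
class AccessRule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: object = ALL     # set of protocol names, or ALL
    sources: object = ALL       # set of network names, or ALL
    destinations: object = ALL
    users: object = ALL

    def matches(self, protocol, src_net, dst_net, user):
        # Within one rule the elements are ANDed: every one of them has to match
        checks = ((self.protocols, protocol), (self.sources, src_net),
                  (self.destinations, dst_net), (self.users, user))
        return all(allowed == ALL or value in allowed for allowed, value in checks)


@dataclass
class FirewallPolicy:
    rules: list = field(default_factory=list)

    def evaluate(self, protocol, src_net, dst_net, user="anonymous"):
        """Rules are ORed top to bottom: the first rule that matches decides.
        If nothing matches, the Last Default Rule denies the traffic."""
        for rule in self.rules:
            if rule.matches(protocol, src_net, dst_net, user):
                return rule.action, rule.name
        return "deny", "Last Default Rule"


# System policy present after installation: ISA itself may ping internal hosts
SYSTEM_POLICY = [
    AccessRule("Allow ICMP from ISA Server to internal", "allow",
               protocols={"ping"}, sources={"Local Host"}, destinations={"Internal"}),
]

# The three rules created in the text, in the order they were created
POLICY = FirewallPolicy(SYSTEM_POLICY + [
    AccessRule("Remote desktop", "allow", protocols={"RDP"},
               sources={"Local Host"}, destinations={"Internal"}),
    AccessRule("Ping traffic", "allow", protocols={"ping"},
               sources={"Internal"}, destinations={"Local Host"}),
    AccessRule("Internet traffic", "allow",
               protocols={"HTTP", "HTTPS", "FTP", "POP3", "SMTP", "DNS", "MSN Messenger"},
               sources={"Internal"}, destinations={"External"}),
])


def with_deny_on_top(policy, rule):
    """Order matters: a deny placed above an allow wins for the traffic it matches."""
    return FirewallPolicy([rule] + policy.rules)


if __name__ == "__main__":
    print(POLICY.evaluate("HTTP", "Internal", "External", "alice"))
    print(POLICY.evaluate("RDP", "Internal", "Local Host"))
```

RDP from Internal to Local Host is denied even though a rule mentions RDP: the protocol matches, but the From/To elements of the "Remote desktop" rule do not, and the AND fails. Placing a deny rule for a user set above "Internet traffic" blocks that user without touching the rest.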

Create new protocols (for Yahoo Messenger)

Firewall Policy -> Toolbox -> Protocols -> New

  1. Name:             Yahoo-TCP

     Protocol type:    TCP

     Direction:        Outbound

     Port ranges:      5000-5010, 5050

  2. Name:             Yahoo-UDP

     Protocol type:    UDP

     Direction:        Send Receive

     Port range:       5000-5010

New Access Rule (allow yahoo messenger)

Name:                                  Yahoo messenger

Action:                                  Allow

Protocols:            Selected protocols -> User – defined ->

Yahoo-TCP & Yahoo-UDP

From/Source:                    Internal network

To/Destination:                                External network (internet)

Users:                                   All users

Define a URL set for specific web sites

Network Objects -> URL Sets -> New -> URL Set

Name:                                  Yahoo-hotmail

URLs                                      http://www.yahoo.com/*


New Access Rule (Allow traffic for specific Web Sites)

Name:                                  Allow Yahoo-hotmail

Action:                                  Allow

Protocols:                            All outbound traffic

From/Source:                    Internal network

To/Destination:                                Yahoo-Hotmail

Users:                                   All users

Note: instead of the default All Users, we can define user sets in ISA and map Active Directory groups and users to them.

Publishing Rules:

You need publishing rules when resources such as an Exchange/mail server or a web server are on the private network and users want to reach them from the public network (Internet).

When a request arrives at ISA's public IP, ISA reads the destination port to decide which service is requested and which internal server to forward it to; that is what a publishing rule defines.

A publishing rule is also called a reverse proxy.

Note: to bring your Exchange or web server live, your ISP/DNS provider must host an A record for the host name and, for mail, an MX record pointing to it; receiving mail servers commonly also check the reverse DNS (PTR) record of your public IP.

Mail server (two types of request):

  1. Client to server
  2. Server to server

Rule:   This rule allows external clients to connect to our internal mail server behind ISA 2004

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule

Name:           Publish Email

Access type:    Client access: RPC, IMAP, POP3, and SMTP (for Outlook)

Services:       Client access      Standard ports     Secure ports
                Outlook (RPC)
                POP3               yes
                IMAP4              yes
                SMTP               yes

Servers:        Define the IP address you want to publish (the mail server IP)

IP addresses:   Listen for requests from these networks

Finish (standard ports are the plain-text ports: POP3 110, IMAP4 143, SMTP 25; secure ports are the SSL ports: POP3S 995, IMAPS 993, SMTPS 465. For HTTP the same distinction is 80 versus 443.)

Publishing only the standard ports means POP3/IMAP4 user names and passwords cross the Internet in clear text; for client access from the Internet select the secure ports.

Note:   Client access: RPC, IMAP, POP3, and SMTP            -> for MS Outlook
        Web client access: Outlook Web Access (OWA)         -> for web e-mail
        Server-to-server communication: SMTP, NNTP          -> for server to server

Now three rules are created automatically in the ISA firewall policy:

  1. Name      : Publish Email SMTP Server (Server Publishing Rule)
     Action    : Allow
     Traffic   : SMTP Server
     From      : Anywhere
     To        : the mail server IP; requests appear to come from the original client
     Network   : External

  2. Name      : Publish Email POP3 Server (Server Publishing Rule)
     Action    : Allow
     Traffic   : POP3 Server
     From      : Anywhere
     To        : the mail server IP; requests appear to come from the original client
     Network   : External

  3. Name      : Publish Email IMAP4 Server (Server Publishing Rule)
     Action    : Allow
     Traffic   : IMAP4 Server
     From      : Anywhere
     To        : the mail server IP; requests appear to come from the original client
     Network   : External + Internal

Rule:   Rule to access Outlook Web Access from clients over the Internet

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule (Web client access: Outlook Web Access)

Name:             OWA Publish Mail Server

Action:           Allow

From:             Anywhere

To:               exch.mobiserve.com.pk
                  Forward the original host header instead of the actual one (specified above)
                  Requests appear to come from the ISA Server computer

Traffic:          HTTP

Listener:         OWA Listener

Public name:      All requests

Paths:            /exchange/*     same as the published folder
                  /exchweb/*      same as the published folder
                  /public/*       same as the published folder

Bridging:         Web server; redirect requests to HTTP port 80

Users:            All users

Web listener for web client access (Outlook Web Access, OWA)

When you create a mail server publishing rule for Outlook Web Access, this listener is used.

ISAPC -> Firewall Policy -> Network Objects -> New Web Listener

Name:             OWA Listener

IP address:       Listen for requests from these networks: External, Internal, Local Host. Select External, click Address, choose "Specified IP addresses" and enter the IP address you want.

Port:             Enable HTTP 80

Authentication:   Click Authentication and select Basic + Integrated

Caveat: with Basic authentication on an HTTP (port 80) listener, user names and passwords cross the Internet base64-encoded, not encrypted. For an Internet-facing OWA listener enable SSL (port 443) with a server certificate on the listener and require it.


Rule:   This rule allows mail server to mail server communication

ISAPC -> Firewall Policy -> New -> Mail Server Publishing Rule

Name:           Server2server

Access type:    Server-to-server communication: SMTP, NNTP

Services:       SMTP & Secure SMTP
                Newsgroups (NNTP)

Servers:        Define the IP address you want to publish (the mail server IP)

IP addresses:   Listen for requests from these networks

Note: with these two rules your mail server is now reachable from the Internet.

One thing is impossible: publishing a resource through ISA to another server while the same service is also listening on the ISA computer itself. A resource that runs on ISA is offered with an access rule to Local Host; a resource on another server is published.

Rule:   This rule allows remote desktop connections from the Internet to an internal computer

ISAPC -> Firewall Policy -> New -> Server Publishing Rule

Name:           RDP server

Protocols:      RDP (Terminal Services) Server   (see in its properties that RDP uses port 3389)

IP addresses:   Listen for requests from these networks

Caveat: publishing RDP to the whole External network puts a logon prompt in front of the entire Internet; restrict the rule's From to the specific remote addresses that need it, or reach the host over the VPN described below instead.



Rules: create new rules as per requirement

Array -> ISA Server name -> Firewall Policy

Name:       Front End Internet Access (array access rule)

Action:     Allow

Protocol:   All outbound traffic

From:       SMTP (computer) + Local Host

To:         External + Internal + Local Host

Users:      All users

Name:       RDP for ISA (array access rule)

Action:     Allow

Protocol:   Selected protocols: RDP (Terminal Services) + RDP (Terminal Services) Server + SMTP + SMTP Server + SMTPS + SMTPS Server

From:       All Networks (and Local Host) + External + Local Host

To:         ISA (PC) + ISA External (PC) + Internal + Local Host

Users:      All authenticated users + All users

Define New Network:

Firewall policy depends on network sets.

Suppose two network IDs are used in the enterprise network, one in Lahore and one in Islamabad.

This is the concept of an ISA VPN concentrator: traffic goes from the Lahore office ISA to the Internet, or from the Lahore office ISA to the Islamabad office through a VPN tunnel.

With a single network ID you cannot address two different networks, so define separate networks.

Networks -> Internal (IP address range:

Networks -> New -> Network

Name:                                  Islamabad

Network type:                  Internal Network

Address range:       

New Access Rule (allow traffic from Lahore to Islamabad)

Name:                                  Islamabad

Action:                                  allow

Protocols:                            all outbound traffic

From/Source:                    internal network

To/Destination:                                Islamabad

Users:                                   all users

Note: by default FTP write requests (uploads) are not allowed even when FTP protocols are defined, because the default FTP status is Read Only.

The Configure FTP option is available on rules that include the FTP protocol. Right click on the rule -> Configure FTP -> uncheck Read Only (when Read Only is selected, FTP uploads are blocked).

Lahore to Islamabad

Suppose ISA is at the Lahore site and a user at the Islamabad office wants to use the Internet through the Lahore proxy. Three tasks are needed, and make sure the VPN tunnel between Lahore and Islamabad is established.

  1. First add the Islamabad subnet to the Internal network on the Lahore ISA
  2. Second add a persistent static route on the Lahore ISA machine: route add <Islamabad network ID> mask <subnet mask> <tunnel gateway> -p
  3. Third create a new access rule (allow Internal & Local Host)

Name:                  Allow Internal

Action:                  allow

Protocols:                            all outbound traffic

From/Source:    Internal network + Local Host

To/Destination:                Internal network + Local Host

Users:                   all users

NAT & Route Case:

When a request for outbound/outgoing traffic arrives at ISA it can do one of two things:

  1. NAT       translation

NAT (network address translation) is used when you have a pool of public ("live") IPs.

PAT (port address translation) is used when you have a single public IP; this is what ISA uses.

  2. Route     no translation

Example (PAT): the client's source port is always greater than 1023 (an ephemeral port)

                      SIP            DIP            SP       DP
Client to ISA         client         ISA            1059     80
ISA to Hotmail        ISA public     Hotmail        1100     80
Hotmail to ISA        Hotmail        ISA public     80       1100
ISA to Client         Hotmail        client         80       1059

PAT table:   ISA records the mapping client:1059 <-> ISA-public:1100 and uses it to hand the reply back to the right client.

The port numbers are divided into three ranges:

Well-known ports                0-1023            registered by IANA
Registered ports                1024-49151        registered by IANA
Dynamic and/or private ports    49152-65535       free

If ISA has no public IP (both of its interfaces carry private IPs) but a router in front of it holds the public IP, the router performs NAT; on ISA simply configure routing rather than NAT (by default ISA does NAT).

Networks -> Network Rules -> Internet Access (NAT by default; configure it as Route)
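The PAT exchange above together with server publishing, as an added example (not ISA code). The addresses and the starting translated port 1100 are constructed; publishing rules are given as a port -> (server, port) map, which is my simplification of the publishing rules described earlier.

```python
"""PAT table plus server publishing, the way ISA behaves with a single public IP
(added illustrative model, not ISA code; all addresses are constructed)."""


class IsaPat:
    def __init__(self, public_ip, publishing_rules=None, first_port=1100):
        self.public_ip = public_ip
        # Server publishing rules: listening port on the public IP -> (internal server, port)
        self.publishing_rules = dict(publishing_rules or {})
        self.next_port = first_port          # next translated source port to hand out
        # PAT table: translated port -> (client ip, client port, remote ip, remote port)
        self.table = {}

    def outbound(self, client_ip, client_port, remote_ip, remote_port):
        """Client -> ISA -> Internet: the source becomes public_ip:translated_port."""
        if client_port <= 1023:
            raise ValueError("a client's source port is ephemeral, i.e. above 1023")
        flow = (client_ip, client_port, remote_ip, remote_port)
        for translated, entry in self.table.items():
            if entry == flow:                # packets of an existing flow reuse its port
                return self.public_ip, translated, remote_ip, remote_port
        translated, self.next_port = self.next_port, self.next_port + 1
        self.table[translated] = flow
        return self.public_ip, translated, remote_ip, remote_port

    def inbound(self, remote_ip, remote_port, dst_port):
        """Internet -> ISA public IP. A reply to a translated flow is sent back to the
        client; unsolicited traffic is dropped (Last Default Rule) unless a server
        publishing rule listens on dst_port, in which case it is forwarded there."""
        entry = self.table.get(dst_port)
        if entry is not None and entry[2:] == (remote_ip, remote_port):
            client_ip, client_port = entry[:2]
            return remote_ip, remote_port, client_ip, client_port
        if dst_port in self.publishing_rules:
            server_ip, server_port = self.publishing_rules[dst_port]
            return remote_ip, remote_port, server_ip, server_port
        return None
```

The reply check compares the remote address and port as well as the translated port, so a packet from a different host aimed at port 1100 is not forwarded to the client; with no publishing rule on that port it is simply dropped, which is the behaviour the Last Default Rule gives you.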

Demilitarized Zone (DMZ):

A network containing the machines/servers that must be reachable from the Internet; you could say a public-facing area placed inside the private premises is called a DMZ.

The term DMZ is used worldwide; in Microsoft terminology it is called a screened subnet or perimeter network.

Benefits:   On the private network (LAN card 1) you can block all inbound traffic, because Internet traffic only needs access to the DMZ network (LAN card 2) where the mail and web servers are.

If you use private IPs on the web/mail servers you publish them through ISA; if you use public IPs on them, meaning you bought a pool of public IPs for them (e.g. 202.154.224-230), you create a new network and a network rule that routes traffic from the Internet to the DMZ network.

Public IPs are routable, so no NAT is needed for them.

ISAPC -> Configuration -> Networks -> New Network

Name:               DMZ

Network type:       Perimeter network

Network address:

ISAPC -> Configuration -> Networks -> New Network Rule

Name:                          DMZ2Internet

Network traffic source:        DMZ

Network traffic destination:   External

Network relationship:          Route

ISA as IDS (Intrusion Detection System):

ISA's intrusion detection inspects network- and application-layer traffic passing through it. It does not protect against layer 2 (MAC) attacks; for those deploy a layer 2 IDS and static MAC/port associations on the switches.

General -> Additional Security Policy -> Enable Intrusion Detection and DNS Attack Detection

Common Attacks tab & DNS Attacks tab

Configuring ISA as VPN:

The recommended way is a hardware-based VPN (routers); a software-based VPN (ISA VPN) is second choice. There are multiple ways to connect remote sites, for example the two sites Lahore & Islamabad:

  1. Leased line: costly; both sites are connected by leased lines
  2. VPN: cost efficient; the ISA at each site connects to the Internet through a local ISP

A VPN provides the ability to carry private IP traffic over the public network through a tunnel.

ISA supports two types of VPN:

  1. Site-to-site VPN

Compulsory tunnel: the tunnel is always up

The tunnel is established between devices/servers; the client does not know about it

No IP address pool is mandatory

  2. Remote access VPN

On-demand tunnel: a temporary tunnel created on user demand

The client requests a tunnel and the server assigns it an IP from the existing pool

A pool of private IP addresses is mandatory

Case 1:   If there is only outbound traffic there is no need for a fixed public IP on the ISA server, because the traffic goes out and only the replies come back. If there is inbound traffic, i.e. somebody on the Internet wants to connect in, a fixed public IP is needed because the client has to know which IP to dial.

Note:   dyndns.com offers free software to resolve the VPN server's current public IP to a name.

VPN Protocols:

VPN connections are built on VPN ports:

  1. L2TP      Access VPN or remote access VPN
  2. PPTP      Access VPN or remote access VPN
  3. IPSec     Site-to-site VPN or LAN-to-LAN VPN (IPSec tunnel mode)

See VPN ports:

Routing and Remote Access -> right click the PC name -> Configure and Enable Routing and Remote Access -> Custom configuration -> VPN access -> Finish

PC name -> Ports (to see the default ports) & Properties of Ports (by default PPTP: 128 ports, L2TP: 128 ports, etc.; these can be increased)

Now disable this, because we are not creating a Windows (RRAS) based VPN but an ISA based VPN.

  1. Site-to-site VPN (LAN-to-LAN VPN)

Connectivity between two or more branches; a static public IP is required at each site.

ISA uses IPSec for site-to-site VPN because IPSec is an industry standard.

IPSec authentication methods:

  1. Kerberos                        Microsoft (Windows domain) only
  2. Pre-shared key                  Industry standard
  3. Certificate authority (CA)      Industry standard

I am at the Lahore site.

ISAPC -> Virtual Private Networks (VPN) -> Remote Sites -> Add Remote Site Network

Site name:                        Islamabad

VPN protocol:                     IP Security protocol (IPSec) tunnel mode

Connection settings:

Local VPN gateway IP address:     (public IP of the Lahore ISA)

Remote VPN gateway IP address:    (public IP of the Islamabad ISA)

IPSec authentication:             Use pre-shared key for authentication (key used in the lab: 1256789)

Network address:                  add the Islamabad IP range (

Caveat: a short numeric pre-shared key like the lab value above is trivially guessable; for production use a long random key, or certificate authentication, which Microsoft recommends over pre-shared keys for IPSec tunnel mode.

Note: if an error message appears when adding the Islamabad network IPs, remove that range from the Internal network's address ranges first (an address range cannot belong to two networks).

Now create the same tunnel on the Islamabad ISA server, just swapping the local/remote VPN gateway IPs and using the Lahore IP address range.

  2. Remote access VPN

Configuring remote access VPN

ISAPC -> Virtual Private Networks -> VPN Clients -> Enable VPN Client Access (enable it)

If an error message says the IP pool is not defined, define the IP pool first:

Virtual Private Networks -> Properties -> Address Assignment tab -> two ways to assign IP addresses to clients: Static address pool or DHCP. Select Static address pool -> Add

Select server:      ISAPC

Start address:                  End address:

ISAPC -> Virtual Private Networks (VPN) -> VPN Clients -> Configure VPN Client Access

General tab:       Enable VPN client access (checked automatically); the maximum number of VPN clients allowed is 5 by default

Protocols tab:     Enable PPTP, or enable L2TP, which uses IPSec for authentication and encryption; PPTP is enabled by default

PPTP is older and the only option available on NT; L2TP is more secure and both are available on Windows 200x

PPTP supports all clients (NT, 2000, 2003); L2TP/IPSec is supported only on 2000 and later

Groups tab:        Add the domain groups that are allowed remote access VPN, e.g. Domain Users

User Mapping:      For users who log on without specifying a domain name, enable user mapping and set the domain to use "when the user name does not contain a domain", e.g. mcse.com

Now apply; this VPN configuration automatically configures Windows Routing and Remote Access.

Configuring the client for VPN

First, the client connects to the Internet through any dial-up to an ISP.

Second, create a VPN connection: Create a new connection -> select "Connect to the network at my workplace" -> select "Virtual Private Network connection" -> name of connection: VPN -> give the public IP of the ISA server.

ISA Designs

Two types/ways of design

  1.  3 Homed firewall configuration (singe ISA server)
  2. Back to back firewall/DMZ configuration (more than one ISA server)


  1. 3 Homed firewall configuration (singe ISA server)

Three adaptor at ISA server, one connect to Internal network (LAN) one for DMZ network where you will use public IPs at your servers and one adaptor to connect external network(internet) here also use public IP

Internal LAN card:            Private IP             Private IP at network

DMZ LAN card:                  private IP             Public IP at network

External Card:                    public IP

  2. Back-to-back firewall/DMZ configuration (more than one ISA server)

In this design the DMZ network sits between the internal and external networks.

ISA Backup/Restore

Making a backup captures the entire existing configuration of ISA.

ISA -> Right Click -> Backup ->file name: ISABackup.xml -> 8 char pass: 12345678 (backup ok)

ISA -> Right Click -> Restore ->select: ISABackup.xml -> Restore -> 8 char pass: 12345678 (ok)

Now apply the setting.

Note: For fault tolerance and disaster recovery, make a system state backup and an ISA backup; then restore the system state first and the ISA backup after it. The computer name must be the same.

ISA Bandwidth Control

ISA cannot control bandwidth. If you want to control bandwidth, use third-party tools such as Bandwidth Splitter; it has no snap-in (free for 10 users; the licence costs 180000 Rs).

GFI Web Monitor

A third-party bandwidth monitoring tool.

ISA-> Monitoring -> Reports

Generate a report to check the activity of the previous day.

Here you will see reports by client IP; if you want to see them by user name, install the firewall client or the secure NAT client.

DNS (Domain Name System)

DNS (Domain Name System): – It performs name resolution, i.e. conversion of a name to an IP address. It is like a mobile phone, which holds both names and phone numbers (IP addresses): a name is normally easier to learn and remember than a number (IP address), but technically communication is done on the IP (the phone number, in the case of a cellular company), not on the name.


History of the Internet: – The old name of the Internet was Arpanet. In those days there was no concept of a DNS server, and the Internet was not commercial at the beginning (early 1980s); it was used only for specific tasks by NGOs, hospitals, research groups etc. A company named INTERNIC had a host file (acting as a DNS server) which held website names and IP addresses. Someone who wanted to become a member of Arpanet first got a connection and downloaded the host file onto his computer, where it was loaded into RAM. The issue was that whenever new websites were launched, one had to download the host file again to fetch the new website's IP address, and as the number of users kept increasing, the host file kept growing too. Arpanet realized that the number of users, the number of websites and the host file were all expanding day by day, so they replaced this method with DNS.

DNS was designed to solve the issues that arose from the increase in: a) the number of hosts on the Internet, b) the traffic generated by the update process, c) the size of the host file.

A technology that translates internet address names into numerical addresses (IP addresses) so that the address can be found over the internet. For example, if we type www.microsoft.com into a web browser, the name is translated into a numerical address & that address is used to connect us to the Microsoft website.

Websites have both a “friendly” address called a Uniform Resource Locator (URL) & an IP address. People use URLs to find websites, but computers use IP addresses to find websites. DNS translates URLs into IP addresses & vice versa. For example, if we type http://www.microsoft.com into the address bar of our web browser, our computer sends a request to a DNS server. The DNS server translates the URL into an IP address so that our computer can find the Microsoft web server.

NetBIOS name resolution methods: – The Lmhosts file, WINS & broadcast are used to resolve NetBIOS names.

Characteristic of DNS: – 1. Hierarchical         2. Distributed

Hierarchical means FQDN, i.e. House No., St. No., Block No., Model Town, Lahore, Pakistan. In the Internet naming convention there is no centralized body that handles name-to-IP conversion for all websites; that is impossible because the Internet is too large to handle. If the database were in one place, its disadvantage would be a single point of failure. That is why distributed databases are much more feasible than a centralized database: the databases are in multiple places. The benefit of a distributed database is dedicated administration, meaning every company (e.g. Hotmail) is responsible for its own database (DNS server). If the Hotmail DNS server goes down, only its own website will not open; there is no effect on the Yahoo DNS server, and Yahoo keeps running because every company has its own DNS server. There is no DNS server in the world that has the complete database (names & IP addresses) of all companies' DNS servers. But in spite of this all websites open, even though no DNS server has the complete database; the answer is that all DNS servers are required to communicate with one another, so a parallel system is needed that lets DNS servers communicate with one another.

DNS Queries: – 1. Recursive query       2. Iterative query

Recursive query: – It operates from DNS client to DNS server & has a complete answer, meaning “IP or error”. When a client sends a query (recursive query) to the DNS server for a website's IP, the DNS server replies either with the IP or with an error.

Iterative query: – It operates from DNS server to DNS server & has a referral answer, not a complete answer. In a referral answer the DNS server is told to go to another DNS server, and by this means it collects the complete answer. It is used to locate the authoritative DNS server.

Inverse query: – In this query we send an IP to the DNS server to resolve the name of the website. In this case we already have the IP, so there is no problem in communication, because communication is done on the basis of IP; the issue here is something other than communication. Let's assume the ORKUT site has been blocked. When a user writes the IP of ORKUT in the browser, the site should open, but when the request reaches the firewall (Microsoft ISA Server), the firewall asks the DNS server to resolve the name for this IP. This query from ISA to the DNS server is an inverse query. The firewall asks the DNS server whether there is any website (name) behind this IP that is restricted, and the DNS server tells the firewall that the ORKUT site is restricted. So basically the inverse query is related to security, not accessibility. Security is implemented on the basis of name rather than IP because an IP can be changed; a name can be changed too, but only in rare cases.

Take a website like www.hotmail.com. At the end of every website name there is actually a dot (.), but it is hidden, and this dot (.) represents the root domain. The order of the name is as follows: the dot represents the root domain, com represents the top-level domain, hotmail represents the second-level domain & www represents the hostname. The root DNS is responsible for the top-level domains; a top-level domain is responsible for its second-level domains & so on. This means the root domain (.) tells the IP of the top-level-domain (com) DNS server, & so on. Keep in mind that there is only one server that knows about all DNS servers, and that is the ROOT server.

Note: – The question is how our local DNS (Brain Net ISP) reaches the root server. The answer is that the IPs of the Internet root servers are present in the local DNS server's properties, which hold 30 IPs of root servers. Root DNS servers are managed by Milnet & Espanet. DNS operates at the application layer while TCP/UDP work at the transport layer. DNS uses both TCP and UDP, with port number 53 for both. DNS communication is mostly done over UDP.
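As an added example (not from the original notes), the following toy model walks the chain just described: a client's recursive query to the local DNS server, which in turn sends iterative queries to the root, top-level and second-level servers and receives referrals until it gets a complete answer, caching it for the next client. Every server name and IP in it is constructed sample data.

```python
# Added example, not from the original notes: a toy model of the name-resolution
# chain described above. Every server name and IP below is constructed sample data.

ROOT = "root"

# Each toy server knows only its own level of the hierarchy: "A" records are final
# answers, "NS" records are delegations (referrals) to the next level down.
SERVERS = {
    "root":           {"A": {}, "NS": {"com.": "ns.com"}},
    "ns.com":         {"A": {}, "NS": {"hotmail.com.": "ns.hotmail.com"}},
    "ns.hotmail.com": {"A": {"www.hotmail.com.": "198.51.100.5"}, "NS": {}},
}

def normalise(name):
    """Add the hidden trailing dot that represents the root domain."""
    return name if name.endswith(".") else name + "."

def iterative_query(server, name):
    """One iterative query (DNS server -> DNS server): the reply is either a final
    answer, a referral to the server for the closest enclosing zone, or an error."""
    zone = SERVERS[server]
    if name in zone["A"]:
        return ("answer", zone["A"][name])
    # Prefer the longest delegation, e.g. "hotmail.com." over "com." if both existed.
    for delegated in sorted(zone["NS"], key=len, reverse=True):
        if name == delegated or name.endswith("." + delegated):
            return ("referral", zone["NS"][delegated])
    return ("error", "NXDOMAIN")

def recursive_query(name, cache=None):
    """The local DNS server answering a client's recursive query: it walks
    root -> top level -> second level with iterative queries and returns a
    complete answer (IP or None) plus the list of servers it had to ask."""
    name = normalise(name)
    cache = {} if cache is None else cache
    if name in cache:
        return cache[name], ["cache"]
    server, trail = ROOT, []
    for _ in range(8):               # bound the referral chain
        trail.append(server)
        kind, value = iterative_query(server, name)
        if kind == "answer":
            cache[name] = value      # later clients are served from cache
            return value, trail
        if kind == "error":
            return None, trail
        server = value               # follow the referral
    return None, trail
```

Calling `recursive_query("www.hotmail.com")` returns the IP together with the trail root, ns.com, ns.hotmail.com; a name under a domain no server knows returns None after the last referral.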

Note: – www.hotmail.com.    In this website name the last dot represents the root domain & the middle two dots are level separators.

Zone: – A partition of the domain namespace represented by a domain name, OR the DNS database file (name & IP mapping), is called a zone. The DNS servers that hold the zone file are called authoritative DNS servers.

Types of Zone: – 1) Primary DNS Zone, 2) Secondary DNS Zone, 3) AD Integrated DNS Zone, 4) Stub DNS Zone. Each type of zone holds a mapping of names & IPs, but the differences lie in other things.

Primary DNS Zone: – When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source of information about this zone, & it stores the master copy of the zone data in a local file or in AD DS. It has a writeable copy of the zone, meaning we can modify the zone in the case of a primary zone. When the zone is stored in a file, by default the primary zone file is named zone_name.dns & it is located in the %windir%\system32\dns folder on the server. The basic/standard zone types are the primary zone & the secondary zone. These two zones are possible on each & every DNS server in the world, such as Microsoft DNS server, SUN, LINUX etc., while AD Integrated & stub zones are a Microsoft implementation. When we change something in the primary zone, the secondary zone automatically adopts these changes. We can create one primary zone & multiple secondary zones. It has a single-master structure, meaning we can make changes only in the primary zone & these changes are transferred to the secondary zones automatically.

Secondary zone: – When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source of information about the zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies it with updated information about the zone. Because the secondary zone is merely a copy of a primary zone hosted on another server, it cannot be stored in AD DS. It has a read-only copy of the zone, meaning we cannot modify the zone in the case of a secondary zone.

AD Integrated zone: – If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones & stub zones can be stored in AD DS, meaning this zone type is only available on a domain controller. It is more secure than a primary zone. It has a multi-master structure, meaning that if we have three AD Integrated zones, all three have a writeable copy of the zone, and wherever we make changes (on any of the AD Integrated zones) the changes are replicated to the other zones too. The zone database is replicated as part of domain replication.

Stub zone: – Typically stub means a single exit point. It does not have a complete zone database; only three or four entries exist in a stub zone, which is why it does not perform name resolution itself. It is used to locate the authoritative DNS server. This means that if a client requests an IP, the local DNS server (stub zone) cannot give the IP because it does not have a complete zone database. It passes the request through the router & locates the other DNS server to fetch the IP; the local DNS server then stores this entry in its cache, & if another client requests the same IP it resolves it from its own cache. It has a read-only copy of the zone, like a secondary zone. It has only three kinds of records: the NS (name server) record, the SOA (Start of Authority) record & the glue A record.

Forward lookup zone: – name to IP mapping

Reverse lookup zone: – IP to name mapping
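As an added example (not from the original notes), this shows the inverse query and the reverse lookup zone together, in the firewall scenario described earlier: an IP is turned into its in-addr.arpa name, the PTR record is looked up, and the block rule is matched on the name rather than the IP. The zone contents and the blocked name are constructed samples.

```python
# Added example, not from the original notes: reverse (inverse) lookup used by a
# firewall that enforces rules by name. All zone data below is constructed.

# Constructed reverse lookup zone: PTR records keyed by their in-addr.arpa name.
REVERSE_ZONE = {
    "7.100.51.198.in-addr.arpa.": "www.orkut.example.",
    "5.100.51.198.in-addr.arpa.": "www.hotmail.example.",
}

# Constructed firewall rule set: sites are blocked by name, not by IP.
BLOCKED_NAMES = {"www.orkut.example."}

def reverse_name(ip):
    """Build the reverse lookup name: octets reversed, then the in-addr.arpa suffix."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def inverse_query(ip):
    """IP -> name from the reverse zone; None when no PTR record exists."""
    return REVERSE_ZONE.get(reverse_name(ip))

def firewall_allows(ip):
    """Firewall decision for a request made to a bare IP (True = allowed).
    The name behind the IP is resolved first and then matched against the rules."""
    name = inverse_query(ip)
    if name is None:
        # No PTR record: there is no name to match, so a name-based rule cannot
        # catch this request. This is the gap a name-only policy leaves open.
        return True
    return name not in BLOCKED_NAMES
```

Note the last branch: an address with no PTR record slips past a policy written purely on names, which is why such rules are usually paired with IP-based or URL-based ones.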

Dynamic update: – It is also called dynamic DNS (DDNS)
