Windows Server Gateway using ISA

Overview
ISA is Microsoft's commercial grade NAT firewall and web caching system. When installed it disables the built in consumer grade firewall (the firewall control panel) and it conflicts with the Internet Connection Sharing feature (which provides basic NAT and DHCP functionality).

Here is a quick overview of using ISA (and a few other tools) to setup a Windows server as:
 * Internet Gateway
 * NAT Firewall
 * DNS forwarder
 * DHCP server (for LAN)

Run all your Windows updates

 * 1) Run Windows update and install all security patches
 * 2) Repeat step 1 until MS offers no more patches

Set-up the network connections

 * 1) Open network connections
 * 2) Make there are two connections representing your physical NICs (or 1 NIC and a modem)
 * 3) Choose a connection that represents a physical NIC or modem to be the WAN, and rename it 'WAN'
 * 4) Rename another physical NIC to 'LAN'
 * 5) IMPORTANT: Make sure that the connections are NOT bridged and that Internet Connection Sharing is OFF on both. You can check these by selecting each NIC in order, choosing 'properties' and checking the 'Advanced' tab.
 * 6) Open 'properties' on the LAN NIC and set the IP settings to: static IP of 192.168.100.1; Net mask of 255.255.255.0; and leave gateway and DNS servers blank
 * 7) Open properties on WAN NIC and set it as appropriate (either DHCP client or static info from the upstream ISP)

Install DHCP and DNS services

 * 1) Go to 'Add/Remove Programs' and select 'Add/Remove Windows Components'
 * 2) Select 'Networking Services' from the list
 * 3) Click "Details"
 * 4) Check on the first two items "Domain Name System (DNS)" and "Dynamic Host Configuration Protocol" DHCP
 * 5) Ok out of the panel

Configure DHCP

 * 1) Go to 'Start -> Administrative Tools -> DHCP'
 * 2) In left pane, right-click the predefined server and choose 'Properties'
 * 3) Go to 'Advanced' and click 'Change server connections bindings'
 * 4) CONFIRM: the server should be bound only to the LAN NIC and has correct IP
 * 5) 'Ok' out of the panels
 * 6) Right-click the predefined server and choose 'New Scope'
 * 7) Set 'Name' to 'LAN DHCP Scope' and leave description blank
 * 8) Enter start address of '192.168.100.100' and end address of '192.168.100.199'
 * 9) Enter Subnet mask: '255.255.255.0'
 * 10) 'Next' past the 'Exclusions' pane, don't enter anything
 * 11) 'Next' past the lease duration, defaults are fine
 * 12) In 'Configure DHCP Options', leave it as 'Yes, I want to configure these options'
 * 13) 'Router' enter 192.168.100.1
 * 14) 'Domain Name and DNS Servers', add 192.168.100.1 as DNS server
 * 15) 'WINS Servers' leave blank, just 'Next' by it
 * 16) 'Activate Scope' Yes!

Configure DNS

 * 1) Go to 'Start->Administrative Tools->DNS'
 * 2) In left pane, right click predefined server and choose 'Configure a DNS server...'
 * 3) Step 1, 'Welcome': just 'Next' past this
 * 4) Step 2, 'Select Configuration Action' default is good, 'Next' onward!
 * 5) Step 3, 'Primary Server Location', default 'This Server Maintains the zone' is correct, 'Next' onward
 * 6) Step 4, 'Zone Name' enter 'lab.inveneo.org'
 * 7) Step 5, 'Zone File', default 'Create a new file...' and default file name are good, 'Next' onward
 * 8) Step 6, 'Dynamic Update', default "Don't allow" is correct, 'Next' onward
 * 9) Step 7, 'Should this DNS server forward queries': IMPORTANT: enter the IP address for your upstream DNS server. This is either provided by the ISP on paper OR via DHCP. If it's via DHCP, open the WAN network connection and enter the DNS server/servers that it received from the upstream DHCP server

Install ISA
During the standard install process from the CD, ISA will default to a standard NAT setup (this is good, it's what we want). It will ask ONE important question: Define the 'Internal' network.

In this panel, you must enter the FULL IP range of the internal (inside the firewall) network as: 192.168.100.0 &mdash; 192.168.100.255

You may enter this by:
 * 1) Clicking the 'Add Range...' button and manually entering
 * 2) Clicking the 'Add Adapter...' button and choosing the LAN NIC

IMPORTANT: all the firewall rules refer to the 'internal' network by name. If you enter this value incorrectly, the firewall will not work and may block much more than it is supposed to!

Configure ISA Firewall Rules
With the firewall, we want to achieve the following:
 * Deny ALL in bound connections from the Internet (bad scary things out there)
 * Deny ALL outbound HTTP/HTTPS/FTP requests to blacklisted bad sites (porn, violence promotion, warez)
 * Allow ALL other outbound (internal network to Internet) traffic
 * Allow ALL traffic between the Windows server and the internal machines

ISA, by default, has only one rule. This rule denies ALL traffic. Everything. This is a permanent default rule, and can't be replaced. So we need to add new rules to open up access where we want.

NOTE: Rule matching goes in order from first to last, so order is very important. The first rule to match traffic applies, allowing or denying the traffic, and no other rules are processed.

Get ready to create rules

 * 1) Go to 'Start->All Programs->Microsoft ISA Server->ISA Server Management'
 * 2) In the left pane select 'Firewall Policy'
 * 3) In the far right pane, click the 'Tasks' tab

Make rules
To setup the firewall we are adding 4 new rules, as follows, and in this order

Allow all traffic from Internal network to Internet

 * 1) Select 'Create Access Rule' to add a new rule
 * 2) Access rule name: "Allow All Traffic To Internet"
 * 3) Rule Action: 'Allow'
 * 4) Protocols: choose 'All Outbound Traffic' from pulldown
 * 5) Access Rule Sources: Add->Network Sets->All Protected Networks
 * 6) Access Rule Destinations: Add->Networks->External
 * 7) User Sets: All Users (default)

Create Blacklist Rules to block traffic to bad sites
Note: here we only create the rule to block traffic. We don't load in the black lists themselves until late.

Why? Because the ISA Manager gets unusably slow once the blacklists are loaded.

Create 'Domain Name Sets' and 'URL Sets' to hold lists of bad sites
We want to create empty placeholder sets that we can use to define the firewall rule.

We do not at this time want to load in the long list of sites to block.

We want to create a Domain Name Set and URL Set for each of the following:
 * Porn
 * Violence promoting sites
 * Warez sites (illegal downloads, often malware infested)


 * 1) In far left pane, select 'Firewall Policy'
 * 2) In far right pane, select 'Toolbox' tab
 * 3) Under 'Toolbox' tab select 'Network Objects' heading
 * 4) For each Domain Name or URL set you wish to create, select: New->Domain Name Set or New->URL Set
 * 5) Name: A descriptive name like 'Porn Domains'

Create access rules

 * 1) Select 'Create Access Rule' to add a new rule
 * 2) Access rule name: "Block Bad Internet Sites"
 * 3) Rule Action: 'Deny'
 * 4) Protocols: choose 'Selected Profiles' from pulldown
 * 5) Protocols: Add->Web->FTP/HTTP/HTTPS
 * 6) Access Rule Sources: Add->Network Sets->All Protected Networks
 * 7) Access Rule Destinations: Add->Domain Name Sets->
 * 8) Access Rule Destinations: Add->URL Sets->
 * 9) User Sets: All Users (default)

Allow all traffic from Internal network to Server (Localhost)

 * 1) Select 'Create Access Rule' to add a new rule
 * 2) Access rule name: "Allow Internal Traffic To Server"
 * 3) Rule Action: 'Allow'
 * 4) Protocols: choose 'All Outbound Traffic' from pulldown
 * 5) Access Rule Sources: Add->Network Sets->All Protected Networks
 * 6) Access Rule Destinations: Add->Networks->Localhost
 * 7) User Sets: All Users (default)

Allow all traffic from Server (Localhost) to Internal network

 * 1) Select 'Create Access Rule' to add a new rule
 * 2) Access rule name: "Allow Server Traffic To Internal Net"
 * 3) Rule Action: 'Allow'
 * 4) Protocols: choose 'All Outbound Traffic' from pulldown
 * 5) Access Rule Sources: Add->Network Sets->Localhost
 * 6) Access Rule Destinations: Add->Networks->All Protected Networks
 * 7) User Sets: All Users (default)

Confirm rules are in correct order!
From top to bottom, the rules should be in this order:
 * 1) Allow Server Traffic To Internal Net
 * 2) Allow Internal Traffic To Server
 * 3) Block Bad Internet Sites
 * 4) Allow All Traffic To Internet
 * 5) (Last) Default Rule

If they are not in this order, select the out-of-order rule and in the far right pane, use the 'Move Selected Rules Up' and 'Move Selected Rules Down' links to put the rules in the correct order.

Set up cache file location

 * 1) In left pane, select 'Configuration->Cache'
 * 2) In right pane, select 'Cache Drives' tab
 * 3) Right-click the drive where you want to store cached pages and select 'Properties'
 * 4) Set the maximum cache size to something between 4g and 10g (4048 and 10240)
 * 5) 'Ok' out of panel

Set up cache rule

 * 1) Select 'Cache Rules' tab
 * 2) In far right pane, select 'Create a Cache Rule'
 * 3) Cache rule name: 'Cache Internet Content'
 * 4) Cache Rule Destination: Add->Networks->External
 * 5) Content Retrieval: first option (default) is correct "Only if a valid version..."
 * 6) Cache Content: default (second option only selection) is correct
 * 7) Cache Advanced Configuration: default ('Cache SSL responses') is correct
 * 8) HTTP Caching: defaults are correct EXCEPT 'No more than:' -- set this to '7 Days'
 * 9) FTP Caching: also set TTL to 7 days
 * 10) Make sure the rule is the first one on the list. If not, select the new rule and use the 'Move Selected Rules Up' link in the far right panel to make it so

Internet connection

 * Connect the WAN port of the server to the Internet
 * Launch IE and confirm that you can reach the Internet

Didn't work? Make sure the WAN connection is properly configured in 'Start->Control Panel->Network Connections'

Internal network services

 * Connect a DHCP client machine (laptop is good) to the server's internal network.
 * Confirm that the client machine gets an IP address
 * On the client, open a web browser and confirm that the client machine can connect to the Internet

Didn't work?
 * Renew your IP address on the client and confirm that it is receiving a proper IP from the DHCP server
 * Confirm that the DHCP server has properly handed out a DNS server IP address
 * Attempt to 'ping' the server
 * If DHCP and DNS settings look correct, review your ISA firewall settings on the server, they are probably incorrect.

Load in blacklist of bad web sites
NOTE: Once the black lists have been loaded, making changes to ISA config becomes VERY VERY slow. Specifically, applying config changes can take 10 to 20 minutes to complete. So make sure you've tested everything before you do this.

Preparing the blacklists
Freely usable black lists are available here: SquidGuard's list of Blacklists

We like Shalla's List, which is free for non-commercial use, but not if you are charging for it.


 * 1) Download your Blacklist of choice
 * 2) Use this black list conversion script to convert the standard blacklist format to Microsoft's XML format

Load blacklists into ISA

 * 1) In the ISA manager, select 'Firewall Policy'
 * 2) In the far right pane, select the 'Toolbox' tab

For each Domain Name and URL set you created earlier:
 * 1) Right click the set and choose 'Import to Selected...'
 * 2) File name: Browse the the converted blacklist XML file that matches this set e.g. blacklists/porn/domains.xml or blacklists/point/urls.cml NOTE: for large lists, like porn, the panel will hang for a long time when you hit next as it reads in the very big file.
 * 3) Import Preferences: default to not import server-specific info is correct. 'Next' past this