Vous êtes sur la page 1sur 21



What is ISA Server 2006?

What is ISA Server 2006?

ISA Server 2006 is the integrated edge security gateway that helps protect your IT environment from Internet-based threats
while enabling your users to be more productive with secure, anytime, anywhere access to Microsoft applications and data. ISA
Server 2006 helps you Secure your Microsoft application infrastructure, Streamline your network and Safeguard your IT
environment. ISA Server 2006 will be available in two versions: Standard Edition and Enterprise Edition

A Pre-configured Virtual MachineThis download comes as a pre-configured VHD. ISA Server 2006 is the integrated edge security gateway that helps protect your IT
environment from Internet-based threats while providing users with fast and secure remote access to applications and data.ISA Server 2006 provides security for
corporate applications accessed over the Internet by pre-authenticating users before they gain access to published servers, inspecting even encrypted traffic at the
application layer in a stateful manner, and providing automated publishing tools. In addition, by providing HTTP compression, caching of content including software
updates, and site-to-site VPN capabilities integrated with application-layer filtering, ISA Server 2006 enables you to securely expand corporate networks. ISA Server 2006
also enables you to manage and protect your network with a hybrid proxy-firewall architecture, deep content inspection, granular policies, and comprehensive alerting and
monitoring capabilities.The files offered on Microsoft's site my be downloaded, extracted and opened with VMware virtualization products (no need to install MS Virtual
Server). Conversion is automatic. Simply open the .VMC file and VMware Workstation, Server, or Player will perform the conversion for you.

More information : http://www.microsoft.com/isaserver/2006/default.mspx

1.0 Securely Publishing Your Content for Remote Access

Businesses need to provide employees and partners with secure and appropriate remote access to applications, documents
and data from any PC and device.

Secure Application Publishing with ISA Server 2006 enables greater control over intranet resources, yet provides increased
productivity by making them available to remote users. ISA Server 2006 helps protect your corporate applications, services and
data across all network layers with stateful packet inspection, application-layer filtering and comprehensive publishing tools.

More information : http://www.microsoft.com/isaserver/2006/sap.mspx

2.0 Connecting and Securing Your Branch Offices

Businesses need to connect remote-site branch offices to their corporate headquarters, provide security-enhanced Internet
access from branch offices and utilize limited bandwidth more efficiently.

With ISA Server 2006 as your Branch Office Gateway, you will be able to simplify your administration and user experience
through a unified firewall and VPN architecture, with web caching and bandwidth management, an optimized firewall and
filtering engine and comprehensive access control.
More information : http://www.microsoft.com/isaserver/2006/bog.mspx

3.0 Defending Your Environment Against External and Internal Web-based Threats

Businesses need to eliminate the damaging effects of malware and attackers through comprehensive tools for scanning and
blocking harmful content, files and websites.

ISA Server 2006 helps provide Web Access Protection with its hybrid proxy-firewall architecture, granular policies, deep content
inspection, comprehensive alerts and monitoring capabilities.

More information : http://www.microsoft.com/isaserver/2006/wap.mspx

Does ISA Server 2006 support VMWare ESX Server

Hi, are you asking if it is officially supported by Microsoft or are you asking if it will work? I see no reason why it wouldn't work.
You can even download ISA 2006 appliance from VMware's Virtual Appliance Marketplace if you wanted to do some initial
testing outside of ESX:

How to Configure ISA Server

Create a New Protocol Definition That Is Named "Citrix ICA TCP"

1. Start the ISA Management console, open the Policy Elements container, right-click Protocol Definitions,

point to New, and then click Definition. Note that if an Enterprise policy is applied to your array, you must create the

protocol definition at the Enterprise level.

2. Name the protocol definition Citrix ICA TCP, and then click Next.

3. Type 1494 in the Port number box. Leave the "Protocol type" setting as TCP. Change the "Direction"

setting to Inbound, and then click Next.

4. Leave the "Do you want to use a secondary connection." setting at No, click Next, and then click Finish.

Why can i not access a particular website from behind the isa ser...?

The site tries to redirect you to another location on a different port number (8080) - you need to create a protocol for tcp 8080
and add this to your list of outbound protocols on that rule - ie http/https and 'new_protocol_for _8080'

ISA Server 2004 FAQ: Installing and Upgrading

This frequently asked questions (FAQ) document provides answers to questions commonly asked during
installation and upgrade of Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q Can I upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 Standard Edition?
A No, an upgrade path is only supported from ISA Server 2000 Standard Edition running at least
Service Pack 1.
Q Can I upgrade from ISA Server 2000 Enterprise Edition to ISA Server 2004 Standard Edition?
A No, an upgrade path is only supported from ISA Server 2000 Standard Edition running at least
Service Pack 1.
Q What do I need to do to preserve my ISA Server 2000 settings during the upgrade?
A If you do an in-place upgrade and install ISA Server 2004 on the same computer running ISA
Server 2000, the configuration is automatically migrated to ISA A
If you uninstall ISA Server 2000 before installing ISA Server 2004, or install ISA Server 2004 on a
different computer, you should run the Migration Tool on the ISA Server 2000 computer before
upgrading to ISA Server 2004. Upgrade to ISA Server 2004, and then import the migrated
Remember that before exporting and importing settings, you should back up your current ISA
Server 2000 configuration.
Q Are all my settings preserved during an upgrade?
A Most of the settings are preserved, but there are a number of settings that are not preserved:
Bandwidth rules are not supported in ISA Server 2004 and are not upgraded.

• Logging and reporting settings and information are not upgraded.

• Permission settings such as system access control lists (SACLs) are not upgraded.

• The H.323 Gatekeeper installed with ISA Server 2000 is removed.

For detailed information, read the upgrade guide, available from autorun when you run ISA Server
Q What happens to the permissions I specified for particular objects in ISA Server 2000?
A These permissions are not migrated to ISA Server 2004. Instead, the default permissions are
Q Are application filters migrated?
A Yes, as follows:

• FTP Access filter. Protocol rules for FTP, and protocol rules applying to FTP Server are
migrated to access rules with read-only disabled. Protocol rules applying to FTP download are
migrated to access rules with read-only enabled.

• H.323 filter. When allowing incoming calls, after upgrading, this filter listens on the
External network. For allowing outgoing calls, after upgrading, this filter listens on the Internal
network. The Internal network does not include the VPN Clients network or the Local Host
network, and you should modify filter settings to listen on these networks if required.

• SMTP filter. For SMTP commands, this is the same as in ISA Server 2000. Attachments,
keywords, and users and domains are migrated to an SMTP server publishing rule on a per-rule

• RPC filter. The RPC filter configuration in ISA Server 2000 is replaced with per-rule

• HTTP Redirection filter. Not upgraded (not supported in ISA Server 2004).

• SOCKS v4 filter. After upgrading, this filter listens on the Internal network. The Internal
network does not include the VPN Clients network or the Local Host network, and you should
modify filter settings to listen on these networks if required.

• Streaming Media filters (RTSP, MMS, PNM): Same as in ISA Server 2000. MMS
stream splitting is not supported.

• DNS filter (intrusion detection). Migrated directly to ISA Server 2004.

• POP filter (intrusion detection). Migrated directly to ISA Server 2004.

Note that third-party filters are not upgraded.

Q What happens to the cache during migration?
A The cache drive configuration is retained. If you migrate to a different computer, the hardware and
drive should be similar to the ISA Server 2000 computer. Most cache properties are migrated
directly, with the following exceptions:

• General cache properties that specify whether cache objects should be updated are set to
the ISA Server 2004 default settings.

• General cache properties specifying whether objects exceeding certain size should be
cached are not migrated.

• General cache properties specifying whether dynamic content is cached are set on the
ISA Server 2004 default cache rule.

Q What happens on an upgrade from ISA Server 2000 with a single network adapter?
A A single network adapter configuration is upgraded as follows:

• The Internal network on ISA Server 2004 is configured to include all addresses associated
with the single network adapter on the ISA Server 2000 computer.
• An access rule is created to allow HTTP, FTP, and HTTPS access from the Internal network
to the Internal network.

Q Are packet filters supported in ISA Server 2004?

A No, for more information on how packet filters are migrated, see the migration document
(ISA2000migrate.htm). This document is available from autorun, or on the ISA Server 2004 CD.
Q What happened to URLScan in ISA Server 2004?
A This feature, provided with ISA Server 2000 Feature Pack 1, is renamed HTTP Filter in ISA Server
2004. Some functionality is no longer available, including:

• EnableLogging

• PerProcessLogging

• AllowLateScanning

• PerDayLogging

• RejectResponseUrL

• UseFastPathReject

• DenyUrlSequences

Q What will happen to my routing rules?

A Each ISA Server 2000 routing rule is duplicated on ISA Server 2004, as a cache rule and as a
routing rule. Routing rules are created with identical properties to those of the original ISA Server
2000 routing rule. Destinations are mapped to specific networks in the ISA Server 2004 routing
rule properties. If the routing rule used a dial-up entry, a dial-up entry with the same properties is
created on the External network of ISA Server 2004. A new caching rule is created based on the
original ISA Server 2000 routing rule. Note that the bridging and action properties of ISA Server
2000 routing rules are not migrated.
Q Is streaming media and live stream splitting supported on ISA Server 2004?
A No, these features are not available with ISA Server 2004. ISA Server 2004 streaming media filters
focus only on enabling firewall traversal for the media protocols.
Q What file name should I provide for the exported policy when I run the migration tool?
A You can specify any file name, but if the file already exists, it will be overwritten.
Q I am running an import that includes SSL certificates and the import failed. What could be wrong?
A This could occur if the target computer does not support certificates, or has a different certificate
configuration. In this case, you must disable SSL on the incoming and outgoing Web listener pages
on the ISA Server computer before exporting the file configuration. Alternatively, you can copy the
certificate to the target computer before beginning the export.
Another reason this may occur is that you did not select Import cache drive settings and SSL
certificates in the Import dialog box. Ensure this is selected and try running the import again.
Q I am running ISA Server 2000 with Administration Tools only (for remote management). Can I
upgrade to ISA Server 2004?
A No, you cannot upgrade to ISA Server 2004 from ISA Server 2000 in Administration mode. First
reinstall ISA Server 2000 with ISA Server Services, and then upgrade.
Q Can I remotely install ISA Server using RDP from a computer in the External or Internal network?
A ISA Server can be installed remotely from a computer in the Internal network, or in the External
network. If you choose to install ISA Server 2004 from an untrusted computer in the External
network, Setup will add the external computer running Setup to the predefined Remote
Management Computers set, used in system policy rules allowing remote management of ISA
Server from selected computers.
Q Can I install ISA Server 2004 on a computer running Microsoft Windows® 2000 Server?
A Yes. Note the following:

• Windows 2000 Service Pack 4 (SP4) or later must be installed.

• Internet Explorer 6 or later must be installed.

• All critical updates should be installed.

• If you are using the Windows 2000 SP4 slipstream, you must also install the hotfix
specified in the Microsoft Knowledge Base article 821887, "Events for Authorization Roles Are
Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization
Manager Runtime."

• If you install on Windows 2000, you cannot configure the L2TP IPSec preshared key.

• Quarantine mode for VPN clients is not supported.

• On servers running Windows 2000, all ISA Server services run using the local system
account. (These run under the Network Service account on computers running Windows
Server„¢ 2003.)

Q What services are affected during ISA Server installation?

A As part of the installation process, the following services are disabled:

• Internet Connection Firewall or Internet Connection Sharing

• IP Network Address Translation

In addition, the following services are stopped during installation:

• SNMP service

• FTP Publishing service

• Network News Transfer Protocol (NNTP)

• IIS Admin service

• World Wide Web Publishing service

Q In the Export Configuration dialog box, what does "Export user permission settings" and "Export
confidential information (encryption will be used)" mean?
A The Export user permission settings check box relates to the permissions on the ISA Server
Management configuration. Typically, you would select this if you want to replicate an existing
configuration inside the same organization.
The Export confidential information check box relates to any configuration data that should remain
confidential, including:

• User credential passwords used in your ISA Server configuration. For example, in logging
to an SQL server, running a program as a result of an alert, or L2TP remote authentication.

• RADIUS shared secret

• VPN preshared IPSec key

ISA Server 2004 FAQ: Adminstering

This frequently asked questions (FAQ) document provides answers to questions commonly asked during
adminstration and management of Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q How can I allow someone to perform specific tasks, but not all tasks, in ISA Server?
A ISA Server provides role-based administration, to allow user permissions for specific tasks, using
Windows users and groups. You can assign Full Administrator role to allow users to perform all
tasks. Use Extended Monitoring role to allow users to perform monitoring, log configuration, alert
definition, and export and import secret configuration information. Use Basic Monitoring role to
allow users to view monitoring, but not configure.
Q How can I remotely administer my ISA Server computer?
A You can use Terminal Services or Remote Desktop to connect to the ISA Server computer.
Alternatively, you can install the ISA Server Management Microsoft Management Console (MMC)
and use that for remote administration. There are two system policy rules that allow remote
management of the ISA Server computer - one for MMC management, the other for Terminal
Server (Remote Desktop) management. Add the computer you want to use for remote
administration to the predefined Remote Management Computers set used by these rules.
Q What is the difference between import and export, and backup and restore?
A The import and export feature, and the backup and restore feature are similar. But generally you
would use them for different purposes. You can use the export and import to save and then import
the entire ISA Server configuration, or parts of it. For example the entire firewall policy, the system
policy, or a selected rule. Confidential information is encrypted. Information is exported to an .xml
file, and then imported from that file. The export and import feature are used primarily to clone
server settings, or for exporting configuration settings to a file for troubleshooting purposes.
The backup and restore feature enables you to save and restore most configuration information.
ISA Server backs up a server€™s general configuration information, cache configuration, and VPN
configuration. The configuration parameters are stored locally in an .xml file. The primary use of
this feature is for disaster recovery, and we recommend that you back up the configuration after
any major changes. For example, after changes to network definitions, cache configuration, or
system policy rules.
Q What services does ISA Server use?
A When you install ISA Server, the following Microsoft® Windows® operating system services are
also installed:

• Microsoft Firewall service. Wspsrv.exe (fwsrv). Windows service supporting requests

from Firewall and SecureNAT clients.

• Microsoft ISA Server Control service. Mspadmin (isactrl). Windows service

responsible for restarting other ISA Server services, generating alerts, running actions, and
deleting log files.

• Microsoft ISA Server Job Scheduler service. W3Prefch.exe (isasched). Windows

service that downloads cache content from Web servers.

• Microsoft Data Engine (MSDE). Used to save log information in MSDE format.

• ISA Server Storage service. Isastg.exe (isastg). Windows service used to manage read
and write access to the ISA Server configuration store, which is registry based, with some file

Q When does ISA Server go into lockdown mode?

A Lockdown mode is triggered when an event triggers the Firewall service to shut down, or if the
Firewall service is manually shut down.
When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning, as
previously. The effects of lockdown mode are documented in ISA Server online Help. When the
Firewall service restarts, ISA Server exits lockdown mode. Any changes made to the ISA Server
configuration are applied after ISA Server exits lockdown mode.
Q What system account does the Firewall Service run under?
A The Firewall Service (and ISA Server service) runs under the Network Service account.
Q Does the Network Service account require any special permissions?
A For SecurID to work in ISA Server on a computer running Windows Server 2003, the
NetworkService account requires the following permissions:

• Read/write access on HKEY_LOCAL_MACHINE\Software\SDTI\ACECLIENT

• Read permission on %SystemRoot%\system32\sdconf.rec

Q I have just created a rule denying specific traffic. I had a previous rule allowing such traffic, and
when I check, it seems that the deny rule is not working, and that the traffic is still getting
through. What is wrong?
A This behavior is by design. When you create a new rule, the rule is applied to new connections, and
not existing ones. If an existing connection is still active, you might see the behavior described.
You can wait a few minutes for the connection state to time out, close existing sessions, or restart
the service to force the removal of old connection states.
Q When I install ISA Server in my network environment (with IPSec enforced), the ISA Server can be
managed remotely for a short time, but after the existing IPSec session expires, the ISA Server
computer is not available for remote access. What happened?
A The ISA Server does not allow Internet Key Exchange (IKE) traffic, and thus the IPSec session
cannot be renewed. As a workaround, to allow remote management of ISA Server in an IPSec
environment, you must create a rule that allows IKE protocol traffic to the Local Host network.
There is a predefined protocol definition for IKE, available in Toolbox, Protocols (VPN and IPSec
protocols) in ISA Server Management. The IKE Client protocol definition defines a primary
connection for UDP port 500 (SendReceive).
Q I have NLB set up for ISA Server. How can I ensure that each ISA Server computer can
communicate with the other?
A At each ISA Server computer, you need to include the IP address of the other ISA Server computer
within one of its networks. For example, include the IP address of ISAServer1€™s internal adapter
in the Internal network of ISAServer2. Also at time of writing, you need Multicast mode.
Q I cannot use DCOM from a computer in the Remote Management Computers set to the ISA Server
computer. Why not?
A In the system policy rule, there is no option to configure remote management to allow non-strict
RPC traffic. All DCOM traffic between Remote Management computers to the Local Host computer
will be dropped. The RPC filter cannot be configured not to enforce RPC filtering, allowing DCOM.
As a workaround, remove the computer from the Remote Management Computer set, and create
an additional policy rule for the same traffic as the system policy rule. Then right-click the rule,
click Configure RPC Protocol, and clear Enforce strict RPC compliance for this rule.
Q What is the significance of NAT and Route relationships between networks?
A If you have a network rule that defines a network address translation (NAT) relationship between
two networks (for example Internal and External), the following will apply:

• Internal to External traffic will be defined by access rules.

• External to Internal traffic will be defined by publishing rules.

If you have a route relationship, you can use access rules in both directions.
Q What is the Local Host network?
A The Local Host network represents the ISA Server computer. That is, all traffic that comes from or
to ISA Server is considered to have passed by way of the Local Host network. It includes all the IP
addresses of the ISA Server computer, and the reserved loopback IP address
Q How can I filter undesirable sites?
A The HTTP filter in ISA Server 2004 allows you to block content based on URL length, strings, file
name extensions, and other means. You can specify the HTTP filter settings per access rule or Web
publishing rule. Select the rule, and then on the Tasks tab, click Edit Selected Rule. On the
Traffic tab (Web publishing), or Protocols tab (access rules), click Configure HTTP. For more
information, see the HTTP Filter topic in online Help.
Q Certain attacks use a large amount of data in the HTTP header for security exploits. How can I limit
the length of HTTP headers?
A Setting a maximum length for request headers is done by the HTTP filter, and applies to all rules.
There is a default length of 32,768 bytes. To modify the default value, in the details pane of the
Firewall Policy node, right-click the required rule, and then click Configure HTTP. You can also
modify the value using a script provided in the Configuring Add-Ins topic of the ISA Server SDK
Limiting the length of response headers is global, and is controlled by admin COM property
Q I want to configure an inbound access rule, but I cannot select an inbound protocol for the rule.
What is wrong?
A In ISA Server 2004 inbound protocols are only used for publishing rules. For access rules, protocols
are outbound.
Q In a localized language environment, chained requests using Integrated authentication are failing.
What is the cause?
A The problem is in the translation of credentials. Integrated authentication fails, and the
downstream proxy is identified as a guest account on the upstream proxy.
Q Is bidirectional affinity (BDA) supported when using network load balancing (NLB) with ISA Server?
A No, BDA is not supported.
Q I see the Startls command in the SMTP command list. Does that means that SMTP TLS encrypted
connections are allowed by the SMTP filter?
A The SMTP filter works in passthrough mode if you are using the STARTTLS command, and no
filtering of SMTP traffic is performed.

ISA Server 2004 FAQ: Application Publishing

This frequently asked questions (FAQ) document provides answers to questions commonly asked about
publishing in Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q In the Outlook Web Access Publishing Wizard, there is an option to enable high-bit characters.
What does this mean?
A The default for this setting is enabled, and if you need to support clients who will connect to
Exchange servers using non-English characters, you should leave this enabled. If English is the
only language in use, you can disable the setting.
Q If I have a single IP address on the external interface of ISA Server, can I use multiple Web
listeners on the same IP address and port?
A No, ISA Server does not allow duplicate Web listeners with the same IP address and port.
Q Can I add content types to the predefined types?
A Yes, you can create your own content types in addition to the predefined ones. Common content
types you may want to add include:

• Common Windows media types:

• .wma = windows media audio

• .wmv = windows media video

• (.asf is either audio or video)

• Potentially dangerous files:

• .jse = encoded JScript

• .vbe = encoded VBScript

• .wsf= Windows Script file

• .reg = Windows registry file

• .pl = PERL script

• .com = executable

Q Does ISA Server support RPC-over-HTTP publishing?

A Yes.
Q Can I publish my Outlook Web Access server on a non-standard port?
A Creating a publishing rule that uses non-standard ports on the ISA Server computer or the Outlook
Web Access server is not supported. Standard ports are 80 (for HTTP) and 443 (for HTTPS).
Q I tried to create a Web listener and get an ADDRESS_IN_USE error. What might be wrong? I have
tried restarting the Firewall service.
A This is a known issue. If you get this error, try the following:

• Check that the IIS service is not listening on the same port.

• Wait approximately five minutes and restart the Firewall service.

• Restart the ISA Server computer.

• Reduce the waiting time with the following registry keys if the error is persistent.

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tc
pTimedWaitDelay (DWORD). Set the required value in seconds.

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Str
ictTimeWaitSeqCheck (DWORD). Set the value to 1.

Q When trying to create a Web listener for Outlook Web Access publishing, I receive an error
message that no certificates are configured on the server. What might be wrong?
A Check the following:

• You imported the certificate into the wrong store. Server authentication certificates
should be in the personal store of the local computer.

• When you exported the certificate from another computer you forgot to export the private
key with the certificate. (You need to select the private key check box.)

Q I cannot use the Certificate Request Wizard in the Certificates MMC, or the Web Site Certificate
Request Wizard. What can I do?
A Disable the RPC filter and create an all open rule between the source and destination. Be sure to
reenable the RPC filter and remove the all open rule when you are done.
Q Publishing fails when I publish a secure Web server and present a wildcard certificate. For example,
when I publish myserver.adomain.com and present a wildcard certificate *.adomain.com,
publishing fails. Why?
A This is by design. ISA Server can use a wildcard certificate on a listener, but will not accept a
wildcard certificate from a published website.
Q I want to publish a site with /* for the path, but it is producing an error. What might be wrong?
A Using /* provides access to the entire site you are publishing. Note that for this to work, you
require a default document on the site, or an error will be generated.
Q I want to use a certificate with multiple CN names in it. For example to reference
https://server_name and https://www.server_name.com. Can ISA Server handle these multiple CN
A No, ISA Server will only reference the first CN in the certificate, and does not support multiple

ISA Server 2004 FAQ: Caching

This frequently asked questions (FAQ) document provides answers to questions commonly asked about caching
in Microsoft Internet Security and Acceleration (ISA) Server 2004.

Q What is the maximum cache size?

A The maximum size for a single cache file is 64 gigabytes (GB). If you require a larger cache store,
you can split it into several files over different drives.
Q In Cache Settings, what does the term "percentage of free memory to use for caching" mean? Is it
a percentage of available free memory, or total RAM?
A This option does not indicate the percentage of available memory that ISA Server uses for caching,
but rather the percentage of total RAM ISA Server uses for caching. This memory is allocated
during the startup of the Microsoft Firewall service, and changes to this setting only take effect
when you restart the Microsoft Firewall service. To reset this, do the following: On the
Configuration node of ISA Server Management, right-click Cache, and then click Properties. On
the Advanced tab, specify the required value in Percentage of free memory to use for
Q Can I change the location of the default cache file?
A When you configure a drive for caching, ISA Server creates a cache content file (Dir1.cdat) in the
drive:\urlcache folder. You can specify an alternative cache file location on the drive, including an
environment variable such as %cacheDirectory%. If the specified folder does not exist, ISA Server
will warn you that the specified location is not valid and will try to create the folder. For any
alternative cache folder, the Network Service must have read permissions from the root partition
and any parent folder for the folder. On the cache folder itself, the following permissions are

• Network Service: Full Control

• System: Full Control

• Administrators: Full Control

If you do not set permissions correctly, the following error event may be issued in the Event

• Event ID: 14176. Disk cache drive:\urlcache\Dir1 failed to initialize. Identify the reason
for cache failure by examining previous recorded events, or the error code. Check that the disk
is connected and that it is not corrupt.

Q When configuring caching I received event 14193 "Cache was initialized with less memory cache
than configured. This is because there is not enough free memory available for ISA Server
caching." What does this indicate?
A This event is generated when the Web proxy fails to allocate memory cache based on: (size of
RAM) × percentage of free memory to use for caching. It may happen when there is no free
virtual memory to allocate. In this case, the Web proxy will allocate a smaller size and issue the
Q When the cache is full, how does ISA Server determine what to purge from the cache, to make
space available for new items?
A To make space, random URLs are removed as required. However, there is some built-in logic that
means that the most recently used objects are less likely to be removed.
Q People connecting to my publishing Web site seem to be getting an old version. Why?
A Ensure reverse caching is not enabled. Create a rule to ensure that nothing is cached for requests
for the published Web site from outside your enterprise.
Q Is reverse caching enabled by default? If so, how can I disable it?
A After installation, the cache is disabled by default, and you enable it by configuring a cache drive
and space for it. When you enable caching, both forward and reverse caching are enabled. To
disable reverse caching for specific sites, create a cache rule that disables caching of
http://published_size/* urls.
Q How can I determine if caching is working?
A You can view cache performance counters in the operating system Performance Monitor. To do
this, click Start, click Run, and in the Open dialog box, type perfmon.
Right-click the graph pane, and then select Add Counters. In the Performance Object drop-
down list, select ISA Server cache. Then select the counters you want to view from the list. You
can read about cache counters under the Additional Resources section in ISA Server online Help.
Q Can I cache Secure Sockets Layer (SSL) responses?
A Yes, you can configure that SSL responses should be cached by right-clicking the cache rule, and
selecting Cache SSL responses on the Advanced tab. Note that this setting only affects SSL
traffic that is bridged. Tunneled SSL traffic cannot be cached.
Q In ISA Server 2004 by default, 10 percent of the RAM is allocated for caching objects. Why is the
default RAM allocation so low?
A The optimal allocation will depend on the configuration. You can read more about optimal cache
settings in different scenarios in ISA Server Performance Best Practices.
Q When ISA Server starts, I see an alert message that the cache did not initialize properly. What
could be causing this?
A This often happens when the cache was not shut down properly, for example, if a service
terminated unexpectedly or the computer stopped.
Q Can I ensure availability of updates and fixes by caching Windows Update?
A No, Windows Update transfers data used Background Intelligent Transfer Service (BITS). BITS
allows an application to download a file in portions, and uses HTTP range headers to do this. ISA
Server does not support caching of ranges.
Q Can I cache compressed content?
A In a Web publishing scenario, ISA Server allows the traversal of compressed responses from the
Web server to the client, if the client sends an Accept-Encoding header indicating that it will accept
compressed content. However, compressed content will not be cached. Note that ISA Server does
not support traversal of compression responses in a forward proxy scenario, and does not support
inspection of compressed response bodies in any direction.

ISA Server 2004 FAQ: Monitoring and Logging

This frequently asked questions (FAQ) document provides answers to questions commonly asked about
monitoring, logging and reporting in of Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q Why do I see entries for destination hosts in my Web log?

A Sometimes only a URL is available for the destination host, and in this case, the IP address appears
as This happens when a request has been denied and no DNS name resolution lookup was
performed for it.
Q Why do I see fields displayed in the Firewall and Web Proxy logs, even when I have not selected
those fields to display in the log?
A This is a known issue, and certain fields are displayed even though they are not selected in the
logging configuration. In the Firewall logs, the following fields are logged:

• Action

• Server
• Resultcode

In the Web Proxy logs, the following fields are logged:

• Server Name

• Transport

• Bytes Received

• Bytes Sent

• Service

• Authenticated Client

• HTTP Status Code

• Action

Q In the log files I see a client user name marked with a question mark (?). What does this mean?
A The question mark indicates that the client user name has not been authenticated. This happens
when a request arrives from a Firewall client, but the firewall policy does not require
authentication. The Firewall client always sends the user name, and therefore it is always logged.
Q How can I manually delete log files in MSDE mode?
A You can use an SQL query to detach the database from SQL, and delete the files from the disk, as


Q I have tried connecting to MSDE on the ISA Server 2004 computer with either a DSN or with
Enterprise Manager from another computer. Why does this fail?
A The MSDE instance used by ISA Server 2004 has network protocols disable, and you cannot
connect to it remotely. You can only connect using Enterprise Manager when Enterprise Manager is
installed on the ISA Server computer.
Q My reports seem to be scheduled and running correctly, but have no data in them. What could be
A Reports can be saved from Internet Explorer only on the computer running ISA Server
Management. On any other computer, the report shows either empty data or empty frames with a
message that the "Page cannot be displayed."
Q What happens if I configure my ISA Server computer to log to SQL, and the database file becomes
A A "log failure" alert is issued, and the service will stop.
Q How can I see a report on the current day's activity, rather than from yesterday?
A ISA Server reports are based on a daily summary task, which runs once a day by default at 00:30
(12:30 A.M.) and summarizes the data in the logs for fast report generation. Because the reports
are not available before the daily summary runs, you can only view reports for the previous day.
Q I have blocked anonymous access, but the logs show requests from anonymous users. Why?
A The user sends an anonymous request. ISA Server responds with a 407 error and terminates the
connection. An anonymous request is logged.
The user sends the same request with Keep-Alive and NTLM authentication user information. ISA
Server responds again with a 407 error€”and with an authentication challenge. The connection is
not terminated. Another anonymous request is logged.
The user sends the same request with the authentication response. Now the request is
authenticated and served.
If anonymous log entries are followed by requests from an actual, authenticated user, the reason is
probably this configuration. If not, check your configuration settings.
Q User names are not showing up in the log file. What is wrong?
A ISA Server does not always require that clients authenticate themselves. If not authenticated, they
are granted anonymous access, and authentication information is not logged. You can require that
users always authenticate themselves.
Q The logs are overflowing. How can I reduce this?
A When you create a rule, any requests that match the rule are logged by default. The Default Rule
denies all traffic, and any requests not specifically allowed by the rule will be logged. This can fill
your log quickly. Look at your log data. If you notice a large amount of data from a specific
protocol or source, create a new rule for that type of traffic, and do not require logging.
Q There seems to be more current users (according to the Firewall service performance counters)
than sessions (in the Sessions view of ISA Server Management). Why?
A ISA Server considers a session a unique combination of IP address and user name. A connection is
considered a new session from a given IP address only if a unique user logs on. System Monitor, in
contrast to ISA Server, counts all connections.
Q Why does ISA Server not run an action defined for an alert?
A Read the document entitled Troubleshooting Alert Action Failures, available from the Guides
and Articles page on the ISA Server website.
Q Every time I restart the Microsoft Firewall service a new Firewall Log and Web Proxy Log database
is created. Why is this?
A This is by design and does not affect logging or log viewing. These databases are empty and will
eventually be deleted in accordance with database maintenance policy.
Q Why is the link in my daily e-mail report broken? The report location is correct, but the link does
not work.
A This is a known limitation. To work around this issue and get the link working, publish the report to
a path that does not contain spaces. The report name should not contain spaces either, because
the folder name is determined by the report name.
Q When do URLs appear in the logs?
A URLs appear in the Web Proxy logs for all Web requests.
Q In the daily report I see the IP address of websites visited, and not the resolved name. How can I
ensure the name is displayed in the report?
A Only clients that are configured as Web Proxy clients resolve sites through the ISA Server
computer. Other clients handle name resolution themselves, and so the ISA Server computer only
knows about the IP address. Ensure that the required clients are configured as Web Proxy clients.
Q The Firewall service (Wspsrv.exe) process seems to be leaking memory slightly. What might cause
A A handle leak may occur in the SQL Server process when the Firewall service connects and
disconnects from an MSDE database. ISA Server creates and closes connections every time a new
database is created. Each log database has three associated connections, and there are at least
two databases per day (Firewall logs and Web Proxy logs). For more information about this leak,
see Microsoft Knowledge Base article 37748.
Q The Firewall service does not start and the following alert is issued: "The Microsoft Firewall was
unable to connect to the MSDE database". What is wrong?
A The database needs to be deleted manually. For more details, see the preceding item about
deleting a database.
Q What time format is used in ISA Server logs and reports?
A The following time formats are used:

• Text log files (ISA Server file format). Local time.

• Test log files (W3C extended log file format). Coordinated Universal Time (UTC),
also known as Greenwich Mean Time (GMT).

• MSDE log files. Local time.

• SQL (ODCB) logs. Coordinated Universal Time (UTC).

Reports are created in local time. Note that different time formats do not affect reporting accuracy.
Q What is new in client session counters in ISA Server 2004?
A ISA Server lists client sessions, including Firewall clients, SecureNAT, and Web Proxy clients. Unlike
ISA Server 2000, ISA Server 2004 does not separate out session counters for all client types, and
active sessions are accounted for by the Firewall service. With this configuration, note the

• Web Proxy sessions have a corresponding SecureNAT session, one SecureNAT session for
all Web Proxy sessions from a particular computer.

• Firewall clients have a corresponding SecureNAT session. For a computer with Firewall
Client installed, there will be a SecureNAT session, as well as a Firewall client session, for that

• If a computer has both Web Proxy and Firewall client sessions, there will only be one
SecureNAT session for it, because it is defined per computer.

Q Can logs be saved in an alternate location?

A By default, ISA Server log files in a file format or MSDE 2000 format are saved in the ISALogs
folder of the ISA Server installation folder. You can specify an alternative log file location, including
an environment variable such as %logDirectory%. If the specified folder does not exist, ISA Server
will warn you that the specified location is not valid and will try to create the folder. For any
alternative logging folder, the Network Service must have read permissions from the root partition
and any parent folder for the folder. On the logging folder itself, the following permissions are

• Network Service: Full Control

• System: Full Control

• Administrators: Full Control

If you change the log folder location and do not set the correct permissions, the following error
event may be issued in the Event Viewer:

• Event ID 11002: Microsoft Firewall failed to start. The failure occurred during creation of
logging module because the configuration property PropertyName is not valid.

ISA Server 2004 FAQ: Virtual Private Network (VPN)

This frequently asked questions (FAQ) document provides answers to questions commonly asked about
configuring and managing VPN functionality in Microsoft® Internet Security and Acceleration (ISA) Server

Q Can I view IP addresses that are dynamically assigned to clients in the VPN Clients network?
A The ISA Server logs hold a unique entry for each VPN client connection, including the IP address
Q How many concurrent connections are supported by ISA Server VPN?
A For ISA Server 2004 Standard Edition, the number of concurrent VPN remote access connections is
limited to 1,000. This limitation exists even if you install the product on a Windows operating
system that supports more than 1,000 concurrent VPN connections.
Q Can I create an IPSec site-to-site tunnel where one of the ISA Server computers receives a
dynamic address from DHCP?
A No, this is a limitation of IPSec tunnel mode. For dynamic addresses, use PPTP or L2TP over IPSec.
Q I am running ISA Server on Windows 2000, and I cannot create a remote site with IPSec tunneling.
Why not?
A To create a remote site network that uses the IPSec protocol tunneling mode on a computer
running Windows 2000, you must install the IPSecPol tool from the Microsoft website. The tool
must be installed to the ISA Server installation folder.
Q I have ISA Server running on a computer running Windows 2000 and it is not accepting any VPN
connections. Why not?
A If Internet Authentication Service (IAS) was running while ISA Server was installed, ISA Server will
not accept VPN connections. Restart IAS.
Q Traffic originating from the IP address of the remote site gateway is denied by ISA Server. What
could be wrong?
A In a remote site network scenario that uses PPTP or L2TP tunneling protocols, the ISA Server
computer may not have a default gateway configured. When no default gateway is defined, a static
route is not added between ISA Server and the remote site gateway. Because there is no route,
traffic from the remote site gateway is perceived as spoofing€”and the traffic is denied. Add a
default gateway. You can specify a dummy default gateway.
Q In Routing and Remote Access, I've configured several dial attempts with time intervals between
events. When I change any settings of a site-to-site network, time interval is reset to one second
and the redial value to 0. What's wrong?
A ISA Server overwrites a number of demand dial configuration settings. This may be an issue on
slow, modem-based demand dial connections, where dialing may not succeed on the first attempt.
As a workaround, you can use the Routing and Remote Access APIs to configure the redial settings,
and run the program every time Routing and Remote Access starts. However, ISA Server will
overwrite Routing and Remote Access setting each time the Firewall service, or the computer,

Internet Security and Acceleration (ISA) Server 2006

View all answers
Q. What is ISA Server 2006?


ISA Server 2006 is the integrated edge security gateway that helps protect IT environments from
Internet-based threats, while providing users with fast and secure remote access to applications and
data. ISA Server 2006 provides value to IT managers, network administrators, and information security
professionals who are concerned about the security, performance, manageability, or reduced cost of
network operations. ISA Server 2006 can help you:

• Securely Publish Content for Remote Access. ISA Server 2006 helps streamline
the implementation providing security for corporate applications accessed over the

• Connect and Secure Branch Offices. ISA Server 2006 provides a robust way to
securely expand corporate networks, reducing network costs by leveraging existing
network connections.
• Defend Against External and Internal Web-Based Threats. ISA Server 2006
was engineered to deliver stronger security to manage and protect your networks.
Q. What's new in Microsoft ISA Server 2006?


ISA Server 2006 demonstrates the Microsoft commitment to provide solutions that maximize customer
security and productivity. To achieve this goal, Microsoft is continuing its product innovation for next-
generation security as well as working with a broad ecosystem of security partners to offer complete
end-to-end solutions. ISA Server 2006 provides a comprehensive set of publishing tools for Microsoft
Exchange and Microsoft Windows SharePoint Services, streamlined security and connectivity for
branch offices, as well as network edge protection. Read about the new features of ISA Server 2006.
Q. Who should consider Microsoft ISA Server 2006?


Enterprises are facing an onslaught of increasingly targeted and sophisticated attacks on their
networks. Protecting corporate resources at their headquarters as well as at their branch offices, while
providing seamless access for legitimate business functions, requires a sophisticated and
multifunctional edge gateway. ISA Server follows a scenario-based design, ideal for mid-market to
enterprise environments, with single or multiple sites, and varied access and publishing needs.
Businesses in verticals, such as financial services, retail, or government/public sector, will see great
benefits in deploying ISA Server to help protect Internet clients and make internal resources available
to remote employees.
Q. What is the pricing and availability for ISA Server 2006?


Read more about How to Buy ISA Server 2006.

Q. Where can I get more information about ISA Server 2006?


A selection of evaluation tools and material is available here.

Q. Will I receive a free upgrade?


Customers who subscribe to Software Assurance at the time the final product releases will be eligible
to upgrade their licenses to ISA Server 2006 at no cost (media/ shipping and handling fees may apply).
Other customers with enterprise or volume licensing agreements should contact either their reseller or
their Microsoft account representative.
Q. What are the specific feature upgrades?

Integrated Security: ISA Server 2006 provides improved security through integration with Microsoft
application infrastructure and Windows services.

• Increase security and deployment flexibility for Web application servers through
enhanced multifactor authentication (smartcards, one-time passwords), flexible
integration with Active Directory (Lightweight Directory Access Protocol), and
customizable forms-based authentication for almost any Web application and client

• Easily integrate ISA Server with your existing authentication infrastructure through
enhanced authentication delegation (including NTLM, Kerberos, and SecurID),
and gain more access control with improved session management that detects non-
user traffic through automatic idle-based timeouts.

• Maintain secure branch office infrastructure using Background Intelligent

Transfer Service (BITS) caching to accelerate the deployment of software
updates and keep remote computers protected.

• Help defend your network with enhanced flood resiliency features for event
handling and monitoring that provide better resistance to denial-of-service (DoS) and
distributed-denial-of-service (DDoS) attacks.

• Mitigate the effects infected machines have on your network with enhanced worm
resiliency through simplified client IP alert pooling and connection quotas.

• Enhanced attack remediation through comprehensive alert triggers and

responses can quickly notify administrators of network problems.
Efficient Management: Reduced TCO via simplified deployment and management tools.

• Simplify the process of securely publishing Exchange, Windows SharePoint Services,

and other Web servers with automated wizards for multiple sites and enhanced
certificate administration to avoid configuration errors.

• Web publishing load balancing makes it easy to deploy entire farms of Web
servers behind ISA Server deployments using session- and IP-based affinity with
automatic out-of-service detection.

• Easily deploy and configure ISA Servers in branch offices by using answer files on
removable media for unattended installation and with automated virtual private
network (VPN) wizards to streamline connectivity.

• Manage remote ISA Servers more effectively with faster propagation of enterprise
policies, reduced server requirements, and low-bandwidth optimizations.

• Log throttling and control of memory consumption and pending Domain

Name System (DNS) queries provides enhanced resource control.

• Unify management and monitoring across your ISA Server infrastructure with the
Management Pack for Operations Manager 2005, and use enterprise- and array-
level policies to easily control security and access rules across your organization.
Fast, Secure Access: Secure, high-speed, and seamless user access to corporate applications and

• Enable a smoother user experience for published Web applications, document

libraries, and content through single sign-on and comprehensive link translation to
help ensure secure and consistent access.

• Improve Web page load times and reduce WAN costs for users in branch offices with
HTTP traffic compression and caching.

• Help ensure that the highest priority applications get precedence over other network
traffic through DiffServ IP settings, providing better bandwidth utilization and
response times for critical Web resources.
Q. How does ISA Server compare with other competing solutions on the market today?


ISA Server has led the market by bringing together application layer firewall, VPN, and Web cache
services into a single edge solution. And, by integrating with back-end application infrastructure such
as Windows/IIS, Exchange Server, Windows SharePoint Services, and others, ISA Server provides a
unique security and access mechanism. Tools, such as wizards for automatically publishing server
resources, forms-based pre-authentication, customizable security settings for Exchange and Windows
SharePoint Services, and many other enhancements give ISA Server something that no other edge
platform can deliver: a seamless, policy-based gateway for Windows servers and clients, Windows
Server System application infrastructure, and data resources.
Q. Why would I consider ISA Server if I'm already perfectly happy with my existing firewall?


ISA Server 2006 has been optimized to help protect Microsoft applications, such as Exchange. What
this means is that it's a great solution for customers who are interested in taking advantage of the
remote access capabilities of Microsoft Outlook Web Access (OWA) but have some security concerns.
We've also made this product extremely easy to deploy and manage, an important benefit that can
help customers save time, money, and reduce the risk of misconfiguration, which can lead to security
breaches. And it's extensible, meaning you can easily add third-party security solutions, such as
intrusion prevention and virus protection that make sense for your business. All of this makes ISA
Server an ideal solution for small-to-midsized businesses, but it can also be a great complement to
your existing firewall implementation, providing added application layer protection against new and
emerging attacks.
Q. Will ISA Server 2006 be common-criteria certified as well?


Yes, we have commenced the certification process for EAL4+ (Evaluation Assurance Level), which is
the highest level granted to a commercial product.
Q. Will there be updated appliances?


Microsoft continues to work with a broad base of partners to provide flexible hardware-based ISA
Server solutions. ISA Server 2006 Enterprise Edition is now also available on appliances.
Q. What is an ISA Server 2006–based hardware solution?


Microsoft has joined with several Original Equipment Manufacturers (OEMs) to bring ISA Server 2006–
based security appliances to market. These solutions combine the best of ISA Server 2006 with a
hardened version of Microsoft Windows Server 2003 and optimized hardware. To learn more, visit the
Partner Hardware Solutions page.
Q. Why should I consider a hardware solution?


Purchase a hardware solution if you want an ISA Server device built specifically to run ISA Server 2006.
These devices come with a preinstalled hardened version of Windows Server 2003 and ISA Server
2006, ready for deployment. Several hardware vendors have also added additional components and
technology to their products such as protocol accelerators, antivirus gateways, and content filtering
software to extend the value of ISA Server 2006 for your infrastructure. Lastly, some hardware
vendors have created security appliances that you can quickly deploy and automatically update. In
addition, these security appliances feature added management tools and Web-based user interfaces
for remote management.
Q. What are the differences between the various solutions from different OEMs?


All OEM solutions include Windows Server 2003 and ISA Server 2006 Standard Edition or Enterprise
Edition. Some solutions might only be available in certain countries or regions and might include
optional value-added components. For more information, see the Hardware Partners page.
Q. Can I reuse my existing ISA Server 2006 license on a hardware solution?


ISA Server 2006 hardware solutions have a special OEM license that is specific to the piece of
hardware you purchase. Only those OEM licenses may be used with these hardware solutions. For
more information, see the on the Microsoft Licensing site.
Q. What scenarios are most appropriate for ISA Server 2006 hardware solutions?

You can use ISA Server 2006 hardware solutions for any application or scenario that you would use ISA
Server 2006 software. Learn more about deploying ISA Server 2006 for Secure Remote Access, Branch
Office Security, and Internet Access Protection.
Q. Is ISA Server 2006 Enterprise Edition available as a hardware solution?


Yes, ISA Server 2006 Enterprise Edition is available as a hardware solution. However, ISA Server 2004
Enterprise Edition is not available as a hardware solution.