A Plethora of Applications

A few words about allowing access via ISA Server to a whole plethora of applications.

The nice thing about ISA Server is that, when you first install it, you can rest assured that only traffic specifically allowed by the system policy is actually going to pass through to your corporate network.

On the other hand, this implies that you’re going to have to do some configuration work if you want to actually allow additional access. For standard applications, say Web browsers, where you only want to allow access to HTTP, this is fairly straightforward. But when you want to allow access to more complex applications, you may find yourself in that oh-so-tempting predicament: "Maybe I should just open up all those darn ports in order to finally allow this access?"

That, however, is definitely NOT what you want to do. I hope that this post will help you realize how you should actually approach this conundrum...

Let’s consider the following example: an application that runs over HTTPS, using some protocols that you have not yet identified.

Here’s what you should do to allow that access:

  1. Have a client try to access that application.
  2. Check the ISA Server logs to determine which traffic is being denied. Specifically, identify the protocol that was denied.
  3. Create a new protocol, carefully specifying the primary and secondary connections required for that application (as you identified in step 2).
  4. Create an access rule, allowing use of that new protocol for any clients in your network that require access.
  5. Deploy Firewall Client software on the clients requiring access; otherwise, secondary connections will not work.
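
Steps 2 and 3 as an added example (not part of the original post and not ISA Server code): a Python script that reads a firewall log exported as tab-separated text, keeps only the denials for one test client, and merges the denied destination ports into ranges you can enter in the new protocol definition. The column names, the "Denied"/"Initiated" action values, the rule names and all sample rows are assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample rows. The column names and the "Denied"/"Initiated"
# action values are assumptions; match them to your own log's #Fields line.
FIELDS = ["date", "time", "IP protocol", "source", "destination", "action", "rule"]
ROWS = [
    ["2008-03-04", "10:15:01", "TCP", "10.0.0.25:49201", "198.51.100.10:443", "Initiated", "Web Access"],
    ["2008-03-04", "10:15:02", "TCP", "10.0.0.25:49202", "198.51.100.10:8443", "Denied", "Default rule"],
    ["2008-03-04", "10:15:02", "UDP", "10.0.0.25:49300", "198.51.100.10:5004", "Denied", "Default rule"],
    ["2008-03-04", "10:15:02", "UDP", "10.0.0.25:49301", "198.51.100.10:5005", "Denied", "Default rule"],
    ["2008-03-04", "10:15:03", "UDP", "10.0.0.25:49302", "198.51.100.10:5006", "Denied", "Default rule"],
    ["2008-03-04", "10:15:04", "TCP", "10.0.0.25:49203", "198.51.100.10:8443", "Denied", "Default rule"],
    ["2008-03-04", "10:15:05", "TCP", "10.0.0.31:50110", "198.51.100.77:445", "Denied", "Default rule"],
]
SAMPLE_LOG = "#Fields: " + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in ROWS)


def denied_ports(log_text, client_ip, deny_action="Denied"):
    """Count denied (transport, destination port) pairs for one test client."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        parts = line.split("\t")
        # Skip comments, blank lines and rows that do not match the header.
        if fields is None or line.startswith("#") or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        src_ip = row["source"].rsplit(":", 1)[0]
        if src_ip != client_ip or row["action"] != deny_action:
            continue
        port = int(row["destination"].rsplit(":", 1)[1])
        counts[(row["IP protocol"], port)] += 1
    return counts


def port_ranges(counts):
    """Merge adjacent denied ports into (low, high) ranges per transport."""
    ranges = {}
    for transport, port in sorted(counts):
        spans = ranges.setdefault(transport, [])
        if spans and port == spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], port)  # extend the current range
        else:
            spans.append((port, port))
    return ranges


if __name__ == "__main__":
    for transport, spans in port_ranges(denied_ports(SAMPLE_LOG, "10.0.0.25")).items():
        print(transport, spans)
```

Filtering on a single test client keeps unrelated denials (the second client's row in the sample) out of the protocol you are about to define.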