Upgrading ISA Server 2000 Access Policy Configuration

Most ISA Server 2000 access policy rules are upgraded to ISA Server 2004, as detailed in the following sections.

Bandwidth Rules

Bandwidth rules (and associated policy elements) are not supported in ISA Server 2004. They are not upgraded.

IP Packet Filters

ISA Server 2000 packet filters are not explicitly configurable in ISA Server 2004. Packet filters in ISA Server 2000 were used to:

  • Publish servers on a perimeter network.
  • Run applications or other services on the ISA Server computer.
  • Allow outgoing traffic from the ISA Server computer.
  • Allow access to protocols that are not based on User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).

The table below lists how custom ISA Server 2000 packet filters are upgraded to ISA Server 2004 access rules.

Property | ISA Server 2000 packet filter | ISA Server 2004 access rule
---------|-------------------------------|----------------------------
Name, description, servers, enabled | (any value) | Same as the ISA Server 2000 values
IP Protocol (upgraded to an ISA Server 2004 protocol definition) | TCP/UDP/ICMP/Custom IP protocol | Same protocol
 | Any | No new protocol definition. The migration tool sets Protocol to All outbound IP traffic
 | Protocol number | Same protocol number
 | Local port | The source port is defined in the access rule; the destination (or source, depending on the protocol direction) port is defined in the protocol definition
 | Local port number | Source port range (on the Protocol tab of the access rule)
Direction | Outbound | Outbound
 | Inbound | Outbound (To and From fields changed accordingly)
 | Send Receive | Send Receive
 | Receive Send | Send Receive (To and From fields changed accordingly)
Local computer (Applies To), upgraded to the access rule "To" property | Default IP address | Local Host network
 | Local computer set to the IP address of the ISA Server 2000 computer | Computer element with the IP address of the ISA Server 2004 computer
 | Local computer set to a specific IP address | Computer element with the specific IP address
 | Local computer set to a perimeter network | Address range element with the IP addresses of the perimeter network
Remote computer (Applies To), upgraded to the access rule "From" property | All remote computers | All External networks
 | This remote computer | Computer element set to the IP address of the remote computer
 | This range of computers | Subnet with the specified address range

NOTE:  If the Direction of the ISA Server 2000 packet filter is Both (or "Received and Sent"), then two rules are created on ISA Server 2004, with the To and From properties switched for the second rule.

Among the access rules created to replace ISA Server 2000 packet filters, those that deny access are ordered first; those that allow access follow them.

Example

ISA Server 2000 packet filter with these properties:

  • Protocol: UDP
  • Direction: Send Receive
  • Local port: 53
  • Remote port: 78
  • Local computer (Applies To): default IP addresses on the external interface
  • Remote computer: All remote computers

Resulting ISA Server 2004 access rule with these properties:

  • Source network: Local Host
  • Source port: 53
  • Destination network: All External networks

Resulting protocol definition with these properties:

  • Protocol: UDP
  • Port: 78
  • Direction: Send Receive
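The upgrade table and the example above, expressed as code. This is an added illustration written for this page, not the ISA Server Migration Tool's own code. The record field names, the sequential ISANumber assignment, and the handling of a bidirectional ("Both") filter as an Inbound rule followed by an Outbound rule (following the ISA18-NNMP(Inbound)/ISA19-NNMP(Outbound) naming example) are assumptions; the orientation of To and From follows the worked example: for a Send Receive (or Outbound) filter the local computer is the source, and for Receive Send (or Inbound) the two ends are switched.

```python
"""Map ISA Server 2000 custom IP packet filters to ISA Server 2004 access rules.

Added example for this page, not the ISA Server Migration Tool. Field names,
sequential ISANumber assignment and the "Both" ordering are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PacketFilter2000:
    """ISA Server 2000 custom IP packet filter (field names are assumed)."""
    name: str
    mode: str               # "Allow" or "Block"
    protocol: str           # "TCP", "UDP", "ICMP", "Custom" or "Any"
    direction: str          # "Outbound", "Inbound", "Send Receive", "Receive Send", "Both"
    local_applies_to: str   # "Default IP address", "ISA Server IP", "Specific IP", "Perimeter network"
    remote_applies_to: str  # "All remote computers", "This remote computer", "This range of computers"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    protocol_number: Optional[int] = None
    local_address: Optional[str] = None   # IP or address range of the local end
    remote_address: Optional[str] = None  # IP or subnet of the remote end


@dataclass
class AccessRule2004:
    """ISA Server 2004 access rule together with its protocol definition."""
    name: str
    action: str
    source: str                   # From
    destination: str              # To
    protocol: str
    source_port: Optional[int]    # ISA 2000 local port -> source port range on the rule
    protocol_port: Optional[int]  # ISA 2000 remote port -> port in the protocol definition
    protocol_direction: str       # "Outbound" or "Send Receive"


def _local_end(pf: PacketFilter2000) -> str:
    if pf.local_applies_to == "Default IP address":
        return "Local Host network"
    if pf.local_applies_to == "Perimeter network":
        return f"Address range {pf.local_address}"
    return f"Computer {pf.local_address}"  # ISA Server IP or a specific IP


def _remote_end(pf: PacketFilter2000) -> str:
    if pf.remote_applies_to == "All remote computers":
        return "All External networks"
    if pf.remote_applies_to == "This remote computer":
        return f"Computer {pf.remote_address}"
    return f"Subnet {pf.remote_address}"


def _protocol(pf: PacketFilter2000):
    """'Any' gets no new definition, only the built-in 'All outbound IP traffic'."""
    if pf.protocol == "Any":
        return "All outbound IP traffic", None
    if pf.protocol == "Custom":
        return f"Custom IP protocol {pf.protocol_number}", None
    return pf.protocol, pf.remote_port


def _one_rule(pf: PacketFilter2000, name: str, direction: str) -> AccessRule2004:
    local, remote = _local_end(pf), _remote_end(pf)
    # Inbound / Receive Send filters become outbound rules with To and From switched.
    if direction in ("Inbound", "Receive Send"):
        source, destination = remote, local
    else:
        source, destination = local, remote
    protocol, protocol_port = _protocol(pf)
    udp_style = direction in ("Send Receive", "Receive Send")
    return AccessRule2004(
        name=name,
        action="Deny" if pf.mode == "Block" else "Allow",
        source=source,
        destination=destination,
        protocol=protocol,
        source_port=None if pf.protocol == "Any" else pf.local_port,
        protocol_port=protocol_port,
        protocol_direction="Send Receive" if udp_style else "Outbound",
    )


def convert_packet_filter(pf: PacketFilter2000) -> List[AccessRule2004]:
    """One filter becomes one rule, or two rules for a bidirectional ('Both') filter."""
    if pf.direction != "Both":
        return [_one_rule(pf, pf.name, pf.direction)]
    udp = pf.protocol == "UDP"
    return [
        _one_rule(pf, f"{pf.name}(Inbound)", "Receive Send" if udp else "Inbound"),
        _one_rule(pf, f"{pf.name}(Outbound)", "Send Receive" if udp else "Outbound"),
    ]


def upgrade_packet_filters(filters: List[PacketFilter2000], start: int = 1) -> List[AccessRule2004]:
    """Deny rules first, then allow rules; names follow ISANumber-ISA_Rule_Name."""
    rules = [r for pf in filters for r in convert_packet_filter(pf)]
    ordered = [r for r in rules if r.action == "Deny"] + [r for r in rules if r.action == "Allow"]
    for number, rule in enumerate(ordered, start):
        rule.name = f"ISA{number}-{rule.name}"
    return ordered


if __name__ == "__main__":
    # Constructed sample input: the worked example above plus a blocked TCP filter in both directions.
    dns = PacketFilter2000("DNSLookups", "Allow", "UDP", "Send Receive",
                           "Default IP address", "All remote computers", local_port=53, remote_port=78)
    nntp = PacketFilter2000("NNMP", "Block", "TCP", "Both",
                            "Default IP address", "This remote computer",
                            remote_port=119, remote_address="192.0.2.10")
    for rule in upgrade_packet_filters([dns, nntp]):
        print(rule)
```

Run stand-alone, the sample produces the two deny rules for the blocked filter first (Inbound, then Outbound with To and From switched), followed by the allow rule from the worked example with source Local Host network, source port 53, destination All External networks and a UDP protocol definition on port 78.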

IP Packet Filters: Pre-defined

ISA Server 2000 includes several pre-defined IP packet filters. The migration tool creates system policy rules, based on these IP packet filters, as detailed in the table below.

ISA Server 2000 IP packet filter | ISA Server 2004 system policy rule
---------------------------------|-----------------------------------
DHCP Client | Allow DHCP request from firewall
DNS filter | DNS from local host to Anywhere
ICMP outbound | ICMP from firewall to Anywhere
ICMP Ping response (in), ICMP Timeout in, ICMP source quench, ICMP unreachable in | Allow all ICMP from firewall to networks
IP Replay (out) | Allow all ICMP (PING) from trusted server to firewall

When running the ISA Server Migration Tool, you can choose whether to allow traffic from the Internal network to the ISA Server computer. If you select this option, a rule is created that allows traffic from the Internal network to the Local Host network, and vice versa.

Protocol Rules

ISA Server 2000 access policy consisted of protocol rules and site and content rules. ISA Server 2004 includes only access rules, which are based on a combination of the original protocol rules and site and content rules.

ISA Server 2000 protocol rules that deny access are upgraded directly to ISA Server 2004 access rules.

ISA Server 2000 protocol rules that allow access are upgraded to ISA Server 2004 access rules. Most properties are carried over directly; the Applies To property is upgraded as detailed in the table below.

ISA Server 2000 protocol rule (Applies To) | ISA Server 2004 access rule
-------------------------------------------|----------------------------
Any request | Source network set to Internal and Local Host
Client address sets | From is set to a computer set containing the IP addresses of the original client address set. Source network is set to Internal.
Users and groups | From is set to a user set containing the users originally specified. Source network is set to Internal.

Note that third-party application filters are not upgraded. Similarly, any protocol definitions that are installed with the application filter are not upgraded. Any rules that apply to these protocol definitions are not upgraded.

Users can configure an ISA Server 2000 registry key, IgnoreContentTypeIfNotApplicable, that determines whether a content group is ignored for protocol rules that do not apply to HTTP. If this registry key is enabled, the migration tool creates two access rules for any protocol rule that applied to both HTTP and additional protocols. For example, if ISA Server 2000 includes a protocol rule that applies to the POP3 and HTTP protocols, the migration tool creates two access rules on ISA Server 2004: one for POP3 and another for HTTP.

Site and Content Rules

ISA Server 2000 access policy consisted of protocol rules and site and content rules. ISA Server 2004 includes only access rules, which are based on a combination of the original protocol rules and site and content rules.

ISA Server 2000 site and content rules that deny access are upgraded directly to ISA Server 2004 access rules.

ISA Server 2000 site and content rules that allow access are upgraded to ISA Server 2004 access rules. Most properties are carried over directly; the exceptions are detailed in the table below.

Property | ISA Server 2000 site and content rule | ISA Server 2004 access rule
---------|---------------------------------------|----------------------------
Applies To | Any request | Source network set to Internal and Local Host
 | Client address sets | From is set to a computer set containing the IP addresses of the original client address set. Source network is set to Internal and Local Host.
 | Users and groups | From is set to a user set containing the users originally specified. Source network is set to Internal.

Users can configure an ISA Server 2000 registry key, IgnoreContentTypeIfNotApplicable, that determines whether a content group is ignored for protocol rules that do not apply to HTTP. If this registry key is enabled, the migration tool creates two access rules for any protocol rule that applied to both HTTP and additional protocols. For example, if ISA Server 2000 includes a protocol rule that applies to the POP3 and HTTP protocols, the migration tool creates two access rules on ISA Server 2004: one for POP3 and another for HTTP.

Merging Site and Content Rules and Protocol Rules

Some site and content rules and protocol rules are merged into a single access rule when upgrading to ISA Server 2004.

Naming Conventions

The table below details the naming conventions for the new access rules.

ISA Server 2000 rule | ISA Server 2004 rule name | Example
---------------------|---------------------------|--------
Protocol deny rule | ISANumber-ISA_Rule_Name | ISA12-DenyNimda
Site and content deny rule | ISANumber-ISA_Rule_Name | ISA13-BlockBadStuff
Packet filter | ISANumber-ISA_Rule_Name | ISA14-ICMP
Bi-directional packet filter | ISANumber-ISA_Rule_Name(Inbound) and ISANumber-ISA_Rule_Name(Outbound) | ISA18-NNMP(Inbound) and ISA19-NNMP(Outbound)
Merged protocol and site and content rule | ISANumber-ISA_Rule_Name+ISA_Rule_Name | ISA15-InternetAccess+BlockBadStuff
