Traffic filtering in Microsoft Internet Security and Acceleration (ISA) Server is the foundational multi-layer mechanism that allows network administrators to control, block, or permit packet streams entering or leaving a network edge.
Microsoft ISA Server (which evolved into Forefront TMG before its retirement) does not rely on a standalone application named “TrafficFilter.” Instead, it enforces traffic filtering across three native layers: Packet Filtering (kernel mode), Circuit-Level Filtering, and Application-Layer Filtering (user mode).

The 3 Layers of ISA Server Traffic Filtering
ISA Server evaluates traffic sequentially from the lowest network layer to the highest application layer to maintain a tight security perimeter.
[ Incoming Packet ]
        │
        ▼
┌──────────────────────────────────┐
│ 1. Packet Filtering (Kernel)     │ ──► Drops unapproved ports/protocols
└──────────────────────────────────┘
        │
        ▼
┌──────────────────────────────────┐
│ 2. Circuit-Level Filtering       │ ──► Validates connection state (TCP/UDP)
└──────────────────────────────────┘
        │
        ▼
┌──────────────────────────────────┐
│ 3. Application Filtering (User)  │ ──► Inspects payloads (HTTP signatures, DNS)
└──────────────────────────────────┘
        │
        ▼
[ Internal Network ]

1. Packet Filtering (IP Layer)
Operating directly within the Windows network protocol stack in kernel mode, packet filtering inspects IP and TCP/UDP header information.
Static Packet Filtering: Administrators can manually open or close specific external ports (e.g., blocking all inbound ICMP/ping traffic).
Default Deny: By default, all traffic is dropped unless explicitly permitted by an access rule.

2. Circuit-Level Filtering (Session Layer)
This layer uses stateful inspection to monitor the state of active network connections. It ensures that inbound packets are only permitted if they are a direct response to a valid outbound request initiated from inside the network.

3. Application-Layer Filtering (Application Layer)
Operating in user mode, this is the most advanced tier of filtering. It intercepts data streams to inspect the actual payloads of the packets. For example:
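The sequential three-stage evaluation described above, as an added Python model written for this page (it is not code from the original article or from ISA Server itself): a static header filter with default deny, a circuit-level state table that admits inbound packets only when they mirror a session opened from the inside, and a hypothetical application filter that checks the method on outbound HTTP request lines. All addresses, ports and the allow-lists are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet record carrying only the fields each layer inspects."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str            # "tcp", "udp" or "icmp"
    inbound: bool         # True = arriving on the external interface
    payload: bytes = b""  # only the application layer looks at this

# Layer 1 (kernel, header-only). Default deny: outbound traffic is dropped unless its
# protocol/port pair is listed; inbound ICMP is statically closed, as in the article's example.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}
BLOCKED_INBOUND_PROTOS = {"icmp"}

# Layer 3 (user mode). Hypothetical HTTP filter: the request line must use an allowed method.
ALLOWED_HTTP_METHODS = {b"GET", b"HEAD", b"POST"}

class ThreeLayerFilter:
    def __init__(self):
        # Layer 2 state table: 5-tuples of sessions opened from the inside.
        self.sessions = set()

    def evaluate(self, pkt):
        """Run the three stages in order; return (verdict, layer_that_decided)."""
        # 1. Packet filtering: IP/TCP/UDP headers only, no payload.
        if pkt.inbound and pkt.proto in BLOCKED_INBOUND_PROTOS:
            return ("drop", "packet")
        if not pkt.inbound and (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
            return ("drop", "packet")
        # 2. Circuit-level: an inbound packet counts as a reply only if the mirrored
        #    5-tuple is already in the state table; anything else is unsolicited.
        if pkt.inbound:
            mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if mirrored not in self.sessions:
                return ("drop", "circuit")
        # 3. Application-layer: inspect the payload of outbound HTTP requests.
        if not pkt.inbound and pkt.proto == "tcp" and pkt.dport == 80 and pkt.payload:
            method = pkt.payload.split(b" ", 1)[0]
            if method not in ALLOWED_HTTP_METHODS:
                return ("drop", "application")
        # Only a packet permitted by every layer creates state for its replies.
        if not pkt.inbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return ("permit", None)
```

Feeding the same inbound packet before and after the matching outbound request shows why the circuit layer, not the port list, is what separates a reply from an unsolicited probe.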