Microsoft Forefront ISA Server





Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for Sharepoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or an highly-available array pairing.

Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall policies into Excel 2007.

Applications involved:

•      ISA Server 2004
•      Windows 7 on client side {As I have performed it on windows 7}
•      Excel 2007
•      ISA2XLSV2.hta {Use to read rules from xml file}


Step # 1: Move on to Server Machine on which ISA Server 2004 is installed
Step # 2: Now open ISA Server Management Console
Step # 3: Expand the server
Step # 4: Select Firewall policy
Step # 5: Right click on “Firewall policy” and select Export
 Firewall policy exportStep # 6: Now save the file on your desired location. This will export all the group policies into an xml file at the location you selected.
Step # 7: Here we require a tool named ISAInfo2XLS.hta which can be downloaded from Here
Step # 8: Now import your xml file in this tool
Step # 9: Expand “Firewall Policy” tab and click on “Array Rules”
Step # 10: Copy all the data from right pane and past it into a text file.
Step # 11: Now open MS Excel and press open select file type to “All Files” and now locate your text file, press ok
Step # 12: It will run automatically run “Text Import Wizard” from here select “Delimited” and press next
Text Import WizardStep # 13: On this screen select others and type a pipe sign from keyboard “ | ” looks like this and press next
Delimatting with pipe sign
LVL 51

Administrative Comment

by:Keith Alabaster

Thanks for taking the time to put forward this article which is now published.

MS Forefront Page Editor
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of these items are directly caused by TMG / UAG / ISA.

A.) Make sure your TMG / UAG / ISA is up to date
As some of the problems are fixed with service packs or rollup packages, download the latest service pack and rollup package for your product.
This article is based on the following Updates:

TMG 2010: Service Pack 2 - Rollup Package 2 (Build 7.0.9193.540)

UAG 2010 Service Pack 2 (Build 4.0.2095.10000)

ISA 2006 Service Pack 1 + Security Fixes (Build 5723.514)

Read the installation instructions and preconditions for these updates! There are some special procedures especially if load balanced as well as they are not necessarily cumulative. As TMG is also part of UAG, both updates may be relevant.

Save all the time the configuration before you update.

B.) Verify correct NIC settings
LVL 51

Administrative Comment

by:Keith Alabaster
Thanks for your efforts in pulling the article together which is now set to published.

Page Editor
LVL 51

Administrative Comment

by:Keith Alabaster
Experts Exchange Approved status awarded for the article Bembi.

Well done!


So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages:

1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishing Rule.
The error occurred on object 'Autodiscovery Publishing Rule' of class 'Policy Rule' in the scope of array 'HKFW1'.
2. When trying to delete the problematic rule: The item selection could not be completed due to an unexpected error.
2.1 Error: 0x80070002
2.2 Error Details: The system cannot find the file specified

The only icon that is listed in the faulty rule is the allow Icon as seen in the solution below.

1. Going through the steps, you have the following rule (With a different name) and the only icon that is listed in the faulty rule is the allow Icon.
 Faulty rule2. When trying to delete the rule you get an error that "The system cannot find the file specified" after clicking on the Details button
 Error Message3. Ok so the only way to resolve this is by opening ADSIEdit on your proxy server.
4. To open ADSIEdit, on your Proxy server click start and type "ads" and you will notice "ADSI Edit" in the Programs section as seen below, hit Enter or click on ADSI Edit to open it.
 Open ADSI Edit5. When ADSI Edit opens right click on ADSI Edit and click Connect to... as seen in the below image
 ADSI Edit - Connect to...6. In the Configuration Settings Tab do the following:
6.1 Tick the

Expert Comment

by:Ahmed Shareef
The blog and best that is extremely useful to keep I can share the ideas of the future as this is really what I was looking for, I am very comfortable and pleased to come here. Thank you very much. hd videos and more hd

Expert Comment

by:shariq khatri
This was really an interesting topic and I kinda agree with what you have mentioned here!      <a title="internation dating site" href="">internation dating site</a>
Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the initiated or trained, looking at the log files or reading the output from a set of trace files created from the 'repro' tool within the best practice analyser is sufficient; and fairly easy to do if you understand what you are looking at.

For the less knowledgeable - or for those who do not have the time to deep-dive and work it out for themselves - there is diagnostic logging, a new option that works really well in Forefront TMG 2010.

This brief article walks through the diagnostic logging routine and brings together a sample view of what can be picked up from it including the sequencing of events.

Diagnostic logging is disabled by default - it stands to reason that it takes up a fair bit of processing power and storage so should only be used when troubleshooting a specific issue rather than leaving it running all the time.

To enable the function, open the FTMG GUI, select Troubleshooting and then the Diagnostic Logging tab along the top on the right-hand-side.  Open the task pane on the far right and click enable diagnostic logging.

FTMG will now commence its inspection of events that take place and attempt to put them into an intelligible framework but note that you will NOT see anything appear on the screen. It …
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has been EAL 4+ accredited through its duration, the highest non-miltary security accreditation achievable. It is aslo notable in that it acheived this status long before anything comparable from Cisco or other manufacturers, except for the Sidewinder from Secure Computing. The last incarnation of ISA, ISA 2006 SP1, goes end of mainstream support at the beginning of 2012.

In the last few years of ISA Server Microsoft invented the brand name of Forefront and this umbrella term covers a fair number of component products. One of these is the Forefront Threat Management Gateway - known as FTMG or just TMG. In short, FTMG fulfils all the capabilities that ISA 2006 SP1 couild deliver plus a fair bit more.

The purpose of this article is to highlight the improvements and to provide some context around them.

ISA Server 2006 - 32-bit but Forefront TMG - 64-bit
ISA Sever 2006 was only available in a 32-bit version and could only be used on Windows 2003 x86 whereas FTMG is 64-bit and only operable on Windows 2008 SP2 or Windows 2008 R2. Both ISA 2006 and FTMG are fully supported on virtualised environments as per the MS supported hardware list.

AntiVirus and Malware Detection
FTMG 2010 has the ability to monitor for …
LVL 15

Administrative Comment

by:Eric AKA Netminder

A very nice piece of work, and it should be required reading for anyone interested in securing Microsoft servers.

I have published this, and awarded it Community Pick and EE-Approved status.

Page Editor

Expert Comment

by:Mohamed Khairy
Thank you for your effort.
In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  This includes:

•Lost reputation
•Inability for personnel to communicate over IM
•Inability of personnel to research
•Ultimately – lost productivity and profitability

This really depends on the industry and the specific industries reliance on Internet Connectivity.  Online traders for example would require a significantly more reliable Internet Experience than say, your local school.

Attempts to get around ISP failures include trying to fool your ISA server through multiple metric default gateways (  However, this only gives one ISP all of the traffic and the other get’s nothing.  In the event of a failure of the primary ISP, manual intervention is required as ISA only does what you tell it (Default gateway means ‘default’).

Another way to try and avoid this is to give equal metric Default Gateways.  This doesn’t work either.  When one of your ISPs goes down, you have 50% Internet Connectivity.  Not exactly a solution…

So, that said, with the exception of the Malware Detection built into Threat Management Gateway 2010 (TMG), the ISP redundancy feature of TMG is brilliant!  Business value in 60 minutes.

Here’s how I have set it up at a few customers:

•2 Data Centres (one is primary and the other is DR)…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself.

To get to the cmd prompt, click on start - run and enter cmd in the run box.

In the cmd box, type in "cd \" without the quote marks followed by pressing the enter or return key.

Open a web browser and go to then using the tabs along the middle, select the version of ISA or FTMG tools relevant to your installation.
Find and download the Tunnel Port Range Extender utility saving it to the c:\ folder of the ISA/FTMG box - this is the root of your c: drive. The file name will be isa_tpr.js.

The site is hosted by Jim Harrison - a top-bloke within Microsoft's ISA and FTMG area and access to this file is by his kind permission.
Go back to your cmd prompt window and type the following: isa_tpr.js /? to get a list of commands & options.
I have provided an example to add TCP port 5100 to the list of ports that ISA will recognise as being authorised to carry HTTPS traffic.

 isa_tpr.js /add port5100 5100 5100

This example calls the isa_tpr script, tells it that I want to add a single port, that I want to name the new port description as 'port5100' and finally provides a start port and end port.

Once completed, stop and restart the ISA firewall service for the change to take…
LVL 61

Expert Comment

by:Kevin Cross
Nice work, Keith!

Expert Comment

by:ryan donald
It is good to see that the people are active in responding. Thank you for all the responses. I was trying to look up for it, and i found it here.
thanks again.
If anyone needs assistance in comepleting their written work can get in touch with me at do my master's essay for me.
Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (the IAG product from Whale Technologies) to name but a few. This manifests itself now into three core areas which are:

Forefront Client security;
Forefront for Sharepoint and Forefront for Exchange; and finally,
Forefront Edge - Forefront Threat Management Gateway and the Unified Access gateway or UAG for short.

The Forefront Threat management Gateway - or FTMG - is the replacement for ISA Server 2006 SP1 and is currently in its RC or Release Candidate stage. The next stages will include RTM or Release to Manufacturer before being made publicly available within the next two - three months.

There are some significant differences to the new version, not least of which is that FTMG is only available to run on a 64-bit operating system. Another key point to note is that FTMG is not supported on a Domain Controller. Actually, to be more specific, FTMG cannot even installed on a system that is a Domain Controller although, strangely, the pre-installation checks that are now familiar within many Microsoft installation CDs all pass successfully. However, once the installation commences, an error message will be seen when the host server tried to create the required services forcing a rollback to be undertaken.

Graphically …
LVL 58

Expert Comment

Thanks for the article Keith. Voted Yes above!
ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs

What does this mean and how can one go about correcting it?

In simple terms, this error message indicates that traffic has arrived at an ISA Server interface where ISA would not have expected to see it arrive.

In reality, this is a simple error to correct if you consider how ISA Server operates. ISA Server is NOT a router - despite common beliefs to the contrary. ISA is a server application that uses the host operating system to provide underlying services such as network addressing and routing.

To demonstrate, lets take a new ISA Server installation with two network cards as an example. The  following attributes are set within the operating system via the Control Panel - Network Connections - TCP/IP settings:

Interface	| IP Address	| Mask		| Gateway
External	|	|	|
Internal	|	|	| None

Open in new window

By default, ALL IP addresses are treated as hostile by ISA Server and therefore they are associated with the ISA Server External network entity. Any IP address that needs to be identified as associated with the internal network must be added to the Local Address table or LAT. The LAT is updated using the ISA GUI by selecting the following options - Configuration - Networks - Internal -…
I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime that I will blog this so that I don't keep retyping the same thing over and over again. Having been asked about it again, now is a good time to get on with as it is not hard to do.

In respect to DNS, the approach is simple and is based upon ensuring that ISA Server uses a consistent source for its name resolution. This does not mean that ISA can only use DNS, far from it, but setup correctly it means that ISA only uses controlled - and secured - resolution services. In respect to networking, this information does not really apply to ISA as a product but follows standard networking techniques of which ISA expects to be present and configured correctly. I will take the standard implementation of an ISA Server that has two or more NICs inserted and follows the best-practice guideance that states that ISA will be a member of an Active Directory based domain.

ISA Server - despite views to the contrary, is not a router. It uses the routing tables that are formed by the host operating system through local subnets, routing protocols if implemented, static routes and default gateways. Therefore before ISA or FTMG is even installed, network connectivity should be checked between itself (localhost) and the resources that the ISA/FTMG host …
There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server

SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its default gateway pointing to the ISA Server internal ip address or routes its default traffic to the ISA server internal ip address.

Web Proxy. A Web Proxy client for ISA server is a client machine, work station or server, that has its browser proxy settings pointing to the ISA IP address and the port set to match the port configured for web proxy traffic in the ISA GUI. The ISA Server default port number for web proxying is 8080.

ISA Firewall client. The ISA firewall client is a separate application supplied with the ISA Server installation media that can be installed on each work station as required. The purpose of the ISA firewall client application is to pass all traffic to ISA server and to carry the user credentials of the looged-in user for applications that, by default, cannot do so. An example would be an FTP client application - FTP packets do not have the ability to carry the user credentials within the data stream; if the ISA Server firewall policy has been set to allowed authenticated users only to use ftp then ISA will receive the initial packets and review its rule base. After seeing that the rule requires authentication, it will deny the request and pass a request back to the client asking for authentication …

Microsoft Forefront ISA Server





Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for Sharepoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or an highly-available array pairing.

Top Experts In
Microsoft Forefront ISA Server