About the Microsoft Firewall Service

Internet Security and Acceleration Server 2004/2006 SDK

The Microsoft® Firewall service (fwsrv) is a generic, circuit-level proxy for Windows Sockets (Winsock) applications. The Firewall service makes Telnet, e-mail, news, Microsoft Media Player, RealNetworks RealAudio, Internet Relay Chat (IRC), and other Winsock-compatible client applications perform as though they were connected directly to the Internet. The client application makes Winsock application programming interface (API) calls to communicate with an application running on an Internet-based host. The Firewall service redirects the necessary functions to the ISA Server computer, thus establishing a communication path from the internal application to the Internet application through the ISA Server computer. This redirection eliminates the need for a specific gateway for each protocol, such as Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Telnet, or File Transfer Protocol (FTP). The Firewall service therefore allows applications with no built-in proxy support to benefit from proxy service without any protocol-specific gateway.

The Firewall service runs as a stand-alone service on Microsoft Windows Server™ 2003 and Windows® 2000 Server operating systems. It establishes gateway connections between the Windows Sockets (Winsock) applications on the client and the Internet host. The local network remains secure, because communication is channeled through the ISA Server computer. The Firewall service can be enhanced by using application filters.

You can determine whether the Firewall service is running through the FirewallServiceStatus property of the FPCServer object. The Firewall service can be started by calling the StartFirewallService method, and it can be stopped by calling the StopFirewallService method.

The Firewall service can be stopped manually in ISA Server Management, or programmatically using a script. The Firewall service can also be shut down when an event signals an alert (an FPCAlert object) that is configured to shut it down. Whenever the Firewall service shuts down, ISA Server enters lockdown mode. Lockdown mode combines the need for isolation with the need to stay connected.
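The following script is an added example, not part of the SDK or this topic: it reads FirewallServiceStatus on the local FPCServer object and, if the service is stopped (that is, ISA Server is in lockdown mode), calls StartFirewallService to bring the server out of lockdown. It assumes the administration COM objects are registered on the machine (the "FPC.Root" ProgID and its GetContainingServer method) and that the FirewallServiceStatus values mirror the Win32 service state codes (1 = stopped, 2 = start pending, 3 = stop pending, 4 = running); both are assumptions, not stated on this page.

```vbscript
' Added example (not SDK code): report the Firewall service state and,
' if it is stopped (ISA Server in lockdown mode), start it again.
' Assumptions: the "FPC.Root" ProgID and GetContainingServer method exist
' locally, and FirewallServiceStatus uses the Win32 service state codes.
Option Explicit

Const STATUS_STOPPED       = 1   ' assumed value
Const STATUS_START_PENDING = 2   ' assumed value
Const STATUS_STOP_PENDING  = 3   ' assumed value
Const STATUS_RUNNING       = 4   ' assumed value

' Map a FirewallServiceStatus value to a readable description.
Function StatusName(status)
    Select Case status
        Case STATUS_STOPPED
            StatusName = "Stopped (ISA Server is in lockdown mode)"
        Case STATUS_START_PENDING
            StatusName = "Start pending"
        Case STATUS_STOP_PENDING
            StatusName = "Stop pending"
        Case STATUS_RUNNING
            StatusName = "Running"
        Case Else
            StatusName = "Unknown (" & status & ")"
    End Select
End Function

Dim root, server, status
Set root = CreateObject("FPC.Root")          ' assumed ProgID of the SDK root object
Set server = root.GetContainingServer()      ' FPCServer for the local computer

status = server.FirewallServiceStatus
WScript.Echo "Firewall service (fwsrv) status: " & StatusName(status)

If status = STATUS_STOPPED Then
    ' While the service is down only the lockdown system policy rules admit
    ' incoming traffic, and network configuration changes wait until the
    ' service restarts; starting it ends lockdown mode.
    WScript.Echo "Starting the Firewall service to exit lockdown mode..."
    server.StartFirewallService
    WScript.Echo "Start requested; status now: " & _
                 StatusName(server.FirewallServiceStatus)
End If
```

Run it with cscript.exe under an account that is an ISA Server administrator; a status other than the four listed values indicates the enumeration assumption above does not hold for the installed version.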

In lockdown mode, the following functionality applies:

  • The kernel-mode packet filter driver (fweng) applies the firewall policy.
  • Only the following system policy rules continue to allow incoming traffic to the Local Host network:

    • Allow remote management from selected computers using MMC.
    • Allow remote management from selected computers using Terminal Server.
    • Allow DHCP replies from DHCP servers to ISA Server.
    • Allow ICMP (PING) requests from selected computers to ISA Server.
    • Allow access from trusted servers to the local Configuration Storage server (only on a Configuration Storage Server in Enterprise Edition).
  • Outgoing traffic from the Local Host network to all networks is allowed. If an outgoing connection is established, that connection can be used to respond to incoming traffic. For example, a DNS query can receive a DNS response on the same connection.
  • VPN remote access clients cannot access ISA Server. Similarly, access is denied to remote site networks in site-to-site VPN scenarios.
  • Any changes to the network configuration while in lockdown mode are applied only after the Firewall service restarts and ISA Server exits lockdown mode.
  • ISA Server does not issue any alerts.

This section contains the following topics: