About URL Scanning

ISA Server Feature Pack 1 installs URLScan version 2.5, as a Web filter. URLScan screens all incoming Web requests to the ISA Server computer, and only allows requests that comply with a configurable rule set to pass through to the published Web servers. This significantly improves the security of the IIS Server computer, by helping ensure that it only responds to valid requests.

With URL scanning, you can filter requests based on length, character set, content, and other parameters. You can specify which verbs (HTTP methods), headers, extensions, and strings are acceptable in users' HTTP requests.

The URLScan Web filter applies only to incoming traffic.

URL scanning is applied to all Web publishing rules, including Microsoft® Exchange Outlook® Web Access (OWA) servers. By enabling URL scanning on all traffic destined for the Outlook Web Access server, you can discard suspect messages, before they enter your network.


The URLScan Web Filter is enabled when installation completes. The filter helps block traffic that may pose a security risk to your network. After installation, some Web sites may be inaccessible to users. See Enable or disable URL Scanning for instructions on enabling and disabling the URLScan Web filter.


To help ensure optimal security, install latest security patches on the IIS Server computer. Also, install Urlscan 2.5 on each published IIS Server.

Functional differences: URLScan 2.5 for IIS Server vs URLScan Web Filter for ISA Server

The URLScan Web filter functions differently when installed on an ISA Server computer than it does on an IIS Server computer. There are two major differences:

When the URLScan Web filter is installed on ISA Server, it does not block requests that include directory traversal. To block directory traversal requests, you can create Web publishing rules on ISA Server, which apply to specific destination sets.

The URLScan Web filter processes requests before passing them on to the published IIS Server computer. For this reason, the AllowLateScanning option in the URLScan Web filter configuration file is not relevant.

For more information about the URLScan options, see About URLScan.ini.

URLScan Configuration Files

A default rule set is provided in a configuration file, which can be customized to meet the needs of a particular server. When you install the URLScan Web filter, two configuration files are installed to the ISA Server installation folder.

URLScan_owa.ini. This configuration file is optimized to help securely publish Microsoft® Exchange Outlook® Web Access (OWA) servers. Note that this configuration file is not compatible with other versions of URLScan.

URLScan_iis.ini. This configuration file is useful for standard IIS Server publishing.

As part of the installation process, you select the configuration file to be used by the URLScan Web filter. The selected configuration file is copied to the URLScan.ini file, which is also located in the ISA Server installation folder.

For more information on the URLScan configuration file, see About URLScan.ini. Additional URL scanning configuration files are available from the ISA Server Feature Pack 1 Web site(http://www.microsoft.com/).

URLScan and Arrays

The URLScan Web filter must be installed on all ISA Server computers in the array. This means that the Feature Pack should be installed on all the servers in the array. Furthermore, be sure that you select the same configuration file for each ISA Server computer in the array.

© 2017 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies