Administering stand-alone servers,

arrays, and the enterprise

You install Microsoft Internet Security and Acceleration (ISA) Server as a stand-alone
server or as an array member. In both cases, ISA Management shows the server as
belonging to an array.
When you install an array member, you specify the array to which it belongs.
For stand-alone servers, as part of the installation process, an array with the same name
as the ISA Server computer is created.
For more information, see The enterprise, arrays, and stand-alone servers.

Array policy for stand-alone servers

Stand-alone servers have an array policy. Depending on installation mode, the array
policy consists of:
 Policy elements. Includes schedules, bandwidth priorities, destination sets, client address sets,
protocol definitions, content groups, and dial-up entries. For more information, see Policy
elements.

 Access policy rules. Includes site and content rules, protocol rules, and Internet Protocol (IP)
packet filters. For more information, see Configuring access policy.

 Publishing rules. Includes server publishing and Web publishing rules. For more information, see
Configuring publishing.

 Cache configuration. Includes cache size, expiration policy. For more information, see
Configuring ISA Server cache.

 Routing rules. Determine whether a Web Proxy client request is retrieved directly from the
specified destination or redirected to an upstream server. For more information, see Routing Web
requests.

 Bandwidth rules. Set priorities for any request passing through ISA Server. For more
information, see Configuring bandwidth rules.

 Local address table and local domain table configuration. These tables include the IP
addresses or names of all internal computers. For more information, see Configuring the local
address table and Configuring the local domain table.

Array and enterprise policies for array members

If you install ISA Server as an array member, enterprise policy settings determine
whether an array policy can be created and which types of rules can be included in the
array policy. See Applying enterprise policy for more information.
The enterprise administrator is responsible not only for creating and configuring
enterprise policy, but also for determining how and if that policy should be applied to all
the arrays in the enterprise.
The enterprise policy includes site and content rules and protocol rules. The enterprise
policy can be applied to any array and can be augmented by the array's own policy. This
enables administrators at branch and departmental levels to adopt governing enterprise
policies.
More than one enterprise policy can be created. Each enterprise policy can be applied to
one or more arrays. You can configure permissions for the enterprise policies, limiting
which administrators can configure the rules. For more information, see Configuring
permissions.
You can also create policy elements at the enterprise level. These policy elements can be
used by enterprise-level rules or by array-level rules.
If the array uses only an array policy (no enterprise policy), then you cannot modify the
array's policy settings to use an enterprise policy. Likewise, if the array uses an enterprise
policy, you cannot change the array's policy settings to use only an array policy (set to
Array policy only.
For configuration instructions, see Create an enterprise policy.

Managing remote arrays

You can use ISA Server to manage more than one stand-alone server at a time. Each
stand-alone server belongs to its own array. Each has its own array policy, which you can
configure by creating rules and modifying properties. For more information, see Using
remote administration.
For array members, all the arrays in the enterprise are displayed in ISA Management.
You can only configure the arrays in the enterprise only if you have the appropriate
permissions. For more information, see Configuring permissions.

Policy elements
Some rule properties can be set to values that are defined beyond the scope of the rule
itself. The group of these properties is called policy elements. You can create policy
elements for each array policy and for the enterprise policy. Policy elements include:
 Bandwidth priorities

 Client address sets

 Content groups

 Destination sets
  Dial-up entries

 Protocol definitions

 Schedule

For more information, see Configuring destination sets, Configuring client address sets,
Configuring bandwidth priorities, Configuring protocol definitions, Configuring content
groups, and Configuring dial-up entries.

Array-level and enterprise-level policy elements

As an enterprise administrator, you can define enterprise-level policy elements.
Enterprise-level policy elements can be used when you create enterprise-level rules.
When array policies and enterprise policies are used together, you can also apply array-
level rules to enterprise-level policy elements.
For stand-alone servers, you can only create array-level policy elements.

Configuring destination sets

A destination is a computer name, Internet Protocol (IP) address, or IP range and can
include a path. Destination sets include one or more computers or folders on specific
computers.
Rules can be applied to all destination sets, to all computers except for the specified
destination sets, or to one specific destination set. For more information, see Create a
destination set.
Computers can be specified by domain name or by a range of IP addresses. You can use
an asterisk (*) as a wildcard when you specify the computer name. For example, to
specify all computers in the microsoft.com domain, type the destination as
*.microsoft.com. Note that the asterisk can appear only at the start of the domain name,
and can be specified only once in the name.
You can also indicate specific paths on a computer that can or cannot be accessed by
clients. The path can also include an asterisk as a wildcard. For example, to specify all
URLs under path /somedir, type the path as /somedir/*. The asterisk can appear only
once and can be specified only at the end of the path.
Use this format when you specify a destination. The computer name, path, and file name
are not case sensitive.
 Specify computer name, using the fully qualified domain name (FQDN). For example, write
computer_name.microsoft.com, and not //computer_name.

 To include a specific folder in the destination set:

 /Path/Folder_Name
 To include all the files in a folder:

/Path/Folder_Name/*
 To select a specific file in a folder:

/Path/Folder_Name/Filename
Rules can be applied to internal destination sets or external destination sets. Internal
destination sets are groups of computers within your local network. External destination
sets include computers outside the local network.
The following rules can specify destination sets:
 Site and content rules.

 Bandwidth rules.

 Web publishing rules.

 Routing rules.

For site and content rules and bandwidth rules, destination sets usually include computers
that are not on your internal network. For Web publishing rules, destination sets usually
include computers on your internal network. For routing rules, destination sets include
external computers (on the Internet) for rules that route outgoing Web requests. Routing
rules that route incoming Web requests include internal computers.
For more information, see Site and content rules, Configuring bandwidth rules, Routing
Web requests, and Web publishing rules.

Configuring client address sets

Client address sets include one or more computers. You can apply rules to one or more
specific client address sets or to all addresses except the specified client address sets. The
following rules can specify client address sets:
 Site and content rules

 Protocol rules

 Bandwidth rules

 Server publishing rules

 Web publishing rules

For more information, see Site and content rules, Protocol rules, Configuring bandwidth
rules, and Create a client address set.
Users and groups
When you create rules, you can specify the internal clients to which the rule is applied.
Clients can be specified either by user name or by Internet Protocol (IP) address.
For secure network address translation (SecureNAT) clients, you must specify clients by
IP address. You can create client address sets, which group client computers by IP
address.
For Firewall clients, when you specify clients by user name, you can use the
Windows 2000 groups.
For configuration instructions, see Configure users for an access rule.

Site and content rules

You can grant or deny access to the Internet by creating site and content rules. Site and
content rules determine if and when content on specific destination sets can be accessed
by users or client address sets.
When a client requests an object, Microsoft Internet Security and Acceleration (ISA)
Server checks the site and content rules. If a site and content rule specifically denies the
request, access is denied. Furthermore, the request will be fulfilled only if a site and
content rule specifically allows the client access to the content and if the client is allowed
to communicate using the specific protocol. In other words, to allow access to the
Internet, you must perform the following steps:
1. Create a site and content rule indicating clients that are allowed access to specific destination sets.

2. Create a protocol rule indicating which protocols can be used to access the specific destinations.

For configuration instructions, see Create a site and content rule.

Processing order
Although site and content rules are not ordered, rules that deny access are processed
before rules that allow access. For example, if you create two rules, one of which allows
access to all clients and one of which denies access to all users in the Sales department,
the Sales department cannot gain access to the Internet.
For more information on how ISA Server processes requests, see Controlling outgoing
requests and Rules and authentication.

Action
Site and content rules can either allow or deny access to specific sites. If access is denied,
then for Hypertext Transfer Protocol (HTTP) objects, the request can be redirected to an
alternate Uniform Resource Locator (URL)—typically a page on an internal server—
explaining why access is denied.
When you specify the destination to which to redirect the request, you can specify a
whole different location by typing http:// and then the URL of the location to which to
redirect the request.
When access is denied, ISA Server sends the URL specified here to the Web browser
client. The client Web browser then tries to access the object from the destination to
which ISA Server redirected.
For example, suppose a site and content rule denies access to
http://example.microsoft.com/, redirecting requests for this site to
http://widgets.microsoft.com/accessdenied.htm. When a client requests an object on
http://example.microsoft.com/, ISA Server denies the request, and returns
http://widgets.microsoft.com/accessdenied.htm to the client. The client then requests
http://widgets.microsoft.com/accessdenied.htm.
Important
 If you choose to redirect the request, then the URL that you specify must be accessible to the
selected clients or users. In other words, either the URL must be on an internal computer or some
rule must explicitly allow access to the URL.

For more information, see Configure an action for a site and content rule.

Destination sets and path processing

When you create a site and content rule, you specify which destinations are accessible.
Destination sets can include Internet protocol (IP) addresses of specific computers or
computer names. In either case, you can specify a particular path on the computer to
include in the destination set. For more information, see Configuring destination sets.
ISA Server processes the site and content rule differently, depending on which type of
client requests the object and what type of content is requested. In particular, ISA Server
may ignore any path specified in the destination set, for particular clients or protocols
used. The table below details whether ISA Server processes the path specified for the
computers in the destination set.
Web Proxy Secure network address translation Firewall
client (SecureNAT) client client
File Transfer Protocol (FTP) content Yes No No
HTTP content Yes Yes Yes
Secure Hypertext Transfer Protocol
No No No
(HTTPS) content
This is true only when the HTTP is enabled and configured to redirect to the local Web
Proxy service. For more information, see HTTP redirector filter.
When ISA Server processes a request for which path processing is not supported (for
example, any non-HTTP request), ISA Server ignores all destinations for which a path is
specified. This does not imply that ISA Server ignores the rule that references the
destination. For example, assume that you have a rule that denies access to two
destinations: //example.microsoft.com/example and widgets.microsoft.com. A request to
access Network News Transfer Protocol (NNTP) content from example.microsoft.com
will not be denied. A request to access NNTP content from widgets.microsoft.com will
be denied.
For Secure Hypertext Transfer Protocol (HTTPS) requests, if a rule denies requests to a
destination that specifies a path, ISA Server denies all content on the computer, not
limited to the path. For example, if a rule is configured to deny HTTPS access to
example.microsoft.com/example, then ISA Server will deny access to all access at
example.microsoft.com.

Array-level and enterprise-level site and content rules

Site and content rules can be created at both the array level and at the enterprise level.
When an array policy is allowed, then its site and content rules can only further restrict
enterprise-level site and content rules. The array-level site and content rules can only
deny access to specific sites or content. For more information on enterprise policy, see
Applying enterprise policy.

Example
If you want to deny access to all images in http://example.microsoft.com/stuff, create a
site and content rule with the following properties:
 Set Destination set to a set that includes the following path:

example.microsoft.com/stuff/*
 Set Schedule to Always.

 Set Action to Deny access to the requested site.

 Set Applies to to All requests.

 Set Content to the Images content group.

For a deployment scenario that illustrates the use of protocol rules, see Firewall scenario.

Protocol rules
Protocol rules determine which protocols clients can use to access the Internet. You can
define protocol rules that allow or deny use of one or more protocol definitions. For more
information, see Create a protocol rule.

Protocols
You can configure protocol rules to apply to all Internet protocol (IP) traffic, to a specific
set of protocols definitions, or to all IP traffic except selected protocols.
If Microsoft Internet Security and Acceleration (ISA) Server is installed in cache mode,
protocol rules can be applied only to Hypertext Transfer Protocol (HTTP), Secure
Hypertext Transfer Protocol (HTTPS), Gopher, and File Transfer Protocol (FTP)
protocols.
ISA Server includes a list of preconfigured, well-known protocol definitions, including
the Internet protocols which are most widely used. You can also add or modify additional
protocols. For more information, see Configuring protocol definitions.
When a client requests an object using a specific protocol, ISA Server checks the
protocol rules. If a protocol rule specifically denies use of the protocol, the request is
denied. Furthermore, the request will be processed only if a protocol rule specifically
allows the client to communicate using the specific protocol, and if a site and content rule
specifically allows access to the requested object. In other words, you must perform the
following to allow access:
1. Create a protocol rule, indicating which protocols can be used to access the specific destinations.

2. Create a site and content rule, indicating clients that are allowed access to specific destination sets.

Some application filters create and install new protocol definitions. When the application
filter is disabled, all its protocol definitions are also disabled. That is, traffic that uses the
protocol definition is blocked. For example, if you disable the streaming media filter,
then all traffic that uses the Windows Media and Real Networks protocol definitions is
blocked.
Other application filters traffic of existing protocol definitions, either user-defined or
configured by ISA Server. When these application filters are disabled, the protocol
definitions that they filter are not disabled. For example, even if you disable the Simple
Mail Transfer Protocol (SMTP) filter, SMTP protocol definitions might still be allowed
to pass, left unfiltered.
For more information, see Using extensions.

Protocol rules for SecureNAT clients

Protocol rules apply to Firewall clients and to secure network address translation
(SecureNAT) clients. If the protocol is defined by an application filter, then the protocol
rule applies to both Firewall and SecureNAT clients. If the protocol rule applies to a
protocol that has only a primary connection—for example, HTTP—then the rule applies
to both Firewall and SecureNAT clients.
If a protocol has secondary connections, and it is not defined by an application filter, then
the protocol rule applies only to the primary connection. In other words, if an application
uses a protocol that has secondary connection, then this application will work only on
Firewall client.
For SecureNAT clients, if you configure a protocol rule to apply to all IP traffic, the rule
will actually apply only to all defined protocols.
For more information on clients, see Firewall clients and SecureNAT clients.

Processing order
Although protocol rules are not ordered, rules that deny protocols are processed before
rules that allow access. For example, if you create two rules, one rule that allows use of
all protocols and one rule that denies use of the SMTP protocol, the SMTP protocol will
not be allowed.
For more information on how ISA Server processes requests, see Controlling outgoing
requests and Rules and authentication.

Array-level and enterprise-level protocol rules

Protocol rules can be created at both the array level and at the enterprise level. When an
array policy is allowed, then its protocol rules can only further restrict enterprise-level
protocol rules. In other words, the array-level protocol rules can only deny use of specific
protocols. For more information on enterprise policy, see Applying enterprise policy.

Examples
Suppose you want to prohibit a group of users in your organization from using MSN
Messenger during work hours. You can create a protocol rule to enforce this policy by
configuring the following parameters:
 Select the MSN Messenger protocol.

 Select the Work Hours schedule.

 Select Requests coming from specified users and groups.

 Select the appropriate user group.

 Set Action to Deny the request.

For a deployment scenario that illustrates the use of protocol rules, see Firewall scenario.

Configuring bandwidth rules

Bandwidth rules set priorities for any request passing through Microsoft Internet Security
and Acceleration (ISA) Server, as defined by the following parameters:
 One or more protocol definitions

 Users or Internet Protocol (IP) addresses

  Destination sets

 Schedule

 Content types

For configuration instructions, see Create a bandwidth rule.

You can set the bandwidth priority either to the default scheduling priority or to a
bandwidth priority you have configured. If you select the default setting, then the
specified communication is guaranteed a minimum network bandwidth.
Note that connections that have specific bandwidth priorities will require some additional
overhead while establishing the connection.
Note
 Bandwidth rules are not applied when ISA Server returns cached content to an internal computer
or to intra-array communication.

Rule order
Bandwidth rules are ordered, with the default bandwidth rule processed last. For each
new connection, the ISA Server computer processes the bandwidth rules in order. The
first rule is processed first. If the request matches the conditions specified by the rule, the
bandwidth priority is applied to the request. Otherwise, the next rule is processed. This
continues until the last default rule is processed and applied to the request. For
instructions on ordering rules, see Change the order of a bandwidth rule.

Default bandwidth rule

When you install ISA Server, it configures a default bandwidth rule. The default rule
assures that communication without an assigned bandwidth rule will be allocated the
minimum bandwidth assured by the Windows 2000 default scheduling.
The default bandwidth rule is always last in order. It cannot be modified or deleted.

Scenario
For example, imagine that you create a bandwidth rule called VIP that uses a bandwidth
priority called Maximum, which sets outbound and inbound bandwidth to the maximum
rate of 200. The bandwidth rule might allow a client set that includes all senior executives
and specifies all protocols, any content, and at any time.
In the scenario, it is assumed that the network is fairly congested and only a limited
amount of bandwidth remains. When two requests arrive, one from two senior executives
and one from any other employee, the VIP bandwidth will be split between the two
requests from the senior executives and the remaining bandwidth will be allocated to the
other employee.
To create a client address set
1. In the console tree of ISA Management, right-click Client Address Sets, point to New, and then
click Set.

For array policy client address sets, where?

o Internet Security and Acceleration Server

o Servers and Arrays

o Name

o Policy Elements

o Client Address Sets

For enterprise policy client address sets, where?

o Internet Security and Acceleration Server

o Enterprise

o Policy Elements

o Client Address Sets

2. In Name, type a name for the set.

3. (Optional) In Description, type a description for the set.

4. Click Add.

5. In From, type an Internet protocol (IP) address for the lowest IP address in the set.

6. In To, type an IP address for the highest IP address in the set.

Notes
 To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and
then click ISA Management.

 To edit an address, in Members, click the address, then click Edit.

 To delete an address, in Members, click the address, then click Remove.

 If you want to include only one IP address in the set, type the same address in From and To.

To configure users for an access policy rule

1. In the console tree of ISA Management, click one of the following:

o For array policy, Access Policy.

 Where?
 Internet Security and Acceleration Server

 Servers and Arrays

 Name

 Access Policy

o For enterprise policy, click the applicable enterprise policy.

Where?
 Internet Security and Acceleration Server

 Enterprise

 Policies

 Enterprise Policy

2. On the View menu, select Advanced.

3. In the details pane, right-click the applicable rule and then click Properties.

4. To specify clients for the rule, on the Applies To tab, do one of the following:

o Click Any request.

o Click Client address sets specified below.

o Click Users or groups specified below.

5. If you selected Requests from specified users or groups or Requests from specified client
address sets, then do the following:

o To add users or clients to Applies to requests coming from, click Add.

o To add users or clients to Exceptions, click Add.

Notes
 To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and
then click ISA Management.

 You can configure users for site and content rules and for protocol rules.

 Users will be authenticated differently, depending on how you configure ISA Server.

Configuring bandwidth priorities

Bandwidth priorities define the priority level applied to connections that pass through
Microsoft Internet Security and Acceleration (ISA) Server. Network connections without
an assigned bandwidth priority have lower priority than connections with assigned
priorities and network connections with lower priorities have less of a chance to pass
through ISA Server than a connection with a higher bandwidth priority.
Bandwidth priorities are directional and can be controlled as:
 Outbound bandwidth, the bandwidth priority allocated for requests from internal clients for
objects on the Internet.

 Inbound bandwidth, the bandwidth priority allocated for requests from external clients for
objects on the local network.

The bandwidth priority can be any number between 1 and 200.

You can use the bandwidth priority to create and configure bandwidth rules, which
determine how much scheduling priority is allocated for specific network connections.
For example, you can create a bandwidth priority called Best Access with outbound and
inbound bandwidth priority set to 10. You can also create a bandwidth priority called
Good Access, with outbound and inbound bandwidth set to 1. Then you can use these
bandwidth priorities when you configure bandwidth rules.
For more information, see Configuring bandwidth rules. For configuration instructions,
see Create a bandwidth priority.

Configuring bandwidth rules

Bandwidth rules set priorities for any request passing through Microsoft Internet Security
and Acceleration (ISA) Server, as defined by the following parameters:
 One or more protocol definitions

 Users or Internet Protocol (IP) addresses

 Destination sets

 Schedule

 Content types

For configuration instructions, see Create a bandwidth rule.

You can set the bandwidth priority either to the default scheduling priority or to a
bandwidth priority you have configured. If you select the default setting, then the
specified communication is guaranteed a minimum network bandwidth.
Note that connections that have specific bandwidth priorities will require some additional
overhead while establishing the connection.
Note
  Bandwidth rules are not applied when ISA Server returns cached content to an internal computer
or to intra-array communication.

Rule order
Bandwidth rules are ordered, with the default bandwidth rule processed last. For each
new connection, the ISA Server computer processes the bandwidth rules in order. The
first rule is processed first. If the request matches the conditions specified by the rule, the
bandwidth priority is applied to the request. Otherwise, the next rule is processed. This
continues until the last default rule is processed and applied to the request. For
instructions on ordering rules, see Change the order of a bandwidth rule.

Default bandwidth rule

When you install ISA Server, it configures a default bandwidth rule. The default rule
assures that communication without an assigned bandwidth rule will be allocated the
minimum bandwidth assured by the Windows 2000 default scheduling.
The default bandwidth rule is always last in order. It cannot be modified or deleted.

Scenario
For example, imagine that you create a bandwidth rule called VIP that uses a bandwidth
priority called Maximum, which sets outbound and inbound bandwidth to the maximum
rate of 200. The bandwidth rule might allow a client set that includes all senior executives
and specifies all protocols, any content, and at any time.
In the scenario, it is assumed that the network is fairly congested and only a limited
amount of bandwidth remains. When two requests arrive, one from two senior executives
and one from any other employee, the VIP bandwidth will be split between the two
requests from the senior executives and the remaining bandwidth will be allocated to the
other employee.

To create a bandwidth priority

1. In the console tree of ISA Management, right-click Bandwidth Priorities, click New and then
click Bandwidth priority.

Where?
o Internet Security and Acceleration Server

o Servers and Arrays

o Name

o Policy Elements

o Bandwidth Priorities
 2. In Name, type the name of the bandwidth priority.

3. (Optional) In Description, type a description for the bandwidth priority.

4. In Outbound bandwidth, type a number between 1 and 200.

5. In Inbound bandwidth, type a number between 1 and 200.

Notes
 To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and
then click ISA Management.

Configuring content groups

Content groups specify Multipurpose Internet Mail Extensions (MIME) types and file
name extensions. When you create a site and content rule or a bandwidth rule, you can
limit the rule application to specific content groups. This allows you to be more specific
when you configure security policy, as you can limit access not only to a particular
destination, but also to specific content.
Content groups apply only to Hypertext Transfer Protocol (HTTP) and tunneled File
Transfer Protocol (FTP) traffic, which passes through the Web Proxy service.
When a client requests FTP content, Microsoft Internet Security and Acceleration (ISA)
Server checks the file name extension of the requested object. ISA Server determines if a
rule applies to a content group that includes the requested file name extension and
processes the rule accordingly.
When a client requests HTTP content, ISA Server sends the request to the Web server.
When the Web server returns the object, ISA Server checks the object's MIME type or its
file name extension, depending on the header information returned by the Web server.
ISA Server determines if a rule applies to a content group that includes the requested file
name extension, and processes the rule accordingly.
Content groups do not apply to HTTPS content.
When you create content groups, it is recommended that you specify the content's MIME
type and file name extension. For example, to include all Director files in a content
group, select the following file name extensions and MIME types:
 .dir

 .dxr

 .dcr

 application/x-director
When you configure a content group, specifying the MIME type, you can use asterisks as
wildcards. For example, to include all application types, enter application/*. The asterisk
wildcards can be used only with MIME types (and not with file extensions). The asterisk
can appear only once and can be specified only at the end of the MIME type after /.
For configuration instructions, see Create a content group.
ISA Server comes preconfigured with the following content groups: Application,
Application data files, Audio, Compressed files, Documents, HTML documents, Images,
Macro documents, Text, Video, and VRML.
Depending on the Web server, different MIME types are associated with different file
name extensions. The table below lists the Internet Information Services (IIS) default
associations.
File Name Extension MIME Type
.hta application/hta
.isp application/x-internet-signup
.crd application/x-mscardfile
.pmc application/x-perfmon
.spc application/x-pkcs7-certificates
.sv4crc application/x-sv4crc
.bin application/octet-stream
.clp application/x-msclip
.mny application/x-msmoney
.p7r application/x-pkcs7-certreqresp
.evy application/envoy
.p7s application/pkcs7-signature
.eps application/postscript
.setreg application/set-registration-initiation
.xlm application/vnd.ms-excel
.cpio application/x-cpio
.dvi application/x-dvi
.p7b application/x-pkcs7-certificates
.doc application/msword
.dot application/msword
.p7c application/pkcs7-mime
.ps application/postscript
.wps application/vnd.ms-works
.csh application/x-csh
.iii application/x-iphone
.pmw application/x-perfmon
.man application/x-troff-man
.hdf application/x-hdf
.mvb application/x-msmediaview
.texi application/x-texinfo
.setpay application/set-payment-initiation
.stl application/vndms-pkistl
.mdb application/x-msaccess
.oda application/oda
.hlp application/winhlp
.nc application/x-netcdf
.sh application/x-sh
.shar application/x-shar
.tcl application/x-tcl
.ms application/x-troff-ms
.ods application/oleobject
.axs application/olescript
.xla application/vnd.ms-excel
.mpp application/vnd.ms-project
.dir application/x-director
.sit application/x-stuffit
.* application/octet-stream
.crl application/pkix-crl
.ai application/postscript
.xls application/vnd.ms-excel
.wks application/vnd.ms-works
.ins application/x-internet-signup
.pub application/x-mspublisher
.wri application/x-mswrite
.spl application/futuresplash
.hqx application/mac-binhex40
.p10 application/pkcs10
.xlc application/vnd.ms-excel
.xlt application/vnd.ms-excel
.dxr application/x-director
.js application/x-javascript
.m13 application/x-msmediaview
.trm application/x-msterminal
.pml application/x-perfmon
.me application/x-troff-me
.wcm application/vnd.ms-works
.latex application/x-latex
.m14 application/x-msmediaview
.wmf application/x-msmetafile
.cer application/x-x509-ca-cert
.zip application/x-zip-compressed
.p12 application/x-pkcs12
.pfx application/x-pkcs12
.der application/x-x509-ca-cert
.pdf application/pdf
.xlw application/vnd.ms-excel
.texinfo application/x-texinfo
.p7m application/pkcs7-mime
.pps application/vnd.ms-powerpoint
.dcr application/x-director
.gtar application/x-gtar
.sct text/scriptlet
.fif application/fractals
.exe application/octet-stream
.ppt application/vnd.ms-powerpoint
.sst application/vndms-pkicertstore
.pko application/vndms-pkipko
.scd application/x-msschedule
.tar application/x-tar
.roff application/x-troff
.t application/x-troff
.prf application/pics-rules
.rtf application/rtf
.pot application/vnd.ms-powerpoint
.wdb application/vnd.ms-works
.bcpio application/x-bcpio
.dll application/x-msdownload
.pma application/x-perfmon
.pmr application/x-perfmon
.tr application/x-troff
.src application/x-wais-source
.acx application/internet-property-stream
.cat application/vndms-pkiseccat
.cdf application/x-cdf
.tgz application/x-compressed
.sv4cpio application/x-sv4cpio
.tex application/x-tex
.ustar application/x-ustar
.crt application/x-x509-ca-cert
.ra audio/x-pn-realaudio
.mid audio/mid
.au audio/basic
.snd audio/basic
.wav audio/wav
.aifc audio/aiff
.m3u audio/x-mpegurl
.ram audio/x-pn-realaudio
.aiff audio/aiff
.rmi audio/mid
.aif audio/x-aiff
.mp3 audio/mpeg
.gz application/x-gzip
.z application/x-compress
.tsv text/tab-separated-values
.xml text/xml
.323 text/h323
.htt text/webviewhtml
.stm text/html
.html text/html
.xsl text/xml
.htm text/html
.cod image/cis-cod
.ief image/ief
.pbm image/x-portable-bitmap
.tiff image/tiff
.ppm image/x-portable-pixmap
.rgb image/x-rgb
.dib image/bmp
.jpeg image/jpeg
.cmx image/x-cmx
.pnm image/x-portable-anymap
.jpe image/jpeg
.jfif image/pjpeg
.tif image/tiff
.jpg image/jpeg
.xbm image/x-xbitmap
.ras image/x-cmu-raster
.gif image/gif