The heart and soul of ISA functionality lies in the Firewall Policy settings. These settings control the behavior of ISA and how it responds to traffic sent to it, and are therefore very important. It is critical to understand the functionality and terminology of the Firewall Policy settings, or run the risk of a misconfiguration that could jeopardize the server's security.
Examining the Firewall Policy Node
The Firewall Policy node, shown in Figure 3.12, contains several critical and commonly used tools in the ISA Console. The Central Details pane details the rules deployed on the server. The rules are, by default, sorted by the order in which they are applied, with the first rules applied at the top of the list. This concept, familiar to many who are used to working with other firewalls, is a new concept for ISA Server 2004; ISA 2000 did not apply rules in a logical order.
In the Tasks pane on the right, three tabs are presented. The requisite Help tab displays common questions and help topics related to firewall policy. The Tasks tab contains a list of common tasks related to the node. Lastly, the Toolbox tab contains a very useful list of the elements in the ISA Server, such as network entities, content types, protocol descriptions, and the like.
Understanding Firewall Access Rules
A Firewall Access rule is simply a mechanism by which access is granted or denied for specific types of traffic through the ISA server. Rules are the means by which specific ports, applications, and other types of network traffic are either blocked or opened. If, for example, web access to the Internet is necessary for clients on the Internet network of an ISA configuration, a specific Firewall Access rule needs to be configured to specifically allow this type of access.In Figure 3.13, for example, several default rules that were created from the Network Template Wizard are illustrated.
In this example, four rules control the flow of traffic and specify what is allowed and what is denied through the firewall. Each rule in the CCentral Details pane can be sorted by multiple variables, listed as follows:Order
The order of the rule determines when it is processed. Whenever any type of traffic arrives at the ISA server, the firewall rules are applied in order, from lowest number to highest. If a match is made for the type of traffic, that firewall rule is processed and no further rules are parsed.Name
Names of rules are displayed in the console to aid in the identification of what each rule does. Names chosen for rules should ideally indicate the rule's function.Action
The action of a rule is one of two choices: Allow or Deny. For obvious reasons, it is critical to ensure that the rules have this field set properly.Protocols
The Protocols column displays to what common or custom-defined protocols the particular rule applies, such as HTTP, FTP, DNS, and others.From/Listener
The From/Listener column displays the network or listener from which rule traffic will arrive. ISA examines only the traffic from this network when applying the rule.To
The To column represents the destination of traffic. Only traffic sent to this network or set of networks will have the particular rule applied.Condition
The Condition column allows for individual rules to only apply to particular users or groups of users. User granularity can be allowed only when the Firewall Client is deployed, so this is often simply set to All Users when the full client is not deployed.
Advanced information on configuring access rules can be found in Chapter 5.
Examining Publishing Rules and the Concept of Reverse Proxy
A server publishing rule is more complicated than a simple network access rule, in that it allows the ISA Server to mimic a destination server such as a web server and act as a reverse proxy server to the client requests. A reverse proxy server is a system that acts as a bastion host for requesting clients, protecting the server from direct attack by proxying all requests that are sent to it, making them go through the reverse proxy server itself.Chapters 5 and 7, "Deploying ISA Server as a Reverse Proxy into an Existing Firewall DMZ. "
Understanding System Policy Rules and the System Policy Editor
System policies are often misunderstood or not taken into consideration, but are a fundamental component to every ISA installation. System policies are essentially a default set of firewall policies that allow the ISA Server to perform various system functions. Without system policies in place, ISA would be unable to perform any network functions at all, such as Windows Update, without them being specifically designated in manually created firewall policies.Basically speaking, system policies are really just firewall policies that have been preconfigured, but are hidden from view. Because the task of configuring an ISA Server would be time-consuming and ominous, these policies were configured as part of the firewall installation. It is wise, however, to examine each of these policies to ensure that they are truly necessary for the role that the ISA server will play in the organization. To view the system policies, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. Some of the default system policies are illustrated in Figure 3.14.
Defining the Contents of the Firewall Policy Toolbox
The Firewall Policy toolbox, shown in Figure 3.16, is an extremely useful function that organizes all the individual components of the firewall policies into one logical area. The toolbox is easily accessed by clicking on the toolbox tab in the Task pane.
Figure 3.16. Examining the Firewall Policy toolbox.
To examine individual items in the toolbox, click the down arrow to expand the particular section, such as Schedules or Users, and then select the object and click the Edit button. To create new objects, select the object container and click the New button.The toolbox comprises the following elements:Protocols
The Protocols toolbox contains a list of defined protocols that are used to communicate across networks. Common protocols such as DNS, HTTP, SMTP, POP, Telnet, MSN Messenger, and Ping are listed here, as well as more obscure protocols such as RIP, H.323, MMS, RTSP, and many others. By containing definitions for these protocols, you can easily configure ISA to create rules to block or allow them as necessary. In addition, you can create custom rules for protocols not in ISA's default list by clicking the New button in the toolbox. For information on creating custom and advanced protocol support, see Chapter 15.Users
The Users toolbox contains groupings of users that are useful for bulk application of firewall rules and other settings. The default groups created by ISA are All Authenticated Users, All Users, and System and Network Service. New groups can be created to logically organize different types of users to facilitate the creation of policies and rules. For more information on users and groups within ISA Server, refer to Chapter 11.Content Types
The Content Types toolbox allows for different applications and files to be organized according to the type of content they are. For example, a file that is downloaded via the web may be an audio file, an image, text, video, or any of several other options. Files that are grouped by content type can be controlled more easily, giving the ISA administrator an easy way to perform such actions as not allowing specific types of dangerous executables or other file types to be accessed. For more information on configuring and creating Content Types, see Chapter 15.Schedules
The Schedules toolbox allows for custom time schedules to be created. This can be extremely useful if there are organization-specific schedules that need to be consistently applied to multiple rules or parameters within projects. For example, a custom schedule could be created for scheduled maintenance, such as the dialog box shown in Figure 3.17 illustrates. This schedule can then be applied to default rules that deny connections during those periods of time.
Figure 3.17. Creating a custom schedule.
The Network Objects toolbox is perhaps the most important and commonly used of the toolboxes. All the configured network-related objects are listed in the toolbox, such as the Network Sets, Computer Sets, URL Sets, Address Ranges, and more. Even though the logical location for this toolbox would normally be under the network node, it has been placed with the rest of the toolboxes in the Firewall Policy node, so it is important to understand that distinction when looking for network settings, such as the location and configuration of web listeners and subnets. More information on using the Network Objects toolbox, including step-by-step descriptions, can be found in Chapter 5.
The toolbox serves as a "one-stop-shop" for many configuration settings in ISA, and can make the life of an administrator much easier through the creation of custom schedules, content types, users, protocols, and network objects. For these reasons, it is highly advisable to become familiar with these options.