Understanding Firewall Policy RulesFirewall policy rules are distinct from network rules in that they define what types of traffic and applications will be supported between the network segments. For example, an administrator may want to configure a firewall rule to allow web traffic from internal clients to the Internet. Firewall Policy Rules, shown in Figure 5.9, are the heart of ISA's firewall functionality. They define what is allowed and what is denied for specific networks, users, and protocols.
Figure 5.9. Examining firewall policy.[View full size image]
Modifying Firewall Policy RulesIf the Network Template Wizard was run, and a default policy other than Block All was enacted, then a set of predefined rules should already exist on the newly configured ISA server. Double-clicking on these rules individually is the way to modify them. The properties box for a rule, shown in Figure 5.10, contains multiple configuration options on each of the tabs as follows:General tab The General tab allows for modification of the rule name and also can be used to enable or disable a rule. A disabled rule still shows up in the list, but is not applied.Action tab The Action tab defines whether the rule allows or denies the type of traffic defined in the rule itself. In addition, it gives the option of logging traffic associated with the rule (the default) or not.Protocols tab The Protocols tab is important in the rule definition. It defines what type of traffic is allowed or denied by the rule. The rule can be configured to apply to all outbound traffic, selected protocols, or all outbound traffic except for the types selected. Default protocol definitions that come with ISA server can be used, as well as any custom protocol definitions that are created. In addition, this tab is where the port filtering and Application-layer filtering options are accessed, via the Filtering and Ports buttons.From tab The From tab simply defines from which network or networks the originating traffic to which the rule applies will come.To tab The To tab reverses this, and makes it possible to define for what source network or networks the particular traffic is aimed.Users tab The Users tab, normally set to All Users by default, is used only when the full ISA Firewall client is deployed on client desktops. The client software allows unique users to be identified, allowing for specific rules to apply to each one as a group or individual user. For example, a group could be created whose members have full web access, whereas others are restricted.Schedule tab The Schedule tab allows for the rule to apply during only specific intervals and to be inactive in others.Content Types tab The Content Types tab enables an administrator to specify whether the rule is applied to only specific types of HTTP traffic, or whether it applies to all traffic.
Figure 5.10. Modifying Firewall Policy Rules.
Creating Firewall Policy RulesFirewall policy rules are powerful and highly customizable, and can be used to set up and secure access to a wide range of services and protocols. So it may seem surprising that creating an access rule to allow or deny specific types of traffic is relatively straight forward. To set up a new rule, perform the following steps:
|1.||From the ISA Management Console, click on the Firewall Policy node in the console tree.|
|2.||Click on the Tasks tab in the Tasks pane.|
|3.||Click the link titled Create New Access Rule.|
|4.||Enter a descriptive name for the new rule and click Next.|
|5.||Select whether the rule will allow or deny traffic and click Next.|
|6.||On the next dialog box, choose whether the rule will apply to all traffic, all traffic except certain protocols, or selected protocols. In this example, Selected protocols is selected. Click the Add button to add them.|
|7.||To add the protocols, select them from the Protocols list shown in Figure 5.11 and click Add and then Close. The list is sorted by category to provide for ease of selection.|
Figure 5.11. Creating firewall access rules.
|8.||Click Next to continue to the Source Network dialog box.|
|9.||Click Add to add a source for the rule and then select the source network by clicking Add and then clicking Close.|
|10.||Click Next to continue to the Destination Network dialog box.|
|11.||At the Destination Network dialog box, click Add to add a source for the rule, select the source network by clicking Add and then clicking Close, and click Next to continue.|
|12.||Leave the User Sets dialog box at the defaults and click Next.|
|13.||Review the settings and click Finish.|
|14.||Click Apply in the Central Details pane and click OK after it has been confirmed.|