Examining Advanced ISA Firewall Concepts
In general, creating Firewall Policy rules and network policy rules makes up the bulk of an ISA Firewall Administrator's work. Several advanced tasks, however, should also be understood when deploying ISA Server as a firewall.
Publishing Servers and Services
ISA Server 2004 can secure and "publish" a server to make it available to outside resources. Publishing servers such as web servers, OWA servers, SharePoint sites, Citrix servers, and the like is generally referred to as a "reverse proxy" capability. The advantage of using ISA to publish servers is that the ISA server can pre-authenticate connections to those services and act as a bastion host for the network traffic, ensuring that internal servers are never directly accessed from the Internet. Part III of this book, "Securing Servers and Services with ISA Server 2004."
Reviewing and Modifying the ISA System Policy
By default, ISA Server 2004 uses a set of Firewall Policy rules that grant the Localhost network specific types of functionality and access. Without system policies, for example, the ISA server itself would not be able to perform tasks such as pinging internal servers or downloading updates from the Windows Update website. Because the default rule is to deny all traffic unless otherwise specified, system policy rules are necessary to support specific types of access originating from the local ISA Server.

System policy rules are enabled but are not shown by default in ISA Server 2004. To view them, click the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. The system policy rules, partially shown in Figure 5.12, are extensive, and it is important to understand what functionality each individual policy rule provides.
Figure 5.12. Viewing default system policy rules.
Figure 5.13. Editing system policies in the System Policy Editor.
Network Services
The Network Services configuration group contains the DHCP, DNS, and NTP configuration groups, which allow for the designation of how the ISA server interacts with these services. For example, configuring the DNS configuration group enables the ISA server to communicate using DNS protocols with the servers listed in the group.
Authentication Services
The Authentication Services group contains the configuration groups for Active Directory, RADIUS, RSA SecurID, and CRL Download. Modifying these settings makes it possible to specify these types of authentication services, as well as to enforce strict RPC compliance with AD servers.
Remote Management
The Remote Management group contains the Microsoft Management Console, Terminal Server, and ICMP (Ping) configuration groups. Modifying these settings allows for management of the ISA server, such as pinging ISA and using MMC consoles to access the server.
Firewall Client
The Firewall Client configuration group allows administrators to specify which systems have rights to access the Firewall Client access share that may exist on an ISA server.
Diagnostic Services
The Diagnostic Services group contains the ICMP, Windows Networking, Microsoft Error Reporting, and HTTP Connectivity Verifiers configuration groups, which enable the ISA server itself to report on health-related issues, as well as to ping other systems on the network.
Logging
The Logging group contains the Remote NetBIOS Logging and Remote SQL Logging configuration groups, which enable the ISA server to send its logs to other servers, such as an internal SQL database.
Remote Monitoring
The Remote Monitoring group contains the Remote Performance Monitoring, Microsoft Operations Manager, and SMTP configuration groups, which enable monitoring services such as MOM to access the ISA server and allow SMTP emails to be sent from ISA.
Various
The Various group contains the Scheduled Download Jobs and Allowed Sites configuration groups. Of particular note is the Allowed Sites configuration group, which defines the System Policy Allowed Sites, as shown in Figure 5.14. Unless a website is added to this list, the ISA server itself cannot access it.
Figure 5.14. Viewing the System Policy Allowed Sites list.
Troubleshooting why an ISA server cannot perform a particular function should always include a visit to the System Policy Editor. The built-in system policy rules allow ISA Server 2004 to be configured for multiple deployment scenarios.