How ISA Firewall’s Define Networks and Network Relationships - Dr. Tom Shinderamp;#039;s Configuring ISA Server 1002004 [Electronic resources] نسخه متنی

How ISA Firewall’s Define Networks and Network Relationships

One of the primary limitations of the ISA Server 2000 firewall was its simplistic view of the network. The ISA Server 2000 firewall recognized only two types of networks: trusted and untrusted. Trusted networks were included in the ISA Server 2000 firewall’s Local Address Table (LAT). Any network that wasn’t in the LAT was considered untrusted. ISA firewall policy was applied to all communications between LAT and non-LAT hosts. Communications between LAT hosts were routed through the ISA Server 2000 firewall without being subjected to the ISA Server 2000 firewall’s stateful filtering and application-layer inspection mechanisms.

This was problematic for ISA Server 2000 firewall administrators who wanted to create DMZ segments that were directly connected to the ISA Server 2000 firewall. For example, an ISA Server 2000 firewall might be configured with three network interfaces. This configuration could include an internal interface connecting to the internal network, a DMZ interface connected to a public access DMZ segment, and an external interface, which connects the firewall to the Internet.

In ISA Server 2000, this trihomed DMZ configuration highlights most of the limitations of the ISA Server 2000 networking model.

All communications between LAT and non-NAT hosts had to be NATed. This meant that all connections between the internal network and the Internet, and the internal network and the DMZ segment, were NATed.

The ISA Server 2000 firewall did not apply stateful application-layer inspection to connections between Internet hosts and machines on the DMZ segment. These connections were routed by the ISA Server 2000 firewall from the Internet to the DMZ segment and only stateful filtering was done on the connections, similar to what you see with a typical hardware firewall.

Communications between DMZ hosts and hosts on the internal network had to be accomplished via Server and Web Publishing Rules because the Internal network saw the DMZ segment as just another untrusted network.

Outbound connections from the internal network to the DMZ segment were subject to the same Access Policy as those between the internal network and the Internet. For example, if you allowed outbound FTP access from the Internal network, FTP access was allowed to all non-LAT networks. If you allowed outbound access to a particular protocol, internal network users had access to that protocol at all sites.

With the ISA Server 2000 firewall, it was possible to substitute private addresses for public address in the DMZ segment. However, the ISA Server 2000 firewall did not recognize this segment as a DMZ, and the DMZ segment had to be placed on the LAT. Because the ISA Server 2000 firewall only applied firewall policy on communications between LAT and non-LAT hosts, no firewall filtering was done between the internal network and the private address DMZ segment. While you could use RRAS packet filters to create a “poor man’s” DMZ segment, the RRAS packet filters provided even less flexibility and security than a hardware firewall’s stateful packet-filtering mechanisms.

Microsoft recognized these limitations in the ISA Server 2000 firewall and corrected them. The ISA firewall no longer uses the LAT. The LAT is no longer required because the ISA firewall does not implicitly trust any network. In ISA Server 2000, the LAT determined which networks were trusted and which were not. Because the networking model of the new ISA firewall does not trust any networks by default, the LAT is not part of the ISA firewalls configuration. All communications moving through the ISA firewall are subject to the ISA firewall’s stateful filtering and stateful application-layer inspection mechanisms.

Another major improvement to the ISA firewall’s networking model is that you now have control over the routing relationship between the any two networks. For example, if you wanted to replicate the trihomed DMZ setup where you have an external interface, internal interface and DMZ interface, you can use public or private addresses on the DMZ segment and create a route or NAT relationship between the internal network and the DMZ segment. You can even choose between a route or NAT relationship between the internal network and the Internet. This is especially helpful if you have public addresses on your internal network and you want to continue using them without NATing outbound connections to the Internet.

Table 4.5 shows what’s new and improved in the ISA firewall’s networking model versus the ISA Server 2000.

We will cover all of these issues in more detail throughout this book.

ISA 2004 Multinetworking

The ISA 2004 marketing team has assigned the term “multinetworking” to the ISA firewall’s new and improved networking feature set. Like most marketing terms, it’s hard to pin down exactly what multinetworking actually means. It could mean the ISA firewall’s ability to control access between any two networks using stateful filtering and stateful application-layer inspection. It could mean the ISA firewall’s ability to create multiple types of Network Objects and use those network objects in Access Rules. Or, it could mean the ability to create multiple internal networks, multiple DMZ networks, and multiple external networks. Or, it could mean all of the above. Like the term “stateful,” it has no specific meaning and can be used in just about any way you like.

To get a better idea of how the ISA 2004 multinetworking model works, let’s look at a network diagram. Figure 4.22 shows a typical ISA firewall multinetworking configuration.

Figure 4.22: ISA Firewall Multinetworking

There are four protected networks directly connected to the ISA firewall in this example. A protected includes all networks defined on the ISA firewall except for the default External network. The default External network represents the Internet. The four protected networks in the diagram are the Wireless Network, DMZ, Internal Network and Services Network.

Using the ISA firewall’s new network model, you could create the following access rules:

Wireless clients can access the Internet but are not allowed access to any of the other protected networks. Users on the Wireless segment can VPN to the ISA firewall and gain access to the Internal network segment if access is required.

Servers on the DMZ segment are allowed access to servers on the Services Network segment. For example, the Public Web server could be granted access to the Exchange Server, but not the SQL server. In this way, the Public Web server can act as an RPC over HTTP proxy for Outlook 2003 users. Hosts on the DMZ segment would not be allowed access to the Internet and they would not be allowed access to any other protected network segments.

Users and machines on the Internal network can be granted access to resources on the Internet and the Services network. This allows them to use selected resources that you allow on the Internet and also have access to the Exchange Server. Users on the Internal network would not have access to resources on the Wireless network or the DMZ segment.

Machines on the Services Network can be granted access to selected sites on the Internet (such as the Windows Update site). They could also be allowed restricted access to the Internal network. For example, the Exchange Server may be a member of the Internet network domain and need to communicate with domain controllers on the Internal network.

VPN clients can be allowed access to resources on the DMZ, Internet, Internal Network and Services Network. You can control which VPN clients can access resources on which network via user/group based access control. For example, you may have a user group named ExchangeUsers and you want them to use the Outlook MAPI client to connect to the Exchange Server, but no other resources. You can create an access rule to allow members of the group access to the Exchange Server, but only using the secure Exchange RPC calls to get to the Exchange Server. If members of this group attempted to use any other protocol, such as HTTP or CIFS, their connection attempts would be denied.

The multinetworking features allows you very granular access control over what destination a host on any network can access. Even the VPN clients, which traditionally had access to everything on the corporate network once they connected, can now be locked down tight after establishing the VPN link.

The ISA Firewall’s Default Networks

In order to get a better understanding of the ISA firewall’s multinetworking feature and how the ISA firewall views networks and how they are used, let’s take a look at the default networks on the ISA firewall. You will see these default networks created on the ISA firewall immediately after installation is complete.

Local Host Network

Internal Network

External Network (default)

VPN Clients Network

Quarantined VPN Clients Network

ISA 2004 Networks must meet the following criteria:

The ISA firewall must have one or more adapters. If the ISA firewall has a single adapter, then all addresses are considered part of the Internal Network.

A Network Interface Card can have one or more IP addresses. The IP address on a particular interface must belong to the Local Host Network and to the Network to which that Interface is directly connected.

With the exception of the Local Host, VPN Clients, and VPN Quarantine Networks, an IP address can only belong to one Network.

All addresses belonging to a single NIC must belong to the same Network

In the following sections we will looks at each of the default networks in more detail.

Local Host Network

The Local Host Network is a built-in Network Object that defines all the IP addresses on all the interfaces on the ISA firewall. For example, if the ISA firewall has three network interfaces, and there are ten IP addresses bound to the external interface, two IP addresses bound to the DMZ interface and one IP address bound to the internal interface, then all 13 addresses would comprise the Local Host Network. You never have to explicitly define any of the addresses on the Local Host Network; addresses are automatically added to the Local Host Network when you add addresses to the interfaces.

You can find the Properties of the Local Host Network in the ServerName\Configuration\Networks node. Click on the Networks tab in the Details pane and right-click on Local Host, and click Properties. The Local Host Network’s Properties dialog box appears in Figure 4.23.

Figure 4.23: Configuring a Web Proxy Listener on the Local Host Network

There are two tabs on the Local Host Network Properties dialog box. The General tab provides an explanation of the Local Host Network. The Web Proxy tab enables a Web Proxy listener for the Local Host Network. The Web Proxy listener is disabled by default. Put a checkmark in the Enable Web Proxy clients checkbox if you want applications running on the ISA firewall to act as Web Proxy clients.

For example, if you want to use the Web browser on the ISA firewall itself, you would enable the Web Proxy listener and then configure the browser to use an IP address on one of the interfaces on the ISA firewall as its Web Proxy server. If the IP address on the Internal interface of the ISA firewall is 192.168.1.1, you would use that IP address when configuring the browser as a Web Proxy client. You must also enable the Web Proxy listener on the Local Host Network if you want to use Scheduled Content Download jobs.

An important issue regarding the Local Host Network is that, like the VPN clients and VPN Quarantine Networks, the addresses assigned to it are not mutually exclusive of addresses assigned to other networks. In all other situations, addresses assigned to other Networks cannot be assigned to any other network.

For example, if the Internal interface of the ISA firewall is assigned the address 192.168.1.1, then that address must be included in the Internal network’s list of addresses. If the ISA firewall has the address 172.16.0.1 assigned to the DMZ interface, then that address must be included in the list of addresses defining the DMZ network. It’s a common error where the ISA firewall administrator will leave out the addresses assigned to the Local Host Network because they think they cannot include these addresses because of the general principle that addresses cannot be assigned to two different Networks.

Internal Network

The ISA 2004 Internal Network is quite different from the ISA Server 2000 Internal network. In ISA Server 2000, any network contained in the LAT was considered an Internal network. All communications between LAT (Internal Network) hosts were not filtered and firewalled by ISA Server 2000 firewall. The reason for this is that only communications between LAT and non-LAT clients were firewalled by the ISA Server 2000 firewall.

In contrast to the ISA Server 2000 firewall’s approach to Internal and external networks, the ISA firewall’s concept of Internal network is related to the System Policy Rules that are automatically configured on the ISA firewall.

In order to understand the Internal Network’s role, you have to have a basic understanding of the ISA 2004 System Policy. The ISA 2004 System Policy is a collection of 30 Access Rules that control inbound and outbound access to and from the ISA firewall. These rules are created by default and you can customize them, or even disable them, if you like. Examples of ISA 2004 System Policy rules include:

Allow access to directory services for authentication purposes

Allow Kerberos authentication from ISA Server to trusted servers

Allow Microsoft CIFS from ISA Server to trusted servers

Allow NetBIOS from ISA Server to trusted servers

For each of the System Policy Access Rules, communications are by default assigned from the Local Host network to the Internal Network. The ISA firewall’s concept of the Internal network is the network where your main infrastructure servers are located. That way, the default System Policy rules allow communications with the organization’s Active Directory servers, DNS servers, DHCP servers, WINS servers, and file servers. However, this concept of the Internal network applies to make setup of the ISA firewall simple, as the Internal network is defined during setup of the ISA firewall software. You are in no way limited to that definition of the Internal network.

One thing that’s important to note that is you can create multiple internal networks. Notice that I’ve used a lower case “i” in this case. An internal network can be any network that is protected by the ISA firewall. In fact, you can create DMZ networks and call them internal networks. Only the default Internal network (with an upper case “I”) has special meaning to the ISA firewall, and that special meaning is related to System Policy.

You can view the Properties of the default Internal Network by going to the ServerName\Configuration\Networks node. The configuration options for the default Internal network are the same as any other network you create on the ISA firewall. We can use the Internal network configuration options as a model on which you can create and configure other internal or perimeter Networks on the ISA firewall.

Click on the Networks tab in the Details pane, and then double-click on the Internal network. Click on the Addresses tab, and you’ll see something like Figure 4.24.

Figure 4.24: Defining the Internal Network Addresses

On the Addresses tab, you enter the addresses on all networks located behind the Internal Network adapter. In the example shown in Figure 4.25, the internal network includes all addresses in the 192.168.1.0/24 range. These addresses were defined when the ISA firewall software was installed.

Figure 4.25: Adding Private Network Addresses

You can also easily add addresses in the private address range. Click the Add Private button to add addresses in any of the private network ID address ranges. Figure 4.25 shows the fly out menu from the Add Private button.

A better way to add addresses to the Internet network (and other networks you create) is to use the Add Adapter button. Figure 4.26 illustrates the effect of clicking the Add Adapter button.

Figure 4.26: Adding Addresses via the Routing Table

In the Select Network Adapters dialog box you can select the NIC connected to the Internal network and use the addresses in the Windows Routing Table to define the network. This is a much more reliable method of defining a particular network, since the Windows Routing Table should always have knowledge of all networks reachable from the ISA firewall. This knowledge of all reachable networks can be done either via manual configuration of the Windows Routing Table or by using a dynamic routing protocol such as RIP or OSPF.

The last method available for adding addresses to the Network is to use the Add button. Figure 4.27 illustrates the effect of clicking the Add button.

Figure 4.27: Entering an Address Range

Click the Domains tab (Figure 4.28). Here you enter a list of internal network domains. When the firewall client connects to a host located in one of these domains, the connection request bypasses the Firewall client application. The primary rationale for this is that if all the machines located in the same domain are located behind the same NIC, then the Firewall client machine can communicate directly without looping back through the ISA firewall. This reduces the overall load on the ISA firewall and improves client performance because the connection doesn’t incur any Firewall processing overhead. Further, the Domains tab can be used to control the behavior of Web Proxy clients when accessing external sites. We will discuss the relationship between the Domains tab and Web Proxy clients later in this chapter. See Figure 4.28 to see how to enter local domains.

Figure 4.28: Entering Local Domains

You have to be careful with the entries you make on the Domains tab if your internal network domain extends across multiple NICs. Figure 4.29 shows an example of one scenario where the domain extends across multiple network interfaces.

Figure 4.29: Domain Extending Across Internal Networks

This is an example of a simple campus network configuration. There are three network interfaces on the ISA firewall. One interface connects the ISA firewall to the Internet. The second interface connects the ISA firewall with the Internet network, and a third interface connects the ISA firewall to a second internal network. The Internal network (with a capital “I,” which is the Faculty and Departments network) contains the Active Directory servers and other infrastructure servers. The other internal network (the Student’s Network) contains student machines which have been made members of the campus Active Directory domain, and these machines also have the Firewall client installed.

The Internal network domain name is msfirewall.org. You would include this domain name on the Domains tab. When any host on the Internal network contacts any other host in the msfirewall.org domain, the Firewall client machines on the Internet network will bypass the ISA firewall and connect directly to the hosts in the msfirewall.org domain located behind the Internal network adapter. Since there are no hosts on the Internal network that need to initiate connections to hosts on the Student’s network, all is well. That’s because all msfirewall.org servers are located behind the Internal network adapter.

Now suppose we place enter msfirewall.org into the Domains tab on the DMZ network, and we create an access rule (we will go over the details of Access Rules in Chapter 7) that allows HTTP, HTTPS, FTP, SMTP and POP3 to authenticate clients on the Student’s Network into the Internal network. What would happen when machines configured as only Firewall clients on the Student’s network try to connect to a POP3 server on the Internal network? That’s right – the connection request fails. That’s because the Student’s Network Interface on the ISA firewall was configured with the msfirewall.org domain on its Domains tab. Since the machine configured as a Firewall client will bypass the Firewall client configuration when connecting to resources on domains listed on the Domains tab, the connect never even makes it to the ISA firewall.

What if the Firewall client machine on the Student’s Network were configured as SecureNAT client as well as a Firewall client? In this case, the connection attempt from the host on the student’s network to a member server on the Internal network in the msfirewall.org domain would be sent to the Student Network interface on the ISA firewall. The connection request in this case would be denied because the SecureNAT client cannot send credentials to the ISA firewall.

In the Internal Properties dialog box, click on the Web Browser tab. Figure 4.30 shows what you will see in the dialog box.

Figure 4.30: Configuring Domains for Web Proxy Direct Access

The settings on this tab control Web browsers on the Internal network that are configured to use the autoconfiguration script (we will discuss the autoconfiguration script in detail in Chapter 5). You have the options:

Bypass proxy for Web servers in this network. This is an interesting setting. The Help file states: “Bypass proxy for web servers in this network. Select this option if the Web browser on the Firewall client computer should bypass the ISA Server computer when accessing local Web servers.” The question is, what is a local Web server? Local to what? The answer is that local means to any Web server located at an address included in this Network’s Address range. So, in the case of the Internal network, when a Web Proxy client configured with the autoconfiguration script attempts to connect to a Web server whose address is also on the Internal network, then the Web Proxy client will bypass the Web Proxy on the ISA firewall and connect directly to the Web server on the Internal network. This is a good thing. This prevents hosts located behind the same network adapter from looping back through the ISA firewall to access resources behind the same network interface.

Directly access computers specified on the Domains tab. This allows the Web Proxy client configured with the autoconfiguration script to use the domains listed on the Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly to the destination, either via the machines SecureNAT client configuration or via the machines Firewall client configuration. This is useful if you want to leverage the domains already entered on the domains tab and use them for Direct Access. However, beware of issues like those mentioned earlier with the Student’s Network and Internal Network in the trihomed DMZ configuration.

Directly access these servers or domains. You can add a list of domains or IP addresses that you want Web Proxy clients configured with for the Autoconfiguration script to bypass the Web Proxy on the ISA firewall. In the example provided in the figure, we have entered a list of domains that should be bypassed when you want to use Outlook Express to access a Hotmail account. When the Web Proxy client computer connects to these domains, the Web Proxy client configuration is ignored, and the client uses alternate client configuration to access these sites, such as SecureNAT or Firewall client configurations.

If ISA Server is unavailable, use this backup route to connect to the Internet: Direct access or Alternative ISA Server. This option is a bit misleading because it implies that the entire ISA firewall must be unavailable before one of the options is triggered. In fact, the ISA firewall can be just fine, but if there is a problem with the ISA firewall’s Web Proxy, then one of the alternatives is used. The Direct Access option allows a machine configured as a Web Proxy client to use an alternate client configuration to access the Internet or other destination network. This can be either its SecureNAT client configuration or via its Firewall client configuration. The Alternative ISA Server option allows you to enter the FQDN or IP address of an alternate ISA firewall to which the Web Proxy client can connect to reach the Internet. Do not use the Browse button to find an alternate server. If you use a FQDN in the Alternative ISA Server text box, then make surethe ISA firewall can resolve that FQDN to the correct IP address so that the ISA firewall can locate the alternate Web Proxy.

Click on the Web Proxy tab. The Web Proxy tab defines the outbound Web Listener for the Network. Web Proxy clients on this network use this Web listener to connect to the Web Proxy on the ISA firewall. The outbound Web Proxy listener for the Network is enabled by placing a checkmark in the Enable Web Proxy clients checkbox. A checkmark must also be in the Enable HTTP checkbox for Web browsers configured as Web Proxy clients to connect to the Web Proxy on this Network. See these steps illustrated in Figure 4.31.

Figure 4.31: The Web Proxy tab

Many people have wondered for years about the Enable SSL checkbox on the Web Proxy page. This option was also available in ISA Server 2000. This setting posed a curious problem because if you enabled this option and then tried to configure the Web browser to connect to the default SSL port on the outbound Web Proxy SSL listener, the connection attempt would fail. The reason for this is that the Web browser that is configured as a Web Proxy client cannot establish an SSL connection with the Web Proxy listener. The initial connection between the Web Proxy client and the outbound Web Proxy listener must always be over HTTP.

If the connection between the Web Proxy client and the outbound Web Proxy listener must always be HTTP, then why did they make the Enable SSL option available on the Web Proxy tab? The reason is that in a Web Proxy Chaining scenario, you can configure a downstream Web Proxy server to forward Web requests to an upstream Web Proxy server using an SSL connection. This setup allows for outbound HTTP- to-SSL bridging between the downstream Web Proxy and the upstream Web Proxy.

External Network (default)

The default External network created during ISA firewall setup includes all addresses that are not already defined by another Network on the ISA firewall. The default External Network doesn’t contain any dialog boxes for you to perform customer configurations. Any address that isn’t defined by some other Network on the ISA firewall is automatically included in the default External Network.

This is especially interesting in light of the Single NIC ISA firewall configuration. When you install the ISA firewall software on a machine with a single NIC, or when you apply the Single NIC Network Template to an existing configuration, all addresses in the IPv4 address range are added to the default Internal Network. Because all possible IP addresses are included in the default Internal Network, there are no addresses available for the default External Network.

VPN Clients Network

The VPN Clients Network is one of the “virtual” or “just in time” Networks. When a VPN client or VPN gateway connects to the ISA firewall, that address is dynamically added to the VPN Clients Network. Access Rules can then be created to control traffic to and from the VPN Clients Network.

For example, suppose you use DHCP to assign addresses to VPN clients and gateways. When a VPN client connects to the ISA firewall, the address assigned to the VPN client is moved to the list of addresses included in the VPN Clients Network. Access Rules using the VPN Clients Network for Source or Destination address are then applied to the address assigned to the VPN client or gateway. When the VPN client or gateway disconnects from the ISA firewall, that address is dynamically removed from the VPN Clients Network.

Quarantined VPN Clients Network

The Quarantined VPN Clients Network is a “virtual” or “just in time” Network where addresses are dynamically assigned to this Network when quarantined VPN clients connect to the ISA firewall. The Quarantined VPN Client Network is only used when VPN Quarantine is enabled on the ISA firewall.

At the present time, VPN Quarantine represents more of a development platform than something that the average ISA firewall administrator can actually put into practice. The good news is that Frederic Esnouf, an MVP for ISA firewalls, has put together a very nice VPN Quarantine package that is easy to install and configure. Check out Frederic’s excellent VPN Quarantine solution at http://fesnouf.online.fr/programs/QSS/qssinaction/QssInAction

Creating New Networks

You will need to create new Networks whenever a new Network is introduced into your environment. A common reason to add a new Network is when you install additional NICs into the ISA firewall. Since all addresses located behind any particular NIC are considered a Network by the ISA firewall, you need to create a new Network when additional NICs are added to the firewall.

An interesting application of the Network concept relates to how you can use them for Networks located in front of the external interface of the ISA firewall. The external interface of the ISA firewall doesn’t always need to be directly connected to the Internet. Many organizations will use the ISA firewall as the back-end ISA firewall because they need the strongest level of firewall protection available closest to their corporate assets. The external interface of the back-end ISA firewall will be connected to a network under corporate control, and therefore, one that you can identify and configure as a Network Object in the ISA firewall configuration interface.

For example, suppose the back-end ISA firewall is has two NICs: one NIC is connected to a DMZ segment and one NIC is connected to a corporate asset network. Since you know the addresses used in the DMZ Network, you can create a Network Object that defines the address range used in the DMZ, and then use that Network Object to control traffic to and from the DMZ as it moves through the back-end ISA firewall.

In the following exercise, we’ll add a new Network Object to an ISA firewall where we’ve installed an additional NIC to support a DMZ segment. This ISA firewall already had an external interface on network ID 192.168.1.0/24 and an internal interface on network ID 10.0.0.0/24. The new NIC is assigned the IP address 172.16.0.1/16 and we’ll create a new Network for this DMZ interface.

Perform the following steps to create the New Network.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.

Click the Tasks tab in the Task Pane. Click the Create a New Network link.

On the Welcome to the New Network Wizard page, enter a name for the new Network in the Network name text box. In this example we’ll name it DMZ. Click Next.

On the Network Type page, select the Perimeter Network option (Figure 4.32). Notice in this dialog box that you have four options.

Figure 4.32: Defining the Network Type

Internal Network Use the Internal Network option to create new internal Networks. Internal networks are generally considered to be networks on the “inside” of the ISA firewall. This isn’t a hard and fast distinction because the ISA firewall doesn’t really see the world in terms of internal versus external, as the ISA firewall applies stateful filtering and stateful application-layer inspection on all communications moving through the firewall. The notation as “internal” is more of an accounting consideration here. When you choose this option, you will have the chance to configure this Network using the Properties dialog box, to set options similar to those you can set with the default Internal Network.

Perimeter Network Use the Perimeter Network option when creating new DMZ segments. There are no practical differences between the settings created by the Wizard when you create a Perimeter versus an Internal Network. You have the same options in the Properties dialog box after you create a Perimeter Network as you have when you create an Internal Network. The main value is that you can easily identify in the user interface which Networks are internal and which are DMZs.

VPN Site-to-Site Network Use the VPN Site-to-Site Network option when you need to create a site-to-site VPN connection with another office. This Wizard walks you through the creation of the address ranges and VPN configuration of a site-to-site VPN.

External Network Use the External Network option when you create a network that lies on the “outside” of the ISA firewall. Although the ISA firewall doesn’t really see the network world as inside or outside, you can use as a rule of thumb that any network directly reachable from the interface on the ISA firewall that has the default gateway assigned to it is considered an external network. Note that you have the same configuration options in the Properties dialog box when you create a new External Network as you have when you create new Internal or Perimeter Networks.

Click Next. See Figure 4.32 for defining the Network type and using a Perimeter Network.

On the Network Addresses page (Figure 4.33), you define the address range(s) for the new Network. You have three choices.

Figure 4.33: Selecting a Network Adapter

Add When you select the Add button, you can manually add the address range. This is useful if you don’t want to define an entire network ID, or you want to add several non-contiguous ranges of IP addresses to the Network.

Add Adapter When you select the Add Adapter button, a dialog box appears that allows you to select an adapter to define the new Network. The addresses added are based on the Windows routing table entries that apply to that adapter. If you have configured the Windows routing table correctly prior to creating the new Network, all the correct addresses will be added. This is the easiest way to define a new Network if the routing table contains the correct information.

Add Private When you select the Add Private button, a fly-out menu appears showing you’re the three private network IDs. We highly recommend that you do not use this option because most organizations will use subnets of private network IDs throughout the organization.

In this example we’ll select the Add Adapter option. This brings up the Select Network Adapters dialog box. Put a checkmark in the DMZ checkbox (in this example we renamed the adapters with meaningful names in the Network and Dial-up Connections Window). You’ll see the addresses that will be assigned to the Network based on the Route Information listed in the Network Interfaces Information section. Click OK. See Figure 4.33 for how to select a Network adapter.

Click Next on the Network Addresses page.

Click Finish on the Completing the New Network Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

The new Network appears in the list in the Networks tab (See Figure 4.34).

Figure 4.34: The New Network Appears in the List of Networks

Controlling Routing Behavior with Network Rules

Even though you’ve created a new Network, you can’t use it for anything until you define the route relationship between that Network and other Networks it communicates with. You control this route relationship using Network Rules.

There are three route relationships available when you create a Network Rule.

Route The ISA firewall documentation defines a route relationship as a “reciprocal” relationship. In practice, you use a route relationship when the Source and Destination Network defined by the Network Rule support routing between them. For example, if the source Network and the Destination Network both use public addresses, then you can define a Route relationship. If both the source and destination Network use private addresses, then you can use a route relationship. If the source network uses private addresses and the destination uses public addresses, then you can’t use a route relationship (in most cases, there are exceptions when the ISA firewall is configured with a routing table entry that allows routing from private to public networks). Another key feature of the route relationship is that the source IP address is always preserved (with the exception of Publishing Rules, where you can control whether or not the source IP address is preserved, and the Server IP address is always replaced by the listener address). Use a Route relationship when the source and destination Networks support a route relationship, and you need to support protocols that are not NAT friendly.

NAT The ISA firewall documentation defines a NAT relationship as directional. The directional nature of the NAT relationship means that you have to be mindful of the Source and Destination Network when configuring the Network Rule. When you use a NAT relationship, the source IP address is replaced with the address on the interface that connection is exiting. For example, suppose you create a NAT relationship between the default Internal Network and the DMZ Network. The source Network is the Internal Network and the destination Network is the DMZ Network. When communications leave the Internal Network to the DMZ Network, the source IP address is changed to the address on the network interface the communication is exiting, which in this case is the DMZ interface. If you created a Network Rule where the DMZ Network is the Source Network and the Internal Network is the Destination Network, then communications leaving the DMZ Network would have the source IP address replaced with the interface that the communication is exiting, which in this case is the Internal Network interface. Also note that when you define a NAT relationship, communications are one-way for both Web Publishing and Access Rules.

You must create a Network Rule for any communication between a specific Source and Destination Network. We’ve seen a number of situations where everything was set up right on the ISA firewall, but a particular Access Policy did not work because either there was no Network Rule controlling the route relationship between the Source and Destination, or the wrong route relationship was configured. We’ll talk more about these route relationships later in this chapter in the discussions on the various ISA firewall Network Templates.

In the following exercise, you’ll create a Network Rule that controls the route relationship between the Internal Network and the DMZ Network. Because both Networks are using private addresses we’ll configure a Route relationship between the Networks. We prefer to use a Route relationship in this scenario because it allows us greater flexibility in the protocols we can pass between the Internal Network and the DMZ. However, if you want to hide the IP addresses of the hosts on the Internal Network when they’re connecting to hosts on the DMZ Network, then you should use a NAT relationship, while keeping in mind that you’ll not have support for protocols that do not work with NAT.

Perform the following steps to create the Network Rule:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click on the Networks node.

On the Networks node, click the Network Rules tab in the Details pane of the console.

On the Task pane, click the Tasks tab. Click the Create a New Network Rule link.

On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule Internal < >DMZ. Click Next.

On the Network Traffic Sources page, click Add.

In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal network. Click Close.

Click Next on the Network Traffic Sources page.

On the Network Traffic Destinations page, click Add.

In the Add Network Entities dialog box, click the Networks folder. Double-click the DMZ network. Click Close.

Click Next on the Network Traffic Destinations page.

On the Network Relationship page, select the Route option (see Figure 4.35). Click Next.

Figure 4.35: Defining a Route Relationship

lick Finish on the Completing the New Network Rule Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

You will see the new Network Rule on the Network Rules tab in the Details pane of the Microsoft Internet Security and Acceleration Server 2004 management console.

The ISA 2004 Network Objects

You always need to configure a source and a destination when creating Access Policies on the ISA firewall. The ISA firewall uses Network Objects to identify sources and destinations. The ISA firewall’s Network Objects give you a lot of flexibility when creating Access Policy because you can get very granular control over what hosts can communicate with other hosts.

The ISA firewall’s Network Objects include:

Networks

Network Sets

Computers

Address Ranges

Subnets

Computer Sets

URL Sets

Domain Name Sets

Web Listeners

Networks

We’ve already spent a lot of time discussing the Network Network Object. Networks are collections of addresses that are reachable from a particular interface on the ISA firewall. For example, if you have two Interfaces on the ISA firewall with one interface connected to the Internet and one connected to the corporate network, then the definition of the Internal Network is all addresses located behind the internal interface of the ISA firewall.

You create new Network Network Objects in the Networks node of the Microsoft Internet Security and Acceleration Server 2004 management console. See our earlier discussion on creating a new Network for details on how to create and configure Network Network Objects.

Network Sets

Network Sets represent collections of Networks. There are two default Network Sets:

All Networks (and local host)

All Protected Networks

The All Networks (and local host) Network Sets Network Object includes all possible addresses. You should rarely, if ever, need to use this Network Object. You might want to use this Network Object when performing testing, or if you want to use the ISA firewall as more of a stateful filtering router rather than a firewall.

The All Protected Networks Network Object includes all Networks defined on the ISA firewall except for the default External Network. You might use the All Protected Networks Network Object when you want to apply an Access Rule that controls outbound access for all networks behind the ISA firewall.

You can view the properties of the default Network Sets Network Objects by performing the following steps:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link. The link expands and shows you a list of folders representing the ISA firewalls Network Objects.

Click on the Network Sets folder. There you will see the two default Network Sets.

Double-click the Network Sets to see the Properties of the Network Set (see Figure 4.36)

Figure 4.36: Defining Network Sets

You can also create new Network Sets if you want to create Access Policy that applies to a specific collection of Networks. Suppose you want to create a Network Set that includes the VPN Clients Network and the Internal Network. You might use this set if you want to create an Access Rule that controls communications from both of these sources. Perform the following steps to create such as Network Set.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link. The link expands and shows you a list of folders representing the ISA firewalls Network Objects.

Click on the Network Sets folder. Click the New menu and then click Network Set.

On the Welcome to the New Network Set Wizard page, enter a name for the set in the Network set name text box. In this example, we’ll name the set VPN and Internal. Click Next.

On the Network Selection page, select the Includes all select networks option. Notice that you also have the Includes all networks except the selected network option. Use this option if you want to create a large Network Set and only want to exclude a small number of Networks. In the Name list, put a checkmark in the VPN Clients and Internal checkboxes. Click Next. These steps are illustrated in Figure 4.37.

Figure 4.37: Creating a New Network Set

Click Finish on the Completing the New Network Set Wizard page.

Click Apply to save the changes and update the firewall policy

Click OK in the Apply New Configuration dialog box.

The new Network Set appears in the Network Sets list.

Computers

You can create Computer Objects to get very fined tuned control over the source and destination hosts that are allowed to communicate with one another. For example, suppose you have a DNS server on the corporate Network that is configured to use a DNS forwarder at your ISP. You don’t want to allow users to use an external DNS server, and you don’t want the DNS server on the corporate network to perform recursion. You can limit the DNS server to using the DNS protocol only when it communicates with the DNS forwarder at the ISP. The ISA firewall will drop all connections the DNS server on the corporate Network tries to make to other DNS servers.

There are no default Computer Objects. You perform the following steps to create a new computer object.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the New menu, and click Computer.

In the New Computer Rule Element dialog box, enter the name of the computer. In this example we’ll name the computer DNS Server. If you know the IP address of the computer, you can enter the address in the Computer IP Address text box. If you don’t know the address, you can use the Browse button and locate the computer and the ISA firewall will attempt to resolve the name of that machine for you. Enter an optional description for this Computer Object in the Description (optional) text box. Click OK. These steps for creating a new computer object are shown in Figure 4.38.

Figure 4.38: Creating a New Computer Object

The new computer object appears in the list of Computer Objects.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Address Ranges

The Address Ranges Network Object allows you to create collections of contiguous IP addresses. For example, you might have a group of Web servers on an ISA firewall protected- network services segment, and you want to apply the same Access Rule to all the machines on this segment. Or perhaps you’re working in a “network within a Network” environment and you want to control what users on one Network can access on another network. You can create address ranges representing each network within the Network and control access by using the Address Ranges Network Objects representing each network.

There are no default Address Ranges. You can add new address ranges by performing the following steps.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the New menu, and click Address Range.

In the New Address Range Rule Element dialog box, enter a name for the Address Range in the Name text box. Enter the first address for the range in the Start Address text box and the last address in the range in the End Address text box. Enter a description for the address range in the Description (optional) text box. Click OK. See the steps for creating a new Address Range Network Object in Figure 4.39.

Figure 4.39: Creating a New Address Range Network Object

The new Address Range appears in the list of Address Ranges.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Subnets

The Subnets Network Object allows you to define groups of hosts located on the same subnet. In the previous example we created an Address Set that included an entire subnet. A better way to do it when an entire subnet is involved is to create a Subnet Network Object. There are no default Subnet Network Objects. You can create a new Subnet Network Object by performing the following steps.

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the New menu, and click Subnet.

In the New Subnet Rule Element dialog box, enter a name for the subnet in the Name text box. Enter the network ID for the subnet in the Network address text box, and then enter the number of bits used in the subnet mask in the text box after the forward slash. The Network mask will be filled in automatically for you. Enter a description for this subnet in the Description (optional) text box. Click OK. See Creating a new Subnet Network Object in Figure 4.40.

Figure 4.40: Creating a new Subnet Network Object

The new Subnet will appear in the list of subnets.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Computer Sets

The Computer Set Network Object is a collection of IP addresses for computers that have a common function or purpose. For example, you might create a computer set for all the servers on your network that never have logged-on users, or you might create a computer set for all non-Windows machines that do not support the Firewall client and you still need some measure of access control.

There are three default Computer Sets:

Anywhere

IPSec Remote Gateways

Remote Management Computers

The Anywhere Computer Set includes all addresses in the IPv4 address range. You can use this Computer Set when you need to allow communications for broadcast-based protocols. For example, when you want to make the external interface of the ISA firewall a DHCP client, you can use the Anywhere Computer Set to allow the client to broadcast a DHCP Request message.

The IPSec Remote Gateways Computer Set is automatically populated when you create a site-to-site VPN connection using IPSec tunnel mode. You should not need to manually add entries into this Computer Set because the Remote Site VPN Wizards do the work for you.

The Remote Management Computers Computer Set is used by the ISA firewall’s System Policy to allow connections from machines running the ISA remote MMC console. You can manually add your remote management computers by doing the following:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the Computer Sets folder.

Click the Remote Management Computers icon, and click the Edit menu.

Click Add in the Remote Management Computers Properties dialog box. Click the Computer, Address Range or Subnet entry from the fly-out menu.

Fill out the information in the New Rule Element dialog box, and click OK.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

You can also create your own computer sets. We typically create Computer Sets for servers that do not have logged-on users. For example, your organization is operating a high-security environment and you require authentication for all inbound and outbound access. To meet your high-security requirements, you install the Firewall client on all your client operating systems.

The problem is that some of your servers do not have logged-on users, such as your outbound SMTP relay or Exchange Server. In order for these machines to access the Internet while at the same time exerting some level of access control, you can use a Computer Set and add the machines that do not have logged-on users to the Computer Set.

You can create a new Computer Set by performing the following steps:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task Pane, click the Toolbox tab. Click the Network Objects link.

Click the Computer Sets folder.

Click the New Menu.

In the New Computer Set Rule Element dialog box, enter a name for the set in the Name text box. In this example we’ll name it Mail Relays.

Click Add. Select Computer, Address Range, or Subnet. In this example we’ll select Computer.

In the New Computer Rule Element dialog box, enter a name for the Computer Set in the Name text box. In this example, we’ll name it BORAX. In the Computer IP Address text box, enter the IP address of a server belonging to this group. You can use the Browse button if you don’t remember the IP address, but the address must be resolvable via DNS. Enter a description for the Computer in the Description (optional) text box. Click OK. You can see an example for Creating a New Network Set Network Object in Figure 4.41.

Figure 4.41: Creating a New Network Set Network Object

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

URL Sets

A URL Set Network Object is a collection of one or more URLs. You can use URL Sets to get fine-tuned control over what Web sites users can access through the ISA firewall. URL Sets are used only when an HTTP or FTP request is made through the ISA firewall. If you try to use a URL Set in a rule that applies to a non-HTTP or FTP protocol, the URL Set will not be applied, even if you create such a rule.

For example, suppose you create a URL Set containing the URL mail.isaserverorg.com. You want to allow users to access their mail by connecting to the mail server using the SMTP protocol at mail.isaserverorg.com so you create an Access Rule allowing all users access to the URL Set containing the mail.isaserverorg.com domain. When users try to connect, the connection attempt will fail because URL Sets are not applied to non-HTTP/FTP protocols.

There are no default URL sets. However, there are several key facts about URL Sets you should keep in mind when creating Access Rules using a URL Set:

You can specify both the protocol and port in a URL included in the URL set. However, only the FQDN and the path will be considered – the protocol and port will be ignored. The protocol and port are controlled by other aspects of an Access Rule.

You can use wildcards when creating an entry in a URL set. For example, http://*.isaserver.org, http://www.isaserver.org/* or even http://*.isaserver.org/*. However, you must put the wildcards at the beginning or the end of the entry. You cannot put them anywhere else. For example, http://*.isaserver.org/*/articles would not be a legal.

When creating URL Set entries for sites that require SSL, make sure that you do not include a path of any kind. For example, when you log on to a Hotmail account through the Web browser you must be able to access the URL https://loginnet.passport.com. If you were to create a URL Set entry for https://loginnet.passport.com/* the connection attempt would be denied. The reason for this is that the ISA firewall cannot perform stateful application-layer inspection for outgoing SSL connections. Because of this, the ISA firewall cannot access any paths once the SSL link is established. Since the ISA firewall has a URL Set entry that includes a path, but it cannot determine the path inside the SSL tunnel, it will drop the connection as a more secure option.

In the following example we’ll create a URL Set you can use to allow Outlook Express and Microsoft Outlook 2003 users to access their Hotmail accounts through the ISA firewall. You could use the following URL Set in an Access Rule that applies to all users, or to users that belong to a Computer Set or Subnet or some other Network Object as the source location.

Perform the following steps to create a URL Set:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the URL Sets folder.

Click the New Menu, and then click URL Set.

In the New URL Set Rule Element dialog box, enter a name for the URL Set in the Name text box. In this example we’ll name it Hotmail Access. Click New. In the text box above the New button, enter the first URL. In this example enter http://*.passport.com, and press ENTER. Repeat the procedure and add the following URLs: http://*.passport.net, http:/*.msn.com, http://*.hotmail.com. Click OK. Figure 4.42 shows how to create a new URL Set Network Object.

Figure 4.42: Creating a new URL Set Network Object

Click Apply to save the changes and update the firewall policy

Click OK in the Apply New Configuration dialog box

Domain Name Sets

Domain Name Set Network Objects are very similar to URL Sets except that they can be applied to all protocols, and they do not include path statements, only FQDNs. URL Sets support wildcards at the beginning of the FQDN, such as *.isaserver.org. They do not support wildcards at the end of the FQDN because that would include a path in a URL, and only URL Sets support path statements.

There are two default Domain Name Sets:

Microsoft Error Reporting Sites

System Policy Allowed Sites

The Microsoft Error Reporting Sites Domain Name Set includes the domains *.watson.microsoft.com and watson.microsoft.com. This Domain Name Set is used in a System Policy Rule that allows the ISA firewall to send error information to Microsoft for analysis.

The System Policy Allow Sites Domain Name Set includes the *.microsoft.com, *.windows.com and *.windowsupdate.com domains. There are System Policy Rules that use this Domain Name Set to allow the ISA firewall to contact Windows Update and obtain other information from Microsoft Web site properties.

Domain Name Sets have a very similar functionality to that provided by the URL Sets, and if you don’t need path statements in your Access Rule, then you can use either one if you’re controlling HTTP/HTTPS or Web Proxy tunnel FTP access. However, if you want to control any other protocol, then you need to use Domain Name Sets, since URL Sets are used just for HTTP/HTTPS/FTP.

You can create your own Domain Name Sets by performing the following steps:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.

In the Task pane, click the Toolbox tab. Click the Network Objects link.

Click the Domain Name Sets folder.

Click the New Menu, and then click Domain Name Set.

In the New Domain Name Set Policy Element dialog box, enter a name for the Domain Name Set in the Name text box. Click New. Enter a domain name or fully-qualified domain name in the text box, and press ENTER. Enter a description of the Domain Name Set in the Description (optional) text box. Click OK. See Creating a New Domain Name Set Network Object in Figure 4.43 .

Figure 4.43: Creating a New Domain Name Set Network Object

The new Domain Name Set appears in the list of Domain Name Sets (Figure 4.44 ).

Figure 4.44: Viewing the New Domain Name Set

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Web Listeners

Web Listeners represent a significant departure from the rest of the Network Object we’ve discussed in this section. A Web listener doesn’t really fit into a Network location as it can’t be used as a source or destination in any Access Rule or Publishing Rule. However, I suppose the ISA firewall development team needed to put them somewhere, and the Network Objects group was a good as any.

A Web Listener is used to accept incoming connections to Web sites, and they are an integral part of Web Publishing Rules. Each Web Publishing Rule requires a Web listener to accept the incoming connection to the Published Web site. Separate Web listeners can be created for HTTP and SSL connections, and you can create Web listeners for IP addresses on each interface on the ISA firewall.

We will discuss Web Listeners in detail in Chapter 8, where we dig deeply into Web Publishing and Web Publishing Rules.

ISA Firewall Network Templates

There are a number of approaches you can take when installing and configuring the ISA firewall. The approach we usually take is to install the ISA firewall software on a hardened version of Windows Server 2003 and then manually configure all the networks connected to the ISA firewall. We create the Networks, set the route relationships between the Networks using Network Rules, and then create the fine-tuned inbound and outbound access policies. Once you understand how the ISA firewall works, you can configure an ISA firewall with 10 network interface cards with a powerful inbound and outbound and intranet access policy in less than an hour. Compare that to a similarly configured PIX and you’ll truly appreciate the security and ease of use of an ISA firewall.

If you want to get up and running quickly and you don’t want to spend a lot of time learning about how the ISA firewall works, you have the option of using an ISA firewall Network Template. There are Network Templates that configure the ISA firewall in the following roles:

Edge Firewall

Front Firewall

Back Firewall

Trihomed DMZ Firewall (3-Leg Firewall)

Unihomed Web Caching-only Firewall (Single NIC template)

In this section we’ll go over the details of each Network Template, what they do and how they work.

Edge Firewall Template

The Edge Firewall Template is applied when the ISA firewall is on the Internet edge of the corporate network. The Internet edge is where the ISA firewall has a network interface directly connected to the Internet, and at least one other network interface connected to a network under your administrative control. The Edge Firewall Template assumes that you have at least one External interface and at least one Internal interface.

You will find the following key changes made to the ISA firewall configuration after running the Edge Firewall Template:

A Network Rule is created that sets the route relationship between the Internal and VPN Clients Networks as Route.

The default Internal Network remains; the Template does not remove the default Internal Network that you created during installation of the ISA firewall.

The Edge Firewall Template is the one that most closely preserves your default networking settings.

The policies in Table 4.6 are available to you when you run the Edge Firewall Template. Be very sure that you understand each of these policies before running the template. Then after running the template, review your firewall policies and make sure that you completely understand what you have done. We highly recommend that you begin with the Block all policy. This provides the most secure configuration and insures that you do not inadvertently create a security hole in your firewall. Later, you can create Access Rules and Publishing Rules on the ISA firewall to control outbound and inbound access. Table 4.6 describes the Firewall Policies Available with the Edge Firewall Template.

Perform the following steps to apply the Edge Firewall Template:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.

In the Networks node, click the Templates tab in the Task pane. The top-listed Network Template is the Edge Firewall Template. Click the Edge Firewall Template.

Click Next on the Welcome to the Network Template Wizard page.

On the Export the ISA Server Configuration page you have the option of backing up your current ISA firewall’s configuration. This is a valuable feature because the Network Template will overwrite the current Network configuration and Firewall Policy. If you back up the current configuration, you can restore it very easily in the event that you don’t like what the Network Template Wizard does to your firewall. Click Export.

In the Export Configuration dialog box, enter a name for the current ISA firewall configuration in the File name text box. In this example, we’ll name the configuration file Pre-Edge Firewall Template. Notice that the configuration is saved in .xml format. You do not need to Export user permission settings or Export confidential information (encryption will be used) because you are not chaining user permissions with this template, and you are probably not going to use this backup file to move this ISA firewall’s configuration to another machine. You just want to back up the current Network and firewall policy. Click Export.

The Exporting dialog box appears. Click OK when the wizard informs you that it Successfully exported the configuration.

Click Next on the Export the ISA Server Configuration page.

On the Internal Network IP Addresses page, set the addresses that represent the Internal Network. The Network Template Wizard will pull the same addresses you used for your Internal Network when you installed the ISA firewall. You do have the option to add more addresses to the default Internal Network by using the Add, Add Adapter, and Add Private buttons. The Add button allows you to manually enter a range or ranges of addresses. The Add Adapter button allows you to leverage the Windows routing table to automatically add addresses to the Internal Network, and the Add Private button automatically adds entire network IDs to the addresses included in the default Internal Network. In this example, and in most situations, you will not change the addresses on this page. Click Next. See the Internal Network IP Addresses page in Figure 4.45.

Figure 4.45: Defining the IP addresses

On the Select a Firewall Policy page, select the appropriate firewall policy for your organization. Refer to Table X above for details on each Firewall Policy. We highly recommend that you select the Block All firewall policy, and then later manually configure firewall policy after you understand how the ISA firewall’s policies work. This will minimize the chance of you creating a configuration that is not as secure as you want. In this example, we’ll select the Block all Firewall Policy, and click Next.

Click Finish on the Completing the Network Template Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

At this point, no traffic is allowed inbound or outbound through the ISA firewall because we selected the most secure firewall policy in the Network Template. You can now customize the ISA firewall’s Firewall Policies to meet your organization’s needs.

Trihomed (3-Leg) or DMZ Template

The trihomed DMZ Template allows you to configure the ISA firewall with three or more network adapters to use the additional network adapters are Perimeter network or DMZ segments. The trihomed DMZ Network Template is interesting because it sets some interesting Network Rules, which might be counterintuitive to the majority of ISA firewall administrators.

After running the trihomed DMZ Network Template, you’ll find that:

A new Network Object, the Perimeter Network Object, is created.

A Network Rule named Perimeter Access sets a Route relationship from the Perimeter Network to the Internet

A Network Rule name Perimeter Configuration sets a NAT relationship between the Internal and VPN Clients network and the Perimeter Network.

The Network Rules are a bit problematic. The Perimeter Access Network Rule sets a route relationship between the Perimeter Network and the Internet. This means that you’ll need to use public addresses in the DMZ segment. You’re going to find that things don’t work the way you planned if you use private addresses in the DMZ segment. If you use this trihomed DMZ Network Template you’ll need to change the Perimeter Access Network Rule to NAT if you use private addresses in the DMZ segment. Even more problematic is that the Template sets the route relationship between the DMZ segment and the Internal network to NAT. While this is a reasonable configuration if you use public addresses on the DMZ segment, it isn’t our preferred configuration when private addresses are used on the DMZ segment.

The Perimeter Configuration Network Rule sets the route relationship between the Internal and VPN clients Networks to NAT. While NAT will work, it doesn’t work with all protocols, and you can run into issues that you wouldn’t have problems with if you chose a Route relationship between the Internal and VPN Clients Networks and the DMZ segment. If you use public addresses on the DMZ segment, then you need to leave the route relationship as NAT. But if you are using private addresses on the trihomed DMZ segment, then change the route relationship to Route.

You can choose from one of the policies listed in Table 4.7 when running the trihomed DMZ Network Template. Again, we highly recommend that you select the Block all firewall policy, and then configure the ISA firewall with the specific Access Rules and Publishing Rules required for your organization. Firewall policies are shown in Table 4.7 .

Perform the following steps to apply the Edge Firewall Template:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click on the Networks node.

In the Networks node, click the Templates tab in the Task Pane. Select the 3-Leg Perimeter Network Template by double-clicking it..

Click Next on the Welcome to the Network Template Wizard page.

On the Export the ISA Server Configuration page, you have the option of backing up your current ISA firewall’s configuration. This is a valuable feature because the Network Template will overwrite the current Network configuration and Firewall Policy. If you back up the current configuration, you can restore it very easily in the event that you don’t like what the Network Template Wizard does to your firewall. Click Export.

In the Export Configuration dialog box, enter a name for the current ISA firewall configuration in the File name text box. In this example, we’ll name the configuration file Pre-3-Leg Perimeter Template. Notice that the configuration is saved in .xml format. You do not need to Export user permission settings or Export confidential information (encryption will be used) because you are not chaining user permissions with this template, and you are probably not going to use this backup file to move this ISA firewall’s configuration to another machine. You just want to back up the current Network and firewall policy. Click Export.

The Exporting dialog box appears. Click OK when the wizard informs you that it Successfully exported the configuration.

Click Next on the Export the ISA Server Configuration page.

On the Internal Network IP Addresses page, configure a list of addresses that define the Internal Network. The addresses that appear by default are those addresses that you already defined as part of the Internal Network during the installation of the ISA firewall software. You have the option to add more addresses by clicking the Add, Add Adapter or Add Private button. We recommend that you use the Add Adapter button and avoid the use of the Add Private button. Click Next.

Configure the addresses that are part of the new DMZ segment on the Perimeter Network IP Addresses page. Again, you have the option of using the Add, Add Adapter or the Add Private buttons. In this example, we’ll use the Add Adapter button. Click Add Adapter.

Select the Adapter representing the DMZ interface, and the put a checkmark in the checkbox network to that adapter. It’s important that you select the adapter first. If you don’t, you will not see the correct information in the Network Interfaces Information box (Figure 4.46). This box shows the list of addresses that will be used to define the DMZ Network. Click OK.

Figure 4.46: Selecting the Network Adapter

Click Next on the Perimeter Network IP Addresses page.

On the Select a Firewall Policy page, select the firewall policy that applies to your organization’s requirements. We highly recommend that you select the Block all policy, and configure a policy based on your requirements later. Select the Block all policy, and click Next.

Click Finish on the Completing the Network Template Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Front Firewall Template

The Front Firewall Network Template is used when the ISA firewall is in front of another firewall. This makes the ISA firewall a front-end firewall and the firewall located behind the front-end ISA firewall is the back-end firewall. The back-end firewall can be an ISA firewall, or a third-party firewall; it will make no different to the front-end ISA firewall.

The Front Firewall Template makes some interesting assumptions about your network infrastructure and the characteristics of the network located behind the front-end ISA firewall. These include:

The Front Firewall Template assumes that the network behind the ISA firewall is a perimeter network. After running the Front Firewall Template, the front-end ISA firewall will not have an “Internal” network defined. The new Perimeter Network defined by the Template will replace the role of the former default Internal Network.

A new Network Rule named Perimeter Access is created. This Network Rule sets a route relationship between the Perimeter and VPN Clients Network and the External network. The assumption is that you’ll be using public addresses on the network behind the front-end ISA firewall. If you’re not using public addresses on the network behind the front-end ISA firewall, this default Network Rule is going to cause problems. If you’re using private addresses on the network behind the front-end ISA firewall, change the route relationship in the Perimeter Access Network Rule to NAT.

An issue that you’ll have to deal with in certain circumstances when you have a front-end ISA firewall is the “network within a Network” issue. If you have a route relationship between the perimeter network and the network behind the back-end ISA firewall, then you’ll need to include all the addresses in the network behind the back-end ISA firewall in the definition of the Perimeter Network on the front-end ISA firewall.

The last issue deserves more attention, as the issue might not be immediately evident. Figure 4.47 shows an example of a front-end/back-end ISA firewall configuration where both firewalls are ISA firewalls.

Figure 4.47: Route Relationships in a Network behind a Network

In this example the back-end ISA firewall defines its Internal Network as 10.0.0.0/24, and the perimeter network is part of its default External network. Note that you don’t have to define the perimeter network as part of the default External network on the back-end ISA firewall. You could actually create a new Network Object called Perimeter Network and assign the network ID of the perimeter network to that Network Object. However, in this example, we’ll just assume that the perimeter network is part of the back-end ISA firewall’s default external network. There is also a Network Rule on the back-end ISA firewall that sets a Route relationship between the back-end ISA firewall’s Internal Network and its External Network.

The front-end ISA firewall has had the Front Firewall Template applied to it, so it doesn’t have an Internal network. Instead, the Internal Network has been replaced by the Perimeter Network, as we discussed earlier. The addresses included in the front-end ISA firewall’s Perimeter Network include all those in the Network ID of the perimeter network, which in this case is 192.168.1.0/24. On the front-end ISA firewall there is a NAT relationship between the perimeter network and the Internet.

Now imagine that a host on the Internal network behind the back-end ISA firewall tries to connect to resources on the Internet. What will happen? Since there is a Route relationship between the back-end ISA firewall’s Internal Network and the perimeter network, the source IP address of the host on the Internal network will be retained. When the front-end ISA firewall receives the connection request, it will see the Internal Network host’s original IP address and assume that the connection is using a spoofed address and deny the connection attempt.

Why? Because ISA firewalls always detect a spoof when it receives a packet on an interface from an IP address that is not reachable from that interface. Since the front-end ISA firewall does not have a definition for network ID 10.0.0.0/16, it makes it part of its default External Network. Since External Network hosts cannot connect directly with the Internal interface of the ISA firewall, the front-end ISA firewall drops the connection because it thinks it’s a spoof. This is a good thing, as the ISA firewall’s spoof detection is a key component of its IDS/IPS system.

You can correct this problem by adding the back-end ISA firewall’s Internal Network addresses to the front-end ISA firewall’s list of addresses for the perimeter Network and add a route for the back-end ISA firewall’s internal network into the front-end ISA firewall’s routing table. Now the front-end ISA firewall knows that the back-end ISA firewall’s Internal Network is reachable from the front-end ISA firewall’s Perimeter Network interface, and it will not drop the connection as a spoofed packet.

It’s important to note that this is still a secure configuration. The ISA firewall is still able to detect truly spoofed packets on all interfaces, including the External interface.

Table 4.8 shows the Firewall Policy options you have with the Front Firewall Network Template. Again, we strongly encourage you to use the Block all template, and then create your own custom firewall policies so that they precisely match your organization’s requirements.

Perform the following steps to apply the Edge Firewall Template:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.

In the Networks node, click the Templates tab in the Task pane. Select the Front Firewall Network Template by double-clicking it.

Click Next on the Welcome to the Network Template Wizard page.

On the Export the ISA Server Configuration page, you have the option of backing up your current ISA firewall’s configuration. This is a valuable feature because the Network Template will overwrite the current Network configuration and Firewall Policy. If you back up the current configuration, you can restore it very easily in the event that you don’t like what the Network Template Wizard does to your firewall. Click Export.

In the Export Configuration dialog box, enter a name for the current ISA firewall configuration in the File name text box. In this example we’ll name the configuration file Pre-Front Firewall Template. Notice that the configuration is saved in .xml format. You do not need to Export user permission settings or Export confidential information (encryption will be used) because you are not chaining user permissions with this template, and you are probably not going to use this backup file to move this ISA firewall’s configuration to another machine. You just want to back up the current Network and firewall policy. Click Export.

The Exporting dialog box appears. Click OK when the wizard informs you that it Successfully exported the configuration.

Click Next on the Export the ISA Server Configuration page.

On the Perimeter Network IP Addresses page, configure a list of addresses that define the Internal Network. The addresses that appear by default are those addresses that you defined as part of the Internal Network during the installation of the ISA firewall software. You have the option to add more addresses by clicking Add, Add Adapter or Add Private. We recommend that you use the Add Adapter button, and avoid the use of the Add Private button. Click Next.

On the Select a Firewall Policy page, select the firewall policy that applies to your organization’s requirements. We highly recommend that you select the Block all policy, and configure a policy based on your requirements later. Select the Block all policy, and click Next.

Click Finish on the Completing the Network Template Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Back Firewall Template

The Back Firewall Template is very similar to the Edge Firewall Template. The main difference between the Edge Firewall Template and the Back Firewall Template is that the network diagram in the Microsoft Internet Security and Acceleration Server 2004 management console is different, depending on which template you select. Figure 4.48 shows the network diagram for the Back Firewall Template and the Figure 4.49 shows the network diagram for the Edge Firewall Template.

Figure 4.48: Network Diagram for Back Firewall Template

Figure 4.49: Network Diagram for Edge Firewall Template

Firewall Polices you can choose from when using the Back Firewall Template are listed in Table 4.9. We recommend that you choose the Block all template, and then create custom policies based on your organization’s security requirements.

Perform the following steps to apply the Back Firewall Template:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click on the Networks node.

In the Networks node, click the Templates tab in the Task pane. Double-click the Back Firewall Template.

Click Next on the Welcome to the Network Template Wizard page.

On the Export the ISA Server Configuration page, you have the option of backing up your current ISA firewall’s configuration. This is a valuable feature because the Network Template will overwrite the current Network configuration and Firewall Policy. If you back up the current configuration, you can restore it very easily in the event that you don’t like what the Network Template Wizard does to your firewall. Click Export.

In the Export Configuration dialog box, enter a name for the current ISA firewall configuration in the File name text box. In this example we’ll name the configuration file Pre-Edge Firewall Template. Notice that the configuration is saved in .xml format. You do not need to Export user permission settings or Export confidential information (encryption will be used) because you are not chaining user permissions with this template, and you are probably not going to use this backup file to move this ISA firewall’s configuration to another machine. You just want to back up the current Network and firewall policy. Click Export.

The Exporting dialog box appears. Click OK when the wizard informs you that it Successfully exported the configuration.

Click Next on the Export the ISA Server Configuration page.

On the Internal Network IP Addresses page, set the addresses that represent the Internal Network. The Network Template Wizard will pull the same addresses you used for your Internal Network when you installed the ISA firewall. You have the option to add more addresses to the default Internal Network by using Add, Add Adapter and Add Private. The Add button allows you to manually enter a range or ranges of addresses. The Add Adapter button allows you to leverage the Windows routing table to automatically add addresses to the Internal Network, and the Add Private button automatically adds entire network IDs to the addresses included in the default Internal Network. In this example, and in most situations, you will not change the addresses on this page. Click Next.

On the Select a Firewall Policy page, select the appropriate firewall policy for your organization. Refer to Table 4.9 for details on each Firewall Policy. We highly recommend that you select the Block All firewall policy, and then later manually configure a firewall policy after you understand how the ISA firewall’s policies work. This will minimize the chance of creating a configuration that is not as secure as you want. In this example, we’ll select the Block all Firewall Policy, and click Next. Figure 4.50 depicts Selecting a Firewall Policy.

Figure 4.50: Selecting a Firewall Policy

Click Finish on the Completing the Network Template Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Single Network Adapter or Unihomed Network Template

The Single Network Adapter Network Template is used when you want to run the ISA firewall with a single NIC. You do not need to run the Single Network Adapter Template if you installed the ISA firewall on a single NIC machine. You will need to create your on Access Policy, which is our preferred method of configuring the ISA firewall. The Single Adapter Network Template does not create an Access Policy.

The Single Network Adapter Template can be run on machines that have multiple Network Interface cards. If the machine has multiple NICs, you will need to disable all NICs except for one. However, if you use multiple network interfaces, keep in mind that all interfaces are considered Internal and that there are no addresses that are considered external to the machine with a single NIC template applied to it.

Some important considerations regarding the Single Network Adapter Template are:

After the Template is applied to the ISA firewall, all addresses will be considered Internal. The Single NIC ISA firewall has no conception of Internal or External, since there is only a single interface. All Access Rules will have the source and destination networks as Internal.

Only the HTTP, HTTPS, and Web Proxy tunneled FTP protocols are supported on a single NIC ISA firewall.

You cannot use the Firewall client when the ISA firewall has a single NIC. This means you lose the significant protection, access control, and enhanced logging capabilities provided when the Firewall client is installed on client workstations.

The machine is used only for forward and reverse Web Proxy and caching. You cannot create additional protocols and you cannot create Access Rules supporting non-“Web” protocols.

The ISA firewall’s strong firewall capabilities are retained to the extent that the firewall is able to protect itself. No connections can be made to the ISA firewall until you create Access Rules that compromise the security of the ISA firewall itself.

You cannot make the ISA firewall a VPN server.

You cannot create Server Publishing Rules, only Web Publishing Rules.

We recommend that you use the unihomed (single NIC) ISA firewall configuration only when you have another ISA firewall in production on the network. The other ISA firewall provides the strong stateful filtering and strong stateful application-layer inspection, and the single NIC ISA firewall takes over the processing overhead for SSL-to-SSL bridging (we’ll discuss this in more detail in Chapter 8 on Publishing Servers to the Internet).

Perform the following steps to apply the Single Network Adapter Template:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click on the Networks node.

In the Networks node, click the Templates tab in the Task pane. Double-click the Single Network Adapter Template.

Click Next on the Welcome to the Network Template Wizard page.

On the Export the ISA Server Configuration page, you have the option of backing up your current ISA firewall’s configuration. This is a valuable feature because the Network Template will overwrite the current Network configuration and Firewall Policy. If you back up the current configuration, you can restore it very easily in the event that you don’t like what the Network Template Wizard does to your firewall. Click Export.

In the Export Configuration dialog box, enter a name for the current ISA firewall configuration in the File name text box. In this example, we’ll name the configuration file Pre-Single NIC Template. Notice that the configuration is saved in .xml format. You do not need to Export user permission settings or Export confidential information (encryption will be used) because you are not chaining user permissions with this template, and you are probably not going to use this backup file to move this ISA firewall’s configuration to another machine. You just want to back up the current Network and firewall policy. Click Export.

The Exporting dialog box appears. Click OK when the wizard informs you that it Successfully exported the configuration.

Click Next on the Export the ISA Server Configuration page.

On the Internal Network IP Addresses page (Figure 4.51), you see a list of all addresses in the IPv4 range with the exception of the addresses in the loopback network. Click Next.

Figure 4.51: Defining the IP addresses

On the Select a Firewall Policy page, you have the choice of a single Default NIC policy. Select that policy and click Next.

Click Finish on the Completing the Network Template Wizard page.

Dynamic Address Assignment on the ISA Firewall’s External Interface

Many smaller organizations do not have static IP addresses that they can assign to the external interface of the ISA firewall. The ISA firewall does support dynamic address assignment on any of its interfaces. We strongly recommend that you never use dynamic address assignment on any interface except the external interface of the ISA firewall.

You will need to change the System Policy on the ISA firewall in order to obtain a dynamic address on the external interface. Perform the following steps to make the required changes to System Policy:

Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and click the Firewall Policy node.

On the Firewall Policy Node, click the Tasks tab in the Task pane. In the System Policy Tasks group, click the Show System Policy Rules link.

The System Policy Rules appear before the Firewall Policy rules that you create. Right-click Policy Rule #8 Allow DHCP replies from DHCP server to ISA Server and click Edit System Policy.

The System Policy Editor opens and the focus is on the DHCP entry in the Network Services group in the Configuration Groups section. Click the From tab.

On the From tab, click Add.

In the Add Network Entities dialog box, click the New menu. Click Computer.

In the New Computer Rule Element dialog box, enter a name for your public DHCP server in the Name text box. In this example we’ll name it ISP DHCP Server. Enter the IP address of your ISP’s DHCP server in the Computer IP Address text box. Enter a description for this Computer Object in the Description (optional) text box. Click OK.

In the Add Network Entities dialog box, click the Computers folder, and then double-click your ISP DHCP server entry. If you don’t yet know the IP address of your ISP’s DHCP server, you can click the Networks folder and double-click the External network. Click Close.

Click OK in the System Policy Editor.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Now set your external interface to use dynamic address assignment. If you run Network Monitor on the external interface of the ISA firewall, you’ll see something like the following (Figure 4.52):

Figure 4.52: Network Monitor Trace of DHCP Conversation

If you do not know the IP address of your DHCP server, you can find that out by using the ipconfig /all command. The resulting printout will display the IP address of your ISP’s DHCP server.

Dial-up Connection Support for ISA firewalls, Including VPN Connections to the ISP

Some organizations are in locations where ISP support is very limited. These companies must use a dial-up modem connection or a VPN connection in order to connect to their local ISP. The ISA firewall supports dial-up connections to the Internet. The dial-up connection can be an analog modem connection or a VPN connection. Both type of connections are configured in the ISA firewall’s Network Connections window. The connection you create is known as a connectoid, and the connectoid appears in the Network Connections window as an icon.

You then configure the ISA firewall to use the connectoid. One of the most common issues we see with new ISA firewall administrators is that they only create the connectoid and expect the ISA firewall to use it, or they configure the dial-up connection in the Microsoft Internet Security and Acceleration Server 2004 management console but do not set it up in the Network Connections window.

There are two steps you need to perform to use a dial-up connection with the ISA firewall:

Create a dial-up connectoid

Configure the ISA firewall to use the connectoid

Create an Access Rule allowing the ISA firewall to use the VPN protocol (this is only required if you are using a VPN connection for the dial-up link)

We’ll go through an example of how to create a VPN connectoid and use that VPN connectoid in the ISA firewall’s dial-up configuration. This is a common scenario for DSL users in Europe. We’ll also discuss all the options available, so that dial-up modem users can also benefit from these instructions.

The first step is to create the VPN connectoid. Perform the following steps to create the VPN connectoid on a Windows Server 2003 machine. The procedures are very similar on Windows 2000 as well.

Right-click My Network Places on the desktop, and click Properties.

In the Network Connections window, click the New Connection Wizard link.

Click Next on the Welcome to the New Connection Wizard page.

On the Network Connection Type page, select the Connection to the network at my workplace, and click Next.

On the Network Connection page, select the Virtual Private Network connection option, and click Next.

On the Connection Name page, enter a name for the VPN connectoid in the Company Name text box. In this example, we’ll name the connectoid VPN to ISP, and click Next.

On the VPN Server Selection page, enter the IP address of your ISP’s VPN server in the Host name or IP address text box. Click Next.

On the Connection Availability page, select the Anyone’s use option, and click Next.

On the Completing the New Connection Wizard page, click Finish.

In the Connect VPN to ISP dialog box, click Properties.

In the Connect VPN to ISP dialog box, click the Options tab. In the Redialing options frame, put a checkmark in the Redial if line is dropped option. In the Redial attempts text box, enter 99. In the Time between redial attempts drop-down list, select 5 seconds. In the Idle time before hanging up drop-down list, select Never.

In the Connect VPN to ISP dialog box, enter the user name and password your ISP assigned to you when you purchased your account. Put a checkmark in the Save this user name and password for the following users checkbox. Select the Anyone who uses this computer option.

Click Connect to test the connectoid to confirm that you can connect to your ISP using this connectoid.

The next step is to configure the ISA firewall to use this connectoid:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click the General node.

On the General node, click the Specify Dial-Up Preferences link.

In the Dialing Configuration dialog box, you have the following options:

I will dial the connection myself Use this option when you want to dial the dial-up connection first before users on protected Networks can access the Internet through the connection. This requires operator intervention to initiate the connection, but after the connection is established, the connection can be configured to automatically redial if it is dropped. Use this option for VPN connections and for any connection where the automatic dialing doesn’t work for you properly.

Allow automatic dialing to this network This option allows the ISA firewall to automatically dial the connection in response to Web Proxy, Firewall, and SecureNAT clients on a protected Network behind the ISA firewall. Be careful with this option if you’re using a VPN connection. If you enable this option, and the connection doesn’t dial up correctly, then disable it and use the I will dial the connection myself option instead.

Configure this dial-up connection as the default gateway This option allows the ISA firewall to replace its current default gateway settings and use the VPN server it connects to as the new default gateway. This is the option you will use in the majority of cases if you are connecting to the ISP using a dial-up connection.

Use the following dial-up connection This option allows you to select the dial-up connectoid you created.

Use this account Enter the user account name that you used when you created the dial up connectoid. Do not enter local domain credentials. You must enter the actual credentials that your ISP assigned to you for your Internet account.

Click Apply, and then click OK.

If you use a VPN connection for your dial-up link, then you will need to create an Access Rule on the ISA firewall that allows the local host network to use the PPTP or L2TP/IPSec VPN protocol. If your ISP is using another VPN protocol (such as a proprietary IPSec NAT-T protocol), then you will need to create an access rule that allows the use of that protocol. Most ISPs should be using either PPTP or L2TP/IPSec for ease of use or for enhanced security.

Perform the following steps to create the Access Rule allowing the VPN connection: