The Post-installation System Policy - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources]
Thomas W. Shinder; Debra Littlejohn Shinder
The Post-installation System Policy




The ISA firewall's System Policy is a collection of Access Rules controlling access to and from the Local Host network, that is, to and from the ISA firewall machine itself. You do not configure System Policy for network access between any other hosts. One of the most common errors made by new ISA firewall administrators is to use System Policy to control access from Protected Network hosts to non-Protected Network hosts; that traffic is governed by the user-defined Access Rules, not by System Policy.




Table 6.6 shows the list of System Policy rules and their status after installing the ISA firewall software. The Order/Comments column includes our advice regarding configuration of the specific System Policy Rule.
Table 6.6: Default Post-installation System Policy

Each entry gives the rule's Order and the authors' comments on the first line, followed by the Name, Action, Protocols, From/Listener, To and Condition columns of the rule.

1. Is the ISA firewall a member of the domain? If not, disable this rule.
   Name: Allow access to directory services for authentication purposes
   Action: Allow
   Protocols: LDAP; LDAP (UDP); LDAP GC (Global Catalog); LDAPS; LDAPS GC (Global Catalog)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

2. If no one is going to use the remote MMC to manage the ISA firewall, disable this rule.
   Name: Allow remote management from selected computers using MMC
   Action: Allow
   Protocols: Microsoft Firewall Control; NetBIOS Datagram; NetBIOS Name Service; NetBIOS Session; RPC (all interfaces)
   From/Listener: Remote Management Computers
   To: Local Host
   Condition: All Users

3. Confirm that the Remote Management Computers Computer Set has the addresses of the hosts that will manage the ISA firewall; if you don't want to allow RDP management of the ISA firewall, disable this rule.
   Name: Allow remote management from selected computers using Terminal Server
   Action: Allow
   Protocols: RDP (Terminal Services)
   From/Listener: Remote Management Computers
   To: Local Host
   Condition: All Users

4. (Disabled by default) Enable this rule if you want to log to SQL servers.
   Name: Allow remote logging to trusted servers using NetBIOS
   Action: Allow
   Protocols: NetBIOS Datagram; NetBIOS Name Service; NetBIOS Session
   From/Listener: Local Host
   To: Internal
   Condition: All Users

5. Will you be using RADIUS authentication? If not, disable this rule.
   Name: Allow RADIUS authentication from ISA Server to trusted RADIUS servers
   Action: Allow
   Protocols: RADIUS; RADIUS Accounting
   From/Listener: Local Host
   To: Internal
   Condition: All Users

6. Will the ISA firewall be authenticating users? If not, disable this rule.
   Name: Allow Kerberos authentication from ISA Server to trusted servers
   Action: Allow
   Protocols: Kerberos-Sec (TCP); Kerberos-Sec (UDP)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

7. This rule must be enabled so that the ISA firewall can initiate DNS queries.
   Name: Allow DNS from ISA Server to selected servers
   Action: Allow
   Protocols: DNS
   From/Listener: Local Host
   To: All Networks (and Local Host)
   Condition: All Users

8. If the ISA firewall isn't going to act as a DHCP client, disable this rule.
   Name: Allow DHCP requests from ISA Server to all networks
   Action: Allow
   Protocols: DHCP (request)
   From/Listener: Local Host
   To: Anywhere
   Condition: All Users

9. If the ISA firewall isn't going to act as a DHCP client, disable this rule.
   Name: Allow DHCP replies from DHCP servers to ISA Server
   Action: Allow
   Protocols: DHCP (reply)
   From/Listener: Internal
   To: Local Host
   Condition: All Users

10. Confirm that you have configured the proper IP addresses for the Remote Management Computers Computer Set.
   Name: Allow ICMP (PING) requests from selected computers to ISA Server
   Action: Allow
   Protocols: Ping
   From/Listener: Remote Management Computers
   To: Local Host
   Condition: All Users

11. This rule must be enabled so that the ISA firewall can carry out network management tasks via ICMP.
   Name: Allow ICMP requests from ISA Server to selected servers
   Action: Allow
   Protocols: ICMP Information Request; ICMP Timestamp
   From/Listener: Local Host
   To: All Networks (and Local Host Network)
   Condition: All Users

12. (Disabled by default) This rule is automatically enabled when you enable the ISA firewall's VPN server component.
   Name: Allow VPN client traffic to ISA Server
   Action: Allow
   Protocols: PPTP
   From/Listener: External
   To: Local Host
   Condition: All Users

13. (Disabled by default) This rule is automatically enabled when you enable a site-to-site VPN connection to this ISA firewall.
   Name: Allow VPN site-to-site traffic to ISA Server
   Action: Allow
   Protocols: NONE
   From/Listener: External; IPSec Remote Gateways
   To: Local Host
   Condition: All Users

14. (Disabled by default) This rule is automatically enabled when you enable a site-to-site VPN connection to this ISA firewall.
   Name: Allow VPN site-to-site traffic from ISA Server
   Action: Allow
   Protocols: NONE
   From/Listener: Local Host
   To: External; IPSec Remote Gateways
   Condition: All Users

15. Will you be trying to access file shares from the ISA firewall? If not, disable this rule.
   Name: Allow Microsoft CIFS from ISA Server to trusted servers
   Action: Allow
   Protocols: Microsoft CIFS (TCP); Microsoft CIFS (UDP)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

16. (Disabled by default) Enable this rule when you choose SQL logging.
   Name: Allow remote SQL logging from ISA servers
   Action: Allow
   Protocols: Microsoft SQL (TCP); Microsoft SQL (UDP)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

17. Unless you want to allow the ISA firewall to contact the Windows Update site itself, disable this rule. I prefer to download updates to a management machine, scan them, and then copy them out of band to the ISA firewall and install them from that.
   Name: Allow HTTP/HTTPS requests from ISA Server to specified sites
   Action: Allow
   Protocols: HTTP; HTTPS
   From/Listener: Local Host
   To: System Policy Allowed Sites
   Condition: All Users

18. (Disabled by default) This rule is enabled when you create an HTTP/HTTPS connectivity verifier.
   Name: Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers
   Action: Allow
   Protocols: HTTP; HTTPS
   From/Listener: Local Host
   To: All Networks (and Local Host Network)
   Condition: All Users

19. (Disabled by default) This rule is enabled if the Firewall client share is installed on the ISA firewall.
   Name: Allow access from trusted computers to the Firewall Client installation share on ISA Server
   Action: Allow
   Protocols: Microsoft CIFS (TCP); Microsoft CIFS (UDP); NetBIOS Datagram; NetBIOS Name Service; NetBIOS Session
   From/Listener: Internal
   To: Local Host
   Condition: All Users

20. (Disabled by default) Enable this rule if you want to perform remote performance monitoring of the ISA firewall.
   Name: Allow remote performance monitoring of ISA Server from trusted servers
   Action: Allow
   Protocols: NetBIOS Datagram; NetBIOS Name Service; NetBIOS Session
   From/Listener: Remote Management Computers
   To: Local Host
   Condition: All Users

21. Unless you plan to access file shares from the ISA firewall, disable this rule.
   Name: Allow NetBIOS from ISA Server to trusted servers
   Action: Allow
   Protocols: NetBIOS Datagram; NetBIOS Name Service; NetBIOS Session
   From/Listener: Local Host
   To: Internal
   Condition: All Users

22. Unless you plan to use RPC to connect to other servers, disable this rule.
   Name: Allow RPC from ISA Server to trusted servers
   Action: Allow
   Protocols: RPC (all interfaces)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

23. This rule allows the ISA firewall to send error reports to Microsoft.
   Name: Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites
   Action: Allow
   Protocols: HTTP; HTTPS
   From/Listener: Local Host
   To: Microsoft Error Reporting sites
   Condition: All Users

24. (Disabled by default) This rule should be enabled if SecurID authentication is enabled.
   Name: Allow SecurID authentication from ISA Server to trusted servers
   Action: Allow
   Protocols: SecurID
   From/Listener: Local Host
   To: Internal
   Condition: All Users

25. (Disabled by default) Enable this rule if you use MOM to monitor the ISA firewall.
   Name: Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent
   Action: Allow
   Protocols: Microsoft Operations Manager Agent
   From/Listener: Local Host
   To: Internal
   Condition: All Users

26. (Disabled by default) Enable this rule if you want the ISA firewall to download CRLs; this is required if the ISA firewall terminates any SSL connections.
   Name: Allow HTTP traffic from ISA Server to all networks (for CRL downloads)
   Action: Allow
   Protocols: HTTP
   From/Listener: Local Host
   To: All Networks (and Local Host)
   Condition: All Users

27. You should change this rule by allowing contact with a trusted NTP server in your organization. The Internal entry allows it to contact all servers anywhere in the world.
   Name: Allow NTP from ISA Server to trusted NTP servers
   Action: Allow
   Protocols: NTP (UDP)
   From/Listener: Local Host
   To: Internal
   Condition: All Users

28. If you don't plan on using SMTP to send alerts, you should disable this rule. If you do plan on sending SMTP alerts, you should replace the Internal destination with a specific computer that will accept SMTP messages from the ISA firewall.
   Name: Allow SMTP from ISA Server to trusted servers
   Action: Allow
   Protocols: SMTP
   From/Listener: Local Host
   To: Internal
   Condition: All Users

29. (Disabled by default) This rule is automatically enabled when Content Download Jobs are enabled.
   Name: Allow HTTP from ISA Server to selected computers for Content Download Jobs
   Action: Allow
   Protocols: HTTP
   From/Listener: Local Host
   To: All Networks (and Local Host)
   Condition: System and Network Service

30. Unless you plan on using the remote MMC, disable this rule.
   Name: Allow Microsoft communication to selected computers
   Action: Allow
   Protocols: All Outbound traffic
   From/Listener: Local Host
   To: Remote Management Computers
   Condition: All Users

The ISA firewall's System Policy Rules are evaluated before any user-defined Access Rules in the order listed in the Firewall Policy first column. View the ISA firewall's System Policy by clicking Firewall Policy in the left pane of the console and then clicking the Tasks tab. In the Tasks tab, click Show System Policy Rules. Click Hide System Policy Rules when you're finished viewing the firewall's system policy.
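The evaluation order just described, together with the point made at the start of this section (System Policy only ever concerns the Local Host network, and Internal-to-Internet access belongs in Access Rules), can be made concrete with a small model. The following Python is an added example written for this page; it is not ISA Server code and does not use the ISA administration COM API. The network and computer-set membership, the "Trusted NTP Servers" computer set, the Access Rule and the deliberately misplaced rule 31 are all constructed for the example; the three transcribed System Policy rows come from Table 6.6.

```python
"""Model of the System Policy evaluation described in the text (added example; this is
not ISA Server code and not its COM API).  System Policy rules are consulted first, in
Order, and only for connections to or from the Local Host network; everything else falls
through to the user-defined Access Rules and finally to the Default Rule, which denies."""
from dataclasses import dataclass, replace

# Network and computer-set membership is constructed for this example.  The names are
# the ones Table 6.6 uses, plus one hypothetical "Trusted NTP Servers" computer set.
NETWORKS = {
    "Local Host": {"192.168.1.1"},                            # the ISA firewall itself
    "Internal": {f"192.168.1.{i}" for i in range(2, 255)},    # addresses given during setup
    "Remote Management Computers": {"192.168.1.50"},          # computer set
    "Trusted NTP Servers": {"192.168.1.10"},                  # hypothetical computer set
}


def networks_of(ip):
    """Every network or computer set an address belongs to; anything unknown is External."""
    found = {name for name, members in NETWORKS.items() if ip in members}
    return found or {"External"}


@dataclass
class Rule:
    order: int
    name: str
    protocols: set          # Protocols column
    src: set                # From/Listener column (network or computer-set names)
    dst: set                # To column
    action: str = "Allow"   # every System Policy rule in Table 6.6 is an Allow rule
    enabled: bool = True


def matches(rule, src_ip, dst_ip, proto):
    return (rule.enabled and proto in rule.protocols
            and bool(networks_of(src_ip) & rule.src)
            and bool(networks_of(dst_ip) & rule.dst))


def evaluate(system_policy, access_rules, src_ip, dst_ip, proto):
    """Return (action, rule name) for one connection: System Policy first, then Access
    Rules in policy order, then the Default Rule."""
    touches_local_host = "Local Host" in (networks_of(src_ip) | networks_of(dst_ip))
    if touches_local_host:
        for rule in sorted(system_policy, key=lambda r: r.order):
            if matches(rule, src_ip, dst_ip, proto):
                return rule.action, f"System Policy {rule.order}: {rule.name}"
    for rule in access_rules:
        if matches(rule, src_ip, dst_ip, proto):
            return rule.action, rule.name
    return "Deny", "Default Rule"


def narrow_destination(rule, computer_set):
    """The authors' advice for rules 27 and 28: replace the broad Internal destination
    with a computer set holding only the servers the firewall should reach."""
    return replace(rule, dst={computer_set})


# Three rows of Table 6.6 (protocol names as the table gives them), plus a constructed
# rule that commits the common error the text warns about: System Policy used for
# Internal-to-Internet access.  It is never consulted, because neither end is Local Host.
SYSTEM_POLICY = [
    Rule(10, "Allow ICMP (PING) requests from selected computers to ISA Server",
         {"Ping"}, {"Remote Management Computers"}, {"Local Host"}),
    Rule(27, "Allow NTP from ISA Server to trusted NTP servers",
         {"NTP (UDP)"}, {"Local Host"}, {"Internal"}),
    Rule(28, "Allow SMTP from ISA Server to trusted servers",
         {"SMTP"}, {"Local Host"}, {"Internal"}, enabled=False),  # no SMTP alerts in use
    Rule(31, "Misplaced rule: Internal to External FTP (constructed mistake)",
         {"FTP"}, {"Internal"}, {"External"}),
]
# One constructed user Access Rule: this is where Internal-to-Internet access belongs.
ACCESS_RULES = [
    Rule(1, "Internal to Internet HTTP (access rule)", {"HTTP"}, {"Internal"}, {"External"}),
]


def hardened_policy():
    """System Policy after applying the NTP advice: rule 27 reaches the trusted set only."""
    return [narrow_destination(r, "Trusted NTP Servers") if r.order == 27 else r
            for r in SYSTEM_POLICY]


if __name__ == "__main__":
    cases = [
        ("192.168.1.1", "192.168.1.10", "NTP (UDP)"),   # ISA -> trusted NTP server
        ("192.168.1.1", "192.168.1.77", "NTP (UDP)"),   # ISA -> some other internal host
        ("192.168.1.50", "192.168.1.1", "Ping"),        # management station pings ISA
        ("192.168.1.77", "192.168.1.1", "Ping"),        # any other host pings ISA
        ("192.168.1.77", "203.0.113.5", "HTTP"),        # internal client to the Internet
        ("192.168.1.77", "203.0.113.5", "FTP"),         # only the misplaced rule would allow this
        ("192.168.1.1", "192.168.1.25", "SMTP"),        # ISA -> mail server, rule 28 disabled
    ]
    for label, policy in (("default", SYSTEM_POLICY), ("hardened", hardened_policy())):
        for src, dst, proto in cases:
            print(f"{label:8} {src} -> {dst} {proto}: "
                  f"{evaluate(policy, ACCESS_RULES, src, dst, proto)}")
```

Running it shows the two behaviours the text cares about: with the default rule 27 the firewall may send NTP to any Internal address, and after narrow_destination only the trusted server is reachable; and the misplaced Internal-to-External rule never allows anything, because System Policy is only consulted for connections that touch Local Host.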

Warning

You can make changes to only some components of the ISA firewall's default System Policy. You will find that there are several instances where you cannot make changes to the ISA firewall's System Policy with the System Policy Editor.

You can edit the ISA firewall's System Policy by clicking Edit System Policy on the Tasks tab. This opens the System Policy Editor, as shown in Figure 6.12. For each System Policy Rule there is a General tab and a From or To tab. The General tab for each Configuration Group contains an explanation of the rule(s), and the From or To tab allows you to control protocol access to or from the ISA firewall machine itself.

Figure 6.12: The ISA Firewall's System Policy Editor
Table 6.7: Default Post-installation ISA Firewall System Configuration

Feature: User permissions
Default setting: Members of the Administrators group on the local computer can configure firewall policy. If the ISA firewall is a member of the domain, then the Domain Admins global group is automatically included in the local machine's Administrators group.

Feature: Definition of Internal network
Default setting: The Internal network contains the IP addresses you specified during setup of the ISA firewall software.

Feature: Network Rules
Default setting:
   Local Host Access: Defines a route relationship between the Local Host network and all networks. All connections between the Local Host network (that is, the ISA firewall machine itself) and other networks are routed instead of NATed.
   Internet Access: Defines a NAT (Network Address Translation) relationship from the Internal Network, the Quarantined VPN Clients Network and the VPN Clients Network to the External network. From each of these three Networks to the Internet, the connection is NATed. Access is allowed only if you configure the appropriate Access Rules.
   VPN Clients to Internal Network: Defines a route relationship between the VPN Clients Network and the Internal Network. Access is allowed only if you enable virtual private network (VPN) client access.

Feature: Firewall policy
Default setting: A default rule (named Default Rule) denies traffic between all networks.

Feature: System policy
Default setting: ISA Server is secure by default, while allowing certain critical services to function. Upon installation, some system policy rules are enabled to allow necessary services. We recommend that you review the system policy configuration and customize it so that only services critical to your specific deployment are enabled.

Feature: Web chaining
Default setting: A default rule (named Default Rule) specifies that all Web Proxy client requests are retrieved directly from the Internet.

Feature: Caching
Default setting: The cache size is set to 0. All caching is, therefore, disabled.

Feature: Alerts
Default setting: Most alerts are active. We recommend that you review and configure the alerts in accordance with your specific networking needs.

Feature: Client configuration
Default setting: When installed or configured, Firewall and Web Proxy clients have automatic discovery enabled. Web browser applications on Firewall clients are configured when the Firewall client is installed.