Chapter 7: Creating and Using ISA 2004 Firewall Access Policy
Introduction
The ISA firewall's Access Policy (also known as firewall policy) includes Web Publishing Rules, Server Publishing Rules and Access Rules. Web Publishing Rules and Server Publishing Rules are used to allow inbound access, and Access Rules are used to control outbound access.

The concepts of inbound and outbound access are somewhat more confusing with the new ISA firewall when compared to their interpretations in ISA Server 2000. The reason for this is that ISA Server 2000 was Local Address Table (LAT) based. The definitions of inbound and outbound access were relative to the LAT: inbound access was defined as incoming connections from non-LAT hosts to LAT hosts (external to internal). In contrast, the new ISA firewall does not have a LAT, and there is no comparable concept of an 'internal' network in the same way that there was an internal network defined by the LAT in ISA Server 2000.

In general, you should use Web Publishing Rules and Server Publishing Rules when you want to allow connections from hosts that are not located on an ISA firewall Protected Network to a host on an ISA firewall Protected Network. Access Rules are used to control access between any two networks. The only limitation is that you cannot create Access Rules to control access between networks that have a Network Address Translation (NAT) relationship when the initiating host is on the non-NATed side of the relationship.

For example, suppose you have a NAT relationship between the default Internal Network and the Internet. You can create Access Rules that control connections between the Internal Network and the Internet because the initiating hosts are on the NATed side of the network relationship. However, you cannot create an Access Rule between a host on the Internet and the Internal Network because the Internet hosts are on the non-NATed side of the network relationship.

In contrast, you can create Access Rules in both directions when there is a route relationship between the source and destination Networks. For example, suppose you have a route relationship between a DMZ segment and the Internet. In this case, you can create Access Rules controlling traffic between the DMZ and the Internet, and you can also create Access Rules that control traffic between the Internet and the DMZ segment.

The main job of the ISA firewall is to control traffic between source and destination networks. The ISA firewall's Access Policy permits clients on the source network to access hosts on a destination network, and Access Rules can also be configured to block hosts on a source network from connecting to hosts on a destination network. Access Policy determines how hosts access hosts on other networks.

This is a key concept: the source and destination hosts must be on different networks. The ISA firewall should never mediate communications between hosts on the same ISA network. We refer to this type of configuration as 'looping back through the ISA firewall'. You should never loop back through the ISA firewall to access resources on the same network.
When the ISA firewall intercepts an outbound connection request, it checks both Network Rules and firewall policy rules to determine if access is allowed. Network Rules are checked first. If there is no Network Rule defining a NAT or Route relationship between the source and destination networks, then the connection attempt will fail. This is a common reason for failed connections, and it is something you should check for when Access Policy does not behave the way you expect it to.

Access Rules can be configured to apply to specific source and/or destination hosts. Clients can be specified either by IP address (for example, by using Computer or Computer Set Network Objects) or by user name. The ISA firewall processes requests differently depending on which type of client is requesting the object and how the Access Rules are configured. When a connection request is received by the ISA firewall, the first thing the ISA firewall does is check to see if there is a Network Rule defining the route relationship between the source and destination networks. If there is no Network Rule, the ISA firewall assumes that the source and destination networks are not connected. If there is a Network Rule defining a route relationship between the source and destination networks, then the ISA firewall processes the Access Policy rules.

After the ISA firewall has confirmed that the source and destination networks are connected, Access Policy is processed. The ISA firewall processes the Access Rules in the Access Policy from the top down (System Policy is processed before user-defined Access Policy). If an Allow rule is associated with the outbound connection request, the ISA firewall will allow the request. In order for the Allow rule to be applied, the characteristics of the connection request must match the characteristics defined by the Access Rule. The Access Rule will match the connection request if the connection request matches the following Access Rule parameters:
Protocol
From (source location, which can include a source port number)
Schedule
To (destination location, which can include addresses, names, URLs and other Network Objects)
Users
Content groups
If the settings for each of these parameters match those in the connection request, then the Access Rule will be applied to the connection. If the connection request doesn't match the parameters in the Access Rule, then the ISA firewall moves to the next rule in the firewall's Access Policy.
Warning: If there are no System Policy or user-defined Access Rules that apply to the connection request, then the Last Default rule is applied. This rule blocks all communications through the ISA firewall.
If the Access Rule matches the parameters in the connection request, then the next step is for the ISA firewall to check the Network Rules once again to determine if there is a NAT or Route relationship between the source and destination Networks. The ISA firewall also checks for any Web chaining rules (if a Web Proxy client requested the object) or for a possible firewall chaining configuration (if a SecureNAT or firewall client requested the object) to determine how the request will be serviced.
Tip: Web Chaining Rules and Firewall Chaining both represent methods of ISA firewall routing. Web Chaining Rules can be configured to forward requests from Web Proxy clients to specific locations, such as upstream Web Proxy servers. Firewall chaining allows requests from SecureNAT and Firewall clients to be forwarded to upstream ISA firewalls. Both Web Chaining and Firewall Chaining Rules allow the ISA firewall to bypass its default gateway configuration for specific connection requests from Web Proxy and Firewall clients.
For example, suppose you have an ISA firewall with two NICs: one NIC is connected to the Internet and the other is connected to the Internal Network. You have created a single 'All Open' rule which allows all users access to all protocols to connect to all sites on the Internet. This 'All Open' policy would include the following rules on the ISA firewall:
A Network Rule defining the route relationship between the source network (the Internal Network) and the destination Network (the Internet).
An Access Rule allowing all internal clients access to all sites at all times, using any protocol.
The default configuration is to NAT between the default Internal Network and the Internet. However, you can Route between the Internal Network (or any other network) and the Internet if you like, as long as you have public addresses on that network.
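As an added illustration (not from the book and not ISA Server's own code), the following Python model walks a constructed connection request through the order described above: Network Rule check first, then System Policy and user-defined Access Rules from the top down, then the Last Default rule. The network names, rule names, hosts, user and hours are invented sample data; the model also applies the NAT-direction and loop-back limitations from the start of the chapter.

```python
# Constructed model of the evaluation order this chapter describes (not ISA's
# own code): Network Rule check first, then System Policy, then user-defined
# Access Rules top-down, then the Last Default rule which blocks everything.
ANY = {"*"}  # wildcard: the rule element matches any value

class AccessRule:
    """One System Policy or user-defined rule; unspecified elements match anything."""
    def __init__(self, name, action, protocols=ANY, sources=ANY, destinations=ANY,
                 users=ANY, hours=range(24), content=ANY):
        self.name, self.action = name, action            # action: "Allow" or "Deny"
        self.hours = hours                               # Schedule, as hours of the day
        self.elements = {"protocol": protocols, "src_ip": sources, "dst": destinations,
                         "user": users, "content": content}  # Protocol, From, To, Users, Content

    def matches(self, req):
        return req["hour"] in self.hours and all(
            "*" in allowed or req[key] in allowed for key, allowed in self.elements.items())

def networks_connected(net_rules, src_net, dst_net):
    """net_rules: (source network, destination network, "NAT" | "Route"). Route works
    both ways; NAT only from the NATed side. Same network = loop back, never mediated."""
    if src_net == dst_net:
        return False
    for src, dst, relation in net_rules:
        if (src, dst) == (src_net, dst_net):
            return True
        if relation == "Route" and (src, dst) == (dst_net, src_net):
            return True
    return False

def evaluate(net_rules, system_policy, access_policy, req):
    """Return (decision, reason) for one connection request."""
    if not networks_connected(net_rules, req["src_net"], req["dst_net"]):
        return ("Deny", "no Network Rule between source and destination")
    for rule in system_policy + access_policy:  # System Policy is processed first
        if rule.matches(req):
            return (rule.action, rule.name)
    return ("Deny", "Last Default rule")

# Constructed sample: NAT from Internal to External, Route between DMZ and External.
NET_RULES = [("Internal", "External", "NAT"), ("DMZ", "External", "Route")]
POLICY = [AccessRule("Block FTP after hours", "Deny", protocols={"FTP"}, hours=range(18, 24)),
          AccessRule("All Open", "Allow")]

def sample_request(src_net, dst_net, protocol="HTTP", hour=10):
    # Constructed request carrying the fields an Access Rule is matched on.
    return {"src_net": src_net, "dst_net": dst_net, "src_ip": "10.0.0.5",
            "dst": "www.example.com", "user": "alice", "protocol": protocol,
            "hour": hour, "content": "text/html"}
```

Calling `evaluate(NET_RULES, [], POLICY, sample_request("External", "Internal"))` returns a Deny with no Network Rule, while the same request from "External" to "DMZ" reaches the 'All Open' rule because the DMZ relationship is a Route.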