Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create New Access Rule link. This brings up the Welcome to the New Access Rule Wizard page. Enter a name for the rule in the Access Rule name text box. In this example we'll create an 'All Open' Access Rule that allows all traffic from all hosts outbound from the default Internal Network to the default External Network. Click Next.
Warning | The 'All Open' rule we create in this example is for demonstration purposes and initial firewall testing only. After you confirm that your ISA firewall successfully connects you to the Internet, disable the 'All Open' rule and create Access Rules that match your network use policy. Outbound access control is just as important to your overall security posture as inbound access control, and the ISA firewall's user/group-based outbound access control is one of the features that sets it apart from most other firewalls. |
The Rule Action Page
On the Rule Action page you have two options: Allow or Deny. In contrast to ISA Server 2000, the new ISA firewall has the Deny option set as the default. In this example, we'll select the Allow option and click Next, as shown in Figure 7.1.

Figure 7.1: the Rule Action page
The Protocols Page
On the Protocols page, you decide what protocols should be allowed outbound from the source to destination location. You have three options in the This rule applies to list:
All outbound traffic This option allows all protocols outbound. Its effect depends on the client type that connects through the rule. For Firewall clients, it allows all protocols outbound, including secondary connections for protocols that are defined on the ISA firewall and for some that are not. For a SecureNAT client connecting through a rule that uses this option, outbound access is allowed only for protocols that are included in the ISA firewall's Protocols list. If a SecureNAT client cannot connect to a resource through a rule that uses this option, try creating a new Protocol Definition on the ISA firewall for the protocol it needs. If the protocol requires secondary connections, as FTP does, you must use the Firewall client or an application filter that supports that protocol for SecureNAT clients.
Selected protocols This option allows you to select the specific protocols to which you want this rule to apply. You can select from the default list of protocols included with the ISA firewall right out of the box, or you can create a new Protocol Definition 'on the fly'. You can select one protocol or multiple protocols for a single rule.
All outbound traffic except selected This option allows all protocols outbound (subject to the client-type limits described above) except the specific protocols you list. For example, you might want to allow Firewall clients outbound access to all protocols except those you explicitly deny because of corporate security policy, such as AOL Instant Messenger, MSN Messenger and IRC. See Figure 7.2.
Figure 7.2: The Protocols page
Highlight the Selected Protocols option and click the Add button. This brings up the Add Protocols dialog box. In the Add Protocols dialog box, you see a list of folders that group protocols based on their general use. For example, the Common Protocols folder contains protocols most commonly used when connecting to the Internet and the Mail Protocols folder is used to group protocols most commonly used when accessing mail services through the ISA firewall. The User-Defined folder contains all your custom protocols that you manually create on the ISA firewall. The All Protocols folder contains all protocols, both built-in and User-defined, configured on the ISA firewall.
Click the All Protocols folder and you'll see a list of all protocols configured on the ISA firewall. The ISA firewall comes with over 100 built-in Protocol Definitions you can use in your Access Rules, as shown in Figure 7.3.

Figure 7.3: the Add Protocols dialog box
If you need a protocol for which there isn't already a Protocol Definition, you can create one now by clicking the New menu. The New menu gives you the option to create a new Protocol or a new RPC Protocol. See the section earlier in this chapter on how to create new Protocol Definitions.
Once you identify a protocol you want to include in the rule, double click it. Double click any other protocols you want to include and then click Close in the Add Protocols dialog box. In this example we want to allow all protocols, so click Close in the Add Protocols dialog box without selecting any.
On the Protocols page, select the All outbound traffic option from the This rule applies to list and click Next.
The Access Rule Sources Page
On the Access Rule Sources page, select the source location to which this Access Rule should apply. Click the Add button to add the source of the communication to which this rule applies.
In the Add Network Entities dialog box you can choose the source location of the communication to which this Access Rule applies. If none of the source locations listed in the Add Network Entities dialog box works for you, you can create a new Network Object by clicking the New menu. Double click the location to which you want the rule to apply. Note that you can choose more than one source location by double clicking on multiple Network Objects.
In this example, click on the Networks folder to expand the folder and then double click on the Internal Network entry. Click Close to close the Add Network Entities dialog box as shown in Figure 7.4.

Figure 7.4: the Add Network Entities dialog box
Click Next on the Access Rule Sources page.
The Access Rule Destinations Page
On the Access Rule Destinations page, select the destination to which you want this rule to apply. Click the Add button to add a destination location. The Add Network Entities dialog box appears, and you can select a Network Object as the destination to which this Access Rule applies. As on the previous page of the Access Rule Wizard, you can create a new destination location by clicking the New menu.
In this example, we'll click on the Networks folder and then double click on the External entry. Click Close to close the Add Network Entities dialog box. Click Next on the Access Rule Destinations page.
The User Sets Page
On the User Sets page, you can set the users to which this Access Rule applies. The default setting is All Users. If you want to remove this User Set or any other one from the list of users to which this rule applies, select the User Set and click the Remove button. You can also edit a user set in the list by clicking the Edit button.
You can add a User Set to the list by clicking the Add button. In the Add Users dialog box, you can double click on a Firewall Group to which you want the rule to apply. You can also create new firewall groups by clicking the New menu and you can edit existing firewall groups by clicking the Edit menu.
In this example, we'll use the default setting, All Users. If you opened the Add Users dialog box, click Close, then click Next on the User Sets page as shown in Figure 7.5.

Figure 7.5: The User Sets page
The Completing the New Access Rule Wizard page appears next. Review your settings and click Finish.
Access Rule Properties
There are several options you can configure in an Access Rule that aren't exposed in the New Access Rule Wizard. You can select these options by going into the Properties dialog box of the Access Rule.
The Properties dialog box of an Access Rule contains the following tabs:
The General tab
The Action tab
The Protocols tab
The From tab
The To tab
The Users tab
The Schedule tab
The Content Types tab
Right click the Access Rule and click the Properties command.
The General Tab
The first tab you see is the General tab. You can change the name of the Access Rule by entering the new name in the Name text box. The rule can be enabled or disabled by placing or removing the checkmark in the Enable checkbox.
The Action Tab
The Action tab provides several options that were not exposed in the New Access Rule Wizard. The options available on the Action tab include:
Allow Choose this option if you want connections matching the characteristics of this rule to be allowed through the ISA firewall.
Deny Choose this option if you want connections matching the characteristics of this rule to be denied access through the ISA firewall.
Redirect HTTP requests to this Web page Choose this option if you want HTTP requests matching the characteristics of this rule to be redirected to another Web page. This option is only available if the rule is a Deny rule. When the user attempts to access a denied site, the request is automatically redirected to a Web page you configure in the text box below this option. Make sure that you enter the complete URL to which you want the user to be redirected, such as http://corp.domain.com/accesspolicy.
Log requests matching this rule Connection attempts matching the Access Rule are automatically logged after you create the rule. There may be times when you don't want to log all connections matching a particular rule. One example of when you would not want to log connections matching a rule is when you create a rule matching protocols you have little interest in investigating, such as NetBIOS broadcasts. Later in this chapter, we will describe a procedure you can use to reduce the size of your log files by creating an Access Rule that does not log connections matching NetBIOS broadcast protocols.
Figure 7.6 shows the contents of the Action tab.

Figure 7.6: The Action tab
The Protocols Tab
The Protocols tab provides many of the same options available in the New Access Rule Wizard. You have the same three options in the This rule applies to list: All outbound traffic, Selected protocols and All outbound traffic except selected. Use the Add button to add more protocols to the list, the Remove button to remove protocols you select in the Protocols list, and the Edit button to edit protocols you select in the Protocols list.
Note | You can edit only user-defined protocols. |
There are application filters that you can configure for any of the protocols you've included in the Protocols list on the Protocols tab. The filters available depend on the protocols you've included in the list. Click the Filters button to view the configurable filters for the list of protocols included in the Access Rule as shown in Figure 7.7.

Figure 7.7: The Protocols tab
You also have control over the source ports allowed to access resources through the ISA firewall via each Access Rule. Click the Ports button and you'll see the Source Ports dialog box. The default setting is Allow traffic from any allowed source port. If you have applications for which you can control the source port, or that always connect from a fixed source port, you can limit the source ports allowed to use the rule by selecting the Limit access to traffic from this range of source ports option and entering the From and To ports that represent the first and last ports in the range you want to allow. Bear in mind that the source port is chosen by the connecting host, so a source port restriction is a way to reduce accidental matches and noise, not a substitute for restricting the rule's sources, destinations and users. See Figure 7.8.

Figure 7.8: the Source Ports dialog box
The From Tab
On the From tab you have options similar to those seen in the New Access Rule Wizard. An option not available in the Wizard is the ability to create an exception. To add source locations to which this Access Rule should apply, click the Add button next to the This rule applies to traffic from these sources list. To remove a source location, click the location and then click the Remove button. To edit the characteristics of a location, click the Edit button.
You can apply the rule to all source locations in the This rule applies to traffic from these sources list except for the source locations you specify in the Exceptions list. For example, suppose the Access Rule is configured to deny outbound access to the PPTP VPN protocol for all machines on the Internal Network, but you want to allow machines that belong to the Remote Management Computers Computer Set to use this protocol. Add the Remote Management Computers Computer Set to the Exceptions list by clicking the Add button under that list; those machines are then carved out of the Deny rule and evaluated against the rules below it. Use the Remove and Edit buttons in the Exceptions list to remove and edit the locations in that list, as shown in Figure 7.9.

Figure 7.9: The From tab
The To Tab
The To tab provides functionality similar to the Access Rule Destinations page of the New Access Rule Wizard, with the additional option to set Exceptions to the destinations included in the This rule applies to traffic sent to these destinations list.
For example, suppose you create an Access Rule that allows outbound access to the HTTP protocol for all External sites, but you do not want to allow users access to the Hotmail Web mail site. You can create a Domain Name Set containing the domains required for Hotmail access and then use the Add button in the Exceptions section to add that Domain Name Set. The rule will then allow HTTP access to all sites except Hotmail; connections to the excepted domains are not denied by this rule but continue down the rule list, so make sure a later rule (or the Default rule) handles them the way you intend. See Figure 7.10.

Figure 7.10: The To Tab
The Users Tab
The Users tab allows you to add the firewall groups to which you want the Access Rule to apply, as shown in Figure 7.11. In addition, you have the option to add exceptions to the groups to which the rule applies. For example, you could configure the rule to apply to All Authenticated Users but exclude other firewall groups, such as the built-in System and Network Service group.

Figure 7.11: The Users tab
The Schedule Tab
On the Schedule tab, you set the times you want the rule to apply. The scheduling option isn't exposed in the New Access Rule Wizard interface. You can use one of the three default schedules: Always, Weekends or Work hours, or you can create a new custom schedule by clicking the New button, as illustrated by Figure 7.12.

Figure 7.12: The Schedule tab
The Content Types Tab
Another option not exposed in the New Access Rule Wizard is the ability to apply content type control over the connection. On the Content Types tab, you specify the content types to which the rule applies. Content Type constraints are applied only to HTTP connections; all other protocols ignore the settings on the Content Types tab.
The default setting is to have the rule apply to All content types. You can limit the content types the rule applies to by selecting the Selected content types option (with this option selected, the rule applies only to HTTP traffic) and putting a checkmark in the checkboxes next to the content types to which you want the rule to apply. See Figure 7.13.

Figure 7.13: The Content Types tab
Tip | If you unbind the Web Proxy filter from the HTTP protocol and then allow Firewall or SecureNAT client connections access to this rule, the connection attempt may fail because content inspection is dependent on the Web Proxy filter. |
Note | The name of the Access Rule appears in the title bar of that rule's Properties dialog box as you click from tab to tab. However, if you click the Content Types tab and then click other tabs, the title bar changes to Content Types Properties. The rule's name is not actually changed when you leave the dialog box. We prefer to think of this as an Easter Egg rather than a bug. |
The Access Rule Context Menu Options
There are several options to choose from when you right click an Access Rule. These options include the following:
Properties This option brings up the Access Rule's Properties dialog box.
Delete This option deletes the Access Rule.
Copy This option allows you to copy an Access Rule and then paste a copy of the rule into the Firewall policy.
Paste This option allows you to paste an Access Rule that you've copied.
Export Selected This option allows you to export the Access Rule to an .xml file. You can then import this file on another ISA firewall to replicate the rule to that machine.
Import to Selected This option allows you to import an Access Rule from an .xml file to the position selected in the Access Policy.
Move Up This option allows you to move the rule up the list of Access Rules.
Move Down This option allows you to move the rule down the list of Access Rules.
Disable This option allows you to disable the Access Rule while keeping it on the list of Access Rules, so that you can re-enable it later if you require it again.
Enable This option allows you to enable an Access Rule that you've disabled.
Configure HTTP This option appears when the Access Rule includes the HTTP protocol. It allows you to configure the HTTP Security Filter to exert access control over HTTP connections using the ISA firewall's application layer inspection mechanisms.
Configure FTP This option appears when the Access Rule includes the FTP protocol. When it is selected, you are presented with a dialog box that allows you to enable or disable FTP uploads.
Configure RPC Protocol This option appears when the Access Rule includes an RPC protocol. When it is selected, you are presented with a dialog box that allows you to enable or disable strict RPC compliance (which has the effect of disabling or enabling DCOM connections).
Tip | The Copy option is very useful if you want to avoid using the New Access Rule Wizard to create new rules. Right click an existing rule and click Copy. Right click the same rule and click Paste. The pasted copy will have the same name as the original with (1) appended. You can then right click the copy and click Properties, or double click it, and change the name and other characteristics of the rule. We find this useful when making small changes to Access Rules without losing the settings on the original rule: if the new rule doesn't work as expected, we delete it and return to the original. Try copying and pasting rules a few times to see how the process works for you. |
Configuring RPC Policy
When you create an Access Rule that allows outbound RPC, you have the option to configure RPC protocol policy. Access Rules that allow All IP Traffic also include RPC protocols. Right click the Access Rule and click Configure RPC protocol to configure RPC policy.
In the Configure RPC protocol policy dialog box, shown in Figure 7.14, you have a single option: Enforce strict RPC compliance. The default setting is enabled. When this setting is disabled, the RPC filter allows additional RPC-type protocols, such as DCOM. If you find that some RPC-based protocols do not work correctly through the ISA firewall, consider disabling this option, but only on a rule whose sources, destinations and users are scoped to the hosts that actually need it, since relaxing the filter widens what the rule lets through.

Figure 7.14: The Configure RPC Protocol Policy Dialog Box
RPC policy is configured on a per-rule basis. For example, you can enforce strict RPC compliance in one Access Rule and disable strict RPC compliance in another Access Rule in the ISA firewall's firewall policy.
Configuring FTP Policy
When you create an Access Rule that allows the FTP protocol, you have the option to configure FTP policy. Right click the Access Rule and click the Configure FTP command. This brings up the Configure FTP protocol policy dialog box, shown in Figure 7.15. By default, the Read Only checkbox is enabled. When this checkbox is enabled, FTP uploads are blocked. If you want to allow users to upload files using FTP, remove the checkmark from the checkbox.

Figure 7.15: The Configure FTP Protocol Policy Dialog Box
FTP policy is configured on a per-rule basis.
Configuring HTTP Policy
Whenever you create an Access Rule that allows HTTP connections, you have the option to configure HTTP policy. HTTP policy settings control the HTTP Security Filter. We discuss the configuration options available in the HTTP Security Filter in full detail in chapter 10.
Ordering and Organizing Access Rules
The ordering of Access Rules is important to ensure that your Access Policy works the way you expect it to. Rules are evaluated from the top of the list down, and the first rule that matches a connection decides it. We recommend the following ordering of Access Rules:
Put Web Publishing Rules and Server Publishing Rules on the top of the list
Place anonymous Deny Access Rules under the Web Publishing Rules and Server Publishing Rules. These rules do not require user authentication and do not require the client to be from a specific location (such as part of a Computer Set)
Place anonymous Allow Access Rules under the Anonymous Deny Access Rules. These rules do not require user authentication and do not require the client to be from a specific location (such as part of a Computer Set)
Place Deny Access Rules requiring authentication below the anonymous Allow Access Rules
Place Allow Access Rules requiring authentication below the Deny Access Rules requiring authentication.
If it is your intent to allow anonymous access for a protocol, any anonymous rule for that protocol must be placed above any Access Rule for the same protocol that requires authentication. If you place the authenticated Access Rule first, the connection request from an anonymous user (typically a SecureNAT client) for that protocol will be denied by that rule.
For example, suppose you have two Access Rules: one rule allows all users access to the HTTP protocol, and the second rule allows members of the EXECS firewall group access to the HTTP, HTTPS, FTP, IRC and MSN Messenger protocols. If you place the EXECS rule above the anonymous access rule, then all outbound HTTP connections will require authentication, and anonymous clients never reach the anonymous access rule below it. However, if you had an anonymous access rule for the NNTP protocol below the EXECS rule, an anonymous NNTP connection would be allowed, because NNTP does not match the characteristics of the EXECS rule and evaluation continues down the list.
We found this model a bit confusing at first. When we first started working with the ISA firewall, we assumed that when a rule applies to a particular firewall group, a connection request from a user who does not supply credentials would simply not match that rule, and the firewall would continue down the list until it found an anonymous Access Rule matching the connection parameters. This is not the case. Think of anonymous users as members of an 'Anonymous Users' group that never matches any group for which you require authentication: the first rule requiring authentication that matches the connection's protocol, source and destination denies the anonymous request.
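The following model is an added example, not code from the book or from ISA Server: it implements the matching behaviour described in the preceding paragraphs (first match wins, the From and To Exceptions lists carve hosts and destinations out of a rule, and an anonymous client that matches a rule requiring authentication is denied rather than passed to later rules) and a small checker for the recommended rule order. The rule and set names (EXECS, Remote Management Computers, Hotmail Domains) are the chapter's examples; the policy itself is constructed for illustration. One assumption beyond the text is marked in a comment: an authenticated user who is not in a rule's user sets is treated as not matching, and evaluation continues.

```python
"""Model of ISA Server 2004 Access Rule evaluation (added example, not ISA code)."""
from __future__ import annotations
from dataclasses import dataclass

ALL_USERS = "All Users"        # built-in user set; matches anonymous clients
DEFAULT_RULE = "Default rule"  # ISA's final, implicit deny-all rule


@dataclass(frozen=True)
class Request:
    protocol: str
    client_sets: frozenset            # networks / computer sets the client belongs to
    dest_sets: frozenset              # networks / domain name sets the destination is in
    groups: frozenset = frozenset()   # firewall groups of the authenticated user
    anonymous: bool = True            # True models a SecureNAT client: no credentials


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Allow" or "Deny"
    protocols: frozenset | None       # None models "All outbound traffic"
    sources: frozenset
    destinations: frozenset
    users: frozenset = frozenset({ALL_USERS})
    source_exceptions: frozenset = frozenset()       # From tab, Exceptions list
    destination_exceptions: frozenset = frozenset()  # To tab, Exceptions list
    enabled: bool = True

    def requires_auth(self) -> bool:
        return ALL_USERS not in self.users

    def matches_traffic(self, req: Request) -> bool:
        """Protocol, source and destination match, honouring both Exceptions lists."""
        if not self.enabled:
            return False
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if not (self.sources & req.client_sets) or (self.source_exceptions & req.client_sets):
            return False
        if not (self.destinations & req.dest_sets) or (self.destination_exceptions & req.dest_sets):
            return False
        return True


def evaluate(rules: list[Rule], req: Request) -> tuple[str, str]:
    """Return (action, rule name) from the first rule that decides the request."""
    for rule in rules:
        if not rule.matches_traffic(req):
            continue
        if rule.requires_auth():
            if req.anonymous:
                # The point the text makes: the anonymous client is denied here,
                # it does not fall through to an anonymous rule further down.
                return "Deny", rule.name
            if not (rule.users & req.groups):
                # Assumption beyond the text: an authenticated user outside the
                # rule's user sets does not match, and evaluation continues.
                continue
        return rule.action, rule.name
    return "Deny", DEFAULT_RULE


def ordering_rank(rule: Rule) -> int:
    """Recommended order: anonymous Deny, anonymous Allow, authenticated Deny,
    authenticated Allow (publishing rules are not modelled here)."""
    return {(False, "Deny"): 1, (False, "Allow"): 2,
            (True, "Deny"): 3, (True, "Allow"): 4}[(rule.requires_auth(), rule.action)]


def lint_order(rules: list[Rule]) -> list[str]:
    """Report rules placed below a rule of higher rank, and anonymous Allow rules
    that anonymous clients can never reach because an earlier authenticated rule
    covers the same protocol."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if ordering_rank(earlier) > ordering_rank(rule):
                findings.append(f"'{rule.name}' should be above '{earlier.name}'")
            overlap = (earlier.protocols is None or rule.protocols is None
                       or earlier.protocols & rule.protocols)
            if earlier.requires_auth() and not rule.requires_auth() and rule.action == "Allow" and overlap:
                findings.append(f"anonymous clients never reach '{rule.name}': '{earlier.name}' denies them first")
    return findings


# Constructed sample policy using the chapter's example names.
INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})
EXECS_RULE = Rule("EXECS Web access", "Allow",
                  frozenset({"HTTP", "HTTPS", "FTP", "IRC", "MSN Messenger"}),
                  INTERNAL, EXTERNAL, users=frozenset({"EXECS"}))
ANON_HTTP = Rule("All users HTTP", "Allow", frozenset({"HTTP"}), INTERNAL, EXTERNAL,
                 destination_exceptions=frozenset({"Hotmail Domains"}))
ANON_NNTP = Rule("All users NNTP", "Allow", frozenset({"NNTP"}), INTERNAL, EXTERNAL)
DENY_PPTP = Rule("Deny PPTP", "Deny", frozenset({"PPTP"}), INTERNAL, EXTERNAL,
                 source_exceptions=frozenset({"Remote Management Computers"}))
ALLOW_PPTP = Rule("Management PPTP", "Allow", frozenset({"PPTP"}), INTERNAL, EXTERNAL)

WRONG_ORDER = [DENY_PPTP, EXECS_RULE, ANON_HTTP, ANON_NNTP, ALLOW_PPTP]
RIGHT_ORDER = [DENY_PPTP, ANON_HTTP, ANON_NNTP, ALLOW_PPTP, EXECS_RULE]


def securenat(protocol: str, client: frozenset = INTERNAL, dest: frozenset = EXTERNAL) -> Request:
    """A SecureNAT client request: no credentials are ever supplied."""
    return Request(protocol, client, dest)


if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, securenat("HTTP")))   # ('Deny', 'EXECS Web access')
    print(evaluate(RIGHT_ORDER, securenat("HTTP")))   # ('Allow', 'All users HTTP')
    print(evaluate(WRONG_ORDER, securenat("NNTP")))   # ('Allow', 'All users NNTP')
    for finding in lint_order(WRONG_ORDER):
        print(finding)
```

Run it as a script to see the two orderings side by side; the lint output for WRONG_ORDER names the anonymous HTTP rule that SecureNAT clients never reach, while RIGHT_ORDER produces no findings.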
How to Block Logging for Selected Protocols
You may want to prevent the ISA firewall from logging information about certain protocols that reach the firewall. Common examples are the NetBIOS broadcast protocols: NetBIOS Name Service and NetBIOS Datagram. Both of these protocols regularly broadcast to the local subnet broadcast address and can fill the ISA firewall's Firewall Service log with information that isn't very useful to the ISA firewall administrator.
You can create an Access Rule that includes these protocols and then configure the Access Rule to not log information about connections associated with the rule. For example, you can perform the following procedure to block logging of these NetBIOS protocols:
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
In the Task Pane, click the Tasks tab and click the Create New Access Rule link.
On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we'll name the rule Block NetBIOS Logging. Click Next.
Select the Deny option on the Rule Action page and click Next.
On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
In the Add Protocols dialog box, click the Infrastructure folder. Double click the NetBIOS Datagram and NetBIOS Name Service entries. Click Close.
Click Next on the Protocols page.
On the Access Rule Sources page, click the Add button.
In the Add Network Entities dialog box, click the Computer Sets folder and then double click the Anywhere entry. Click Close.
Click Next on the Access Rule Sources page.
On the Access Rule Destinations page, click the Add button.
In the Add Network Entities dialog box, click the Computer Sets folder. Double click the Anywhere entry and click Close.
Click Next on the Access Rule Destinations page.
Click Next on the User Sets page.
Click Finish on the Completing the New Access Rule Wizard page.
Right click the Block NetBIOS Logging rule and click Properties.
In the Block NetBIOS Logging Properties dialog box, remove the checkmark from the Log requests matching this rule checkbox.
Click Apply and then click OK.
Click Apply to save the changes and update the firewall policy.
Click OK in the Apply New Configuration dialog box.
The rule you created in this example not only prevents logging of NetBIOS broadcasts, but also blocks these protocols to and from the ISA firewall. Thus, you get two benefits from one rule. Because the rule denies NetBIOS Name Service and NetBIOS Datagram from Anywhere to Anywhere, make sure it sits below any Access Rule or Server Publishing Rule that legitimately needs these protocols through the firewall; with logging turned off for this rule, connections it blocks will not show up in the Firewall Service log when you troubleshoot.
Disabling Automatic Web Proxy Connections for SecureNAT Clients
There may be times when you want Firewall and SecureNAT clients to bypass the Web Proxy service. By default, HTTP connections from SecureNAT and Firewall clients are automatically forwarded to the Web Proxy filter. The advantage of this configuration is that both SecureNAT and Firewall clients benefit from the ISA firewall's Web Proxy cache (when caching is enabled on the ISA firewall).
The problem is that some poorly written Web sites do not work through a CERN-compliant Web proxy. You can solve this problem by configuring these sites for Direct Access and then unbinding the Web Proxy filter from the HTTP protocol.
Perform the following steps to disable automatic Web Proxy connections for Firewall and SecureNAT clients:
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node in the left pane of the console.
In the Task Pane, click the Toolbox tab. On the Toolbox tab, click the Common Protocols folder and double click the HTTP protocol.
In the HTTP Properties dialog box, click the Parameters tab.
On the Parameters tab, remove the checkmark from the Web Proxy Filter checkbox. Click Apply and then click OK.
Click Apply to save the changes and update the firewall policy.
Click OK in the Apply New Configuration dialog box.
One side effect of bypassing the Web Proxy filter is that HTTP Policy is not applied to the SecureNAT and Firewall clients. However, HTTP Policy is applied to machines that are explicitly configured as Web Proxy clients, even when the Firewall, SecureNAT and Web Proxy clients access the site using the same Access Rule.
For example, suppose you create a rule named HTTP Access that allows all users on the Internal network access to all sites on the External Network using the HTTP protocol, and you configure HTTP Policy for this rule to block connections to the www.spyware.com domain. When Web Proxy clients attempt to connect to www.spyware.com, the HTTP Access rule blocks the connection. However, when SecureNAT and Firewall clients attempt to access www.spyware.com through the same rule (with the Web Proxy Filter unbound from the HTTP protocol), the rule lets them through, because the HTTP Security Filter never sees their traffic.
Another side effect of unbinding the Web Proxy Filter from the HTTP Protocol Definition is that the configuration interface for the HTTP filter (the Configure HTTP policy for rule dialog box) is removed from the Microsoft Internet Security and Acceleration Server 2004 management console. For rules that already have an HTTP policy configured, that policy is still enforced on Web Proxy clients. However, to change HTTP Policy on an existing rule, or to configure HTTP policy on new Access Rules, you need to re-bind the Web Proxy Filter to the HTTP Protocol Definition. You can unbind it again after configuring the HTTP policy.
Of course, you could just configure all clients as Web Proxy clients (which is our recommendation) and avoid the administrative overhead.
Warning | The HTTP Policy configuration interface is also removed from Web Proxy rules when the Web Proxy Filter is unbound from the HTTP Protocol Definition. |