MCSE Training Kit 10070100227 ISA Server2000 [Electronic resources] - Text version


Thomas Lee


Lesson 1 Creating an Access Policy with ISA Server


One of the primary functions of ISA Server is to connect your local network to the Internet while protecting your local network from malicious content originating from external sources. To customize this secure connectivity to suit your network needs, you can use ISA Server to create an access policy that permits internal clients access to specific Internet hosts. The access policy, together with the routing rules, determines how clients access the Internet.

After this lesson, you will be able to


Describe how ISA Server processes an outgoing request

Explain the conditions under which ISA Server processes requests from authenticated users from Firewall and Web Proxy clients

Select ISA Server system security levels


Estimated lesson time: 30 minutes

Controlling Outgoing Requests

When ISA Server processes an outgoing request, it checks routing rules, site and content rules, and protocol rules to determine whether access is allowed. A request is allowed only if both a protocol rule and a site and content rule allow the request and if there is no rule that explicitly denies the request. When ISA Server is installed in Firewall mode or Integrated mode, a predefined site and content rule is enabled, allowing access for all content types and to all sites. However, no protocol rules exist by default.

Protocol rules and site and content rules can be configured to apply either to originating client address sets (IP address ranges) or to specific users or groups requesting an object. ISA Server processes the requests differently depending on the client type (SecureNAT, Firewall, or Web Proxy) and on how ISA Server is configured.

For an outgoing request, rules and packet filters are processed in the following order:


Protocol rules

Site and content rules

IP packet filters

Routing rules or Firewall Chaining configuration


Figure 4.1 illustrates the processing flow for an outgoing Web request.


Figure 4.1 Processing access requests

ISA Server first checks the protocol rules before checking other rules or packet filters. ISA Server allows the request only if a protocol rule specifically allows the request and if no protocol rule specifically denies it.

After checking protocol rules, ISA Server checks the site and content rules. ISA Server allows the request only if a site and content rule specifically allows the request and if no site and content rule specifically denies it.

After checking site and content rules, ISA Server checks to determine whether an IP packet filter has been specifically configured to block the request. Note that, unlike protocol rules and site and content rules, IP packet filters do not need to be configured specifically to allow requests from client computers.

When it comes to Internet access, the behavior of the ISA Server computer is very different from that of the clients. IP packet filters are necessary to allow full Internet access from the ISA Server computer. In contrast to ISA Server clients, the ISA Server computer will not achieve full Internet access once you configure allow-type protocol rules and site and content rules. However, since IP packet filters are static, unlike rules, which are dynamic, you generally should not plan to use the ISA Server computer for regular Internet access. For this reason this book focuses on configuring secure Internet access for clients located behind ISA Server. (The subject of configuring IP packet filters is discussed in more detail in Lesson 5 of this chapter.)

Finally, ISA Server checks the routing rules (if a Web Proxy client has requested the object) or the Firewall Chaining configuration (if a SecureNAT or Firewall client has requested the object) to determine how the request should be serviced.

For example, assume that you installed ISA Server in Integrated or Firewall mode on a computer with two network cards, one connected to the Internet and the other connected to your local network. Your corporate guidelines allow all users access to all sites. In this case, your policy would consist simply of the following access policy rules:


A protocol rule. This allows all internal clients to use any protocol at all times.

A site and content rule. This allows everyone access to content on all sites at all times. Note that this rule allows internal clients access to the Internet without allowing external clients access to your network.


Configuring Access Policy

Access policies configured in ISA Server consist of site and content rules, protocol rules, and IP packet filters. You create standalone access policies for standalone servers. For an array, you can create an array-level access policy, an enterprise-level access policy, or a combination of rules at both the enterprise and array levels.

Access policy rules apply to all types of clients: Firewall clients, SecureNAT clients, and Web Proxy clients.

Rules and Authentication

Protocol rules and site and content rules can be configured to allow or to deny specific users access to chosen protocols, Internet sites, or content. When such rules are configured and enabled, each client request must be authenticated by ISA Server before the request can be allowed to pass through the ISA Server firewall. ISA Server handles authentication differently for SecureNAT, Firewall, and Web Proxy clients.

Unlike policy rules that are applied to specific users and groups, rules that are applied to specific client computers are enforced for all SecureNAT, Firewall, and Web Proxy clients. Rules that are applied to specific client computers are configured for client address sets, which are defined by IP address ranges and not by computer names. Since all client types provide the IP address of the client computer, all client types provide the information necessary for such rules to be successfully enforced.

SecureNAT Clients and Authentication

SecureNAT client requests include all non-Web Internet requests from clients that do not have Firewall Client installed. For example, mail and news requests are treated as SecureNAT sessions when the client computers on which the requests are made do not have the Firewall Client software enabled.

SecureNAT clients do not provide user name or computer name information to ISA Server when making a request. For this reason, all SecureNAT requests are denied passage through ISA Server when an access policy rule requires authentication.

For example, if your access policy consists of both a protocol rule and a site and content rule that allows access to all protocols and all sites at all times for members of the group Domain Users, a mail request from user John will be denied if John is making the request from a SecureNAT client, even if he is a member of the group Domain Users. Because SecureNAT requests cannot be authenticated, and because your access policy rules require authentication, all SecureNAT requests are denied categorically. For John to be granted non-Web Internet access under this access policy, he must have the Firewall Client software installed and enabled on the computer from which he requests access, and he must be a member of the group Domain Users.

Firewall Clients and Authentication

Firewall clients provide user name and computer name information to ISA Server when making a request. Therefore, access policy rules that require authentication can be enforced for Firewall Client sessions, and non-Web requests from Firewall clients are not rejected categorically, as is the case with SecureNAT clients.

For example, if your access policy consists of both a protocol rule and a site and content rule that allows access to all protocols and all sites at all times for members of the group Domain Users, then a mail request from the user John will be allowed to pass through the ISA Server firewall if (and only if) John is a member of the group Domain Users. Similarly, if there is an additional protocol rule denying access to user John, he will be denied access if he makes a non-Web request from a Firewall client.

Web Proxy Clients and Authentication

Web Proxy client requests are anonymous by default, but there are two conditions that force Web Proxy clients to provide user identification. When either of the following conditions is met, rules that are configured for specific users or groups are enforced for Web Proxy client sessions:


The default ISA Server properties have been modified to require authentication for outgoing Web requests.

Access policy includes an allow-type rule (whether a protocol rule or a site and content rule) that is configured for specific users or groups.

Any allow-type rule configured for specific users or groups will prompt Web Proxy clients to generate a user-identified session. When access policy includes a deny-type rule defined for specific users or groups, that rule is ignored for Web Proxy clients unless another allow-type rule exists requiring authentication.


For example, let us assume that you have not modified the default outgoing Web request properties, and that your access policy consists of the following rules:


A protocol rule allowing access to all protocols for all requests at all times

A protocol rule denying access to all protocols for user John

A site and content rule allowing access to all destinations for all requests at all times


Under these conditions, a Web request from the user John will not be denied because no allow-type rule exists that forces user identification from the Web Proxy client. However, if you were to add to this policy an allow-type protocol rule or site and content rule allowing complete access for all members of the group Domain Users, all Web requests would then be denied for user John.
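The following is an added example, not code from the Training Kit or from ISA Server itself. It is a small simulator that encodes the evaluation order described under "Controlling Outgoing Requests" (protocol rules, then site and content rules, then IP packet filters, then routing or chaining) together with the per-client-type authentication behavior from the "Rules and Authentication" sections, and then replays the lesson's own scenarios for user John as a SecureNAT, Firewall and Web Proxy client. The names Rule, Request, evaluate and lesson_scenarios, the host names, and the user and group values are assumptions constructed for the example; they are not ISA Server objects or real identities.

```python
"""Toy model of ISA Server 2000 outgoing-request evaluation (added example).

A request passes only if some protocol rule allows it and none denies it,
some site and content rule allows it and none denies it, and no IP packet
filter blocks it.  Rules scoped to users or groups are enforced depending
on the client type, as the lesson describes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One access policy rule. None in a scope field means 'all'."""
    kind: str                                  # "protocol" or "site" (site and content rule)
    action: str                                # "allow" or "deny"
    protocols: Optional[frozenset] = None      # protocol rule scope; None = any protocol
    destinations: Optional[frozenset] = None   # site rule scope; None = any destination
    principals: Optional[frozenset] = None     # users/groups; None = all requests (no authentication needed)


@dataclass(frozen=True)
class Request:
    client_type: str          # "securenat", "firewall" or "webproxy"
    protocol: str             # e.g. "smtp", "http"
    destination: str          # host the client wants to reach
    user: Optional[str] = None
    groups: frozenset = frozenset()


def _identity(policy, req, require_web_auth):
    """User name ISA Server can evaluate user-scoped rules against, or None if anonymous."""
    if req.client_type == "securenat":
        return None                       # SecureNAT clients never send a user name
    if req.client_type == "firewall":
        return req.user                   # Firewall clients always send it
    # Web Proxy clients stay anonymous unless the server asks unauthenticated users
    # for identification or an allow-type rule is scoped to specific users or groups.
    forces_auth = require_web_auth or any(
        r.action == "allow" and r.principals is not None for r in policy)
    return req.user if forces_auth else None


def _matches(rule, req, identity):
    """Does this rule apply to the request, given what ISA Server knows about the user?"""
    if rule.kind == "protocol" and rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if rule.kind == "site" and rule.destinations is not None and req.destination not in rule.destinations:
        return False
    if rule.principals is None:
        return True
    if identity is None:
        return False                      # user-scoped rules are ignored for anonymous sessions
    return identity in rule.principals or bool(req.groups & rule.principals)


def evaluate(policy, req, require_web_auth=False, packet_filter_blocks=False):
    """Return (allowed, reason) following the lesson's evaluation order."""
    # SecureNAT requests cannot be authenticated, so any policy containing a
    # user- or group-scoped rule denies them categorically.
    if req.client_type == "securenat" and any(r.principals is not None for r in policy):
        return False, "SecureNAT request cannot be authenticated"
    identity = _identity(policy, req, require_web_auth)

    # 1. protocol rules, then 2. site and content rules: each stage needs an
    #    explicit allow and no explicit deny.
    for kind in ("protocol", "site"):
        hits = [r for r in policy if r.kind == kind and _matches(r, req, identity)]
        if any(r.action == "deny" for r in hits):
            return False, f"denied by a {kind} rule"
        if not any(r.action == "allow" for r in hits):
            return False, f"no {kind} rule allows the request"

    # 3. IP packet filters are only consulted for an explicit block.
    if packet_filter_blocks:
        return False, "blocked by an IP packet filter"

    # 4. routing rules (Web Proxy) or firewall chaining (SecureNAT / Firewall client).
    route = "routing rules" if req.client_type == "webproxy" else "firewall chaining"
    return True, f"allowed; serviced via {route}"


# Constructed rules mirroring the lesson's examples (not real policy objects).
ALLOW_ALL_PROTOCOLS = Rule("protocol", "allow")
ALLOW_ALL_SITES = Rule("site", "allow")
DOMAIN_USERS_PROTOCOLS = Rule("protocol", "allow", principals=frozenset({"Domain Users"}))
DOMAIN_USERS_SITES = Rule("site", "allow", principals=frozenset({"Domain Users"}))
DENY_JOHN = Rule("protocol", "deny", principals=frozenset({"john"}))


def lesson_scenarios():
    """Replay the lesson's John scenarios; returns a name -> allowed mapping."""
    john = dict(user="john", groups=frozenset({"Domain Users"}))
    mail = ("smtp", "mail.example.com")     # constructed destination
    web = Request("webproxy", "http", "www.example.com", **john)
    auth_policy = [DOMAIN_USERS_PROTOCOLS, DOMAIN_USERS_SITES]
    anon_policy = [ALLOW_ALL_PROTOCOLS, DENY_JOHN, ALLOW_ALL_SITES]
    return {
        "securenat_mail": evaluate(auth_policy, Request("securenat", *mail, **john))[0],
        "firewall_mail": evaluate(auth_policy, Request("firewall", *mail, **john))[0],
        "firewall_mail_not_member": evaluate(auth_policy, Request("firewall", *mail, user="john"))[0],
        "webproxy_deny_ignored": evaluate(anon_policy, web)[0],
        "webproxy_after_allow_rule": evaluate(anon_policy + [DOMAIN_USERS_PROTOCOLS], web)[0],
        "webproxy_server_requires_auth": evaluate(anon_policy, web, require_web_auth=True)[0],
        "firewall_deny_enforced": evaluate(anon_policy, Request("firewall", *mail, **john))[0],
        "packet_filter_block": evaluate(anon_policy, web, packet_filter_blocks=True)[0],
    }


if __name__ == "__main__":
    for name, allowed in lesson_scenarios().items():
        print(f"{name:32} {'allowed' if allowed else 'denied'}")
```

Running the module prints one line per scenario: John's mail request is denied from a SecureNAT client and allowed from a Firewall client under the Domain Users policy, his Web request is allowed under the deny-only policy because the session stays anonymous, and it is denied as soon as an allow-type rule for Domain Users (or the server's identification setting) forces the Web Proxy client to identify itself. The model deliberately leaves routing rules and firewall chaining as a label in the reason string, since the lesson only says which of the two is consulted.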

Follow these steps to require authentication for all Web requests:


In the console tree of ISA Management, right-click the applicable array and then click Properties.

On the Incoming Web Requests tab or on the Outgoing Web Requests tab, click the Ask Unauthenticated Users For Identification check box.


This change will not take effect until Web Proxy is restarted.

ISA Server System Security (System Hardening)

ISA Server includes the ISA Server Security Configuration wizard, which you can use to apply the full range of system security settings to all the servers in an array. The ISA Server Security Configuration wizard allows you to select any of the following security levels:


Dedicated. This setting is appropriate when ISA Server is functioning as a fully dedicated firewall, with no other interactive applications.

Limited Services. This setting is appropriate when ISA Server is functioning as a combined firewall and cache server. It may be protected by an additional firewall.

Secure. This setting is appropriate when the ISA Server computer has other servers installed on it, such as an Internet Information Services (IIS) server, database servers, or Simple Mail Transfer Protocol (SMTP) servers.


You can launch the ISA Server Security Configuration Wizard by selecting the Computers folder in ISA Management, right-clicking the server icon of the server you want to configure in the details pane, and selecting Secure from the shortcut menu. This process is shown in Figure 4.2.


Figure 4.2 Launching the ISA Server Security Configuration wizard

Follow these steps to set system security:


In the console tree of ISA Management, click Computers.

In the details pane, right-click the applicable computer, and then click Secure.

In the ISA Server Security Configuration Wizard screen, follow the on-screen instructions.


Getting Started Wizard

ISA Server includes a Getting Started wizard, shown in Figure 4.3, which walks you through the steps of creating an access policy customized for your network. After you finish using the tool, you will have configured a secure network connection to the Internet through ISA Server.

The Getting Started wizard helps you perform the following tasks:


Configure enterprise policy settings (for array installation only)

Create enterprise-level policy elements (for array installation only)

Create enterprise-level protocol rules (for array installation only)

Create enterprise-level site and content rules (for array installation only)

Create array-level policy elements

Create array-level protocol rules

Create array-level site and content rules

Set system security level

Configure packet filtering

Configure routing and chaining

Create cache policy


You can also invoke the Getting Started wizard at any time after setup.

Follow these steps to begin the Getting Started wizard:


In ISA Management, select Taskpad from the View menu.

On the console tree, select the Internet Security And Acceleration Server node.

On the details pane, click the Getting Started Wizard icon.

Follow the directions that appear in the details pane.



Figure 4.3 Launching the Getting Started wizard

Lesson Summary

You can use ISA Server to configure an access policy, which consists of site and content rules, protocol rules, and IP packet filters. A request is allowed only if both a protocol rule and a site and content rule allow the request and if there is no rule that explicitly denies the request.

SecureNAT clients do not provide user identification, and when rules require authentication, SecureNAT client requests are categorically denied. For Firewall clients, which do provide user identification, group membership and user rights may affect outbound access. When a Web Proxy client requests content, authentication information is not passed to the ISA Server unless ISA Server requires identification, or unless an allow-type policy rule exists requiring authentication.

To enhance system security, ISA Server includes the ISA Server Security Configuration wizard, which you can use to apply a full range of system security settings to all the servers in an array. Finally, to facilitate security and access policy configuration, the Getting Started wizard walks you through the steps of defining access policy rules customized for your network.
