The ISA firewall installation routine incorporates the settings you entered during the setup Wizard process. The install routine also sets up some default settings for User Permissions, Network Settings, Firewall Policy, and others. Table 6.5 lists the settings that you did not explicitly define during the installation process.
We can quickly summarize the default post-installation configuration with the following:
- System Policies allow selected traffic to and from the ISA firewall itself.
- No traffic is allowed through the ISA firewall because there is only a single Deny-access rule.
- A route relationship is set between the VPN/VPN-Q Networks and the Internal Network.
- A NAT relationship is set between the Internal Network and the default External Network.
- Only Administrators can alter ISA firewall policy.
| Feature | Post-installation Settings |
|---|---|
| User permissions | Members of the Administrators group on the local computer can configure firewall policy. If the ISA firewall is a member of the domain, domain admins are automatically added to the local administrators group. |
| Network settings | The following Network Rules are created by the installation wizard. Local Host Access: defines a Route relationship between the Local Host network and all networks. Communication from the ISA firewall to all other hosts is routed (it does not use NAT; there would be no point to using NAT from Local Host to any Network). Internet Access: defines a Network Address Translation (NAT) relationship from the Internal network, Quarantined VPN Clients network, and the VPN Clients network to the External network. NAT is used from these three Networks for any communications sourcing from them to the External Network. Access is allowed only if you configure the appropriate access policy. VPN Clients to Internal Network: defines a Route relationship between the VPN Clients Network and the Internal Network. Access is allowed only if you enable virtual private network (VPN) client access. |
| Firewall policy | A default Access Rule (named Default Rule) denies traffic between all networks. |
| System policy | The ISA firewall is secure by default. Some system policy rules are enabled to allow necessary services. You should review the system policy configuration and customize it so that only services critical to your specific deployment are enabled. |
| Web chaining | A default rule (named Default Rule) specifies that all Web Proxy client requests are retrieved directly from the Internet. That is to say, there is no Web chaining configured by default. Web chaining rules were called Web routing rules in ISA Server 2000. |
| Caching | The cache size is set to 0. All caching is therefore disabled. You will need to define a cache drive to enable Web caching. |
| Alerts | Most alerts are enabled. You should review and configure alerts in accordance with your specific networking needs. |
| Client configuration | Firewall and Web Proxy clients have automatic discovery enabled by default. Web browser applications on Firewall clients are configured when the Firewall client is installed. |
| Autodiscovery for Firewall and Web Proxy Clients | Publication of autodiscovery information is disabled by default. You will need to enable publication of autodiscovery information and confirm a port on which autodiscovery information is published. |
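The defaults above imply a two-step decision: a Network Rule must connect the two Networks, and an Access Rule must then allow the traffic. The following sketch is an added illustration, not code from the book or from ISA Server. It is a simplified model that assumes ordered first-match rule evaluation and two-way Route relationships, leaves System Policy out, and uses a hypothetical allow rule.

```python
# Simplified model of the default post-installation state (constructed for
# illustration; the real ISA firewall engine is not reproduced here).
ALL = {"Local Host", "Internal", "External", "VPN Clients",
       "Quarantined VPN Clients"}

# Default Network Rules from the table: (name, sources, destinations, relationship)
NETWORK_RULES = [
    ("Local Host Access", {"Local Host"}, ALL, "Route"),
    ("Internet Access",
     {"Internal", "Quarantined VPN Clients", "VPN Clients"}, {"External"}, "NAT"),
    ("VPN Clients to Internal Network", {"VPN Clients"}, {"Internal"}, "Route"),
]

# The single default Access Rule: deny between all networks.
DEFAULT_RULE = {"name": "Default Rule", "action": "Deny", "src": ALL, "dst": ALL}


def relationship(src, dst):
    """Return 'Route' or 'NAT' if a Network Rule connects src to dst, else None."""
    for _name, srcs, dsts, kind in NETWORK_RULES:
        if src in srcs and dst in dsts:
            return kind
        # Assumption: Route works in both directions, NAT only source -> destination.
        if kind == "Route" and src in dsts and dst in srcs:
            return kind
    return None


def evaluate(src, dst, access_rules=()):
    """Return (action, deciding rule, relationship) for a flow from src to dst."""
    if "Local Host" in (src, dst):
        # Traffic to and from the firewall itself is governed by System Policy.
        return ("NotModelled", "System Policy", relationship(src, dst))
    rel = relationship(src, dst)
    if rel is None:
        return ("Deny", "no Network Rule", None)
    # Assumption: rules are checked in order; Default Rule is always last.
    for rule in list(access_rules) + [DEFAULT_RULE]:
        if src in rule["src"] and dst in rule["dst"]:
            return (rule["action"], rule["name"], rel)


if __name__ == "__main__":
    # Hypothetical administrator-added rule, not part of the defaults.
    allow = {"name": "Outbound (hypothetical)", "action": "Allow",
             "src": {"Internal"}, "dst": {"External"}}
    print(evaluate("Internal", "External"))           # defaults only
    print(evaluate("Internal", "External", [allow]))  # after adding a rule
    print(evaluate("External", "Internal", [allow]))  # NAT is one-way
```

Running it shows that the NAT relationship from Internal to External exists out of the box but carries no traffic until an Access Rule is placed ahead of Default Rule.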