Reviewing and Modifying Network Rules
After the wizard has completed, the networks, network rules, and firewall rules will have been created and can be customized as necessary. In certain cases, it may be necessary to modify some of the settings that the wizard created, particularly if changes have been made or new networks need to be added to an environment after it has been placed into production.
Modifying Network Rules
Network rules, after they are put into place, are not changed often because the relationship between networks is often quite static. In certain cases, however, modifications may be necessary. If those circumstances arise, the task of modifying the rules is relatively straightforward. To modify an existing network rule, perform the following
Creating New Network Rules
Creating a new network rule is primarily done only when a major change to the ISA firewall configuration has taken place, such as when a new network has been added to the server. In addition, this procedure can be used if the network template wizard is not run on a new server and manual
Understanding Firewall Policy Rules
Firewall policy rules are distinct from network rules in that they define what types of traffic and applications will be supported between the network segments. For example, an administrator may want to configure a firewall rule to allow web traffic from internal
Figure 5.9. Examining firewall policy.
Firewall policy configuration should be well
The basic rule of thumb with ISA firewall policy rules is to deny all traffic unless a specific need has been established that the traffic will be allowed. The key to a successful ISA firewall deployment is to identify the entire range of functionality that will be necessary in advance, and then to create individual rules to reflect that functionality.
Firewall rules are applied to network traffic from top to bottom in the list. This is important to note because specific rules may need to be applied before other ones are. For example, if a rule at the top of the list is set to deny HTTP traffic to a particular network segment, and a later rule allows it, the traffic is denied because it hits the upper rule first. Rule placement is therefore an important component of an ISA firewall policy.
To move rules up or down in the policy list, select a rule by clicking on it and then click the link titled Move Selected Rules Down or Move Selected Rules Up, depending on the specific need.
It should be noted that the last rule on an ISA Server is the default rule, which denies all traffic not already matched by an earlier rule. So if there isn't a specific rule above the default rule that allows a certain protocol or activity, that protocol is blocked by the default rule. This rule exists to preserve security: The ISA server is configured to allow only predefined activities to occur, and anything not explicitly stated is
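The ordering behaviour described above (top-to-bottom evaluation, first match wins, implicit final deny) can be modelled in a few lines. The following is an added example, not code from the book or from ISA Server itself; the rule fields, network names and sample policy are constructed for illustration. Beyond the single deny-then-allow case in the text, it also includes a simple audit that flags rules shadowed by a broader rule placed above them, which is the check an administrator would want after moving rules around.

```python
from dataclasses import dataclass

# Constructed model of ISA-style access rules: evaluated top to bottom,
# first match wins, and an implicit final "deny all" rule catches the rest.
# Field values are hypothetical; "*" stands for "any".


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    protocol: str    # e.g. "HTTP", "DNS", or "*"
    src_net: str     # source network name, or "*"
    dst_net: str     # destination network name, or "*"

    def fields(self):
        return (self.protocol, self.src_net, self.dst_net)

    def matches(self, protocol, src_net, dst_net):
        """True when every field is a wildcard or equals the traffic attribute."""
        return all(p in ("*", v) for p, v in zip(self.fields(), (protocol, src_net, dst_net)))

    def covers(self, other):
        """True when this rule matches everything the other rule could match."""
        return all(p in ("*", q) for p, q in zip(self.fields(), other.fields()))


# The implicit last rule: deny anything no explicit rule allowed.
DEFAULT_RULE = Rule("Default rule", "deny", "*", "*", "*")


def evaluate(policy, protocol, src_net, dst_net):
    """Return (action, rule_name) of the first matching rule, else the default deny."""
    for rule in policy:
        if rule.matches(protocol, src_net, dst_net):
            return rule.action, rule.name
    return DEFAULT_RULE.action, DEFAULT_RULE.name


def move_rule(policy, name, direction):
    """Swap the named rule with its neighbour, like Move Selected Rules Up/Down."""
    idx = next(i for i, r in enumerate(policy) if r.name == name)
    j = idx - 1 if direction == "up" else idx + 1
    if 0 <= j < len(policy):
        policy[idx], policy[j] = policy[j], policy[idx]
    return policy


def audit_shadowed(policy):
    """List (rule, shadowing_rule) pairs where an earlier rule fully covers a later one,
    so the later rule can never be reached."""
    shadowed = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.covers(rule):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


# Constructed sample policy reproducing the ordering example in the text:
# a specific deny placed above a broader allow.
SAMPLE_POLICY = [
    Rule("Deny HTTP to DMZ", "deny", "HTTP", "Internal", "DMZ"),
    Rule("Allow web from Internal", "allow", "HTTP", "Internal", "*"),
    Rule("Allow DNS out", "allow", "DNS", "Internal", "External"),
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "HTTP", "Internal", "DMZ"))       # denied by the top rule
    print(evaluate(SAMPLE_POLICY, "HTTP", "Internal", "External"))  # allowed
    print(evaluate(SAMPLE_POLICY, "SMTP", "Internal", "External"))  # default deny
    reordered = move_rule(list(SAMPLE_POLICY), "Deny HTTP to DMZ", "down")
    print(evaluate(reordered, "HTTP", "Internal", "DMZ"))           # now allowed: order changed the outcome
    print(audit_shadowed(reordered))                                # the deny rule is unreachable
```

Running the script shows the same HTTP request to the DMZ being denied with the original order and allowed after the deny rule is moved one position down; the audit then reports the deny rule as shadowed by the broader allow above it, which is exactly the misplacement the text warns about.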
Modifying Firewall Policy Rules
If the Network Template Wizard was run, and a default policy other than Block All was enacted, then a set of predefined rules should already exist on the newly configured ISA server. To modify one of these rules, double-click it. The properties box for a rule, shown in Figure 5.10, contains multiple configuration options on each of the tabs as
Figure 5.10. Modifying Firewall Policy Rules.
After any changes are made, click the OK button, click Apply in the Central Details pane, and OK again to save changes to the rule.
Creating Firewall Policy Rules
Firewall policy rules are powerful and highly customizable, and can be used to set up and secure access to a wide range of services and protocols. So it may seem surprising that creating an access rule to allow or deny specific types of traffic is relatively straightforward. To set up a new rule, perform the following steps: