Examining Advanced ISA Firewall Concepts
In general, the creation of Firewall Policy rules and network policy rules comprises the bulk of the activities that an ISA Firewall Administrator will perform. Certain advanced tasks, however, should be understood when deploying ISA Server as a firewall.
Publishing Servers and Services
ISA Server 2004 can secure and "publish" a server to make it available to outside resources. The "publishing" of servers, such as web servers, OWA servers, SharePoint sites, Citrix servers, and the like, is generally referred to as a "reverse proxy" capability. The advantage of using ISA to publish servers is that it enables the ISA server to pre-authenticate connections to services and act as a bastion host for the network traffic, ensuring that internal servers are never directly accessed from the Internet.
ISA Server 2004, whether deployed as a full firewall or not, supports publishing multiple types of servers, and it is important to understand how to set this up. Publishing scenarios, including step-by-step guides, are listed in Part III of this book, "Securing Servers and Services with ISA Server 2004."
Reviewing and Modifying the ISA System Policy
By default, ISA Server 2004 uses a set of Firewall Policy rules that grant the Localhost network specific types of functionality and access. Without system policies, for example, an ISA server itself would not be able to perform tasks such as pinging internal servers or updating software from the Windows Update website. Because the default rule is to deny all traffic unless otherwise specified, it is necessary to set up system policy rules to support specific types of access from the local ISA server.
System policy rules are enabled but are not shown by default in ISA Server 2004. To view the system policy rules, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. The system policy rules, partially shown in Figure 5.12, are extensive, and it is important to understand what types of functionality are provided by each individual policy rule.
All the system policy rules are configurable through the System Policy Editor, shown in Figure 5.13. The System Policy Editor can be invoked simply by double-clicking on any of the system policy rules listed.
The System Policy Editor divides the system policies into various configuration groups, which are subsequently organized into parent configuration groups as follows:
- Network Services: The Network Services configuration group contains the DHCP, DNS, and NTP configuration groups, which allow for the designation of how the ISA server interacts with these services. For example, configuring the DNS configuration group enables an ISA server to communicate using DNS protocols with the servers listed in the group.
- Authentication Services: The Authentication Services group contains the configuration groups for Active Directory, RADIUS, RSA SecurID, and CRL Download. Modifying these settings makes it possible to specify these types of authentication services, as well as to enforce strict RPC compliance to AD servers.
- Remote Management: The Remote Management group contains the Microsoft Management Console, Terminal Server, and ICMP (Ping) configuration groups. Modifying these settings allows for management of the ISA server, such as pinging ISA and using MMC consoles to access the server.
- Firewall Client: The Firewall Client configuration group allows administrators to specify which systems have rights to access the Firewall Client access share that may exist on an ISA server.
- Diagnostic Services: The Diagnostic Services group contains the ICMP, Windows Networking, Microsoft Error Reporting, and HTTP Connectivity Verifiers configuration groups, which enable the ISA server itself to report on health-related issues, as well as to ping other systems on a network.
- Logging: The Logging group contains the Remote NetBIOS Logging and Remote SQL Logging configuration groups, which enable the ISA server to send its logs to other servers, such as an internal SQL database.
- Remote Monitoring: The Remote Monitoring group contains the Remote Performance Monitoring, Microsoft Operations Manager, and SMTP configuration groups, which enable monitoring services such as MOM to access the ISA server and SMTP emails to be sent from ISA.
- Various: The Various group contains the Scheduled Download Jobs and the Allowed Sites configuration groups. Of particular note is the Allowed Sites configuration group, which defines the System Policy Allowed Sites, as shown in Figure 5.14. Unless specific websites are added to this list, the ISA server cannot access them.
Troubleshooting why an ISA server cannot perform certain functionality should always include a visit to the System Policy Editor. The built-in system policy rules allow for the configuration of multiple deployment scenarios with ISA Server 2004.