Examining Advanced ISA Firewall Concepts
In general, creation of Firewall Policy rules and network policy rules comprise the bulk of the types of activities that an ISA Firewall Administrator will perform. Specific advanced
, however, should be
when deploying ISA Server as a firewall.
Publishing Servers and Services
ISA Server 2004 can secure and "publish" a server to make it available to outside resources. The "publishing" of servers, such as web servers, OWA servers, SharePoint sites, Citrix servers, and the like is
referred to as "reverse proxy" capabilities. The advantage to using ISA to publish servers is that it enables the ISA server to pre-authenticate connections to services and act as a
host to the network traffic, making sure that internal servers are never directly accessed from the Internet.
ISA Server 2004, whether deployed as a full firewall or not, supports publishing multiple types of servers, and it is important to understand how to set this up. Publishing scenarios, including step-by-step guides, are listed in Part III of this book, "Securing Servers and Services with ISA Server 2004."
Reviewing and Modifying the ISA System Policy
By default, ISA Server 2004 uses a set of Firewall Policy rules that grant the Localhost network specific types of functionality and access. Without system policies, for example, an ISA server itself would not be able to perform tasks such as pinging internal servers or updating software on the Windows Update website. Because the default rule is to deny all traffic unless
specified, it is necessary to set up system policy rules to support specific types of access from the local ISA Server.
System policy rules are enabled but are not shown by default in ISA Server 2004. To view the system policy rules, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. The system policy rules, partially shown in Figure 5.12, are
, and it is important to understand what types of functionality are provided by each individual policy rule.
Figure 5.12. Viewing default system policy rules.
All the system policy rules are configurable through the System Policy Editor, shown in Figure 5.13. The System Policy Editor can be invoked simply by double-clicking on any of the system policy rules listed.
Figure 5.13. Editing system policies in the System Policy Editor.
The System Policy Editor divides the system policies into various configuration groups, which are subsequently organized into parent configuration groups as
The Network Services configuration
contains the DHCP, DNS, and NTP configuration groups, which allow for the designation of how the ISA server
with these services. For example, configuring the DNS configuration group enables an ISA server to communicate using DNS protocols to the servers listed in the group.
The Authentication Services group contains the configuration groups for Active Directory, RADIUS, RSA SecurID, and CRL Download. Modifying these settings makes it possible to specify these types of authentication services, as well as enforce strict RPC compliance to AD servers.
The Remote Management group contains the Microsoft Management Console, Terminal Server, and ICMP (Ping) configuration groups. Modifying these settings allows for management of the ISA server, such as pinging ISA and using MMC consoles to access the server.
The Firewall Client configuration group allows administrators to specify which systems have rights to access the Firewall Clients access share that may exist on an ISA server.
The Diagnostic Services group contains the ICMP, Windows Networking, Microsoft Error Reporting, and HTTP Connectivity Verifiers configuration groups, which enable the ISA server itself to report on health-
issues, as well as ping other systems on a network.
The Logging group contains the Remote NetBIOS Logging and Remote SQL Logging configuration groups, which enable the ISA server to send its logs to other servers, such as an internal SQL database.
The Remote Monitoring group contains the Remote Performance Monitoring, Microsoft Operations Manager, and SMTP configuration groups, which enable monitoring services such as MOM to access the ISA server and SMTP emails to be sent from ISA.
The Various group contains the Scheduled Download Jobs and the Allowed Sites configuration groups. Of particular note is the Allowed Sites configuration group, which defines the System Policy Allowed Sites, as shown in Figure 5.14. Unless specific
are added into this list, the ISA server cannot access them.
Figure 5.14. Viewing the System Policy Allowed Sites list.
Troubleshooting why an ISA server cannot perform certain functionality should always include a visit to the System Policy Editor. The built-in system policy rules allow for the configuration of multiple deployment scenarios with ISA Server 2004.