Chapter 14: Using Enterprise and Array Policies


One of the many reasons Microsoft ISA Server 2004 can easily scale to enterprise-size environments is that it can administer and enforce policies centrally. This chapter focuses on the administration and management of enterprise and array policies, which allow you to manage a number of ISA servers from a central console, making the administration of ISA Server easier than ever.

Enterprise and Array Policies Explained

To use enterprise policies and arrays, you must install ISA Server Enterprise Edition. To configure policies, you must have sufficient rights to administer them; normally, you must be a member of the ISA Server Enterprise Administrator group to administer enterprise policies and a member of the ISA Server Array Administrator group to administer array policies. You can create many enterprise policies that are applicable to one or many arrays.

Note 

Enterprise and array policies aren't available in ISA Server Standard Edition. For more information about the differences between the versions of ISA Server, see Chapter 1, "Overview of Microsoft ISA Server 2004 Administration."

An array consists of one or several ISA servers that you administer with the same set of policies. An enterprise policy consists of access rules that can be applied to arrays. For a comparison of enterprise and array policies, see Table 14-1.

Table 14-1: Comparing Enterprise and Array Policies

| Effective Policy Settings | Enterprise Policy | Array Policy |
|---|---|---|
| Applies policies to all arrays in the enterprise | Yes | No |
| Applies policies to individual members of an array | No | Yes |
| Can only further restrict an enterprise policy | No | No (this is a major distinction between Microsoft ISA Server 2000 and ISA Server 2004) |

Enterprise policies apply to all servers in the targeted array; you can then configure and apply array policies to further augment the ISA Server configuration.

Enterprise and Array Decisions

Enterprise and array policies in ISA Server 2004 work in tandem to provide a client environment that can be effectively controlled and enforced. In ISA Server 2000, the enterprise policy provided the baseline configuration, and array policies could only impose further restrictions (that is, no allow-based rules, only deny).

You can be as strict or lenient as your business case requires. For example, you could set your enterprise policy to allow outbound File Transfer Protocol (FTP) traffic as a rule applied before the array policy; if your array administrators want to prevent FTP traffic, they could then create a deny rule, which would block access. Alternatively, as an enterprise administrator, you can still control what types of rules can be created by the array administrators. Most administrators choose a hybrid approach in which they create basic restrictions in the enterprise policy—such as restricting access to pornography or gambling sites by denying access to certain Domain Name sets or Uniform Resource Locator (URL) sets—and then allow administrators to further configure settings at the array level.

Configuring Enterprise Policy Settings

There are two categories for applying an enterprise policy at the array level:

  • Enterprise Policy Rules Applied Before Array Firewall Policy: This option applies the enterprise policy access rules before applying any array-level policy rules.

  • Enterprise Policy Rules Applied After Array Firewall Policy: This option applies the enterprise policy access rules after applying any pre-array enterprise rules and array-level enterprise rules. By default, all newly created enterprise access rules fall into this category. You can move access rules up or down using a task in the Tasks pane.
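
The ordering of the two categories around the array policy can be modelled as a short audit script. This is an added example, not code from the book or from ISA Server. It assumes rules are evaluated top to bottom with the first match deciding and a deny when nothing matches; the rule names, the URL set name and the functions are hypothetical.

```python
# Added illustration: a simplified model of rule ordering, not ISA Server code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    protocol: str     # protocol name, or "*" for any
    destination: str  # URL set / domain name set name, or "*" for any

def matches(rule, protocol, destination):
    return rule.protocol in ("*", protocol) and rule.destination in ("*", destination)

def effective_policy(enterprise_before, array_rules, enterprise_after):
    """Order the three groups the way the chapter describes."""
    return [*enterprise_before, *array_rules, *enterprise_after]

def evaluate(policy, protocol, destination):
    """Assumption: rules are checked top to bottom, the first match decides,
    and a request that matches no rule is denied."""
    for rule in policy:
        if matches(rule, protocol, destination):
            return rule.action, rule.name
    return "deny", "(no matching rule)"

def shadowed(policy):
    """List (rule, earlier rule) pairs where the earlier rule already matches
    everything the later one could, so the later rule never takes effect."""
    found = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if matches(earlier, rule.protocol, rule.destination):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed sample rules (hypothetical names, not taken from the book).
BEFORE = [Rule("Ent: block gambling", "deny", "*", "Gambling URL set")]
ARRAY = [Rule("Array: allow gambling", "allow", "HTTP", "Gambling URL set"),
         Rule("Array: allow web", "allow", "HTTP", "*")]
AFTER = [Rule("Ent: deny the rest", "deny", "*", "*")]
POLICY = effective_policy(BEFORE, ARRAY, AFTER)

if __name__ == "__main__":
    print(evaluate(POLICY, "HTTP", "Gambling URL set"))
    print(shadowed(POLICY))
```

Under the stated assumption, a restriction placed in the "before" group cannot be undone by an array rule, and the shadowed() report points out array rules that have no effect for that reason.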




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
EAN: 2147483647
Year: 2006
Pages: 173
