Network objects describe the locations from which traffic originates (source) and to which it travels (destination). These locations can be any one of ten types—networks, enterprise networks (only in Enterprise Edition), network sets, computers, computer sets, address ranges, subnets, URL sets, domain name sets, and Web listeners—all of which are described in more detail next.
Note: To view all the network objects in the ISA Server Management console tree, click Firewall Policy. On the Toolbox tab in the task pane, click Network Objects. All of the network objects are discussed below.
A network is one or more IP addresses that designate network devices. Several preconfigured networks exist:
Local host: This represents the ISA server itself, and includes the IP addresses bound to the ISA server and 127.0.0.1. There is also an Enterprise local host, which identifies each ISA server in an array along with its unique local host addresses.
Internal: All IP addresses associated with the internal network adapter. See how to configure this network in the section entitled "Configuring the Internal Network Object" later in this chapter.
External: All IP addresses that are not defined, or "everything else." You cannot configure or customize this network.
VPN Clients and Quarantined VPN Clients: These two networks are automatically populated when a VPN client or gateway connects to the ISA server; the quarantined VPN clients network is populated only when VPN quarantine is enabled and systems meet the quarantine criteria.
Note: ISA Server Enterprise Edition has what are known as enterprise networks. These networks are configured at the enterprise—rather than the array—level. You can follow the same procedures for creating and editing enterprise networks, but will manage them in the ISA Server Management console by navigating to the Enterprise node, then selecting the Enterprise Networks node.
To create a new network, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Network.
2. On the Welcome To The New Network Wizard page, type a new network name and click Next.
3. On the Network Type page, select one of four network types, and then click Next:
   Internal Network: Contains computers that exist in an environment where they are not exposed to External networks.
   Perimeter Network: Contains computers that host services published to untrusted networks.
   VPN Site-To-Site Network: Establishes a link with another network through a VPN link.
   External Network: Contains computers from untrusted networks, usually on the Internet.
Note: The internal, perimeter, and external networks have the same interface to define networks—as a best practice, be sure to include the type of network you're creating in the name. The VPN site-to-site network option requires that you set up the VPN connections at both sites. See Chapter 11, "Securing Virtual Private Network Access," for information on configuring this option. All other network configurations are covered here.
4. On the Network Addresses page, choose to define the network using one or more of the following three methods, and then click Next.
   Add Range: Add a range of IP addresses you assign.
   Add Adapter: Choose one of the ISA server's network adapters, and use its routing table to configure the network.
   Add Private: Add one or more of the four private network ranges. As a best practice, avoid adding all of these ranges.
Note: In the Enterprise Edition, when working in the Array Firewall policies, you will also see an Add Network button that allows you to choose an enterprise network.
5. On the Completing The New Network Wizard page, review your settings, then click Finish.
6. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
When you wish to control a collection of networks, you can group them together into a network set. The following preconfigured network sets exist:
All Networks (and Local Host): Includes all possible networks, including the Local Host network defining the ISA server itself.
All Protected Networks: Includes all networks except for the external network.
The internal network represents the machines that ISA Server is protecting inside your network—this is the default protected network. To configure the Internal Network object, follow these steps:
1. In the ISA Server Management console, expand the Configuration node for your array, and then click the Networks node.
2. In the Details pane, click the Networks tab, right-click the internal network, and select Properties.
3. In the Internal Properties dialog box, you can configure the IP addresses and domains that comprise the internal network. Make the updates you require, click OK, and then click Apply.
Note: For more information on configuring the internal network, see Chapter 4, "Installing and Configuring Microsoft ISA Server 2004 Clients," and Chapter 9, "Configuring Multinetworking."
To create a network set, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Network Set.
2. On the Welcome To The New Network Set Wizard page, type a new network set name, then click Next.
3. On the Network Selection page, shown in Figure 7-6, select either Includes All Selected Networks or Includes All Networks Except The Selected Networks, then select the check boxes for the appropriate networks. Click Next.
4. On the Completing The New Network Set Wizard page, review your settings, then click Finish.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Figure 7-6: You select the networks you wish to include or exclude from your network set on the Network Selection page.
A single IP address designating a network device is known as a computer. It can also indicate a device such as a modem, another firewall, and so on.
To create a computer object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Computer.
2. In the New Computer Rule Element dialog box, type in the name and (optionally) a description of the computer.
3. Either click Browse to locate the IP address of the computer or type in the IP address as shown in Figure 7-7.
4. Click OK to close the New Computer Rule Element dialog box.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Figure 7-7: You can define any device with an IP address as a computer object—in this case we are defining a wireless access point.
Address ranges consist of a range of IP addresses, and can be used in access rules or computer sets.
To create an address range object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Address Range.
2. In the New Address Range Rule Element dialog box, type in the name and (optionally) a description of the address range.
3. Type in the start and end IP addresses of the range, and then click OK to close the New Address Range Rule Element dialog box.
4. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Subnets designate a subnet based on the network and its default gateway, expressed in classless interdomain routing (CIDR) format. Subnets help define a network that is not directly included in the internal network, for example a network that sits behind a router on the internal network and needs to be controlled differently, even though existing rules may already match its traffic. Using a subnet object avoids the problem that occurs when you add a network range that is not directly attached to the internal network interface card (NIC) to the internal network: without it, ISA Server can generate spoofing errors and block the traffic. You can also create a separate network object for addresses that are not in the internal network when you wish to administer them separately.
To create a subnet object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Subnet.
2. In the New Subnet Rule Element dialog box, type in the name and (optionally) a description of the subnet.
3. In the Network Address text box, type in the network ID for the subnet, then indicate the network (subnet) mask either by typing the number of bits or by typing the decimal representation in the Network Mask text box, as shown in Figure 7-8.
4. Click OK to close the New Subnet Rule Element dialog box.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Figure 7-8: You can specify the subnet mask in the Network Mask text box.
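As an added illustration (not from the book), the following Python snippet models the values the New Address Range and New Subnet dialogs take, so you can check a definition before clicking Apply: it accepts the mask as a bit count or in dotted-decimal form, flags a host address entered where a network ID is expected, rewrites an address range as the equivalent subnets, and lists which parts of a range are not covered by the subnets bound to the internal adapter. The attached subnets and sample addresses are constructed; ISA Server's own spoof detection is not modelled.

```python
# Added example, not from the book. Models the inputs of the New Subnet and
# New Address Range Rule Element dialogs; sample addresses are constructed.
import ipaddress


def is_network_id(network_address: str, mask) -> bool:
    """True when the address has all host bits clear for this mask, i.e. it is
    the network ID the Network Address box expects, not a host on the subnet.
    The mask may be a bit count (24) or dotted decimal ("255.255.255.0")."""
    net = ipaddress.IPv4Network(f"{network_address}/{mask}", strict=False)
    return net.network_address == ipaddress.IPv4Address(network_address)


def make_subnet(network_address: str, mask) -> ipaddress.IPv4Network:
    """Build the subnet a New Subnet Rule Element describes, rejecting a host
    address so the object covers the subnet you intended."""
    if not is_network_id(network_address, mask):
        net = ipaddress.IPv4Network(f"{network_address}/{mask}", strict=False)
        raise ValueError(f"{network_address} is a host address; the network ID "
                         f"for this mask is {net.network_address}")
    return ipaddress.IPv4Network(f"{network_address}/{mask}")


def range_to_subnets(start: str, end: str):
    """Express an Address Range object (start and end IP) as the shortest list
    of Subnet objects covering exactly the same addresses."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]


def contains(subnet: str, host: str) -> bool:
    """Check whether a host address falls inside a subnet object."""
    return ipaddress.IPv4Address(host) in ipaddress.IPv4Network(subnet)


def not_directly_attached(start: str, end: str, attached_subnets):
    """Return the parts of an address range that lie outside every subnet bound
    to the internal adapter. Those parts are the candidates for a separate
    Subnet object rather than for the Internal network, which is the situation
    the text describes. attached_subnets is a constructed stand-in for the
    adapter's routing table; ISA Server's own spoof detection is not modelled."""
    attached = [ipaddress.IPv4Network(a) for a in attached_subnets]
    return [s for s in range_to_subnets(start, end)
            if not any(ipaddress.IPv4Network(s).subnet_of(a) for a in attached)]


if __name__ == "__main__":
    print(make_subnet("192.168.50.0", "255.255.255.0"))
    print(range_to_subnets("192.168.50.10", "192.168.50.25"))
    print(not_directly_attached("192.168.1.0", "192.168.2.255", ["192.168.1.0/24"]))
```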
A computer set is a collection of computers, address ranges, or subnets. Several preconfigured computer sets exist: Anywhere, IPsec Remote Gateways, and Remote Management Computers. With ISA Server Enterprise Edition, you will also see Enterprise Remote Management Computers, Replicate Configuration Storage Servers, Array Servers, and Managed ISA Server Computers.
To create a new computer set object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Computer Set.
2. In the New Computer Set Rule Element dialog box, type in the name and (optionally) a description of the computer set.
3. Click Add to add any combination of the computers, address ranges, or subnets you've configured.
4. Click OK to close the New Computer Set Rule Element dialog box.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
URL sets designate several URLs, which are also known as Web addresses. You can include several different Web site addresses and use wildcards. If, for example, you wanted to allow only the Web addresses related to Contoso's support Web site, you would need to create a URL set that indicates that path, along with a wildcard, as in this example:
http://www.contoso.com/support/*
URL sets apply only to HTTP traffic, and depend on a correctly configured DNS infrastructure. You can use URL sets only with Web rules.
To create a URL set object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click URL Set.
2. In the New URL Set Rule Element dialog box, type in the name and (optionally) a description of the URL set.
3. Click New to create a new URL entry, as shown in Figure 7-9.
4. Click OK to close the New URL Set Rule Element dialog box.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Figure 7-9: You can create a URL set, which consists of one or more URLs, using wildcards.
Domain name sets identify one or more fully qualified domain names (FQDNs). Two preconfigured domain name sets exist, which can be configured or deleted:
Microsoft Error Reporting Sites: Allows the error reporting functionality in Microsoft products to report issues to the *.watson.microsoft.com site.
System Policy Allowed Sites: Allows access to the following Microsoft sites: *.microsoft.com, *.windows.com, and *.windowsupdate.com.
To create a domain name set object, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Domain Name Set.
2. In the New Domain Name Set Rule Element dialog box, type in the name and (optionally) a description of the domain name set.
3. Click New to create a new domain name entry, as shown in Figure 7-10.
4. Click OK to close the New Domain Name Set Rule Element dialog box.
5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Figure 7-10: Domain name sets allow you to block or allow sites based on DNS domain names.
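As an added illustration (not ISA Server's code), this Python snippet shows the matching that the Contoso URL set entry above and the preconfigured domain name set entries express: the scheme and host in a URL set entry must match exactly while a trailing wildcard covers the path below it, and a domain name set entry is compared at a label boundary so that *.microsoft.com does not cover a look-alike name such as notmicrosoft.com. It assumes that a leading *. also covers the domain itself; the sample request URLs and host names are constructed.

```python
# Added example, not ISA Server's code. Sample requests are constructed;
# the set entries themselves come from the text.
import re
from urllib.parse import urlsplit

CONTOSO_SUPPORT = ["http://www.contoso.com/support/*"]
ERROR_REPORTING_SITES = ["*.watson.microsoft.com"]
SYSTEM_POLICY_SITES = ["*.microsoft.com", "*.windows.com", "*.windowsupdate.com"]


def wildcard_regex(pattern: str):
    """Compile a pattern in which '*' stands for any run of characters and
    everything else is literal, so '.' and '?' in a URL are not metacharacters."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def normalize_url(url: str) -> str:
    """Lower-case the scheme and host, which are case-insensitive, keep the path
    as given, and treat a bare site name as its root path. Query strings are
    ignored in this illustration."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def url_set_matches(url: str, url_set) -> bool:
    """True if the request URL matches an entry in the set. The scheme and host
    must match exactly; a trailing '/*' covers everything below that path."""
    target = normalize_url(url)
    return any(wildcard_regex(normalize_url(e)).match(target) for e in url_set)


def domain_set_matches(fqdn: str, domain_set) -> bool:
    """True if the host name is in the set. A leading '*.' is assumed here to
    cover the domain itself and every name under it; an entry without a
    wildcard must match exactly. The suffix test is anchored at a label
    boundary, so '*.microsoft.com' does not cover 'notmicrosoft.com'."""
    host = fqdn.lower().rstrip(".")
    for entry in (e.lower().rstrip(".") for e in domain_set):
        if entry.startswith("*."):
            domain = entry[2:]
            if host == domain or host.endswith("." + domain):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    print(url_set_matches("http://www.contoso.com/support/faq.html", CONTOSO_SUPPORT))
    print(url_set_matches("http://www.contoso.com/supportx/", CONTOSO_SUPPORT))
    print(domain_set_matches("notmicrosoft.com", SYSTEM_POLICY_SITES))
```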
Unlike the other network objects, Web listeners don't designate a location, but rather identify the IP addresses and ports on which the ISA server listens for Web requests. You can create one or more Web listeners, which you then configure to publish Web servers to other networks. If, for example, you wanted to publish your Windows SharePoint Server (WSS) Configuration page, you would need to define a Web listener to listen for Web traffic coming into the particular IP address and port number that was assigned at the time of the WSS installation.
To create a Web listener, follow these steps:
1. In the Network Objects section in the task pane, click New, and then click Web Listener.
2. On the Welcome To The New Web Listener Wizard page, type a new Web listener name, then click Next.
3. On the IP Addresses page, select the networks on which the listener will monitor Web requests. Figure 7-11 shows the predefined networks, and Figure 7-12 shows the dialog box that appears when you highlight the External network and click its Address button. When you've completed this step, click Next.
4. On the Port Specification page, select the HTTP or SSL check boxes, set the ports to those on which you want to monitor Web traffic, and then click Next.
Note: If you choose SSL, you need to choose a certificate, which must already be installed on the ISA server.
5. On the Completing The New Web Listener Wizard page, review your settings, and then click Finish.
6. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.
Note: Once you create the Web listener, you can select it in the Toolbox, right-click it, and select Properties to configure authentication methods or to control the maximum timeout and number of connections.
Figure 7-11: You can choose from a predefined network.
Figure 7-12: The External Network Listener IP Selection dialog box provides granular control of the IP addresses used by the external Web listener.