New Features in ISA 2004


ISA 2004 is as different from ISA 2000 as ISA 2000 was from Proxy 2.0. ISA 2004 offers many new features, all of which are well documented on Microsoft's website. This section highlights a few new features that SBS administrators will appreciate the most.

ISA Management MMC

The face-lift of the ISA Management MMC is the first thing that you'll notice (see Figure 23.1). It's now organized into three vertical panels. On the left is the navigation panel, in the center is the display of the item you've selected, and on the right is the task pad or toolbox. Getting around is easy, and the MMC is well organized.

Figure 23.1. The new MMC for Internet Security and Acceleration Server 2004.


ISA Networks

Arguably the most important new feature of ISA 2004 is that it no longer trusts the internal network. Stateful inspection will be performed on all traffic in your network regardless of the source or destination. ISA 2000 only knew two networks, internal and external, and it completely trusted the internal network. In ISA 2004 you'll notice that by default SBS recognizes five networks: internal, external, LocalHost, VPN clients, and VPN quarantined clients, and it doesn't trust any of them. Having removed the LAT (Local Area Table), ISA is now free to handle unique relationships between the various networks.

Each network that you specify can have a unique set of policies to handle the traffic for that network. One policy can be applied to several networks, or the policy can be applied to only one network. A couple of examples can be seen in the default configuration of the Firewall Policy (see Figure 23.2).

Figure 23.2. The Firewall Policy rules are numbered. Policy is applied from the top down.


Policy Ordering

When you create a new policy, you'll notice that if you haven't previously specified where to place it, it is placed at the end of the list. Policies are processed from the top down, so the server takes longer to reach rules at the bottom of the list than rules at the top. It also means that you need to be careful about the position at which you place a new rule: the first rule that matches the traffic decides the outcome.


The policy Traffic Between VPN Client and Internal Networks allows VPN clients to access the internal network. If you look at the From and To columns, you'll notice that this policy applies to both the internal network and the VPN client network. Looking down the column you'll see other examples. Take particular notice of the network types All Protected Networks and All Networks (and LocalHost). These are known as network sets. Network sets represent more than one network and are there to simplify administration by grouping networks, much like groups in Active Directory. Two network sets are created by default. The ISA 2004 Help file describes them as follows:

  • All Networks (and LocalHost): This network set includes all networks defined for ISA Server. When you create a new network, the new network is automatically included in this network set. All Networks is the same as Anywhere. Every IP address is included in both Anywhere and in All Networks.

  • All Protected Networks: This network set includes all networks except the built-in external network. When you create a new network, the new network is automatically included in this network set.

Remember one important thing about these preconfigured groups: Any new network you create will automatically be added to them. For this reason, use them with caution. For example, if you create a new network object called Wireless Network, it will automatically become part of the All Networks (and LocalHost) network set. Is this what you really want? Maybe, but maybe not. Say that you have traveling consultants come to your office with laptops, and they need Internet access. You only want the Wireless Network to get out to the Internet but not have access to anything on the internal network. If you have used the network set All Networks (and LocalHost) in a moment of laziness when you created a rule for access to your SQL Server or NAS device, you've also just allowed Wireless Network users to access those things too.
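The two points above (first-match, top-down rule processing and the automatic growth of the built-in network sets) can be seen in a small Python model written for this section; it is not code from the book or from ISA Server, and the network and rule names in it are made up:

```python
# Added example for this section, not code from the book or from ISA Server.
# It models only what the text describes: top-down, first-match rules ending
# in the built-in deny-all Default rule, and built-in network sets that absorb
# every newly created network. All names are made up.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # network or network-set name
    dst: str         # network or network-set name
    protocol: str    # e.g. "MSSQL", "HTTP", or "All"

class Policy:
    def __init__(self):
        # The two built-in sets; All Protected Networks excludes External.
        self.sets = {"All Networks (and LocalHost)": set(),
                     "All Protected Networks": set()}
        self.rules = []

    def add_network(self, name, protected=True):
        # Any new network is automatically added to the built-in sets.
        self.sets["All Networks (and LocalHost)"].add(name)
        if protected:
            self.sets["All Protected Networks"].add(name)

    def members(self, name):
        return self.sets.get(name, {name})   # plain network expands to itself

    def evaluate(self, src, dst, protocol):
        for r in self.rules:                 # top down, first match wins
            if (src in self.members(r.src) and dst in self.members(r.dst)
                    and r.protocol in (protocol, "All")):
                return r.action, r.name
        return "deny", "Default rule"        # built-in last rule

def wireless_scenario(sql_rule_src, block_position=None):
    # Consultants' Wireless Network is created after the rules already exist.
    p = Policy()
    p.add_network("External", protected=False)
    p.add_network("Internal")
    p.rules.append(Rule("SQL access", "allow", sql_rule_src, "Internal", "MSSQL"))
    p.rules.append(Rule("Web access", "allow", "All Protected Networks", "External", "HTTP"))
    p.add_network("Wireless Network")        # silently joins both sets
    if block_position is not None:           # where a later deny rule lands
        p.rules.insert(block_position, Rule("Block wireless", "deny", "Wireless Network", "Internal", "All"))
    return {"sql": p.evaluate("Wireless Network", "Internal", "MSSQL"),
            "web": p.evaluate("Wireless Network", "External", "HTTP")}
```

With the SQL rule written against All Networks (and LocalHost), the new Wireless Network reaches the SQL Server, and a deny rule added later at the end of the list never gets a chance to stop it; naming the Internal network explicitly, or placing the deny rule first, gives the intended result.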

VPN Quarantine

Another new feature is VPN Quarantine. ISA 2004 is fully integrated with the Windows Server 2003 VPN Quarantine feature. This allows you to create a sandbox for your VPN users to sit in while they are checked for a match with your VPN security policy. Your VPN security policy can require patches and virus protection, but beware that Microsoft hasn't provided much for the small business consultant to work with here. There are no wizards, no templates, just a development platform waiting for scripts that you'll have to write by hand. In sum, it's ugly at this point but still worth noting.

As if just to tempt you, Microsoft has made it easy to enable VPN Quarantine even if you don't yet have the VPN security policy set up.

You can enable VPN Quarantine, and all your VPN clients will be quarantined and then disconnected when the time allowed to comply with your VPN security policy runs out. Figure 23.3 shows the VPN Quarantine Clients Properties configuration options. VPN Quarantine is a wonderful idea whose time is near. Many small businesses have sales staff working from hotels, cars, and home on PCs that are out of their direct control, but vendors have yet to step up and create the add-ins necessary for small business to use this feature easily.

Figure 23.3. VPN quarantine settings.


Apply or Discard?

After you get started customizing the configuration of ISA 2004 Server, you'll quickly notice the presence of Apply and Discard buttons at the top of the ISA Management screen as shown in Figure 23.4. Even though you have made your changes and selected OK at the end of the change, you still have options. Doing nothing lets the changes remain dormant until you reboot or make a decision. Clicking Apply will apply your changes to new sessions only. Clicking Discard will undo your changes.

Figure 23.4. Click the Apply button for your changes to take effect. Click Discard to cancel your changes.


Note

To have your changes apply to all sessions immediately you'll need to restart the Firewall Service or disconnect the sessions in the Sessions tab in Monitoring.


Best Practice: Apply Changes One at a Time

Although it is tempting to make all your changes now and apply them later, it might not be a good habit to get into. Making several changes and then applying them all at once will likely result in a troubleshooting nightmare if things don't go as planned.

To avoid this, apply each change you make one at a time and test to make sure that it is doing what you intended before moving on to the next step.


Administration Delegation

Another new feature is administration delegation, which is found under Configuration, General. You are now able to offer the business owner or other interested individual monitoring access to the ISA Server without running the risk that he will reconfigure something. ISA 2004 recognizes three different levels of admin: ISA Server Basic Monitoring, ISA Server Extended Monitoring, and ISA Server Full Administrator.

From the ISA Server Help file, Table 23.1 shows what each level of delegation authorizes.

Table 23.1. Administration Delegation Roles in ISA 2004

Activity                                                  ISA Server Basic Monitoring  ISA Server Extended Monitoring  ISA Server Full Administrator
--------------------------------------------------------  ---------------------------  ------------------------------  -----------------------------
View Dashboard, alerts, connectivity, sessions, services  X                            X                               X
Acknowledge alerts                                        X                            X                               X
View log information                                                                   X                               X
Create alert definitions                                                               X                               X
Create reports                                                                         X                               X
Stop and start sessions and services                                                   X                               X
View firewall policy                                                                   X                               X
Configure firewall policy                                                                                              X
Configure cache                                                                                                        X
Configure VPN                                                                                                          X


Administrators who have Extended Monitoring role permissions can configure all report properties with the following exceptions:

  • Cannot configure a different user account when publishing reports

  • Cannot customize report contents

Best Practice: Teach Monitoring Skills

A bit of training may be necessary to make sure that the person doing the monitoring knows what she is looking at and has an idea of how to spot a problem. In both of the monitoring delegations, Acknowledge Alerts is allowed. If a person isn't aware what the alert really means, she may panic when she sees it and start calling IT support when it really isn't necessary; some normal alerts occur to let you know that ISA is doing its job preventing unintended access to your network. Or worse yet, the would-be administrator may just acknowledge an alert without recognizing its seriousness. In either case, alert acknowledgement is best left to a qualified professional.


Most business owners, if they are interested in what the firewall is doing, are going to want to run reports from ISA 2004. Perform the steps in the following sections to set up administration delegation for extended monitoring and install the remote administration client on the person's desktop.

Assign Administrator Delegation

1. In the ISA 2004 Management MMC, in the left pane, expand Configuration and then select General.

2. In the center pane select Administration Delegation. Click Next. Click the Add button on the Delegate Control page. Click Browse and then enter the name of the person or group that you want to delegate to. Click Check Name and then click OK.

3. On this same page, under Roles you have a drop-down menu. Select ISA Server Extended Monitoring and click OK. You should now see your selection in the Users/Roles box under Domain/Administrator and BUILTIN/administrators. Click Next.

4. Review your changes; they should look similar to Figure 23.5. If correct, click Finish. Click Apply at the top of the page to apply this change now.

Figure 23.5. Review your list of whom administration of your ISA is delegated to and which role each person is playing before clicking Next.


Install the Remote Administration Client

Now that you've designated who can monitor ISA, you'll want to install the Management tool on the workstation that the admin will be using. Follow these steps:

1. Insert SBS 2003 SP1 disk 3 into the workstation.

2. Browse the CD to the X:\ISA2004\ directory and run ISAAUTORUN.exe. Follow the installation wizard and enter your SBS 2003 license code for the ISA 2004 license code.

3. You'll be warned that ISA Server can't be installed on your operating system. That's OK; you're only going to install the management client. Your list of items to be installed should match those in Figure 23.6. Click Next. Then click Install.

Figure 23.6. The list of ISA Server components to be installed on your workstation should only indicate ISA Server Management.


4. When the installation is finished, an Internet Explorer window pops up letting you know that the installation was successful. Close this window.

5. To run ISA Management on the workstation, click Start, Programs, Microsoft ISA Server and select ISA Server Management.

6. In ISA Server Management, in the left pane, right-click on Microsoft Internet Security and Acceleration Server 2004 and select Connect To.

7. In the Connect To dialog box the radio buttons Another Computer (Remote Management) and Connect Using the Credentials of the Logged-On User should be selected. Enter the name of your SBS server in the box (see Figure 23.7) and click OK. You should now be connected to your server.

Figure 23.7. Enter the name of your ISA Server or click the Browse button.





Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253