In general, creating Firewall Policy rules and network policy rules makes up the bulk of an ISA Firewall Administrator's day-to-day work. Several advanced tasks, however, should also be understood when deploying ISA Server as a firewall.
Publishing Servers and Services
ISA Server 2004 can secure and "publish" a server to make it available to outside clients. Publishing servers such as web servers, OWA servers, SharePoint sites, Citrix servers, and the like is generally referred to as a "reverse proxy" capability. The advantage of using ISA to publish servers is that the ISA server can pre-authenticate connections to the service and act as a bastion host for that traffic, ensuring that internal servers are never directly accessed from the Internet.
ISA Server 2004, whether deployed as a full firewall or not, supports publishing multiple types of servers, and it is important to understand how to set this up. Publishing scenarios, including step-by-step guides, are listed in Part III of this book, "Securing Servers and Services with ISA Server 2004."
Reviewing and Modifying the ISA System Policy
By default, ISA Server 2004 uses a set of Firewall Policy rules that grant the Localhost network specific types of functionality and access. Without system policy rules, for example, the ISA server itself would not be able to perform tasks such as pinging internal servers or downloading updates from the Windows Update website. Because the default rule is to deny all traffic unless otherwise specified, system policy rules are needed to permit specific types of access from the local ISA server.
System policy rules are enabled but are not shown by default in ISA Server 2004. To view the system policy rules, click on the Show System Policy Rules link in the Tasks tab of the Firewall Policy node. The system policy rules, partially shown in Figure 5.12, are extensive, and it is important to understand what types of functionality are provided by each individual policy rule.
Figure 5.12. Viewing default system policy rules.
All the system policy rules are configurable through the System Policy Editor, shown in Figure 5.13. The System Policy Editor can be invoked simply by double-clicking on any of the system policy rules listed.
Figure 5.13. Editing system policies in the System Policy Editor.
The System Policy Editor divides the system policies into various configuration groups, which are subsequently organized into parent configuration groups as follows:
Troubleshooting why an ISA server cannot perform a particular function should always include a visit to the System Policy Editor. The built-in system policy rules support the configuration of many different deployment scenarios with ISA Server 2004.