Setting Up Enterprise Networks and Policies

With a CSS Enterprise in place, the groundwork can be laid for the eventual introduction of the ISA Servers. The key is to pre-configure information that will be global for all ISA Servers and Arrays within an organization. The ISA admin console, a default installation option on a CSS server, is used in this capacity, and can be run even before official ISA Servers are installed. The Console, shown in Figure 6.6, is slightly different than the Standard Edition Console. Several Enterprise options have been added.

Figure 6.6. Exploring the ISA Enterprise admin console.

Although it is possible to wait to configure the options in the console until the servers are installed, it is often preferable to pre-configure them.

Delegating Administration of ISA

The first step that should be performed on an ISA Server is the delegation of administration to individual users or, preferably, groups of users. To delegate administration to a group, for example, perform the following steps:

1.	Start the ISA Server 2004 Enterprise Admin Console (Start, All Programs, Microsoft ISA Server, ISA Admin Console).
2.	From the Console tree, click on the Enterprise node.
3.	In the Tasks tab of the Tasks pane, click on the link Assign Administrative Roles.
4.	Click the Add button.
5.	Enter the DOMAIN\Groupname into the Group or User field (or use the Browse button) and select a role that matches the group chosen, as is illustrated in Figure 6.7. Figure 6.7. Delegating administration in ISA Enterprise Edition.
6.	Click the Add button to add groups as necessary.
7.	Click OK to close the dialog box.
8.	Click Apply and then click OK to save the changes.

Defining Enterprise Networks

The Enterprise Console enables Enterprise networks to be defined and configured before ISA Servers are installed. An Enterprise network is one that is defined for use by all ISA Servers and arrays within an organization. For example, if a company's network were composed of three locations, Miami, Kiev, and Sapporo, and each location utilized a different network subnet, then each of these subnets could be defined within CSS as Enterprise networks. This makes it easier to create rules that apply to traffic to and from these networks and ensures that any changes made to the networks (such as new subnets added) are applied globally across all ISA Servers.

In this example, a single Internal network (10.10.10.0/24) is defined in the CSS Console as follows:

1.	From the ISA Enterprise Console, navigate through the console tree to Enterprise, Enterprise Policies, Enterprise Networks.
2.	In the Tasks tab of the Tasks pane, click the link for Create a New Network.
3.	When the wizard appears, enter a name for the network, such as CompanyABC-Internal, and click Next.
4.	Under the Network Addresses dialog box, click Add Range.
5.	Enter a Start address and an End address that define the Internal network, as shown in Figure 6.8, and click OK. Figure 6.8. Defining the Enterprise Internal network.
6.	Click Next.
7.	Click Finish, Apply, and OK.

Establishing Enterprise Network Rules

Along with the Enterprise networks, Enterprise network rules can be defined to describe the relationship, either Route or NAT, between the various networks. In this example, a NAT relationship is configured between the newly created CompanyABC-Internal network and the External network as follows:

1.	From the Enterprise Networks Node in the Console tree, click on the Create a Network Rule link in the Tasks tab of the Tasks pane.
2.	Enter a name for the network rule, such as NATExternal and Internal and click Next.
3.	In the Network Traffic Sources, click the Add button.
4.	Under Enterprise Networks, choose CompanyABC-Internal (or equivalent) and click Add.
5.	Select External and click Add.
6.	Click Close and click Next.
7.	Under the Network Traffic Destinations dialog box, click Add.
8.	Under Enterprise Networks, choose CompanyABC-Internal and click Add, then repeat for External. Click Close and Next when done.
9.	Under Network Relationship, shown in Figure 6.9, choose Network Address Translation (NAT) and click Next to continue. Figure 6.9. Defining the network relationship between ISA Enterprise networks.
10.	Click Finish, Apply, and OK to save the changes.

Creating Enterprise Policies

An Enterprise policy is one that, as the name suggests, is global to the entire ISA Enterprise. Enterprise policies are vessels for Enterprise access rules, and can be populated with various access rules that are global for all parts of an organization. It is convenient to create Enterprise policies to make it easier to implement global changes that may be dictated at an organization. For example, an Enterprise policy could be set up with several Enterprise access rules that allow web access and FTP access. A change in organizational policy to allow the Remote Desktop Protocol for all networks could be easily modified by adding an additional Enterprise access rule to an existing Enterprise policy.

By default, a single Enterprise policy already exists, with a default access rule to deny all connections. This is by design for security purposes. To create an additional Enterprise policy, do the following:

1.	From the ISA Enterprise Console, click on the Enterprise Policies node.
2.	In the Tasks tab of the Tasks pane, click the link for Create New Enterprise Policy.
3.	Enter a name for the policy, such as CompanyABC Policy, and click Next.
4.	Click Finish, Apply, and OK.

Creating Enterprise Access Rules for the Enterprise Policy

Each Enterprise policy can be populated with various Enterprise access rules. To create a single rule allowing web access, for example, perform the following steps:

1.	From the ISA Console, navigate to Enterprise, Enterprise Policies, CompanyABC Policy (or equivalent).
2.	From the Tasks tab in the Tasks pane, click the link for Create Enterprise Access Rule.
3.	Enter a name for the Access rule, such as Web Access, and click Next.
4.	Under Rule Action, select Allow and click Next.
5.	Under the Protocols dialog box, choose Selected Protocols and click the Add button.
6.	Under Common Protocols, choose HTTP and click Add, choose HTTPS and click Add, choose DNS and click Add, and then click Close.
7.	At the dialog box displayed in Figure 6.10, click Next to continue. Figure 6.10. Adding a Web Access rule to the Enterprise policy.
8.	From the Access Rule sources, click the Add button.
9.	Under Enterprise Networks, choose CompanyABC-Internal, click Add and then click Close.
10.	Click Next to continue.
11.	Under Access Rule Destinations, click the Add button.
12.	Under Enterprise Networks, select the External network and click Add and Close.
13.	Click Next to continue.
14.	Under User Sets, accept the default of all users and click Next.
15.	Verify the configuration in the final dialog box, shown in Figure 6.11, and click Finish. Figure 6.11. Finalizing a Web Access rule in the Enterprise policy.
16.	Click Apply and OK to save the changes.

Changing the Order of Enterprise Policy Rules

With ISA Server 2004 Standard Edition, firewall policy rules are implemented in order from top to bottom. This is true as well with the Enterprise Edition, with one twist on the theme. Enterprise policies can be implemented either before array rules (described in later sections of this book) or after those array rules. They can be moved from one section to another, similar to what is displayed in Figure 6.12.

Figure 6.12. Changing the order of an Enterprise Policy Rule.

This concept can be useful if it's necessary to specify which rule is applied, and whether it is applied before or after different array rules are applied.

Figure 6.6. Exploring the ISA Enterprise admin console.

Delegating Administration of ISA

Figure 6.7. Delegating administration in ISA Enterprise Edition.

Defining Enterprise Networks

Figure 6.8. Defining the Enterprise Internal network.

Establishing Enterprise Network Rules

Figure 6.9. Defining the network relationship between ISA Enterprise networks.

Creating Enterprise Policies

Creating Enterprise Access Rules for the Enterprise Policy

Figure 6.10. Adding a Web Access rule to the Enterprise policy.

Figure 6.11. Finalizing a Web Access rule in the Enterprise policy.

Changing the Order of Enterprise Policy Rules

Figure 6.12. Changing the order of an Enterprise Policy Rule.