With a CSS Enterprise in place, the groundwork can be laid for the eventual introduction of the ISA Servers. The key is to pre-configure information that will be global for all ISA Servers and Arrays within an organization. The ISA admin console, a default installation option on a CSS server, is used in this capacity, and can be run even before official ISA Servers are installed. The Console, shown in Figure 6.6, is slightly different from the Standard Edition Console: several Enterprise options have been added.
Figure 6.6. Exploring the ISA Enterprise admin console.
Although it is possible to wait to configure the options in the console until the servers are installed, it is often preferable to pre-configure them.
Delegating Administration of ISA
The first step that should be performed on an ISA Server is the delegation of administration to individual users or, preferably, groups of users. To delegate administration to a group, for example, perform the following steps:
Defining Enterprise Networks
The Enterprise Console enables Enterprise networks to be defined and configured before ISA Servers are installed. An Enterprise network is one that is defined for use by all ISA Servers and arrays within an organization. For example, if a company's network were composed of three locations, Miami, Kiev, and Sapporo, and each location used a different network subnet, then each of these subnets could be defined within CSS as an Enterprise network. This makes it easier to create rules that apply to traffic to and from these networks, and it ensures that any changes made to the networks (such as new subnets being added) are applied globally across all ISA Servers.
In this example, a single Internal network (10.10.10.0/24) is defined in the CSS Console as follows:
Establishing Enterprise Network Rules
Along with the Enterprise networks, Enterprise network rules can be defined to describe the relationship, either Route or NAT, between the various networks. In this example, a NAT relationship is configured between the newly created CompanyABC-Internal network and the External network as follows:
Creating Enterprise Policies
An Enterprise policy is one that, as the name suggests, is global to the entire ISA Enterprise. Enterprise policies are containers for Enterprise access rules, and can be populated with various access rules that are global for all parts of an organization. It is convenient to create Enterprise policies because they make it easier to implement global changes that may be dictated at the organizational level. For example, an Enterprise policy could be set up with several Enterprise access rules that allow web access and FTP access. A subsequent change in organizational policy to allow the Remote Desktop Protocol for all networks could then be implemented simply by adding an additional Enterprise access rule to the existing Enterprise policy.
By default, a single Enterprise policy already exists, with a default access rule to deny all connections. This is by design for security purposes. To create an additional Enterprise policy, do the following:
Creating Enterprise Access Rules for the Enterprise Policy
Each Enterprise policy can be populated with various Enterprise access rules. To create a single rule allowing web access, for example, perform the following steps:
Changing the Order of Enterprise Policy Rules
With ISA Server 2004 Standard Edition, firewall policy rules are implemented in order from top to bottom. This is true as well with the Enterprise Edition, with one twist on the theme. Enterprise policies can be implemented either before array rules (described in later sections of this book) or after those array rules. They can be moved from one section to another, similar to what is displayed in Figure 6.12.
Figure 6.12. Changing the order of an Enterprise Policy Rule.
This is useful when it is necessary to control which rule takes effect for a given connection, since the first matching rule in the top-to-bottom order wins: placing an Enterprise rule before the array rules lets it override them, while placing it after the array rules lets the array rules take precedence.
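The following Python model, added here as an illustration and not taken from ISA Server or its administration API, ties together the sections above: Enterprise networks defined as subnets (the CompanyABC-Internal 10.10.10.0/24 network from the text), an Enterprise network rule giving the NAT relationship to External, and the first-match ordering of Enterprise policy rules placed before the array rules, then the array rules, then Enterprise rules placed after, and finally the default deny. The second Enterprise network (CompanyABC-Kiev, 10.10.20.0/24), the "Allow Web", "Allow RDP" and "Block RDP" rules, and the sample addresses are constructed for the example.

```python
"""Model of ISA Server 2004 Enterprise Edition policy evaluation order.

Added example, not ISA code or its API. It models:
  - Enterprise networks as CIDR blocks (External is the catch-all),
  - Enterprise network rules (Route/NAT relationship between networks),
  - first-match evaluation of Enterprise-before, array, Enterprise-after
    access rules, followed by the default deny rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Enterprise networks. CompanyABC-Internal is from the text; CompanyABC-Kiev
# is constructed to show a network that has no network rule to External.
ENTERPRISE_NETWORKS = {
    "CompanyABC-Internal": [ip_network("10.10.10.0/24")],
    "CompanyABC-Kiev": [ip_network("10.10.20.0/24")],      # constructed
}


@dataclass
class NetworkRule:
    name: str
    source: str
    dest: str
    relationship: str   # "NAT" or "Route"


# Enterprise network rule from the text: NAT between Internal and External.
NETWORK_RULES = [NetworkRule("Internal to External", "CompanyABC-Internal", "External", "NAT")]


@dataclass
class AccessRule:
    name: str
    action: str         # "Allow" or "Deny"
    protocols: set      # protocol names; "*" means all protocols
    sources: set        # Enterprise network names
    dests: set


@dataclass
class Policy:
    enterprise_before: list   # Enterprise rules placed before the array rules
    array_rules: list
    enterprise_after: list    # Enterprise rules placed after the array rules
    default_deny_name: str = "Default rule"


def classify(addr: str) -> str:
    """Map an address to its Enterprise network; anything unmatched is External."""
    ip = ip_address(addr)
    for name, subnets in ENTERPRISE_NETWORKS.items():
        if any(ip in subnet for subnet in subnets):
            return name
    return "External"


def relationship(src_net: str, dst_net: str):
    """Return the Route/NAT relationship, or None if no network rule links the two."""
    for rule in NETWORK_RULES:
        if {rule.source, rule.dest} == {src_net, dst_net}:
            return rule.relationship
    return None


def _matches(rule: AccessRule, proto: str, src_net: str, dst_net: str) -> bool:
    return (("*" in rule.protocols or proto in rule.protocols)
            and src_net in rule.sources and dst_net in rule.dests)


def evaluate(policy: Policy, proto: str, src_ip: str, dst_ip: str):
    """Return (action, rule name) for a connection using first-match ordering."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    # Without a network rule there is no Route/NAT path, so access rules never apply.
    if relationship(src_net, dst_net) is None:
        return ("Deny", "no network rule")
    for rule in policy.enterprise_before + policy.array_rules + policy.enterprise_after:
        if _matches(rule, proto, src_net, dst_net):
            return (rule.action, rule.name)
    return ("Deny", policy.default_deny_name)


def build_scenario(rdp_rule_after_array: bool) -> Policy:
    """Constructed policy: web and RDP allowed at the Enterprise level, RDP blocked by the array."""
    internal_out = ({"CompanyABC-Internal"}, {"External"})
    allow_web = AccessRule("Allow Web", "Allow", {"HTTP", "HTTPS"}, *internal_out)
    allow_rdp = AccessRule("Allow RDP", "Allow", {"RDP"}, *internal_out)
    block_rdp = AccessRule("Block RDP", "Deny", {"RDP"}, *internal_out)   # array rule
    if rdp_rule_after_array:
        return Policy([allow_web], [block_rdp], [allow_rdp])
    return Policy([allow_web, allow_rdp], [block_rdp], [])


if __name__ == "__main__":
    for after in (False, True):
        policy = build_scenario(after)
        print("Allow RDP placed", "after" if after else "before", "array rules:",
              evaluate(policy, "RDP", "10.10.10.25", "203.0.113.9"))
```

Moving the "Allow RDP" Enterprise rule from the before-array section to the after-array section flips the outcome for RDP, because the array's "Block RDP" rule now matches first; the Kiev subnet gets nothing through regardless of access rules until a network rule to External is created.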