Administration at the array level varies according to the options you choose for the enterprise policy. An array policy can be used in conjunction with an enterprise policy to further augment the settings imposed on the computers of the array. An array policy manages the way in which both inbound and outbound communication for ISA Server clients works through its ability to create access rules, Web publishing rules, and server publishing rules. If an array policy isn't tied to a user-defined enterprise policy, the array policy rules can allow and deny access based on the needs of the array administrator.
The method of applying effective array policy in ISA Server 2004 is straightforward and flexible. This method of applying system policy rules, pre-enterprise access rules, array access rules, and post-enterprise access rules, as depicted in Figure 14-7, gives array administrators more control than provided in ISA Server 2000. Because of this, ISA administrators can effectively delegate policy management to the array administrators.
Figure 14-7: The flow of effective policies in ISA Server 2004 is much improved.
System policy rules are applied first. Because of this, an array administrator can directly modify the system policy to override a pre-enterprise access rule defined by the enterprise administrator.
As discussed in the section entitled "Enterprise Administration and Permissions" earlier in this chapter, ISA Server 2004 uses role-based administration. The following roles are for array administration:
ISA Server Array Monitoring Auditor: This role allows for viewing and monitoring of the ISA Server computer, but does not allow for any configuration modifications to monitoring functionality.
ISA Server Array Auditor: This role allows for viewing of firewall policy, creating reports, session and service management, and includes the capabilities of the ISA Server Array Monitoring Auditor.
ISA Server Array Administrator: This role can perform any ISA Server task, including firewall policy management, creating reports, and alerts. It also includes the capabilities of the ISA Server Array Monitoring Auditor and the ISA Server Array Auditor.
See the section "Array-Level Administrative Roles" in the ISA Server Help file for an outline of the permissions granted to each role.
To configure array roles and permissions, follow these steps:
In the ISA Server Management console tree, expand the Arrays node, right-click the applicable array policy, and then select Properties.
Click the Assign Roles tab, click Add, type the name of the user or group, and then from the drop-down list, select the role to assign to the specified user or group. Click OK twice to complete.
In the details pane, click Apply to save your changes, and then click OK.
Before you create any array access rules, check the allowed array policy settings configured for the array. The three array policy settings are as follows:
"Deny" Access Rules: Necessary if the array administrator wants to create access rules denying traffic.
"Allow" Access Rules: Necessary if the array administrator wants to create access rules allowing traffic.
Publishing Rules ("Deny" Or "Allow"): Necessary if the array administrator wants to publish servers (includes both Web and Server publishing).
To check array policy settings, follow these steps:
In the ISA Server Management console tree, select the Arrays node.
In the details pane, right-click the applicable array, and select Properties.
Click the Policy Settings tab. In the Array Firewall Policy Rule Types section, as shown in Figure 14-8, select each check box to give the array administrator granular control over the types of access rules that can be created.
By default, all three check boxes are selected, which allows the creation of all access rule types.
Figure 14-8: To grant array administrators the ability to create all types of access rules, select all three appropriate check boxes.
If the required check boxes are not selected, you receive an error when you try to create an access rule within the array, as shown in Figure 14-9.
Figure 14-9: The ability to create access rules is denied if the policy settings for the array are not configured properly.
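The evaluation order from Figure 14-7 and the rule-type check on the Policy Settings tab, as a simplified Python model added here (not ISA Server code or its API). First-match evaluation, the default deny, and every rule and function name are assumptions of the model.

```python
from dataclasses import dataclass

# Order in which the text says the rule sets are applied (Figure 14-7).
ORDER = ("system", "pre_enterprise", "array", "post_enterprise")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocol: str             # simplified match key; real rules match on more
    publishing: bool = False

def rule_type(rule):
    """Map a rule to the Policy Settings check box that governs it."""
    return "publishing" if rule.publishing else rule.action

def add_array_rule(policy, allowed_types, rule):
    """Refuse an array rule whose type is cleared on the Policy Settings tab."""
    kind = rule_type(rule)
    if kind not in allowed_types:
        raise PermissionError(f"'{kind}' rules are not permitted in this array")
    policy["array"].append(rule)

def effective_policy(policy):
    """Flatten the four rule sets into one ordered list."""
    return [(layer, r) for layer in ORDER for r in policy[layer]]

def evaluate(policy, protocol):
    """Assumed semantics: first matching rule decides, no match means deny."""
    for layer, r in effective_policy(policy):
        if r.protocol == protocol:
            return r.action, layer, r.name
    return "deny", None, "default"

def sample_policy():
    # Constructed sample data, not taken from a real configuration.
    return {
        "system": [Rule("Allow remote management", "allow", "RDP")],
        "pre_enterprise": [Rule("Block RDP", "deny", "RDP"),
                           Rule("Block Telnet", "deny", "Telnet")],
        "array": [],
        "post_enterprise": [Rule("Allow HTTP", "allow", "HTTP")],
    }
```

In the model, a system policy rule wins over a conflicting pre-enterprise rule, while an array rule can pre-empt only post-enterprise rules, which is the delegation boundary to review when assigning the ISA Server Array Administrator role.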
There are a variety of settings that can be configured at the array level. For in-depth information about how to administer individual arrays, see Chapter 13, "Configuring Arrays Using Centralized Management."
Before you make any modifications to an array, you should back it up. If any problems result from your changes, you can then restore the original configuration and avoid the time-consuming processes of diagnosing, fixing, and sometimes even recreating your ISA Server arrays.
The backup or export process for arrays is very similar to the procedures identified in the section entitled "Backing Up and Restoring an Enterprise Configuration" earlier in this chapter. The difference is that to export or back up, you right-click the applicable array and select Export (Backup). To import, you right-click the applicable array and select Import (Restore).