Network Objects


Network objects describe the locations from which traffic originates (source) and to which it travels (destination). These locations can be any one of ten types—networks, enterprise networks (only in Enterprise Edition), network sets, computers, computer sets, address ranges, subnets, URL sets, domain name sets, and Web listeners—all of which are described in more detail next.

Note 

To view all the network objects in the ISA Server Management console tree, click Firewall Policy. On the Toolbox tab in the task pane, click Network Objects. All of the network objects are discussed below.

Networks

A network is one or more IP addresses that designate network devices. Several preconfigured networks exist:

  • Local host This represents the ISA server itself, and includes the IP addresses bound to the ISA server and 127.0.0.1. There is also an Enterprise local host, which identifies each ISA server in an array along with its unique local host addresses.

  • Internal All IP addresses associated with the internal network adapter. See how to configure this network in the section entitled "Configuring the Internal Network Object" later in this chapter.

  • External All IP addresses that are not defined, or "everything else." You cannot configure or customize this network.

  • VPN Clients and Quarantined VPN Clients networks These two networks are populated automatically when a VPN client connects to the ISA server. When VPN quarantine is enabled, a connecting client is first placed in the Quarantined VPN Clients network and is moved to the VPN Clients network only after it passes the quarantine check; until then, only the rules you have written for the quarantined network apply to it.

Note 

ISA Server Enterprise Edition has what are known as enterprise networks. These networks are configured at the enterprise—rather than the array—level. You can follow the same procedures for creating and editing enterprise networks, but will manage them in the ISA Server Management console by navigating to the Enterprise node, then selecting the Enterprise Networks node.

Creating a New Network Object

To create a new network, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Network.

  2. On the Welcome To The New Network Wizard page, type a new network name and click Next.

  3. On the Network Type page, select one of four network types, and then click Next:

    • Internal Network Contains computers that exist in an environment where they are not exposed to External networks.

    • Perimeter Network Contains computers that host services published to untrusted networks.

    • VPN Site-To-Site Network Establishes a link with another network through a VPN link.

    • External Network Contains computers from untrusted networks, usually on the Internet.

    Note 

    The internal, perimeter, and external networks have the same interface to define networks—as a best practice, be sure to include the type of network you're creating in the name. The VPN site-to-site network option requires that you set up the VPN connections at both sites. See Chapter 11, "Securing Virtual Private Network Access," for information on configuring this option. All other network configurations are covered here.

  4. On the Network Addresses page, choose to define the network using one or more of the following three methods, and then click Next.

    • Add Range Add a range of IP addresses you assign.

    • Add Adapter Choose one of the ISA server's network adapters, and use its routing table to configure the network.

    • Add Private Add one or more of the four private network ranges. As a best practice, add only the ranges that are actually routed behind the adapter rather than all of them: ISA Server expects a network definition to match the routing table, and addresses that are in the definition but not reachable through the adapter lead to spoof detection and routing problems.

    Note 

    In the Enterprise Edition, when working in the Array Firewall policies, you will also see an Add Network button that allows you to choose an enterprise network.

  5. On the Completing The New Network Wizard page, review your settings, then click Finish.

  6. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Network Sets

When you wish to control a collection of networks, you can group them together into a network set. The following preconfigured network sets exist:

  • All Networks (and Local Host) Includes all possible networks, including the Local Host network defining the ISA server itself.

  • All Protected Networks Includes all networks except for the external network.

Configuring the Internal Network Object

The internal network represents the machines that ISA Server is protecting inside your network—this is the default protected network. To configure the Internal Network object, follow these steps:

  1. In the ISA Server Management console, expand the Configuration node for your array, and then click the Networks node.

  2. In the Details pane, click the Networks tab, right-click the internal network, and select Properties.

  3. In the Internal Properties dialog box, you can configure the IP addresses and domains that comprise the internal network. Make the updates you require, click OK, and then click Apply.

Note 

For more information on configuring the internal network, see Chapter 4, "Installing and Configuring Microsoft ISA Server 2004 Clients," and Chapter 9, "Configuring Multinetworking."

Creating a Network Set Object

To create a network set, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Network Set.

  2. On the Welcome To The New Network Set Wizard page, type a new network set name, then click Next.

  3. On the Network Selection page, shown in Figure 7-6, select either Includes All Selected Networks or Includes All Networks Except The Selected Networks, then select the check boxes for the appropriate networks. Click Next.

  4. On the Completing The New Network Set Wizard page, review your settings, then click Finish.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Figure 7-6: You select the networks you wish to include or exclude from your network set on the Network Selection page.

Computers

A single IP address designating a network device is known as a computer. It can also indicate a device such as a modem, another firewall, and so on.

Creating a Computer Object

To create a computer object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Computer.

  2. In the New Computer Rule Element dialog box, type in the name and (optionally) a description of the computer.

  3. Either click Browse to locate the IP address of the computer or type in the IP address as shown in Figure 7-7.

  4. Click OK to close the New Computer Rule Element dialog box.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Figure 7-7: You can define any device with an IP address as a computer object—in this case we are defining a wireless access point.

Address Ranges

Address ranges consist of a range of IP addresses, and can be used in access rules or computer sets.

Creating an Address Range Object

To create an address range object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Address Range.

  2. In the New Address Range Rule Element dialog box, type in the name and (optionally) a description of the address range.

  3. Type in the start and end IP addresses within the range, and then click OK to close the New Address Range Rule Element dialog box.

  4. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Subnets

A subnet object designates a block of addresses by its network ID and subnet mask; you can enter the mask as a classless interdomain routing (CIDR) prefix length (for example, 24) or in dotted-decimal form (255.255.255.0). Subnet objects are useful for addresses that are reached through the internal network but need to be controlled differently. One example is a network behind a router on the internal network: its traffic arrives through the internal adapter and already matches rules written for the Internal network, but you may want separate rules for it. Keep such addresses in the Internal network definition and refer to them in rules with a subnet object rather than moving them into a network object of their own. ISA Server's spoof detection expects every source address that arrives on an adapter to belong to the network assigned to that adapter, so if you remove addresses that are routed behind the internal adapter from the Internal network and place them in a separate network object, ISA Server generates spoofing alerts for their traffic and blocks it. A separate network object is appropriate only for addresses that are reached through their own adapter.

Creating a Subnet Object

To create a subnet object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Subnet.

  2. In the New Subnet Rule Element dialog box, type in the name and (optionally) a description of the subnet.

  3. In the Network Address text box, type in the network ID for the subnet, then indicate the network (subnet) mask either by typing the number of bits, or typing the decimal representation in the Network Mask text box as shown in Figure 7-8.

  4. Click OK to close the New Subnet Rule Element dialog box.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Figure 7-8: You can specify the subnet mask in the Network Mask text box.
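The following script, added here as an illustration and not part of the book or of ISA Server, models the objects described above (computers, address ranges, and subnets with a mask given either as a bit count or in dotted-decimal form) and checks each one against an Internal network definition, reporting the addresses that fall outside it. That is exactly the situation that produces spoofing alerts: an object whose addresses arrive through the internal adapter but are not part of the Internal network. The Internal ranges and the objects are constructed sample data, not values from the page.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple


def parse_subnet(network_id: str, mask: str) -> ipaddress.IPv4Network:
    """Build a subnet from the two fields of the New Subnet Rule Element dialog:
    a network ID plus a mask given either as a bit count ("24") or in
    dotted-decimal form ("255.255.255.0")."""
    if "." in mask:
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    else:
        prefix = int(mask)
    # strict=True rejects a "network ID" with host bits set (e.g. 10.1.2.5/24),
    # which is a typo rather than a network.
    return ipaddress.IPv4Network(f"{network_id}/{prefix}", strict=True)


def computer(address: str) -> ipaddress.IPv4Network:
    """A computer object is a single address, i.e. a /32."""
    return ipaddress.IPv4Network(f"{address}/32")


def address_range(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """An address range object (start-end) as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def uncovered(candidate: ipaddress.IPv4Network,
              networks: Sequence[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Parts of candidate that lie in none of networks.  Two CIDR blocks are
    either nested or disjoint, so every piece is dropped, split, or kept."""
    remaining = [candidate]
    for net in networks:
        kept = []
        for piece in remaining:
            if piece.subnet_of(net):
                continue                                 # fully covered
            if net.subnet_of(piece):
                kept.extend(piece.address_exclude(net))  # carve out the covered part
            else:
                kept.append(piece)                       # disjoint, still uncovered
        remaining = kept
    return remaining


def audit_against_internal(internal_ranges: Sequence[Tuple[str, str]],
                           objects: Sequence[Tuple[str, Sequence[ipaddress.IPv4Network]]]
                           ) -> Dict[str, List[str]]:
    """For each named object, list the CIDR blocks that are NOT inside the
    Internal network definition (an empty list means the object is fine)."""
    internal = [n for start, end in internal_ranges for n in address_range(start, end)]
    report: Dict[str, List[str]] = {}
    for name, blocks in objects:
        gaps: List[str] = []
        for block in blocks:
            gaps.extend(str(n) for n in uncovered(block, internal))
        report[name] = gaps
    return report


# Constructed sample data (hypothetical, not taken from the page).
INTERNAL_RANGES = [("192.168.1.0", "192.168.1.255"), ("10.20.0.0", "10.20.127.255")]
OBJECTS = [
    ("Wireless AP (computer)", [computer("192.168.1.10")]),
    ("Engineering LAN (subnet)", [parse_subnet("10.20.0.0", "255.255.0.0")]),
    ("Lab (subnet)", [parse_subnet("10.30.0.0", "24")]),
    ("Printers (address range)", address_range("192.168.1.200", "192.168.1.220")),
]

if __name__ == "__main__":
    for name, gaps in audit_against_internal(INTERNAL_RANGES, OBJECTS).items():
        status = "ok" if not gaps else "NOT in Internal: " + ", ".join(gaps)
        print(f"{name}: {status}")
```

In the sample data the Engineering LAN subnet is only half inside the Internal definition (10.20.128.0/17 is missing) and the Lab subnet is entirely outside it; if those addresses are really routed behind the internal adapter, the fix is to extend the Internal network's address ranges, not to create a new network object for them.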

Computer Sets

A computer set is a collection of computers, address ranges, or subnets. Several preconfigured computer sets exist: Anywhere, IPsec Remote Gateways, and Remote Management Computers. With ISA Server Enterprise Edition, you will also see Enterprise Remote Management Computers, Replicate Configuration Storage Servers, Array Servers, and Managed ISA Server Computers.

Creating a Computer Set Object

To create a new computer set object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Computer Set.

  2. In the New Computer Set Rule Element dialog box, type in the name and (optionally) a description of the computer set.

  3. Click Add, which allows you to create a combination of computers, address ranges, or subnets you've configured.

  4. Click OK to close the New Computer Set Rule Element dialog box.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

URL Sets

URL sets designate several URLs, which are also known as Web addresses. You can include several different Web site addresses and use wildcards. If, for example, you wanted to allow only the Web addresses related to Contoso's support Web site, you would need to create a URL set that indicates that path, along with a wildcard, as in this example:

  • http://www.contoso.com/support/*

URL sets apply only to Web traffic handled by the Web proxy filter, and you can use them only in rules that apply to Web protocols. For plain HTTP the full URL, including the path, is visible to ISA Server; for HTTPS that is tunneled rather than bridged, ISA Server sees only the host name, so the path portion of a URL set entry (such as /support/* above) cannot be evaluated. Matching by name also depends on a correctly configured DNS infrastructure.

Creating a URL Set Object

To create a URL set object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click URL Set.

  2. In the New URL Set Rule Element dialog box, type in the name and (optionally) a description of the URL set.

  3. Click New to create a new URL entry, as shown in Figure 7-9.

  4. Click OK to close the New URL Set Rule Element dialog box.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Figure 7-9: You can create a URL set, which consists of one or more URLs, using wildcards.

Domain Name Sets

Domain name sets identify one or more fully qualified domain names (FQDNs). Two preconfigured domain name sets exist, which can be configured or deleted:

  • Microsoft Error Reporting Sites Allows the error reporting functionality in Microsoft products to report issues to the *.watson.microsoft.com site.

  • System Policy Allowed Sites Allows access to the following Microsoft sites: *.microsoft.com, *.windows.com, and *.windowsupdate.com.

Creating a Domain Name Set Object

To create a domain name set object, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Domain Name Set.

  2. In the New Domain Name Set Rule Element dialog box, type in the name and (optionally) a description of the domain name set.

  3. Click New to create a new domain name entry, as shown in Figure 7-10.

  4. Click OK to close the New Domain Name Set Rule Element dialog box.

  5. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

Figure 7-10: Domain name sets allow you to block or allow sites based on DNS domain names.
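The script below, added as an illustration that is not code from the book or from ISA Server, models how the URL set entry and the domain name set entries shown in the two preceding sections match requests, using the page's own examples (http://www.contoso.com/support/* and the System Policy Allowed Sites names). It makes two points the text only states: the trailing * matches a path prefix for plain HTTP only, because for HTTPS the proxy sees just the host name, and a leading *. is anchored on the dot so that look-alike hosts such as evilmicrosoft.com or microsoft.com.attacker.example do not match. Whether the bare apex (microsoft.com) also matches *.microsoft.com, and the exact wildcard positions ISA Server accepts, are assumptions of this model; check them against your own ISA build.

```python
from typing import Iterable
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Match one domain name set entry against a host name.
    A leading '*.' stands for any labels in front of the suffix; the suffix
    comparison is anchored on the dot, so 'evilmicrosoft.com' and
    'microsoft.com.attacker.example' do not match '*.microsoft.com'.
    Assumption of this model: the bare apex ('microsoft.com') does not match."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])     # pattern[1:] is '.microsoft.com'
    return host == pattern


def domain_set_matches(entries: Iterable[str], host: str) -> bool:
    """True if any entry of a domain name set matches the host."""
    return any(host_matches(e, host) for e in entries)


def url_matches(pattern: str, url: str) -> bool:
    """Match one URL set entry against a request URL.
    '*' is honoured at the end of the path (prefix match) and as a leading
    '*.' in the host.  For HTTPS only the host name reaches the firewall
    (the client sends CONNECT host:443), so an entry that restricts the path
    cannot match an HTTPS request in this model."""
    p, u = urlsplit(pattern), urlsplit(url)
    if u.scheme not in ("http", "https") or p.scheme != u.scheme:
        return False
    if not host_matches(p.hostname or "", u.hostname or ""):
        return False
    default_port = 443 if u.scheme == "https" else 80
    if (p.port or default_port) != (u.port or default_port):
        return False
    ppath = p.path or "/"
    if u.scheme == "https":
        return ppath in ("/", "/*")           # host-level entries only
    upath = u.path or "/"
    if ppath.endswith("*"):
        return upath.startswith(ppath[:-1])
    return upath == ppath


def url_set_matches(entries: Iterable[str], url: str) -> bool:
    """True if any entry of a URL set matches the request URL."""
    return any(url_matches(e, url) for e in entries)


# Entries taken from the page; the request URLs are constructed samples.
CONTOSO_SUPPORT = ["http://www.contoso.com/support/*"]
SYSTEM_POLICY_ALLOWED_SITES = ["*.microsoft.com", "*.windows.com", "*.windowsupdate.com"]

if __name__ == "__main__":
    for url in ["http://www.contoso.com/support/kb/123.aspx",
                "http://www.contoso.com/sales/",
                "https://www.contoso.com/support/kb/123.aspx"]:
        print(f"{url}: {url_set_matches(CONTOSO_SUPPORT, url)}")
    for host in ["download.microsoft.com", "evilmicrosoft.com",
                 "microsoft.com.attacker.example"]:
        print(f"{host}: {domain_set_matches(SYSTEM_POLICY_ALLOWED_SITES, host)}")
```

The HTTPS case is the one to keep in mind when writing rules: if users must reach an HTTPS site, a path-restricted URL set silently fails to match, and what you can actually enforce is the host name, which a domain name set or a host-level URL entry expresses directly.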

Web Listeners

Unlike the other network objects, Web listeners don't designate a location, but rather identify the IP addresses and ports on which the ISA server listens for Web requests. You can create one or more Web listeners, which you then reference in Web publishing rules to publish Web servers to other networks. If, for example, you wanted to publish the Windows SharePoint Services (WSS) administration site, you would define a Web listener for the IP address and port number that were assigned to that site at the time of the WSS installation.

Creating and Configuring a Web Listener Object

To create a Web listener, follow these steps:

  1. In the Network Objects section in the task pane, click New, and then click Web Listener.

  2. On the Welcome To The New Web Listener Wizard page, type a new Web listener name, then click Next.

  3. On the IP Addresses page, select the networks on whose addresses the listener will accept Web requests. Figure 7-11 shows the predefined networks you can choose from, and Figure 7-12 shows the dialog box that appears when you highlight the External network and click its Address button; it lets you limit the listener to specific IP addresses of that network rather than all of them, which is the better choice when the ISA server has several external addresses and only one is meant to serve published sites. When you've completed this step, click Next.

  4. On the Port Specification page, select the HTTP and/or SSL check boxes, set the port numbers on which the listener should accept Web traffic (80 and 443 by default), and then click Next.

    Note 

    If you choose SSL, you must select a server certificate, which must already be installed, together with its private key, in the ISA server's local computer certificate store.

  5. On the Completing The New Web Listener Wizard page, review your settings, and then click Finish.

  6. Click Apply to save the changes, and then click OK to close the Apply Network Configuration dialog box.

    Note 

    Once you create the Web listener, you can select it in the Toolbox, right-click and select Properties to configure it with authentication methods or control the maximum timeout and number of connections.

Figure 7-11: You can choose from a predefined network.

Figure 7-12: The External Network Listener IP Selection dialog box provides granular control of the IP addresses used by the external Web listener.


Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
Year: 2006
Pages: 173