In this chapter, we focus on the Microsoft ISA Server firewall policy, specifically the system policy, firewall policy, and access rules. We explain how policies are processed and how you can easily export and import your policy configurations. The second half of the chapter focuses on publishing, allowing external sources to access your internal network resources securely and safely.
ISA Server inspects traffic by referring to three sets of rules in the order shown in Figure 8-1.
Figure 8-1: ISA Server processes network rules, system policy rules, and then firewall policy rules when inspecting network traffic. After the rules are processed, the network rules determine whether to route or NAT the traffic. Finally client-specific rules are processed.
Network rules Define whether traffic between networks is set to Route or Network Address Translation (NAT)—if ISA Server doesn't have an explicit relationship defined, then it drops traffic between the networks.
See Chapter 9, "Configuring Multinetworking," for more information on networks and network rules.
System policy rules Include 30 predefined rules that allow use of common services necessary for your network infrastructure to function. System policy rules define how traffic flows from the ISA Server (which has its own network called LocalHost) to other networks.
Firewall policy rules Include three types of rules (access, Web publishing, and server publishing) that define what traffic flows from one network to others. One default rule (called Last Default Rule) exists, which denies all traffic from all networks to all networks for all users at all times for all content types.