System Policy


The system policies operate in the same manner as firewall rules. These 30 predefined rules define how traffic flows between the ISA Server computer itself and other networks. To view the system policy rules, follow these steps:

  1. Open the ISA Server Management console, expand the ISA server name, then click to the Firewall Policy node.

  2. In the task pane, click the Tasks tab. Under System Policy Tasks, click Show System Policy Rules. The system policies will appear in the details pane.

Table 8-1 shows all the system policies. The Default/Recommendation column shows the default settings, and provides recommendations for configuring policies in certain usage scenarios.

Table 8-1: ISA Server 2004 System Policy Rules
Open table as spreadsheet

Name

Recommendation

Default State

Order

Action

Protocols

From/Listener

To

Condition

Allow access to directory services for authentication purposes

If your ISA server isn't installed in a domain, disable this rule.

Enabled

1

Allow

LDAP

LDAP (UDP)

LDAP GC (global catalog)

LDAPS

LDAPS GC (global catalog)

Local Host

Internal

All Users

Allow remote management from selected computers using Microsoft Management Console (MMC)

If you will not use the ISA Server Management console from remote machines, disable this rule

Enabled

2

Allow

Microsoft Firewall Control

NetBIOS datagram

NetBIOS Name Service

NetBIOS Session

RPC (all interfaces)

Remote Management Computers

Local Host

All Users

Allow remote management from selected computers using Terminal Server

If you don’t want to allow Terminal Service/Remote Desktop access to the ISA server, disable this system policy.

Enabled

3

Allow

RDP (Terminal Services)

Remote Management Computers

Local Host

All Users

Allow remote logging to trusted servers using NetBIOS

If you wish to allow the ISA server to log on to trusted machines (say to a central SQL Server database), then enable this rule.

Disabled

4

Allow

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Local Host

Internal

All Users

Allow RADIUS authentication from ISA Server to trusted RADIUS servers

If you will not use RADIUS authentication, disable this rule.

Enabled

5

Allow

RADIUS

RADIUS Accounting

Local Host

Internal

All Users

Allow Kerberos authentication from ISA Server to trusted servers

If you do not wish to support Kerberos authentication, then disable this rule.

Enabled

6

Allow

Kerberos-Sec (TCP)

Kerberos-Sec (UDP)

Local Host

Internal

All Users

Allow DNS from ISA Server to selected servers

ISA Server requires domain name system (DNS) for name resolution. Do not disable this rule. You can create computer sets to restrict access to the DNS servers, however.

Enabled

7

Allow

DNS

Local Host

All Networks (and Local Host)

All Users

Allow DHCP requests from ISA Server to all networks

If your ISA server will not use DHCP to obtain Internet Protocol (IP) addresses, disable this rule. Recommended to always use static address for internal network adapter. If you do require Dynamic Host Configuration Protocol (DHCP), limit traffic by setting the networks that require it on the To tab.

Enabled

8

Allow

DHCP (request)

Local Host

Anywhere

All Users

Allow DHCP replies from DHCP servers to ISA Server

See Rule 8.

Enabled

9

Allow

DHCP (reply)

Internal

Local Host

All Users

Allow ICMP (Ping) requests from selected computers to ISA Server

If you do not wish to allow Remote Management Computers to ping the ISA Server, then disable this rule.

Enabled

10

Allow

Ping

Remote Management Computers

Local Host

All Users

Allow ICMP requests from ISA Server to selected servers

Leave this rule enabled to allow ISA Server to determine connectivity with other computers.

Enabled

11

Allow

ICMP Information Request

ICMP Timestamp Ping

Local Host

All Networks (and Local Host Network)

All Users

All virtual private network (VPN) client traffic to ISA Server

Unless you enable an ISA Server client VPN (which automatically enables this rule), leave this rule disabled.

Disabled

12

Allow

PPTP

External

Local Host

All Users

Allow VPN site-to-site traffic to ISA Server

Unless you enable an ISA Server Site-To-Site VPN (which automatically enables this rule), leave this rule disabled.

Disabled

13

Allow

None

External

IPSec Remote Gateways

Local Host

All Users

Allow VPN site-to-site traffic from ISA Server

See Rule 13

Disabled

14

Allow

None

Local Host

External

IPSec Remote Gateways

All Users

Allow Microsoft CIFS from ISA Server to trusted servers

If you are using authentication with Active Directory directory service, and/or need to access file shares on the internal network, leave this rule enabled. You can also limit exposure by creating a computer set with the domain controllers (DCs) and replace the internal network with your DC Computer Set.

Enabled

15

Allow

Microsoft CIFS (TCP, port 445)

Microsoft CIFS (UDP, port 445)

Local Host

Internal

All Users

Allow remote SQL logging from ISA Server to selected servers

If you want to allow logging to SQL Server computers on other machines, enable this rule.

Disabled

16

Allow

Microsoft SQL (TCP)

Microsoft SQL (UDP)

Local Host

Internal

All Users

Allow HTTP/HTTPS requests from ISA Server to specified sites

This allows access to Microsoft.com sites (defined in the System Policy Allowed Sites Domain Name Set). If you do not want the ISA server to contact the Windows Update or Microsoft.com diagnostic sites directly, disable this rule. This allows access to sites defined in the System Policy Allowed Sites Domain Name set, which by default includes certain Microsoft defined sites (such as Microsoft.com and Windowsupdate.com)

Enabled

17

Allow

HTTP

HTTPS

Local Host

System Policy Allowed Sites

All Users

Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers

If you create a connectivity verifier (in the Monitoring node on the Connectivity tab) for Web sites, a prompt allows you to enable this rule. Take caution enabling this rule as it might affect the functionality of new connectivity verifiers.

Disabled

18

Allow

HTTP

HTTPS

Local Host

All Networks (and Local Host Network)

All Users

Allow access from trusted computers to the Firewall Client installation share on ISA Server

If you install the Firewall Client Share on the ISA server, this rule becomes enabled.

Disabled

19

Allow

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Internal

Local Host

All Users

Allow remote performance monitoring of ISA Server from trusted servers

If you will conduct performance monitoring of the ISA server, enable this rule and ensure that the computer performing the monitoring is in the Remote Management Computer Set.

Disabled

20

Allow

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Remote Management Computers

Local Host

All Users

Allow NetBIOS from ISA Server to trusted servers

If you do not need to connect to file shares on the internal network, disable this rule.

Enabled

21

Allow

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Local Host

Internal

All Users

Allow RPC from ISA Server to trusted servers

 

Enabled

22

Allow

RPC (all interfaces)

Local Host

Internal

All Users

Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites

This rule allows the ISA firewall to send error reports to Microsoft.

Enabled

23

Allow

HTTP

HTTPS

Local Host

Microsoft Error Reporting sites

All Users

Allow SecurID authentication from ISA Server to trusted servers

This rule should be enabled only if SecurID authentication is enabled, otherwise it should remain disabled.

Disabled

24

Allow

SecurID

Local Host

Internal

All Users

Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager Agent

Enable this rule if you use Microsoft Operations Manager to monitor the ISA firewall.

Disabled

25

Allow

Microsoft Operations Manager Agent

Local Host

Internal

All Users

Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)

This rule should be enabled if you want the ISA firewall to access certificate revocation lists (CRLs), required if the ISA server terminates any SSL connections.

Disabled

26

Allow

HTTP

Local Host

All Networks (and Local Host)

All Users

Allow NTP from ISA Server to trusted NTP servers

You should change this rule by allowing contact with a trusted Network Time Protocol (NTP) server in your organization. The Internal entry allows it to contact any server within the Internal network.

Enabled

27

Allow

NTP (UDP)

Local Host

Internal

All Users

Allow SMTP from ISA Server to trusted servers

If you don't plan on using Simple Mail Transfer Protocol (SMTP) to send alerts, you should disable this rule. If you do plan on sending SMTP alerts, then you should replace the Internal Destination with a specific computer that will accept the SMTP messages from the ISA Server firewall.

Enabled

28

Allow

SMPT

Local Host

Internal

All Users

Allow HTTP from ISA Server to selected computers for Content Download Jobs

This rule is automatically enabled when Content Download Jobs are enabled.

Enabled

29

Allow

HTTP

Local Host

All Networks (and Local Host)

System and Network Service

Allow Microsoft Firewall Control communication to selected computers

Unless you plan on using the remote MMC, you should disable this rule.

Enabled

30

Allow

All outbound traffic

Local Host

Remote ManagementComputers

All Users

Editing the System Policy

System policy rules can be edited using the System Policy Editor. By default, system policy rules are not shown in the details pane along with the firewall policy rules. To access the System Policy Editor and edit the system policy, follow these steps:

  1. Open the ISA Server Management console.

  2. In the console tree, expand the server name, and click Firewall Policy.

  3. In the task pane, under System Policy Tasks, click Edit System Policy.

  4. The System Policy Editor, shown in Figure 8-2, allows you to modify the configuration groups, enable or disable the configuration groups or individual services, and control how the traffic flows between the networks.

  5. For example, to disable the DNS service, in the Network Services configuration group select DNS. On the General tab, select the Enable check box to disable the communication between ISA Server and trusted DNS servers.

  6. To modify the networks to which traffic can be routed, click the To tab illustrated in Figure 8-3. Click Add, Edit, or Remove to change the network entities. Click OK after completing your changes.

  7. In the details pane, click Apply to save the changes and update the configuration.

  8. Click OK to complete the change.

image from book
Figure 8-2: The System Policy Editor in ISA Server 2004.

image from book
Figure 8-3: Each policy has a General tab that illustrates the properties, and either a From or To tab that controls the source or destination to which the policy applies.

Exporting and Importing System Policy

Exporting and importing functions in ISA Server 2004 gives you the ability to save your ISA configuration to an XML file. This is useful if you need to back up your configuration at a later date, or would like to apply your configuration of one ISA server to another ISA server. Although exporting the firewall policy rules will be more commonplace, you can also export and import the system policy rules.

To export the system policy, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Tasks tab. Under System Policy Tasks, click Export System Policy.

  3. On the Export Configuration dialog box, browse to the location to where you would like to save the export file, type a filename to be given to the export file in the File Name text box, and then click Export.

  4. In the Exporting System Policy Rules dialog box, click OK.

To import the system policy, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Tasks tab. Under System Policy Tasks, click Import System Policy.

  3. In the Import Configuration dialog box, browse to the location on the disk where you saved the export XML file, select the export file to insert it into the File Name text box, and click Import.

  4. In the Importing System Policy Rules dialog box, click OK.

  5. In the details pane, click Apply to save the changes, and then click OK.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
Microsoft Internet Security and Acceleration (ISA) Server 2004 Administrators Pocket Consultant (Pro-Administrators Pocket Consultant)
ISBN: 0735621888
EAN: 2147483647
Year: 2006
Pages: 173

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net