Access Rules


Access rules describe how a source network (the network from which traffic originates) accesses resources on a destination network (the network on which the target resources reside). Access rules apply primarily to traffic from networks protected by ISA Server toward untrusted networks, such as a corporate network gaining access to Internet resources.

When a client wishes to access a resource, ISA Server first evaluates network rules to determine what type of connection, if any, exists between the networks. If a connection exists, access rules are processed (system policy rules first, then firewall policy rules). Each rule is evaluated against the request by answering the following questions, in this order:

  1. Is the protocol allowed?

  2. Are the source address and port (defined by a computer, computer set, subnet, or network) allowed?

  3. Does the schedule allow this client access at this time?

  4. Is the destination address (defined by IP addresses, domain names, URL sets, and so on) allowed?

  5. Is the user authenticated and allowed to access this destination?

  6. Is the content of the traffic allowed?

    If the answer to all these questions is "Yes," then the client on the source network can access the resources on the destination network. If the answer to any of the questions is "No," the request is denied (even if a subsequent publishing rule allows the request).
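The evaluation order above, as an added illustration in Python (not ISA Server code): a toy evaluator walks an ordered rule list, asks the six questions in the chapter's order for each rule, stops at the first rule that answers "Yes" to all of them, and otherwise falls through to a denying Last Default Rule. The rule attributes, sample policy, request fields, user names and network addresses are all constructed for the example. The returned trace records which question failed for every rule that was skipped, which is the first thing to check when a request is denied unexpectedly. The last two evaluations also show that moving a rule up or down in the order (the Order column covered later in this chapter) can change the decision for the same request.

```python
"""Toy model of ISA Server 2004 access-rule evaluation (added example, not ISA code).
Rules are walked in order; each is asked the chapter's six questions in sequence,
the first rule answering "Yes" to all of them decides, and a denying Last Default
Rule catches everything else. All attributes, addresses and rules are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Request:
    protocol: str
    src_ip: str
    src_port: int
    dst: str                 # IP address or host name
    user: str | None         # None = client did not authenticate
    content_type: str
    when: datetime


@dataclass
class AccessRule:
    name: str
    action: str
    protocols: set[str] | None = None     # None = All Outbound Traffic
    except_selected: bool = False         # True = All Outbound Traffic Except Selected
    source_ports: tuple[int, int] = (1, 65535)
    sources: list[str] = field(default_factory=lambda: ["*"])
    schedule: tuple[int, int] = (0, 24)   # hours of the day, start inclusive, end exclusive
    destinations: list[str] = field(default_factory=lambda: ["*"])
    users: set[str] | None = None         # None = All Users, so no authentication required
    blocked_content: set[str] = field(default_factory=set)


def _addr_in(addr: str, entries: list[str]) -> bool:
    """Match an IP or host name against '*', a CIDR, an exact host name or a '*.suffix'."""
    for entry in entries:
        if entry == "*" or (entry.startswith("*.") and addr.endswith(entry[1:])):
            return True
        try:
            if ip_address(addr) in ip_network(entry, strict=False):
                return True
        except ValueError:       # one side is a host name rather than an address
            if addr.lower() == entry.lower():
                return True
    return False


def first_no(rule: AccessRule, req: Request) -> int | None:
    """Ask the six questions in order; return the number of the first "No", or None if all are "Yes"."""
    if rule.protocols is not None and (req.protocol in rule.protocols) == rule.except_selected:
        return 1   # protocol not selected by (or explicitly excepted from) this rule
    lo, hi = rule.source_ports
    if not (_addr_in(req.src_ip, rule.sources) and lo <= req.src_port <= hi):
        return 2
    start, end = rule.schedule
    if not start <= req.when.hour < end:
        return 3
    if not _addr_in(req.dst, rule.destinations):
        return 4
    if rule.users is not None and (req.user is None or req.user not in rule.users):
        return 5
    if req.content_type in rule.blocked_content:
        return 6
    return None


def evaluate(rules: list[AccessRule], req: Request) -> tuple[str, str, list[tuple[str, int]]]:
    """Return (action, deciding rule, trace); the trace lists (rule, failed question) for skipped rules."""
    trace: list[tuple[str, int]] = []
    for rule in rules:
        q = first_no(rule, req)
        if q is None:
            return rule.action, rule.name, trace
        trace.append((rule.name, q))
    return DENY, "Last Default Rule", trace   # built-in rule that cannot be disabled or deleted


# Constructed sample policy in evaluation order (first entry is the top of the Order column).
POLICY = [
    AccessRule("Block P2P", DENY, protocols={"BitTorrent"}),
    AccessRule("Web for staff", ALLOW, protocols={"HTTP", "HTTPS"}, sources=["10.0.0.0/8"],
               schedule=(8, 18), users={"alice", "bob"}, blocked_content={"application/x-msdownload"}),
    AccessRule("DNS to resolver", ALLOW, protocols={"DNS"}, sources=["10.0.0.0/8"],
               destinations=["192.0.2.53/32"]),
]
# A broad allow rule; its position relative to "Block P2P" decides which rule wins.
ADMIN_ALL = AccessRule("All outbound for admins", ALLOW, users={"alice"})


def make_request(protocol="HTTP", src_ip="10.1.2.3", src_port=52000, dst="www.example.com",
                 user="alice", content_type="text/html", hour=10) -> Request:
    """Constructed client request; keyword overrides vary one element at a time."""
    return Request(protocol, src_ip, src_port, dst, user, content_type, datetime(2006, 3, 1, hour))


if __name__ == "__main__":
    for label, rules, req in [
        ("staff web browsing", POLICY, make_request()),
        ("unauthenticated web", POLICY, make_request(user=None)),
        ("web after hours", POLICY, make_request(hour=20)),
        ("admin P2P, admin rule above Block P2P", [ADMIN_ALL] + POLICY, make_request(protocol="BitTorrent")),
        ("admin P2P, admin rule below Block P2P", POLICY + [ADMIN_ALL], make_request(protocol="BitTorrent")),
    ]:
        print(f"{label:40} -> {evaluate(rules, req)}")
```

The trace is deliberately kept even for allowed requests: when a rule lower in the list unexpectedly decides, the entries above it show exactly which element (protocol, source, schedule, destination, user or content) kept the earlier rules from matching.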

Creating an Access Rule

To create a new access rule, follow these steps.

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the task pane, click the Tasks tab. Under Firewall Policy Tasks, click Create New Access Rule.

  3. On the Welcome To The New Access Rule Wizard page, type a name for the new access rule, and click Next.

  4. On the Rule Action page, select either Allow or Deny to specify whether the action of this rule is to allow or deny access, and click Next.

  5. On the Protocols page (shown in Figure 8-9), from the This Rule Applies To drop-down list, choose one of the following:

    • All Outbound Traffic—Implies all allowed traffic. If you choose this option, click Next to continue.

    • Selected Protocols—If you choose this option, click Add. On the Add Protocols page, select the protocols you wish to add to the access rule, click Add again, and then click Next to continue.

    • All Outbound Traffic Except Selected—If you choose this option, you will complete the same steps as above, but the protocols added will be treated as exceptions when the access rule is processed. Add the necessary protocols, and click Next to continue.

    On the Protocols page, you can also click Ports to limit traffic from clients originating within a range of source ports. By default, traffic from any allowed source port is accepted.

  6. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, select the networks to include in the rule (for example, Internal), click Add, and then click Close. Click Next to continue.

  7. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, click the networks to include in the rule (for example, External), click Add, and then click Close. Click Next to continue.

  8. On the User Sets page, the rule applies by default to requests from the All Users user set. To change this, click All Users, click Remove, and then click Add. In the Add Users dialog box, click the user set to include in the rule, click Add again, and then click Close. Click Next to continue.

  9. On the Completing The New Access Rule Wizard page, review the summary of information, and then click Finish.

  10. Click Apply to save your changes, and then click OK.

Figure 8-9: You can determine to which protocols the rule applies on this page.

Disabling an Access Rule

Within the ISA Server Management console, you can disable a single access rule or several at once by holding the Shift or Ctrl key while selecting each rule you would like to disable. The Last Default Rule created when ISA Server 2004 is installed cannot be disabled or deleted. You can confirm this by selecting the default rule in the details pane and viewing the available tasks under Firewall Policy Tasks in the task pane: the tasks to disable or delete the selected rule are missing, whereas selecting a user-defined access rule makes both tasks appear.

Any type of rule can be disabled, whether it be an access rule, Web publishing rule, or server publishing rule. All are treated the same within the console.

To disable a user-defined access rule, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, select the access rule that you would like to disable.

  3. In the task pane, click the Tasks tab. Under Firewall Policy Tasks, click Disable Selected Rules.

  4. In the details pane, the icon for the access rule immediately changes to reflect a red downward arrow inside a circle as shown in Figure 8-10.

  5. Click Apply to save your changes and update the configuration, and then click OK.

    Note 

    To re-enable the access rule, select the specified rule in the details pane, and then in the tasks pane, click Enable Selected Rules.

Figure 8-10: Notice how the icon has changed to reflect the disabled access rule.

Deleting an Access Rule

The access rules on your ISA server can be deleted. If you have ISA Server up and running in a production network, it is good practice to disable the access rules prior to deletion to provide yourself with an easy back-out solution in case the rule was providing access to certain protocols that you weren't aware were in use.

Any type of rule can be deleted, except the Last Default Rule created by the installation of ISA Server. This includes access rules, Web publishing rules, and server publishing rules.

To delete an access rule, complete the following steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, select the access rule that you would like to delete.

  3. In the task pane, click the Tasks tab. Under Firewall Policy Tasks, click Delete Selected Rules.

  4. In the Confirm Delete dialog box, click Yes to delete the access rule.

  5. Click Apply to save your changes and update the configuration, and then click OK.

Changing the Order of an Access Rule

Once you have more than one user-defined access rule, a new task becomes available to you in the task pane: the ability to move the selected rule either up or down in the Order column. This is a new concept in ISA Server 2004, because in ISA Server 2000, ordering of site and content rules and protocol rules was not necessary.

To change the order of an access rule, follow these steps:

  1. In the console tree, expand the server name, and click Firewall Policy.

  2. In the details pane, select the access rule that you would like to move up or down.

  3. In the task pane, click the Tasks tab. Under Firewall Policy Tasks, click Move Selected Rules Up.

    Note 

    The interface within the console understands, based on the position of the access rule, whether the rule can be moved up or down. It changes the title of the task appropriately or shows both tasks within the task menu. For example, if the rule you selected is in the first position, the task displays Move Selected Rules Down.

  4. The access rule then moves up to the new position in the order. In the details pane, click Apply to save your changes and update your configuration, and then click OK.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
Year: 2006
Pages: 173