Working with Network Templates

Network templates are new in ISA Server 2004. Network templates of five very common network topologies are available from within the ISA Server Management console. You can configure your ISA server to run with a single network adapter, sit on the network edge, or establish a perimeter network simply by choosing a template and walking through the steps in this section.

The five network templates are outlined in Table 9-1.

Creating an Edge Firewall

An edge firewall configuration is one of the primary deployment scenarios for ISA Server. You are placing the ISA server between your internal network and the outside world to provide both firewall and proxy capabilities.

To create an edge firewall, follow these steps:

1. In the console tree, expand the server name, expand Configuration, and click Networks.

2. In the task pane, click the Templates tab.

3. Click Edge Firewall.

4. On the Welcome To The Network Template Wizard page, read the text to ensure you have selected the template that you would like to apply to your ISA server, and click Next.

5. On the Export The ISA Server Configuration page, you are advised to export your ISA Server configuration for backup purposes. If you choose to do so, click Export, determine the disk location, type a name for the export file, specify optional parameters to include user permissions and confidential data (such as user passwords and certificates), and click Export, and then click OK. When the export is complete, you are returned to this page in the wizard. Click Next to continue.

   Note

   If you choose to export confidential information, you are prompted to set a password with a minimum of eight characters. The password is needed if you choose to import the file.

6. On the Internal Network IP Addresses page, choose to define the network using one or more of the following three methods, and then click Next.

   • Add Add a range of Internet Protocol (IP) addresses you assign.

   • Add Adapter Choose one of the ISA Server computer's network adapters, and use its routing table to configure the network.

   • Add Private Add one or more of three private network ranges. As a best practice, avoid adding all of these ranges.

7. On the Select A Firewall Policy page, choose one of firewall policies (shown in Figure 9-1 and explained here) to apply to your networks. Then, click Next.

   Note

   Adding private address ranges that aren't used in your network increases the number of potential computers that can exist inside your protected networks. By limiting the range of the internal network, you reduce your attack surface.

   • Block All Blocks all network traffic utilizing the Default Rule installed with ISA Server. Use this option when you want to define your own policies and access rules.

   • Block Internet Access, Allow Access To ISP Network Services Blocks all network traffic except for protocol access to DNS and VPN services that might be provided by your ISP. This option creates one new access rule.

   • Allow Limited Web Access Only allows access to HTTP, HTTPS, and FTP protocols while blocking all other network traffic. This option creates two new access rules.

   • Allow Limited Web Access And Access To ISP Network Services Only allows access to HTTP, HTTPS, FTP for Web access, and access for Domain Name System (DNS) and virtual private network (VPN) protocols for services that might be provided by your ISP. This option creates three new access rules.

   • Allow Unrestricted Access Allows all network traffic across all protocols. This option creates two new access rules.

8. On the Completing The Network Template Wizard page, review the summary of information, and click Finish.

9. In the details pane, you will see an illustration of the edge firewall network topology under the Networks tab. To update your configuration, click Apply, and then click OK.

   In the Apply New Configuration dialog box, you will notice a note at the bottom stating that if your VPN configuration was affected by this change that it can take several minutes before the changes are enacted.

Figure 9-1: There are several different types of firewall policies for you to choose from when configuring your ISA server using network templates.

Creating a 3-Leg Perimeter

A 3-leg perimeter firewall is configured with three network adapters. Each network adapter connects to a unique network: the internal network, the external network, and the perimeter network.

To create a 3-leg perimeter firewall, complete the following steps:

1. In the console tree, expand the server name, expand Configuration, and click Networks.

2. In the task pane, click the Templates tab.

3. Click 3-Leg Perimeter.

4. On the Welcome To The Network Template Wizard page, read the text to ensure you have selected the template that you would like to apply to your ISA server, and click Next.

5. On the Export The ISA Server Configuration page, you are advised to export your ISA server configuration for backup purposes. If you choose to do so, click Export, determine the disk location, type a name for the export file, specify optional parameters to include user permissions and confidential data (such as user passwords and certificates), and click Export, and then click OK.When the export is complete, you are returned to this page in the wizard.Click Next to continue.

6. On the Internal Network IP Addresses page, choose to define the internal network using one or more of the following three methods, and then click Next.

   • Add Add a range of IP addresses you assign.

   • Add Adapter Choose one of the ISA Server computer's network adapters, and use its routing table to configure the network.

   • Add Private Add one or more of three private network ranges. As a best practice, avoid adding all of these ranges.

7. On the Perimeter Network IP Addresses page, choose to define your perimeter network using the same options available in Step 6, and then click Next.

8. On the Select A Firewall Policy page, choose one of the following firewall policies to apply to your networks, and then click Next.

   Note

   Refer to Step 7 in the section "Creating an Edge Firewall," earlier in this chapter, to reference the description of the common firewall policies used by each of the network templates. This procedure is defining the unique firewall policies not yet explained.

   • Block Internet Access, All Access To Network Services On The Perimeter Network Blocks all network traffic except for protocol access to DNS and VPN on your perimeter network. This option creates one new access rule.

   • Allow Limited Web Access, Allow Access To Network Services On The Perimeter Network Only allows access to HTTP, HTTPS, FTP for Web access, and access for DNS and VPN protocols for access to your perimeter network. This option is recommended when your network services reside in the perimeter network. This option creates three new access rules.

9. On the Completing The Network Template Wizard page, review the summary of information, and click Finish.

10. In the details pane, you will see an illustration of the 3-leg perimeter network topology under the Networks tab. To update your configuration, click Apply, and then click OK.

Creating a Front Firewall

A front firewall configuration is a back-to-back firewall topology where ISA Server is connecting to the Internet edge. The ISA server connects to the external network and the perimeter network.

To create a front firewall, follow these steps:

1. In the console tree, expand the server name, expand Configuration, and click Networks.

2. In the task pane, click the Templates tab.

3. Click Front Firewall.

4. On the Welcome To The Network Template Wizard page, read the text to ensure you have selected the template that you would like to apply to your ISA server, and click Next.

5. On the Export The ISA Server Configuration page, you are advised to export your ISA server configuration for backup purposes. If you choose to do so, click Export, determine the disk location, type a name for the export file, specify optional parameters to include user permissions and confidential data (such as user passwords and certificates), click Export, and then click OK. When the export is complete, you are returned to this page in the wizard. Click Next to continue.

6. On the Perimeter Network IP Addresses page, choose to define the perimeter network using one or more of the following three methods, and then click Next.

   • Add Add a range of IP addresses you assign.

   • Add Adapter Choose one of the ISA Server computer's network adapters, and use its routing table to configure the network.

   • Add Private Add one or more of three private network ranges. As a best practice, avoid adding all of these ranges.

7. On the Select A Firewall Policy page, select the firewall policy to apply to your ISA server, and then click Next. Your options include the following:

   • Block All Prevents all traffic from passing through ISA Server.

   • Block Internet Access, Allow Access To ISP Network Services Only allows DNS communications from the perimeter and VPN client networks to External network.

   • Allow Limited Web Access, Allow Access To Network Services On Perimeter Network Only allows access to HTTP, HTTPS, FTP for Web access, and access for DNS and VPN protocols for access to your perimeter network. This option is recommended when your network services reside in the perimeter network. This option creates three new access rules.

   • Allow Limited Web Access And Access To ISP Network Services Only allows access to HTTP, HTTPS, FTP for Web access, and access for DNS and VPN protocols for access to the External network. This option is recommended when your network services reside on the ISP's servers. This option creates three new access rules.

   • Allow Unrestricted Access Allows access from all Protected networks to the External network.

8. On the Completing The Network Template Wizard page, review the summary of information, and click Finish.

9. In the details pane, you will see an illustration of the front firewall network topology under the Networks tab. To update your configuration, click Apply, and then click OK.

Creating a Back Firewall

A back firewall configuration is a back-to-back firewall topology where ISA Server is providing additional firewall capabilities to the existing front-end firewall. This is common when the front-end firewall provides only stateful packet inspection, and the ISA server on the back end complements the front-end firewall by providing application-level packet inspection. The ISA server in this scenario connects to the internal network and the perimeter network.

To create a back firewall, follow these steps:

1. In the console tree, expand the server name, expand Configuration, and click Networks.

2. In the task pane, click the Templates tab.

3. Click Back Firewall.

4. On the Welcome To The Network Template Wizard page, read the text to ensure you have selected the template that you would like to apply to your ISA server, and click Next.

5. On the Export The ISA Server Configuration page, you are advised to export your ISA server configuration for backup purposes. If you choose to do so, click Export, determine the disk location, type a name for the export file, specify optional parameters to include user permissions and confidential data (such as user passwords and certificates), and click Export, and then click OK.When the export is complete, you are returned to this page in the wizard.Click Next to continue.

6. On the Internal Network IP Addresses page, choose to define the internal network using one or more of the following three methods, and then click Next.

   • Add Add a range of IP addresses you assign.

   • Add Adapter Choose one of the ISA Server computer's network adapters, and use its routing table to configure the network.

   • Add Private Add one or more of three private network ranges. As a best practice, avoid adding all of these ranges.

7. On the Select A Firewall Policy page, choose one of the following firewall policies to apply to your networks. Click Next to continue.

   • Block All Prevents all traffic from passing through ISA Server.

   • Block Internet Access, All Access To Network Services On The Perimeter Network Blocks all network traffic except for protocol access to DNS and VPN on your perimeter network. This option creates one new access rule.

   • Block Internet Access, Allow Access To ISP Network Services Only allows DNS communications from the perimeter and VPN client networks to External network.

   • Allow Limited Web Access Only allows access to HTTP, HTTPS, and FTP protocols while blocking all other network traffic. This option creates two new access rules.

   • Allow Limited Web Access, Allow Access To Network Services On Perimeter Network Only allows access to HTTP, HTTPS, FTP for Web access, and access for DNS and VPN protocols for access to your perimeter network. This option is recommended when your network services reside in the perimeter network. This option creates three new access rules.

   • Allow Limited Web Access And Access To ISP Network Services Only allows access to HTTP, HTTPS, FTP for Web access, and access for DNS and VPN protocols for access to the External network. This option is recommended when your network services reside on the ISP's servers. This option creates three new access rules.

   • Allow Unrestricted Access Allows access from all Protected networks to the External network.

8. On the Completing The Network Template Wizard page, review the summary of information, and click Finish.

9. In the details pane, you will an illustration of the back firewall network topology under the Networks tab. To update your configuration, click Apply, and then click OK.

Creating a Single Network Adapter Configuration

ISA Server 2000 didn't support using a single network adapter configuration. This is now fully supported and provides an option if you are looking to deploy ISA Server only as a proxy and Web caching server. If you do choose this option, understand that you lose the following functionalities:

• Application-level filtering

• IP packet filtering

• Use of firewall and SecureNAT clients

• VPN functions

• Server publishing

• Multinetwork firewall policy

To create a single network adapter configuration, complete the following steps:

1. In the console tree, expand the server name, expand Configuration, and click Networks.

2. In the task pane, click the Templates tab.

3. Click Single Network Adapter.

4. On the Welcome To The Network Template Wizard page, read the text to ensure you have selected the template that you would like to apply to your ISA server, and click Next.

5. On the Export The ISA Server Configuration page, you are advised to export your ISA server configuration for backup purposes. If you choose to do so, click Export, determine the disk location, type a name for the export file, specify optional parameters to include user permissions and confidential data (such as user passwords and certificates), and click Export, and then click OK. When the export is complete, you are returned to this page in the wizard.. Click Next to continue.

6. On the Internal Network IP Addresses page, choose to define the internal network using one or more of the following three methods, and then click Next.

   • Add Add a range of IP addresses you assign.

   • Add Adapter Choose one of the ISA Server computer's network adapters, and use its routing table to configure the network.

   • Add Private Add one or more of three private network ranges. As a best practice, avoid adding all of these ranges.

7. On the Select A Firewall Policy page, choose the following firewall policy to apply to your networks. Click Next to continue.

   • Apply Default Web Proxying And Caching Configuration Only select this option when your ISA server is configured with a single network adapter. This policy denies access to all networks with a single default rule.

8. On the Completing The Network Template Wizard page, review the summary of information, and click Finish.

9. In the details pane, you will see an illustration of the single network adapter configuration topology under the Networks tab. To update your configuration, click Apply, and then click OK.