ISA Server's default settings prohibit all Internet access, so to enable ISA Server, you need to change some settings. (Microsoft did this so that total security is ensured until you consciously allow access to the network.)
ISA Server provides the Getting Started Wizard to walk you through this initial setup. Table 31-3 describes the default settings of a freshly installed ISA server. For more complete control over the various aspects of ISA Server, use the console tree to locate the appropriate element, as described in the section entitled Administering ISA Server later in this chapter. The Getting Started Wizard provides an abbreviated list of options for each task.
Table 31-3. ISA Server postinstallation default settings
| Feature | Default Setting |
|---|---|
| User permissions | Members of the Administrators group on the local computer can configure policies on stand-alone servers. Only members of the Domain Admins and Enterprise Admins groups can configure array and enterprise policies. |
| Enterprise Policy Settings | The default enterprise array policy is used for new arrays. Stand-alone servers don't use enterprise policies. |
| Access control | All clients are allowed access to all content on all sites, using the default site and content rule named Allow Rule. Setup fails to create this rule sometimes, so you should double-check this setting. |
| Packet filtering | Enabled, unless in cache-only mode. |
| Publishing | No internal servers (such as Web servers) are accessible from the Internet. |
| Protocol rules | No protocols are allowed through the firewall, effectively blocking all Internet access. |
| Routing | All requests from Web Proxy clients are retrieved directly from the Internet. |
| Caching | HTTP and FTP requests are cached, but active caching (prefetching content) is disabled. |
| Alerts | All alerts are enabled except All port scan attack, Dropped packets, Protocol violation, and User Datagram Protocol (UDP) bomb attack. |
To open this wizard, launch the ISA Management console by clicking Start, pointing to Programs, then to Microsoft ISA Server, and choosing ISA Management. The following sections cover the various parts of the wizard. Click Next in the Getting Started screen to begin the wizard, shown in Figure 31-9, or click a heading to jump directly to that part of the wizard.
Figure 31-9. The Getting Started Wizard.
If you don't see the Getting Started Wizard or any links on the right side of the ISA Management console, you probably have the Taskpad view turned off. To turn it on, from the View menu, choose Taskpad.
ISA Server can be configured to reduce the likelihood that the Nimda and Code Red viruses will be transmitted into or out of the network. For more information, see http://www.microsoft.com/isaserver/techinfo/prevent/default.asp on the ISA Server Web site.
If you installed ISA Server as an array member, the Getting Started Wizard displays a number of headings you can use to configure the default policy for arrays in the enterprise.
These headings work identically to those discussed in the following sections; the only difference is that the settings you specify under the Configure Enterprise Policy heading apply to all arrays in the enterprise. The settings you specify under the Configure The Server And Array heading apply only to the server or array you're administering.
Click the Select Policy Elements link to display the Select Policy Elements dialog box shown in Figure 31-10. Use this dialog box to choose how to apply policies: by users and groups, by computer names or IP addresses, by schedule, or by destination IP address or domain name.
Figure 31-10. Selecting policy elements to configure.
Click the Configure Schedules link to set up or modify schedules (a type of policy element) that you can use when creating access rules. ISA Server automatically sets up a Work Hours schedule (9-5 Monday through Friday) and a Weekends schedule (all day Saturday and Sunday).
Double-click a schedule to modify it, or click the Create A Schedule link to create a new schedule, as shown in Figure 31-11. Click and drag the outline of a time block, and then select Active or Inactive to specify whether the schedule applies to the selected time period or not. Enter a name and optionally a description for the schedule and then click OK.
Figure 31-11. Creating a new schedule.
Click Next or Configure Client Sets to create policy elements that define groups of internal network clients to which you can then apply rules. Click the Create Client Set link to open the Client Set dialog box, shown in Figure 31-12.
Create a new client set by clicking Add and entering the starting and ending IP addresses for the group of internal network clients. When you're finished adding IP address sets, enter a name and optionally a description for the group of clients, and then click OK.
Figure 31-12. Creating a client set.
To give clients access to the external network (which is most likely the Internet), you need to specify which protocols clients can use to reach it. To do so, click Next or the Configure Protocol Rules link, and then use the following steps to create a protocol rule, a type of policy:
Figure 31-13. Selecting protocols to allow clients to use.
A good way to configure ISA Server is to initially allow all protocols, and then create rules to deny those protocols that you know users don't need. This reduces the need to open ports later for different services such as Microsoft NetMeeting, Windows Media, and instant messaging clients.
Figure 31-14. Specifying to which clients the rule applies.
Applying a protocol rule to certain users or groups excludes non-Windows clients from the protocol rule. If you don't then create a protocol rule that either applies to all requests or to client address sets containing the non-Windows clients on the network, these clients won't be able to access the Internet or external network.
You can use destination sets to group computers on the Internet together. You can optionally apply rules to these destination sets to control such things as site and content rules, bandwidth rules, Web publishing rules, and routing rules.
To create destination sets, click the Configuring Destination Sets link, and then use the following steps:
Figure 31-15. Creating a new destination set.
Figure 31-16. Adding destinations to a destination set.
You can use site and content rules to limit which Web sites and content the network clients can access. By default, ISA Server allows access to all content and sites once you've created a protocol rule permitting clients to actually reach the sites.
Our testing indicates that there are some instances when the default Allow Rule isn't created, thereby preventing all Internet access even when the proper protocol rules are in place. Check the enterprise policy and array and stand-alone server configuration if in doubt.
To create additional rules limiting access by destination set, schedule, or client set, use the following procedure:
Figure 31-17. Creating a site and content rule.
Be careful not to create conflicting or overlapping rules. In the event of overlapping rules, the more restrictive rule is used.
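The following is an added example, not ISA Server code, that models how the policy elements covered in the preceding sections combine: client sets as inclusive IP address ranges, schedules such as the Work Hours schedule, protocol rules, and site and content rules. It applies the two behaviours the text describes: a rule scoped to users or groups never matches a request that carries no user name, so such clients need a rule that applies to all requests or to their client address set; and where rules overlap, the more restrictive (deny) rule wins. Access also requires both an allowing protocol rule and an allowing site and content rule. All rule names, set names, addresses and hosts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass
class ClientSet:
    """A client set: one or more inclusive ranges of internal IP addresses."""
    name: str
    ranges: List[Tuple[str, str]]

    def contains(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in self.ranges)


@dataclass
class Schedule:
    """A schedule: the weekdays (0 = Monday) and hours during which it is active."""
    name: str
    days: Set[int]
    hours: range

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours


@dataclass
class Request:
    ip: str
    protocol: str
    host: str
    when: datetime
    user: Optional[str] = None   # None: the client presented no user name


@dataclass
class Rule:
    """A protocol rule or a site and content rule. A field left as None
    places no restriction on that aspect of the request."""
    name: str
    allow: bool
    protocols: Optional[Set[str]] = None
    clients: Optional[ClientSet] = None
    users: Optional[Set[str]] = None
    destinations: Optional[Set[str]] = None
    schedule: Optional[Schedule] = None

    def matches(self, req: Request) -> bool:
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.clients is not None and not self.clients.contains(req.ip):
            return False
        # A rule scoped to users or groups can only match a request that carries
        # a user name; a client that cannot authenticate never matches it and
        # needs a rule that applies to all requests or to its client address set.
        if self.users is not None and (req.user is None or req.user not in self.users):
            return False
        if self.destinations is not None and req.host not in self.destinations:
            return False
        if self.schedule is not None and not self.schedule.active(req.when):
            return False
        return True


def decide(rules: List[Rule], req: Request) -> bool:
    """Evaluate one kind of rule: where rules overlap, the more restrictive
    (deny) rule wins, and with no matching allow rule there is no access."""
    matching = [r for r in rules if r.matches(req)]
    if any(not r.allow for r in matching):
        return False
    return any(r.allow for r in matching)


def permitted(protocol_rules: List[Rule], site_rules: List[Rule], req: Request) -> bool:
    """A request gets through only if a protocol rule allows the protocol
    AND a site and content rule allows the destination."""
    return decide(protocol_rules, req) and decide(site_rules, req)


# Constructed sample policy: an "allow all, then deny what is not needed"
# protocol policy, the default Allow Rule, and one scheduled restriction.
WORK_HOURS = Schedule("Work Hours", days={0, 1, 2, 3, 4}, hours=range(9, 17))
LAN = ClientSet("Internal LAN", [("192.168.1.1", "192.168.1.254")])
PROTOCOL_RULES = [
    Rule("Allow all protocols", allow=True),
    Rule("Deny IRC", allow=False, protocols={"IRC"}),
]
SITE_RULES = [
    Rule("Allow Rule", allow=True),
    Rule("No streaming in work hours", allow=False, clients=LAN,
         destinations={"video.example"}, schedule=WORK_HOURS),
]
# A protocol policy consisting only of a user-scoped rule (hypothetical group name).
USER_SCOPED = [Rule("Sales only", allow=True, users={"Sales"})]

TUESDAY_10 = datetime(2001, 6, 5, 10, 0)    # a Tuesday, 10:00 (inside Work Hours)
SATURDAY_10 = datetime(2001, 6, 9, 10, 0)   # a Saturday, 10:00 (outside Work Hours)

if __name__ == "__main__":
    for req in (Request("192.168.1.10", "HTTP", "video.example", TUESDAY_10),
                Request("192.168.1.10", "HTTP", "video.example", SATURDAY_10),
                Request("192.168.1.10", "IRC", "irc.example", SATURDAY_10),
                Request("192.168.1.10", "HTTP", "www.example", SATURDAY_10)):
        print(req.protocol, req.host, req.when, permitted(PROTOCOL_RULES, SITE_RULES, req))
    print("SecureNAT client against user-scoped rule:",
          decide(USER_SCOPED, Request("192.168.1.10", "HTTP", "www.example", SATURDAY_10)))
```

Running the module prints one decision per sample request; the streaming site is blocked from the LAN on Tuesday morning but allowed on Saturday, IRC is blocked everywhere by the deny rule, and the request carrying no user name is refused by the user-scoped policy even though the address is inside the client set.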
Figure 31-18. Specifying which destinations to include in the rule.
The default security settings for Windows are not appropriate for an ISA server that will be exposed to potential attacks on the Internet. For this reason, Microsoft provides the ISA Server Security Configuration Wizard to walk you through locking down Windows. To use this wizard, follow these steps:
Figure 31-19. Securing an ISA server.
Security level changes you make using the ISA Server Security Configuration Wizard are difficult to undo, and they might impact applications that require low security levels to run. This isn't a reason not to lock down your server, but it is a reason to test the functionality of other server applications after running the wizard.
A key security component of ISA Server is its packet filtering capabilities. To modify packet filtering settings, use the following procedure:
Figure 31-20. Configuring packet routing and packet filtering properties.
If you don't enable IP routing, internal clients won't be able to use the Ping, Tracert, or Pathping utilities, and outbound PPTP connections are disabled as well. Note, though, that the Ping tool only functions with SecureNAT clients; Firewall clients need to disable the Firewall client software to use Ping.
Don't enable filtering of fragmented IP packets if you use streaming audio or video across the ISA server.
Figure 31-21. Configuring packet filtering.
Figure 31-22. Enabling intrusion detection.
ISA Server provides the ability to use dial-up connections to provide Internet access to clients.
To set up ISA Server to use a dial-up connection as the primary network connection, use the following steps:
Figure 31-23. Configuring a dial-up entry.
ISA Server automatically establishes a connection as needed, as long as you don't have a default gateway specified on any network card in the ISA server. Also note that ISA Server probably won't hang up a connection once established, so make sure that you want to be connected continuously before using a dial-up link with ISA Server.
The Configure Routing For Firewall And SecureNAT Clients link allows you to specify how requests from Firewall and SecureNAT clients are routed: either directly to the Internet using ISA Server, or using an upstream server such as another ISA server or Microsoft Proxy Server 2.0.
To modify these routing settings, use the following steps:
Figure 31-24. Modifying firewall routing properties.
Most companies use the default routing rule for Web Proxy clients (any client using a Web browser configured to use the ISA server as the proxy server). This rule automatically routes requests for Web pages to the Internet if the requested page isn't available from ISA Server's cache.
However, you can also set up ISA Server to route Web Proxy client requests to an upstream server, or create multiple rules to route clients differently based on the destination set of the request.
To configure routing for Web proxy clients, use the following steps:
Figure 31-25. Configuring routing for Web browser applications.
If clients frequently access your company's own Web site, you can create a routing rule that routes requests for your company's external Web site directly to your company's internal Web site or intranet. To do this, first create a destination set containing the desired Web site or Web sites (destinations). Then click the Routing folder in the ISA Management console tree, choose the New Rule command from the Action menu, and use the wizard to create a new routing rule.
Although you configure the size and location of ISA Server's cache during installation, there are some additional configuration steps that you should take to ensure that ISA Server provides optimal performance for your network:
Some Web pages have a Time to Live (TTL) setting, which overrides the settings you make here. This permits dynamic Web pages to work properly without presenting users with stale data.
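As an added example (not ISA Server's own cache logic), the following models the precedence the paragraph above describes: when the origin server supplies a lifetime for a page, through a Cache-Control max-age directive or an Expires header, that lifetime decides freshness, and only pages without one fall back to the administrator's default TTL. The default TTL value, the fetch time, and the header sets are constructed for the example; an Expires value that cannot be parsed is treated as already expired, which is how dynamic pages commonly signal that they must not be served stale.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict

# Assumed administrator-configured default TTL for objects without their own lifetime.
DEFAULT_TTL = timedelta(minutes=60)

# Constructed fetch time for the samples below.
FETCHED = datetime(2001, 6, 5, 10, 0, tzinfo=timezone.utc)


def minutes_later(minutes: int) -> datetime:
    """A point in time some minutes after the sample fetch."""
    return FETCHED + timedelta(minutes=minutes)


def expiry_time(headers: Dict[str, str], fetched: datetime,
                default_ttl: timedelta = DEFAULT_TTL) -> datetime:
    """Expiry of a cached object: the origin's own lifetime wins over the default TTL."""
    cache_control = headers.get("Cache-Control", "")
    match = re.search(r"max-age=(\d+)", cache_control)
    if match:
        return fetched + timedelta(seconds=int(match.group(1)))
    if "Expires" in headers:
        try:
            return parsedate_to_datetime(headers["Expires"])
        except (TypeError, ValueError):
            return fetched          # unparsable Expires (e.g. "0"): already stale
    return fetched + default_ttl    # no origin lifetime: administrator's default applies


def is_fresh(headers: Dict[str, str], fetched: datetime, now: datetime,
             default_ttl: timedelta = DEFAULT_TTL) -> bool:
    """Whether a cached copy fetched at `fetched` may still be served at `now`."""
    cache_control = headers.get("Cache-Control", "")
    if "no-store" in cache_control or "no-cache" in cache_control:
        return False                # origin forbids serving from cache at all
    return now < expiry_time(headers, fetched, default_ttl)


if __name__ == "__main__":
    samples = {
        "max-age=300":   {"Cache-Control": "max-age=300"},
        "Expires 10:30": {"Expires": "Tue, 05 Jun 2001 10:30:00 GMT"},
        "no lifetime":   {},
        "Expires 0":     {"Expires": "0"},
    }
    for label, headers in samples.items():
        print(f"{label:14} fresh after 20 min: {is_fresh(headers, FETCHED, minutes_later(20))}")
```

For the sample headers, only the page without any origin lifetime is still fresh twenty minutes after fetch under a 60-minute default TTL; the page with max-age=300 expired after five minutes, the Expires header at 10:30 expires it at half past, and the unparsable Expires value never becomes fresh.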
Figure 31-26. Configuring caching for Web pages.
Active caching permits ISA Server to preemptively go to the Internet and update frequently accessed Web pages. Then when a client requests the Web page, the latest version is already available from the ISA Server cache.
Figure 31-27. Configuring other cache settings.
More Info
To change the size of the ISA Server cache or on which drives it is located, see the section entitled Changing Cache Properties later in this chapter.