SolutionBase: How to perform routine tasks with ISA Server 2004

ISA Server 2004 can help you secure your network and control Internet access for workstations at the same time. Here's how you accomplish routine administration tasks in ISA Server 2004.

Microsoft's Internet Security and Acceleration (ISA) Server 2004 provides new features and functionality and a greatly improved user interface. These enhancements bring changes in the way you perform routine firewall and Web proxy management tasks.

We discussed basic configuration of the ISA Server in an earlier article in this series, titled "Configuring a new ISA Server 2004 installation." In this article, I'll get into the step-by-step details of creating access rules, publishing your internal servers to the Internet, and creating cache rules.

You perform routine tasks via the ISA Management Console. To open the console, click Start | All Programs | Microsoft ISA Server | ISA Server Management, or type the path to the ISA Server program files, followed by \msisa.msc in the Run box.

Author's note: The instructions in this article apply to ISA Server 2004 Standard Edition (SE). At the time of this writing, ISA Server 2004 Enterprise Edition (EE) was still in private beta testing.

Creating firewall policies

The emphasis in ISA 2004 is on its firewall functionality, and the most common and most important tasks performed by the ISA administrator involve creating and managing firewall policy. There are two basic types of administrator-created rules that make up firewall policy:

  • Access rules control what traffic is allowed (or not allowed) through the ISA firewall.
  • Server publishing rules control incoming requests to your internal servers and make them available to external users over the Internet.

In addition, firewall policy includes system policy rules, which control traffic emanating from or terminating at the firewall itself. System policy rules are applied before any administrator-created rules. ISA Server 2004 includes a set of built-in system policy rules that can be enabled, disabled, and edited.

Creating access rules

When you initially install ISA Server 2004, it has a single default access rule that denies access to and from all networks. This rule is called Last Default rule. It can't be changed or deleted. It will always be last in the firewall policy rules order. When there is no matching rule above it that applies to particular traffic attempting to go through the firewall, the Last Default rule will be applied (and thus the traffic will be blocked).

Because of the Last Default rule, the newly installed ISA Server essentially "locks down" the network. No inbound or outbound traffic will be able to go through the ISA Server firewall until you create other rules to allow it. This is based on the "deny all" security philosophy (also called the Principle of Least Privilege), where you make exceptions for the traffic you want to allow.

In order for any traffic to go through the firewall, you must create at least one access rule. It's easy to create new access rules with the New Access Rule Wizard. For example, suppose you want to allow users on your internal network to access only specific Web sites that they need in order to do their work. First, open the ISA Management Console (msisa.msc). In the left pane, expand the server name (in this case, W2K3SE) and click Firewall Policy, as shown in Figure A.

As you can see in the figure, there's already one access rule in addition to the Last Default rule (it's a rule to allow HTTP traffic to and from all networks for administrators only).

Figure A

Creating an access rule is a common firewall policy task.

In the right pane, click the Tasks tab and, under Firewall Policy Tasks, click Create A New Access Rule. This starts the New Access Rule Wizard.

On the first page of the wizard, give your new rule a name. In our example, we'll call it Workers Web Access. Click Next. The Rule Action page of the wizard asks if this is to be an Allow or Deny rule. We want to allow access to certain Web sites, so we click Allow and then click Next. (In keeping with the "deny all" philosophy, the default here is "deny.")

On the Protocols page, you can select which protocols the rule will apply to. Because we want to allow access to Web objects, click Selected Protocols in the drop-down box (the default is All Protocols). Then click the Add button, expand Web in the Protocols list, and double-click HTTP (or click once and then click the Add button). This adds it to the list of allowed protocols, as shown in Figure B.

Click Close in the Protocols list box, and then click Next. (Note that you might also want to add the HTTPS protocol if workers will need to access secure Web sites.)

Figure B

You can apply a rule to only selected protocols, such as HTTP for Web access.

On the Access Rule Sources page, you can specify which originating sources the rule applies to. In our example, we want to apply the rule to users on our internal network, so we click the Add button. In the Network Entities box, we expand Networks and double-click Internal (or click once and click the Add button). Click Close on the Network Entities box, and then click Next.

On the Access Rule Destinations page, specify the destination Web servers or sites you want to allow. Click the Add button. In this case, we want to allow access to an entire domain, that of the official State of Texas Web site, so we click New and select Domain Name Set. We create a name for the set, called State of Texas, then click New to add a domain name to the set. Because we want to allow access to any Web servers in that domain, we'll use a wildcard (*) to represent the Web server name. You can also add an optional description, as shown in Figure C. Click OK.

Figure C

You can specify domains or sets of domains to which the rule will allow access.

In the Network Entities box, expand Domain Name Sets and you should now see your new set (State of Texas). Double-click it (or click once and click the Add button), then click Close in the Network Entities box. Click Next.

On the User Sets page, specify to which users this rule will apply. By default, it applies to all users. If that's not what you want, click Add to specify a different set of users.

In the User Sets box, select from the user sets that have already been created, or click New to create a new one. Clicking New invokes the New User Sets subwizard, where you give the user set a name (such as the name of a Windows group) and then select from Windows, RADIUS, or SecurID namespaces. In our example, we selected All Authenticated Users. You should then click All Users, Remove, and Next.

The last page of the wizard summarizes your selections. You can click Back to make changes, or click Finish to create the new access rule. Your new rule will now show up in the Firewall Policy list, as shown in Figure D.

Figure D

Your new rule appears here.

Before your rule will take effect, you must click the Apply button at the top of the middle pane in the ISA MMC.

Note that, by default, your new rule appears just above whatever rule you had selected prior to running the New Access Rule Wizard. In ISA 2004, rules are applied in the order in which they're shown in the list. You can reorder rules by selecting a rule, right-clicking it, and selecting Move Down or Move Up from the context menu.

In general, it's best to arrange your access rules in the following order: anonymous deny rules, anonymous allow rules, authenticated deny rules, authenticated allow rules. Machines that can't authenticate, such as servers, should be included in the anonymous allow and deny sets even though they aren't completely anonymous, since their connections must source from the IP address(es) for which you allow access to the rule.

Web and server publishing rules can be placed anywhere in Access Policy; however, I prefer to segregate publishing rules by putting them at the top of the firewall policy list. This makes it easier to distinguish the publishing rules from the access rules.

Publishing servers

Publishing your internal servers (such as Web servers, mail servers, FTP servers, SQL servers, etc.) through the ISA Server firewall makes them available to users on the Internet. Publishing Web and mail servers are relatively complex procedures that require planning and considering many factors. ISA Server 2004 includes separate Web publishing, secure Web publishing, and mail server publishing wizards, as well as a special wizard for publishing an Outlook Web Access (OWA) server. Going through the many steps involved in each is beyond the scope of this article. For our example, we'll publish an FTP server, which is a relatively simple procedure.

ISA Server 2000 allowed you to publish FTP servers only on the traditional TCP port 21. With ISA 2004, you can publish FTP servers on alternate ports.

To publish a server other than a Web server, mail server, or OWA server, select the Create A New Server Publishing Rule option under Firewall Policy Tasks after selecting the Tasks tab in the right pane of the ISA MMC. This starts the New Server Publishing Wizard.

The first step is to give the publishing rule a name. Let's call it FTP Server. Click Next. On the Select Server page, enter the IP address of the server you want to publish. You can also click the Browse button to find the server by name and select the IP address. Once you've entered the IP address using either method, click Next.

On the Select Protocol page, choose the server's function in the drop-down box. (We'll select FTP Server.) If you want to change from the default port, click the Port button and enter the alternate port(s). You can also use this dialog box to limit server access to traffic from a specified range of source ports. Click Next.

On the IP Addresses page, check the box for the network IP addresses on the ISA Server that should listen for requests for the published server (external, internal, local host, quarantined VPN clients, VPN clients, all networks and local host, or all protected networks). You can check more than one box. If you select external, internal, or local host, by default ISA will listen on all IP addresses in the selected network. You can click the Addresses button to change this and specify addresses.

The last page of the wizard summarizes your selections. You can click Back to make changes or click Finish to create the new server publishing rule. Your new rule will now appear in the list of Firewall Policy rules. Remember to click the Apply button to make it effective.

You can disable, enable, or edit your rules after creating them by double-clicking the rule, by right-clicking and selecting Properties, or by highlighting the rule and clicking Edit Selected Rule in the right Tasks pane. Any of these three procedures will display the rule's properties dialog box, as shown in Figure E.

Figure E

You can edit a rule after it is created by making changing in its Properties dialog box.

Editing system policy rules

System policy rules are used to control traffic that originates with or terminates at the local host network, which includes all addresses bound to all interfaces on the ISA firewall computer. For example, if you want to allow Web access from the ISA Server computer (although this isn't recommended for security reasons), you'd need to edit the system policy rules to allow HTTP traffic from the local host network.

To do this, go to the right Tasks pane, look under System Policy Tasks, and click Show System Policy Rules (they're hidden by default). Scroll down to the system policy rule named Allow HTTP Traffic From ISA Server To All Networks (for CRL download). This should be rule 26.

Double-click the rule, and on the General tab, check the Enable check box. Click OK. By enabling rule 29, you can also allow HTTP traffic to selected computers only for Content Download jobs if you have caching enabled and want to schedule content download jobs. Also note that by default, HTTP traffic is allowed from the ISA Server to the Microsoft error reporting sites, via rule 23. Finally, you can allow HTTP traffic from the ISA computer to selected sites by adding those sites in rule 17. The system policy rules are shown in Figure F.

Figure F

To control traffic originating from or terminating at the ISA Server, edit system policy rules.

Creating cache rules

When you install ISA 2004, the Web proxy components are enabled, but caching is disabled by default. Before you can create cache rules, you must enable caching by defining a cache drive.

In the left pane of the ISA MMC, expand the server name and then expand the Configuration node. Click Cache. In the right Tasks pane, click Define Cache Drives (enable caching).

In the Define Cache Drives dialog box, select a drive formatted in NTFS, set a maximum cache size greater than 0 MB, abd then click Set, as shown in Figure G. Click OK.

Figure G

Before you create cache rules, you must enable caching by defining a cache drive.

To disable caching, click Disable Caching in the right Tasks pane, set all cache drives manually to 0, or click the Reset button on the Define Cache Drives dialog box.

Now click Create A Cache Rule in the right Tasks pane to start the New Cache Rule Wizard. On the wizard's first page, you'll be asked to give the rule a name. In our example, we'll create a rule to prevent the caching of a particular Web site. We'll call it No Cache Click Next.

On the Cache Rule Destination page, specify the network entities that this rule applies to content requests. For our example, we'll click Add and create a new URL set called, which we'll then add to the rule. Click Next.

On the Content Retrieval page, you can control how objects in cache are retrieved when requested. In this case, we don't want the object ever retrieved from cache. However, that isn't one of our choices, so we select the most restrictive option ("Only if a valid version of the object exists in the cache. If no valid version exists, route the request to the server"). Click Next.

On the Cache Content page, we select when the content should be stored in the cache. In this case, we want to prevent the content from being cached, so we select "Never, no content will ever be cached." Click Next.

The last page of the wizard summarizes your selections, as shown in Figure H.

Figure H

The last page of the New Cache Rule Wizard summarizes your selections.

Just the beginning

The most common tasks performed by ISA Server administrators involve working with rules: access rules, server publishing rules, system policy rules, and cache rules. In this article, I've taken you through the process of creating each type of administrator-defined rule and editing system policies. Later articles in this series will demonstrate how to perform more complex tasks, such as publishing a Web server, monitoring your ISA Server 2004 firewall, and backing up the ISA Server configuration.