Microsoft’s Internet Security and Acceleration (ISA) Server
2004 provides new features and functionality and a greatly improved user
interface. These enhancements bring changes in the way you perform routine
firewall and Web proxy management tasks.

We discussed basic configuration of the ISA Server in an
earlier article in this series, titled “Configuring a
new ISA Server 2004 installation.”
In this article, I’ll get into the
step-by-step details of creating access rules, publishing your internal servers
to the Internet, and creating cache rules.

You perform routine tasks via the ISA Management Console. To
open the console, click Start | All Programs | Microsoft ISA Server | ISA
Server Management, or type the path to the ISA Server program files, followed
by \msisa.msc in the Run box.

Author’s note: The instructions in this article apply to ISA Server 2004
Standard Edition (SE). At the time of this writing, ISA Server 2004 Enterprise
Edition (EE) was still in private beta testing.

Creating firewall policies

The emphasis in ISA 2004 is on its firewall functionality,
and the most common and most important tasks performed by the ISA administrator
involve creating and managing firewall policy. There are two basic types of
administrator-created rules that make up firewall policy:

  • Access
    rules control what traffic is allowed (or not allowed) through the ISA
    firewall.
  • Server
    publishing rules control incoming requests to your internal servers and
    make them available to external users over the Internet.

In addition, firewall policy includes system policy rules,
which control traffic emanating from or terminating at the firewall itself. System
policy rules are applied before any
administrator-created rules. ISA Server 2004 includes a set of built-in system
policy rules that can be enabled, disabled, and edited.

Creating access rules

When you initially install ISA Server 2004, it has a single
default access rule that denies access to and from all networks. This rule is
called Last Default rule. It can’t be changed or deleted. It will always be
last in the firewall policy rules order. When there is no matching rule above
it that applies to particular traffic attempting to go through the firewall,
the Last Default rule will be applied (and thus the traffic will be blocked).

Because of the Last Default rule, the newly installed ISA
Server essentially “locks down” the network. No inbound or outbound traffic
will be able to go through the ISA Server firewall until you create other rules
to allow it. This is based on the “deny all” security philosophy (also called
the Principle of Least Privilege), where you make exceptions for the traffic
you want to allow.

In order for any traffic to go through the firewall, you
must create at least one access rule. It’s easy to create new access rules with
the New Access Rule Wizard. For example, suppose you want to allow users on
your internal network to access only specific Web sites that they need in order
to do their work. First, open the ISA Management Console (msisa.msc). In the
left pane, expand the server name (in this case, W2K3SE) and click Firewall
Policy, as shown in Figure A.

As you can see in the figure, there’s already one access
rule in addition to the Last Default rule (it’s a rule to allow HTTP traffic to
and from all networks for administrators only).

Figure A

Creating an access rule is a common firewall policy task.

In the right pane, click the Tasks tab and, under Firewall
Policy Tasks, click Create A New Access Rule. This starts the New Access Rule Wizard.

On the first page of the wizard, give your new rule a name.
In our example, we’ll call it Workers Web Access. Click Next. The Rule Action
page of the wizard asks if this is to be an Allow or Deny rule.
We want to allow access to certain Web sites, so we click Allow and then click
Next. (In keeping with the “deny all” philosophy, the default here is “deny.”)

On the Protocols page, you can select which protocols the rule
will apply to. Because we want to allow access to Web objects, click
Selected Protocols in the drop-down box (the default is All Protocols). Then
click the Add button, expand Web in the Protocols list, and double-click HTTP
(or click once and then click the Add button). This adds it to the list of
allowed protocols, as shown in Figure B.

Click Close in the Protocols list box, and then click Next.
(Note that you might also want to add the HTTPS protocol if workers will need
to access secure Web sites.)

Figure B

You can apply a rule to only selected protocols, such as HTTP for Web
access.

On the Access Rule Sources page, you can specify which
originating sources the rule applies to. In our example, we want to apply the
rule to users on our internal network, so we click the Add button. In the
Network Entities box, we expand Networks and double-click Internal (or click
once and click the Add button). Click Close on the Network Entities box, and
then click Next.

On the Access Rule Destinations page, specify the
destination Web servers or sites you want to allow. Click the Add button. In
this case, we want to allow access to an entire domain, that of the official
State of Texas Web site, so we click New and select Domain Name Set. We create
a name for the set, called State of Texas, then click New to add a domain name
to the set. Because we want to allow access to any Web servers in that domain,
we’ll use a wildcard (*) to represent the Web server name. You can also add an
optional description, as shown in Figure
C
. Click OK.

Figure C

You can specify domains or sets of domains to which the rule will allow
access.

In the Network Entities box, expand Domain Name Sets and you
should now see your new set (State of Texas). Double-click it (or click once
and click the Add button), then click Close in the Network Entities box. Click
Next.

On the User Sets page, specify to which users this rule will
apply. By default, it applies to all users. If that’s not what you want, click
Add to specify a different set of users.

In the User Sets box, select from the user sets that have
already been created, or click New to create a new one. Clicking New invokes
the New User Sets subwizard, where you give the user set a name (such as the
name of a Windows group) and then select from Windows, RADIUS, or SecurID
namespaces. In our example, we selected All Authenticated Users. You should
then click All Users, Remove, and Next.

The last page of the wizard summarizes your selections. You can
click Back to make changes, or click Finish to create the new access rule. Your
new rule will now show up in the Firewall Policy list, as shown in Figure D.

Figure D

Your new rule appears here.

Before your rule will take effect, you must click the Apply button at the top of the middle pane in the
ISA MMC.

Note that, by default, your new rule appears just above
whatever rule you had selected prior to running the New Access Rule Wizard. In
ISA 2004, rules are applied in the order in which they’re shown in the list.
You can reorder rules by selecting a rule, right-clicking it, and selecting
Move Down or Move Up from the context menu.

In general, it’s best to arrange your access rules in the
following order: anonymous deny rules, anonymous allow rules, authenticated
deny rules, authenticated allow rules. Machines that can’t authenticate, such
as servers, should be included in the anonymous allow and deny sets even though
they aren’t completely anonymous, since their connections must source from the
IP address(es) for which you allow access to the rule.

Web and server publishing rules can be placed anywhere in
Access Policy; however, I prefer to segregate publishing rules by putting them
at the top of the firewall policy list. This makes it easier to distinguish the
publishing rules from the access rules.

Publishing servers

Publishing your internal servers (such as Web servers, mail
servers, FTP servers, SQL servers, etc.) through the ISA Server firewall makes
them available to users on the Internet. Publishing Web and mail servers are
relatively complex procedures that require planning and considering many
factors. ISA Server 2004 includes separate Web publishing, secure Web
publishing, and mail server publishing wizards, as well as a special wizard for
publishing an Outlook Web Access (OWA) server. Going through the many steps
involved in each is beyond the scope of this article. For our example, we’ll
publish an FTP server, which is a relatively simple procedure.

ISA Server 2000 allowed you to publish FTP servers only on
the traditional TCP port 21. With ISA 2004, you can publish FTP servers on
alternate ports.

To publish a server other than a Web server, mail server, or
OWA server, select the Create A New Server Publishing Rule option under
Firewall Policy Tasks after selecting the Tasks tab in the right pane of the
ISA MMC. This starts the New Server Publishing Wizard.

The first step is to give the publishing rule a name. Let’s call it FTP Server. Click Next. On the Select Server
page, enter the IP address of the server you want to publish. You can also
click the Browse button to find the server by name and select the IP address.
Once you’ve entered the IP address using either method, click Next.

On the Select Protocol page, choose the server’s function in
the drop-down box. (We’ll select FTP Server.) If you want to change
from the default port, click the Port button and enter the alternate port(s).
You can also use this dialog box to limit server access to traffic from
a specified range of source ports. Click Next.

On the IP Addresses page, check the box for the network IP
addresses on the ISA Server that should listen for requests for the published
server (external, internal, local host, quarantined VPN clients, VPN clients,
all networks and local host, or all protected networks). You can check more
than one box. If you select external, internal, or local host, by default ISA
will listen on all IP addresses in the selected network. You can click the
Addresses button to change this and specify addresses.

The last page of the wizard summarizes your selections. You
can click Back to make changes or click Finish to create the new server
publishing rule. Your new rule will now appear in the list of Firewall Policy
rules. Remember to click the Apply button to make it effective.

You can disable, enable, or edit your rules after creating
them by double-clicking the rule, by right-clicking and selecting Properties,
or by highlighting the rule and clicking Edit Selected Rule in the right Tasks
pane. Any of these three procedures will display the rule’s properties dialog
box, as shown in Figure E.

Figure E

You can edit a rule after it is created by making changing in its
Properties dialog box.

Editing system policy rules

System policy rules are used to control traffic that
originates with or terminates at the local host network, which includes all
addresses bound to all interfaces on the ISA firewall computer. For example, if
you want to allow Web access from the ISA Server computer (although this isn’t
recommended for security reasons), you’d need to edit the system policy rules to
allow HTTP traffic from the local host network.

To do this, go to the right Tasks pane, look under System
Policy Tasks, and click Show System Policy Rules (they’re hidden by default). Scroll
down to the system policy rule named Allow HTTP Traffic From ISA Server To All
Networks (for CRL download). This should be rule 26.

Double-click the rule, and on the General tab, check the
Enable check box. Click OK. By enabling rule 29, you can also allow HTTP
traffic to selected computers only for Content Download jobs if you have
caching enabled and want to schedule content download jobs. Also note that by
default, HTTP traffic is allowed from the ISA Server to the Microsoft error
reporting sites, via rule 23. Finally, you can allow HTTP traffic from the ISA
computer to selected sites by adding those sites in rule 17. The system policy
rules are shown in Figure F.

Figure F

To control traffic originating from or terminating at the ISA Server, edit system
policy rules.

Creating cache rules

When you install ISA 2004, the Web proxy components are
enabled, but caching is disabled by default. Before you can create cache rules,
you must enable caching by defining a cache drive.

In the left pane of the ISA MMC, expand the server name and
then expand the Configuration node. Click Cache. In the right Tasks pane, click
Define Cache Drives (enable caching).

In the Define Cache Drives dialog box, select a drive
formatted in NTFS, set a maximum cache size greater than 0 MB, abd then click
Set, as shown in Figure G. Click OK.

Figure G

Before you create cache rules, you must enable caching by defining a cache
drive.

To disable caching, click Disable Caching in the right Tasks
pane, set all cache drives manually to 0, or click the Reset button on the
Define Cache Drives dialog box.

Now click Create A Cache Rule in the right Tasks pane to
start the New Cache Rule Wizard. On the wizard’s first page, you’ll be asked to
give the rule a name. In our example, we’ll create a rule to prevent the caching
of a particular Web site. We’ll call it No Cache shinder.net. Click Next.

On the Cache Rule Destination page, specify the network
entities that this rule applies to content requests. For our example, we’ll click Add and
create a new URL set called shinder.net, which we’ll then add to the rule. Click
Next.

On the Content Retrieval page, you can control how objects
in cache are retrieved when requested. In this case, we don’t want the object
ever retrieved from cache. However, that isn’t one of our choices, so we select
the most restrictive option (“Only if a valid version of the object exists in
the cache. If no valid version exists, route the request to the server”).
Click Next.

On the Cache Content page, we select when the content should
be stored in the cache. In this case, we want to prevent the content from being
cached, so we select “Never, no content will ever be cached.” Click Next.

The last page of the wizard summarizes your selections, as
shown in Figure H.

Figure H

The last page of the New Cache Rule Wizard summarizes your selections.

Just the beginning

The most common tasks performed by ISA Server administrators
involve working with rules: access rules, server publishing rules, system
policy rules, and cache rules. In this article, I’ve taken you through the process
of creating each type of administrator-defined rule and editing system policies.
Later articles in this series will demonstrate how to perform more complex
tasks, such as publishing a Web server, monitoring your ISA Server 2004
firewall, and backing up the ISA Server configuration.