ISA Server Rules
The ISA Server rules determine what network resources client machines are permitted to access. You configure rules to control incoming traffic from the Internet to your internal network, and outgoing traffic from your internal network to the Internet. However, the rules are primarily used for managing inbound traffic.
There are several types of rules supported by the ISA Server. These rules include access policy, bandwidth, protocol, routing and chaining, scheduling, server publishing, site and contents, and Web publishing rules. The following sections will explore the site and content, protocol, bandwidth, and publishing rules.
Site and Content Rules
Site and content rules are used to allow or deny clients access to certain contents on the Internet. This rule works in conjunction with the protocol rules. In other words, clients are allowed access if the site and content rule specifically allows access. However, even if the site and content rule allows the client to access the contents, you still need to create a protocol rule, as you will learn more about in a moment, that allows the client to communicate using that protocol.
If you configure two conflicting rules, one that allows access and the other that denies access, the "deny rule" takes precedence and is processed first. Let's say as an IT manager you configure a couple of site and content rules. Rule #1 allows only the managers to access certain contents. Rule #2 denies all employees access to the same contents. As a manager, you will not be able to access the contents because the "deny rule" will be processed first.
When dealing with arrays, you can create site and content rules both at the enterprise level and at the array level. When you enable the array-level rules, they add additional restrictions to the existing enterprise-level site and content rules. For example, let's say that you are using an enterprise policy that permits all employees to use ICQ Chat at all times. You can configure a site and content rule at the array level that permits temporary employees to use ICQ Chat only during lunch hours, which will further restrict the existing enterprise policy. When you apply an enterprise policy to an array, you can only add deny rules at the array level, which simply gives you the capability to apply additional restrictions at a lower level.
Site and content rules are useful in applying various kinds of restrictions or granting different levels of permissions to the clients. For example, you can decide whether a site and content rule applies to all destinations, all internal destinations, all external destinations, to a certain destination set; or you can configure an exception rule so that it can apply to all destinations except the one you list. The rules either "allow" or "deny" access to destinations.
You can also decide at what times the rule should be in affect by using a predefined schedule. For example, you can apply the rule only to weekend or weekday hours. In addition, the rules can be applied to certain client address sets, to specific users or groups, or to any request. If that's not enough, you can even control the content groups to which the rules are applied. For example, the rules can be applied to only certain types of contents, such as macro documents or applications.
With this level of control, you can come up with all kinds of options to either deny or permit only certain users to access specific objects, at specific times, from specific locations. For example, you can restrict a group of contractors from downloading videos and images from external Web sites during 8:00 a.m. and 9:00 a.m. when the traffic is heavy on your network. As another example, you can create a rule that permits only employees in the IT department to download applications, but limit them from downloading the files only after hours or weekends. You could create an exception that enables the IT manager or the network administrator to download the files at any time.
Now that you have a better understanding of what the rules are used for, you will learn how to configure them.
Let's say you want to configure a rule that will enable your internal clients to access all contents on the Internet at all times. To configure such a site and content rule for the enterprise policy, use the following procedure:
In the ISA Server Management console, click on Enterprise, Policies, <your enterprise policy>, Site and Content Rules.
Right-click the Site and Content Rules and select New, then click on Rule to start the New Site and Content Rule Wizard.
Enter a name for the rule, for example Internet Access, as shown in Figure 3.1. Notice that there is a note warning you to create new policy elements that may be required by the rule before using the wizard. You might have to create a destination set, a client address set, a schedule, and a content group.
On the Rule Action screen, select Allow.
On the Rule Configuration screen, you will use the default selection Allow Access Based On Destination, as shown in Figure 3.2. If you don't specify clients or a schedule on this screen, the rule you create will be applicable to all the clients.
On the Destination Sets screen, decide how you want to apply this rule. Select All Destinations (the default option), but notice the other options listed in the drop-down box.
Click Finish on the final screen to complete the wizard.
Figure 3.1 The New Site and Content Rule Wizard.
Figure 3.2 Rule configuration for the site and content rule.
Figure 3.3 shows the rule you just created inside the ISA Management console. Notice in the right-hand pane that the rule applies to the enterprise and allows any request to access all contents at all the destinations all the time.
Figure 3.3 The site and content rule at the enterprise level.
To configure a site and content rule at the array level, you will go through the same process as described previously.
Protocol rules are used to control clients' access to the Internet. They can allow or deny use of protocol definitions and can apply to either all or selected IP traffic. ISA Server comes with several common protocol definitions. You can add additional protocols to customize your environment.
As mentioned earlier, the protocol rules and the site and content rule work hand in hand. Remember from our earlier discussion that even if the site and content rule enables the client to access the contents, you still need to create a protocol rule that enables the client to communicate using that protocol.
When you disable an application filter, its protocol definition is no longer available to the client. In other words, clients using that protocol definition will be denied access.
Similar to the site and content rules, the rules that deny protocols are processed before the rules that allow access.
Let's say you want to create a protocol rule for a group of temporary employees that denies them access to ICQ 2000 chat during business hours. Here's how you will configure the rule.
In the ISA Server Management console, click on Enterprise, Policies, <your enterprise policy>, Protocol Rules. For an array policy, you will go to Servers and Arrays, <your server name>, Access Policy, Protocol Rules.
Right-click Protocol Rules and select New, then click on Rule to start the New Protocol Rule Wizard.
Enter a name for the rule on the first screen; for example ICQ 2000.
On the Rule Action screen, choose Deny.
On the Protocols screen, select an option from the drop-down box to apply the rule. We will select Selected Protocols, as shown in Figure 3.4, because we only want to deny the TEMPS Group from accessing the ICQ 2000 protocol during work hours. Check the ICQ 2000 box. (Also note in Figure 3.4 the list of protocols to choose from.) If you need something other than Selected Protocols, some of the other options you can choose from are as follows:
All IP Traffic
All IP Traffic Except Selected
Figure 3.4 Configuring the protocol to which the rule applies.
On the Schedule screen, select Work Hours from the drop-down box. The other options are Always and Weekend.
On the Client Type screen, select Specific Users and Groups.
In the Users and Groups screen, add the TEMPS group.
Click Finish on the final screen to complete the wizard.
After you have created the rule, you can double-click the rule to access its properties. On the Schedule tab, you can customize the hours for the TEMPS group. The default hours are Monday through Friday 9 a.m. to 5 p.m.
You can create additional schedules by clicking on the New button. This brings up the new schedule window that shows the TEMPS group's work schedule, which is Monday through Friday from 9 a.m. to 12 p.m. Figure 3.5 shows the new custom hours that you've configured for the TEMPS group.
At first sight, it might not be obvious what the selected scheduled hours are for a particular protocol. Depending on the area of the window that you've selected, the hours shown at the bottom are not necessarily the hours that are active. Highlight the dark (active) area with the mouse and you'll notice the exact hours at the bottom of the screen, as shown in Figure 3.5.
Figure 3.5 Applying a custom schedule to a protocol rule.
You can define new schedules; however, after the new entries are added, there is no delete option to get rid of them. To delete the entry, go to ISA Server Management console, Enterprise, Policy Elements, Schedules. You'll see the schedules you've created in the right-hand pane. When you try to delete the entry you'll be warned that if this policy element is used by any rule, ISA Server will not start.
Bandwidth rules are available in all ISA Server installation modes. The bandwidth rule works with the Quality of Service (QoS) scheduling service in Windows 2000 to prioritize network connections. The connections have a default scheduling for priority. If there is a bandwidth rule associated with a connection, its priority is changed accordingly. The bandwidth rule itself is not responsible for controlling the bandwidth of the connections; it simply communicates with the QoS to let it know how the priority should be set on a connection. It is the responsibility of the QoS service to control the bandwidth.
There's a default bandwidth rule that is guaranteed a minimum bandwidth by the QoS in Windows 2000. This rule can't be deleted or modified. You can create your own bandwidth rules to overwrite the default configuration. The range can be anywhere between 1 and 200 for both inbound and outbound traffic. For example, if you want Microsoft SQL Server to have more bandwidth on the network than other services, you can create a bandwidth rule for SQL Server and set the priority to a higher number; for example 200 (the maximum priority). On a busy network, when five clients send a request to Microsoft SQL Server and two send it to Microsoft Exchange Server, the bandwidth from five users will be evenly split among the five SQL Server users. The remaining bandwidth will be used by the two Exchange users.
Let's take a look at a bandwidth rule configuration as an example of this process. The following procedure describes how you can configure a bandwidth rule for Microsoft SQL Server.
In the ISA Server Management console, click on Server and Arrays, <your server name>, Bandwidth Rules.
Right-click Bandwidth Rules and select New, then click on Rule to start the New Bandwidth Rule Wizard.
Enter a name for the rule on the first screen; for example Microsoft SQL Server.
On the Protocols screen, select an option from the drop-down box to apply the rule. For our example we will select Selected Protocols, as shown in Figure 3.6, and check the Microsoft SQL Server box. All the options available are listed here:
All IP Traffic
All IP Traffic Except Selected
Figure 3.6 Configuring a bandwidth rule.
On the Schedule screen, select Always.
On the Client Type screen, select Any Request.
On Destination Sets screen, select All Destinations.
On the Content Groups screen, select All Content Groups.
On the Bandwidth Priority screen, select Use Default Scheduling Priority. (You will create a new priority in a moment).
Click Finish on the final screen to complete the wizard.
Right-click the new rule you just created and select Properties.
On the General tab, ensure that the Enable box is checked.
On the Bandwidth tab, check the Specified Priority Box and click on New.
Enter the information shown in Figure 3.7 in the New Bandwidth Priority box and click OK to close the window.
Figure 3.7 Creating a new bandwidth priority.
On the Bandwidth tab, select your new SQL Server entry from the drop-down box, as shown in Figure 3.8.
Figure 3.8 Specifying a new bandwidth priority.
Click OK to apply the settings.
After you close the Window shown in Figure 3.7 and the entry is created, you won't see a Delete option. Even if you cancel out and don't click the Apply or OK button, the entry will still be saved. To delete the entry, go to ISA Server Management console, Enterprise, Policy Elements, Schedules. You'll see the schedules you created in the right-hand pane. When you try to delete the entry you'll be warned that if this policy element is used by any rule, ISA Server will not start.
Publishing Policy Rules
Publishing policy rules consist of two rules that allow information on servers in the internal network to be securely published to the external Internet clients. The two rules are known as:
Server publishing rule
Web publishing rule
The internal published servers are actually SecureNAT clients, so they don't need any special configuration. All you have to do is point them to the ISA Server computer as a default gateway. The external users communicate with the ISA Server computer, and in fact can't tell that they are really talking to a server inside the corporate network. The ISA Server acts as an intermediary and translates packets back and forth. The only IP address visible to the external clients is the IP address of the ISA Server computer.
Let's first take a closer look at the server publishing rules; we will then look at the Web publishing rules.
The server publishing rules are available in Firewall and Integrated ISA Server modenot in the Cache mode. The Web publishing rules are available in all three modes.
Server Publishing Rule
By default, ISA Server blocks all incoming traffic from the Internet. To allow an internal server to be accessible to the external clients, you create a server publishing rule. For example, to publish your FTP server to folks on the Internet, you'll create a server publishing rule on your ISA Server.
Server publishing rules can be limited to certain clients by using client address sets, which include the IP addresses of internal and possibly external clients.
When IP packet filtering is enabled on the ISA Server computer, the server publishing rules are applied to the client address sets. When IP packet filtering is disabled, the server publishing rule is applied to all the clients. This may not seem like a big deal, but let's look at an example so you can better understand what the consequences may be.
As an example, let's say you publish an FTP server only for the finance department so no one else can access their files. When IP filtering is enabled, only the finance department can access the files; however, if you disable IP filtering, the rule is applied to all the clients. Depending on how all the rules are configured and whether they are allow or deny rules, there is a possibility that you may end up giving access to more than just the finance department.
Let's say you want to publish an Exchange server located on the internal network inside the ISA Server computer. To configure a server publishing rule to publish this server, use the following procedure:
In the ISA Server Management console, click on Server and Arrays, <your server name>, Publishing, Server Publishing Rules.
If the enterprise policy settings are not configured to allow publishing, you won't be able to create a server publishing rule at the array level. See the following tip.
Right-click Server Publishing Rules and select New, then click on Rule to start the New Server Publishing Rule Wizard.
Type a name for the server publishing rule. Be sure to read the note that states that you may have to create new policy elements required by the rule before you use the wizard.
On the Address Mapping screen, type the IP address of the internal Exchange server that you want to publish under the IP address of the internal server. Under External IP Address on ISA Server, type the IP address of the external interface on your ISA Server that is connected to the Internet.
On the Protocol Settings tab, apply the rule to the Exchange RPC Server. Figure 3.9 shows the built-in list of protocols that are available to you.
On the Client Type screen, select Any Request.
Click Finish to complete the wizard.
If you don't see the options to create a new server publishing rule or a Web publishing rule on the array members, it is probably because the enterprise policy settings are not configured to allow publishing. To enable this option, go to the properties of your server and on the Policies tab, check the Allow Publishing Rules option. The missing options should become available to you immediately. You must be a member of the Enterprise Admins group to allow publishing rules.
Figure 3.9 Configuring a server publishing rule.
Web Publishing Rule
The Web publishing rule is used for publishing Web servers only. To publish all other servers, you need to use the server publishing rule.
Using the Web publishing rule, you make your internal servers available to external clients so they can access HTTP contents on the Web server. The ISA Server works as the intermediary and forwards HTTP requests to the internal Web server. If the contents are available in the ISA Server cache, it will respond on behalf of the Web server and return the contents to the client from the cache. The published Web server doesn't support digest or Basic authenticationand it better not, or else it will expose its IP address to the clients on the Internet.
You will notice a default Web publishing rule in the ISA Management console. This rule applies to all requests to all the destinations and is configured to discard all requests. This rule cannot be modified or deleted; and if you have additional rules, this rule will be applied last. When the requests come in, ISA Server checks to see whether there are rules and if the request matches the rule. If it does, the request is processed accordingly; if it doesn't, the default rule is applied (processed last in order) and the request is discarded.
Let's work through an example of a Web publishing rule. Say you want to publish a Web server called WEB1 to the external clients. To create a Web publishing rule, use the following procedure:
In the ISA Server Management console, click on Server and Arrays, <your server name>, Publishing, Web Publishing Rules.
If the enterprise policy settings are not configured to allow publishing, you won't be able to create a Web publishing rule at the array level. See the preceding tip.
Right-click Web Publishing Rules and select New, then click on Rule to start the New Web Publishing Rule Wizard.
Type a name for the Web publishing rule. Be sure to read the note that states that you may have to create new policy elements required by the rule before you use the wizard.
On the Destination Sets screen, choose an appropriate option. The options are listed here:
All Internal Destinations
All External Destinations
Specified Destination Set
All Destinations Except Selected Set
We will apply this rule to All Destinations.
On the Client Type screen, select Any Request. You can also select specific computers, users, or groups.
On the Rule Action screen, check the option Redirect the Request To This Internal Web Server (Name or IP Address), as shown in Figure 3.10, and type the IP address of the internal server that you want to publish. You can also use the fully qualified domain name of the server.
On the next screen, click Finish to complete the wizard.
After the rule has been created, you can modify it by right-clicking the rule and selecting Properties. On the Bridging tab (see Figure 3.11), you can redirect the HTTP or SSL requests as HTTP, SSL, or FTP. For SSL, you can require that the site be published using SSL and 128-bit encryption. In addition, you can use a certificate to authenticate to the SSL Web server.
Figure 3.10 Redirecting a Web request to an internal published server.
The default port numbers for HTTP (80), SSL (443), and FTP (21) shown in Figure 3.10 are used only if you select to bridge the specific protocol. The bridging option is available on the Bridging tab, as shown in Figure 3.11.
Figure 3.11 Configuring the bridging option for a Web publishing rule.