Home > Articles

0672321009

ISA Server Rules

The ISA Server rules determine what network resources client machines are permitted to access. You configure rules to control incoming traffic from the Internet to your internal network, and outgoing traffic from your internal network to the Internet. However, the rules are primarily used for managing inbound traffic.

There are several types of rules supported by the ISA Server. These rules include access policy, bandwidth, protocol, routing and chaining, scheduling, server publishing, site and contents, and Web publishing rules. The following sections will explore the site and content, protocol, bandwidth, and publishing rules.

Site and Content Rules

Site and content rules are used to allow or deny clients access to certain contents on the Internet. This rule works in conjunction with the protocol rules. In other words, clients are allowed access if the site and content rule specifically allows access. However, even if the site and content rule allows the client to access the contents, you still need to create a protocol rule, as you will learn more about in a moment, that allows the client to communicate using that protocol.

If you configure two conflicting rules, one that allows access and the other that denies access, the "deny rule" takes precedence and is processed first. Let's say as an IT manager you configure a couple of site and content rules. Rule #1 allows only the managers to access certain contents. Rule #2 denies all employees access to the same contents. As a manager, you will not be able to access the contents because the "deny rule" will be processed first.

When dealing with arrays, you can create site and content rules both at the enterprise level and at the array level. When you enable the array-level rules, they add additional restrictions to the existing enterprise-level site and content rules. For example, let's say that you are using an enterprise policy that permits all employees to use ICQ Chat at all times. You can configure a site and content rule at the array level that permits temporary employees to use ICQ Chat only during lunch hours, which will further restrict the existing enterprise policy. When you apply an enterprise policy to an array, you can only add deny rules at the array level, which simply gives you the capability to apply additional restrictions at a lower level.

Site and content rules are useful in applying various kinds of restrictions or granting different levels of permissions to the clients. For example, you can decide whether a site and content rule applies to all destinations, all internal destinations, all external destinations, to a certain destination set; or you can configure an exception rule so that it can apply to all destinations except the one you list. The rules either "allow" or "deny" access to destinations.

You can also decide at what times the rule should be in affect by using a predefined schedule. For example, you can apply the rule only to weekend or weekday hours. In addition, the rules can be applied to certain client address sets, to specific users or groups, or to any request. If that's not enough, you can even control the content groups to which the rules are applied. For example, the rules can be applied to only certain types of contents, such as macro documents or applications.

With this level of control, you can come up with all kinds of options to either deny or permit only certain users to access specific objects, at specific times, from specific locations. For example, you can restrict a group of contractors from downloading videos and images from external Web sites during 8:00 a.m. and 9:00 a.m. when the traffic is heavy on your network. As another example, you can create a rule that permits only employees in the IT department to download applications, but limit them from downloading the files only after hours or weekends. You could create an exception that enables the IT manager or the network administrator to download the files at any time.

Now that you have a better understanding of what the rules are used for, you will learn how to configure them.

Let's say you want to configure a rule that will enable your internal clients to access all contents on the Internet at all times. To configure such a site and content rule for the enterprise policy, use the following procedure:

  1. In the ISA Server Management console, click on Enterprise, Policies, <your enterprise policy>, Site and Content Rules.

  2. Right-click the Site and Content Rules and select New, then click on Rule to start the New Site and Content Rule Wizard.

  3. Enter a name for the rule, for example Internet Access, as shown in Figure 3.1. Notice that there is a note warning you to create new policy elements that may be required by the rule before using the wizard. You might have to create a destination set, a client address set, a schedule, and a content group.

  4. Figure 3.1 The New Site and Content Rule Wizard.

  5. On the Rule Action screen, select Allow.

  6. On the Rule Configuration screen, you will use the default selection Allow Access Based On Destination, as shown in Figure 3.2. If you don't specify clients or a schedule on this screen, the rule you create will be applicable to all the clients.

  7. Figure 3.2 Rule configuration for the site and content rule.

  8. On the Destination Sets screen, decide how you want to apply this rule. Select All Destinations (the default option), but notice the other options listed in the drop-down box.

  9. Click Finish on the final screen to complete the wizard.

Figure 3.3 shows the rule you just created inside the ISA Management console. Notice in the right-hand pane that the rule applies to the enterprise and allows any request to access all contents at all the destinations all the time.

Figure 3.3 The site and content rule at the enterprise level.

To configure a site and content rule at the array level, you will go through the same process as described previously.

Protocol Rules

Protocol rules are used to control clients' access to the Internet. They can allow or deny use of protocol definitions and can apply to either all or selected IP traffic. ISA Server comes with several common protocol definitions. You can add additional protocols to customize your environment.

As mentioned earlier, the protocol rules and the site and content rule work hand in hand. Remember from our earlier discussion that even if the site and content rule enables the client to access the contents, you still need to create a protocol rule that enables the client to communicate using that protocol.

TIP

When you disable an application filter, its protocol definition is no longer available to the client. In other words, clients using that protocol definition will be denied access.

Similar to the site and content rules, the rules that deny protocols are processed before the rules that allow access.

Let's say you want to create a protocol rule for a group of temporary employees that denies them access to ICQ 2000 chat during business hours. Here's how you will configure the rule.

  1. In the ISA Server Management console, click on Enterprise, Policies, <your enterprise policy>, Protocol Rules. For an array policy, you will go to Servers and Arrays, <your server name>, Access Policy, Protocol Rules.

  2. Right-click Protocol Rules and select New, then click on Rule to start the New Protocol Rule Wizard.

  3. Enter a name for the rule on the first screen; for example ICQ 2000.

  4. On the Rule Action screen, choose Deny.

  5. On the Protocols screen, select an option from the drop-down box to apply the rule. We will select Selected Protocols, as shown in Figure 3.4, because we only want to deny the TEMPS Group from accessing the ICQ 2000 protocol during work hours. Check the ICQ 2000 box. (Also note in Figure 3.4 the list of protocols to choose from.) If you need something other than Selected Protocols, some of the other options you can choose from are as follows:

    • All IP Traffic

    • Selected Protocols

    • All IP Traffic Except Selected

    Figure 3.4 Configuring the protocol to which the rule applies.

  6. On the Schedule screen, select Work Hours from the drop-down box. The other options are Always and Weekend.

  7. On the Client Type screen, select Specific Users and Groups.

  8. In the Users and Groups screen, add the TEMPS group.

  9. Click Finish on the final screen to complete the wizard.

After you have created the rule, you can double-click the rule to access its properties. On the Schedule tab, you can customize the hours for the TEMPS group. The default hours are Monday through Friday 9 a.m. to 5 p.m.

You can create additional schedules by clicking on the New button. This brings up the new schedule window that shows the TEMPS group's work schedule, which is Monday through Friday from 9 a.m. to 12 p.m. Figure 3.5 shows the new custom hours that you've configured for the TEMPS group.

TIP

At first sight, it might not be obvious what the selected scheduled hours are for a particular protocol. Depending on the area of the window that you've selected, the hours shown at the bottom are not necessarily the hours that are active. Highlight the dark (active) area with the mouse and you'll notice the exact hours at the bottom of the screen, as shown in Figure 3.5.

Figure 3.5 Applying a custom schedule to a protocol rule.

TIP

You can define new schedules; however, after the new entries are added, there is no delete option to get rid of them. To delete the entry, go to ISA Server Management console, Enterprise, Policy Elements, Schedules. You'll see the schedules you've created in the right-hand pane. When you try to delete the entry you'll be warned that if this policy element is used by any rule, ISA Server will not start.

Bandwidth Rules

Bandwidth rules are available in all ISA Server installation modes. The bandwidth rule works with the Quality of Service (QoS) scheduling service in Windows 2000 to prioritize network connections. The connections have a default scheduling for priority. If there is a bandwidth rule associated with a connection, its priority is changed accordingly. The bandwidth rule itself is not responsible for controlling the bandwidth of the connections; it simply communicates with the QoS to let it know how the priority should be set on a connection. It is the responsibility of the QoS service to control the bandwidth.

There's a default bandwidth rule that is guaranteed a minimum bandwidth by the QoS in Windows 2000. This rule can't be deleted or modified. You can create your own bandwidth rules to overwrite the default configuration. The range can be anywhere between 1 and 200 for both inbound and outbound traffic. For example, if you want Microsoft SQL Server to have more bandwidth on the network than other services, you can create a bandwidth rule for SQL Server and set the priority to a higher number; for example 200 (the maximum priority). On a busy network, when five clients send a request to Microsoft SQL Server and two send it to Microsoft Exchange Server, the bandwidth from five users will be evenly split among the five SQL Server users. The remaining bandwidth will be used by the two Exchange users.

Let's take a look at a bandwidth rule configuration as an example of this process. The following procedure describes how you can configure a bandwidth rule for Microsoft SQL Server.

  1. In the ISA Server Management console, click on Server and Arrays, <your server name>, Bandwidth Rules.

  2. Right-click Bandwidth Rules and select New, then click on Rule to start the New Bandwidth Rule Wizard.

  3. Enter a name for the rule on the first screen; for example Microsoft SQL Server.

  4. On the Protocols screen, select an option from the drop-down box to apply the rule. For our example we will select Selected Protocols, as shown in Figure 3.6, and check the Microsoft SQL Server box. All the options available are listed here:

    • All IP Traffic

    • Selected Protocols

    • All IP Traffic Except Selected

    Figure 3.6 Configuring a bandwidth rule.

  5. On the Schedule screen, select Always.

  6. On the Client Type screen, select Any Request.

  7. On Destination Sets screen, select All Destinations.

  8. On the Content Groups screen, select All Content Groups.

  9. On the Bandwidth Priority screen, select Use Default Scheduling Priority. (You will create a new priority in a moment).

  10. Click Finish on the final screen to complete the wizard.

  11. Right-click the new rule you just created and select Properties.

  12. On the General tab, ensure that the Enable box is checked.

  13. On the Bandwidth tab, check the Specified Priority Box and click on New.

  14. Enter the information shown in Figure 3.7 in the New Bandwidth Priority box and click OK to close the window.

  15. Figure 3.7 Creating a new bandwidth priority.

  16. On the Bandwidth tab, select your new SQL Server entry from the drop-down box, as shown in Figure 3.8.

  17. Figure 3.8 Specifying a new bandwidth priority.

  18. Click OK to apply the settings.

TIP

After you close the Window shown in Figure 3.7 and the entry is created, you won't see a Delete option. Even if you cancel out and don't click the Apply or OK button, the entry will still be saved. To delete the entry, go to ISA Server Management console, Enterprise, Policy Elements, Schedules. You'll see the schedules you created in the right-hand pane. When you try to delete the entry you'll be warned that if this policy element is used by any rule, ISA Server will not start.

Publishing Policy Rules

Publishing policy rules consist of two rules that allow information on servers in the internal network to be securely published to the external Internet clients. The two rules are known as:

  • Server publishing rule

  • Web publishing rule

The internal published servers are actually SecureNAT clients, so they don't need any special configuration. All you have to do is point them to the ISA Server computer as a default gateway. The external users communicate with the ISA Server computer, and in fact can't tell that they are really talking to a server inside the corporate network. The ISA Server acts as an intermediary and translates packets back and forth. The only IP address visible to the external clients is the IP address of the ISA Server computer.

Let's first take a closer look at the server publishing rules; we will then look at the Web publishing rules.

NOTE

The server publishing rules are available in Firewall and Integrated ISA Server mode—not in the Cache mode. The Web publishing rules are available in all three modes.

Server Publishing Rule

By default, ISA Server blocks all incoming traffic from the Internet. To allow an internal server to be accessible to the external clients, you create a server publishing rule. For example, to publish your FTP server to folks on the Internet, you'll create a server publishing rule on your ISA Server.

Server publishing rules can be limited to certain clients by using client address sets, which include the IP addresses of internal and possibly external clients.

When IP packet filtering is enabled on the ISA Server computer, the server publishing rules are applied to the client address sets. When IP packet filtering is disabled, the server publishing rule is applied to all the clients. This may not seem like a big deal, but let's look at an example so you can better understand what the consequences may be.

As an example, let's say you publish an FTP server only for the finance department so no one else can access their files. When IP filtering is enabled, only the finance department can access the files; however, if you disable IP filtering, the rule is applied to all the clients. Depending on how all the rules are configured and whether they are allow or deny rules, there is a possibility that you may end up giving access to more than just the finance department.

Let's say you want to publish an Exchange server located on the internal network inside the ISA Server computer. To configure a server publishing rule to publish this server, use the following procedure:

  1. In the ISA Server Management console, click on Server and Arrays, <your server name>, Publishing, Server Publishing Rules.

  2. If the enterprise policy settings are not configured to allow publishing, you won't be able to create a server publishing rule at the array level. See the following tip.

  3. Right-click Server Publishing Rules and select New, then click on Rule to start the New Server Publishing Rule Wizard.

  4. Type a name for the server publishing rule. Be sure to read the note that states that you may have to create new policy elements required by the rule before you use the wizard.

  5. On the Address Mapping screen, type the IP address of the internal Exchange server that you want to publish under the IP address of the internal server. Under External IP Address on ISA Server, type the IP address of the external interface on your ISA Server that is connected to the Internet.

  6. On the Protocol Settings tab, apply the rule to the Exchange RPC Server. Figure 3.9 shows the built-in list of protocols that are available to you.

  7. On the Client Type screen, select Any Request.

  8. Click Finish to complete the wizard.

TIP

If you don't see the options to create a new server publishing rule or a Web publishing rule on the array members, it is probably because the enterprise policy settings are not configured to allow publishing. To enable this option, go to the properties of your server and on the Policies tab, check the Allow Publishing Rules option. The missing options should become available to you immediately. You must be a member of the Enterprise Admins group to allow publishing rules.

Figure 3.9 Configuring a server publishing rule.

Web Publishing Rule

The Web publishing rule is used for publishing Web servers only. To publish all other servers, you need to use the server publishing rule.

Using the Web publishing rule, you make your internal servers available to external clients so they can access HTTP contents on the Web server. The ISA Server works as the intermediary and forwards HTTP requests to the internal Web server. If the contents are available in the ISA Server cache, it will respond on behalf of the Web server and return the contents to the client from the cache. The published Web server doesn't support digest or Basic authentication—and it better not, or else it will expose its IP address to the clients on the Internet.

You will notice a default Web publishing rule in the ISA Management console. This rule applies to all requests to all the destinations and is configured to discard all requests. This rule cannot be modified or deleted; and if you have additional rules, this rule will be applied last. When the requests come in, ISA Server checks to see whether there are rules and if the request matches the rule. If it does, the request is processed accordingly; if it doesn't, the default rule is applied (processed last in order) and the request is discarded.

Let's work through an example of a Web publishing rule. Say you want to publish a Web server called WEB1 to the external clients. To create a Web publishing rule, use the following procedure:

  1. In the ISA Server Management console, click on Server and Arrays, <your server name>, Publishing, Web Publishing Rules.

  2. If the enterprise policy settings are not configured to allow publishing, you won't be able to create a Web publishing rule at the array level. See the preceding tip.

  3. Right-click Web Publishing Rules and select New, then click on Rule to start the New Web Publishing Rule Wizard.

  4. Type a name for the Web publishing rule. Be sure to read the note that states that you may have to create new policy elements required by the rule before you use the wizard.

  5. On the Destination Sets screen, choose an appropriate option. The options are listed here:

    • All Destinations

    • All Internal Destinations

    • All External Destinations

    • Specified Destination Set

    • All Destinations Except Selected Set

    We will apply this rule to All Destinations.

  6. On the Client Type screen, select Any Request. You can also select specific computers, users, or groups.

  7. On the Rule Action screen, check the option Redirect the Request To This Internal Web Server (Name or IP Address), as shown in Figure 3.10, and type the IP address of the internal server that you want to publish. You can also use the fully qualified domain name of the server.

  8. On the next screen, click Finish to complete the wizard.

After the rule has been created, you can modify it by right-clicking the rule and selecting Properties. On the Bridging tab (see Figure 3.11), you can redirect the HTTP or SSL requests as HTTP, SSL, or FTP. For SSL, you can require that the site be published using SSL and 128-bit encryption. In addition, you can use a certificate to authenticate to the SSL Web server.

Figure 3.10 Redirecting a Web request to an internal published server.

TIP

The default port numbers for HTTP (80), SSL (443), and FTP (21) shown in Figure 3.10 are used only if you select to bridge the specific protocol. The bridging option is available on the Bridging tab, as shown in Figure 3.11.

Figure 3.11 Configuring the bridging option for a Web publishing rule.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020