The steps completed to this point will perform a
basic installation and configuration to get ISA 2004 up and running as
a perimeter firewall and caching server, with internal clients having
basic Web access. For most installations, that is only the starting
point. Most installations will need to have additional tasks completed,
including setting up VPN access, configuring monitoring, and
configuring additional Firewall policies to expand and fine-tune the
rules that control access. And, finally, many installations will need
to have reverse proxy set up or have internal servers published that
need to be securely reachable from the Internet.
Define VPN Access
One of the common tasks for ISA 2004 is setting up VPNs, and it's something
that ISA 2004 does really well. Frankly, as an old-time network
administrator, I was dreading having to write the VPN section because I
remember what a colossal pain it was in the old days.
To define VPN access, follow these steps:
1. Open the ISA 2004 management console, and navigate to the Getting Started page.
2. Click Configure VPN Access to open the VPN Clients tab of the Virtual Private Networks (VPN) page, shown in Figure 1.
3. Click Verify That VPN Client Access Is Enabled to open the VPN Clients Properties dialog box shown in Figure 2.
4. Select the Enable VPN Client Access check box. Specify the maximum number of VPN clients that this ISA server will allow. The default is 100.
5. Click the Groups tab and then click Add to add the accounts you will allow to VPN into your network. Avoid specifying individual accounts; rather, create a specific security group that is allowed access, as shown in Figure 3.
6. Click the Protocols tab, and specify the VPN protocols you will support. The default is PPTP, but you can also use L2TP/IPSec for more secure access. PPTP's security rests on MS-CHAPv2, whose password-derived keys can be recovered offline from a captured handshake, so where your clients support it, prefer L2TP/IPSec and leave PPTP disabled.
7. Click the User Mapping tab. If you will be using RADIUS to authenticate requests, you can simplify the configuration by setting a default Windows domain to use. For simple, Windows-managed VPN access that includes only Windows clients, you can leave User Mapping disabled.
8. Click OK to close the dialog box. Nothing has yet been actually enabled; we need to Apply the settings before they can take effect, and we're not ready yet.
9. Click Remote Access Configuration to open the Virtual Private Networks (VPN) Properties dialog box shown in Figure 4.
10. The defaults are for only External networks to use VPN access, DHCP on the Internal network for IP address assignment, MS-CHAPv2 authentication, and no RADIUS server. Click the appropriate tabs to make any changes necessary, and then click OK to close the dialog box.
11. Optional: Click View Firewall Policy For The VPN Clients Network to configure the Firewall Policy rules for VPN clients if you want to create special policies that apply only to your VPN clients.
12. Optional: Click View Network Rules to verify the network rules for incoming VPN clients and to set up any special network rules that apply only to VPN clients.
13. When you've configured all the settings, click Apply in the main ISA 2004 VPN Clients page, and the new configuration will be applied and VPN access will be enabled.
Set Up Monitoring
ISA 2004 provides a diverse set of monitoring tools. The main front end to the monitoring is the Dashboard, shown in Figure 5,
which has a capsule summary of connectivity, services, reports, alerts,
sessions, and the overall system performance all on a single page. The
biggest weakness of the dashboard is that it’s read only. If you want
more information or detail about a particular report, alert, and so on,
you need to drill down to the tab related to the type of element it is.
No double-clicking or right-clicking to get more information.
The
default installation provides a good starting point to add any
additional reports or monitoring you need for your environment. To add
a new alert or report, change the filtering of sessions, or make other
monitoring changes, click the tab in the center pane for the kind of
monitoring you want to modify, and then click the Tasks tab in the
rightmost pane. You’ll have context-sensitive choices that are
appropriate to the kind of monitoring you’re configuring.
Publishing Servers (Reverse Proxy)
In addition to firewall and caching features, ISA 2004 also supports
"reverse proxy." Reverse proxy lets you keep your key network services
inside your firewall perimeter while still making them reachable from the
Internet: ISA accepts the connection on its external interface and forwards
only the traffic the publishing rule allows to the internal server, so the
server itself is never exposed directly. The two most common examples of
doing this are an extranet Web server and your e-mail server. ISA 2004 makes
it easy to publish the servers and services you need to make available
while protecting the servers from attack.
To publish a mail server, follow these steps:
1. Open the ISA 2004 management console, and navigate to the Firewall Policy page.
2. On the tasks pane, click Publish A Mail Server to open the New Mail Server Publishing Rule Wizard.
3. Enter a name for the rule, and click Next to open the Select Access Type dialog box, shown in Figure 6.
4. Select the type of access you'll be providing to the mail server, and then click Next.
Note
If you'll be providing both direct POP3/IMAP4 access and OWA access, you need to run the wizard twice.
5. Select the services your e-mail server uses, and then click Next.
6. Specify the IP address of the server. This IP address will be on your internal network segment.
7. Click Next to open the IP Addresses dialog box shown in Figure 7.
8. Specify the IP addresses that should have access to the server, and click Next. Keep this as narrow as the service allows: a public mail server has to accept SMTP from Anywhere, but an extranet used by a few partners should be published only to their address ranges.
9. Click Finish to close the wizard, and then click Apply on the main Firewall Policy page to actually implement the changes.
Additional Configuration
The
initial setup and configuration of ISA 2004 is fairly straightforward,
as we’ve seen, in a basic configuration. Adding more features and
specific rules and filters adds complexity, but doing this follows the
same logic and steps as the basic configuration. We can’t begin to
cover all the possibilities in a single chapter, but we want to
highlight some typical configuration and management tasks. ISA 2004 has
a logical consistency in the way it’s configured, and if you understand
how to do one set of tasks in it, you’ll find it easy to extend that
knowledge to additional tasks.
The Toolbox
The
Toolbox is where you create, modify, and delete all the various
elements that make up the policies of ISA 2004. You can find the
Toolbox tab in the rightmost pane of the Firewall Policy section. The
elements you can add, delete, or edit here include:
Protocols
Users
Content Types
Schedules
Network objects
By combining these elements, you can create the rules and policies that you need for your network.
Defining Network Entities
ISA
2004 has several predefined network entities, as we’ve seen in setting
up our original access rule. But there might well be reasons you need
to define additional entities. These might take the form of individual
computers or specific subnets, and they can refer to either internal or
external computers and networks.
Note
Because
there is no 64-bit firewall client, you can define special rules for
your 64-bit computers, allowing you to provide special access rules
that apply only to them. Once a 64-bit client is available, you should
remove special rules for 64-bit computers and apply consistent policies
across your client network.
To define a new network entity, follow these steps:
1. Open the ISA 2004 management console if it isn't already open.
2. Click Firewall Policy in the leftmost pane.
3. Click the Toolbox tab, and expand the Network Objects panel, as shown in Figure 8.
4. Select the kind of object you want to create from the New menu as shown in Figure 9. The kinds of network objects you can create are listed in Table 1.

Table 1. Network object types in ISA 2004

| Object | Properties |
|---|---|
| Network | One or more contiguous ranges of IP addresses. |
| Network Set | One or more defined networks. Allows you to combine noncontiguous ranges of IP addresses into a logical grouping. |
| Computer | A single IP address. (Note: A computer object is defined by an IP address only and is not directly correlated to a computer name. If you're using DHCP to distribute IP addresses, you should use a DHCP reservation if you need a specific computer to be defined for ISA purposes.) |
| Address Range | A single contiguous range of IP addresses. |
| Subnet | A single IP subnet (network ID and subnet mask). |
| Computer Set | One or more computers, address ranges, or subnets. Predefined computer sets in ISA 2004 are Anywhere, IPSec Remote Gateways, and Remote Management Computers. |
| Web Listeners | The addresses and ports on a network that will listen for Web requests. |
| URL Set | One or more URLs that can be used to define specific access rules. |
| Domain Name Set | Groups DNS domain names into a set. Specific firewall policies can then be applied to the set. |

5. Fill in the wizard or dialog box necessary for the object type you're creating. Figure 10 shows the dialog box for creating a computer object.
6. Once the new network entity has been added, you can use it in rules to either permit or deny specific access to the entity.
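The following Python is an added example, not code from ISA 2004 or from this chapter. It models the address-based object types from Table 1 (Computer, Address Range, Subnet, Computer Set, Network) and the way ISA evaluates firewall policy: rules are checked in order, the first rule whose source, destination and port all match decides, and anything that reaches the end of the list falls to the built-in default rule, which denies. It also turns the DHCP caveat in the Computer row into a check, and models the source-address restriction from step 8 of the mail publishing wizard. All names, addresses, rules and the DHCP scope are constructed sample data; a real publishing rule targets the published server through a listener, which the toy collapses to the server's internal IP.

```python
"""Toy model of ISA 2004 network objects and ordered firewall rule matching.

Added example, not ISA's own code. Object types follow Table 1; all sample
names, addresses and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Computer:
    """A single IP address. ISA keys on the address, never the host name."""
    name: str
    ip: str

    def contains(self, ip: IPv4) -> bool:
        return ip == IPv4(self.ip)


@dataclass(frozen=True)
class AddressRange:
    """One contiguous, inclusive range of addresses."""
    name: str
    first: str
    last: str

    def contains(self, ip: IPv4) -> bool:
        return IPv4(self.first) <= ip <= IPv4(self.last)


@dataclass(frozen=True)
class Subnet:
    """Network ID plus mask, written in CIDR form."""
    name: str
    cidr: str

    def contains(self, ip: IPv4) -> bool:
        return ip in ipaddress.IPv4Network(self.cidr)


@dataclass(frozen=True)
class ComputerSet:
    """Computers, address ranges or subnets grouped under one name."""
    name: str
    members: tuple

    def contains(self, ip: IPv4) -> bool:
        return any(m.contains(ip) for m in self.members)


class Network(ComputerSet):
    """One or more contiguous ranges; matches like a set of address ranges."""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    sources: tuple                       # elements the client address must match
    destinations: tuple                  # elements the server address must match
    ports: Optional[FrozenSet[int]] = None   # None means any port


def first_match(rules: Tuple[Rule, ...], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Ordered evaluation: the first matching rule wins; the default rule denies."""
    s, d = IPv4(src), IPv4(dst)
    for r in rules:
        if (any(o.contains(s) for o in r.sources)
                and any(o.contains(d) for o in r.destinations)
                and (r.ports is None or port in r.ports)):
            return r.name, r.action
    return "Default rule", "deny"


def matching_elements(ip: str, elements: list) -> List[str]:
    """Names of every element an address falls into (useful when a rule misfires)."""
    addr = IPv4(ip)
    return [e.name for e in elements if e.contains(addr)]


def _computers(elements) -> Iterator[Computer]:
    for e in elements:
        if isinstance(e, Computer):
            yield e
        elif isinstance(e, ComputerSet):          # Network is a ComputerSet too
            yield from _computers(e.members)


def computers_without_reservation(elements, dhcp_scope: AddressRange, reservations: set) -> List[str]:
    """Computer objects whose address is DHCP-assigned but not reserved.

    Table 1 warns that a Computer is an IP, not a name; if DHCP can hand that
    IP to a different host, the rule silently follows the address, not the machine.
    """
    return sorted({c.name for c in _computers(elements)
                   if dhcp_scope.contains(IPv4(c.ip)) and c.ip not in reservations})


# Constructed sample objects (assumed, not from any real deployment).
ANYWHERE = AddressRange("Anywhere", "0.0.0.0", "255.255.255.255")
INTERNAL = Network("Internal", (AddressRange("Internal range", "10.0.0.1", "10.0.0.254"),))
EXCHANGE = Computer("Exchange", "10.0.0.25")
ADMINS = ComputerSet("Remote Management Computers",
                     (Computer("Admin PC", "10.0.0.50"), Subnet("Ops LAN", "10.0.5.0/24")))
BLOCKED = AddressRange("Blocked range", "198.51.100.0", "198.51.100.255")

RULES = (
    Rule("Block abusive range", "deny", (BLOCKED,), (ANYWHERE,)),
    Rule("Publish mail server", "allow", (ANYWHERE,), (EXCHANGE,), frozenset({25})),
    Rule("Admins manage Exchange", "allow", (ADMINS,), (EXCHANGE,)),
)
DHCP_SCOPE = AddressRange("DHCP scope", "10.0.0.20", "10.0.0.200")
RESERVATIONS = {"10.0.0.50"}          # Admin PC is reserved; Exchange is not

if __name__ == "__main__":
    print(first_match(RULES, "203.0.113.9", "10.0.0.25", 25))      # publishing rule allows SMTP
    print(first_match(RULES, "203.0.113.9", "10.0.0.25", 443))     # falls to the default deny
    print(first_match(RULES, "198.51.100.4", "10.0.0.25", 25))     # earlier deny wins over publish
    print(matching_elements("10.0.0.50", [INTERNAL, EXCHANGE, ADMINS]))
    print(computers_without_reservation([INTERNAL, EXCHANGE, ADMINS], DHCP_SCOPE, RESERVATIONS))
```

The order of `RULES` is the point: moving the deny rule below the publishing rule would let the blocked range reach port 25, exactly as reordering rules in the Firewall Policy pane would in ISA. The reservation check is the kind of thing to run whenever a Computer object is added from the Toolbox.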
Defining Users
If
your clients are running the ISA Firewall Client, you can manage access
to and from the Internet by user and group, giving you much more
flexibility and simplifying the maintenance of policies and access
rules. Plus the user will have the correct level of access regardless
of what computer she or he is logged on to.
To define a new set of users, follow these steps:
1. Open the ISA 2004 management console, and navigate to the Firewall Policy page.
2. Click the Toolbox tab in the rightmost pane, and expand the Users section. There are three sets of predefined users: All Authenticated Users, All Users, and System and Network Service.
3. Click New, and the New User Sets Wizard opens, as shown in Figure 11. Type a name for this set of users in the User Set Name field, and click Next.
4. Click Add, and the choice of types of users to add opens, as shown in Figure 12.
5. Select the user type, and the users or groups of users you want to add. You can choose from multiple source types here. When you have added all the users you want, click Next.
6. Click Finish to close the wizard, and then click Apply in the main Firewall Policy pane to implement the change.