Introduction

The ISA Server 2004 firewall controls what communications move between networks connected to one another via the firewall. By default, the ISA Server 2004 firewall computer blocks all traffic. The methods used to allow traffic to move through the firewall are:

Access Rules, and

Publishing Rules

Access Rules control outbound access from a protected network to an unprotected network. ISA Server 2004 considers every network that is not the External network to be protected; the networks that make up the External network are unprotected. Protected networks include the VPN Clients network, the Quarantined VPN Clients network, the Local Host network, the Internal network, and perimeter networks. The Internet is the primary External network, although partner networks and extranets to which protected clients connect can also be treated as External networks.

In contrast, Publishing Rules allow hosts on the External network access to resources on a protected network. For example, an organization may wish to host its own Web, mail and FTP servers. Web and Server Publishing Rules allow External hosts access to these resources.

In Chapter 9 of the ISA Server 2004 Configuration Guide, we used a Network Template to automatically create network relationships and Access Rules. The Access Rules were very loose in order to allow you to access all sites and protocols on the Internet. While this configuration is useful for testing basic functionality of the ISA Server 2004 firewall, a secure firewall configuration requires that you create access controls limiting what users on the Protected Networks can access on the Internet.

An Access Rule includes the following elements:

Rule Element / Description

Order (priority)
    Firewall Access Policy is an ordered list of Access Rules. Rules are processed from top to bottom until a match for a particular connection is found. The first rule whose elements all match the connection's characteristics is applied; later rules are not evaluated for that connection.

Action
    There are two actions: Allow or Deny.

Protocols
    The protocols the rule applies to. The firewall supports all TCP/IP protocols: TCP, UDP, ICMP, and any other protocol identified by its IP protocol number.

From/Listener
    The source of the communication. The source can be a single IP address, a collection of IP addresses, an entire subnet, multiple subnets, or one or more networks.

To
    The destination of the communication. The destination can be a domain or collection of domains, a URL or a collection of URLs, an IP address, a collection of IP addresses, a subnet, multiple subnets, or multiple networks.

Condition
    The user or group to which the rule applies.

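The ordered, first-match processing described in the table above is easiest to see by running it. The following is an added example written for this page, not ISA Server's own engine and not any Microsoft API: a small Python model of an Access Rule list with the elements listed above (protocols, source network, destination network or domain, user group) and ISA's implicit final rule that denies everything. The network address ranges, group names and rules are constructed for the example. It also includes a static check for rules that can never fire because an earlier rule already matches everything they would, which is exactly what happens when the loose "allow everything" rule from the Chapter 9 template is left above a narrower deny.

```python
"""Model of ISA Server 2004 Access Rule evaluation (illustrative, not ISA's code):
an ordered list of rules, processed top to bottom, first match wins, default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = "*"  # wildcard: all protocols, all networks, or "All Users"

# Constructed network definitions (assumption): ranges chosen for this example only.
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/24")],
    "Perimeter": [ip_network("192.168.100.0/24")],
    "Local Host": [ip_network("127.0.0.0/8")],
}


def network_of(addr: str) -> str:
    """Map an IP address to a named protected network; anything unlisted is External."""
    a = ip_address(addr)
    for name, ranges in NETWORKS.items():
        if any(a in r for r in ranges):
            return name
    return "External"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    protocol: str                           # e.g. "HTTP", "HTTPS", "SMTP", "ICMP"
    groups: FrozenSet[str] = frozenset()    # groups of the authenticated user; empty = anonymous
    dst_name: Optional[str] = None          # DNS name the client asked for, if any


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                    # "Allow" or "Deny"
    protocols: FrozenSet[str]      # protocol names, or {ANY}
    sources: FrozenSet[str]        # network names, or {ANY}
    destinations: FrozenSet[str]   # network names or domain patterns like "*.partner.example", or {ANY}
    users: FrozenSet[str]          # group names, or {ANY} for All Users

    def matches(self, c: Connection) -> bool:
        proto_ok = ANY in self.protocols or c.protocol in self.protocols
        src_ok = ANY in self.sources or network_of(c.src_ip) in self.sources
        users_ok = ANY in self.users or bool(self.users & c.groups)
        return proto_ok and src_ok and self._dest_ok(c) and users_ok

    def _dest_ok(self, c: Connection) -> bool:
        if ANY in self.destinations or network_of(c.dst_ip) in self.destinations:
            return True
        host = (c.dst_name or "").lower()
        for pattern in self.destinations:
            p = pattern.lower()
            if p.startswith("*.") and host and (host == p[2:] or host.endswith(p[1:])):
                return True
            if host and host == p:
                return True
        return False


def evaluate(policy: List[AccessRule], c: Connection) -> Tuple[str, str]:
    """Walk the ordered policy; the first matching rule decides. The fallback models
    ISA's built-in last rule, which denies all traffic not allowed above it."""
    for rule in policy:
        if rule.matches(c):
            return rule.action, rule.name
    return "Deny", "Default rule"


def _covers(earlier: FrozenSet[str], later: FrozenSet[str]) -> bool:
    return ANY in earlier or later <= earlier


def shadowed_rules(policy: List[AccessRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule matches every connection
    they would match. Structural check only: compares element sets, so a domain pattern is
    not recognised as a subset of a network; partial overlaps are ignored."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("protocols", "sources", "destinations", "users")):
                out.append(later.name)
                break
    return out


# Constructed policies (assumption). LOOSE_POLICY keeps the template's allow-all rule on top,
# so the SMTP deny beneath it is dead. TIGHT_POLICY puts the deny first and allows only what is needed.
LOOSE_POLICY = [
    AccessRule("Allow all outbound", "Allow", frozenset({ANY}), frozenset({"Internal"}),
               frozenset({"External"}), frozenset({ANY})),
    AccessRule("Block SMTP from clients", "Deny", frozenset({"SMTP"}), frozenset({"Internal"}),
               frozenset({"External"}), frozenset({ANY})),
]
TIGHT_POLICY = [
    AccessRule("Block SMTP from clients", "Deny", frozenset({"SMTP"}), frozenset({"Internal"}),
               frozenset({"External"}), frozenset({ANY})),
    AccessRule("Web for staff", "Allow", frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}),
               frozenset({"External"}), frozenset({"Staff"})),
    AccessRule("Partner site for Finance", "Allow", frozenset({"HTTPS"}), frozenset({"Internal"}),
               frozenset({"*.partner.example"}), frozenset({"Finance"})),
]

if __name__ == "__main__":
    smtp = Connection("10.0.0.25", "203.0.113.10", "SMTP")
    print("loose:", evaluate(LOOSE_POLICY, smtp), "shadowed:", shadowed_rules(LOOSE_POLICY))
    print("tight:", evaluate(TIGHT_POLICY, smtp), "shadowed:", shadowed_rules(TIGHT_POLICY))
```

Rule order is the whole story: in LOOSE_POLICY the SMTP deny is reported as shadowed and outbound SMTP from a client is allowed, while in TIGHT_POLICY the same connection is denied by the first rule, anonymous users and Perimeter hosts fall through to the default deny, and Finance users reach the partner domain over HTTPS but nothing else.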

Access Rules give you fine-grained control over which users can reach which sites and protocols. For example, consider the following Access Rule:

ISA Server 2004 Configuration Guide
