Module 3: Enabling Secure Internet Access


Page 1: Module 3: Enabling Secure Internet Access. Overview Access Policies and Rules Overview Creating Policy Elements Configuring Access Policies and Rules

Module 3: Enabling Secure Internet Access


Overview

Access Policies and Rules Overview

Creating Policy Elements

Configuring Access Policies and Rules

Configuring Bandwidth Rules

Using ISA Server Authentication


Microsoft® Internet Security and Acceleration (ISA) Server provides policy-based access control that enables organizations to securely control outbound access. Network administrators can configure access policies to specify which content and sites are accessible, whether a particular protocol is available for outgoing Internet requests, and during which times access is allowed. In addition, network administrators can configure authentication to restrict access on a per-user basis or on a per-group basis.


After completing this module, you will be able to:

Explain the use of access policies and rules to enable Internet access.

Create policy elements.

Configure access policies and rules.

Configure bandwidth rules.

Explain the use of authentication for outgoing Web requests.


Access Policy and Rules Overview

Understanding Access Policy Components

Processing Outgoing Client Requests

Planning an Access Policy Strategy


One of the primary functions of ISA Server is connecting your internal network to the Internet while implementing your organization's security policies that define the type of Internet access that you allow. By creating an access policy and associated rules, you can allow or deny internal users access to specific protocols, Internet sites, and content. When ISA Server processes an outgoing request, it uses the access policy to determine if access should be allowed or denied. It is important to plan a strategy before creating an access policy to ensure that the rules that you create meet the needs of your organization.


In this lesson you will learn about the following topics:

Understanding access policy components

Processing outgoing client requests

Planning an access policy strategy


Understanding Access Policy Components

[Diagram: an access policy is made up of site and content rules and protocol rules. Each rule is built from policy elements and either allows or denies.]


An access policy consists of the following components:

Protocol rules. Define the protocols that the ISA Server clients can use to communicate between the internal network and the Internet.

Site and content rules. Define the type of content and the sites to which Web Proxy clients are allowed or denied access.

Policy elements. Define settings that you use as parts of rules. For example, you can create policy elements that define a schedule or a specific type of content.


Processing Outgoing Client Requests

[Flowchart, reconstructed as the ordered sequence of decisions it shows. Every "deny" branch ends at "Deny request".]

Request from internal client:

1. Is there a site and content rule that denies the request? Yes: deny request. No: continue.

2. Is there a protocol rule that denies the request? Yes: deny request. No: continue.

3. Is there a protocol rule that allows the request? No: deny request. Yes: continue.

4. Is there a site and content rule that allows the request? No: deny request. Yes: continue.

5. Does an IP packet filter block the request? Yes: deny request. No: continue.

6. Does a routing rule specify routing to an upstream server? Yes: route to upstream server. No: retrieve object.


When ISA Server processes an outgoing client request, it checks protocol rules and site and content rules to determine if access is allowed. A request is allowed only if both a protocol rule and a site and content rule each allow the request and if there is no rule that explicitly denies the request.

Note: ISA Server also controls Internet traffic based on Internet Protocol (IP) packet filters and routing rules. When you install ISA Server as a stand-alone server, a site and content rule named "Allow Rule" allows access to all content on all sites by default. However, because ISA Server contains no protocol rules by default, no traffic is allowed to pass until you define at least one protocol rule. This default-deny starting point is worth preserving: add the narrowest protocol rule that meets the requirement rather than an allow-all rule.
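The decision order described above, as an added example that is not part of the original module: a small Python model of the request-processing flowchart. Rules are reduced to a name, an action and a predicate over the request, so that the point shown is the ordering (explicit denies first, then the requirement that both a protocol rule and a site and content rule allow the request, then packet filters, then routing), not the matching of individual policy elements. The two policies built at the end, a fresh stand-alone install and the same install with one protocol rule and one deny rule added, are constructed for illustration; the client address, host names and upstream server name are invented.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    """An outgoing request as ISA Server sees it from an internal client."""
    client_ip: str
    protocol: str     # name of the protocol definition the request uses, e.g. "HTTP"
    destination: str  # host name the client asked for

@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    matches: Callable[[Request], bool]  # the rule's policy elements, collapsed into one predicate

@dataclass
class AccessPolicy:
    protocol_rules: List[Rule] = field(default_factory=list)
    site_and_content_rules: List[Rule] = field(default_factory=list)
    # IP packet filters and routing rules, reduced to callables for this model.
    packet_filter_blocks: Callable[[Request], bool] = lambda r: False
    upstream_for: Callable[[Request], Optional[str]] = lambda r: None

def _first(rules: List[Rule], action: str, request: Request) -> Optional[Rule]:
    return next((r for r in rules if r.action == action and r.matches(request)), None)

def process_outgoing(policy: AccessPolicy, request: Request) -> Tuple[str, Optional[str]]:
    """Walk the flowchart in order. Returns ("deny", reason), ("route", upstream) or
    ("retrieve", None). A request succeeds only if a protocol rule AND a site and content
    rule allow it and no rule of either kind denies it; denies are checked before allows."""
    rule = _first(policy.site_and_content_rules, "deny", request)
    if rule is not None:
        return ("deny", f"site and content rule '{rule.name}' denies the request")
    rule = _first(policy.protocol_rules, "deny", request)
    if rule is not None:
        return ("deny", f"protocol rule '{rule.name}' denies the request")
    if _first(policy.protocol_rules, "allow", request) is None:
        return ("deny", "no protocol rule allows the request")
    if _first(policy.site_and_content_rules, "allow", request) is None:
        return ("deny", "no site and content rule allows the request")
    if policy.packet_filter_blocks(request):
        return ("deny", "an IP packet filter blocks the request")
    upstream = policy.upstream_for(request)
    if upstream is not None:
        return ("route", upstream)
    return ("retrieve", None)

def default_install_policy() -> AccessPolicy:
    """A fresh stand-alone install: the default 'Allow Rule' site and content rule exists,
    but there are no protocol rules, so nothing passes yet."""
    return AccessPolicy(site_and_content_rules=[Rule("Allow Rule", "allow", lambda r: True)])

def example_policy() -> AccessPolicy:
    """Constructed policy (not from the module): Web protocols allowed for every client,
    one partner test domain explicitly denied, HTTP chained to an upstream proxy."""
    policy = default_install_policy()
    policy.protocol_rules.append(
        Rule("Allow Web", "allow", lambda r: r.protocol in ("HTTP", "HTTPS")))
    policy.site_and_content_rules.append(
        Rule("Block partner test site", "deny",
             lambda r: r.destination.lower().endswith(".test.nwtraders.msft")))
    policy.upstream_for = lambda r: "upstream.contoso.msft" if r.protocol == "HTTP" else None
    return policy

if __name__ == "__main__":
    for req in (Request("192.168.101.10", "HTTP", "www.contoso.msft"),
                Request("192.168.101.10", "SMTP", "mail.contoso.msft"),
                Request("192.168.101.10", "HTTP", "dev.test.nwtraders.msft")):
        print(req.protocol, req.destination,
              "| fresh install:", process_outgoing(default_install_policy(), req),
              "| with rules:", process_outgoing(example_policy(), req))
```

The model makes the two properties of the flowchart explicit: the fresh install denies everything because step 3 finds no allowing protocol rule, and a deny rule wins even when an allow rule also matches, because denies are tested before any allow is consulted.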


Planning an Access Policy Strategy

Determine Organizational Requirements

Define Rules

Create Policy Elements

Create Rules by Using Policy Elements

Test Rules


You should perform the following tasks when planning an access policy strategy:


Determine your organization's requirements based on your business needs.

Because an access policy should be consistent with business needs, it is important to identify your business needs before you create an access policy. For example, one of your business needs may include giving users access to a supplier's Web site.


Define the rules that are needed.

You define rules to implement your organization's access policy. For example, you can create a rule to grant access for all employees to the www.contoso.msft Web site during business hours.


Create policy elements.

Rules require policy elements, which are the building blocks that you use to create rules. For example, you can create a policy element that defines specific computers or directories at www.contoso.msft.


Create rules that use the policy elements.

When you create rules, you use policy elements to define the rules.


Test rules.

Ensure that the rules allow the required access for your users, without providing more access than necessary. Test in both directions: confirm that the requests the policy is meant to permit succeed, and that requests outside the policy (other protocols, other sites, other times, other client addresses) are denied. Test all of the rules before allowing users to gain access to the Internet.


Creating Policy Elements

Policy Element Overview

Creating Schedules

Creating Bandwidth Priorities

Creating Destination Sets

Creating Client Address Sets

Creating Protocol Definitions

Creating Content Groups


Policy elements are the components that you use to create ISA Server rules. Policy elements give you more control to define users, locations, bandwidth allocation, specific protocols, and types of content in policy rules. ISA Server includes several types of policy elements that you can use to create rules for your access policy.

Important: Policy elements do not define any access policy by themselves. Rather, you use policy elements as components of rules that control access.


In this lesson you will learn about the following topics:

Policy element overview

Creating schedules

Creating bandwidth priorities

Creating destination sets

Creating client address sets

Creating protocol definitions

Creating content groups


Policy Element Overview

Policy Elements Can Include:

Schedules

Bandwidth Priorities

Destination Sets

Client Address Sets

Protocol Definitions

Content Groups

Dial-up Entries


Before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules. ISA Server policy elements can include:


Schedules. The days and times when a rule is active.


Bandwidth priorities. Determine the relative amount of bandwidth that you can allocate to different types of network traffic. You use bandwidth priorities in bandwidth rules that determine which connection gets priority over others to allocate available network bandwidth.


Destination sets. One or more computers or directories on specific computers. For access policy rules, destination sets are computers that are not on the internal network.


Client address sets. One or more computers that you specify by name or by using an IP address or range of IP addresses. For access policy rules, client address sets are computers on the internal network.


Protocol definitions. Predefined or user-defined protocols that ISA Server clients can use to communicate with other computers.


Content groups. Logical groupings of common file types and file extensions.


Dial-up entries. Specify how the ISA Server computer connects to the Internet. A dial-up entry includes the name of the network dial-up connection that is configured for the remote access server, and the user name and password of a user who has permission to use that dial-up connection. Because ISA Server stores these credentials, use a dedicated account that has no permissions beyond the dial-up connection.


Creating Schedules

[Screenshot: New schedule dialog. Name: Lunch Hours and Weekends. Description: Use this schedule to permit access to sites during lunch hours and weekends. A weekly grid (Sunday through Saturday, 12 AM to 12 AM in two-hour columns) shows active and inactive periods; the status line reads "Sunday from 12 AM to 12 AM". Buttons: Active, Inactive, OK, Cancel.]

Click Active to add portions of the week, or click Inactive to remove portions of the week.

Set the activation times for rules that are based on this schedule.


Use schedules to create rules that apply separate access policies during different times of the day or the week. For example, you can create a schedule to use in a rule for an access policy that allows access to the Internet during the lunch hour only.


To create a schedule:

1. In ISA Management, in the console tree, expand Policy Elements, click Schedules, and then in the details pane, click Create a Schedule.

2. In the New schedule dialog box, in the Name box, type the name of the schedule.

3. In the Description box, type a description for the schedule.

4. In the schedule table, click a cell, day, or hour, or drag multiple cells, to select the specified times.

5. To modify the schedule, do the following tasks, and then click OK:

Click Active to add portions of the week to the schedule. Click Inactive to remove portions of the week from the schedule.

When a blue cell appears, the rule is in effect during that period; when a white cell appears, the rule is not in effect during that period.

Note: By default, ISA Server contains the Weekends schedule and the Work hours schedule, which you can modify for use in policy rules.


Creating Bandwidth Priorities

[Screenshot: two New Bandwidth Priority dialogs, each with Name, Description (optional), Outbound bandwidth and Inbound bandwidth (1-200) boxes, OK and Cancel. "Basic Priority", described as assigning priority to incoming traffic, has Inbound bandwidth 20; "High Priority", described as assigning high priority to incoming traffic, has Inbound bandwidth 30.]


Use bandwidth priorities to create bandwidth rules that assign a higher priority to specific traffic that is moving to or from the Internet. For example, you can create a bandwidth rule that assigns a high bandwidth priority to traffic for specific employees or departments. Before you can assign this type of bandwidth rule, you must create the associated bandwidth priorities.


How Bandwidth Priorities Work

Bandwidth priorities assign priorities to connections that pass through ISA Server. Bandwidth priorities are directional and can be controlled for both inbound connections and outbound connections.

When there is limited bandwidth, ISA Server allocates this bandwidth according to bandwidth priorities that you assign to traffic that is processed by ISA Server. You can use a number between 1 and 200 to specify a bandwidth priority. A higher number indicates a higher priority.

When you assign a bandwidth priority, assess its impact in relation to the other bandwidth priorities that you assign, because priorities are relative, not absolute. For example, if you assign bandwidth priority A a value of 30 and bandwidth priority B a value of 20, ISA Server allocates 60 percent of the available bandwidth to traffic with bandwidth priority A and 40 percent to traffic with bandwidth priority B when processing bandwidth rules.


Creating a New Bandwidth Priority

To create a new bandwidth priority:

1. In ISA Management, in the console tree, right-click Bandwidth Priorities, point to New, and then click Bandwidth Priority.

2. In the New Bandwidth Priority dialog box, in the Name box, type the name of the bandwidth priority.

3. In the Description box, type a description of the bandwidth priority.

4. Do the following tasks, and then click OK:

To define the bandwidth priority for outbound traffic, in the Outbound bandwidth box, type a number between 1 and 200.

To define the bandwidth priority for inbound traffic, in the Inbound bandwidth box, type a number between 1 and 200.


Creating Destination Sets

[Screenshot: New Destination Set dialog. Name: Partner Web. Description (optional). An "Include these computers" list with Name/IP Range and Path columns and Add, Edit and Remove buttons; OK and Cancel. In front of it, the Add/Edit Destination dialog: Computer name: nwtraders.msft (with Browse), an IP addresses option with From and To (optional) boxes, and Path: /sales/accounts.xls. Help text: To include a specific directory in the destination set, type the path below. To include all the files, use this format: /dir/*. To select a specific file, use this format: /dir/filename.]


Use destination sets to create rules that allow or deny access to one or more computers. For example, you can create a destination set that includes the Web sites of business partners and then allow access to this destination set. You can specify destination sets by using a domain name or by using a range of IP addresses. You can also allow or deny access to specific directories on a computer. Other rules, such as bandwidth rules, also use destination sets.


To create a new destination set:

1. In ISA Management, in the console tree, click Destination Sets, and then in the details pane, click Create a Destination Set.

2. In the New Destination Set dialog box, in the Name box, type a name for the destination set.

3. In the Description box, type a description for the destination set.


4. Click Add, and then in the Add/Edit Destination dialog box, do one of the following:

If specifying a destination set by | Then

Computer or domain name | Click Destination, and then type the computer name, or click Browse to select a computer on your network. To add all of the computers in a domain, type *.domain (where domain is the name of your domain). For example, to add all of the computers in the contoso.msft domain, you would type *.contoso.msft

IP address | Click IP addresses. In the From box, type the first IP address in the range, and then in the To box, type the last IP address in the range. To include a single computer, type the same IP address in the From box and in the To box.


5. To specify a particular path on a Web site, in the Path box, type the path on the specified computer by using the format listed in the following table, and then click OK twice:

To specify | Use the format

A specific directory | /dir

All of the files in a directory | /dir/*

A specific file in a directory | /dir/filename


Important: ISA Server processes path components of a rule only for client requests that use the Hypertext Transfer Protocol (HTTP) protocol and only for Web Proxy client requests that use the File Transfer Protocol (FTP) protocol. ISA Server ignores the path component of a destination set when processing any other client requests but still evaluates the computer and IP address components of any applicable destination set, independent of the protocol that the client uses. For more information, see "Site and content rules" in ISA Server Help.


Creating Client Address Sets

[Screenshot: Client Set dialog. Name: Support Staff. Description (optional). "Select the addresses of computers that belong to this client address set." A Members list with From and To columns and Add, Edit and Remove buttons; OK and Cancel. In front of it, the Add/Edit IP Addresses dialog (Client set IP addresses): From 192.168.101.0, To 192.168.101.255.]


Use client address sets to create rules that allow or deny access to outgoing Web requests from a single computer or from a set of computers. Other rules, such as bandwidth rules, also use client address sets.


To create a client address set:

1. In ISA Management, in the console tree, click Client Address Sets, and then in the details pane, click Create a Client Set.

2. In the Client Set dialog box, in the Name box, type a name for the client address set.

3. In the Description box, type a description for the client address set.

4. Click Add.

5. In the Add/Edit IP Addresses dialog box, in the From box, type the first IP address in the range, and then in the To box, type the last IP address in the range. To include a single computer, type the same IP address in the From box and the To box.

6. Click OK twice.

Note: Although you can use the Open Windows' User Manager button on the Configure Client Address Sets taskpad to create or modify Microsoft Windows® 2000 security groups on the ISA Server computer, the security groups are separate policy elements from the client address sets.
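Destination sets and client address sets, as an added example that is not part of the original module, in Python. It covers both passages above: the three ways a destination can be named (computer or domain name with the *.domain wildcard, an inclusive From/To IP range, and the /dir, /dir/* and /dir/filename path formats), the rule that the path component counts only for HTTP and for FTP from Web Proxy clients, and the From/To range test that client address sets share with destination sets. The "Partner Web" and "Support Staff" data are taken from the slides, with the /sales/* path and the 10.1.2.3 entry added as assumptions; treating a bare /dir as an exact match is also an assumption. One practitioner's addition: the request path is decoded and normalised before it is compared, so that a /sales/%2e%2e/hr/... request is judged as /hr/... rather than matching under a /sales/* entry.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
from urllib.parse import unquote, urlsplit

def ip_in_range(ip: str, first: str, last: str) -> bool:
    """Inclusive From/To test, as the Add/Edit IP Addresses box defines a range."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

@dataclass(frozen=True)
class Destination:
    """One row of a destination set: a computer/domain name or an IP range, plus an optional path."""
    name: Optional[str] = None      # "nwtraders.msft" or "*.contoso.msft"
    ip_from: Optional[str] = None
    ip_to: Optional[str] = None     # omitted for a single computer
    path: Optional[str] = None      # "/dir", "/dir/*" or "/dir/filename"

    def matches_host(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if self.name is not None:
            pattern = self.name.lower()
            if pattern.startswith("*."):
                return host.endswith(pattern[1:])   # every computer in the domain
            return host == pattern
        if self.ip_from is None:
            return False
        try:
            return ip_in_range(host, self.ip_from, self.ip_to or self.ip_from)
        except ValueError:           # the client asked by name; an IP range cannot match it
            return False

    def matches_path(self, path: str) -> bool:
        if self.path is None:
            return True
        if self.path.endswith("/*"):                 # all of the files in the directory
            base = self.path[:-2]
            return path == base or path.startswith(base + "/")
        return path == self.path                     # /dir or /dir/filename: exact match (assumed)

def canonical_path(url: str) -> str:
    """Decode and normalise the request path before matching it against a destination set."""
    return posixpath.normpath(unquote(urlsplit(url).path or "/"))

def path_is_evaluated(protocol: str, client_type: str) -> bool:
    """The path component counts only for HTTP (any client) and for FTP from Web Proxy clients."""
    return protocol == "HTTP" or (protocol == "FTP" and client_type == "web proxy")

def destination_set_matches(entries: Sequence[Destination], url: str,
                            protocol: str, client_type: str = "web proxy") -> bool:
    host = urlsplit(url).hostname or ""
    path = canonical_path(url)
    for entry in entries:
        if not entry.matches_host(host):
            continue
        if not path_is_evaluated(protocol, client_type) or entry.matches_path(path):
            return True        # the computer/IP part alone decides when the path is ignored
    return False

@dataclass(frozen=True)
class ClientAddressSet:
    """Internal computers named by one or more From/To ranges."""
    name: str
    ranges: Tuple[Tuple[str, str], ...]

    def contains(self, client_ip: str) -> bool:
        return any(ip_in_range(client_ip, first, last) for first, last in self.ranges)

# Constructed data following the slides; the /sales/* path and 10.1.2.3 entry are assumptions.
PARTNER_WEB = (Destination(name="nwtraders.msft", path="/sales/*"),
               Destination(name="*.contoso.msft"),
               Destination(ip_from="10.1.2.3"))
SUPPORT_STAFF = ClientAddressSet("Support Staff", (("192.168.101.0", "192.168.101.255"),))
```

The client_type argument is what makes the Important note above concrete: the same FTP request to a path outside /sales/* matches the set for a SecureNAT client (path ignored, host matches) and does not match for a Web Proxy client (path evaluated). A rule that relies on the path to narrow access therefore narrows it only for those two request kinds.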


Creating Protocol Definitions

Note (slide callout): Type a number between 1 and 65535 to specify the port number.


Protocol definitions define the communications parameters that a protocol uses. You use protocol definitions to create rules that allow or deny access based on specific protocols. ISA Server includes many predefined protocol definitions for the most popular protocols. If you use a protocol for which ISA Server does not contain a definition, you can create a new protocol definition for that protocol.

Note: You can create protocol definitions for only the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) protocols. To control network traffic that uses any other protocol types, such as the Internet Control Message Protocol (ICMP), you must create packet filters.


Protocol Definition Overview

Before you create a new protocol definition, you must know how the protocol works. This knowledge includes the port number that a protocol uses, the protocol type, and the direction of the connection. Generally, you obtain port information from an application vendor or from a protocol specification, such as a Request for Comments (RFC).

Note: The Internet Assigned Numbers Authority (IANA) maintains a registry of assigned protocol and port numbers. For more information, see the IANA Web site at www.iana.org/assignments/port-numbers


Primary Connections

Protocols use at least one port during a session. When you define a protocol definition, you must specify which port the protocol uses to establish the session. This port is the primary connection. For example, the Simple Mail Transfer Protocol (SMTP) uses TCP port 25 for a client connection to a mail server. To create a protocol definition for SMTP, you must specify a primary connection that uses TCP port 25 for outgoing connections.


Secondary Connections

Some protocols use multiple ports during the same session. When creating a protocol definition for this type of protocol, you must define one or more secondary connections in addition to the primary connection. For example, the FTP protocol uses TCP port 21 for a client to establish the initial (control) connection with a server and then, by default (active mode), the FTP server opens a connection from TCP port 20 back to the client to transfer data. To create a protocol definition for the FTP protocol, in addition to configuring a primary connection that uses TCP port 21 for an outgoing connection, you must configure a secondary connection that uses TCP port 20 for incoming connections.

Important: Before deleting a protocol definition that you created, always ensure that no rules use that protocol definition. If a rule uses a protocol definition that you delete, ISA Server will not start. In addition, you cannot modify or delete built-in protocol definitions or the protocol definitions that are defined by application filters. For more information about protocol definitions and application filters and for a list of protocol definitions included with ISA Server, see "Configuring protocol definitions" in ISA Server Help.


Creating a New Protocol Definition

To create a new protocol definition:

1. In ISA Management, in the console tree, click Protocol Definitions, and then in the details pane, click Create a Protocol Definition.

2. In the New Protocol Definition Wizard, in the Name box, type the name of the protocol definition, and then click Next.


3. On the Primary Connection Information page, specify a port number between 1 and 65535 that the protocol uses for the initial connection. Specify the protocol type, which is TCP or UDP. Specify the direction, and then click Next:

Outbound (TCP only). An internal computer establishes the connection.

Inbound (TCP only). An external computer establishes the connection.

Send (UDP only). An internal computer sends packets without expecting the external host to reply by using the same connection.

Send/Receive (UDP only). An internal computer sends packets and expects the external host to reply by using the same connection.

Receive (UDP only). An external computer sends packets without expecting the internal host to reply by using the same connection.

Receive/Send (UDP only). An external computer sends packets and expects the internal host to reply by using the same connection.


4. On the Secondary Connections page, specify whether to use secondary connection settings. If the protocol that you are defining uses secondary connections, for each secondary connection, click New, and then specify the port range, protocol type, and the direction of the secondary connection, click OK, and then click Next.

5. On the Completing the New Protocol Definition Wizard page, review your choices, and then click Finish.
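The protocol definition described in this lesson, as an added example that is not part of the original module, in Python. It models what the wizard collects (a single-port primary connection, optional secondary connections with a port range, TCP or UDP, and the direction values the wizard offers for each), validates it under the constraints the lesson states (ports 1 to 65535, TCP or UDP only, TCP directions Outbound/Inbound, UDP directions Send, Send/Receive, Receive and Receive/Send), builds the SMTP and FTP definitions from the text, and keeps the two cautions from the Important note: built-in definitions cannot be deleted, and a definition still used by a rule is refused for deletion instead of leaving a configuration that ISA Server will not start with. The store class, its rule bookkeeping and the rule names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

TCP_DIRECTIONS = ("Outbound", "Inbound")
UDP_DIRECTIONS = ("Send", "Send/Receive", "Receive", "Receive/Send")

@dataclass(frozen=True)
class Connection:
    port_from: int
    port_to: int          # same as port_from for a single port
    protocol_type: str    # "TCP" or "UDP": the only types a protocol definition can carry
    direction: str

    def validate(self) -> None:
        if not (1 <= self.port_from <= self.port_to <= 65535):
            raise ValueError(f"port range {self.port_from}-{self.port_to} is outside 1-65535")
        if self.protocol_type == "TCP":
            allowed = TCP_DIRECTIONS
        elif self.protocol_type == "UDP":
            allowed = UDP_DIRECTIONS
        else:
            raise ValueError(f"{self.protocol_type}: only TCP and UDP can be defined here; "
                             "use an IP packet filter for other protocol types such as ICMP")
        if self.direction not in allowed:
            raise ValueError(f"'{self.direction}' is not a {self.protocol_type} direction")

@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    primary: Connection                     # the port that establishes the session
    secondary: Tuple[Connection, ...] = ()  # extra connections some protocols open mid-session
    built_in: bool = False

    def validate(self) -> bool:
        self.primary.validate()
        if self.primary.port_from != self.primary.port_to:
            raise ValueError("the primary connection is a single port number")
        for conn in self.secondary:
            conn.validate()
        return True

def smtp_definition() -> ProtocolDefinition:
    """SMTP: the client connects to TCP 25 on the mail server."""
    return ProtocolDefinition("SMTP", Connection(25, 25, "TCP", "Outbound"))

def ftp_definition() -> ProtocolDefinition:
    """Active-mode FTP: the client opens control on TCP 21, the server calls back from TCP 20."""
    return ProtocolDefinition("FTP", Connection(21, 21, "TCP", "Outbound"),
                              secondary=(Connection(20, 20, "TCP", "Inbound"),))

class ProtocolDefinitionStore:
    """Hypothetical store of definitions and the rules that reference them (not an ISA API)."""
    def __init__(self) -> None:
        self.definitions: Dict[str, ProtocolDefinition] = {}
        self.used_by: Dict[str, Set[str]] = {}

    def add(self, definition: ProtocolDefinition) -> None:
        definition.validate()
        if definition.name in self.definitions:
            raise ValueError(f"{definition.name} already exists")
        self.definitions[definition.name] = definition

    def add_rule(self, rule_name: str, definition_name: str) -> None:
        if definition_name not in self.definitions:
            raise KeyError(definition_name)
        self.used_by.setdefault(definition_name, set()).add(rule_name)

    def delete(self, definition_name: str) -> None:
        definition = self.definitions[definition_name]
        if definition.built_in:
            raise PermissionError(f"{definition_name} is built in and cannot be deleted")
        rules = self.used_by.get(definition_name)
        if rules:
            raise ValueError(f"{definition_name} is still used by rules {sorted(rules)}; "
                             "delete or change those rules first")
        del self.definitions[definition_name]

def rejects(action: Callable[[], object]) -> bool:
    """True if the action is refused by one of the checks above."""
    try:
        action()
    except (ValueError, PermissionError):
        return True
    return False
```

Before removing a definition in the real console, the check that matters is the one in delete(): list the protocol rules first and confirm none of them names the definition, because the console does not stop you and the failure shows up only when the service next starts.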


Creating Content Groups

ISA Server includes several preconfigured content groups.

[Screenshot: ISA Management console, Servers and Arrays > LONDON > Policy Elements > Content Groups, listing the preconfigured groups. The content type column is cut off in the screenshot; truncated lists end in "...".]

Name | Description | Content types

Application | Applications | application/hta, application/x-internet-signup, application/x-pkcs7-certific...

Application Data Files | Files containing data for applications | application/x-mscardfile, application/x-perform, application/x-msclip, appl...

Audio | Audio files | audio/*, .ra, .ram, .rmi, .au, .snd, .aif, .aifc, .wav, .m3u, .mid, .mp3

Compressed Files | Compressed Files | application/x-gzip, application/x-tar, application/x-gtar, application/x-com...

Documents | Documents | text/tab-separated-values, text/xml, text/h323, application/postscript, appl...

HTML Documents | HTML Documents | text/webviewhtml, text/html, .htm, .html, .htt, .stm, .xsl

Images | All known types of images | .cod, .cmx, .ief, .pbm, .pnm, .ppm, .gif, .bmp, .jfif, .jpe, .jpg, .jpeg, .ico, .pgm, .ras

Macro Documents | Documents that may contain macr... | application/msword, application/vnd.ms-excel, application/x-msaccess, a...

Text | Text content | .txt, .h, .c, .htc, .vcf, .etx, .uls, .css, .bas, .rtx, text/plain, text/x-component, text/...

Video | Video files | video/*, .asf, .asr, .asx, .avi, .ivf, .lsf, .lsx, .mov, .movie, .mlv, .mp2, .mpa, .mpe, ...

VRML | VRML | x-world/x-vrml, .flr, .wrl, .wrz, .xaf, .xof


Content groups define types of Web content. Use content groups to create rules that allow or deny access to Web requests based on the type of content. When you create content groups, you must specify the content's Multipurpose Internet Mail Extensions (MIME) type and file extension. ISA Server uses MIME types when applying rules to HTTP traffic and file extensions when applying rules to FTP traffic. ISA Server includes many predefined content groups. You can also define new content groups when you want to create a rule that is not predefined.

Note: For a list of default MIME types and file extensions, see "Configuring content groups" in ISA Server Help.


To create a content group:

1. In ISA Management, in the console tree, right-click Content Groups, point to New, and then click Content Group.

2. In the New Content Group dialog box, in the Name box, type the name of the content group.

3. In the Description box, type a description for the content group.


4. In the Available Types box, do one of the following:

To | In the Available types box
Select an existing content type | Select a file extension or a MIME type.
Add a new content type | Type a new file extension or a MIME type.


5. Click Add, repeat this step for additional content types, and then click OK.

Important: ISA Server uses content groups only when applying rules to HTTP requests from all client types and to FTP requests from Web Proxy clients.


Configuring Access Policies and Rules

Planning Access Policies

Creating Protocol Rules

Creating Site and Content Rules


ISA Server access policies and the rules that you use to implement these policies help your organization meet security policy requirements. Proper planning helps to ensure that you configure rules that are appropriate for your organization. Rules determine the type of access to grant users for specific sites on the Internet. An access policy can contain protocol rules and site and content rules. In addition, ISA Server uses bandwidth rules to determine which connections get priority.


In this lesson you will learn about the following topics:

Planning access policies

Creating protocol rules

Creating site and content rules

Planning Access Policies

1. Determine the policy structure.

2. Gather organizational support.

3. Implement policy.

4. Evaluate policy.

Diagram: an access policy consists of site and content rules and protocol rules.

Before you configure Internet access for clients, you must carefully examine the Internet access requirements of your organization and then implement policies and authentication methods that are based on those requirements. Use the following steps to plan your access policies:


1. Determine the policy structure. The first step in designing an access policy is to determine how you want to structure your access policy:

Allow all access with the exception of specific rules that deny access. This policy is best suited for an organization that makes Internet access freely available and that has few reasons to restrict Internet access of any kind by employees.

Deny all access except the type of access that you specifically allow. This policy is best suited for an organization that uses the Internet for only a few specific uses.

Many organizations employ a combination of both types of access policy. For example, an organization may allow access to all Web sites, except for a few selected Web sites, by using the HTTP protocol. The same organization may allow other outgoing Internet traffic by using only a few protocols that have been specifically approved.


2. Gather organizational support. When designing your organization's access policy, it is recommended that you confer with all relevant decision makers in your organization, including management, human resources, and legal departments.

3. Implement policy. After your access policy is in place, you can configure ISA Server authentication and rules to implement your organization's requirements. It is recommended that all required components of the policy are in place before you allow Internet access.

4. Evaluate policy. After you have configured your rules, it is important that you periodically review the policy. You must ensure that all rules work together and that they do not conflict with each other.

Creating Protocol Rules

Wizard pages, in order:

Name the Rule

Specify the Rule Action

Select the Protocol(s)

Select a Schedule

Select a Client Type

Protocol rules determine the protocols that clients can use to gain access to the Internet. For example, a protocol rule might allow clients to use the HTTP protocol.

Important: ISA Server processes a request for a user to gain access to an Internet site only if a protocol rule permits the use of the protocol and a site and content rule allows access to the site.


To create a protocol rule:

1. In ISA Management, in the console tree, expand Access Policy, click Protocol Rules, and then in the details pane, click Create a Protocol Rule.

2. In the New Protocol Rule Wizard, in the Protocol rule name box, type a name for the protocol rule, and then click Next.

3. On the Rule Action page, click Allow or Deny to specify the rule action, and then click Next.


4. On the Protocols page, click one of the following options, and then click Next.

If you select | Then
All IP traffic | No further action is required. For Firewall clients, ISA Server allows or denies all IP traffic. For SecureNAT clients, ISA Server allows or denies all traffic that matches an existing protocol definition.
Selected protocols | Select the check boxes for all protocols to which the rule will apply.
All IP traffic except selected | Select the check boxes for all protocols to which the rule will not apply.

5. On the Schedule page, select a schedule, and then click Next.

6. On the Client Type page, click one of the following options, and then click Next.

If you select | Then
Any request | No further action is required.
Specific computers (client address sets) | On the Client Sets page, click Add to add client sets. The rule applies to requests from only the computers that belong to the client set that you select.
Specific users and groups | On the Users and Groups page, click Add to add users and groups. The rule applies to requests from only the users or groups that you select.

7. On the Completing the New Protocol Rule Wizard page, review your choices, and then click Finish.


Disabling and Deleting Protocol Rules

You can disable protocol rules that you are not using. To disable a protocol rule, in the details pane, click the rule, and then on the Action menu, click Disable. To re-enable a rule, click the rule, and then on the Action menu, click Enable. To permanently remove a rule, click the rule, and then click Delete a Protocol Rule.

Creating Site and Content Rules

Wizard pages, in order:

Name the Rule

Specify the Rule Action

Select a Destination Set

Select a Schedule

Select a Client Type

Site and content rules determine if users or client address sets can gain access to specific content on specific destination sets. For example, a site and content rule might allow a group of users to gain access to any destination on the Internet from any computer in a specific department.


To create a site and content rule:

1. In ISA Management, in the console tree, expand Access Policy, click Site and Content Rules, and then in the details pane, click Create a Site and Content Rule.

2. In the New Site and Content Rule Wizard, in the Site and Content rule name box, type a name for the rule, and then click Next.

3. On the Rule Action page, click Allow or Deny to specify the rule action.

Note: You can also choose to redirect users to a specific Web page when users attempt to gain access to a prohibited Web site. For example, you can use a Web page to provide information about your organization's access policies. To redirect users, on the Rule Action page, select the If HTTP request, redirect request to this site check box, and then type the complete URL of the Web page.


5. On the Destination Sets page, select the destination to which the rule applies, perform the associated actions, and then click Next.

If the rule applies to | Then
All destinations | Select a schedule, and then select a client type.
All internal destinations | Select a schedule, and then select a client type.
All external destinations | Select a schedule, and then select a client type.
Specified destination set | Select a schedule, select a client type, and then select the previously configured destination set.
All destinations except selected sets | Select a schedule, select a client type, and then select the previously configured destination set.

6. On the Completing the New Site and Content Rule Wizard page, review your choices, and then click Finish.


Disabling and Deleting Site and Content Rules

You can disable site and content rules that you are not using. To disable a site and content rule, in the details pane, click the rule, and then on the Action menu, click Disable. To re-enable a rule, click the rule, and then on the Action menu, click Enable. To permanently remove a rule, click the rule, and then click Delete a Site and Content Rule.


Using Content Groups in Site and Content Rules

You cannot add a content type to a site and content rule by using the New Site and Content Rule Wizard.

To add a content group to an existing rule:

1. In ISA Management, in the details pane, click the site and content rule that you want to configure, and then click Configure a Site and Content Rule.

2. In the Properties dialog box for the rule, on the HTTP Content tab, click Selected content groups, select one or more check boxes for the applicable content groups, and then click OK.


Configuring Bandwidth Rules

Bandwidth Rules Overview

Creating Bandwidth Rules


Bandwidth rules determine how ISA Server treats client requests when your network is congested. ISA Server applies bandwidth rules only when there is insufficient bandwidth for all user requests. ISA Server allocates all available bandwidth according to the bandwidth rules that you define.

Note: Before you create bandwidth rules, consider the impact on the system resources of the ISA Server computer. Establishing connections to which a bandwidth rule applies incurs additional processing overhead.


In this lesson you will learn about the following topics:

Bandwidth rules overview

Creating bandwidth rules

Bandwidth Rules Overview

Network Allocation

User Allocation

Unused Priorities

Rule Order

Default Rule

Diagram: network traffic assigned to Priority A and Priority B.

You use bandwidth rules to assign a priority to different types of network traffic. ISA Server allocates bandwidth as follows:


Network allocation. ISA Server allocates available bandwidth proportionally to the bandwidth priorities that apply to current network traffic. For example, you assign bandwidth priority A to network traffic from managers, and priority A is 30. You assign bandwidth priority B to requests from employees, and priority B is 20. When both employees and managers connect to the Internet, ISA Server allocates 60 percent of available bandwidth to traffic with priority A and 40 percent of available bandwidth to traffic with priority B.


User allocation. All users who are assigned a priority share the bandwidth that ISA Server allocates to that priority. For example, if your bandwidth priorities result in 60 percent of available bandwidth being allocated to managers, all managers share this portion of bandwidth.


Unused priorities. When bandwidth that is allocated to a priority is not used, ISA Server dynamically allocates the unused bandwidth to a higher priority. For example, if employees do not use the bandwidth that ISA Server allocates to them, ISA Server makes the unused bandwidth available to managers.


Rule order. ISA Server processes bandwidth rules in order. If a request matches the conditions specified by a bandwidth rule, ISA Server applies the bandwidth rule to the request. If the request does not match the conditions specified by the bandwidth rule, ISA Server processes the next bandwidth rule.


Default rule. If no other bandwidth rule applies to the request, ISA Server applies the default rule. ISA Server always applies the default rule last. The default rule assigns the default bandwidth priority, which is 100 for both inbound and outbound traffic unless you change it. You can change the numbers that the default bandwidth priority uses.


Default scheduling priority. When you create a bandwidth rule, instead of assigning a bandwidth priority you can use the operating system's default scheduling priority. The default scheduling priority guarantees a minimum bandwidth, which is always much lower than the bandwidth allocated to a request with a specified bandwidth priority.
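The allocation rules above (first-match rule order with the default rule last, proportional network allocation, and redistribution of unused bandwidth) can be worked through in a small model. The following Python is an added example, not ISA Server code and not from the course; the rule set, user names and demand figures are constructed to mirror the page's managers-and-employees example. It generalizes the two-priority example to any number of active priorities: a priority that needs less than its share keeps only what it needs, and the remainder is split among the priorities that still have unmet demand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str        # authenticated user name (constructed sample values below)
    protocol: str    # protocol definition name, e.g. "HTTP"


@dataclass(frozen=True)
class BandwidthRule:
    name: str
    priority: int                          # bandwidth priority number, e.g. 30 for "Priority A"
    protocols: Optional[Set[str]] = None   # None = all IP traffic
    users: Optional[Set[str]] = None       # None = any request


# Hypothetical rule set: managers get priority A (30), employees priority B (20).
RULES: List[BandwidthRule] = [
    BandwidthRule("Managers", priority=30, protocols={"HTTP"}, users={"manager1", "manager2"}),
    BandwidthRule("Employees", priority=20, protocols={"HTTP"}, users={"employee1", "employee2"}),
]
DEFAULT_PRIORITY = 100   # the default rule's priority, as stated on the page


def match_rule(rules: List[BandwidthRule], req: Request) -> Tuple[str, int]:
    """Rule order: the first matching rule wins; the default rule is always applied last."""
    for rule in rules:
        if rule.protocols is not None and req.protocol not in rule.protocols:
            continue
        if rule.users is not None and req.user not in rule.users:
            continue
        return rule.name, rule.priority
    return "Default rule", DEFAULT_PRIORITY


def allocate_bandwidth(weights: Dict[str, int], demand: Dict[str, float],
                       effective_bandwidth: float) -> Dict[str, float]:
    """Split the effective bandwidth (Kbps) among the priorities that currently carry traffic.

    Network allocation: each priority receives a share proportional to its number.
    Unused priorities: a priority that needs less than its share keeps only what it
    needs; the remainder is redistributed proportionally among the priorities that
    still have unmet demand. User allocation (all users on one priority sharing its
    portion) is implicit in summing demand per priority before calling this.
    """
    allocation = {p: 0.0 for p in weights}
    unmet = {p for p in weights if demand.get(p, 0.0) > 0.0}
    remaining = float(effective_bandwidth)
    while unmet and remaining > 1e-9:
        total_weight = sum(weights[p] for p in unmet)
        satisfied = [p for p in unmet
                     if demand[p] - allocation[p] <= remaining * weights[p] / total_weight]
        if not satisfied:
            # Every remaining priority wants more than its share: hand out the shares.
            for p in unmet:
                allocation[p] += remaining * weights[p] / total_weight
            break
        for p in satisfied:
            grant = demand[p] - allocation[p]
            allocation[p] += grant
            remaining -= grant
            unmet.discard(p)
    return allocation


def allocate_for_requests(rules: List[BandwidthRule], requests: List[Request],
                          demand_per_request: List[float],
                          effective_bandwidth: float) -> Dict[str, float]:
    """Map each request to its rule, sum demand per rule, then split the bandwidth."""
    weights: Dict[str, int] = {}
    demand: Dict[str, float] = {}
    for req, kbps in zip(requests, demand_per_request):
        name, prio = match_rule(rules, req)
        weights[name] = prio
        demand[name] = demand.get(name, 0.0) + kbps
    return allocate_bandwidth(weights, demand, effective_bandwidth)


if __name__ == "__main__":
    # Two managers and one employee all saturating a constructed 56 Kbps link.
    active = [Request("manager1", "HTTP"), Request("manager2", "HTTP"), Request("employee1", "HTTP")]
    print(allocate_for_requests(RULES, active, [40.0, 40.0, 40.0], 56.0))
```

With both priorities saturated, priority A (30) and priority B (20) receive 60 and 40 percent of the link, the figures the page gives; when employees demand less than their 40 percent, the unused portion flows to the managers.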

Creating Bandwidth Rules

Wizard pages, in order:

Name the Rule

Select the Protocol(s)

Select a Schedule

Select a Client Type

Select a Destination Type

Select a Content Group

Select Bandwidth Priority

You must configure effective bandwidth before you create bandwidth rules.


Configuring Effective Bandwidth

Before you create bandwidth rules, you must configure your effective bandwidth. ISA Server uses the effective bandwidth to determine when network congestion occurs. Set the effective bandwidth to match the slowest network connection. For example, if your internal network operates at 100 megabits per second (Mbps) and your dial-up connection to the Internet operates at 56 kilobits per second (Kbps), the effective bandwidth is 56 Kbps.


To configure your effective bandwidth:

1. In ISA Management, in the console tree, right-click Bandwidth Rules, and then click Properties.

2. In the Bandwidth Rules Properties dialog box, select the Enable bandwidth Control check box, type the effective bandwidth in Kbps, and then click OK.


Creating a New Bandwidth Rule

To create a new bandwidth rule:

1. In ISA Management, in the console tree, right-click Bandwidth Rules, point to New, and then click Rule.

2. In the New Bandwidth Rule Wizard, in the Bandwidth rule name box, type a name for the bandwidth rule, and then click Next.


3. On the Protocols page, click one of the following options, and then click Next.

If you select | Then
All IP traffic | No further action is required.
Selected protocols | Select the check boxes for all protocols to which the rule will apply.
All IP traffic except selected | Select the check boxes for all protocols to which the rule will not apply.

4. On the Schedule page, select a schedule, and then click Next.

5. On the Client Type page, click one of the following options, and then click Next.

If you select | Then
Any request | No further action is required.
Specific computers (client address sets) | On the Client Sets page, click Add to add client sets.
Specific users and groups | On the Users and Groups page, click Add to add users and groups.

6. On the Destination Sets page, click one of the following options, and then click Next.

If you select | Then
All destinations | No further action is required.
All internal destinations | No further action is required.
All external destinations | No further action is required.
Specified destinations | Select a destination set.
All destinations except selected set | Select a destination set.

7. On the Content Groups page, select one or more content groups, and then click Next.

8. On the Bandwidth Priority page, click one of the following options, and then click Next.

If you want to specify | Then
The default Windows 2000 scheduling priority | Click Use default scheduling priority.
A previously configured bandwidth priority | Click Custom.

9. On the Completing the New Bandwidth Rule Wizard page, review your choices, and then click Finish.


Disabling and Deleting Bandwidth Rules

You can disable bandwidth rules that you are not using. To disable a bandwidth rule, click the rule, and then on the Action menu, click Disable. To re-enable a rule, click the rule, and then on the Action menu, click Enable. To permanently remove a rule, click the rule, and then on the Action menu, click Delete.


Using ISA Server Authentication

Authentication Overview

Configuring Authentication for Outgoing Web Requests

Selecting Authentication Methods

Configuring Authentication Methods


How you configure authentication for ISA Server depends on the type of client. Requiring authentication for all Web Proxy clients allows you to configure access rules that are based on users and group membership. It also allows you to include information about user Web activity in ISA Server logs. ISA Server supports several authentication methods to meet the requirements of your organization. You can also select more than one method of authentication, if necessary.


In this lesson you will learn about the following topics:

Authentication overview

Configuring authentication for outgoing Web requests

Selecting authentication methods

Configuring authentication methods

Authentication Overview

Diagram: clients of each type connect through ISA Server to the Internet.

SecureNAT client: no user-based authentication.

Firewall client: authentication is based on client credentials.

Web Proxy client: authentication is dependent on browser and operating environment.

ISA Server authentication is separate from the authentication that may be required for a Web site or other Internet resource. ISA Server requires authentication only to process rules that control access based on a user's identity. The administrator of the Web site determines the level of access, if any, that a user may have to that site.


The ISA Server authentication that you use depends on the type of client:


SecureNAT clients. For SecureNAT clients, there is no user-based authentication. You can restrict access to the Internet based only on sites, content, the IP address of the client computer, protocol, and time of day.


Firewall clients. When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client. Because Firewall client authentication is automatic, no configuration is required to enable authentication of users who gain access to ISA Server by using a Firewall client.

Note: By default, the Firewall service passes all HTTP and FTP requests from Firewall clients to the Web Proxy service, but it does not forward client authentication information. To ensure proper authentication of Web requests from Firewall clients, configure Web browsers as Web Proxy clients on computers that run the Firewall client.


Web Proxy clients. Web Proxy clients do not automatically send authentication information to ISA Server. By default, ISA Server requests credentials from a Web Proxy client to identify a user only when processing a rule. You can configure which method the client and ISA Server use for authentication. When configuring authentication for Web Proxy clients, you must consider both the Web browser and the networking environment. You can also configure ISA Server to require authentication for all Web requests so that ISA Server can log information about which user connects to which Web site.


Configuring Authentication for Outgoing Web Requests

Screen capture: LONDON Array Properties, Outgoing Web Requests tab. The same listener configuration is used for all internal IP addresses (server LONDON, TCP port 8080, SSL port 8443, Integrated authentication), and the Ask unauthenticated users for identification check box is shown under Connection settings.

When you configure authentication, ISA Server verifies the identity of the user before processing a Web request that originates from a Web Proxy client. By default, Web Proxy clients use anonymous connections to connect to ISA Server. ISA Server requests user credentials from Web Proxy clients only when it is required, such as when a rule allows only specific users to gain access to a Web site.

You can configure ISA Server to request authentication for all Web requests from Web Proxy clients. Requiring authentication for all requests ensures that ISA Server can log information about the Web sites to which users gain access. However, when you require authentication, you must ensure that all Web Proxy clients can send authentication information.


To configure authentication for outgoing Web requests:

1. In ISA Management, in the console tree, right-click the appropriate server or array, and then click Properties.

2. On the Outgoing Web Requests tab, select the Ask unauthenticated users for identification check box, and then click OK.


Important: Require ISA Server to ask unauthenticated users for identification. If your rules allow all users access to one or more Web sites but deny specific users access to the same Web sites, you must configure ISA Server to require authentication for users. If any of your rules allow the Anonymous user access to a Web site, a user may be granted access to the site even though there is a rule that denies access specifically to that user. This is because a Web browser first attempts an anonymous connection, which may be granted by a rule that allows all users access. Requiring authentication ensures that users can never establish an anonymous connection. For more information, see "Rules and authentication" in ISA Server Help.
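The interaction described in this note, together with the earlier points that a request needs both a permitting protocol rule and an allowing site and content rule, and that content groups match HTTP on MIME type and FTP on file extension, can be traced in a small model. The Python below is an added example, not ISA Server code and not from the course: the rule classes, the user and host names, and the `web_proxy_request` function are constructed for illustration. It assumes, as this page does not state, that a matching deny rule takes precedence over allow rules, and it models the anonymous-first behaviour in simplified form: with the check box clear the anonymous attempt is evaluated as-is, and credentials are requested only if that attempt is not already permitted.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

# Content groups, constructed from entries in the page's content-group table.
CONTENT_GROUPS = {
    "HTML Documents": {"text/webviewhtml", "text/html", ".htm", ".html", ".htt", ".stm", ".xsl"},
    "Macro Documents": {"application/msword", "application/vnd.ms-excel", "application/x-msaccess"},
}


@dataclass(frozen=True)
class Request:
    protocol: str                 # e.g. "HTTP" or "FTP"
    destination: str              # host name
    user: Optional[str] = None    # None = anonymous (no credentials supplied yet)
    mime_type: str = ""           # content type of an HTTP response
    extension: str = ""           # file extension of an FTP download


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    protocols: Optional[FrozenSet[str]] = None       # protocol rules; None = all IP traffic
    destinations: Optional[FrozenSet[str]] = None    # site rules; None = all destinations
    users: Optional[FrozenSet[str]] = None           # None = any request
    content_groups: Optional[FrozenSet[str]] = None  # None = any content


def content_in_group(group: str, req: Request) -> bool:
    # Content groups are matched on MIME type for HTTP and on file extension for FTP.
    key = req.mime_type if req.protocol == "HTTP" else req.extension
    return key.lower() in CONTENT_GROUPS[group]


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if rule.destinations is not None and req.destination not in rule.destinations:
        return False
    if rule.content_groups is not None and not any(content_in_group(g, req) for g in rule.content_groups):
        return False
    # A user-specific rule cannot match a request whose user is unknown.
    if rule.users is not None and (req.user is None or req.user not in rule.users):
        return False
    return True


def evaluate(rules: List[Rule], req: Request) -> str:
    # Assumption (not stated on this page): a matching deny rule wins over allow rules.
    matched = [r for r in rules if rule_matches(r, req)]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if any(r.action == "allow" for r in matched) else "deny"


def request_permitted(protocol_rules: List[Rule], site_rules: List[Rule], req: Request) -> bool:
    # Both a protocol rule and a site and content rule must allow the request.
    return evaluate(protocol_rules, req) == "allow" and evaluate(site_rules, req) == "allow"


def web_proxy_request(protocol_rules: List[Rule], site_rules: List[Rule], req: Request,
                      credentials: str, ask_unauthenticated: bool) -> bool:
    """Simplified model of a Web Proxy client request (hypothetical helper).

    The browser connects anonymously first. With ask_unauthenticated set, ISA Server
    demands credentials before evaluating any rule; otherwise the anonymous attempt
    is evaluated and credentials are requested only if it is not already permitted.
    """
    if ask_unauthenticated:
        return request_permitted(protocol_rules, site_rules, replace(req, user=credentials))
    if request_permitted(protocol_rules, site_rules, replace(req, user=None)):
        return True   # granted anonymously; user-specific deny rules were never consulted
    return request_permitted(protocol_rules, site_rules, replace(req, user=credentials))


# Constructed policy: Web protocols allowed, all sites allowed, one user blocked from one site.
PROTOCOL_RULES = [Rule("Allow Web protocols", "allow", protocols=frozenset({"HTTP", "FTP"}))]
SITE_RULES = [
    Rule("Allow all Web sites", "allow"),
    Rule("Block bob from example", "deny",
         destinations=frozenset({"www.example.com"}), users=frozenset({"bob"})),
]

if __name__ == "__main__":
    page = Request("HTTP", "www.example.com", mime_type="text/html")
    for ask in (False, True):
        print(f"ask_unauthenticated={ask}: bob permitted ->",
              web_proxy_request(PROTOCOL_RULES, SITE_RULES, page, "bob", ask))
```

With the check box clear, bob's anonymous attempt matches only the allow-all rule and the deny rule written for him never applies; with it set, his credentials are obtained first and the deny rule takes effect, while a user the deny rule does not name is still allowed.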


Selecting Authentication Methods

Basic Authentication

Digest Authentication

Integrated Windows Authentication

Client Certificate Authentication


ISA Server authentication establishes the identity of the user who issues a request from a Web Proxy client. After ISA Server has established the user's identity, it can apply rules that are based on the user's identity and log which user issues which Web requests. ISA Server supports four methods of authentication. The authentication method that you choose depends on your computing environment and your security requirements. You can configure ISA Server to use one or more authentication methods. When you specify multiple methods, ISA Server and the Web Proxy client negotiate the most secure method that both can use. ISA Server supports the following methods of authentication:

Basic authentication. Prompts users for a user name and password before allowing Web access. Basic authentication sends and receives user information as plain text and does not use encryption. Basic authentication is the least secure authentication method that ISA Server supports. Because basic authentication is part of the HTTP specification, most browsers support it.

Important: Because a malicious user on your internal network could capture network packets that contain user names and passwords, evaluate whether you require authentication before using Basic authentication.

Digest authentication. Passes authentication credentials through a process called hashing. Hashing creates a string of characters based on the password but does not send the actual password across the network, ensuring that no one can capture a network packet containing the password and impersonate the user. Digest authentication currently works only in a domain in which all of the domain controllers are running Windows 2000. It is part of the HTTP 1.1 specification and is supported by Microsoft Internet Explorer 5 or later and by other HTTP 1.1-compliant Web browsers. Use Digest authentication when you need to connect to ISA Server across a third-party firewall or a third-party proxy server.
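To make the difference between the Basic and Digest descriptions above concrete, here is an added Python example (not part of the course and not ISA Server code) that builds the Proxy-Authorization value each method sends and shows what the proxy must store to verify it. The user name, password, realm, nonce and URI are constructed sample values; the Digest computation follows RFC 2617 without the qop extension, which is an assumption about the variant in use.

```python
import base64
import hashlib

# Constructed sample values for illustration; none come from the course material.
REALM = "northwind.msft"
NONCE = "5f1c0e2a9b7d4c3e8a6f"      # constructed server challenge nonce
METHOD, URI = "GET", "http://www.contoso.msft/"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic: base64 of user:password. Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials_in_clear(header: str):
    """What the proxy, and anything on the path, can read from a Basic header."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """What the server keeps for Digest: a hash, never the password itself."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest response (no qop), as an HTTP 1.1 client computes it."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1: str, nonce: str, method: str, uri: str,
                  response: str) -> bool:
    """Server side: recompute from the stored hash and compare with the client's value."""
    return digest_response(stored_ha1, nonce, method, uri) == response


if __name__ == "__main__":
    hdr = basic_header("alice", "S3cret!")
    print(hdr, "->", basic_credentials_in_clear(hdr))
    ha1 = digest_ha1("alice", REALM, "S3cret!")
    resp = digest_response(ha1, NONCE, METHOD, URI)
    print("digest response:", resp)
    print("verifies with issued nonce:", verify_digest(ha1, NONCE, METHOD, URI, resp))
    print("same response, fresh nonce:", verify_digest(ha1, "new-nonce", METHOD, URI, resp))
```

The last line of output is the property the course relies on: a Digest response is bound to the server's nonce, so a copy of one exchange does not verify once the server issues a new challenge, and the password never appears on the wire. The Basic header, by contrast, decodes straight back to the password, which is why the course says to evaluate whether authentication is needed at all before enabling it.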

Integrated Windows authentication. Uses either the Kerberos V5 authentication protocol or the Windows challenge/response authentication protocol, which do not send the user name and password across the network. Integrated Windows authentication works with Internet Explorer 2.0 or later. Use Integrated Windows authentication when all of the client computers use Internet Explorer.

Client certificate authentication. Requests a client certificate from the client before allowing the request to be processed. Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization. Client certificates usually contain identifying information about the user and the organization that issued the client certificate. Use client certificate authentication when your organization requires certificates for user authentication.

Important: When selecting an authentication method, ensure that all client Web browsers can use at least one of the selected authentication methods. Otherwise, users will not be able to gain access to external Web sites.

Configuring Authentication Methods

[Slide screenshot: the LONDON Array Properties dialog, Outgoing Web Requests tab (Identification: Use the same listener configuration for all internal IP addresses / Configure listeners individually per IP address; Ask unauthenticated users for identification; Enable SSL listeners; TCP port: 8080; SSL port: 8443), and the Add/Edit Listeners dialog for Server LONDON, IP Address <All internal IP addresses>, with the Authentication options Basic with this domain, Digest with this domain, Integrated, and Client certificate (secure channel only).]

When you configure authentication methods for outgoing Web requests, you define the authentication method that ISA Server uses for requests that arrive on a single internal network adapter or all of the internal network adapters. ISA Server calls these configuration settings listeners. You can also configure the port that ISA Server uses to listen for client requests.

To configure authentication methods for outgoing Web requests:

1. In ISA Management, in the console tree, right-click the appropriate server or array, and then click Properties.

2. On the Outgoing Web Requests tab, select one of the following options:

If the authentication methods are the same for all IP addresses associated with the internal network adapter: select the appropriate server, click Use the same listener configuration for all IP addresses, and then click Edit.

If the authentication methods are different for IP addresses associated with the internal network adapter: click Configure listeners individually per IP address, and then click Add.

3. In the Add/Edit Listeners dialog box, in the Server list, click the computer for which you are configuring the listener, and then in the IP address list, select the IP address that is associated with the network interface on the internal network that should listen for outgoing Web requests.

4. Under Authentication, select the check boxes for one or more of the following authentication methods, and then click OK twice:

Basic with this domain. If you choose this option, you must also click Edit, and then in the Select Domain dialog box, select the domain in which the user accounts that you use for authentication are located.

Digest

Integrated

Client certificate (secure channel only)

5. In the ISA Server Warning dialog box, click Save the changes and restart the service(s), and then click OK. If you want to restart the service later (for example, if there are current user connections), click Save the changes, but don't restart the service(s), click OK, and then manually stop and start the Web Proxy service later.

Changing the Listener Port

By default, ISA Server listens for requests from Web Proxy clients on port 8080. If Web Proxy clients are configured to use a different port, you can change the port that ISA Server uses to listen for client requests.

To change the listening port, in the Properties dialog box for the ISA Server computer, in the TCP box, type the port number on which ISA Server will listen for Web Proxy requests.

Note: You can also configure ISA Server to encrypt communications with Web Proxy clients. This configuration may be required in a high-security environment in which all communication between the Web Proxy client and the ISA Server must be secured. For information about how to enable Secure Sockets Layer (SSL) listeners to provide a secure channel between client computers and the ISA Server computer, see "Configuring outgoing Web request properties" in ISA Server Help.

Lab A: Enabling Secure Internet Access

Objectives

After completing this lab, you will be able to:

Create policy elements.

Configure access policies and rules.

Configure authentication for outgoing Web requests.

Prerequisites

Before working on this lab, you must have:

Experience using ISA Management.

Knowledge of ISA Server policy elements and rules.

Knowledge of ISA Server authentication methods.

Lab Setup

This lab environment includes the following resources:

A computer running Microsoft Windows 2000 Advanced Server with ISA Server installed.

A computer running Windows 2000 Advanced Server that is configured as a Firewall client and a Web Proxy client and that has ISA Management installed.

Exercise 1: Creating Policy Elements

In this exercise, you will create the policy elements that are required to implement your security policy.

Scenario

You must implement an Internet access policy for Northwind Traders. Before you can create the required rules, you must create the policy elements that you will use to create these rules.

These policy elements are:

A schedule that includes periods of high network utilization, which is the current time until two hours from now.

A destination set that includes the Web site www.contoso.msft/sports.

A client address set for the Accounting department.

A protocol definition for the line-of-business application.

A content group for the .bild file type.

A bandwidth priority definition for high priority traffic.

Exercise 2: Creating Protocol Rules

Scenario

After the policy elements are created to implement the access policy for Northwind Traders, the protocol rules required to enforce this policy must be created.

These protocol rules are:

A protocol rule that allows all users to gain access to the Internet by using the HTTP, HTTP-S, and FTP protocols.

A protocol rule that allows members of the Domain Admins group to gain access to the Internet by using all protocols.

A protocol rule that allows access to the line-of-business application.

A protocol rule that denies all Internet access from the Accounting department.

Exercise 3: Creating Site and Content Rules

In this exercise, site and content rules will be created.

Scenario

Northwind Traders' access policy requires rules that restrict access based on specific content. To accomplish this task, site and content rules must be created.

The site and content rules are:

A site and content rule that denies access to the Web site www.contoso.msft/sports during periods of high network usage.

A site and content rule that denies access to files that have a .bild extension.

Exercise 4: Configuring Authentication

In this exercise, authentication settings for ISA Server will be configured.

Scenario

User-level authentication must be configured for all users in a network, regardless of which Web browser they use. To do this, an ISA Server must be configured to use Basic Authentication. After confirming that Basic Authentication works, an ISA Server must be configured to use Integrated Authentication in addition to Basic Authentication.

Review

Access Policies and Rules Overview

Creating Policy Elements

Configuring Access Policies and Rules

Configuring Bandwidth Rules

Using ISA Server Authentication