Microsoft 2004 User Manual

ISA Server 2004 Configuration Guide
Introduction 
The ISA Server 2004 firewall controls which communications may pass between the networks 
connected to one another through the firewall. By default, the ISA Server 2004 firewall computer 
blocks all traffic; the only two mechanisms for allowing traffic through the firewall are: 
•  Access Rules, and 
•  Publishing Rules 
Access Rules control outbound access from a protected network to an unprotected network. 
ISA Server 2004 treats every network that is not part of the External network as protected, 
and every network comprising the External network as unprotected. Protected networks include the 
VPN Clients network, the Quarantined VPN Clients network, the Local Host network, the 
Internal network, and perimeter networks. The Internet is the primary External network, 
although partner networks and extranets to which protected clients connect can also be 
treated as External networks. 
In contrast, Publishing Rules allow hosts on the External network to access resources on a 
protected network. For example, an organization may wish to host its own Web, mail and FTP 
servers; Web Publishing Rules and Server Publishing Rules allow External hosts to reach these resources. 
In Chapter 9 of the ISA Server 2004 Configuration Guide, we used a Network Template to 
create network relationships and Access Rules automatically. Those Access Rules were 
deliberately loose so that you could reach all sites and protocols on the Internet. While this 
configuration is useful for testing the basic functionality of the ISA Server 2004 firewall, a secure 
firewall configuration requires access controls that limit what users on the 
protected networks can reach on the Internet. 
An Access Rule includes the following elements: 

Rule Element       Description 
Order (priority)   Firewall Access Policy is an ordered list of Access Rules. Rules 
                   are processed from top to bottom until a match for a particular 
                   connection is found. The first rule whose elements all match the 
                   connection is applied; later rules are not consulted, and a 
                   connection that matches no rule is blocked by the default deny. 
Action             One of two actions: Allow or Deny. 
Protocols          Any TCP/IP protocol: TCP, UDP, ICMP, and any other protocol 
                   identified by its IP protocol number. 
From/Listener      The source of the communication: a single IP address, a 
                   collection of IP addresses, an entire subnet, or multiple 
                   subnets. 
To                 The destination of the communication: a domain or collection 
                   of domains, a URL or collection of URLs, an IP address, a 
                   collection of IP addresses, a subnet, multiple subnets, or 
                   multiple networks. 
Condition          The user or group to which the rule applies. 

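The first-match behaviour of the Order element is easiest to see in code. The following Python model is an added illustration, not part of the Configuration Guide and not ISA Server code: it evaluates an ordered list of rules built from the elements just described against constructed connections, shows that a Deny rule placed beneath a broader Allow rule is shadowed, and shows that anything no rule matches falls to the default deny. The addresses, domain names, user names and rule names are invented placeholders, and real ISA matching (address ranges, computer sets, the authentication prompt Web Proxy clients receive when a rule requires credentials) is simplified to its first-match core.

```python
"""Illustrative model of ISA Server 2004 Access Rule evaluation (added example, not ISA code).

Policy is an ordered list; the first rule whose Protocols, From, To and Condition all
match a connection decides Allow or Deny, and an unmatched connection hits the default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard for "all protocols" / "all destinations" (the External network)


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_name: str                    # destination as the client named it
    dst_ip: str                      # address it resolved to
    protocol: str                    # ISA protocol definition name, e.g. "HTTP"
    user: Optional[str] = None       # None = unauthenticated client
    groups: frozenset = frozenset()  # group memberships of that user


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "Allow" or "Deny"
    protocols: frozenset  # e.g. {"HTTP", "HTTPS"}, or {ANY}
    sources: tuple        # From: subnets in CIDR notation
    destinations: tuple   # To: CIDR subnets, domain names, "*.suffix" domain sets, or ANY
    users: frozenset      # Condition: "All Users", "All Authenticated Users", or group names

    def _from_matches(self, conn):
        ip = ipaddress.ip_address(conn.src_ip)
        return any(ip in ipaddress.ip_network(s, strict=False) for s in self.sources)

    def _to_matches(self, conn):
        ip = ipaddress.ip_address(conn.dst_ip)
        for dest in self.destinations:
            if dest == ANY:
                return True
            try:                                  # address or subnet entry
                if ip in ipaddress.ip_network(dest, strict=False):
                    return True
                continue
            except ValueError:                    # not an address: a domain name entry
                pass
            name = conn.dst_name.lower()
            if dest.startswith("*."):             # domain name set: the domain and its subdomains
                suffix = dest[2:].lower()
                if name == suffix or name.endswith("." + suffix):
                    return True
            elif name == dest.lower():
                return True
        return False

    def _user_matches(self, conn):
        if "All Users" in self.users:
            return True
        if conn.user is None:                     # anonymous client: only "All Users" can match
            return False
        return "All Authenticated Users" in self.users or bool(self.users & conn.groups)

    def matches(self, conn):
        proto_ok = ANY in self.protocols or conn.protocol in self.protocols
        return (proto_ok and self._from_matches(conn)
                and self._to_matches(conn) and self._user_matches(conn))


def evaluate(policy, conn):
    """Walk the ordered policy top to bottom; the first matching rule wins."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action, rule.name
    return "Deny", "<default deny>"


def matching_rules(policy, conn):
    """Every rule that would match, in order: entries after the first are shadowed."""
    return [r.name for r in policy if r.matches(conn)]


# Constructed sample policy; addresses, names and rules are placeholders, not ISA defaults.
INTERNAL = ("10.0.0.0/8",)
POLICY = [
    AccessRule("Deny banned sites", "Deny", frozenset({"HTTP", "HTTPS"}),
               INTERNAL, ("*.banned.test",), frozenset({"All Users"})),
    AccessRule("Allow web for staff", "Allow", frozenset({"HTTP", "HTTPS"}),
               INTERNAL, (ANY,), frozenset({"All Authenticated Users"})),
    AccessRule("Allow DNS from internal DNS server", "Allow", frozenset({"DNS"}),
               ("10.0.0.53/32",), (ANY,), frozenset({"All Users"})),
]
MISORDERED = [POLICY[1], POLICY[0], POLICY[2]]   # Deny moved below the broad Allow: shadowed

# Constructed sample connections.
STAFF_WEB = Connection("10.0.1.5", "www.example.test", "203.0.113.10", "HTTP", "alice", frozenset({"Staff"}))
STAFF_BANNED = Connection("10.0.1.5", "ads.banned.test", "203.0.113.20", "HTTPS", "alice", frozenset({"Staff"}))
ANON_WEB = Connection("10.0.1.9", "www.example.test", "203.0.113.10", "HTTP")
STAFF_FTP = Connection("10.0.1.5", "ftp.example.test", "203.0.113.30", "FTP", "alice", frozenset({"Staff"}))
DNS_FWD = Connection("10.0.0.53", "ns.example.test", "198.51.100.1", "DNS")

if __name__ == "__main__":
    for label, conn in [("staff web", STAFF_WEB), ("staff banned", STAFF_BANNED),
                        ("anonymous web", ANON_WEB), ("staff FTP", STAFF_FTP), ("DNS server", DNS_FWD)]:
        print(f"{label:14s} -> {evaluate(POLICY, conn)}")
    print("misordered, staff banned ->", evaluate(MISORDERED, STAFF_BANNED),
          "matches:", matching_rules(MISORDERED, STAFF_BANNED))
```

The `matching_rules` helper is the check worth keeping: when a connection you expected to be denied is allowed, list every rule that matches it and look at which one sits first. In the misordered policy the Deny rule still matches, but it never gets consulted because the broad Allow above it wins.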
Access Rules give you fine-grained control over which users can reach which sites 
and protocols. For example, consider the following Access Rule: