Using ISA Server 2004 Network Templates to Automatically Create Access Policy:
The Edge Firewall Template

By Thomas W Shinder M.D.

ISA Server 2004 introduces a lot of usability enhancements that makes it easier than every to get the firewall configured and provide secure access to the Internet. ISA Server 2000 firewall veterans will recall their early experiences with trying to get the firewall configured to connect internal network clients to the Internet; it wasn’t always a simple or quick experience. There were Policy Elements to configure, Access Rules that depended on Policy Elements that you might not have configured yet, listeners to configure, and lots more. ISA Server 2004 removes a lot of the guesswork by providing a set of preconfigured network templates that you can use to quickly configure the firewall.

The ISA Server 2004 firewall uses Network Templates to simplify Network object and firewall policy configuration. There are five preconfigured Network Templates:

These network templates are named after the role you want the ISA Server 2004 firewall to take on the network. The Microsoft Internet Security and Acceleration Server 2004 management console interface provide a picture of the firewall’s position on the network which makes selecting the correct template even easier.

In this article we’ll go over the details of the Edge Firewall network template. This Network Template is used when the ISA Server 2004 firewall is at the Internet edge, with an external interface connected to the Internet and an internal interface connected to the LAN. You can also use this template if you have a broadband router or broadband NAT device in front of the ISA Server 2004 firewall.

The network template should be used after you have configured the network interfaces correctly. For more details on configuring the ISA Server 2004 firewall’s network interfaces, including the DNS and default gateway settings, check out my article Get Up and Running with ISA Server 2004 Beta 2 at http://isaserver.org/articles/isa2004beta2.html.

The figure below shows the ISA Server 2004 perspective on the Edge Firewall template. The Internal Network is located behind the ISA Server 2004 firewall and is protected by it. The Local Host network represents the ISA Server 2004 firewall itself. The External Network (Internet) is represents all the hosts that are not located on the Internal network or on the VPN clients network. The VPN Clients network is a special network that is dynamically created by the ISA Server 2004 firewall that contains the IP addresses of connected VPN clients.

The Edge Firewall Template perform two major tasks for you:

The Internal network is a collection of IP addresses that you will configure when you run the Edge Firewall Template Wizard. The Wizard will also allow you to select a Firewall Policy that controls the flow of traffic between the Internal network, VPN Clients network, and the External network.

The Wizard allows you to choose from a number of different Firewall Policy. These pre-defined Firewall Policies include:

This firewall policy prevents all network access through the firewall. Use this option when you want to define the entire firewall policy on your own. This option requires that network infrastructure services (such as DNS) are available in the Internal Network because there are no Access Rules that enable Internal network clients access to DNS servers on the Internet.

This firewall policy prevents all network access through the firewall except for network infrastructure services (such as DNS). This option is useful when network infrastructure services are provided by your Internet Service Provider (ISP). Use this option when you want to define the firewall policy for client access on your own. The following rules will be created:

DNS: Allow DNS from Internal Network, VPN Clients to the Internet

This firewall policy allows access to Web sites, but no other network access through the firewall. Use this option when you want to allow Web access only. You can modify this policy later to allow other types of network access. This option requires that network infrastructure services (such as DNS) are available in the Internal network and have some mechanism to reach the Internet to resolve Internet host names. You will need to manually configure a DNS Access Rule to allow access to Internet DNS servers to resolve DNS host names if you use this template. The following rules will be created:

1. Web access: Allow HTTP, HTTPS, FTP from Internal Network, VPN Clients to the Internet

2. VPN: Allow all protocols from VPN Clients to Internal Network

This firewall policy solves the name resolution problems introduced with the Restricted Web Access firewall policy noted above. This firewall policy allows access to Web sites and Internet DNS servers, but no other network access is allowed through the firewall. Use this option when you want to allow only Web access to hosts on the Internal network. You can modify the policy later to allow other types of network access. This option is useful when network infrastructure services (such as DNS) are provided by your Internet Service Provider (ISP). The following rules will be created:

1. Web access: Allow HTTP, HTTPS, FTP from Internal Network, VPN Clients to the Internet

2. DNS: Allow DNS from Internal Network, VPN Clients to the Internet

3. VPN: Allow all protocols from VPN Clients to Internal Network

Allow all types of access to the Internet through the firewall. The firewall will prevent access from the Internet to the protected networks. Use this option when you want to allow all Internet access. You can modify the policy later to stop some types of network access. The following rules will be created:

1. Internet access: Allow all protocols from Internal Network, VPN Clients to the Internet

2. VPN: Allow all protocols from VPN Clients to Internal Network

It’s worth clarifying the DNS policy implemented in some of these rules. While its technically true that the DNS rule allows networks that do not host their own DNS servers to resolve Internet host names, this does not mean that the DNS rule does not work for those networks that host their own DNS server. When you have your own DNS server on the Internal network, that DNS sever must have access to all Internet DNS servers, or to a DNS forwarder. Therefore, you can use the firewall policies noted above that include a DNS rule to support DNS servers on your own Internal network.

If you’re testing ISA Server 2004 firewalls at this time, the best template for you to begin with is the Unrestricted Internet access firewall policy template. This will allow outbound access for Internal network clients to all protocols. At a later time, when you are more comfortable with creating Access Policies, you can then configure more granular and more restrictive outbound access controls.

Creating Firewall Policy using the Edge Firewall Network Template

Perform the following steps to create firewall Access Policy using the Edge Firewall Network Template:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the computer name in the scope pane. Then expand the Configuration node.
  2. Click on the Networks node. Click the Open/Close Task Pane button for the Task Pane if the Task Pane is not open. In the Task Pane, click the Template tab. On the Templates tab, click the Edge Firewall template.

  1. Click Next on the Welcome to the Network Template Wizard page.
  2. On the Export the ISA Server Configuration page, click the Export button. We want to save the current configuration in the event that we’re not pleased with the results of the Edge Network template.

  1. In the Export Configuration dialog box, enter a name for the backup configuration file in the File name text box. Place checkmarks in the Export user permission settings and Export confidential information (encryption will be used) checkboxes. Then click Export.

  1. In the Set Password dialog box, enter a password and confirm the password in the Password and Confirm password text boxes. The password protects the confidential information stored in the backup file. Click OK.

  1. Click OK in the Exporting dialog box when it say that it has Successfully export the configuration.
  2. Click Next on the Export the ISA Server Configuration page.
  3. On the Internal Network IP Addresses page, confirm that the Wizard has correctly identified the IP addresses on the Internal network. The Internal network is the network that contains the infrastructure servers and other important network servers with which the ISA Server 2004 firewall must communicate. Example of these types of servers include the Active Directory domain controller, DNS server, DHCP server, IAS server, and Certificate Server. You can use the Add Adapter and Add Private buttons to add more IP addresses to this list. IP addresses in the Address Ranges list will be allowed Internet access based on the Firewall Policy you configured later on in the Wizard. Click Next after all the IP addresses are entered into the list.

  1. On the Select a Firewall Policy page, select a firewall policy from the Select a firewall policy list. There are five policies you can select from. Click on each of the firewall policies and read the Description for each one. In this example we will select the Unrestricted Internet Access policy. This firewall policy will allow hosts on the Internal network and VPN clients network full Internet access for all protocols that are available to them. SecureNAT clients will have access to all protocols listed on the Protocols page of the toolbox, and Firewall client will have access to all Internet protocols. Click Next.

  1. Review the settings on the Completing the Network Template Wizard page and click Finish.
  2. Click Apply to save the changes and update the firewall policy.

Review the Changes to the Firewall Policy

The Network Template Wizard has created two rules that you can view in the Firewall Policy node of the Microsoft Internet Security and Acceleration Server 2004 management console. Perform the following steps to review the changes made to the firewall’s Access Policies:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the scope pane and then click on the Firewall Policy node. In the Details pane you can see two rules created by the Network Template Wizard.

  1. The first rule on the list is the Unrestricted Internet access rule. This rule has the following characteristics:

    2.  

    Action: Allow

    Protocols: All Protocols

    From: Internal and VPN Clients networks

    To: External

    Condition: All Users

    This rule allows all devices on the Internal network and VPN clients network full access to the Internet. Notice that in contrast to how things works with ISA Server 2000, VPN clients can now access the Internet through the ISA Server 2004 firewall. In ISA Server 2000, you could not make VPN clients SecureNAT clients; this meant that VPN clients needed to be configured as Firewall clients before they could access the Internet. ISA Server 2004 solves this problem and now the VPN clients can access Internet resources without needing to be configured as Firewall clients.

  2. The second rule on the list is the VPN to Internal Access rule. This rule has the following characteristics:

    3.  

    Action: Allow

    Protocols: All Protocols

    From: VPN Clients network

    To: Internal

    Condition: All Users

    This rule allows VPN clients access to all resources on the Internal network.

Test the Firewall Policy from an Internal Network Client

You can test the new Firewall Policy from an internal network client system. Go to a machine on the internal network and perform the following steps:

  1. At the internal network client, open Internet Explorer and enter the URL http://www.microsoft.com/isaserver in the Address bar. Click OK.
  2. The ISA Server Web site appears in the browser.
  3. You can monitor the connections internal network clients make to the Internet using the real time logging feature available in ISA Server 2004. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node.
  4. In the Details pane, click the Logging tab. On the Logging tab, click the Start Query link.

  1. Click the Show/Hide Console Tree button to hide the scope pane. Click the Open/Close Task Pane button to close the Task Pane. This allows you a clean view of the real time monitor.
  2. At the internal network client machine, click a link on the ISA Server Web site. Then return to the Microsoft Internet Security and Acceleration Server 2004 management console to view the results in the real time monitor. You can see the details of the connection, including the source and destination IP addresses, the protocol used, the source network and destination network, and the user name of the user who initiated the connection.

Click the figure below to see it in full size:

Conclusion

ISA Server 2004 simplifies configuring the Internal network address list and creating firewall policies through the use of network templates. In this article we went over the Edge Firewall network template. The Edge Firewall network template configures the Internal Network IP address range and creates a firewall policy. In this example we used the Full Internet Access firewall policy that allows all hosts on the Internal network and the VPN clients network full access to the Internet. The Edge Network Template and the Full Access firewall policy is an ideal way to start with your review of how ISA Server 2004 network templates work. In future articles we will review the other ISA Server 2004 Network Templates and the Firewall Policies that are available to you when using those templates.

hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000020 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!