Access Policies Overview

Protocol rules and site and content rules determine access policy in ISA Server:

  • Protocol rules define which protocols clients can use to access the Internet.

  • Site and content rules define which sites and content can be accessed. Because no protocol rules are defined and applied when you install ISA Server, traffic will not be able to pass through.

Packet filters are used to manage the flow of IP packets to ISA Server and from ISA Server. Packet filtering inspects the header of each packet for protocol, port, and destination address and source address information. Packets are dropped if they are not explicitly allowed. Packet filtering is disabled in ISA cache mode. In ISA Firewall mode and Integrated mode, packet filtering is enabled. This means that all packets are dropped if they are not allowed by access policy, packet filters, and publishing rules.

If you running the ISA Server Enterprise Edition, then you can create access rules and policy elements at:

  • Array level

  • Enterprise level

The policy type that you apply at the array determines which policies are created at the array level, and which policies are created at the enterprise level.

The ISA Server Enterprise Edition allows you to create the following rules at the enterprise level:Creating and Managing Access Policies in ISA Server

  • Site and content rules

  • Protocol rules

  • Certain policy elements

With the ISA Server Standard Edition, you can create all site and content rules, and all protocol rules at the same place. Publishing rules and dial-up entries on the other hand must be created at the ISA server level.

ISA Server rules are affected by policy elements. Policy elements pertain to a part or component of an access policy. They are not created explicitly for each rule. Policy elements are predefined, and can be reused and customized.

The policy elements that you can define in ISA Management are listed here:

  • Destination sets; IP addresses of specific computers, or computer names.

  • Client address sets; IP addresses of specific client computers, or authenticated users and groups.

  • Schedules; when a rule is implemented.

  • Bandwidth priorities; define the priority level of a connection.

  • Protocol definitions; includes port number, TCP or UDP, and direction.

  • Content groups; MIME types or filename extensions, and content types that exist on the Web.

Policy elements can be defined at the enterprise level or at the array level.

The different rules and policy elements, and the places where they can be created are listed below:

  • Site and content rules: Type of policy:

    • Array Only: Use array policy only:

      • Can only be created at the array level

    • Enterprise Only: Use this enterprise policy:

      • Can only be created at the enterprise level

    • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

      • Can be created at the array level and enterprise level. At the array level it is deny only.

  • Protocol rules: Type of policy:

    • Array Only: Use array policy only:

      • Can only be created at the array level and at the enterprise level

    • Enterprise Only: Use this enterprise policy:

      • Can only be created at the enterprise level

    • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

      • Can be created at the array level and enterprise level. At the array level it is deny only.

    • Bandwidth priorities: Type of policy:

      • Array Only: Use array policy only:

        • Can only be created at the array level.

      • Enterprise Only: Use this enterprise policy:

        • Can only be created at the array level.

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can only be created at the array level.

    • Destination sets: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at the array level and at the enterprise level

      • Enterprise Only: Use this enterprise policy:

        • Can be created at the array level and at the enterprise level

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at the array level and at the enterprise level

    • Client address sets: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at the array level and at the enterprise level

      • Enterprise Only: Use this enterprise policy:

        • Can be created at the array level and at the enterprise level

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at the array level and at the enterprise level

    • Protocol definitions: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at the array level and at the enterprise level

      • Enterprise Only: Use this enterprise policy:

        • Can be created at the array level and at the enterprise level

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at the array level and at the enterprise level

    • Content groups: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at the array level and at the enterprise level

      • Enterprise Only: Use this enterprise policy:

        • Can be created at the array level and at the enterprise level

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at the array level and at the enterprise level

    • Schedules: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at the array level and at the enterprise level

      • Enterprise Only: Use this enterprise policy:

        • Can be created at the array level and at the enterprise level.

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at the array level and enterprise level.

    • Dial-up entries: Type of policy:

      • Array Only: Use array policy only:

        • Can be created at any server in the array.

      • Enterprise Only: Use this enterprise policy:

        • Can be created at any server in the array.

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at any server in the array.

    • Publishing rules: Type of policy:

      • Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy:

        • Can be created at any server in the array.

    The order in which access rules are processed for outgoing requests is illustrated here:

    • Protocol rules

    • Site and content rules

    • IP packet filters

    • Routing rules/firewall chaining

      The Getting Started Wizard

    ISA Server provides the Getting Started Wizard to assist and guide you in the initial setup of ISA Server, and in creating customized access policies.
    You can use the Getting Started Wizard to create and configure the following:

    • Create enterprise level policy elements for ISA array installations.

    • Configure enterprise policy settings for ISA array installations.

    • Create enterprise level site and content rules for ISA array installations.

    • Create enterprise level protocol rules for ISA array installations.

    • Create array level policy elements.

    • Create array level site and content rules.

    • Create array level protocol rules.

    • Configure packet filtering

    • Configure cache policy

    • Configure system security.

    How to launch the Getting Started Wizard

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the ISA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the detail pane.

    • The Getting Started Wizard appears.

      Configuring Customized Policy Elements

    Configuring Schedules
    Schedules determine when a rule is implemented. When you install ISA Server, there are two predefined schedules:

    • Work Hours; allows access Mondays – Friday, from 9am to 5pm.

    • Weekends; allows access on a Saturday and Sunday – all day.

    The rules that can use schedules are:

    • Site and content rules

    • Protocol rules

    • Bandwidth rules

    Configuring destination sets
    A destination set can be either of the following:

    • A single computer name, or multiple computers

    • A single IP address

    • A domain name.

    • An IP address range

    You can apply access rules to:

    • All destination sets.

    • A specific destination set.

    • All computers other than the specified destination set.

    The rules that can use destination sets are:

    • Site and content rules

    • Bandwidth rules

    • Routing rules

    • Web publishing rules

    Configuring client address sets
    Client address sets contain one or multiple computers. You can apply access rules to:

    • All client address sets.

    • All client address sets other than the specified client address set.

    The rules that can use client address sets are:

    • Site and content rules

    • Protocol rules

    • Bandwidth rules

    • Web publishing rules

    • Server publishing rules

    Configuring protocol definitions
    ISA Server provides a number of preconfigured protocol definitions which you can use to create server publishing rules, protocol rules, and application filters. You can use the ISA Management console to create customized protocol definitions.

    The rules that can use protocol definitions are:

    • Protocol rules

    • Bandwidth rules

    • Server publishing rules

    When creating customized protocol definitions, you have to configure the settings listed here:

    • Port number; used for the primary connection and is a port number between 1 and 65,535.

    • Protocol type; Transmission Control Protocol (TCP) protocol or User Datagram Protocol (UDP) protocol.

    • Direction; traffic flow direction can be:

      • Send Only

      • Receive Only.

      • Send Receive

      • Receive Send

    • Secondary connection; you can configure secondary connections as well, by setting the port number, protocol, and traffic flow direction.

    Configuring content groups
    Content groups apply to the following types of traffic:

    • Hypertext Transfer Protocol (HTTP) traffic

    • Tunneled File Transfer Protocol (FTP) traffic

    Content groups are used to define:

    • Multipurpose Internet Mail Extensions (MIME) types.

    • File name extensions.

    Content groups are used by:

    • Site and content rules.

    • Bandwidth rules

    ISA provides the predefined content groups listed below. You can though use the ISA Management console to create your own content groups.

    • Application

    • Application Data Files

    • Audio

    • Compressed Files

    • Documents

    • HTML Documents

    • Images

    • Macro Documents

    • Text

    • Video

    • VRML

    Configuring bandwidth priorities
    Bandwidth rules make it possible for you to set the priority for requests. Bandwidth rules are configured by specifying the elements listed below. These elements have to be defined before you create the bandwidth rule.
    :

    • Protocol definitions

    • IP addresses and users

    • Destination sets

    • Schedule

    • Content types

    • Bandwidth priority

      How to configure customized schedules

    • Open the ISA Management console.

    • Expand the Policy Elements node.

    • Right-click Schedules and select New and then select Schedule from the shortcut menu.

    • Provide a name for the schedule in the Name box.

    • Provide a description in the Description box.

    • You can define the schedule by using the available schedule table.

    • If you want to enable the schedule, select the Action option.

    • If you want to disable the schedule, select the Disable option.

    • Click OK.

      How to configure customized destination sets

    • Open the ISA Management console.

    • Expand the Policy Elements node.

    • Right-click Destination Sets and select New and then select Set from the shortcut menu.

    • Provide a name for the destination set in the Name box.

    • Provide a description in the Description box.

    • Click the Add button.

    • The Add/Edit Destination dialog box opens.

    • Select the Destination option.

    • In the available box enter the fully qualified domain name or the computer name.

    • To specify an IP address range, select the IP Addresses option and then enter the applicable IP addresses in the From box and To box.

    • Enter the path on the computers in the Path box.

    • Click OK in the Add/Edit Destination dialog box opens.

    • Click OK.

      How to configure customized client address sets

    • Open the ISA Management console.

    • Expand the Policy Elements node.

    • Right-click Client Address Sets and select New and then select Set from the shortcut menu.

    • Provide a name for the client address set in the Name box.

    • Provide a description in the Description box.

    • Click the Add button.

    • To specify an IP address range, in the From box, enter the lowest IP address and in the To box, enter the highest IP address.

    • Click OK twice.

      How to configure customized protocol definitions

    • Open the ISA Management console.

    • Expand the Policy Elements node.

    • Right-click Protocol Definitions and select New and then select Definition from the shortcut menu.

    • The New Protocol Definition Wizard launches.

    • Provide a name for the new protocol definition and click Next.

    • The Primary Connection Information page opens. Configure the following settings for the connection:

      • Port number

      • Protocol type

      • Direction

    Click Next.

    • When the Secondary Connections page opens, choose whether or not a secondary connection is included as well. If you set to include a secondary connection, enter the following settings for the connection:

      • Port number

      • Protocol type

      • Direction

    Click Next.

    • Click Finish.

      How to configure customized content groups

    • Open the ISA Management console.

    • Expand the Policy Elements node.

    • Right-click Content Groups and select New and then select Content Groups from the shortcut menu.

    • Provide a name for the content group in the Name box.

    • Provide a description in the Description box.

    • If you want to use a predefined content type, select the MIME type or file name extension in the Available Types drop down list box.

    • If you want to add a new content type, enter the MIME type or file name extension.

    • Click Add.

    • Click OK.

      How to configure bandwidth rules

    • Open the ISA Management console.

    • Navigate to the Bandwidth Rules folder.

    • Right-click the folder and select New Rule from the shortcut menu.

    • The New Bandwidth Rule Wizard launches.

    • In the Name box enter the name of the bandwidth rule.

    • In the Description box, enter a description for the bandwidth rule. Click Next.

    • Choose between the following options:

      • Apply This Rule to All IP Traffic

      • Selected Protocols

      • Except Selected Protocols

    Specify the selected protocols and then click Next.

    • You next have to define the schedule for the rule. This schedule defines when the rule will be enforced. Click Next.

    • Set the client type, and then click Next.

    • Specify the destinations that the rule applies to.

      • All Destinations

      • All Internal Destinations

      • All External Destinations

      • Specified Destination Set

      • All Destinations Except the Selected Set.

    • Specify the destination set if necessary. Click Next.

    • Select the content group. Options include:

      • All Content Groups

      • Selected Content Groups

    Click Next.

    • On the Bandwidth Priority page, specify the bandwidth priority.

    • Click Next and then click Finish.

      How to configure ISA Server cache policy (using the Getting Started Wizard)

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the SA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the details pane.

    • The Getting Started Wizard launches.

    • Select the Configure Cache Policy link.

    • The Cache Configuration Policy dialog box opens, displaying the General tab.

    • Click the HTTP tab.

    • The Enable HTTP Caching checkbox is enabled by default.

    • Select between the following options:

      • Frequently (Expire Immediately) option; if you want objects stored in the ISA Server cache to be more current.

      • Normally option; if you want objects in the ISA Server cache to be current but with consideration to network performance. This is the default configuration setting for HTTP object caching frequency.

      • Less Frequently (Reduced Network Traffic Is More Important) option; if network performance is more important than having up to date object information stored in the ISA Server cache.

    • Click the FTP tab.

    • Select the Enable FTP Caching checkbox.

    • Use the Time To Live For All Objects textbox to configure the Time To Live setting for all FTP objects. Select the time unit: Seconds, Minutes, Hours, Days, or Weeks.

    • Click the Active Caching tab.

    • Select the Enable Active Caching checkbox. Then choose the frequency for active caching:

      • Frequently option; if you want frequently accessed objects in cache refreshed prior to the objects expiring.

      • Normally option; if you want frequently accessed objects stored in the cache to be updated with consideration to network performance.

      • Less Frequently option; if you want frequently accessed objects in the cache to be updated, but network performance is more important.

    • Click the Advanced tab.

      • If you want to place a limit on the size of objects that are cached, enable the Do Not Cache Objects Larger Than checkbox. Specify the unit – KB, MB, GB.

      • If you want ISA Server to cache objects that have no last modification date specified, then enable the Cache Objects That Have An Unspecified Last Modification Time checkbox.

      • To configure negative caching, enable the Cache Objects Even If They Do Not Have An HTTP Status Code Of 200 checkbox.

      • If you want ISA Server to cache dynamic content, then choose the Cache Dynamic Content (Objects With Question Marks In The URL) checkbox.

      • In the Maximum Size Of URL Cached In Memory box, specify the maximum object size which ISA Server can cache in RAM.

      • If you do not want ISA Server to return an expired object from its cache when the Web server cannot be accessed to obtain a current version of the object, select the Do Not Return The Expired Object (Return An Error Page) option.

      • If you want ISA Server to return the expired object from its cache, select the Return The Expired Object Only If Expiration Was option. You next have to define TTL settings which will determine whether the expired object is returned or not.

      • Set the maximum percentage of the TTL in the At Less Than This Percentage Of Original Time To Live textbox. The object will not be returned from the cache if the expiration time is greater than this setting.

      • Enter the percentage of free memory to use for caching in the Percentage Of Free Memory To Use For Caching textbox.

    • Click OK.

      How to configure ISA Server to use a dial-up connection as the primary network connection (using the Getting Started Wizard)

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the ISA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the details pane.

    • The Getting Started Wizard launches.

    • Select the Configure Dial-Up Entries link.

    • Select the Create A Dial-Up Entry link.

    • Click Yes to the message, needing verification that the dial-up entry should be used as the default connection.

    • The New Dial-Up Entry dialog box opens.

    • Enter a name for the dial-up entry in the Name box.

    • Enter a description in the Description box.

    • Click the Select button.

    • Select the network dial-up connection to use.

    • Click Set Account

    • Enter the user name and password information for the dial-up entry.

    • Click OK.

      How to secure the ISA server by locking down Windows (using the Getting Started Wizard)

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the ISA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the details pane.

    • The Getting Started Wizard launches.

    • Select the Secure Server link.

    • Select the Secure Your ISA Server Computer link.

    • The ISA Server Security Configuration Wizard launches.

    • Click Next on the initial page of the ISA Server Security Configuration Wizard.

    • Select one of the following security levels:

      • Dedicated; highest security level.

      • Limited services; medium security level.

      • Secure; lowest security level.

    Click Next.

    • Click Finish.

      How to configure routing for Firewall and SecureNAT client requests (using the Getting Started Wizard)

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the ISA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the details pane.

    • The Getting Started Wizard launches.

    • Select the Configure Routing For Firewall And SecureNAT Clients link.

    • The Network Configuration Properties dialog box opens.

    • To specify routing for Firewall And SecureNAT clients, choose either of the following options:

      • Use Primary Connection; content is retrieved from the Internet directly

      • Use Dial-Up Entry; the dial-up entry is used to retrieve content from the Internet.

    • Select the Chain To This Computer checkbox if you want requests forwarded to another computer. Enter the computer's details in the available box.

    • Click OK.

      How to configure routing for Web Proxy client requests (using the Getting Started Wizard)

    • Open the ISA Management console.

    • Click the View menu and select the Taskpad view option.

    • In the console tree of the ISA Management console, select the Internet Security And Acceleration Server node.

    • Select the Getting Started Wizard icon in the details pane.

    • The Getting Started Wizard launches.

    • Select the Configure Routing For Web Browser Applications link.

    • Select the Configure A Routing Rule For Web Browser Applications link.

    • On the Action tab, configure how ISA Server should route Web Proxy client requests.

    • Click OK.

      Troubleshooting Access Problems

    Access problems can be categorized as follows:

    • User based access problems

    • Packet based access problems

    You should determine which category a problem falls into before commencing actual troubleshooting. This can assist in greatly reducing overall troubleshooting time.

    Before you can troubleshoot access issues, you need to understand how ISA Server processes access rules:

    • Protocol rules are applied first. This is done to determine whether or not the protocol used is specified in a rule. The request continues to be processed when there is no protocol rule that denies it, and there is a rule that allows it.

    • Site and content rules are evaluated next. The request continues to be processed when a site and content rule allows the request, and there is no site and content rule that denies it.

    • Packet filters are examined after site and content rules to check whether or not a blocking filter has been defined.

    • When protocol rules, site and content rules, and packet filters allow the request; then ISA Server uses its routing rules or firewall chaining configuration to determine how the message should be passed on.

    The common user access problems encountered are listed here:

    • Client cannot use a particular protocol.

    • Clients cannot use the protocol rule specified for the protocol definition.

    • Clients are unable to browse external Web sites.

    • Clients receive a 502 error whenever they try to browse an external Web site.

    • Clients can continue to utilize a protocol when the rule for the specific protocol has since been disabled.

    Troubleshooting user based access problems includes troubleshooting and resolving the issues listed here:

    • For Firewall clients, check that configuration settings are correct.

    • For Web Proxy clients, check whether the Web browser is configured correctly. Determine whether any other site can be accessed.

    • Check whether the user is allowed access by a site and content rule. You should check site and content rules applied at the enterprise level and array level.

    • Check whether the user is denied access by a site and content rule.

    • When authentication is required, check whether the client could process the required authentication.

    • Check whether the HTTP redirector filter is enabled for Firewall clients and SecureNAT clients.

    Before troubleshooting packet filter based access problems, you should understand which places control access:

    • ISA Server installation mode.

    • Packet filters.

    • Protocol rules.

    • Protocol definitions.

    • Application filters.

    When you install ISA Server in Firewall mode or in Integrated mode, client access is somewhat more increased than when installing ISA Server in Cache mode. When troubleshooting access problems when ISA Server is installed in Firewall mode or in Integrated mode, you typically have to examine the following components to isolate and resolve the issue:

    • Protocol rules.

    • Packet filters

    • Application filters

    You can use the following sequence of steps to troubleshoot packet filter based access problems in ISA Server Firewall or Integrated mode:

    • Check whether any protocol rules deny access.

    • Check whether a protocol rule allows access.

    • Check whether any packet filters deny access.

    • Check whether any packet filters allows access.

    • Check whether any application filters deny access.

    • Check whether any application filters allows access.

    In Cache mode, ISA Server limits client access as follows:

    • Firewall clients are not supported in ISA Server Cache mode.

    • Packet filters cannot be configured.

    • Protocol rules apply to the following only:

      • HTTP

      • HTTPS

      • FTP

      • Gopher