Procedure 5: Creating enterprise policies

In the Fabrikam enterprise, the main array has a faster Internet connection than does the branch. For this reason, you will allow users on the main array to use the File Transfer Protocol (FTP), whereas, on the branch array, use of FTP will be at the discretion of the array administrator. The administrator of the branch array will be able to deny use of FTP to certain users or at certain times of day.

In this exercise, you will create the two enterprise policies that fit this scenario. The first will allow access on Hypertext Transfer Protocol (HTTP) and HTTPS, and will allow access on FTP unless an array administrator specifically denies it. The second enterprise policy will allow access on FTP without enabling array administrators to deny access on FTP. The difference between how the two policies handle FTP lies in where the enterprise rule allowing FTP access is placed relative to the rules that the array administrator creates.

These procedures take place on the Configuration Storage server. You can also create enterprise policies from an ISA Server array when logged on using enterprise administrator credentials, but in this walk-through you have not yet installed an array.

Create the FTP Optional policy

To create a functional enterprise policy, you must first create the policy, and then create access rules in the policy.

Creating the policy

Create and name the enterprise policy following these steps.

  1. Log on to the domain using enterprise administrator credentials (the user EnterpriseAdmin).

  2. Open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  3. In the MMC console, expand Enterprise, and click Enterprise Policies.

  4. In the task pane, on the Tasks tab, click Create New Enterprise Policy to start the New Enterprise Policy Wizard.

  5. On the Welcome page, provide a name for the new policy, such as Fabrikam FTP Optional Access Policy, and then click Next.

  6. On the Completing the New Enterprise Policy Wizard page, click Finish.

Important

Changes you make in ISA Server Management are not applied until you click the Apply button in the details pane. You can click Apply after each change, or when you have made all of your changes.

Adding access rules to the enterprise policy

After you create the policy, you can add access rules to it. In this example, you will add a pre-array enterprise policy rule that allows Internal clients access to the Internet using HTTP and HTTPS, and a post-array enterprise policy rule that allows Internal clients access to the Internet using FTP. The net effect of this set of rules is that all clients will have Internet access on HTTP and HTTPS, and will also have access on FTP unless the array administrator expressly denies access with an array rule. By putting the FTP enterprise access rule in post-array enterprise rules, you are giving the array administrator an opportunity to control access using this protocol.

To add access rules to the enterprise policy:

  1. In ISA Server Management, expand Enterprise, expand Enterprise Policies, and click Fabrikam FTP Optional Access Policy.

  2. In the task pane, on the Tasks tab, select Create Enterprise Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Enterprise Internet Access on HTTP and HTTPS, and then click Next.

  4. On the Rule Action page, select Allow, and then click Next.

  5. On the Protocols page, in This rule applies to, select Selected protocols. Click Add to open the Add Protocols dialog box. Expand Web, click HTTP, click Add, click HTTPS, and then click Add. Click Close to close the Add Protocols dialog box. On the Protocols page, click Next.

  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close. On the Access Rule Sources page, click Next.

    Note

    The advantage of using All Protected Networks as the source, rather than listing specific networks, is that this rule will include future networks that are added to your enterprise, without requiring you to modify the rule.

  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Enterprise Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.

  8. On the User Sets page, because your rule applies to all users, you can leave the user set All Users in place and then click Next.

  9. Review the information on the wizard summary page, and then click Finish.

  10. Repeat these steps to create a rule called Enterprise Internet Access on FTP allowing access on FTP.

  11. Both rules were created in the post-array enterprise policy by default. Now, you will move the Enterprise Internet Access on HTTP and HTTPS rule into the pre-array enterprise policy. Right-click the rule and select Move Up. Continue to do this until the rule is in the pre-array enterprise policy.


    Note

    Access rules are processed in order. When a request matches a rule, subsequent rules are ignored. Therefore, pre-array enterprise rules, which are evaluated first, cannot be overridden by array rules.

Creating the FTP Always Allowed policy

First create the policy, and then create access rules in the policy.

Creating the policy

Create and name the enterprise policy following these steps.

  1. If you logged out, log on to the domain using enterprise administrator credentials (the user EnterpriseAdmin).

  2. Open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  3. In the MMC console, expand Enterprise, and click Enterprise Policies.

  4. In the task pane, on the Tasks tab, click Create New Enterprise Policy to start the New Enterprise Policy Wizard.

  5. On the Welcome page, provide a name for the new policy, such as Fabrikam FTP Always Allowed Policy, and then click Next.

  6. On the Completing the New Enterprise Policy Wizard page, click Finish.

    Important

    Changes you make in ISA Server Management are not applied until you click the Apply button in the details pane. You can click Apply after each change, or when you have made all of your changes.

Adding access rules to the enterprise policy

After you create the policy, you can add access rules to it. In this example, you will add a pre-array enterprise policy rule that allows Internal clients access to the Internet using HTTP, HTTPS, and FTP. Because this rule will be in the pre-array enterprise rules, the array administrator will not be able to deny FTP access.

To add access rules to the enterprise policy:

  1. In ISA Server Management, expand Enterprise, expand Enterprise Policies, and click Fabrikam FTP Always Allowed Policy.

  2. In the task pane, on the Tasks tab, select Create Enterprise Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Enterprise Internet Access on HTTP, HTTPS and FTP, and then click Next.

  4. On the Rule Action page, select Allow, and then click Next.

  5. On the Protocols page, in This rule applies to, select Selected protocols. Click Add to open the Add Protocols dialog box. Expand Web, click HTTP, click Add, click HTTPS, click Add, click FTP, and then click Add. Click Close to close the Add Protocols dialog box. On the Protocols page, click Next.

  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Network Sets, select All Protected Networks, click Add, and then click Close. On the Access Rule Sources page, click Next.

  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Enterprise Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.

  8. On the User Sets page, because your rule applies to all users, you can leave the user set All Users in place and then click Next.

  9. Review the information on the wizard summary page, and then click Finish.

  10. Move the rule into the pre-array enterprise policy. Right-click the rule Enterprise Internet Access on HTTP, HTTPS and FTP and select Move Up. Continue to do this until the rule is in the pre-array enterprise policy.

  11. In the Firewall Policy details pane, click Apply to apply the changes.
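The point that distinguishes the two policies above, that rules are evaluated pre-array, then array, then post-array, first match wins, is easy to get wrong when reading rule lists in the console. The following Python model is an added example, not code from the ISA Server documentation or product; it reproduces that evaluation order for the two enterprise policies built in this procedure and shows what happens when a branch array administrator adds a deny rule for FTP. The Contractors user set, the branch array rule, the membership of the All Protected Networks set and the final default deny are assumptions made for the model, not values taken from the walk-through.

```python
# Added example: a model of ISA Server rule ordering (pre-array enterprise
# rules, then array rules, then post-array enterprise rules, first match wins).
# Not ISA Server code; user names, the branch rule and network-set membership
# are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "allow", "deny"

# Assumed membership of the network set used as the rule source.
NETWORK_SETS = {
    "All Protected Networks": {"Internal", "VPN Clients", "Local Host"},
}


def expand(names):
    """Expand network-set names into the concrete network names they contain."""
    out = set()
    for n in names:
        out |= NETWORK_SETS.get(n, {n})
    return frozenset(out)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # ALLOW or DENY
    protocols: frozenset                # e.g. {"HTTP", "HTTPS"}
    sources: frozenset                  # concrete network names
    destinations: frozenset
    users: Optional[frozenset] = None   # None models the "All Users" set

    def matches(self, req):
        return (req["protocol"] in self.protocols
                and req["source"] in self.sources
                and req["destination"] in self.destinations
                and (self.users is None or req["user"] in self.users))


def internet_rule(name, action, protocols, users=None):
    """Build a rule shaped like the ones in the walk-through:
    All Protected Networks -> External, optionally limited to a user set."""
    return Rule(name, action, frozenset(protocols),
                expand({"All Protected Networks"}), frozenset({"External"}),
                None if users is None else frozenset(users))


@dataclass
class EnterprisePolicy:
    name: str
    pre_array: list
    post_array: list


# Assumption: with no matching rule the request falls through to a default deny.
DEFAULT_RULE = (DENY, "default", "Default rule")


def evaluate(policy, array_rules, req):
    """Return (action, scope, rule name) for the first rule that matches,
    walking pre-array enterprise rules, then array rules, then post-array rules."""
    ordered = (("pre-array", policy.pre_array),
               ("array", array_rules),
               ("post-array", policy.post_array))
    for scope, rules in ordered:
        for rule in rules:
            if rule.matches(req):
                return rule.action, scope, rule.name
    return DEFAULT_RULE


# The two enterprise policies created in this procedure.
FTP_OPTIONAL = EnterprisePolicy(
    "Fabrikam FTP Optional Access Policy",
    pre_array=[internet_rule("Enterprise Internet Access on HTTP and HTTPS", ALLOW, {"HTTP", "HTTPS"})],
    post_array=[internet_rule("Enterprise Internet Access on FTP", ALLOW, {"FTP"})],
)
FTP_ALWAYS = EnterprisePolicy(
    "Fabrikam FTP Always Allowed Policy",
    pre_array=[internet_rule("Enterprise Internet Access on HTTP, HTTPS and FTP", ALLOW, {"HTTP", "HTTPS", "FTP"})],
    post_array=[],
)

# A rule a branch array administrator might add (constructed for the example).
BRANCH_ARRAY_RULES = [
    internet_rule("Branch: deny FTP to Contractors", DENY, {"FTP"}, users={"contractor1"}),
]


def request(protocol, user="employee1", source="Internal", destination="External"):
    """A constructed client request: protocol, requesting user, source and destination network."""
    return {"protocol": protocol, "user": user, "source": source, "destination": destination}


if __name__ == "__main__":
    for policy in (FTP_OPTIONAL, FTP_ALWAYS):
        for req in (request("HTTP"), request("FTP"), request("FTP", user="contractor1"), request("SMTP")):
            print(policy.name, req["protocol"], req["user"], "->", evaluate(policy, BRANCH_ARRAY_RULES, req))
```

Running the model shows the effect described in the text: under the FTP Optional policy the contractor's FTP request is stopped by the branch array rule because that rule is reached before the post-array FTP allow, while an employee's FTP request passes through to the post-array rule; under the FTP Always Allowed policy the same contractor request is allowed by the pre-array rule and the array deny is never consulted. A protocol no rule mentions (SMTP here) reaches the default rule either way.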

[Topic Last Modified: 10/01/2007]