Chapter 11: Configuring ISA Server 2004 Access Policy

The ISA Server 2004 firewall controls what communications move between networks connected to one another through the firewall. By default, the ISA Server 2004 firewall computer blocks all traffic. The methods used to allow traffic to move through the firewall are:

  • Access Rules, and
  • Publishing Rules

Access Rules control outbound access from a protected network to an unprotected network. ISA Server 2004 considers all networks that are not the External network to be protected. All networks comprising the External network are unprotected. Protected networks include the VPN Clients network, the Quarantined VPN Clients network, the Local Host network, the Internal network, and perimeter networks. The Internet is the primary External network, although partner networks and extranets to which protected clients connect can also be treated as External networks.

In contrast, Publishing Rules allow hosts on the External network access to resources on a protected network. For example, an organization may want to host its own Web, mail, and FTP servers. Web and Server Publishing Rules allow External hosts access to these resources.

In Chapter 9 of the ISA Server 2004 Configuration Guide, we used a Network Template to automatically create network relationships and Access Rules. The Access Rules were very loose in order to allow you to access all sites and protocols on the Internet. While this configuration is useful for testing basic functionality of the ISA Server 2004 firewall, a secure firewall configuration requires that you create access controls limiting what users on the Protected Networks can access on the Internet.

An Access Rule includes the following elements:

  • Order (priority): Firewall Access Policy is an ordered list of Access Rules. Rules are processed from top to bottom until a match for a particular connection is found. The first rule to match the connection’s characteristics is applied.
  • Action: There are two actions, Allow or Deny.
  • Protocols: All TCP/IP protocols are supported, including TCP, UDP, ICMP, and protocols identified by their IP protocol number.
  • From/Listener: The source of the communication. The source can be a single IP address, a collection of IP addresses, an entire subnet, or multiple subnets.
  • To: The destination of the communication. The destination can be a domain or collection of domains, a URL or a collection of URLs, an IP address, a collection of IP addresses, a subnet, multiple subnets, or multiple networks.
  • Condition: The user or group to which the rule applies.

Access Rules allow you to gain a fine level of control over which users have access to sites and protocols. For example, consider the following Access Rule:

  • Order (priority): 1
  • Action: Allow
  • Protocols: HTTP and FTP (download)
  • From/Listener: Internal Network
  • To: www.microsoft.com and ftp.microsoft.com
  • Condition: Limited Web Access (Group)

This rule allows users that belong to the Limited Web Access group to use the HTTP and FTP (download) protocols. However, members of that group must be located on the internal network when they issue the request. In addition, even when members of the Limited Web Access group are located on the internal network, they can only reach the www.microsoft.com and ftp.microsoft.com sites when using these protocols. This prevents users from putting the network at risk by downloading content from other Web sites, which may contain untrusted or dangerous content.

The first step to strong user/group-based outbound access control is configuring the client systems behind the ISA Server 2004 firewall as Firewall and Web Proxy clients. Only Firewall and Web Proxy clients can authenticate with the firewall. By contrast, SecureNAT clients are not able to authenticate, so outbound access control for SecureNAT clients is limited to the source IP address.

In Chapter 10 of the ISA Server 2004 Configuration Guide, you configured the CLIENT machine on the internal network as a SecureNAT, Firewall and Web Proxy client. This configuration enables the machine to send credentials to the ISA Server 2004 firewall so that strong user/group-based Access Rules can be created.

In this chapter, you will create several Access Rules that control outbound access through the ISA Server 2004 firewall. Two rules are based on user/group membership, and one rule will control outbound access based on the source IP address of a server on the internal network.

You will perform the following procedures to create the customized firewall policy:

  • Create a user account
  • Disable the Access Rules created by the Network Template
  • Create an Access Rule limiting protocols and sites users can access
  • Create an Access Rule that provides administrators greater access to protocols and sites
  • Create a DNS server Access Rule allowing the Internal network DNS server access to Internet DNS servers
  • Use HTTP Policy to prevent access to suspect Web sites
  • Test the Access Rules

Create a User Account

The first step is to create a user account to which we can later assign limited Internet access privileges. In practice, the user account can be created in Active Directory or in the local user database on the firewall computer. In our current example, we will create the user account in Active Directory.

Perform the following steps to create the user account for user2:

  1. At the domain controller, click Start and point to Administrative Tools. Click Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console, expand your domain name and click the Users node. Right-click the Users node. Point to New and click User.
  3. On the New Object – User page, enter the name of the user in the First name text box. In this example the first name of the user is User2. Enter the value user2 in the User logon name text box. Click Next.
  4. Enter a password and then confirm the password in the Confirm password text box. Remove the check mark from the User must change password at next logon, and click Next.
  5. Click Next on the Create an Exchange mailbox page.
  6. Click Finish on the last page of the New User Wizard.

Disable the Access Rules created by the Network Template

The next step is to disable the Access Rules created by the Network Template. In this example, we disable the Access Rules created by the 3-Leg perimeter template. You can perform a similar procedure if you used the Front-end firewall Network Template. We want to use these rules later, so we will disable the rules instead of deleting them. Later, we will re-enable the Access Rules created by the Network Template.

Perform the following steps to disable the Access Rules created by the Network Template:

  1. At the ISA Server 2004 firewall computer, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand your server name in the left pane of the console. Click the Firewall Policy node.
  2. In the Details pane, click the first rule created by the Network Template Wizard. Hold down the CTRL key on the keyboard and click the second rule created by the Wizard. Notice that both rules are now highlighted. Right-click the highlighted rules and click Disable.
  3. Click Apply to save the changes and update the firewall policy.
  4. Click OK in the Apply New Configuration dialog box.

Create an Access Rule Limiting Protocols and Sites Users Can Access

The first Access Rule will limit users' access to only the HTTP and HTTPS protocols. In addition, the users will only be able to use these protocols when accessing Microsoft-operated Web properties. A custom firewall User Set will be created, and user2, located in Active Directory, will be placed into that User Set.

The Access Rule can be characterized by the entries in the following table:

  • Order (priority): 3 (after all rules are created)
  • Name: Limited Access Web Users
  • Action: Allow
  • Protocols: HTTP and HTTPS
  • From/Listener: Internal
  • To: Microsoft (Domain Name Set)
  • Condition: Limited Web Users (Group)

The rule appears in the Firewall Policy Details pane with the values listed above.

Perform the following steps to create the limit user Access Rule:

  1. At the ISA Server 2004 firewall computer, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name in the left pane of the console. Click the Firewall Policy node. In the Task pane, click the Tasks tab. Click Create New Access Rule.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will call the rule Limited Users Web Access. Click Next.
  3. On the Rule Action page, select Allow and click Next.
  4. On the Protocols page, select Selected protocols from the This rule applies to drop-down list. Click Add.
  5. In the Add Protocols dialog box, double-click the HTTP and HTTPS protocols. Click Close.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal network, and click Close.
  8. Click Next on the Access Rule Sources page.
  9. On the Access Rule Destinations page, click Add. On the Add Network Entities dialog box, click the New menu, and click Domain Name Set.
  10. In the New Domain Name Set Policy Element dialog box, click New. Enter the first domain name *.microsoft.com and press ENTER. In the same way, enter the following three domains: *.msn.com, *.hotmail.com and *.windows.com. In the Name text box, enter Microsoft and click OK.
  11. In the Add Network Entities dialog box, click the Domain Name Sets folder and then double-click the Microsoft entry. Click Close.
  12. On the User Sets page, select the All Users entry in the This rule applies to requests from the following user sets list, and click Remove. Click Add.
  13. In the Add Users dialog box, click the New menu.
  14. On the Welcome to the New User Sets Wizard page, enter a name for the User Set in the User set name text box. In this example, we will name the User Set Limited Web Users. Click Next.
  15. On the Users page, click Add. Select the Windows users and groups option.
  16. In the Select Users or Groups dialog box, click the Locations button.
  17. In the Locations dialog box, expand the Entire Directory entry and click your domain name. In this example, the domain name is msfirewall.org. Click OK.
  18. In the Select Users or Groups dialog box, enter User2 in the Enter the object names to select text box and click Check Names. When Active Directory finds the user name, it will be underlined. Click OK.
  19. Click Next on the Users page.
  20. Click Finish on the Completing the New User Set Wizard page.
  21. Double-click the Limited Web Users entry in the Add Users dialog box and click Close.
  22. The Limited Web Users entry now appears in the This rule applies to requests from the following user sets list. Click Next.
  23. Click Finish on the Completing the New Access Rule Wizard page.

Create an Access Rule Providing Administrators Greater Access to Protocols and Sites

Network administrators require a higher level of Internet access than other users on the network. However, even network administrators should be restrained from protocols that can lead to a significant risk of network compromise. One of these protocols is the Internet Relay Chat protocol, which is often used to trade viruses and pirated software. We will create a rule that allows members of the Domain Administrators group access to all protocols except for the dangerous IRC protocol.

The Access Rule can be characterized by the entries in the following table:

  • Order (priority): 2 (after all rules are created)
  • Name: Administrator Internet Access
  • Action: Allow
  • Protocols: All Protocols except IRC
  • From/Listener: Internal
  • To: External
  • Condition: Administrators (group)

The rule appears in the Firewall Policy Details pane with the values listed above.

Perform the following steps to create the administrators Access Policy:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, right-click the Firewall Policy node in the left pane of the console, point to New and click Access Rule.
  2. On the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access rule name text box. In this example, we will call the rule Administrator Internet Access. Click Next.
  3. On the Rule Action page, select Allow and click Next.
  4. On the Protocols page, select the All outbound protocols except selected option from the This rule applies to drop-down list, and then click Add.
  5. In the Add Protocols dialog box, click the Instant Messaging folder. Double-click the IRC protocol. Click Close.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder. Double-click the Internal entry and click Close.
  8. On the Access Rule Sources page, click Next.
  9. On the Access Rule Destinations page, click Add. Click the Networks folder and then double-click the External entry. Click Close.
  10. On the User Sets page, click All Users and Remove. Click Add.
  11. In the Add Users dialog box, click the New menu.
  12. On the Welcome to the New User Sets Wizard page, enter a name for the User Set in the User set name text box. In this example, we will name the User Set Administrators. Click Next.
  13. On the Users page, click Add. Select Windows users and groups.
  14. In the Select Users or Groups dialog box, click the Locations button.
  15. In the Locations dialog box, expand the Entire Directory entry and click your domain name. In this example, the domain name is msfirewall.org. Click OK.
  16. In the Select Users or Groups dialog box, enter Domain Admins in the Enter the object names to select text box and click Check Names. When Active Directory finds the group name, the name will be underlined. Click OK.
  17. Click Next on the Users page.
  18. Click Finish on the Completing the New User Set Wizard page.
  19. In the Add Users dialog box, double-click the Administrators entry, and click Close.
  20. Click Next on the User Sets page.
  21. Click Finish on the Completing the New Access Rule Wizard page.

Create a DNS Server Access Rule Allowing Internal Network DNS Servers Access to Internet DNS Servers

We use a DNS server located on the internal network to resolve Internet host names in our current scenario. This DNS server must be able to resolve Internet host names by contacting other DNS servers located on the Internet. Machines that run critical network services typically do not have a logged-on user. For this reason, we will create an Access Rule that does not require a logged-on user account. Instead, we will create a Computer Set that contains a list of all the DNS servers on the network.

A Computer Set is a collection of computer names and the addresses associated with those computer names. This makes it easy to assign Access Rules that control outbound access for machines belonging to such a set. You should create Computer Sets for all your important network servers so that you do not need to depend on logged-on user accounts to exercise outbound access control over these servers.

  • Order (priority): 1 (after all rules are created)
  • Name: DNS Servers
  • Action: Allow
  • Protocols: DNS
  • From/Listener: DNS Servers
  • To: External
  • Condition: All Users

The rule appears in the Firewall Policy Details pane with the values listed above.

Perform the following steps to create an Access Rule that allows the internal network DNS server access to DNS servers on the Internet:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, right-click the Firewall Policy node in the left pane of the console. Point to New and click Access Rule.
  2. On the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access rule name text box. In this example, we will call the rule DNS Servers. Click Next.
  3. On the Rule Action page, select Allow and click Next.
  4. On the Protocols page, select Selected protocols from the This rule applies to list, and click Add.
  5. In the Add Protocols dialog box, click the Infrastructure folder. Double-click the DNS protocol. Click Close.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the New menu, and then click the Computer Set command.
  8. In the New Computer Set Rule Element dialog box, click Add. Click the Computer option.
  9. In the New Computer Rule Element dialog box, enter a name for the DNS server in the Name text box. In this example, we’ll name the first DNS server DNS1. Enter the IP address of the DNS server in the Computer IP Address text box. Click OK.
  10. Click OK in the New Computer Set Rule Element dialog box.
  11. In the Add Network Entities dialog box, click the Computer Sets folder. Double-click the DNS Servers entry. Click Close.
  12. Click Next on the Access Rule Sources page.
  13. On the Access Rule Destinations page, click Add. Click the Networks folder and double-click the External entry. Click Close.
  14. Click Next on the Access Rule Destinations page.
  15. On the User Sets page, accept the default entry, All Users, and click Next.
  16. Click Finish on the Completing the New Access Rule Wizard page.

Use HTTP Policy to Prevent Access to Suspect Web Sites

You can block access to Web sites based on virtually any component of the HTTP communication using ISA Server 2004 HTTP policy. For example, you might want to prevent access to all Web sites that contain a reference to the popular file-sharing application, Kaaza. This file-sharing program can present a risk to network security because the files downloaded through this application can contain viruses, worms and copyrighted material.

In the following walkthrough, you will configure the HTTP policy for the Administrator Internet Access and Limited Access Web Users rules to block all Web connections to sites that contain the string “Kaaza” in them. While this example uses a blunt approach to blocking Kaaza-related sites, it does demonstrate the power of ISA Server 2004’s deep HTTP inspection mechanisms.

Perform the following steps to prevent users from accessing Kaaza-related sites:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Firewall Policy node.
  2. Right-click the Administrator Internet Access rule and click Configure HTTP.
  3. In the Configure HTTP policy for rule dialog box, click the Signatures tab.
  4. On the Signatures tab, click the Add button.
  5. In the Signature dialog box, enter a name for the signature in the Name text box. In this example we will enter Kaaza URL. Select the Request URL entry in the Search in list. Enter the string kaaza in the Signature text box. Click OK.
  6. Click Apply and OK in the Configure HTTP policy for rule dialog box.
  7. Repeat the preceding steps for the Limited Access Web Users rule.
  8. Click Apply to save the changes and update firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Test the Access Rules

Now that we have an ISA Server 2004 Access Policy in place, we can test the policy.

Perform the following steps to test Access Policy:

  1. First, review the Access Policies created on the ISA Server 2004 firewall. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Review the Access Rules in the Details pane of the console.
  2. Log on to the CLIENT computer as User2. Open the browser and enter www.microsoft.com in the Address bar. Press ENTER.
  3. The home page of the Microsoft site appears in the browser. In the Internet Explorer Address bar, enter www.isaserver.org and press ENTER.
  4. You will see the MSN search page indicating that the www.isaserver.org page could not be found. You can provide a more informative response to users by redirecting denied requests to an Internet Web server.
  5. In Internet Explorer, enter www.msn.com and press ENTER.
  6. You see the home page of the www.msn.com Web site. Note that some graphics do not appear on the page because they are hosted on sites that fall outside the Domain Name Set we created for the Access Rule.
  7. In the Internet Explorer Address bar, enter the URL https://www.msn.com/kaaza. An error page is returned indicating that the HTTP Security filter has blocked the connection. The Signature configured in the HTTP policy for the Access Rule detected that Kaaza was in the URL and blocked the connection attempt.
  8. Log off the CLIENT machine and then log on as Administrator.
  9. Open the Web browser and enter www.microsoft.com in the Address bar of Internet Explorer and press ENTER. The Microsoft Web site appears.
  10. Enter www.isaserver.org in the Address bar of Internet Explorer and press ENTER. As an Administrator, you are able to access the site.
  11. Enter www.isaserver.org/kaaza in the Address bar of Internet Explorer. You see the same HTTP Security filter error message. Again, the settings in the HTTP policy of the rule block the connection attempt.
  12. Click Start and click the Run command. In the Run dialog box, enter cmd in the Open text box. Click OK.
  13. At the command line, enter the line telnet ftp.microsoft.com 21 and press ENTER. You will see a banner saying 220 Microsoft FTP Service. Enter quit and press ENTER. You will then see the message 221 Thank-you for using Microsoft products!
  14. At the command prompt, enter the line telnet dragons.ca.usdal.net 6667 and press ENTER. You will see an error indicating that the connection failed. If you look at the connection attempt in the ISA Server 2004 real-time log monitor, you will see that the connection attempt was actively denied by the firewall.
  15. Log off the CLIENT computer.
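To make the first-match evaluation described at the start of this chapter and the outcomes of the test steps above concrete, here is an added Python simulation; it is not ISA Server code and not part of the original guide. It models the three rules as data and replays the test requests against them, assuming a 10.0.0.0/24 Internal network, DNS1 at 10.0.0.2, the User Set memberships shown, and ISA's implicit Default rule denying whatever no rule matches.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

INTERNAL_PREFIX = "10.0.0."   # constructed: Internal network is 10.0.0.0/24
DNS_SERVERS = {"10.0.0.2"}    # constructed: Computer Set "DNS Servers" (DNS1)
MICROSOFT_SET = ["*.microsoft.com", "*.msn.com", "*.hotmail.com", "*.windows.com"]
USER_SETS = {"Limited Web Users": {"user2"},       # constructed memberships
             "Administrators": {"administrator"}}

@dataclass
class Request:
    src_ip: str
    protocol: str                # HTTP, HTTPS, FTP, DNS, IRC, ...
    dst_host: str
    user: Optional[str] = None   # None = SecureNAT client, sends no credentials
    url_path: str = ""

@dataclass
class AccessRule:
    name: str
    action: str                          # "Allow" or "Deny"
    protocols: Optional[set] = None      # None = all outbound protocols
    except_protocols: set = field(default_factory=set)
    from_ips: Optional[set] = None       # None = Internal network; else a Computer Set
    to_domains: Optional[list] = None    # None = External network (any host)
    user_set: Optional[str] = None       # None = All Users
    http_signatures: tuple = ()          # HTTP policy: strings denied in Request URL

    def matches(self, r: Request) -> bool:
        if self.protocols is not None and r.protocol not in self.protocols:
            return False
        if r.protocol in self.except_protocols:
            return False
        src_ok = (r.src_ip in self.from_ips if self.from_ips is not None
                  else r.src_ip.startswith(INTERNAL_PREFIX))
        if not src_ok:
            return False
        if self.to_domains is not None and not any(
                fnmatchcase(r.dst_host.lower(), p) for p in self.to_domains):
            return False
        # Only an authenticated (Firewall/Web Proxy) client can satisfy a
        # user-set condition; a SecureNAT request (user=None) never does.
        if self.user_set is not None and r.user not in USER_SETS[self.user_set]:
            return False
        return True

# Final order from the chapter: 1 DNS Servers, 2 Administrator Internet Access,
# 3 Limited Access Web Users. Unmatched traffic falls to ISA's Default rule.
POLICY = [
    AccessRule("DNS Servers", "Allow", {"DNS"}, from_ips=DNS_SERVERS),
    AccessRule("Administrator Internet Access", "Allow", except_protocols={"IRC"},
               user_set="Administrators", http_signatures=("kaaza",)),
    AccessRule("Limited Access Web Users", "Allow", {"HTTP", "HTTPS"},
               to_domains=MICROSOFT_SET, user_set="Limited Web Users",
               http_signatures=("kaaza",)),
]

def evaluate(r: Request, policy=POLICY) -> tuple:
    """Top-to-bottom, first match wins; HTTP policy is applied on the matched rule."""
    for rule in policy:
        if not rule.matches(r):
            continue
        if rule.action == "Allow" and r.protocol in ("HTTP", "HTTPS"):
            url = (r.dst_host + r.url_path).lower()
            if any(sig in url for sig in rule.http_signatures):
                return ("Deny", rule.name + " (HTTP Security filter)")
        return (rule.action, rule.name)
    return ("Deny", "Default rule")

if __name__ == "__main__":
    req = Request("10.0.0.10", "HTTPS", "www.msn.com", "user2", "/kaaza")
    print(evaluate(req))  # ('Deny', 'Limited Access Web Users (HTTP Security filter)')
```

Changing the order of POLICY, or giving the CLIENT a request with user=None, shows why rule order and Firewall/Web Proxy client authentication both matter for the outcomes in the test steps.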

Conclusion

In this ISA Server 2004 Configuration Guide section, we discussed the variety of methods you can use to control outbound access to the Internet using ISA Server 2004 Access Rules. In the walkthroughs, you created Access Rules that controlled access to specific Web sites and protocols based on user and group membership. In addition, you created policy elements “on the fly” while creating the Access Rules. In the next chapter of the ISA Server 2004 Configuration Guide, we examine the procedures required to publish a Web and FTP server located on the perimeter network segment.