Microsoft Internet Security and Acceleration Server 2004
Chapter 9: Simplifying Network Configuration with Network Templates

The ISA Server 2004 firewall comes with a number of prebuilt Network Templates you can use to automatically configure Networks, Network Rules and Access Rules. The Network Templates are designed to get you started quickly by creating a base configuration on which you can build. You can choose from one of the following Network Templates:

  • Edge Firewall

The Edge Firewall Network Template is used when the ISA Server 2004 firewall has one network interface directly connected to the Internet and a second network interface connected to the Internal network.

  • 3-Leg Perimeter

The 3-Leg Perimeter Network Template is used when you have an External interface, an Internal interface and a perimeter network segment (DMZ) interface. This template configures the addresses of these networks and the relationships between them.

  • Front Firewall

The Front Firewall Template is used when the ISA Server 2004 firewall serves as a front-end firewall in a back-to-back firewall configuration.

  • Back Firewall

The Back Firewall Template is used when the ISA Server 2004 firewall is located behind another ISA Server 2004 firewall, or a third-party firewall.

  • Single Network Adapter

The Single Network Adapter Template is a special configuration that removes the ISA Server 2004 firewall’s network firewall capabilities. Instead, the Single Network Adapter template configures the machine as a unihomed Web caching server.

In this ISA Server 2004 Configuration Guide document, we outline the procedures to carry out two scenarios:

  • Scenario 1: The Edge Firewall Configuration
  • Scenario 2: The 3-Leg Perimeter Configuration

You only need to go through the section that applies to your current setup. If you followed the complete instructions in the first chapter of this guide, then you should perform the procedures in the second scenario. Otherwise, you can use the procedures provided in the first scenario.

Scenario 1: The Edge Firewall Configuration

The Edge Firewall template configures the ISA Server 2004 firewall to have a network interface directly connected to the Internet and a second network interface connected to the Internal network. The network template allows you to quickly configure firewall policy Access Rules that control access between the Internal network and the Internet.

Table 1 shows the firewall policies available to you when using the Edge Firewall template. Each firewall policy creates its own set of Access Rules, ranging from an all-open access policy between the Internal network and the Internet to a Block All policy that prevents all access between the Internal network and the Internet.

Table 1: Network Edge Firewall Template Firewall Policy Options

Firewall Policy | Description

Block all

Block all network access through ISA Server.

This option does not create any access rules other than the default rule, which blocks all access.

Use this option when you want to define firewall policy on your own.

Block Internet access, allow access to ISP network services

Block all network access through ISA Server, except for access to network services such as DNS. This option is useful when your Internet Service Provider (ISP) provides these services.

Use this option when you want to define firewall policy on your own.

The following access rules will be created:

  1. Allow DNS from Internal Network and VPN Clients Network to External Network (Internet)

Allow limited Web access

Allow Web access using HTTP, HTTPS, FTP only. Block all other network access.

The following access rules will be created:

  1. Allow HTTP, HTTPS, FTP from Internal Network to External Network
  2. Allow all protocols from VPN Clients Network to Internal Network

Allow limited Web access and access to ISP network services

Allow limited Web access using HTTP, HTTPS and FTP only, and allow access to ISP network services such as DNS. Block all other network access.

The following access rules will be created:

  1. Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet)
  2. Allow DNS from Internal Network and VPN Clients Network to External Network (Internet)
  3. Allow all protocols from VPN Clients Network to Internal Network

Allow unrestricted access

Allow unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet.

The following access rules will be created:

  1. Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet)
  2. Allow all protocols from VPN Clients Network to Internal Network

Perform the following steps to configure the firewall using the Edge Firewall Network Template:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. Click the Templates tab in the Task Pane. Click the Edge Firewall network template.
  3. Click Next on the Welcome to the Network Template Wizard page.
  4. On the Export the ISA Server Configuration page, you are offered the opportunity to export the current configuration. You can return the ISA Server 2004 firewall to the state it was in before using the Edge Firewall network template using this file. We have already backed up the system configuration, so we will not need to export the configuration at this time. Click Next.
  5. On the Internal Network IP Addresses page, you define the Internal network addresses. The current Internal network address range is automatically included in the Address ranges list. You can use the Add, Add Adapter and Add Private buttons to expand this list of addresses. In our current example we will keep the current Internal network address range. Click Next.
  6. On the Select a Firewall Policy page you can select a firewall policy and the collection of Access Rules it creates. In this example, we want to allow Internal network clients to use all protocols to reach all sites on the Internet. After you become more familiar with the ISA Server 2004 firewall, you should increase the level of security for outbound access control. But at this point, general Internet access is more important. Select the Allow unrestricted access policy from the list and click Next.
  7. Review your settings and click Finish on the Completing the Network Template Wizard page.
  8. Click Apply to save the changes and update firewall policy.
  9. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.
  10. Click the Firewall Policy node in the left pane of the console to view the policies created by the Edge Firewall network template. These two Access Rules allow Internal network and VPN clients full access to the Internet, and the VPN clients are allowed full access to the Internal network.

Scenario 2: The 3-Leg Perimeter Configuration

The 3-leg perimeter configuration creates network relationships and Access Rules to support an Internal network segment and a perimeter (DMZ) network segment. The perimeter network segment can host your publicly-accessible resources and infrastructure servers, such as a public DNS server or a caching-only DNS server.

Table 2: 3-Legged Perimeter Firewall Template Firewall Policy Options

Firewall Policy | Description

Block all

Block all network access through ISA Server.

This option does not create any access rules other than the default rule, which blocks all access.

Use this option when you want to define firewall policy on your own.

Block Internet access, allow access to network services on the perimeter network

Block all network access through ISA Server, except for access to network services, such as DNS on the perimeter network. Use this option when you want to define the firewall policy on your own.

The following access rules will be created:

  1. Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network

Block Internet access, allow access to ISP network services

Prevent all network access through the firewall except for network services such as DNS. This option is useful when your Internet Service Provider (ISP) provides network services.

Use this option when you want to define the firewall policy on your own.

The following rules will be created:

  1. Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to External Network (Internet)

Allow limited Web access, allow access to network services on perimeter network

Allow limited Web access using HTTP, HTTPS, FTP only and allow access to network services such as DNS on the perimeter network. All other network access is blocked.

This option is useful when network infrastructure services are available on the perimeter network.

The following access rules will be created:

  1. Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to Perimeter Network and External Network (Internet)
  2. Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network
  3. Allow all protocols from VPN Clients Network to Internal Network

Allow limited Web access and access to ISP network services

Allow limited Internet access and allow access to network services such as DNS provided by your Internet Service Provider (ISP). All other network access is blocked.

The following access rules will be created:

  1. Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to the External Network (Internet)
  2. Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to External Network (Internet)
  3. Allow all protocols from VPN Clients Network to Internal Network

Allow unrestricted access

Allow all types of access to the Internet through the firewall. The firewall will prevent access from the Internet to the protected networks. Use this option when you want to allow all Internet access. You can modify this policy later to block some types of network access.

The following rules will be created:

  1. Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet) and Perimeter Network
  2. Allow all protocols from VPN Clients to Internal Network

Perform the following steps to use the 3-Leg Perimeter network template:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and click the Networks node.
  2. Click the Networks tab in the Details pane and then click the Templates tab in the Task pane. Click the 3-Leg Perimeter network template.
  3. Click Next on the Welcome to the Network Template Wizard page.
  4. On the Export the ISA Server Configuration page, you can choose to export your current configuration. This is useful if you find that you need to return the firewall to its current settings in the event that the template settings do not meet your needs. We have already backed up the configuration, so we will not need to export the configuration at this time. Click Next.
  5. On the Internal Network IP Addresses page, you set the addresses that represent the Internal network. The addresses included in the current Internal network are automatically included in the Address ranges list. We will not add any addresses to the Internal network. Click Next.
  6. You configure the addresses that comprise the perimeter network segment on the Perimeter Network IP Addresses page. The wizard does not make any assumptions regarding what addresses should be included in the perimeter network, so the Address ranges list is empty.
  7. Click the Add Adapter button. In the Network adapter details dialog box, put a check mark in the DMZ check box. Note that the names that we previously set for network adapters appear in this list. Renaming network adapters helps you identify the network association of that adapter. Click OK.
  8. The wizard automatically enters an address range into the Address ranges list based on the Windows routing table. Click Next.
  9. On the Select a Firewall Policy page, you select a firewall policy that will create network relationships between the Internet, perimeter and Internal networks and also create Access Rules. In this example, we want to allow the Internal network clients full access to the Internet and the perimeter network, and allow the perimeter network hosts access to the Internet. After you are more familiar with how to configure Access Policies on the ISA Server 2004 firewall, you will want to tighten the outbound access controls between the perimeter network segment and the Internet, and between the Internal network segment and the Internet. Select the Allow unrestricted access firewall policy and click Next.
  10. Review the settings on the Completing the Network Template Wizard page and click Finish.
  11. Click Apply to save the changes and update firewall policy.
  12. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.
  13. Click the Firewall Policy node in the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console to view the rules created by the 3-Leg Perimeter network template. These two rules allow hosts on the Internal network and in the VPN clients network full access to the Internet and to the perimeter network. In addition, the VPN Clients network is allowed full access to the Internal network.
  14. Expand the Configuration node in the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console. Click the Networks node. Here you see a list of networks, including the Perimeter network created by the template.
  15. Click the Network Rules tab. Right-click the Perimeter Configuration Network Rule and click Properties.
  16. In the Perimeter Configuration Properties dialog box, click the Source Networks tab. You can see in the This rule applies to traffic from these sources list the Internal, Quarantined VPN Clients and VPN Clients networks listed as source networks.
  17. Click the Destination Networks tab. You see the Perimeter network in the This rule applies to traffic sent to these destinations list.
  18. Click the Network Relationship tab. The default setting is Network Address Translation (NAT). This is a slightly higher security configuration because it hides the addresses of the Internal network clients that connect to perimeter network hosts. However, NAT relationships can complicate access for certain protocols, because not all protocols work through address translation. In our current example, select the Route relationship to improve protocol access at the cost of a slight reduction in overall security. Keep in mind that, at this point, there are no Access Rules that allow access to the Internal network from the perimeter network, so changing the relationship to Route does not by itself open that path.
  19. Click Apply and then click OK.
  20. Click Apply to save the changes and update the firewall policy.
  21. Click OK in the Apply New Configuration dialog box after you see the message Changes to the configuration were successfully applied.
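To make concrete how the rules created by the Edge Firewall and 3-Leg Perimeter templates combine, here is an added Python model (written for this page, not Microsoft's code and not ISA Server's engine) of the Network Rules and the two Access Rules that the Allow unrestricted access policy creates, including what switching the Perimeter Configuration rule from NAT to Route in step 18 does and does not open. The built-in Internet Access and VPN Clients to Internal Network rules, the bidirectional treatment of Route relationships, and the sample IP addresses are assumptions of the example.

```python
"""Simplified model of how ISA Server 2004 decides whether a flow is allowed once
the 3-Leg Perimeter template's 'Allow unrestricted access' policy is in place.
Constructed teaching example, not ISA's engine: a flow needs a Network Rule that
relates the two networks AND a matching Access Rule, else the default rule denies.
Assumed here: Route relationships apply both ways, NAT only source -> destination."""
from collections import namedtuple

NetworkRule = namedtuple("NetworkRule", "name sources destinations relationship")
AccessRule = namedtuple("AccessRule", "name action protocols sources destinations")
ALL = frozenset({"*"})  # stands for ISA's 'All outbound traffic' protocol set
VPN = {"VPN Clients", "Quarantined VPN Clients"}

NETWORK_RULES = [
    # The first two are ISA's built-in rules (assumed here; the chapter does not list them).
    NetworkRule("Internet Access", {"Internal"} | VPN, {"External"}, "NAT"),
    NetworkRule("VPN Clients to Internal Network", VPN, {"Internal"}, "Route"),
    # Created by the template: NAT by default, switched to Route in step 18.
    NetworkRule("Perimeter Configuration", {"Internal"} | VPN, {"Perimeter"}, "NAT"),
]
ACCESS_RULES = [  # the two Access Rules Table 2 lists for 'Allow unrestricted access'
    AccessRule("Internal/VPN to Internet and Perimeter", "Allow", ALL,
               {"Internal", "VPN Clients"}, {"External", "Perimeter"}),
    AccessRule("VPN Clients to Internal", "Allow", ALL, {"VPN Clients"}, {"Internal"}),
]

def relationship(src, dst, network_rules=NETWORK_RULES):
    """Relationship the Network Rules define for src -> dst, or None if there is none."""
    for r in network_rules:
        if src in r.sources and dst in r.destinations:
            return r.relationship
        if r.relationship == "Route" and src in r.destinations and dst in r.sources:
            return "Route"  # Route rules are bidirectional
    return None

def evaluate(src, dst, protocol, network_rules=NETWORK_RULES, access_rules=ACCESS_RULES):
    """Decision for one flow: first matching Access Rule wins; the default rule denies."""
    rel = relationship(src, dst, network_rules)
    if rel is None:
        return "Deny (no Network Rule)"
    for rule in access_rules:
        if (src in rule.sources and dst in rule.destinations
                and (rule.protocols == ALL or protocol in rule.protocols)):
            return rule.action
    return "Deny (Default rule)"

def visible_source(client_ip, src, dst, firewall_ip, network_rules=NETWORK_RULES):
    """Address the destination host sees: NAT hides the client behind the firewall."""
    return firewall_ip if relationship(src, dst, network_rules) == "NAT" else client_ip
```

To emulate step 18, replace the Perimeter Configuration entry with `rule._replace(relationship="Route")` and re-run `evaluate("Perimeter", "Internal", "HTTP", ...)`: the relationship now exists, but the flow is still denied by the default rule because no Access Rule allows it.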

In this ISA Server 2004 Configuration Guide chapter, we discussed how you can use the Edge Firewall and 3-Leg Perimeter network templates to simplify initial configuration of network addresses, Network Rules and Access Rules. In the next chapter of the ISA Server 2004 Configuration Guide, we will discuss the various ISA Server 2004 client types.

© 2009 Microsoft Corporation. All rights reserved.