Configuring ISA Server 2006 Firewall Rules

You may wish to create some or all of the following access rules for Microsoft Internet Security and Acceleration (ISA) Server 2006.

Tasks

  1. Create the Internal DNS Server to Forwarder Rule
  2. Create a Web Access Rule
  3. Create a Windows SharePoint Services Publishing Rule

Create the Internal DNS Server to Forwarder Rule

This rule allows outbound DNS queries. Without it, only internal DNS names can be resolved.

Procedure DWISA.20: To create the Internal DNS Server to Forwarder Rule

  1. Log on to ISACS01 using an account that has ISA Server Administrator permissions.
  2. From the Start menu, point to All Programs, and then select Microsoft ISA Server Management.
  3. In the Microsoft Internet Security and Acceleration Server 2006 management console, expand the array name, and then click the Firewall Policy node.
  4. In the Firewall Policy node, click the Tasks tab in the Task Pane. On the Task Pane, click the Create Access Rule link.
  5. On the Welcome to the New Access Rule Wizard page, type Forward DNS Requests in the Access Rule name text box. Click Next.
  6. On the Rule Action page, select the Allow option, and then click Next.
  7. On the Protocols page, select the Selected protocols option from the This rule applies to list, and then click the Add button.
  8. In the Add Protocols dialog box, click the Infrastructure folder. Double-click the DNS entry, and then click Close.
  9. Click Next on the Protocols page.
  10. On the Access Rule Sources page, click the Add button.
  11. In the Add Network Entities dialog box, expand Networks, double-click Internal, and then click Close. Click Next.
  12. On the Access Rule Destinations page, click the Add button.
  13. In the Add Network Entities dialog box, expand the Networks folder, and then double-click the External entry. Click Close.
  14. Click Next on the Access Rule Destinations page.
  15. On the User Sets page, accept the default entry, All Users, and then click Next.
  16. On the Completing the New Access Rule Wizard page, review the settings, and then click Finish.
  17. Click Apply to save changes and update the configuration.

Create a Web Access Rule

If you wish servers on your zone 2-4 networks to be able to connect to the Web in order to download updates, you must create a Web Access Rule. Note that you will also need to configure the zone 2-4 servers to use the server running ISA Server as their default gateway.

Procedure DWISA.21: To create a Web access rule

  1. In the Microsoft Internet Security and Acceleration Server 2006 management console, expand the array and click the Firewall Policy node. In the Task pane, click the Tasks tab. Click the Create Access Rule link. This opens the New Access Rule Wizard.
  2. In the Access rule name text box, enter Outbound Web Access, and then click Next.
  3. On the Rule Action page, select Allow, and then click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list, and then click the Add button.
  5. In the Add Protocols dialog box, click to expand the Common Protocols folder. Double-click the HTTP and HTTPS entries, and then click Close.
  6. On the Protocols page, verify that HTTP and HTTPS appear in the list of protocols, and then click Next.
  7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, expand the Networks folder. Click the Internal entry, and then click Add. Click Close, and then click Next.
  8. On the Access Rule Destinations page, click Add. In the Add Network Entities dialog box, expand the Networks folder. Click the External entry, and then click Add. Click Close, and then click Next.
  9. On the User Sets page, accept the default of All Users, and then click Next.
  10. On the Completing the New Access Rule Wizard page, click Finish.
  11. Click Apply to save changes and update the configuration.

Create a Windows SharePoint Services Publishing Rule

If you chose to deploy Hosted Windows SharePoint Services, you will need to publish access to the Windows SharePoint Services front-end Web server.

Procedure DWISA.22: To create a SharePoint Publishing Rule

  1. On ISACS01, in the Microsoft Internet Security and Acceleration Server 2006 management console, expand the array, and then click the Firewall Policy node. In the Task pane, click the Tasks tab. Click the Publish SharePoint Sites link. This opens the SharePoint Publishing Rule Wizard.
  2. In the Web publishing rule name text box, enter SharePoint Publishing, and then click Next.
  3. On the Publishing Type page, select Publish a single Web site or load balancer, and then click Next.
  4. On the Server Connection Security page, select Use non-secured connections to connect the published Web server or server farm, and then click Next.
  5. On the Internal Publishing Details page, in the Internal site name box, enter COLLAB01.
  6. Select the Use a computer name or IP address to connect to the published server check box, enter the IP Address for COLLAB01 in the Computer Name or IP Address box, and then click Next.
  7. On the Public Name Details page, use the drop-down box next to Accept requests for, and then select Any Domain Name.
  8. On the Select Web Listener page, click New.
  9. The New Web Listener Wizard will launch. Enter the name SharePoint Web Listener, and then click Next.
  10. Select Do not require SSL secured connections with clients, and then click Next.
  11. On the Web Listener IP Addresses page, select External. Clear the ISA Server will compress contents check box, and then click Next.
  12. On the Authentication Settings page, select No Authentication, and then click Next.
  13. On the Single Sign On Settings page, click Next.
  14. On the Completing new Web Listener Wizard page, click Finish.
  15. On the Select Web Listener page, click Next.
  16. On the Authentication Delegation page, select No delegation, but client may authenticate directly, and then click Next.
  17. On the Alternate Access Mapping Configuration page, select SharePoint AAM is not yet configured, and then click Next.
  18. On the User Sets page, accept the default of All Users, and then click Next.
  19. On the Completing the New Web Publishing Rule Wizard page, click Finish.
  20. In the list of Firewall Policy Rules, right-click the SharePoint Publishing rule, and then click Properties.
  21. Click the To tab.
  22. Verify that Forward the original host header instead of the actual one (specified in the Internal site name field) is selected, and then click OK.
  23. Click Apply to save changes and update the configuration.
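A constructed model of the policy that the three procedures above produce, added here as an example and not part of the original page or of ISA Server's own code: it applies ISA's first-match rule ordering plus the implicit Default rule to sample flows, and shows what the host header setting in step 22 means for COLLAB01. The network names and COLLAB01 come from the procedures; the Flow and Rule types are assumptions made for the model.

```python
from dataclasses import dataclass

# Constructed model of how ISA Server 2006 evaluates its ordered firewall policy
# against the three rules in this procedure. It is not ISA code: the first
# matching rule wins, and the built-in "Default rule" denies anything left over.

@dataclass(frozen=True)
class Flow:
    source: str       # ISA network element the client is on ("Internal", "External")
    destination: str  # network or published server ("External", "COLLAB01")
    protocol: str     # ISA protocol definition name ("DNS", "HTTP", "HTTPS", ...)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "Allow" or "Deny"
    protocols: frozenset         # empty set = all protocols
    sources: frozenset
    destinations: frozenset

    def matches(self, flow: Flow) -> bool:
        return ((not self.protocols or flow.protocol in self.protocols)
                and flow.source in self.sources
                and flow.destination in self.destinations)

# The rules as the wizards create them, in firewall-policy order.
POLICY = (
    Rule("Forward DNS Requests", "Allow", frozenset({"DNS"}),
         frozenset({"Internal"}), frozenset({"External"})),
    Rule("Outbound Web Access", "Allow", frozenset({"HTTP", "HTTPS"}),
         frozenset({"Internal"}), frozenset({"External"})),
    # Web listener on External, plain HTTP only (no SSL required), forwarding to COLLAB01.
    Rule("SharePoint Publishing", "Allow", frozenset({"HTTP"}),
         frozenset({"External"}), frozenset({"COLLAB01"})),
)

def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, rule name) for the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "Deny", "Default rule"   # ISA's implicit last rule: deny all traffic

def host_header_seen_by_server(public_host: str, forward_original: bool,
                               internal_site_name: str = "COLLAB01") -> str:
    """Host header COLLAB01 receives, per the 'To' tab setting in step 22."""
    return public_host if forward_original else internal_site_name
```

The DNS and Web rules are one-directional (Internal to External), so the same protocols arriving from External fall through to the Default rule; only the publishing rule exposes anything inbound, and only over HTTP.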