Enterprise Management in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition uses a multi-tiered enterprise and array model. An ISA Server enterprise consists of one or more arrays that group together ISA Server firewall computers in the enterprise. Each enterprise manages its own array members.

Configuration information for the enterprise and arrays is stored in ISA Server Configuration Storage servers. Each enterprise has one or more Configuration Storage servers. When you install the ISA Server Configuration Storage server component, you can select to create a new enterprise, or create a replica of an existing Configuration Storage server. Array members in the enterprise communicate with the Configuration Storage server to get up-to-date configuration information.

ISA Server computers in the same array share the same configuration, enterprise policy, and array policy, easing management and administration. When you modify the array configuration and apply the changes, all the array members are updated. Centralized administration allows all administrative tasks to be performed from one computer.

ISA Server Enterprise Edition uses a firewall policy to protect networks and control traffic flowing in and out of the organization. The firewall policy consists of access and publishing rules defined at the enterprise level and at the array level. The enterprise administrator has granular control over policy throughout the enterprise, including the level of policy authority granted to array administrators.

Enterprise Policies

As an ISA Server enterprise administrator, you define an enterprise policy that is applied to one or more arrays in the enterprise. Use enterprise policies as follows:

  • Create an enterprise policy to apply standardized firewall policy through the organization. For example, you can create a rule to be included in the enterprise policy that denies FTP traffic from internal networks to the Internet.
  • Apply an enterprise policy to one or more arrays. This simplifies array management, and ensures that you maintain a secure policy at the enterprise level. It saves the effort of creating and managing policy on each array, and changes only have to be applied to the enterprise policy.

You can also create enterprise policies based on array functionality. For example, you may have arrays that handle virtual private network (VPN) connections, arrays that handle publishing, and an array for Web proxy Internet access. It may be useful to create three enterprise policies, as follows:

  • Enterprise access policy for VPN arrays
  • Enterprise access policy for publishing arrays
  • Enterprise access policy for Internet access arrays

Each enterprise policy consists of an ordered set of access rules appropriate for the type of array. ISA Server provides a default enterprise policy that cannot be modified or deleted. It consists of a single default rule (Deny All) that denies all traffic. This ensures that the enterprise is locked down by default, and the only traffic allowed is that which you explicitly allow.

Configuring Enterprise Policies

Use the following steps when configuring the enterprise, and enterprise policies:

  1. Define enterprise-level administrative roles. Define enterprise administrators and enterprise policy administrators.
  2. Create enterprise networks and network rules. Create enterprise networks to use as the source and destination in enterprise-level access rules, or to include in the definitions of array-level networks. Create network rules that specify how enterprise networks communicate with each other.
  3. Create enterprise policies. You create enterprise policies and then define rules for use in the policies. Create rule elements (such as protocol definitions) at the enterprise level, and then use these elements as parameters for enterprise-level rules that determine what traffic is allowed to and from enterprise networks. Rule elements created at the enterprise level can also be used in array-level access rules. Each rule in the enterprise policy can be defined so that it applies either before or after the array policy. Rule ordering is important because of the way in which ISA Server checks rules. The first rule to match a request received by ISA Server is used, and subsequent rules are not checked.

Defining Enterprise-Level Administrative Roles

ISA Server uses a role-based model to organize enterprise and array administrators into predefined roles. Users with a particular role are allowed to do specific ISA Server tasks. ISA Server distinguishes between enterprise-level roles and array-level roles. Enterprise roles are as follows:

  • ISA Server Enterprise Administrator. This role allows full control over the enterprise and the configuration of all arrays in the enterprise. Users with this role can create enterprise policies and apply them to an array, manage array configurations, and assign roles to other users and groups.
  • ISA Server Enterprise Auditor. This role allows users to view the enterprise configuration and the configuration of all arrays in the enterprise.
  • ISA Server Enterprise Policy Editor. Enterprise administrators can assign administrators permissions for specific enterprise policies, thus limiting enterprise-level administration to a specific policy. Enterprise Policy Editors can create rules for the specific enterprise policy, but cannot create new enterprise policies.

For more information, see Role Based Administration Concepts in ISA Server 2006 at Microsoft TechNet.

Creating Enterprise Networks and Network Rules

Enterprise networks are global to all arrays in the enterprise, and include IP address ranges in your network topology. Traffic within an enterprise network should not cross any security boundary such as a firewall or VPN. Enterprise networks do not have properties that are found in array-level networks. Enterprise networks are used for the following purposes:

  • Creating an enterprise policy. ISA Server predefined enterprise networks act as a placeholder for array-level networks of the same name. Any rule applied to a predefined enterprise network will be applied to the same array-level network. For example, a rule that applies to the enterprise network named Local Host would apply to the IP addresses in the Local Host network for that array. Predefined enterprise networks do not have any properties associated with them, and cannot be explicitly used when creating array-level firewall policy rules. ISA Server includes the following predefined enterprise networks:
    • External
    • Local Host
    • Quarantined VPN Clients
    • VPN Clients
  • Inclusion in array-level networks. Enterprise networks provide a mechanism for arrays to reference each other across the enterprise. For example, an array administrator can define an array-level network that references the IP address range of an enterprise network, and create rules based upon it.

Before deploying arrays and array members in the enterprise, the enterprise administrator configures custom enterprise networks. An IP address can be included in only one enterprise network. IP addresses defined at the enterprise level and included in some enterprise networks are considered the address range for the enterprise.

Network rules are required to define relationships between networks. Without network rules in place, traffic cannot pass between networks. Network relationships can be defined as route or network address translation (NAT). When a route relationship is defined, IP addresses are not hidden between networks. This is a common configuration between two networks with private IP addresses. A NAT relationship ensures that the IP address of the request from the source network is replaced with the IP address of the ISA Server adapter connected to the destination network, and effectively hidden.

Enterprise-level network rules are useful when you want to create a network relationship between networks that is applicable to all arrays. For example, for all arrays in the enterprise, you may want to define a NAT relationship from the Internal network to the External network. Enterprise-level network rules can only be applied to enterprise-level network objects. They cannot be applied to array-level networks.

Creating Enterprise Policies

When you create a new enterprise policy, it contains a single default rule blocking all traffic. You then define enterprise-level access rules to add to the policy. Each enterprise-level rule in the enterprise policy can be organized as follows:

  • Enterprise policy rules that are processed before any array-level rules are processed. These are known as pre-array level rules.
  • Enterprise policy rules that are processed after the array-level rules are processed. These are known as post-array level rules.

You can reorder all enterprise rules except for the default deny rule of the enterprise policy. It is always processed last.

If you do not create any enterprise policies, the default enterprise policy will be applied to arrays in the enterprise after the array's firewall policy rules.

Array Policies

ISA Server 2006 Enterprise Editions groups ISA Server firewalls into arrays that share a common configuration and a single firewall policy, allowing them to be managed as a unit. Some information is specific to array members, such as cache configuration, Secure Sockets Layer (SSL) certificates, and a VPN static address pool. All array members should have identical configurations, including:

  • Number of network adapters, connected to array-level networks with the same names.
  • Mirrored accounts with Basic Monitoring permissions (for workgroup deployments).
  • Application and Web filter configuration.
  • Certificates installed.
  • ISA Server language version installed. Within an enterprise, arrays can have different language versions of ISA Server installed.

Configuring Arrays

Configuring arrays consists of the following steps:

  1. Define arrays. You can run Setup to create and configure an array, or install the Configuration Storage server, and then create arrays in ISA Server Management after running Setup. To monitor the array from the Configuration Storage server, the IP address of the Configuration Storage server must be added to either the predefined computer set Enterprise Remote Management Computers, or the predefined array-level computer set Remote Management Computers. If you create an array when installing ISA Server firewall, this is done automatically. If you create the array from ISA Server Management after running Setup, add this IP address manually to the computer set.
  2. Configure array properties. In ISA Server Management, run the New Array Wizard to create an array and specify some array properties. Then customize the settings on the array properties pages.
  3. Configure intra-array settings. We recommend that you have a dedicated network adapter to associate with the intra-array network.
  4. Configure array-level access rules. Create array access rules, and order array rules and enterprise rules as required.
  5. Use enterprise networks in array-level policy. Array administrators can include enterprise networks in the definitions of array-level networks.

Defining Arrays

You can create an array when you install an ISA Server firewall. During array creation, you specify the following:

  • Array name and description.
  • Array Domain Name System (DNS) name to be used by clients for array discovery.
  • Enterprise policy that should be applied to the array.
  • Rule constraints. Specify the types of firewall policy rules that can be created on the array level. This setting determines the level of customization that an array administrator can apply on a specific array. The following rule types can be enabled or disabled:
    • Deny access rules
    • Allow access rules
    • Publishing rules (allow and deny)

Alternatively, you can install the Configuration Storage server and then create arrays after running Setup.

Note

Creating an array over a slow link may take a long time.

Configuring Array Properties

From ISA Server Management, you can create new arrays, modify existing array properties, or configure additional array properties that you cannot configure using the New Array Wizard. From the array properties pages, you can configure the following:

  • General. Name, description, and DNS name of the array.
  • Policy Settings. The enterprise policy that applies to the array, and the type of rules that can be created at the array level.
  • Configuration Storage. Specifies the Configuration Storage server that the array should use, and an alternate Configuration Storage server to be used if the primary is not available. It also defines how often the array should poll the Configuration Storage server for updates, and the authentication method used for the connection between array members and the Configuration Storage server. Where the array members and the Configuration Storage servers are in the same domain, Active Directory® directory service authentication is used. Where they are in untrusted domains, or either is in a workgroup configuration, a certificate must be installed on the Configuration Storage server, and a root certification authority (CA) certificate for the issuing CA is required on each array member.
  • Assign Roles. In a domain scenario, specify an Active Directory user or group, and then select one of the following roles to be assigned to them:
    • ISA Server Array Administrator.   Gives full control permissions for the array, and permissions to view the enterprise policy applied to the array.
    • ISA Server Array Auditor.   Allows array monitoring and view permissions for the array configuration.
    • ISA Server Array Monitoring Auditor.   Allows some monitoring permissions.

In a workgroup configuration, type the name of the group or user, and select a role to assign to that group or user. For the account you specify, you must create identical (mirrored) accounts on each array member. For more information, see Role Based Administration Concepts in ISA Server 2006 at Microsoft TechNet.

  • Customer Feedback. Specify whether you want to join the Customer Experience Improvement Program (CEIP). This program allows Microsoft to collect anonymous hardware configuration information, and information about how the software is being used. CEIP is not enabled by default. Note that if you do enable CEIP, Web Proxy client access will be enabled automatically on the ISA Server computer (Local Host network).
  • Intra-array Credentials. Specifies the address used for array members to communicate with each other.

Configuring Intra-Array Settings

When an array includes multiple members, they communicate with each other for a number of reasons, including:

  • CARP. The Cache Array Routing Protocol (CARP) effectively combines the cache drives of all member servers into a single logical cache. To accomplish this, the member servers forward requests to each other.
  • VPN. Member servers inform the other servers when a VPN tunnel exists, so that the array can route applicable traffic to the appropriate tunnel (to the server that owns the tunnel).
  • Configuration Storage server. If the Configuration Storage server is installed on one of the member servers, the other member servers will access that server.

Array members communicate with each other using the intra-array address. Although each member server can be uniquely identified by its fully qualified domain name (FQDN), the intra-array address is critical for the following reasons:

  • Each array member may have more than one network adapter. Sensitive intra-array traffic should be communicated only on specific adapters. By specifying an intra-array address, you configure the specific network adapter to pass the intra-array communication.
  • When the array is configured to use Network Load Balancing (NLB), the NLB-bound adapter should not be used for intra-array traffic. By specifically limiting the intra-array address, you avoid the conflict between the NLB-bound address and the intra-array address.
  • Intra-array traffic should not be subject to quota restrictions. By specifying the intra-array address, you ensure it is not subject to these restrictions.

During Setup, the following is configured:

  • The intra-array address is set to the default IP address of the array member's network adapter associated with the Internal network. This IP address may also be used for other purposes, including for communication with the Configuration Storage server, and for remote management. If IP address changes occur, check that the intra-array address is correctly configured, and that NLB mechanisms are using the correct IP address.
  • The default system policy rule Allow intra-array communications is enabled. This rule allows communication using the MS Firewall Control and RPC protocols to and from all members of the predefined Array Servers computer set. The MS Firewall Control protocol is based on Lightweight Directory Access Protocol (LDAP) (outbound TCP port 2171) and LDAPS (port 2172), and is used for communication between array members and the Configuration Storage server. LDAPS is used when servers are in untrusted domains, or workgroup mode. Remote procedure call (RPC) is used for monitoring. The Array Servers computer set contains all the IP address of all the array members.

The intra-array address can be modified by the array administrator for each array member. Note the following guidelines when configuring secure intra-array communications:

  • We recommend that intra-array communication be done over either a dedicated hub or a virtual LAN. This configuration is intended to physically or logically isolate intra-array traffic from the other networks.
  • We recommend that you use a dedicated network adapter in a network used only for intra-array communication. This network should include all the array member's intra-array addresses.
  • Upon installation, a pair of private and public keys is created for each array member. These keys are used to transfer confidential data between array members. If you believe that the keys have been compromised, create a new key pair by uninstalling and then reinstalling ISA Server.
  • If NLB is not configured for the array, specify the intra-array address as the primary IP address of the first network adapter on the network.
  • When ISA Server integrated NLB is enabled for the array, use a dedicated network adapter that is located on the network, for intra-array traffic. A different network adapter on the same network should be used for NLB.

After you install a dedicated network adapter, perform the following steps:

  1. Configure the IP address to be used for intra-array communication. When reconfiguring the intra-array address, the new address is added to the Array Servers computer set.
  2. Create a dedicated array-level network, which should include each array member’s intra-array address. When you create the network, specify its type as Internal. We recommend exporting the intra-array network. This ensures that its settings are backed up, even if networks are overwritten by selecting another network template.
  3. Enable the network to listen for Web Proxy client requests. Do not enable the network to listen for Firewall client requests.

Configuring Array-Level Access Rules

When you configure array-level access rules, these rules are combined with the enterprise policy as the effective array policy, which is the firewall behavior that results from the rules combination. Rules are processed in the following order:

  • Array-level system policy rules. The predefined set of system policy rules allowing traffic to and from the ISA Server computer (Local Host network) are processed before all other rules.
  • Pre-array enterprise rules (ordered before firewall policy rules).
  • Array-level firewall policy rules.
  • Post-array enterprise rules (ordered after firewall policy rules).

For example, if an enterprise administrator wants to allow FTP access across the enterprise without exception, a pre-array enterprise access rule allowing FTP should be created. However, to allow FTP access but give the array administrators the ability to deny FTP access, a post-array enterprise access rule allowing FTP should be created. If an array administrator then creates an array access rule denying FTP, the effective policy will be that FTP is denied. If the array administrator does not create a rule that denies FTP, the effective policy will be that FTP is allowed.

Using Enterprise Networks in Array-Level Policy

Enterprise administrators use enterprise networks to create enterprise-level access rules, but array administrators can include enterprise networks when defining array-level networks. Configure array-level networks with IP address ranges, and in addition, one or more enterprise networks. The effect is that the array definition may include IP addresses that are not necessarily physically connected to the array.

Note

You should only include enterprise networks that include address ranges that correspond with the routing table of the specific array member.

Consider for example, two arrays: a front-end array and a back-end array, both connected to a network with an IP address range from 10.0.0.0/8. Suppose also that the enterprise administrator has defined an enterprise network called ENT-Perimeter with the IP address range from 10.0.0.0 through 10.255.255.255. Each array administrator can then define an array-level network called Perimeter, and include the IP range of the enterprise network ENT-Perimeter in it. They can then create array-level firewall policy rules based on the network Perimeter.

In some cases, the array administrator might want to create only an array-level network, thereby effectively creating a network visible and usable only for that array. The rest of the enterprise cannot use this network. For example, array-level networks might be useful in these scenarios:

  • The array-level network should not be impacted by changes made at the enterprise level.
  • The array-level network is unused and unneeded at the enterprise level.

Traffic from an IP address that is not in an array-level network is, by default, considered spoofed. This is true even if the IP address is included in an enterprise network.