Creating and Configuring a New Enterprise Policy

ISA Server 2004 Enterprise Edition supports enterprise firewall policies that can be applied to one or more arrays. Enterprise policies can be created once, and then applied to one or more arrays with the goal of standardizing security policy throughout the organization. Enterprise policies can also be integrated with local array policies. This provides array administrators with an additional level of control over traffic moving through ISA Server 2004 Enterprise Edition arrays.

In this section, you will examine the following procedures involved with creating and configuring an enterprise policy:

  • Assign Enterprise Administrator and Enterprise Auditor roles. You can assign firewall enterprise administrator and firewall enterprise auditor permissions to users or groups. Enterprise administrators have complete configuration control over computers in the enterprise, and enterprise auditors can audit any computer in the organization.
  • Define the default enterprise policy. ISA Server 2004 Enterprise Edition includes a default enterprise policy. The implications of this policy are discussed.
  • Create a new enterprise network. The ISA Server 2004 Enterprise Edition computer performs stateful packet and application-layer inspection on communications moving from one ISA Server 2004 Enterprise Edition network to another ISA Server network. You will create an ISA Server network at the enterprise level and use this for access control.
  • Create an enterprise network rule. This rule sets the route relationship between the enterprise Internal network and the Internet. Network rules control the route relationship between the source and destination networks in a communication. You can choose either route or network address translation (NAT). You will create a NAT relationship between the enterprise network and the Internet.
  • Create a new enterprise policy. Enterprise policies include access rules that can be overlaid on local array access rules to create an integrated firewall policy. This provides centralized security management required for standardization, and flexibility for the local array administrators to create array-level access rules and publishing rules.
  • Create an enterprise access rule. A new access rule is created and named Enterprise All Open. The Enterprise All Open access rule allows access from all hosts to all sites using any protocol.
  • Move enterprise access rule relative positions. The Enterprise All Open access rule is moved so that it is applied before array policy. This demonstrates how you can move enterprise policy rules so that they can be applied before or after local array policy rules.

Assign Enterprise Administrator and Enterprise Auditor Roles

In this procedure, you will assign the ISA Server Enterprise Administrator and ISA Server Enterprise Auditor roles.

Perform the following steps to assign the enterprise roles:

  1. In the left pane of the ISA Server 2004 Enterprise Edition console, expand the Enterprise node, and then expand the Enterprise Policies node. Your console should now appear similar to that in the following figure.
    [Figure: ISA Server 2004 Enterprise Edition console with the Enterprise and Enterprise Policies nodes expanded]
  2. Right-click the Enterprise node in the left pane of the ISA Server 2004 Enterprise Edition console and click Properties.
  3. In the Enterprise Properties dialog box, click the Assign Roles tab. On the Assign Roles tab, you can configure which users and groups are allowed access to the Configuration Storage server, and which users and groups can monitor arrays.
    [Figure: Enterprise Properties dialog box, Assign Roles tab]
  4. Click the Add button to display the Administration Delegation dialog box. You can add local or domain users or groups to either the ISA Server Enterprise Administrator or ISA Server Enterprise Auditor roles for the entire enterprise. Use the Browse button to locate the user or group, and then click the drop-down arrow in the Role list to assign the appropriate role to the user or group selected. Click OK to save the changes.
  5. In the example used in the ISA Server 2004 Enterprise Edition Quick Start Guide, you do not make any changes to the Administration Delegation configuration.
    [Figure: Administration Delegation dialog box]

Define the Default Enterprise Policy

In the left pane of the ISA Server 2004 Enterprise Edition console, a Default Policy is located under the Enterprise Policies node. You cannot change or delete this Default Policy. The purpose of this policy is to ensure that the ISA Server 2004 Enterprise Edition array is completely locked down by default. Only traffic you explicitly allow through the firewall array is allowed to traverse the array.

If you create no other enterprise policies, this default enterprise policy is applied to all arrays you create. This policy is configured to place the default rule included in the Default Policy at the end of the access rule list, after the array’s firewall policy.

The enterprise Default Policy ensures that the ISA Server 2004 Enterprise Edition array secures your organization by default.

Create a New Enterprise Network

Enterprise networks can be used in both enterprise and array-level access rules. In this ISA Server 2004 Enterprise Edition Quick Start Guide, you will create an enterprise network to demonstrate how enterprise networks are created in contrast to array-level networks.

Perform the following steps to create a new enterprise network:

  1. In the ISA Server 2004 Enterprise Edition console, confirm that the Enterprise Policies node is expanded and click the Enterprise Networks node.
  2. In the details pane, click the Networks tab.
  3. Click the Tasks tab in the task pane, and then click Create a New Network.
  4. On the Welcome to the New Network Wizard page, in Network name, type a name for the new enterprise network. In this example, the name of the new enterprise network is Enterprise Internal. Click Next.
  5. On the Network Addresses page, you specify all the addresses that are defined as internal for your organization, or a subset of addresses, depending on your enterprise-level requirements. Click the Add Range button to add addresses to your enterprise network.
  6. In the IP Address Range Properties dialog box, enter the range of addresses you want to use for this enterprise network. In this example, enter a Start address of 10.0.0.0 and an End address of 10.0.0.255. Click OK.
    [Figure: IP Address Range Properties dialog box]
  7. The new address range now appears in the list of Address ranges on the Network Addresses page. Click Next.
    [Figure: Network Addresses page showing the new address range]
  8. Click Finish on the Completing the New Network Wizard page.

Create an Enterprise Network Rule

For traffic to move from one ISA Server firewall network to another ISA Server firewall network (a firewall network is a network configured at the ISA Server enterprise or array level), a network rule must be created defining the route relationship between the source and destination networks.

In this example, you will create a network address translation (NAT) relationship between the Enterprise Internal network and the Internet. This allows the array to use NAT for all connections between the hosts on the Enterprise Internal network and the Internet.

Perform the following steps to create the network rule:

  1. In the left pane of the ISA Server 2004 Enterprise Edition console, click the Enterprise Networks node. In the details pane, click the Network Rules tab.
  2. Click the Tasks tab in the task pane. Click Create a Network Rule.
  3. On the Welcome to the New Network Rule Wizard page, enter a name for the network rule in the Network rule name text box. In this example, you name the network rule Enterprise Internal to External. Click Next.
  4. On the Network Traffic Sources page, click the Add button.
  5. In the Add Network Entities dialog box, expand the Enterprise Networks folder and double-click Enterprise Internal. Click Close.
    [Figure: Add Network Entities dialog box]
  6. Click Next on the Network Traffic Sources page.
    [Figure: Network Traffic Sources page]
  7. On the Network Traffic Destinations page, click the Add button.
  8. In the Add Network Entities dialog box, expand the Enterprise Networks folder and double-click External. Click Close.
  9. Click Next on the Network Traffic Destinations page.
    [Figure: Network Traffic Destinations page]
  10. On the Network Relationship page, select the Network Address Translation (NAT) option and click Next.
    [Figure: Network Relationship page]
  11. Click Finish on the Completing the New Network Rule Wizard page.
  12. The new network rule appears in the list of enterprise network rules.
    [Figure: Enterprise network rules list showing the new rule]

Create a New Enterprise Policy

You can create enterprise policies and populate these enterprise policies with access rules, which can then be overlaid on array policies. Enterprise policies enable the enterprise administrator to centralize firewall access control throughout all firewall arrays in the organization. You need to create a new enterprise policy before creating custom enterprise access rules, which are used to control access through enterprise policy throughout your organization.

Perform the following steps to create a new enterprise policy:

  1. In the ISA Server 2004 Enterprise Edition console, click the Enterprise Policies node in the left pane of the console, and then click the Tasks tab in the task pane. On the Tasks tab, click Create New Enterprise Policy.
  2. On the Welcome to the New Enterprise Policy Wizard page, enter a name for the new enterprise policy in the Enterprise policy name text box. In this example, you name the new enterprise policy Enterprise Policy 1. Click Next.
  3. Click Finish on the Completing the New Enterprise Policy Wizard page.

The new enterprise policy now appears in the left pane of the console. Click Enterprise Policy 1. You see that there is a single rule included in the new enterprise policy, which is the default rule. This default rule blocks all communication moving through the ISA Server 2004 Enterprise Edition computers to which this enterprise policy applies. You will need to create an enterprise-level access rule to allow traffic through the ISA Server firewall arrays based on enterprise policy.

Create an Enterprise Access Rule

You can now populate the enterprise policy with access rules. In this ISA Server 2004 Enterprise Edition Quick Start Guide, you will create a simple Enterprise All Open access rule allowing outbound traffic from hosts on the Enterprise Internal network to the Internet. You will use this Enterprise All Open access rule as an example only. In a well-managed enterprise, enterprise firewall administrators create access rules that are consistent with the Principle of Least Privilege, where users are allowed access only to the resources they require to accomplish their work.

However, as a proof of concept, you will create an Enterprise All Open access rule to simplify the initial configuration of your enterprise policy. We recommend that you disable this rule and create more restrictive access rules after confirming that your test enterprise-level access rule performs as expected.

Perform the following steps to create the Enterprise All Open access rule in your Enterprise Policy 1 enterprise policy:

  1. In the ISA Server 2004 Enterprise Edition console, click the Enterprise Policy 1 enterprise policy in the left pane of the console. Click the Tasks tab in the task pane, and then click Create Enterprise Access Rule.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the access rule in the Access rule name text box. In this example, enter the name Enterprise All Open in the Access rule name text box. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
    [Figure: Rule Action page]
  4. On the Protocols page, click the drop-down arrow on the This rule applies to list and click All outbound traffic. Click Next.
    [Figure: Protocols page with All outbound traffic selected]
  5. On the Access Rule Sources page, click the Add button.
  6. In the Add Network Entities dialog box, expand the Enterprise Networks folder, and then double-click Enterprise Internal. Click Close.
  7. Click Next on the Access Rule Sources page.
  8. On the Access Rule Destinations page, click the Add button.
  9. In the Add Network Entities dialog box, expand the Enterprise Networks folder, and then double-click External. Click Close.
  10. Click Next on the Access Rule Destinations page.
  11. On the User Sets page, accept the default entry All Users and click Next.
  12. Review your settings on the Completing the New Access Rule Wizard page and click Finish.

Move Enterprise Access Rule Relative Positions

Enterprise access rules can be applied before or after array-level rules. This provides the enterprise firewall administrator with the flexibility to configure centralized firewall policy for all array members to which a particular enterprise policy is applied. You can create one or more access rules in an enterprise policy and then configure these rules, on a per-rule basis, to be applied either before or after local array policy.

Array administrators can be allowed to create their own custom array-level policies that are applied before or after one or more enterprise access rules. This provides flexibility for both enterprise and array administrators when configuring access control for network protection.

In the following figure, you can see that the enterprise access rule is placed after the Array Firewall Policy.

[Figure: Enterprise access rule placed after the Array Firewall Policy]

In this example, you will want the Enterprise All Open access rule to be applied before the array policy. You can do this by selecting the Enterprise All Open access rule, and then clicking the Move Up button, as shown in the following figure.

[Figure: Enterprise All Open access rule selected, with the Move Up button]

Move the Enterprise All Open access rule to the top of the list. Your enterprise policy should appear like the following figure.

[Figure: Enterprise All Open access rule at the top of the enterprise policy]
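The rule ordering this section describes (enterprise rules placed before array policy, then the array's own rules, then enterprise rules placed after array policy, then the enterprise default rule at the end) and the requirement from Create an Enterprise Network Rule that a network rule exist between the source and destination networks are modelled below in Python. This is an added example written for this page, not ISA Server's own code or its administration API; the array-level rule that blocks Telnet, the sample addresses, and all function and class names are constructed for illustration. It shows why the position of Enterprise All Open matters: placed before array policy, it matches first, and an array administrator's deny rule is never consulted.

```python
"""Educational model of ISA Server 2004 EE layered policy evaluation (not ISA code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Network:
    name: str
    ranges: list  # list of (start, end) address strings; anything unlisted is External


@dataclass
class NetworkRule:
    name: str
    sources: set
    destinations: set
    relationship: str  # "route" or "nat"


@dataclass
class AccessRule:
    name: str
    action: str  # "allow" or "deny"
    protocols: Optional[set]  # None models "All outbound traffic"
    sources: set  # network names, or {"*"} for any
    destinations: set


def classify(ip, networks):
    """Return the name of the network containing ip; unlisted addresses are External."""
    addr = IPv4Address(ip)
    for net in networks:
        for start, end in net.ranges:
            if IPv4Address(start) <= addr <= IPv4Address(end):
                return net.name
    return "External"


def find_network_rule(src_net, dst_net, network_rules):
    """A network rule must define the route/NAT relationship, or traffic cannot move."""
    for nr in network_rules:
        if src_net in nr.sources and dst_net in nr.destinations:
            return nr
    return None


def ordered_rules(enterprise_before, array_rules, enterprise_after):
    """Build the effective first-match list; the enterprise default rule (deny all) is last."""
    default_rule = AccessRule("Default rule", "deny", None, {"*"}, {"*"})
    return list(enterprise_before) + list(array_rules) + list(enterprise_after) + [default_rule]


def evaluate(src_ip, dst_ip, protocol, networks, network_rules, rule_order):
    """Return (action, reason) for one connection, first matching rule wins."""
    src_net = classify(src_ip, networks)
    dst_net = classify(dst_ip, networks)
    if find_network_rule(src_net, dst_net, network_rules) is None:
        return ("deny", "no network rule between %s and %s" % (src_net, dst_net))
    for rule in rule_order:
        if rule.sources != {"*"} and src_net not in rule.sources:
            continue
        if rule.destinations != {"*"} and dst_net not in rule.destinations:
            continue
        if rule.protocols is not None and protocol not in rule.protocols:
            continue
        return (rule.action, rule.name)
    return ("deny", "unreachable")  # the default rule always matches


def build_policy():
    """Objects from this guide plus one constructed array-level deny rule."""
    networks = [Network("Enterprise Internal", [("10.0.0.0", "10.0.0.255")])]
    network_rules = [NetworkRule("Enterprise Internal to External",
                                 {"Enterprise Internal"}, {"External"}, "nat")]
    all_open = AccessRule("Enterprise All Open", "allow", None,
                          {"Enterprise Internal"}, {"External"})
    # Hypothetical rule an array administrator might add to their local array policy.
    block_telnet = AccessRule("Array: Block Telnet", "deny", {"telnet"},
                              {"Enterprise Internal"}, {"External"})
    return networks, network_rules, all_open, block_telnet


def run_scenario(all_open_before_array):
    """Evaluate sample connections with Enterprise All Open before or after array policy."""
    networks, network_rules, all_open, block_telnet = build_policy()
    if all_open_before_array:
        order = ordered_rules([all_open], [block_telnet], [])
    else:
        order = ordered_rules([], [block_telnet], [all_open])
    # Constructed sample addresses: an internal host, an Internet host, an unlisted host.
    return {
        "telnet": evaluate("10.0.0.5", "198.51.100.7", "telnet", networks, network_rules, order),
        "http": evaluate("10.0.0.5", "198.51.100.7", "http", networks, network_rules, order),
        "unlisted-source": evaluate("192.168.1.5", "198.51.100.7", "http",
                                    networks, network_rules, order),
    }


if __name__ == "__main__":
    for before in (False, True):
        print("Enterprise All Open before array policy:", before)
        for name, verdict in run_scenario(before).items():
            print("  %-16s -> %s (%s)" % (name, verdict[0], verdict[1]))
```

With the rule after array policy, Telnet is denied by the array rule and HTTP is allowed by Enterprise All Open; moved before array policy, the same Telnet connection is allowed because the enterprise rule matches first, which is exactly why the guide recommends disabling the all-open rule once the test succeeds. A source address outside every defined enterprise network falls into External, and with no External-to-External network rule the model drops it before any access rule is read.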

[Topic Last Modified: 02/26/2008]