Creating and Configuring a New Array and Array Policy

Collections of ISA Server 2004 Enterprise Edition computers can be grouped into firewall arrays. A firewall array shares a common configuration and all computers within the array share a common firewall policy. ISA Server 2004 Enterprise Edition arrays can consist of two or more firewall devices. Arrays make it easy to configure multiple firewalls because a single firewall policy is applied to all array members.

The array concept may be confusing to ISA Server 2004 Standard Edition administrators who are not accustomed to configuring firewall policy for multiple computers through a unified management interface. Configuring array policy for an enterprise array is similar to configuring firewall policy for a single ISA Server 2004 Standard Edition computer. The primary difference is that when configuring enterprise array policy, the same policy is applied to all computers in the array. In contrast, when you configure firewall policy on an ISA Server 2004 Standard Edition computer, policy is applied only to a single computer.

Note that while firewall policy is automatically applied to all computers in an array, there are some configuration options that do not lend themselves to array-level configuration. The ISA Server 2004 Enterprise Edition management interface informs you when you encounter one of these per-server configuration options and allows you to make the appropriate per-server settings when required.

You must create ISA Server 2004 Enterprise Edition arrays because there are no default arrays. In this section, you will perform the following ISA Server 2004 Enterprise Edition array-related tasks:

  • Create a new array. There are no default arrays, so you must create a new array to which you will apply firewall policy.
  • Configure array properties. There are many characteristics that define an array. The first step after creating a new array is to define these array-specific characteristics, such as addresses used for intra-array communications.
  • Create the intra-array network. Each array member in the sample network used in this ISA Server 2004 Enterprise Edition Quick Start Guide has three network interfaces. One network interface is connected to the default External network, another interface is connected to the default Internal network, and the third interface is connected to a network dedicated to intra-array communications. This intra-array communications network is required because you will later enable Network Load Balancing (NLB) for the array. A dedicated network adapter is required because ISA Server 2004 Enterprise Edition integrated NLB uses only unicast mode NLB.
  • Configure the Enterprise Remote Management Computers computer set. After creating the array, several network objects are included by default. One of these network objects is the Remote Management Computers computer set. You will need to add the Configuration Storage server, on which you will run the ISA Server 2004 Enterprise Edition management console, to this computer set so that it can manage computers in the ISA Server 2004 Enterprise Edition array.
  • Create an array access rule. In this section, you will create an HTTP-only access rule to demonstrate how to create an array-level rule, and then demonstrate how enterprise and array policies interact.
  • Move the enterprise access rule below the array access rule. You can move enterprise rules above and below array-level access rules. This section demonstrates how to do this.
  • Back up the enterprise configuration. ISA Server 2004 Enterprise Edition allows you to easily back up and restore your enterprise configuration. This section demonstrates procedures for backing up the enterprise configuration.
  • Back up the array configuration. In addition to making it easy to back up the enterprise firewall policy, ISA Server 2004 Enterprise Edition makes it easy to back up the array-level policy. This section demonstrates how to back up the array policy.

The first step is to create a new array. You can create one or more arrays in the ISA Server 2004 Enterprise Edition console from a single management workstation. There is never a need to use RDP to manage the firewall configuration on any array member computer. Perform the following steps to create the new enterprise array:

  1. In the ISA Server 2004 Enterprise Edition console, click the Arrays node in the left pane of the console. Click the Tasks tab in the task pane and click Create New Array.
  2. On the Welcome to the New Array Wizard page, enter a name for the new array in the Array name text box. In this example, you name the array NEWARRAY. Click Next.
  3. On the Array DNS Name page, enter the fully qualified domain name that Firewall clients and Web Proxy clients should use when connecting to the array. In this example, you enter newarray.msfirewall.org. You should create Host (A) records in the Internal network DNS that map the internal IP address of each array member to this name. Enter newarray.msfirewall.org in the Array’s DNS name text box and click Next.
  4. On the Assign Enterprise Policy page, in Apply this enterprise policy to the new array, select Enterprise Policy 1. Click Next.
  5. On the Array Policy Rule Types page, select the type of array firewall policy rules that an array administrator can create for the array. This option enables the enterprise administrator to limit the scope of rule types that an array administrator can create and helps centralize control over network firewall security policy. In this example, select the "Deny" access rules, "Allow access" rules, and Publishing rules (Deny and Allow) check boxes. Click Next.
  6. On the Completing the New Array Wizard page, click Finish.
  7. In the Create New Array dialog box, click OK when the array is successfully created.

In the left pane of the ISA Server 2004 Enterprise Edition console, expand the Arrays node, expand the NEWARRAY node, and then expand the Configuration node. With each of these nodes expanded, you can see all nodes and subnodes used to configure the array. The first step is to configure the general properties of the array. Perform the following steps to configure the array properties:

  1. Click the NEWARRAY node in the left pane of the console, and then click the Tasks tab in the task pane. On the Tasks tab, click Configure Array Properties.
  2. The first tab you see in the NEWARRAY Properties dialog box is the General tab. There is nothing you need to configure on this tab.
  3. Click the Policy Settings tab. On the Policy Settings tab, you can change the enterprise policy assigned to the array. You can also change the array firewall policy rule types that can be configured on this array. In this example, you do not make any changes on this tab.
  4. Click the Configuration Storage tab. On the Configuration Storage tab, you can enter the name of the Configuration Storage server in Configuration Storage server (enter the FQDN). This value is entered by default during installation of the Configuration Storage server. You can also enter an alternate Configuration Storage server in Alternate Configuration Storage server (optional). Configuring an alternate Configuration Storage server provides fault tolerance in the event that the default Configuration Storage server is not available. Array members check the Configuration Storage server for updated policy based on the setting in the Check the Configuration Storage server for updates every box. The default is every 15 seconds, but you can configure the update interval to be any value. In this example, you do not make any changes on the Configuration Storage tab.
  5. On the Intra-Array Credentials tab, you configure which credentials an array member uses for intra-array communications. Because all array members and the Configuration Storage server are members of the same domain, the default setting is Authenticate using the computer account of the array member. If the computers were not all members of the same or a trusted Active Directory domain, you would select the Authenticate using this account (for workgroup configuration only) option instead. In this example, you do not make any changes on the Intra-Array Credentials tab.
  6. Click the Assign Roles tab. On the Assign Roles tab, you configure the users and groups that are allowed management roles for this array. Click the Add button on the Assign Roles tab. Use the Browse button to select a user or group to which you want to assign an array management role. Click the drop-down arrow for the Role list. You can assign users or groups to one of the following array roles: ISA Server Array Administrator, ISA Server Array Auditor, or ISA Server Array Monitoring Auditor. In this example, you assign the MSFIREWALL\Domain Admins group the ISA Server Array Administrator role. Click OK.
  7. Click Apply, and then click OK in the NEWARRAY Properties dialog box.

Each member in the array on our example network has a third network adapter installed that is dedicated to intra-array communications. This is required because later you will enable ISA Server 2004 Enterprise Edition integrated Network Load Balancing (NLB) within the array. ISA Server 2004 Enterprise Edition NLB uses only unicast mode NLB. To prevent issues related to unicast mode NLB, you need a network interface dedicated to intra-array communications.

The ISA Server firewall array members consider all addresses that are not part of a defined ISA Server firewall network to be part of the default External network. To prevent routing errors, you must create an ISA Server firewall network definition for the intra-array network. Perform the following steps to create the intra-array network:

  1. In the ISA Server 2004 Enterprise Edition console, click the Networks node located under the Configuration node. Click the Tasks tab in the task pane and click Create a New Network.
  2. On the Welcome to the New Network Wizard page, enter a name for the new network in the Network name text box. In this example, you name the new network Intra-array Network. Click Next.
  3. On the Network Type page, select the Perimeter Network option and click Next.
  4. On the Network Addresses page, you configure the addresses used on the intra-array network. You can use the Add Range, Add Adapter, or Add Private buttons to add the address range defining the network. However, you are not able to use the Add Adapter button in this example, because there are no computers assigned to the array yet. Because there are no computers assigned to the array, the Configuration Storage server does not have information about the array member adapters. In this example, click the Add Range button.
  5. In the IP Address Range Properties dialog box, enter the first and last addresses in the range in the Start address and End address text boxes. In this example, enter a Start address of 222.222.222.0 and an End address of 222.222.222.255. Click OK.
  6. Click Next on the Network Addresses page.
  7. Click Finish on the Completing the New Network Wizard page.

To manage the enterprise array computers from a management station running the ISA Server 2004 Enterprise Edition console, the management station must be added to the Enterprise Remote Management Computers computer set. This computer set network object is created for you automatically. You only need to add the address of your management station to the computer set. In this example, you will add the IP address of the Configuration Storage server to this computer set. Perform the following steps to add the Configuration Storage server to the Enterprise Remote Management Computers computer set:

  1. In the ISA Server 2004 Enterprise Edition console, click the Enterprise Policy 1 node in the left pane of the console. In the task pane, click the Toolbox tab.
  2. On the Toolbox tab, click Network Objects. On the Network Objects tab, expand the Computer Sets folder.
  3. Double-click the Enterprise Remote Management Computers computer set.
  4. In the Enterprise Remote Management Computers Properties dialog box, click the Add button, and then click the Computer menu item.
  5. In the New Computer Rule Element dialog box, enter a name for the management station in the Name text box. In this example, you name the entry Enterprise Management Station. In the Computer IP Address text box, enter the IP address of the management station. In this example, the IP address of the management station is 10.0.0.4, so enter 10.0.0.4 in the text box. Click OK.
  6. Click Apply, and then click OK in the Enterprise Remote Management Computers Properties dialog box.

To demonstrate the interactions between enterprise policy and array policy access rules, you will create an access rule in the array policy allowing outbound access only to HTTP. Perform the following steps to create the HTTP-only access rule:

  1. In the ISA Server 2004 Enterprise Edition console, expand the Arrays node, and then expand the NEWARRAY node. Click the Firewall Policy (NEWARRAY) node in the left pane of the console.
  2. Click the Tasks tab in the task pane, and then click Create Array Access Rule.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the access rule in the Access rule name text box. In this example, you name the rule Array – HTTP only. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, confirm that the Selected protocols option is selected in the This rule applies to list, and then click the Add button.
  6. In the Add Protocols dialog box, expand the Common Protocols folder. Double-click HTTP and click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, expand the Enterprise Networks folder, and then double-click Enterprise Internal. Click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, expand the Networks folder, and then double-click the External network. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry All Users and click Next.
  15. Click Finish on the Completing the New Access Rule Wizard page.
  16. The array firewall policy should now look like the display in the following figure.
    [Figure: array firewall policy after creating the Array – HTTP only rule]

You can move enterprise access rules contained in the enterprise policy assigned to the array to be evaluated either before or after array-level rules on a per-rule basis. To do this, you must change the enterprise rule’s position in the enterprise policy configuration.

Perform the following steps to move the enterprise access rule:

  1. Click the Enterprise Policy 1 node in the left pane of the ISA Server 2004 Enterprise Edition console. The following figure shows the configuration of the current enterprise policy.
    [Figure: current enterprise policy, with the Enterprise All Open rule above the array policy]
  2. Click the Enterprise All Open access rule and click the Move Down button (represented by a down-pointing blue arrow in the MMC button bar). The enterprise policy now looks like the following figure.
    [Figure: enterprise policy after moving the Enterprise All Open rule down]
  3. Click the Firewall Policy (NEWARRAY) node in the left pane of the console. You can see that the Enterprise All Open access rule now appears below the array policy rule.
    [Figure: array firewall policy with the Enterprise All Open rule below the Array – HTTP only rule]
  4. Return to the Enterprise Policy 1 node and move the Enterprise All Open access rule to the top of the list. Later in this ISA Server 2004 Enterprise Edition Quick Start Guide, you will test the effects of moving enterprise policy access rules.
  5. The basic enterprise and array configuration is now complete. Click the Apply button to save the changes to the firewall policy.
  6. Click OK in the Apply New Configuration dialog box when the configuration is successfully applied.
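The interaction this procedure demonstrates, modelled as an added example (constructed here, not ISA Server code or an ISA Server API): the enterprise policy contains an Array Policy placeholder, enterprise rules above it are evaluated before the array's own rules and rules below it after, and the first matching rule wins, falling through to the default deny. The rules are the Enterprise All Open and Array – HTTP only rules from this guide plus one constructed array deny rule for FTP, so that moving the enterprise rule visibly changes a decision.

```python
"""Evaluation order of enterprise and array access rules (constructed model).

Enterprise rules listed above the 'Array Policy' placeholder run before the
array rules; those listed below it run after. First match decides; anything
unmatched hits the implicit default deny.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

ALLOW, DENY = "allow", "deny"
ARRAY_POLICY = "Array Policy"   # placeholder entry shown in the enterprise policy list


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    protocols: Optional[FrozenSet[str]] = None   # None means "All outbound traffic"

    def matches(self, protocol: str) -> bool:
        return self.protocols is None or protocol in self.protocols


def effective_order(enterprise: List[Union[Rule, str]], array_rules: List[Rule]) -> List[Rule]:
    """Flatten the policy in the order an array member evaluates it."""
    if enterprise.count(ARRAY_POLICY) != 1:
        raise ValueError("enterprise policy needs exactly one Array Policy placeholder")
    split = enterprise.index(ARRAY_POLICY)
    before = [e for e in enterprise[:split] if isinstance(e, Rule)]
    after = [e for e in enterprise[split + 1:] if isinstance(e, Rule)]
    return before + list(array_rules) + after


def evaluate(order: List[Rule], protocol: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default deny."""
    for rule in order:
        if rule.matches(protocol):
            return rule.action, rule.name
    return DENY, "Default rule"


# Rules from this guide, plus a constructed array-level deny rule for FTP.
ENTERPRISE_ALL_OPEN = Rule("Enterprise All Open", ALLOW)
ARRAY_HTTP_ONLY = Rule("Array – HTTP only", ALLOW, frozenset({"HTTP"}))
ARRAY_DENY_FTP = Rule("Array – Deny FTP (constructed)", DENY, frozenset({"FTP"}))
ARRAY_RULES = [ARRAY_DENY_FTP, ARRAY_HTTP_ONLY]

# Before step 2: enterprise rule above the placeholder.  After step 2: below it.
ENTERPRISE_RULE_ABOVE = [ENTERPRISE_ALL_OPEN, ARRAY_POLICY]
ENTERPRISE_RULE_BELOW = [ARRAY_POLICY, ENTERPRISE_ALL_OPEN]


def compare(protocols=("HTTP", "HTTPS", "FTP")) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Decision per protocol with the enterprise rule above and below the array policy."""
    result = {}
    for label, policy in (("above", ENTERPRISE_RULE_ABOVE), ("below", ENTERPRISE_RULE_BELOW)):
        order = effective_order(policy, ARRAY_RULES)
        result[label] = {p: evaluate(order, p) for p in protocols}
    return result


if __name__ == "__main__":
    for position, decisions in compare().items():
        print(f"Enterprise All Open {position} array policy:")
        for proto, (action, rule) in decisions.items():
            print(f"  {proto:<5} -> {action:<5} ({rule})")
```

With the enterprise rule above the array policy it matches everything first, so the array's deny rule never fires; moved below, the array rules decide HTTP and FTP and the enterprise rule only catches what the array left unmatched.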

At this point, you are ready to back up the Enterprise Policy configuration. The enterprise policy can be backed up to an .xml file and that file can be used to restore enterprise policy in the event of a disaster causing loss of the Configuration Storage server. Perform the following steps to back up the enterprise configuration:

  1. In the ISA Server 2004 Enterprise Edition console, click the Enterprise node in the left pane of the console. Click the Tasks tab in the task pane, and then click Export Enterprise Configuration.
  2. Click Next on the Welcome to the Export Wizard page.
  3. On the Export Preferences page, select the Export user permission settings check box and click Next.
  4. On the Export File Location page, enter a path and name for the enterprise configuration backup file. In this example, enter C:\enterprise_config in the Save the data to this file (enter the full path) text box. Click Next.
  5. Click Finish on the Completing the Export Wizard page.
  6. Click OK after the dialog box appears informing you that the export was successful.

You should also back up the array configuration at this point. Perform the following steps to back up the array configuration to an .xml file that you can use to later restore the array in the event that the Configuration Storage server is lost:

  1. In the ISA Server 2004 Enterprise Edition console, click the NEWARRAY node in the left pane of the console. Click the Tasks tab in the task pane, and then click Export (Back Up) Array Configuration.
  2. Click Next on the Welcome to the Export Wizard page.
  3. On the Export Preferences page, select the Export confidential information and Export user permission settings check boxes. Enter a password and confirm the password in the Password and Confirm password text boxes. Click Next.
  4. On the Export File Location page, enter a path and file name for the array backup file. In this example, enter C:\array_backup. Click Next.
  5. Click Finish on the Completing the Export Wizard page.
  6. Click OK after the dialog box appears informing you that the export was successful.

[Topic Last Modified: 02/26/2008]