System policy
Microsoft Internet Security and Acceleration (ISA) Server 2004 protects your network resources while also connecting them securely for specifically defined needs. ISA Server must balance security against the connectivity required to get the job done. This often means defining specific firewall policy rules. More fundamentally, it requires a networking infrastructure that allows the most basic functionality: authentication, network diagnostics and logging, and remote management are examples of services you may need to enable in order to administer and monitor network activity and security effectively.
ISA Server introduces a system policy, a set of firewall policy rules that control how the ISA Server computer enables the infrastructure necessary to manage network security and connectivity. ISA Server is installed with a default system policy, designed to address that balance between security and connectivity.
Some system policy rules are enabled upon installation. These are considered the most basic rules needed to manage the ISA Server environment. After you install ISA Server, you can tune the system policy: identify the services and tasks that are not critical to how you manage your network, and disable the associated system policy rules.
Other system policy rules are not enabled upon installation. Similarly, identify the services and tasks that you do require to manage your network, and enable the associated system policy rules. Because system policy rules are processed before the firewall policy you define, each enabled rule is a standing allowance that no later firewall policy rule can override; keep the set enabled to what you actually use.
System Policy Rules
When you enable a system policy configuration group, one or more system policy rules are enabled. Upon installation, the rules apply to the networks listed in the table below. You can subsequently narrow or change the networks to which a rule applies; rules that allow access to the ISA Server computer from the Internal network are good candidates for restricting to the specific management and monitoring computers that need them, rather than the whole network.
Note that disabling a system policy configuration group does not necessarily block a particular protocol. The same protocol may be allowed by a different rule that belongs to another, still-enabled configuration group. To confirm that a protocol is really blocked, check every enabled rule that could match the same source, destination, and protocol.
The table below lists the system policy configuration groups, the rule names associated with each category, and a brief description of each rule.
| Configuration Group | Scenario | Rule Name | Rule Description |
|---|---|---|---|
| DHCP | Address configuration using DHCP | Allow DHCP request from firewall; Allow DHCP reply to firewall | Allows the ISA Server computer to access all networks using the DHCP (request) and DHCP (reply) protocols |
| DNS | Name resolution using DNS | Allow DNS from the ISA | Allows the ISA Server computer to access all networks using the DNS protocol |
| NTP | Time configuration | Allow NTP protocol from firewall to trusted servers | Allows the ISA Server computer to access the Internal network using the NTP (UDP) protocol |
| Active Directory | Windows user authentication | Allow LDAP(S) protocols from firewall to trusted DCs; Allow RPC from firewall to trusted servers; Allow Microsoft CIFS protocol from firewall to trusted servers; Allow Kerberos protocol from firewall to trusted DCs | Allows the ISA Server computer to access the Internal network using various LDAP protocols, the RPC (all interfaces) protocol, various Microsoft CIFS protocols, and various Kerberos protocols |
| RSA SecurID | Authentication | Allow SecurID protocol from firewall to trusted servers | Allows the ISA Server computer to access the Internal network using the SecurID protocol |
| RADIUS | Authentication | Allow RADIUS protocol from firewall to trusted servers | Allows the ISA Server computer to access the Internal network using various RADIUS protocols |
| Microsoft Management Console | Remote management | Allow Remote Management using MMC from trusted servers | Allows computers on the Internal network to access the ISA Server computer using the MS Firewall Control and RPC (all interfaces) protocols |
| Terminal server | Remote management | Allow Remote Management using Terminal Server | Allows computers on the Internal network to access the ISA Server computer using the RDP (Terminal Services) protocol |
| ICMP (ping) | Connectivity verification | Allow ICMP (ping) from trusted servers to firewall | Allows computers on the Internal network to access the ISA Server computer using the Ping protocol, and vice versa. |
| Firewall client setup | Access to Firewall client share | Allow access to Firewall client share to trusted computers | Allows computers on the Internal network to access the ISA Server computer using various Microsoft CIFS and NetBIOS protocols |
| ICMP | Diagnostic | Allow ICMP from firewall to all networks | Allows the ISA Server computer to access all networks using various ICMP protocols and the Ping protocol. |
| Windows networking | Diagnostic | Allow Windows networking (NetBIOS) from firewall to all networks | Allows the ISA Server computer to access all networks using various NetBIOS protocols |
| Microsoft Error Reporting | Communication to Microsoft | Allow HTTP/HTTPS from firewall to Microsoft Error Reporting sites | Allows the ISA Server computer to access members of the Microsoft Error Reporting sites URL set using HTTP or HTTPS protocols |
| Remote logging (NetBIOS) | Logging | Allow Remote logging using NetBios transport to trusted servers | Allows the ISA Server computer to access the Internal network using various NetBIOS protocols |
| Remote Logging (SQL) | Logging | Allow Remote logging using Microsoft SQL protocol from firewall to trusted servers | Allows the ISA Server computer to access the Internal network using the Microsoft SQL protocols |
| Remote Performance Monitoring | Remote monitoring | Allow Remote Performance monitoring from trusted servers to firewall | Allows computers on the Internal network to access the ISA Server computer using various NetBIOS protocols |
| Microsoft Operations Manager | Remote monitoring | | Allows the ISA Server computer to access the Internal network using the Microsoft Operations Manager agent |
| SMTP | Mail alerts | Allow SMTP protocol from firewall to trusted servers | Allows the ISA Server computer to access the Internal network using the SMTP protocol |
| Scheduled Download Jobs | Cache | Allow HTTP from firewall to all networks for scheduled downloads jobs | Allows the ISA Server computer to access all networks using the HTTP protocol |
| Allowed sites | Access to Microsoft sites | Allow HTTP/HTTPS from firewall to the selected sites | Allows the ISA Server computer to access members of the System Policy Allowed Sites URL set using HTTP and HTTPS protocols |
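The point made above about disabling a configuration group (the same protocol may still be allowed by a rule in another enabled group) is easy to get wrong when reading the table by eye. The following is an added example, not code from the ISA Server product or its documentation: it models a handful of the rules in the table as data and computes, for a given group, which flows other enabled groups still permit and which flows are genuinely blocked. The network set, the breakdown of "various NetBIOS protocols" into the three ISA NetBIOS protocol definitions, and the choice of enabled groups are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed network set standing in for the ISA Server network objects
# ("all networks" in the table); "Local Host" is the ISA Server computer itself.
NETWORKS: Tuple[str, ...] = ("Internal", "External", "VPN Clients")
LOCAL_HOST = "Local Host"
ALL = "All Networks"

# The table only says "various NetBIOS protocols"; this breakdown into the
# three ISA Server NetBIOS protocol definitions is an assumption.
NETBIOS = frozenset({"NetBIOS Datagram", "NetBIOS Name Service", "NetBIOS Session"})


@dataclass(frozen=True)
class Rule:
    group: str             # system policy configuration group
    name: str              # rule name as listed in the table
    src: str               # source network (or Local Host)
    dst: str               # destination network (or Local Host)
    protocols: FrozenSet[str]


# A subset of the table above, modelled as data (constructed example).
RULES: List[Rule] = [
    Rule("Windows networking",
         "Allow Windows networking (NetBIOS) from firewall to all networks",
         LOCAL_HOST, ALL, NETBIOS),
    Rule("Remote logging (NetBIOS)",
         "Allow Remote logging using NetBios transport to trusted servers",
         LOCAL_HOST, "Internal", NETBIOS),
    Rule("Remote Performance Monitoring",
         "Allow Remote Performance monitoring from trusted servers to firewall",
         "Internal", LOCAL_HOST, NETBIOS),
    Rule("ICMP",
         "Allow ICMP from firewall to all networks",
         LOCAL_HOST, ALL, frozenset({"Ping", "ICMP Timestamp"})),
    Rule("ICMP (ping)",
         "Allow ICMP (ping) from trusted servers to firewall",
         "Internal", LOCAL_HOST, frozenset({"Ping"})),
]
# Assume every modelled group is enabled to start with.
ALL_GROUPS: FrozenSet[str] = frozenset(r.group for r in RULES)

Flow = Tuple[str, str, str]   # (source, destination, protocol)


def expand(net: str) -> Tuple[str, ...]:
    """Turn 'All Networks' into the concrete networks; anything else is itself."""
    return NETWORKS if net == ALL else (net,)


def flows(rule: Rule) -> FrozenSet[Flow]:
    """Concrete (src, dst, protocol) triples that a single rule permits."""
    return frozenset((s, d, p)
                     for s in expand(rule.src)
                     for d in expand(rule.dst)
                     for p in rule.protocols)


def rules_allowing(enabled: FrozenSet[str], flow: Flow) -> List[str]:
    """Names of rules in enabled groups that permit the flow."""
    return [r.name for r in RULES if r.group in enabled and flow in flows(r)]


def _covered_by(group: str) -> FrozenSet[Flow]:
    covered: set = set()
    for r in RULES:
        if r.group == group:
            covered |= flows(r)
    return frozenset(covered)


def residual_after_disabling(enabled: FrozenSet[str], group: str) -> Dict[Flow, List[str]]:
    """Flows the disabled group covered that other enabled groups still allow."""
    remaining = frozenset(enabled) - {group}
    return {f: rules_allowing(remaining, f)
            for f in sorted(_covered_by(group))
            if rules_allowing(remaining, f)}


def blocked_after_disabling(enabled: FrozenSet[str], group: str) -> List[Flow]:
    """Flows that really go away once the group is disabled."""
    remaining = frozenset(enabled) - {group}
    return sorted(f for f in _covered_by(group) if not rules_allowing(remaining, f))


if __name__ == "__main__":
    for group in ("Windows networking", "ICMP (ping)"):
        print(f"Disabling {group!r}:")
        for flow, names in residual_after_disabling(ALL_GROUPS, group).items():
            print("  still allowed:", flow, "via", names)
        for flow in blocked_after_disabling(ALL_GROUPS, group):
            print("  now blocked:  ", flow)
```

Under these assumptions, disabling the Windows networking group still leaves NetBIOS from the ISA Server computer to the Internal network open, because the Remote logging (NetBIOS) rule allows the same flows; only NetBIOS towards the External and VPN Clients networks is actually blocked. Disabling the ICMP (ping) group, by contrast, really does block ping from the Internal network to the firewall, since the ICMP group's rule only covers traffic originating from the ISA Server computer. The same enumeration can be repeated against the real rule set after any change to confirm what a disabled group actually removes.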
In addition to the rules listed in the table above, the system policy includes the following rules that apply to VPN configuration.
- Allow VPN site-to-site from firewall
- Allow VPN site-to-site to firewall
- Allow VPN clients to firewall
These rules are enabled when you enable VPN. For instructions, see Enable virtual private networking.
When you create an HTTP connectivity verifier, ISA Server checks connectivity by sending HTTP GET requests to the specified computer. A system policy rule named Allow HTTP/HTTPS from firewall to all networks, for HTTP connectivity verifiers, is enabled as needed to allow these requests.
System Policy Defaults
The table below lists the system policy default settings, upon installation.
