Microsoft ISA Server 2004 Firewall, Part 3

Figure 8-4. ISA Server 2004 Management Console

To perform remote administration of ISA Server 2004 firewalls using the management console, the management workstation must be added to the Enterprise Remote Management Computers (to manage all firewalls in the enterprise) or the Remote Management Computers (to manage a single firewall in the enterprise) computer set, and then remote management must be enabled. The easiest way to do this is to right-click the Firewall Policy object in the management console and choose Edit System Policy. Under the Remote Management configuration group, select Microsoft Management Console and ensure that Enable is checked on the General tab. Next, click the From tab and choose the appropriate group that you want to update, as shown in Figure 8-5, and then click Edit.

Figure 8-5. Modifying Remote Management Rules

At the Properties screen, add, edit, or delete systems that will be allowed to perform remote management on the firewalls. When you have finished, click OK to close any open windows, returning to the management console. Before any configuration changes are actually performed on the ISA servers, the last task is to choose whether to apply or discard the changes, as shown in Figure 8-6.

Figure 8-6. Applying Configuration Changes

Note: Keep in mind that any time you apply or discard changes, if you have made multiple changes, you are applying or discarding all of them, and in the case of firewall policy changes, you are applying or discarding the entire firewall policy. Make sure you are comfortable with any and all changes you have opted to make before you decide to click Apply.

To understand how the Microsoft ISA Server 2004 firewall works, it is important to identify the specific functions that an ISA Server 2004 firewall can perform:

• Filter outbound access
• Publish internal resources
• Perform application filtering
• Configure system policy rules
• Configure client access methods
• Cache web data

Filtering Outbound Access

ISA Server 2004 manages and applies all rules in what is known as a firewall policy. There are two general classifications of rules: publishing rules, which are used to define access from external sources to internal/protected resources, and access rules, which are used to define access to external destinations.

Access rules consist of the following policy elements:

• Rule action: This defines whether traffic should be allowed or denied when the rule conditions are met.
• Protocols: This is where you specify the protocols to which the rule applies. These can be any Layer 3 (IP level) protocol, any Layer 4 (transport layer) port number, or any ICMP properties.
• Source: This is where you define the source of the traffic that the rule will apply to, typically an internal network.
• Destination: This is where you define the destination of the traffic that the rule will apply to, typically an external network.
• User sets: This is where you define the users that the rule will apply to. To take advantage of user sets, you cannot be using the SecureNAT firewall client because it has no means of performing authentication.
• Content types: This is where you define the Multipurpose Internet Mail Extensions (MIME) types and file extensions that the rule will apply to. Content types can only be specified and used with rules for the HTTP and tunneled FTP (FTP that is handled by the Microsoft ISA Server 2004 web proxy filter) protocols, allowing you to define what specific content will be permitted (for example, denying .exe extensions in URL requests).
• Schedules: This is where you define the schedule during which the rule will be applied. Schedules only apply to new connections; existing connections that are in place outside of the hours that the schedule has defined are not disconnected automatically.

Building the access rule is a largely wizard-driven process, with the exception of configuring the content types and schedule, which must be done by editing the properties of an existing rule. Just right-click the firewall policy and choose New > Access Rule, as shown in Figure 8-7.

Figure 8-7. Creating an Access Rule

This will begin the New Access Rule Wizard. At the Welcome screen, assign an appropriate access rule name and click Next. At the Rule Action screen, select Allow or Deny for the traffic as appropriate and click Next. At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selected Traffic, or All Outbound Traffic Except Selected Traffic. If you choose the latter, you must click Add to specify the protocols that the rule applies to. For example, Figure 8-8 shows a rule being created that applies to the HTTP protocol only.

Figure 8-8. Protocols Screen

When you have finished, click Next to be presented with the Access Rule Sources screen. Click Add to specify the traffic source that this rule will apply to. Figure 8-9 shows the Add Network Entities screen that is accessed by clicking Add.

Figure 8-9. Add Network Entities Screen

After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only w ...
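
A simplified model of how the access rule policy elements described above combine, as an added example (not code from the book or from ISA Server). The class names, the `rule_applies` helper, the network and user set labels, and the sample rule are constructed for illustration, and the model assumes an unauthenticated request never matches a rule that names user sets.

```python
from dataclasses import dataclass, field
from datetime import time

CONTENT_TYPE_PROTOCOLS = {"HTTP", "FTP"}  # content types are limited to these

@dataclass
class AccessRule:
    name: str
    action: str                                      # "allow" or "deny"
    protocols: set
    sources: set
    destinations: set
    user_sets: set = field(default_factory=set)      # empty: all users
    content_types: set = field(default_factory=set)  # empty: all content
    schedule: tuple = None                           # (start, end); None: always
    def __post_init__(self):
        if self.content_types and not self.protocols <= CONTENT_TYPE_PROTOCOLS:
            raise ValueError("content types require an HTTP or tunneled FTP rule")

@dataclass
class Request:
    protocol: str
    source: str
    destination: str
    at: time
    user_set: str = None         # None: unauthenticated, e.g. a SecureNAT client
    extension: str = ""
    new_connection: bool = True

def rule_applies(rule, req):
    """Return True when every policy element of the rule matches the request."""
    if (req.protocol not in rule.protocols or req.source not in rule.sources
            or req.destination not in rule.destinations):
        return False
    # User sets need an authenticated identity, which SecureNAT cannot supply.
    if rule.user_sets and req.user_set not in rule.user_sets:
        return False
    # Content types narrow the rule to the listed file extensions.
    if rule.content_types and req.extension not in rule.content_types:
        return False
    # Schedules gate new connections only; established ones are not disconnected.
    if rule.schedule and req.new_connection:
        start, end = rule.schedule
        return start <= req.at < end
    return True

# Constructed sample: deny .exe over HTTP for the "Staff" user set, 08:00-18:00.
RULE = AccessRule("Block EXE", "deny", {"HTTP"}, {"Internal"}, {"External"}, {"Staff"},
                  {".exe"}, (time(8, 0), time(18, 0)))
```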
