Document: MCSE ISA Server 2000 - P14 (pptx)

STUDY STRATEGIES

- For each Enterprise policy assignment, develop policy elements and access policies, and then test them.
- When things don't work as expected, determine why, and test your assumption to prove it works.
- There is no substitute for hands-on experience here. You must install at least two Enterprise ISA Servers in an array.
- Try different approaches by creating different types of Enterprise policies and assigning them one at a time to your array.

Part III CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES
Chapter 12 ACCESS CONTROL IN THE ENTERPRISE

INTRODUCTION

The Enterprise edition of ISA Server, when integrated in an Active Directory domain, affords new vistas of centralized control and management. You may be well versed in how to create and troubleshoot ISA Server Internet access and be tempted to quickly scan this information. Don't! Some familiar tasks are restricted, or can only take place at the Enterprise level. Many capabilities are dependent on the Enterprise policy applied to the array, so learning the hows and wheres in one array might not transfer to another array you'll visit. Your time will be well spent here, as you need to have a framework on which to hang your hands-on knowledge. Be sure to spend time implementing access policy in an array environment.

Organizing your knowledge consists of:

- Determining Where to Do It: An Access Policy Functional Framework
- Determining Who Can Do It: An Access Policy Permissions Framework
- Applying Access Policy: An Access Policy Strategy for the Enterprise
- Troubleshooting Access Problems

DETERMINING WHERE TO DO IT: AN ACCESS POLICY FUNCTIONAL FRAMEWORK

The first indication that the rules for access policy creation have changed is the change to the ISA Server management console interface. Figure 12.1 (Enterprise Edition) and Figure 12.2 (Standard Edition) illustrate that difference. The Enterprise edition makes available the creation of enterprise-level:

- Site and Content Rules
- Protocol Rules
- Some Policy Elements

FIGURE 12.1 Enterprise location of rules and policy elements.
FIGURE 12.2 Standard edition location of rules and policy elements.

In the Standard edition, it's pretty straightforward: You create all access rules and policy elements right in one place. In the Enterprise edition, there are two possible places to create policy elements and rules: at the enterprise policy location, and/or the array. Also, the type of policy applied to the array controls whether you can create any of them. Depending on this policy, some things must be created at the enterprise level, some at the array level, and some at both. Additionally, some items, such as publishing rules and dial-up entries, can only be created at the server level. Understanding what can be created, and where, is a matter of applying the meaning of the policy to the availability of the object. Table 12.1 lists rules and policy elements and defines where they can be created according to policy scope. The policy names used in the table can be cross-referenced to the policy choices in the following list:

- Array Only: Use array policy only
- Enterprise Only: Use this enterprise policy
- Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy
- Allow Publishing: Allow publishing rules

TABLE 12.1 ACCESS POLICY FUNCTIONAL FRAMEWORK

Access Policy or         Type of Policy                      Create at             Create at
Policy Element                                               Enterprise            Array
-------------------------------------------------------------------------------------------
Site and Content Rules   Array Only                          No                    Yes
                         Enterprise Only                     Yes                   No
                         Enterprise with Restrictive Array   Yes                   Yes (deny only)
Protocol Rules           Array Only                          Yes                   Yes
                         Enterprise Only                     Yes                   No
                         Enterprise with Restrictive Array   Yes                   Yes (deny only)
Schedules                All Choices                         Yes                   Yes
Bandwidth Priorities     Array Only, Enterprise Only,        No                    Yes
                         Enterprise with Restrictive Array
Destination Sets         Array Only, Enterprise Only,        Yes                   Yes
                         Enterprise with Restrictive Array
Client Address Sets      Array Only, Enterprise Only,        Yes                   Yes
                         Enterprise with Restrictive Array
Protocol Definitions     Array Only, Enterprise Only,        Yes                   Yes
                         Enterprise with Restrictive Array
Content Groups           Array Only, Enterprise Only,        Yes                   Yes
                         Enterprise with Restrictive Array
Dial-up Entries          Array Only, Enterprise Only,        No                    Yes*
                         Enterprise with Restrictive Array
Routing Rules            Array Only, Enterprise Only,
                         Enterprise with Restrictive Array
Publishing Rules         Array Only, Enterprise Only,        No                    No
                         Enterprise with Restrictive Array
                         Allow Publishing                    No                    Yes*
Packet Filters           Array Only, Enterprise Only         No, if "forced on     Yes, if this is
                                                             array"                unchecked
                         Enterprise with Restrictive Array   No, if "forced on     Yes
                                                             array"
                         (see Figures 12.3, 12.4, and 12.5)

* Strictly speaking, publishing rules and dial-up entries are created for a server, not for the array as a whole, but the "Allow Publishing Rules" distinction allows creating publishing rules at any server in the array.

EXAM TIP: Which Policy Is Effective? To locate the policy that impacts the server, find the server's array in the ISA Server Management Console. Right-click on the array object and select Properties. The Policies page lists and defines the policy assigned to this array (see Figure 12.4).

FIGURE 12.3 When packet filtering is forced at the Enterprise level, the choice is grayed out on the server.
FIGURE 12.4 Packet filtering controlled at array level—policy.
FIGURE 12.5 The capability to set packet filtering is now available.

DETERMINING WHO CAN DO IT: AN ACCESS POLICY PERMISSIONS FRAMEWORK

The purpose behind this elaborate framework is twofold:

- Provide for centralized control and management of multiple ISA Servers.
- Allow delegation of array-level policy.

Centralized control is obtained by assigning a policy to each array that meets the needs of the enterprise. Decentralized IT functions are met by the choice Use Array Level Policy Only. Centralized IT functions are given all-powerful control by Use This Enterprise Policy. Arrays that need more restrictive policies can do so with Allow Array-Level Access Policy Rules That Restrict Enterprise Policy. A combination of enterprise and array management policies can be fulfilled by creating multiple arrays and assigning different enterprise policies.

The second issue in an enterprise model is the capability to assign administrative chores in a manner that provides the power to do what is necessary and allowed, without being able to overstep the boundaries. This can be obtained in a straightforward manner through the standard permission set at the enterprise and array level, or by creating custom groups and applying administrative permissions at the level desired. In the default implementation of ISA Server Enterprise edition, only the Enterprise Admins group has full control. If a Domain Admin attempts to write enterprise policies (policy elements and rules), she will be denied access at the enterprise level (see Figure 12.6 and Figure 12.7). At the array level, the local computer Administrator, Domain Admins, and Enterprise Admins have full control. Keep in mind that before a Domain Admin can create an access rule, the capability to create rules at the array level must be specified in the policy.

FIGURE 12.6 Domain admins can't write enterprise policy elements.
FIGURE 12.7 Domain admins can't write enterprise rules.

APPLYING ACCESS POLICY: AN ACCESS POLICY STRATEGY FOR THE ENTERPRISE

The actual act of creating policy elements and rules to manage Internet access varies little from that described previously. The difference in an Enterprise deployment is not in the "how to" but in the "where" and "who". While the previous sections of this chapter detailed the overall rules which determine the where and who, this section presents some rule and element specifics and describes a strategy to take advantage of the strengths of each policy type. Specifically, it will look at:

- Creating Policy Elements
- Creating Rules
- Putting Together an Implementation Plan

Creating Policy Elements

Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.

To create policy elements, follow the same general instructions described in the Step by Step sections detailed in Chapter 5, "Outbound Internet Access." To determine where to create them, you must consider both where they will be used and where they can be created. Remember that enterprise level rules can only use policy elements created at the enterprise level, while array level rules (if allowed) can use enterprise and array policy elements. An example of this is displayed in Figures 12.8 and 12.9. The "Enterprise Morning" schedule was created at the enterprise level, and the "Array Evenings" schedule was created at the array level. Both captures were taken during a Site and Content Rule wizard schedule choice (Figure 12.8 at the enterprise level, and Figure 12.9 at the array level). This arrangement makes sense. Array level policy elements are probably only relevant at the array level. If they are required at more than one array, then they can be created at the enterprise level.

FIGURE 12.8 Only enterprise policy elements are available for enterprise rules.
FIGURE 12.9 Enterprise and array level policy elements are available at the array.

Remember, policy elements in themselves do not allow or restrict access; they merely form the building blocks that can be used in rules that do. Two policy elements can only be created at the array level: bandwidth priorities and dial-up entries. Dial-up entries are specific to the server on which the modem is installed, so there is no need for an enterprise level policy. Bandwidth priorities are only used in creating bandwidth rules. Bandwidth rules are only created at the array level.

Creating Rules

Create and configure access control and bandwidth policies.

- Create and configure site and content rules to restrict Internet access.
- Create and configure protocol rules to manage Internet access.
- Create and configure routing rules to restrict Internet access.
- Create and configure bandwidth rules to control bandwidth usage.

To create site and content, protocol, bandwidth, and routing rules, follow the instructions in the Step-by-Step sections detailed in Chapter 5. To determine where you might want to create them, consider the section "Putting Together an Implementation Plan" later in this chapter. You should also keep in mind that the capability to create site and content rules and protocol rules at the array level is only allowed in two cases:

- If the "Use array policy only" policy applies, rules can be either "allow" or "deny" access rules. (In the Kansas City array, this is the policy; see Figure 12.10.)
- If the "Use custom enterprise policy settings" policy applies, rules can only be "deny" rules. (This is the policy in the Grain Valley arrays; see Figure 12.11.)

FIGURE 12.10 Kansas City policy—allow or deny access.
FIGURE 12.11 Grain Valley policy—deny access only.

Bandwidth rules are created at the array level, and this can only be done if array policies are allowed. Routing rules are also created at the array level, and only if publishing rules are allowed when specified by enterprise policy, or array level rules are allowed.

Putting Together an Implementation Plan

If you are an administrator who has inherited policies configured by others, then you may be limited to following the rules as they are set. However, if you are the one architecting the implementation of ISA Server policies in your enterprise, then you need to combine your knowledge of the policy types that are available with the needs and requirements for access control in your environment. Here are some helpful hints on how to design a structure that's right for you.

1. If your IT administration is decentralized, then create a policy that specifies "Use array policy only." Arrange ISA Servers in arrays that represent locations that manage their own IT function.
2. If your IT administration is highly centralized, create a policy that uses enterprise policy.
3. If you need to diversify your policies and allow the capability to restrict enterprise policies in some or all arrays, use the feature to "Allow array level access policy rules that restrict enterprise policy."
4. If an array needs to use Web and server publishing rules, open that possibility by checking "Allow publishing policy."
5. Design backward. Now that you know what's possible, what does your environment need? Do local administrators need to create restrictive site and content rules, or all types of rules? Do you have multiple areas to manage and are they all different? Break it down even further: Do users at some locations have different needs than users at other locations? Determine the need for an array based on your knowledge of user needs, management policy, and administrative delegation.

The easiest way to get a grip on large diverse environments is to plot the requirements first, then determine which policy model fits your requirements.

TROUBLESHOOTING ACCESS PROBLEMS

Troubleshoot access problems.

- Troubleshoot user-based access problems
- Troubleshoot packet-based access problems

When information can't flow where it is supposed to, or rules and procedures can be thwarted to give unrestricted access where it is not allowed, there is a problem. In either case you need to determine the reason for the problem and correct it. Although there are many configuration elements that need to be checked, you can often reduce the time this takes by:

- Examining logs for specific information on ports, protocols, source, and destination information.
- Investigating configurations in the order in which rules are processed.
- Identifying the problem as being user- or packet-related.

Although the logs are an excellent source of information on the traffic denied access, they primarily provide information that tells you that a request was blocked. They can be helpful in identifying that the request reached the ISA Server, however, and should be a point of reference during troubleshooting. Information on understanding the logs and how they may be used to assist in troubleshooting access can be found in Chapter 15, "Monitoring Network Security and Usage."

Investigation Via Rule Processing Order

When a client makes a request, rules are processed in the following order:

1. Protocol rule
2. Site and content
3. Packet filter

[...]
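As an added illustration (not code from the book or from ISA Server), the following Python model encodes the site and content rule and protocol rule rows of Table 12.1 together with the three-stage processing order above, so the effect of a policy choice on a client request can be checked before touching an array. The deny-wins semantics, the Grain Valley rule set and the names Rule, creatable and evaluate are assumptions made here for the model.

```python
"""Model of ISA Server 2000 enterprise access-policy scoping and rule order.

Added illustration, not ISA Server code. It encodes the site and content rule and
protocol rule rows of Table 12.1 plus the chapter's processing order (protocol
rule, then site and content rule, then packet filter). Assumption not stated on
this page: a matching deny wins at its stage and an allow is needed at both stages.
"""
from dataclasses import dataclass

ARRAY_ONLY = "Use array policy only"
ENTERPRISE_ONLY = "Use this enterprise policy"
ENTERPRISE_RESTRICTIVE = "Allow array-level access policy rules that restrict enterprise policy"

@dataclass(frozen=True)
class Rule:
    scope: str    # "enterprise" or "array"
    kind: str     # "protocol" (protocol rule) or "site" (site and content rule)
    action: str   # "allow" or "deny"
    match: str    # simplification: one protocol name or one host name; "*" = any

# Table 12.1: policy -> (actions creatable at the enterprise, actions creatable at the array)
ALLOW_DENY, DENY_ONLY, NONE = ("allow", "deny"), ("deny",), ()
CREATABLE = {
    "site": {ARRAY_ONLY: (NONE, ALLOW_DENY), ENTERPRISE_ONLY: (ALLOW_DENY, NONE),
             ENTERPRISE_RESTRICTIVE: (ALLOW_DENY, DENY_ONLY)},
    "protocol": {ARRAY_ONLY: (ALLOW_DENY, ALLOW_DENY),  # enterprise "Yes" as printed in the table
                 ENTERPRISE_ONLY: (ALLOW_DENY, NONE),
                 ENTERPRISE_RESTRICTIVE: (ALLOW_DENY, DENY_ONLY)},
}

def creatable(rule: Rule, policy: str) -> bool:
    """True when Table 12.1 lets this rule be created at its scope under `policy`."""
    ent, arr = CREATABLE[rule.kind][policy]
    return rule.action in (ent if rule.scope == "enterprise" else arr)

def _stage(rules, kind, token):
    """One processing stage: a matching deny wins; otherwise an allow is required."""
    matched = [r for r in rules if r.kind == kind and r.match in (token, "*")]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if any(r.action == "allow" for r in matched) else "no matching allow"

def evaluate(policy, enterprise_rules, array_rules, protocol, host, packet_filter_open=True):
    """Decide one client request; returns (decision, deciding stage, detail)."""
    rules = list(enterprise_rules) + list(array_rules)
    for r in rules:
        if not creatable(r, policy):
            raise ValueError(f"rule cannot exist under '{policy}': {r}")
    if policy == ARRAY_ONLY:   # assumption: enterprise rules are not applied to this array
        rules = list(array_rules)
    for kind, token in (("protocol", protocol), ("site", host)):  # chapter's order
        verdict = _stage(rules, kind, token)
        if verdict != "allow":
            return ("deny", kind, verdict)
    if not packet_filter_open:  # third stage: packet filter
        return ("deny", "packet filter", "port not open")
    return ("allow", "packet filter", "passed all three stages")

# Constructed Grain Valley scenario: restrictive policy, so the array may only add denies.
GV_ENTERPRISE = [Rule("enterprise", "protocol", "allow", "HTTP"), Rule("enterprise", "site", "allow", "*")]
GV_ARRAY = [Rule("array", "site", "deny", "games.example")]

def grain_valley(protocol, host):
    return evaluate(ENTERPRISE_RESTRICTIVE, GV_ENTERPRISE, GV_ARRAY, protocol, host)
```

Running grain_valley("HTTP", "games.example") shows the array-level deny overriding the enterprise allow, while a protocol with no enterprise allow is refused at the first stage.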
Preview fragments from later pages of the same document (each "[...]" marks a cut in the preview):

[...] Protocol definitions; Application filters. It is important to realize the installation mode of the ISA Server. Installing the ISA Server in firewall or integrated mode expands possibilities for client access as well as your opportunities for troubleshooting failed access. Installing ISA Server in caching mode [...]

[...] policy.
C. Creates dial-up entries at each server in the array.
D. Creates dial-up connections at each server in the array.
3. Users are having trouble connecting to the company Web site that resides on the ISA Server. You examine the ISA Server interface and find the following: Packet filtering is enabled. An array rule has been set up to allow traffic inbound to this server on port 80. Automatic discovery has [...]

[...] Web server resides on an ISA Server, this will cause a problem. HTTPS and FTP have nothing to do with whether users can reach a Web site unless that Web site requires SSL (HTTPS) or they are attempting FTP access. See the section, "Determining Where to Do It: An Access Policy Functional Framework."

Suggested Readings and Resources
1. "Configuring Protocol Definitions," ISA Server Help.
2. Deployment of ISA Server at Microsoft, paper at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm

Part IV DEPLOYING, CONFIGURING, AND TROUBLESHOOTING THE CLIENT COMPUTER
Chapter 13 PLANNING AND DEPLOYING CLIENTS

[...]
- ISA Server client types
- Using multiple clients on a single computer
- Proxy 2.0 client migration

Introducing ISA Server Client Types

The first step in planning deployment of client types is to match ISA Server [...] second step is to match ISA Server client availability with your client operating systems. Where these two matching decisions cannot both be resolved, that is, where you'd like to use a particular ISA Server client but you can't with the current client OS, you must make a decision regarding accepting less functionality, or upgrading or changing the client OS. There are three ISA Server client types: [...] client; Web proxy client; Firewall client. Table 13.1 summarizes the ISA Server client types.

SecureNAT Client

NOTE: Every client computer on the internal network that does not have the firewall client installed and can access the Internet through the ISA Server is a SecureNAT client. This includes servers that are published through ISA Server publishing rules. SecureNAT clients are not supported in caching [...]

TABLE 13.1 DISTINGUISHING CLIENT TYPES
Columns: Client Type | Client Configuration Necessary | Protocols That Can Be Used to Access Internet Resources | Client OS Requirements | ISA Server Mode Required
SecureNAT | Possible—client default gateway set to ISA Server internal interface | Requires ISA Server application filters [...]

[...] updated regularly so that it matches the ISA Server LAT. The firewall client application [...]

[...] browsers to use automatic discovery. If the ISA Server cannot respond directly to client requests, DHCP servers and/or DNS servers can be configured to provide Web Proxy Autodiscovery Protocol (WPAD) [...]

Firewall Client

A client can only be a firewall client if it has the ISA Server firewall client software installed. This client runs Winsock applications that use the ISA Server firewall service. The firewall client [...]

Using Multiple Clients on a Single Computer

Multiple ISA Server clients can be used on a single computer. This allows the ISA Server client to obtain the best benefits [...]

[...] capability to use a proxy server and be compliant with Hypertext Transfer Protocol (HTTP) 1.1. You can determine if your application can use a Web proxy by investigating if it has a place to input the IP address of a Web proxy server. If it does, configure the application with the internal network IP address of the ISA Server and the 8080 port and attempt access to the Internet. Using ISA Server Management to enable [...]

Posted: 22/01/2014, 00:20
