If you’re just getting started with ISA Server you might find that it’s hard to tell where to start. One place you could start is the Getting Started Wizard. You can access the Wizard by opening the ISA Management console and clicking the topmost node in the left pane. Be sure that you have Taskpad view enabled by right clicking on an object in the left pane, then going to View and then clicking on Taskpad.
You’ll see something like what appears below:
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
The Getting Started Wizard walks you through the process of creating:
The Getting Started Wizard provides a very comprehensive view of the configuration elements required to fully secure your internal network and implement an Outbound Access security plan. Once you’re done with the wizard, you have the option to expand on your configuration options.
However, I recommend that you walk through the wizard the first time around, and not make any changes. Use it to give you a general idea of what configuration steps are available. Make notes of what is happening in the wizard and any ideas that are generated during your tour. Just don’t change anything yet.
Setting Up Open Access
I’ve noticed a lot of people on the isaserver.org website and Microsoft newsgroups have trouble with client access when they get started. The first thing most of them want to do is assess whether ISA Server works. The simplest assessment of whether it works or not is being able to connect to the Internet and use their favorite Internet applications. At first blush, most are not concerned with blocking access; they just want to see if they can access everything and then drill down to implement a security scheme.
To solve this problem, you need to set up your machine for what I’ll call “Open Access”. This configuration allows all protocols, all sites and all content to be available to an internal client on your network. Keep in mind that this is not a secure setup. When running this type of ISA Server configuration, you should disconnect the ISA Server from the production network, and have only the ISA Server and your test client connected to your hub or switch. In this way, if someone breaks in during your testing, no real damage will be done.
Open All Packet Filters
Packet filters are used to inspect packets moving into and out of the external interface of the ISA Server. Keep in mind that applications that run on the ISA Server itself need the appropriate packet filter open in order to access the Internet. Local applications on the ISA Server are not “run through” the Firewall Service application layer inspection, and therefore you must create packet filters for programs on the ISA Server that use POP3, SMTP and NNTP to access the Internet. The exception to this rule is a web browser on the ISA Server that you configure to use the internal interface of the ISA Server as its proxy, which makes it a Web Proxy Client.
To open all packet filters, expand the Access Policy node in the left pane, and then right click on IP Packet Filters. Click the New command, and finally click Filter.
The first page of the New IP Packet Filter Wizard will ask you to name the filter. Give it a name like All Open, and click Next.
On the Filter Mode page, select the Allow packet transmission option and click Next.
On the Filter Type page, click the Custom option, and click Next.
Since you are interested in allowing all traffic through, make sure that the IP protocol setting is set to Any and the Direction is set to Both. This will allow all IP protocols to move into and out of the external interface of the ISA Server computer in both directions. Then click Next.
On the Local Computer page, you have several options. For your open access scheme, select the Default IP addresses for each external interface on the ISA Server computer. The default IP address is the one at the top of the list if you have multiple IP addresses bound to an interface. Click Next to continue.
On the Remote Computers page, you want to allow inbound access to all computers. Select the All remote computers option button and click Next.
At the end of the Wizard you are provided a list of the selections you’ve made. If everything looks correct, go ahead and click the Finish button, and the new packet filter is created and will appear in the left pane.
It’s a good idea to disable this packet filter until you’re done with your configuration, so that you don’t get slowed down by attackers during the configuration process. Right click on the All Open filter you just created and click Disable. Be sure to enable the filter after you’re done.
Open All Site and Content
The next step is to allow access to all sites and all content located on those sites. There may already be a rule there named Allow Rule. However, if it isn’t there, go through the following procedure.
Right click on the Site and Content Rules node in the left pane, and click New and then click Rule. The first page asks you to name the rule. Give a name like Allow All, and click Next.
On the Rule Action page, click the Allow option button to begin allowing access to all sites and content. Then click Next.
On the Rule Configuration page, select the Custom option button, and click Next.
On the Destination Sets page, make sure that All destinations is selected, and click Next.
On the Schedule page, use the Always schedule, so that all sites and all content is always available, then click Next.
On the Client Type page, select the Any request option button to allow all clients to access all sites and content. Then click Next.
On the Content Groups page, select the Any content type option button to allow access to all content types. Then click Next.
The last page of the wizard asks you to confirm your selections. Look through the list and confirm that all the selections are correct, and then click Finish.
Opening Up All Protocols
The last step in configuring your wide open ISA Server is to create a rule that allows access to all protocols. The rule will allow your internal network clients to access all protocols without restriction. Keep in mind that while all protocols will be open and available to Firewall Clients, only protocols that have a protocol definition will be available to SecureNAT clients.
To start, right click on the Protocol Rules node in the left pane, and click New and then Rule. The first step in the Wizard asks you to give the rule a name. Call it something like “Allow All” and click Next.
On the Rule Action page, select the Allow option button, then click Next.
On the Protocols page, make sure that All IP traffic appears in the Apply this rule to drop down list box. Then click Next.
On the Schedule page, ensure that Always is selected in the Use this schedule drop down list box, then click Next.
On the Client Type page, select the Any request option button to allow all clients to access all protocols. Then click Next.
The last page of the wizard shows you the selections you’ve made. Make sure everything looks right, and then click Finish.
Now that you’ve opened everything up, go back to your IP Packet Filters, right click the packet filter you created and click Enable so that all ports are open in both directions.
For your client setup, just configure the default gateway on the client to be the IP address of the internal interface of your ISA Server. This will make it a SecureNAT client. You can worry about Firewall Client setup later.
If you’re using a dial-up connection, make sure that you expand the Network Configuration node in the left pane. Right click on the Network Configuration node itself and click Properties. In the Properties dialog box, put a checkmark in the check box for Use dial-up entry and click OK.
Click on the Routing node in the left pane, then right click on the Last rule and click Properties. Click on the Action tab, and place a checkmark in the Use dial-up entry for primary route. Then click OK.
Restart your Web Proxy and Firewall Services by expanding the Monitoring node in the left pane. Then click on the Services node. Right click on each service and click Stop. After stopping all the services, right click on them and click Start.
Now your ISA Server is wide open and will not block access, either inbound or outbound. This test configuration will allow you to prove to yourself that the basic Internet access functionality of ISA Server does work. You should be able to access virtually any type of content on the Internet with this sort of configuration and also publish all of your servers without problems.
Remember that this is just a test configuration for you to use to build confidence. With this sort of setup, everything is going to look “easy” because everything will work. That’s always the case when there is no security, and you definitely have no security with this setup. But this setup will let you know that everything “can” work, so that when things start to not work when you enable security, you won’t get quite as discouraged.
After you’ve finished testing your open configuration, be sure to go back to all your “open” entries that you’ve created and either delete them or disable them. We like to disable them because it allows us to quickly open everything up during testing, and then close things up again.
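As an added example (not code from the article, and not ISA Server’s own API or export format), the following Python audit walks a constructed inventory of the three “open” entries described above and reports any that are still enabled after testing. The record layout, field names and values are assumptions made for this example.

```python
# Added example: audit a constructed inventory of ISA Server 2000 rules and
# report "open access" entries that are still enabled after testing.
# The Rule layout and the setting names below are assumptions for this
# example, not ISA Server's real object model or export format.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str                  # "packet_filter", "site_content" or "protocol"
    name: str
    enabled: bool
    action: str                # "allow" or "deny"
    settings: dict = field(default_factory=dict)


def is_wide_open(rule: Rule) -> bool:
    """True when the rule matches the article's Open Access selections."""
    s = rule.settings
    if rule.action != "allow":
        return False
    if rule.kind == "packet_filter":      # Any protocol, Both directions, All remote computers
        return s.get("protocol") == "any" and s.get("direction") == "both" and s.get("remote") == "all"
    if rule.kind == "site_content":       # All destinations, Always, Any request, Any content type
        return (s.get("destinations") == "all" and s.get("schedule") == "always"
                and s.get("clients") == "any" and s.get("content") == "any")
    if rule.kind == "protocol":           # All IP traffic, Always, Any request
        return s.get("protocols") == "all_ip" and s.get("schedule") == "always" and s.get("clients") == "any"
    return False


def audit(rules: list[Rule]) -> list[str]:
    """Return 'kind:name' for every enabled rule that still leaves the server wide open."""
    return [f"{r.kind}:{r.name}" for r in rules if r.enabled and is_wide_open(r)]


# Constructed inventory: the three test entries from the article plus one ordinary rule.
SAMPLE_RULES = [
    Rule("packet_filter", "All Open", True, "allow",
         {"protocol": "any", "direction": "both", "remote": "all"}),
    Rule("site_content", "Allow All", False, "allow",
         {"destinations": "all", "schedule": "always", "clients": "any", "content": "any"}),
    Rule("protocol", "Allow All", True, "allow",
         {"protocols": "all_ip", "schedule": "always", "clients": "any"}),
    Rule("protocol", "HTTP only", True, "allow",
         {"protocols": "http", "schedule": "always", "clients": "any"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("still open:", finding)
```

Run it after you have disabled or deleted your test entries; an empty result means none of the wide open rules is still active.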