How to use the ISA Server 2006 Network Templates

Introduction

Microsoft ISA Server 2006 is a Multilayer Firewall to control access between networks. ISA Server 2006 uses the following objects to establish connections between networks and to control the network traffic between the following networks:

  • Networks
  • Network rules
  • Firewall rules


Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Networks

ISA Server uses a multi network model which allows ISA Server Administrators to illustrate every physical network to which ISA Server is connected.

You first have to create networks as a basic element in ISA Server 2006.

Network rules

After the ISA Administrator defined all necessary networks, these networks must be brought in relationship between networks where network traffic should flow through. With ISA Server 2006 it is possible to establish two different types of network rules:

  • Route:
    A network rule from type Route establish a bidirectional network connection between two networks which routes the original IP addresses between these networks.
  • NAT:
    A network rule from type NAT (Network Address Translation) establishes a unidirectional network connection between two networks which substitutes IP addresses from the network segment with the IP address of the corresponding ISA Server network adapter.


Firewall rules

After all networks and necessary network rules are defined, you must control the network traffic between these networks with Firewall rules.

Overview about Networks in ISA

To get an overview of the ISA Server network configuration, start the ISA Server MMC, navigate to the ConfigurationNetworks node. Here, you will find four different tabs:

  • Networks
  • Network Sets
  • Network Rules
  • Web Chaining

The tab Networks  lists all networks defined on ISA Server, Network Sets groups networks to a network group, Network rules define a Route or NAT relationship between networks and Web Chaining createS a Web routing for web requests.


Figure 1: ISA Server 2006 networks

On the right of the Task Pane you will find the templates tab. The templates tab lists all available network templates which ISA Server Administrators can use to build their own networks.

There are five templates available:

  • Edge Firewall
  • 3-Leg Perimeter
  • Front Firewall
  • Back Firewall
  • Single Network Adapter


Figure 2: ISA Server 2006 network templates

Edge Firewall

The Edge Firewall template is the classic network template and connects the internal network to the Internet, protected by ISA Server.


Figure 3: ISA Server 2006 – Edge Firewall network template

A typical Edge Firewall template requires two network Adapters on the ISA Server. For more information about the Edge Firewall template, read the article from Tom Shinder called: Using ISA Server 2004 Network Templates to Automatically Create Access Policy: The Edge Firewall Template

3-Leg Perimeter

The 3-Leg Perimeter Firewall is an ISA Server with three or more network Adapters. One network adapter connects the internal network, one network adapter connects to the external network, and one network adapter connects to the DMZ (DeMilitarized Zone), also called Perimeter Network. The Perimeter network contains services, which should be accessible from the Internet but also been protected by ISA Server. Typical services in a DMZ are Web Servers, DNS Servers and something more. A 3-Leg Perimeter Firewall is also often called the “Poor Man’s Firewall”, because it is not a “true” DMZ. A true DMZ is the zone between to (possible) different Firewalls.


Figure 4: ISA Server 2006 – 3-leg Perimeter network template

Front Firewall

The Front Firewall template assumes that ISA Server is in Front of another Firewall directly on the Edge of the network. The place between the Front Firewall and the Back Firewall can be used as the Perimeter network or DMZ.


Figure 5: ISA Server 2006 – Front Firewall network template

Back Firewall

The Back Firewall template can be used by ISA Server Administrators, when ISA Server is placed behind a Front Firewall. The Back firewall protects the internal network from access from the DMZ and the external network and it controls the network traffic which is allowed from DMZ hosts and from the Front Firewall.


Figure 6: ISA Server 2006 – Back Firewall network template

Single Network Adapter

The Single Network Adapter template has some limitations, because a ISA Server with only one network interface cannot be used as a real Firewall, so many services are not available. Only the following features are available:

  • Forward Web Proxy requests that use HTTP, Secure HTTP (HTTPS), or File Transfer Protocol (FTP) for downloads
  • Cache Web content for use by clients on the corporate network
  • Web publishing to help protect published Web or FTP servers
  • Microsoft Outlook Web Access, ActiveSync, and remote procedure call (RPC) over HTTP publishing


Figure 7: ISA Server 2006 – Single Network Adapter network template

Using the Network Template Wizard

ISA Server 2006 offers a Network Template Wizard which can be used to configure the network topology with networks, network rules and Firewall rules.

In the Task Pane select the required network template.


Figure 8: Network Template Wizard

The Wizard will guide you through the entire process. As a first step you should export your current ISA Server configuration as a failback method, because the Wizard will overwrite the current network configuration and Firewall policy rules, except the System policy rules.


Figure 9: Export the ISA Server Configuration

As a next step you have to define the Internal Network IP addresses. After that, you have to choice a predefined Firewall Policy. You should NOT select the Firewall Policy – Allow unrestricted access – because this rule allows all outgoing network traffic.


Figure 10: Select a Firewall Policy

Attention: After the Network Rule Template Wizard has finished, you should modify the created Firewall rule to an absolute allowed minimum. A Firewall should always have a rule set with a minimum of allowed connections.

After the Wizard has finished, you can see the results in the ConfigurationNetworks tab.


Figure 11: ISA Server Network rules

The Wizard creates a network rule relationship from type NAT between the Internal and the Perimeter network and a Route relationship between the Perimeter network and the external network. You have to change this if your Servers in the Perimeter network contain private IP addresses.

Customizing Network Templates

It is possible to customize the predefined Network Template graphics to extend it with your own information like Server names or your own customized topology.

Network templates consist of two components:

  • An XML file pro network template
  • A Bitmap graphic pro network template

The XML file contains information about the necessary settings to create the required network, network rules and Firewall rule objects. The bitmap is only a graphic which shows the selected network template. You can find the XML and BMP file in the following directory: \Program Files\Microsoft ISA Server\NetworkTemplates.

It is possible to edit the bitmap files via Microsoft Paint or any other related program as you can see in the following picture.


Figure 12: Customize the Network templates with Microsoft Paint

After you modified the template, you will see the changes in the ISA MMC.

Note:
It may be possible that you must refresh the view or to close and reopen the ISA MMC to see the changes.


Figure 13: Customized Network Template

The XML template files

The XML file contains information about the necessary settings to create the required network, network rules and Firewall rule objects. The network templates are defined in the ISA object called FPCNetworkTemplate. The FPCNetworkTemplate object allows you to set a name and description for the network template.

The XML file that contains a network template configuration includes:

  • Networks and network sets
  • Network rules that describe the relationships between various networks and network sets
  • Policy elements
  • Policies


Figure 14: 3-Leg DMZ – XML Template

Conclusion

In this article, I tried to give you all information necessary to build your own secure network infrastructure with ISA Server 2006. I also showed you how to customize the network template bitmaps. In my opinion, network templates are a good starting point for ISA beginners, but if you are an experienced ISA Server Administrator, you should build your own infrastructure by modifying the ISA Server networks, network rules and Firewall policies manually.

Related links

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top