You know how it goes. You install Windows, then you install ISA or TMG, and then you want to get to the job of installing Firewall clients, configuring the Web Proxy clients, and setting up the site to site VPN connections on your ISA firewall. You want to get to the fun stuff!
But is that really the best way to proceed? I'll say no. Like most things in life, it's the tedious stuff you need to take care of first before getting to the fun stuff. The same is true when working with the ISA or TMG firewall. Your next step after installation isn't to configure the site to site VPN or install certificates. Your next step is to configure System Policy.
System Policy is a collection of Access Rules that control what traffic is allowed to or from the firewall itself. System Policy does not control what moves through the firewall. An example of System Policy is seen in the figure below.
System Policy makes assumptions about your network that may or may not be true. For example, the default System Policy rule that controls which machines can connect to the firewall over RDP to manage it allows every machine on the default Internal network to do so. That is not what I call "least privilege", so you should consider fine-tuning the Remote Management Computers computer set. There are many other System Policy rule settings that need to be fine-tuned to meet the specific requirements of your network.
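As an added example (not from the original post, and not Microsoft's own sample code), the following PowerShell script shows one way to apply the least-privilege change described above: replace the members of the Remote Management Computers computer set with an explicit list of administrator workstations, so the RDP management rule no longer trusts the whole Internal network. It drives the firewall through its COM administration object (ProgID FPC.Root). The hostnames and addresses are constructed, and the exact object-model calls used here (GetContainingArray, RuleElements.ComputerSets, Computers.Add/Remove, Save) are assumptions to verify against the ISA/TMG SDK documentation for your version before running it on a production firewall.

```powershell
# Added example: restrict the "Remote Management Computers" computer set on an
# ISA/TMG firewall to a short, explicit list of admin workstations.
# Assumptions (not from the original post): the COM calls below follow the
# ISA/TMG administration object model as the author understands it; the host
# names and IP addresses are constructed sample values.

# Constructed list of the only hosts that should be able to manage the firewall.
$adminHosts = @{
    'ADMIN-WS01' = '10.0.0.10'
    'ADMIN-WS02' = '10.0.0.11'
}

# Connect to the local firewall configuration and locate the predefined set.
$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()
$set   = $array.RuleElements.ComputerSets.Item('Remote Management Computers')

# Show what is currently trusted before changing anything.
Write-Host "Current members of '$($set.Name)':"
foreach ($c in $set.Computers) {
    Write-Host ("  {0,-20} {1}" -f $c.Name, $c.IPAddress)
}

# Remove every existing computer entry. Enumerate a copy of the names first,
# because removing items from the live collection while iterating it is unreliable.
# Note: this handles only the Computers collection; any address ranges or subnets
# that were added to the set separately are left untouched (assumption).
$existing = @($set.Computers | ForEach-Object { $_.Name })
foreach ($name in $existing) {
    $set.Computers.Remove($name)
}

# Add only the named admin workstations.
foreach ($entry in $adminHosts.GetEnumerator()) {
    [void]$set.Computers.Add($entry.Key, $entry.Value)
}

# Commit the change to the configuration store; the firewall service applies it.
$set.Save()

Write-Host "New members of '$($set.Name)':"
foreach ($c in $set.Computers) {
    Write-Host ("  {0,-20} {1}" -f $c.Name, $c.IPAddress)
}
```

Run this from an elevated console on the firewall (or a machine with the remote administration tools installed), and keep a record of the previous membership the script prints so the change can be reversed if an administrator is locked out. The same pattern, enumerate the set, replace its members, save, applies to the other predefined computer sets that System Policy rules reference.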
A good article on System Policy, what it does and how to configure it is on the Microsoft site. Check it out at:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer