The ISA Firewall’s Default Post Installation System Policy and Configuration

The ISA Firewall’s
Default Post Installation System Policy and Firewall Settings

By Thomas W Shinder MD, MVP


Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000408 and ask!

ISA Firewall System Policy is a collection of Access Rules controlling access to and from the Local Host network. System Policy controls access to and from the system. You do not configure System Policy for network access between any other hosts. One of the most common errors made by new ISA firewall administrators is to use System Policy to control access from Protected Network hosts to non-Protected Network hosts.

Get the New Book!

The table below shows the list of System Policy rules and their status after installing the ISA firewall software. The Order/Comments column includes our advice regarding configuration of the specific System Policy Rule.

Order/Comments Name Action Protocols From/Listener To Condition
1

Is the ISA firewall a member of the domain? If not, disable this rule.

Allow access to directory services for authentication purposes

Allow

LDAP

LDAP (UDP)

LDAP GC (global catalog)

LDAPS

LDAPS GC (Global Catalog)

Local Host

Internal

All Users

2

If no one is going to use the remote MMC to manage the ISA firewall, then disable this rule.

Allow remote management from selected computers using MMC

Allow

Microsoft Firewall Control

NetBIOS datagram

NetBIOS Name Service

NetBIOS Session

RPC (all interfaces)

Remote Management Computers

Local Host

All Users

3

Confirm that the Remote Management Computers Computer Set has the addresses of the hosts that will manage the ISA firewall; if you don’t want to allow RDP management of the ISA firewall, then disable this rule.

Allow remote management from selected computers using Terminal Server

Allow

RDP (Terminal Services)

Remote Management Computers

Local Host

All Users

4 (Disabled by default)

Enable this rule if you want to log to SQL servers

Allow remote logging to trusted servers using NetBIOS

Allow

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Local Host

Internal

All Users

5

Will you be using RADIUS authentication? If not, then disable this rule.

Allow RADIUS authentication from ISA Server to trusted RADIUS servers

Allow

RADIUS

RADIUS Accounting

Local Host

Internal

All Users

6

Will the ISA firewall be authenticating users? If not, then disable this rule

Allow Kerberos authentication from ISA Server to trusted servers

Allow

Kerberos-Sec (TCP)

Kerberos-Sec (UDP)

Local Host

Internal

All Users

7

This rule must be enabled so that the ISA firewall can initiate DNS queries

Allow DNS from ISA Server to selected servers

Allow

DNS

Local Host

All Networks (and Local Host)

All Users

8

If the ISA firewall isn’t going to act as a DHCP client, then disable this rule

Allow DHCP requests from ISA Server to all networks

Allow

DHCP (request)

Local Host

Anywhere

All Users

9

If the ISA firewall isn’t going to act as a DHCP client, then disable this rule

Allow DHCP replies from DHCP servers to ISA Server

Allow

DHCP (reply)

Internal

Local Host

All Users

10

Confirm that you have configured the proper IP addresses for the Remote Management Computers Computer Set

Allow ICMP (PING) requests from selected computers to ISA Server

Allow

Ping

Remote Management Computers

Local Host

All Users

11

This rule must be enabled so that the ISA firewall can carry out network management tasks via ICMP

Allow ICMP requests from ISA Server to selected servers

Allow

ICMP Information Request

ICMP Timestamp

Ping

Local Host

All Networks (and Local Host Network)

All Users

12 (disabled by default)

This rule is automatically enabled when you enable the ISA firewall’s VPN server component

All VPN client traffic to ISA Server

Allow

PPTP

External

Local Host

All Users

13 (disabled by default)

This rule is automatically enabled when you enable a site to site VPN connection to this ISA firewall

Allow VPN site to site traffic to ISA Server

Allow

NONE

External

IPSec Remote Gateways

Local Host

All Users

14 (disabled by default)

This rule is automatically enabled when you enable a site to site VPN connection to this ISA firewall

Allow VPN site to site traffic from ISA Server

Allow

NONE

Local Host

External

IPSec Remote Gateways

All Users

15

Will you be trying to access file shares from the ISA firewall? If not, then disable this rule

Allow Microsoft CIFS from ISA Server to trusted servers

Allow

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

Local Host

Internal

All Users

16 (disabled by default)

Enable this rule when you choose SQL logging

Allow remote SQL logging from ISA Server to selected servers

Allow

Microsoft SQL (TCP)

Microsoft SQL (UDP)

Local Host

Internal

All Users

17

Unless you want to allow the ISA firewall to contact the Windows Update site itself, then I would disable this rule. I prefer to download updates to a management machine, scan them, and then copy them out of band to the ISA firewall and install them from that.

Allow HTTP/HTTPS requests from ISA Server to specified sites

Allow

HTTP

HTTPS

Local Host

System Policy Allowed Sites

All Users

18 (disabled by default)

This rule is enabled when you create an HTTP/HTTPS connectivity verifier

Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers

Allow

HTTP

HTTPS

Local Host

All Networks (and Local Host Network)

All Users

19 (disabled by default)

This rule is enabled if the Firewall client share is installed on the ISA firewall

Allow access from trusted computers to the Firewall Client installation share on ISA Server

Allow

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Internal

Local Host

All Users

20 (disabled by default)

Enable this rule if you want to perform remote performance monitoring of ISA firewall

Allow remote performance monitoring of ISA Server from trusted servers

Allow

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Remote Management Computers

Local Host

All Users

21

Unless you plan to access file shares from the ISA firewall, you should disable this rule

Allow NetBIOS from ISA Server to trusted servers

Allow

NetBIOS datagram

NetBIOS Name Service

NetBIOS Sessions

Local Host

Internal

All Users

22

Unless you plan to use RPC to connect to other servers, then you should disable this rule.

Allow RPC from ISA Server to trusted servers

Allow

RPC (all interfaces)

Local Host

Internal

All Users

23

This rule allows the ISA firewall to send error reports to Microsoft

Allow HTTP/HTTPS from ISA Server to specified Microsoft error reporting sites

Allow

HTTP

HTTPS

Local Host

Microsoft Error Reporting sites

All Users

24 (disabled by default)

This rule should be enabled if SecurID authentication is enabled

Allow SecurID authentication from ISA Server to trusted servers

Allow

SecurID

Local Host

Internal

All Users

25 (disabled by default)

Enable this rule if you use MOM to monitor the ISA firewall

Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent

Allow

Microsoft Operations Manager Agent

Local Host

Internal

All Users

26 (disabled by default)

This rule should be enabled if you want the ISA firewall to access CRLs – required if the ISA terminates any SSL connections

Allow all HTTP traffic from ISA Server to all networks (for CRL downloads)

Allow

HTTP

Local Host

All Networks (and Local Host)

All Users

27

You should change this rule by allowing contact with a trusted NTP server in your organization. The Internal entry allows it to contact all servers anywhere in the world

Allow NTP from ISA Server to trusted NTP servers

Allow

NTP (UDP)

Local Host

Internal

All Users

28

If you don’t plan on use SMTP to send alerts, you should disable this rule. If you do plan on sending SMTP alerts, then you should replace the Internal Destination with a specific computer that will accept the SMTP messages from the ISA firewall

Allow SMTP from ISA Server to trusted servers

Allow

SMTP

Local Host

Internal

All Users

29 (disabled by default)

This rule is automatically enabled when Content Download Jobs are enabled

Allow HTTP from ISA Server to selected computers for Content Download Jobs

Allow

HTTP

Local Host

All Networks (and Local Host)

System and Network Service

30

Unless you plan on using the remote MMC, then you should disable this rule

Allow Microsoft Firewall Control communication to selected computers

Allow

All Outbound traffic

Local Host

Remote Management Computers

All Users

The ISA firewall’s System Policy Rules are evaluated before any user defined Access Rules in the order listed in the Firewall Policy first column. View the ISA firewall’s System Policy by clicking the Firewall Policy node in the left pane of the console and then clicking the Tasks tab. In the Tasks tab, click the Show System Policy Rules link. Click the Hide System Policy Rules link when you’re done viewing the firewall’s system policy.

You can edit the ISA firewall’s System Policy by clicking the Edit System Policy link on the Tasks tab. This opens the System Policy Editor, as shown in Figure 6.12. For each System Policy Rule there is a General tab and a From or To tab. The General tab for each Configuration Group contains an explanation for the rule(s) and the From or To tab allows you to control protocol access to or from the ISA firewall machine itself.

The table below shows the default post installation configuration of the ISA firewall

Feature Default setting
User permissions Members of the Administrators group on the local computer can configure firewall policy. If the ISA firewall is a member of the domain, then the Domain Admins global group is automatically included in the local machine’s Administrators group.
Definition of Internal network The Internal network contains IP addresses you specified during setup of the ISA firewall software.
Network Rules Local Host Access

Defines a route relationship between the Local Host network and all networks. All connections between the Local Host Network (that is, the ISA firewall machine itself) is routed instead of NATed.

Internet Access

Defines a NAT (Network Address Translation) relationship between the Internal Network, Quarantined VPN Clients Network, and the VPN Clients Network — to the External network. From each of these three Networks to the Internet, the connection is NATed. Access is allowed only if you configure the appropriate Access Rules.

VPN Clients to Internal Network

Defines a route relationship between the VPN Clients Network and the Internal Network. Access is allowed only if you enable virtual private network (VPN) client access.

Firewall policy

A default rule (named Default Rule) denies traffic between all networks.

System policy

ISA Server is secure by default, while allowing certain critical services to function. Upon installation, some system policy rules are enabled to allow necessary services. We recommend that you review the system policy configuration, and customize it so that only services that are critical to your specific deployment are enabled.

Web chaining

A default rule (named Default Rule) specifies that all Web Proxy client requests are retrieved directly from the Internet.

Caching

The cache size is set to 0. All caching is therefore disabled.

Alerts

Most alerts are active. We recommend that you review and configure the alerts in accordance with your specific networking needs.

Client configuration

When installed or configured, Firewall and Web Proxy clients have automatic discovery enabled. Web browser applications on Firewall clients are configured when the Firewall client is installed.

Get the New Book!

Summary

In this article we went over the default post-installation System Policy and provided some guidance on how to reconfigure the system policy based on your own network environment. Its important to keep in mind that the ISA firewall’s System Policy only controls traffic originating from the ISA firewall itself, or terminating at the ISA firewall itself. The System Policy never controls traffic moving through the ISA firewall.

hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=24;t=000408 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top