How to use the ISA Server 2006 Network Templates
Microsoft ISA Server 2006 is a Multilayer Firewall to control access between networks. ISA Server 2006 uses the following objects to establish connections between networks and to control the network traffic between the following networks:
- Network rules
- Firewall rules
ISA Server uses a multi network model which allows ISA Server Administrators to illustrate every physical network to which ISA Server is connected.
You first have to create networks as a basic element in ISA Server 2006.
After the ISA Administrator defined all necessary networks, these networks must be brought in relationship between networks where network traffic should flow through. With ISA Server 2006 it is possible to establish two different types of network rules:
A network rule from type Route establish a bidirectional network connection between two networks which routes the original IP addresses between these networks.
A network rule from type NAT (Network Address Translation) establishes a unidirectional network connection between two networks which substitutes IP addresses from the network segment with the IP address of the corresponding ISA Server network adapter.
After all networks and necessary network rules are defined, you must control the network traffic between these networks with Firewall rules.
Overview about Networks in ISA
To get an overview of the ISA Server network configuration, start the ISA Server MMC, navigate to the Configuration – Networks node. Here, you will find four different tabs:
- Network Sets
- Network Rules
- Web Chaining
The tab Networks lists all networks defined on ISA Server, Network Sets groups networks to a network group, Network rules define a Route or NAT relationship between networks and Web Chaining createS a Web routing for web requests.
Figure 1: ISA Server 2006 networks
On the right of the Task Pane you will find the templates tab. The templates tab lists all available network templates which ISA Server Administrators can use to build their own networks.
There are five templates available:
- Edge Firewall
- 3-Leg Perimeter
- Front Firewall
- Back Firewall
- Single Network Adapter
Figure 2: ISA Server 2006 network templates
The Edge Firewall template is the classic network template and connects the internal network to the Internet, protected by ISA Server.
Figure 3: ISA Server 2006 – Edge Firewall network template
A typical Edge Firewall template requires two network Adapters on the ISA Server. For more information about the Edge Firewall template, read the article from Tom Shinder called: Using ISA Server 2004 Network Templates to Automatically Create Access Policy: The Edge Firewall Template
The 3-Leg Perimeter Firewall is an ISA Server with three or more network Adapters. One network adapter connects the internal network, one network adapter connects to the external network, and one network adapter connects to the DMZ (DeMilitarized Zone), also called Perimeter Network. The Perimeter network contains services, which should be accessible from the Internet but also been protected by ISA Server. Typical services in a DMZ are Web Servers, DNS Servers and something more. A 3-Leg Perimeter Firewall is also often called the “Poor Man’s Firewall”, because it is not a “true” DMZ. A true DMZ is the zone between to (possible) different Firewalls.
Figure 4: ISA Server 2006 – 3-leg Perimeter network template
The Front Firewall template assumes that ISA Server is in Front of another Firewall directly on the Edge of the network. The place between the Front Firewall and the Back Firewall can be used as the Perimeter network or DMZ.
Figure 5: ISA Server 2006 – Front Firewall network template
The Back Firewall template can be used by ISA Server Administrators, when ISA Server is placed behind a Front Firewall. The Back firewall protects the internal network from access from the DMZ and the external network and it controls the network traffic which is allowed from DMZ hosts and from the Front Firewall.
Figure 6: ISA Server 2006 – Back Firewall network template
Single Network Adapter
The Single Network Adapter template has some limitations, because a ISA Server with only one network interface cannot be used as a real Firewall, so many services are not available. Only the following features are available:
- Forward Web Proxy requests that use HTTP, Secure HTTP (HTTPS), or File Transfer Protocol (FTP) for downloads
- Cache Web content for use by clients on the corporate network
- Web publishing to help protect published Web or FTP servers
- Microsoft Outlook Web Access, ActiveSync, and remote procedure call (RPC) over HTTP publishing
Figure 7: ISA Server 2006 – Single Network Adapter network template
Using the Network Template Wizard
ISA Server 2006 offers a Network Template Wizard which can be used to configure the network topology with networks, network rules and Firewall rules.
In the Task Pane select the required network template.
Figure 8: Network Template Wizard
The Wizard will guide you through the entire process. As a first step you should export your current ISA Server configuration as a failback method, because the Wizard will overwrite the current network configuration and Firewall policy rules, except the System policy rules.
Figure 9: Export the ISA Server Configuration
As a next step you have to define the Internal Network IP addresses. After that, you have to choice a predefined Firewall Policy. You should NOT select the Firewall Policy – Allow unrestricted access – because this rule allows all outgoing network traffic.
Figure 10: Select a Firewall Policy
Attention: After the Network Rule Template Wizard has finished, you should modify the created Firewall rule to an absolute allowed minimum. A Firewall should always have a rule set with a minimum of allowed connections.
After the Wizard has finished, you can see the results in the Configuration – Networks tab.
Figure 11: ISA Server Network rules
The Wizard creates a network rule relationship from type NAT between the Internal and the Perimeter network and a Route relationship between the Perimeter network and the external network. You have to change this if your Servers in the Perimeter network contain private IP addresses.
Customizing Network Templates
It is possible to customize the predefined Network Template graphics to extend it with your own information like Server names or your own customized topology.
Network templates consist of two components:
- An XML file pro network template
- A Bitmap graphic pro network template
The XML file contains information about the necessary settings to create the required network, network rules and Firewall rule objects. The bitmap is only a graphic which shows the selected network template. You can find the XML and BMP file in the following directory: \Program Files\Microsoft ISA Server\NetworkTemplates.
It is possible to edit the bitmap files via Microsoft Paint or any other related program as you can see in the following picture.
Figure 12: Customize the Network templates with Microsoft Paint
After you modified the template, you will see the changes in the ISA MMC.
It may be possible that you must refresh the view or to close and reopen the ISA MMC to see the changes.
Figure 13: Customized Network Template
The XML template files
The XML file contains information about the necessary settings to create the required network, network rules and Firewall rule objects. The network templates are defined in the ISA object called FPCNetworkTemplate. The FPCNetworkTemplate object allows you to set a name and description for the network template.
The XML file that contains a network template configuration includes:
- Networks and network sets
- Network rules that describe the relationships between various networks and network sets
- Policy elements
Figure 14: 3-Leg DMZ – XML Template
In this article, I tried to give you all information necessary to build your own secure network infrastructure with ISA Server 2006. I also showed you how to customize the network template bitmaps. In my opinion, network templates are a good starting point for ISA beginners, but if you are an experienced ISA Server Administrator, you should build your own infrastructure by modifying the ISA Server networks, network rules and Firewall policies manually.
- Network Concepts in ISA Server 2006
- Using ISA Server 2004 Network Templates to Automatically Create Access Policy: The Edge Firewall Template
- Configuring ISA Server 2004 on a Computer with a Single Network Adapter
- Troubleshooting Network Configuration in ISA Server 2004
- Configuring ISA Server 2004 on a Computer with a Single Network Adapter
- The features and limitations of a single-homed ISA Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer