ISA Server rules are evaluated in the order in which they appear in the firewall policy. The order of the rules affects not only the effective policy for your organization, but also the efficiency with which the rules are evaluated. Because the first matching rule ends the need to check additional rules, your firewall policy works most efficiently when the rules that can be evaluated quickly, and are likely to result in a match, are placed near the top of the order.
For example, you may have rules that allow access to most users in your organization for requests that are very common. If you put those rules near the top of the rule order, those common requests will be evaluated quickly, without searching through the full rule base. If you can design that rule to depend on rule elements that can be evaluated quickly, such as IP addresses, rather than on more complex rule elements, such as domain name sets, you will increase the efficiency even more.
For more tips on firewall policy, see Best Practices Firewall Policy.
ISA Server User Education
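The trade-off described above, as an added example that is not ISA Server code or part of the original post: a small first-match model that totals evaluation cost for a traffic sample under two rule orders and lists any request whose verdict changes. The rule names, networks, traffic and cost weights are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

COST_IP, COST_DOMAIN = 1, 10   # assumed relative costs, not measured ISA figures

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src_net: str = ""    # cheap element; empty means any source
    domains: tuple = ()  # costly element; empty means any destination

    def matches(self, req):
        """Return (matched, cost), checking the cheap element first."""
        cost = 0
        if self.src_net:
            cost += COST_IP
            if ip_address(req["src"]) not in ip_network(self.src_net):
                return False, cost
        if self.domains:
            cost += COST_DOMAIN
            host = req["host"]
            if not any(host == d or host.endswith("." + d) for d in self.domains):
                return False, cost
        return True, cost

def evaluate(rules, req):
    """First match wins; unmatched traffic falls to a default deny."""
    total = 0
    for rule in rules:
        matched, cost = rule.matches(req)
        total += cost
        if matched:
            return rule.action, total
    return "deny", total

def compare(baseline, candidate, traffic):
    """Return (baseline cost, candidate cost, requests whose verdict changed)."""
    base = [evaluate(baseline, r) for r in traffic]
    cand = [evaluate(candidate, r) for r in traffic]
    changed = [r for r, b, c in zip(traffic, base, cand) if b[0] != c[0]]
    return sum(b[1] for b in base), sum(c[1] for c in cand), changed

# Constructed rule base and traffic sample (8 common requests, 2 rare ones).
QUARANTINE = Rule("deny quarantine", "deny", src_net="10.0.66.0/24")
PARTNER = Rule("allow partner sites", "allow", domains=("partner.example",))
INTERNAL = Rule("allow internal web", "allow", src_net="10.0.0.0/16")
TRAFFIC = [{"src": "10.0.1.5", "host": "www.example.org"}] * 8 + [
    {"src": "192.0.2.7", "host": "portal.partner.example"},
    {"src": "10.0.66.4", "host": "www.example.org"}]
ORIGINAL = [QUARANTINE, PARTNER, INTERNAL]
print(compare(ORIGINAL, [QUARANTINE, INTERNAL, PARTNER], TRAFFIC))  # same verdicts
print(compare(ORIGINAL, [INTERNAL, QUARANTINE, PARTNER], TRAFFIC))  # verdict changes
```

Moving the cheap, common allow rule above the domain-set rule cuts the cost without changing any verdict, while moving it above the deny rule is cheaper still but lets the quarantined host through.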
OK, is there any way that we can programmatically determine how many hits each rule is receiving to determine the best rule order?
The problem is that ISA doesn't process rules as expected.
1. I have an "accept" rule that requires authentication.
2. Traffic hits the rule but is unauthenticated. That ISA rule denies it because it's unauthenticated and the traffic stops.
This is not the correct behavior. It is an "accept" rule, not a "deny" rule. ISA should pass the traffic through the rule base until it is accepted or finally denied on the clean-up rule at the very bottom of the rule base.
This behavior requires you to put all "no auth" rules ahead of "auth required" regardless of how many times it will be used. My HTTP anti-virus scanner gets updates once a day, but I have to put the rule ahead of the "auth required" rule for general Internet access.
I am looking for instructional manuals that detail how the firewall can be used. I am looking for ways to restrict users to using only selected web sites and databases that I can add to the firewall. Do you know where I can find these instructions or do you know how to do this?
Now you should be able to import the new blacklist.