Note from isablog: Our blog is now accepting postings from Microsoft MVPs. We’ve discussed firewall policy in this space before, but there’s nothing like the voice of an ISA Server enthusiast and MVP from China who deals with firewall policy every day. Read these tips, and then see Best Practices Firewall Policy for ISA Server 2004.
For the Chinese version, please visit : http://www.isacn.org/info/info.php?sessid=&infoid=194.
1. A Computer does not have a brain. You should check your ISA Server configuration when its behavior doesn’t match your expectations.
2. Allow access selectively. Only allow access for users, sources, destinations, and protocols that you need, and check each rule carefully. Only use deny rules when you can’t control access with allow rules.
3. A deny rule must come before an allow rule when both apply to the same policy elements such as users or source IPs.
4. When you must use a deny rule, an explicit deny rule, such as a deny rule for a specific user or source IP, should be considered first.
5. Place rules that will have high match rates near the top of the rule base if you can do so without changing the effect of your firewall policy. These are rules that are very likely to be matched, such as rules that apply to “All users” or “All authenticated users”. This enables ISA Server to evaluate rules more efficiently.
6. Keep your firewall policy as simple as possible.
7. Never use an allow all to all rule in a production environment. ISA Server cannot control access if you do.
8. Don’t create a rule that duplicates a system policy rule.
9. Remember that every rule is evaluated independently. Though rules are evaluated in order, each one is evaluated on its own when the firewall is going through the rules.
10. Never allow access for all to Local host. The Internal network should be considered untrusted in this regard, too.
11. SecureNAT clients can’t be authenticated, so use Web proxy clients and Firewall clients when you require user authentication.
12. When possible, use IP-address-based rule elements over user-name-based elements, because they are evaluated more quickly.
13. Configure clients as Web proxy clients when you use domain name sets or URL sets in your rules. Otherwise, the access rule maybe ignore by failed reverse domain name resolution, and may cause a slow response.
14. Only use application filtering (such as the HTTP filter) when you real need it. Use of the filters may affect performance
15. Remember that there is a deny all rule at the base of the firewall policy.
16. Finally, always test your policy in a laboratory environment before testing and then using it in production.
Thanks to my ISA Server mentors for all their help: Thomas Shinder and Ronald Beekelaar.
ISA Server MVP
Great rules! Here’s another one that I’ve found useful. It’s important to carefully consider and select the relationship between network entities before you create a rule. NAT and route relationships have a direct impact on the creation of access and publishing rules.
in fact, when ISA seems not do what we would like, these are the steps to go through:
1) check your NICs configuration
2) check static routes, if present
3) check Netork Configuration
4) check Network Rules
only after these steps you can start working in Firewall Policy
I Installed ISA 2004 Kindly Tell Me How Can I Allow Only Browsing & Messenger (Yahoo + MSN With Webcam Voice).
Kindly Help me Configure ISA With Step By Step Process.
(Mail me Screenshots If Possible Conquerer_2002@hotmail.com)
# Need ISA 2004 Configuration Help.
I Installed ISA 2004 Kindly Tell Me How Can I Allow Messenger (Yahoo + MSN With Webcam Voice).
(Mail me Screenshots If Possible firstname.lastname@example.org)
I Installed ISA 2004 Kindly Tell Me How Can I Allow Messenger.
(Mail me Screenshots If Possible email@example.com
Can somebody help me out with a couple of issues in ISA 2006 ?
1.I need to allow yahoo's voice chat and web cams thru ISA 2006
2.is Content filtering possible in ISA 2006 ? if yes please tell me how to configure it
3. how can i allocate bandwidth to the users in ISA 2006.
kindly email me a solution on
Thank you in advance
Kindly Tell Me How Can I Allow Messenger (Yahoo + MSN With Webcam Voice)in ISA 2004.
note:skype work with Web Came
my E-Mail : Ghassan_Mansi@hotmail.com
a guide on the subject (in three parts). The guide covers most aspects