Best Practices for Configuring Networks in ISA Server 2004
This document provides general guidelines for configuring network infrastructure and using network objects in Microsoft Internet Security and Acceleration (ISA) Server 2004.
ISA Server 2004 uses a multi-networking model to control how traffic flows between networks internal to your organization, and between internal and external networks. You create access rules to determine how clients on a source network can access resources on a destination network. When you create rules, you specify a network object as the source and destination of the rule.
To allow communication between networks, the following process is required:
- Create network objects. Create network objects to match your organization’s network infrastructure, or modify predefined network objects created by ISA Server. For more information, see Creating Network Objects later in this document.
- Configure network properties. Networks are network objects that typically correspond to your physical network layout. Configure properties of networks to determine how the network handles traffic, and supports client requests. For more information, see Configuring Network Properties later in this document.
- Create network rules. Create network rules to configure how traffic is passed between network objects. ISA Server checks network rules to determine whether source and destination networks can connect, and if so, whether traffic between the network objects should have a network address translation (NAT) or route relationship. For more information, see Creating Network Rules later in this document.
- Create access rules. Create a firewall policy by means of access rules or Web proxy routing rules, to expose communications between networks to stateful filtering and application layer traffic inspection. Use network objects to specify a source network and destination network for the rule. For more information, see Using Network Objects in Access Rules later in this document.
Creating Network Objects
There are a number of different types of network objects available for use in rules, including:
- Networks. Networks typically correspond to a physical network. Networks represent one or more Internet Protocol (IP) address range or ranges that can be reached from one of the network adapters on the ISA Server computer. For more information about the predefined networks that ISA Server defines, see Predefined ISA Server Networks later in this document.
- Network sets. A network set is a group of networks. After installation, there are two predefined network sets: All Networks and All Protected Networks (containing all ISA Server networks except the External network).
- Computers. A Computer object allows you to specify a single computer address as a source or destination in policy rules. This is useful where granular control is required to allow communications to or from a single computer.
- Address ranges. An address range is a collection of contiguous IP addresses to which you want to apply rules.
- Subnets. A subnet represents a group of computers located on the same subnet.
- Computer sets. A computer set is a collection of computers, IP address ranges, or subnets. Following installation, there are a number of predefined computer sets, including Anywhere, which includes all IP address ranges.
- URL sets. A URL set is a collection of one or more Uniform Resource Locators (URLs). Use for granular control to specify what Web site URL users can access through ISA Server. URL sets are only used with Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) requests, with some limited support for Secure HTTP (HTTPS). For more information, see Using URL and Domain Name Sets in ISA Server 2004 at the Microsoft TechNet Web site.
- Domain name sets. A collection of one or more domain names. They are similar to URL sets, except that domain name sets are relevant for all protocols.
Applying Network Templates
Although you can create networks manually, to get started creating networks and creating basic network and access rules, we recommend that you use predefined ISA Server network templates. These are provided for the most common network configurations, including deploying ISA Server as an edge firewall, a front firewall, a back firewall, a three-leg perimeter, or as a firewall with a single network adapter. When you run the Network Template Wizard to apply one of these templates, you define network IP addresses, and then select a basic firewall policy that corresponds to the template. To run the Network Template Wizard, in ISA Server Management, expand the Configuration node, and then click the Networks node. On the Templates tab, select the template you want to configure, as shown in the following figure. For more information about network templates, see Network Templates later in this document.
Applying a new template deletes all existing rules, with the exception of the predefined system policy rules. Back up your current configuration before applying a template. When you run the Network Template Wizard, you have the opportunity to save your current configuration before applying a new template.
Detecting Spoofed Traffic
The ISA Server network model incorporates spoof detection to decide whether source and destination IP addresses are valid. Every time a network adapter receives a packet, ISA Server checks whether the packet is spoofed. ISA Server checks packet validity against the properties of the network associated with the adapter, and the Microsoft Windows Server 2003 or Windows 2000 Server routing table. A packet is considered spoofed (and therefore dropped) if one of the following is true:
- The packet contains a source IP address that (according to the routing table) is not reachable through any network adapter associated with the network.
- The packet contains a source IP address that does not belong to the address range of a network (array network for Enterprise Edition) associated with a network adapter.
Guidelines for Creating Networks
Use the following guidelines when creating networks:
- ISA Server supports as many network adapters as the hardware allows.
- A network adapter can only be associated with one ISA Server network.
- An adapter may have zero or more addresses. Each address can only belong to one network (be associated with exactly one network adapter). There should be no overlap of address ranges on a network.
- Do not use dynamic addresses on ISA Server network adapters, except for the adapter associated with the External network.
- ISA Server does not support multiple external network interfaces.
- The ISA Server computer must have at least one network adapter configured and enabled (for communication with the Internal network). An ISA Server computer with only one network adapter should be configured with the Single Network Adapter template. In such a scenario, ISA Server recognizes only the Internal network. For more information about this scenario, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.
- When you add a new adapter and assign it a new IP address that is not present on any other ISA Server network, configure a new network object for that adapter. You can run a new network template after a change in network adapter configuration. For example, if you add a new adapter to a computer with a single adapter, you can select an alternative template such as the Edge Firewall template, the Back Firewall template, or the Front Firewall template. Remember that selecting a new template will overwrite existing access rules, and you should back up your current configuration settings before running the Network Template Wizard.
- To create a custom Internal or perimeter network, you must have an adapter installed to associate with the new network. For example, if you have an ISA Server computer with two network adapters, one connected to the Internet, and the other to the Internal network, you will need a third network adapter to define a perimeter network.
- All IP addresses that can be reached directly from a network adapter must be defined as part of the same ISA Server network. All addresses behind a specific adapter must be included in the network object associated with that adapter. Check the following to make sure that remote subnets reached by ISA Server through a router are configured correctly and that their traffic is not treated as spoofed:
  - Do not create separate networks for remote subnets that are physically connected to a local ISA Server subnet.
  - Be sure that remote subnets are added correctly to the network definition.
  - Verify that the network's IP address range matches the routing table, and that persistent static routes are defined in the routing table for each remote subnet.
- Any IP address that is not contained in an ISA Server protected network is considered part of the External network. ISA Server protected networks are included in the All Protected Networks network set, which is configured by default after ISA Server installation and contains all ISA Server networks except the External network.
- Because only communication between different networks should traverse ISA Server, you cannot use a network when specifying source or destination in an access rule controlling communication between two hosts in the same network. Instead, you can use other network objects, such as computers, subnets, and address ranges to control traffic between these hosts. Where appropriate, you can also use direct access for such host-to-host communications to ensure that requests between internal clients are not looped back through the ISA Server computer.
The following figure shows how remote subnets should be configured.
In the preceding figure, note the following:
- The 192.168.1.0, 192.168.2.0, and 192.168.3.0 subnets are accessible to ISA Server through routers, and the Windows routing table should reflect this configuration.
- The internal network object must include all of the subnets. You cannot create a network for each subnet, because ISA Server will look at the properties of each network and attempt to find an adapter to associate with each network. This will fail because there is no such network adapter for each network, and ISA Server assumes that the adapter is either physically disconnected or disabled, and treats the network as disconnected.
- To ensure that the ISA Server network configuration matches the physical networks and the routing table, configure the Internal network properties to include the address ranges of all subnets. In addition, ensure that the routing table is correctly configured. To do this, use the route add command with the -p switch to add a persistent static route for each remote subnet, that is, each subnet that is not directly connected (in this case, 192.168.2.0 and 192.168.3.0). The gateway for these routes is the IP address of the router interface that is on the same subnet as the ISA Server internal network adapter.
- SecureNAT clients on the remote subnets should have their default gateway set to the IP address of the router connected to the Internal network. Firewall clients and Web Proxy clients should use the address of the ISA Server internal network adapter.
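The following Python model, added here and not part of ISA Server or of this document, walks through the two spoof checks described in Detecting Spoofed Traffic and the remote-subnet case in the figure above. Network names, adapter names and the addresses (192.168.1.254 as the router, 203.0.113.0/24 as the external subnet) are assumptions chosen for the example.

```python
import ipaddress

# Added example, not ISA Server code: a small model of the spoof check and of
# the remote-subnet configuration described above. Network names, adapter
# names and addresses are hypothetical.

def route_interface(routing_table, addr):
    """Interface of the most specific route for addr (longest prefix wins), or None."""
    best = None
    for prefix, _gateway, iface in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def belongs_to(networks, name, addr):
    """True if addr is in the address ranges of the named ISA Server network.
    The External network is whatever no other network claims."""
    if name == "External":
        return not any(belongs_to(networks, other, addr)
                       for other in networks if other != "External")
    return any(addr in ipaddress.ip_network(r) for r in networks[name]["ranges"])

def is_spoofed(networks, routing_table, adapter, src_ip):
    """Model of the two checks on the page: the source must belong to the network
    bound to the receiving adapter, and the routing table must reach that source
    through an adapter of that network (each adapter here is bound to one network)."""
    addr = ipaddress.ip_address(src_ip)
    network = next((n for n, cfg in networks.items() if cfg["adapter"] == adapter), None)
    if network is None:
        return True                      # adapter not bound to any network
    if not belongs_to(networks, network, addr):
        return True                      # outside the network's address ranges
    if route_interface(routing_table, addr) != adapter:
        return True                      # not reachable through this adapter
    return False

def remote_subnet_scenario():
    """Walk the figure's case: 192.168.2.0/24 sits behind a router at 192.168.1.254.
    Returns the spoof verdict for a packet from 192.168.2.5 arriving on LAN at
    three stages: misconfigured, address range added, persistent route added."""
    networks = {
        "Internal": {"adapter": "LAN", "ranges": ["192.168.1.0/24"]},
        "External": {"adapter": "WAN", "ranges": []},
    }
    routes = [
        ("192.168.1.0/24", None, "LAN"),        # directly connected
        ("203.0.113.0/24", None, "WAN"),        # directly connected
        ("0.0.0.0/0", "203.0.113.1", "WAN"),    # default route to the Internet
    ]
    misconfigured = is_spoofed(networks, routes, "LAN", "192.168.2.5")
    # Step 1: add the remote subnets to the Internal network's address ranges.
    networks["Internal"]["ranges"] += ["192.168.2.0/24", "192.168.3.0/24"]
    ranges_only = is_spoofed(networks, routes, "LAN", "192.168.2.5")
    # Step 2: the equivalent of
    #   route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.254
    #   route add -p 192.168.3.0 mask 255.255.255.0 192.168.1.254
    routes += [("192.168.2.0/24", "192.168.1.254", "LAN"),
               ("192.168.3.0/24", "192.168.1.254", "LAN")]
    fixed = is_spoofed(networks, routes, "LAN", "192.168.2.5")
    return misconfigured, ranges_only, fixed
```

Adding the address range alone is not enough: until the persistent route exists, the default route still points the 192.168.2.0 subnet at the external adapter and the packet is still dropped as spoofed.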
Configuring Network Properties
The ISA Server predefined networks and custom networks you create have properties associated with them. These properties specify the IP address ranges associated with the network, how Firewall clients access resources in the network, how Web Proxy client requests are handled, and whether automatic discovery is configured for the network. For example, for the ISA Server predefined Internal network, you can use the following tabs (shown in the following figures) to set properties:
Addresses. On this tab, specify the IP address ranges to include in the network.
In ISA Server 2004 Enterprise Edition, you can add multiple enterprise networks into the addresses of an array-level network. This is useful to ensure that IP addresses are not considered as spoofed. IP addresses that belong to an enterprise network but do not belong to any array-level network are considered to be part of a residual address range and will be treated as spoofed addresses and dropped.
Domains. On this tab, specify a list of internal network domains for direct access. When Firewall clients connect to a domain specified in this list, the request bypasses the Firewall client configuration. This enables such clients to connect directly to servers in the local network without looping back through ISA Server. Firewall client computers configured as Web Proxy clients can use this list to bypass Web proxy when connecting to specific external sites, connecting instead as Firewall clients or SecureNAT clients. This setting is enabled when Directly access computers specified in the Domains tab is enabled on the Web Browser tab.
Web Browser. On this tab, specify how Web browsers configured to use the automatic configuration script should behave. For more information about the automatic configuration script, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site. Select as follows:
- Select Bypass proxy for Web servers in this network to specify that Web Proxy clients should connect directly to Web servers in their local network.
- Select Directly access computers specified in the Domains tab to allow Web Proxy clients to access domains listed on the Domains tab directly, bypassing the Web proxy. You can specify a list for direct access.
- Select Direct access to specify that Web Proxy clients should access sites using SecureNAT or Firewall client configuration if Web proxy is not available.
- Select Alternative ISA Server to specify an alternative Web proxy.
Auto Discovery. On this tab, specify the port number on which the network adapter should listen for Web Proxy Automatic Discovery (WPAD) and Winsock Proxy Autodetect (WSPAD) requests. By default, ISA Server publishes automatic discovery information on port 8080. For Dynamic Host Configuration Protocol (DHCP) discovery, you can specify any port. For Domain Name System (DNS), you must publish on port 80. For detailed information about configuring automatic discovery, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site. For more information about the WPAD protocol, see Web Proxy Auto-Discovery Protocol.
Firewall Client. On this tab, enable this network to listen for requests from Firewall clients, and configure Web browser settings on Firewall client computers. Specify that Firewall clients should use automatic detection to find an ISA Server computer and an automatic configuration script.
Web Proxy. On this tab, specify that the network will listen for HTTP requests from the Web proxy. You can configure authentication methods for such requests. Note that although you can select Secure Sockets Layer (SSL), Web Proxy client browsers cannot connect to the listener over an SSL connection. This is a browser limitation. Internet Explorer does not support certificate authentication to a Web proxy. This option is only for use in a Web proxy chaining scenario. In this case, you can configure a downstream ISA Server to forward Web requests to an upstream proxy over SSL.
CARP. This tab appears in ISA Server 2004 Enterprise Edition only. On this tab, enable Cache Array Routing Protocol (CARP) for a specific network. When you enable CARP, the cache drives on all array servers are treated as a single logical cache drive so that caching is efficiently distributed among the member servers. For more information about CARP, see How CARP works in ISA Server online Help.
NLB. This tab appears in ISA Server 2004 Enterprise Edition only. On this tab, enable Network Load Balancing (NLB) on the network, and specify a virtual IP address and mask to use. When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for the network adapter accordingly. The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter associated with the network. The virtual IP address must belong to the network. For more information about NLB, see Network Load Balancing in ISA Server 2004 Enterprise Edition at the Microsoft TechNet Web site.
You can specify Web Proxy properties (and CARP properties in ISA Server 2004 Enterprise Edition) on the predefined Local Host network. This configures the Web Proxy listener for use by applications running on the ISA Server computer.
Creating Network Rules
To allow communication between network objects, you must define network rules. Network rules define whether traffic is allowed between network objects, and the type of relationship that should be applied to traffic flowing between source and destination network objects. To create network rules, in ISA Server Management, expand the Configuration node, and then click the Networks node, as shown in the following figure.
There are two choices available when defining the relationship between networks:
- Network address translation (NAT). You will usually use a NAT relationship for communication between trusted and untrusted networks. When a NAT relationship is enabled, the IP address of the request from the source network is replaced with the IP address of the adapter on the ISA Server computer that is connected to the destination network. For example, if you create a NAT relationship between the Internal network and the External network, the source IP address of a request from the Internal network will be replaced with the IP address of the ISA Server network adapter connected to the External network. For more information about NAT, see What is NAT in the Windows Server 2003 documentation at the Microsoft TechNet Web site.
- Route. Use a route relationship where a more transparent communication is acceptable, and IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses, or between two networks with private addresses.
Guidelines for Creating Network Rules
Use the following guidelines when creating network rules:
- A NAT relationship is unidirectional. For example, if you create a NAT relationship from the Internal network to the perimeter network, traffic returned from the perimeter network to the Internal network is not translated. You cannot use access rules to control traffic from the network that does not have NAT applied to the network that does have NAT applied. To use access rules, networks must have knowledge of IP addresses in the other network. In this example, the Internal network is aware of addresses in the perimeter network, but clients in the perimeter network are not aware of addresses in the Internal network because NAT is applied. Instead, you would use Web publishing rules or server publishing rules to allow traffic from the perimeter network to the Internal network.
- A route relationship is bidirectional. Defining a network rule with a route relationship between the Internal network and the perimeter network implicitly defines the same relationship from the perimeter network to the Internal network. You can use access rules, Web publishing rules, or server publishing rules to control traffic between networks linked with a route relationship.
- Network rules are evaluated according to the order in which they appear in the network rules list. ISA Server evaluates traffic against the ordered network rules. ISA Server takes the first rule that applies to the specific traffic, and no further network rules are evaluated.
- Route and NAT relationships are subject to stateful filtering and application layer inspection.
- In some circumstances, protocol requirements may mean that traffic will need a route relationship instead of applying NAT, because there are protocols and applications that do not work through NAT.
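The following Python model, added here and not part of ISA Server or of this document, illustrates the guidelines above: network rules are evaluated in order and the first match wins, a NAT relationship applies only in the direction it is defined, a route relationship applies in both directions, and only a NAT relationship rewrites the source address. The networks, addresses, and rule names (including the deliberately shadowed last rule) are assumptions chosen for the example.

```python
import ipaddress

# Added example, not ISA Server code: a model of ordered network rules with NAT
# and route relationships, and of which rule types each direction permits, as
# described in the guidelines above. Networks, addresses and rule names are hypothetical.

# Address ranges of each network and the ISA Server adapter address on it.
NETWORKS = {
    "Internal":  {"ranges": ["10.0.0.0/24"],   "isa_addr": "10.0.0.1"},
    "Perimeter": {"ranges": ["172.16.0.0/24"], "isa_addr": "172.16.0.1"},
    "External":  {"ranges": ["0.0.0.0/0"],     "isa_addr": "203.0.113.10"},
}

# Ordered network rules: (name, source networks, destination networks, relationship).
NETWORK_RULES = [
    ("Perimeter Configuration", {"Internal"},  {"Perimeter"}, "NAT"),
    ("Perimeter Access",        {"Perimeter"}, {"External"},  "route"),
    ("Internet Access",         {"Internal"},  {"External"},  "NAT"),
    # Never reached for Internal -> External: the NAT rule above matches first.
    ("Shadowed Route",          {"Internal"},  {"External"},  "route"),
]

def network_of(ip):
    """Most specific network containing ip; External (0.0.0.0/0) is the fallback."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cfg in NETWORKS.items():
        for r in cfg["ranges"]:
            net = ipaddress.ip_network(r)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1]

def match_rule(src_net, dst_net):
    """First rule in list order that covers the pair, in either direction.
    Returns (name, relationship, reverse) or None when no network rule connects them."""
    for name, sources, dests, rel in NETWORK_RULES:
        if src_net in sources and dst_net in dests:
            return name, rel, False
        if dst_net in sources and src_net in dests:
            return name, rel, True
    return None

def permitted_rule_types(src_net, dst_net):
    """Firewall policy rule types usable for src_net -> dst_net traffic."""
    match = match_rule(src_net, dst_net)
    if match is None:
        return set()                                  # networks cannot connect
    _name, rel, reverse = match
    if rel == "route":                                # route is bidirectional
        return {"access", "web publishing", "server publishing"}
    if not reverse:                                   # NAT in its defined direction
        return {"access"}
    return {"web publishing", "server publishing"}    # NAT seen from the other side

def source_seen_by_destination(src_ip, dst_ip):
    """Source address the destination sees: rewritten to the ISA Server adapter
    address on the destination network only when NAT applies in this direction."""
    match = match_rule(network_of(src_ip), network_of(dst_ip))
    if match is not None and match[1] == "NAT" and not match[2]:
        return NETWORKS[network_of(dst_ip)]["isa_addr"]
    return src_ip
```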
Using Network Objects in Access Rules
After defining networks and network relationships, you can use them to specify source and destination in firewall policy rules. Use the following guidelines when creating rules:
- ISA Server recognizes all addresses behind a specific network adapter as belonging to the same network. This includes any routed subnets on the network. With this design, you cannot use networks as a source or destination for access rules controlling traffic between hosts in the same network, because ISA Server will consider both source and destination as identical. Instead, you can define hosts in other network objects such as subnets, computers, and address ranges, and use those objects in access rules.
- When you create access rules allowing Web access, note that Web requests from clients protected by ISA Server going through Web Proxy Filter are always subject to address translation, even if there is a route relationship between the source and destination network objects in the rule. The only way around this is to disable Web Proxy Filter for the client protocol being used. For more information about scenarios where this might be an issue, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.
This section provides a description of predefined ISA Server networks, a description of network templates, and a link for additional resources.
Predefined ISA Server Networks
The following table describes the predefined ISA Server networks. For each network, the description is followed by whether the network can be modified or deleted.
- Local Host. Includes all IP addresses on all ISA Server network adapters. You do not need to explicitly define IP addresses on this network, because addresses are automatically added to this network when they are added to ISA Server adapters. Cannot modify or delete.
- Internal. Represents the primary default protected network. By default following installation, ISA Server protects resources on the Internal network from all other networks except the Local Host network (the ISA Server computer). It is generally considered to contain trusted IP addresses. During installation, you specify an IP address range or select an adapter to add network adapter IP addresses to the Internal network. Following installation, you can create access rules to allow traffic from the default Internal network to access other networks, and publishing rules to allow external servers to access servers located on the Internal network. Cannot delete. Can be modified.
- External. Includes all IP addresses not associated with any other network. Generally, represents the Internet. Cannot directly modify or delete. Note that the definition of this network will change as other networks are defined, because it includes all IP addresses not associated with any other network.
- VPN Clients. Includes IP addresses of currently connected remote virtual private network (VPN) clients. The VPN Clients network and the Quarantined VPN Clients network are dynamically assigned in accordance with the IP addresses allocated to remote VPN clients at a specific time. Cannot delete. Can be modified.
- Quarantined VPN Clients. Includes IP addresses of remote VPN clients currently held in quarantine. Cannot delete. Can be modified.
Network Templates
ISA Server provides the following predefined network templates that you can apply:
- Edge Firewall template. Sets up the basic configuration for deploying ISA Server at the edge of your network. You should have at least two network adapters available when applying this template, an internal adapter and an external adapter. The following network configuration will be applied:
  - A network rule that specifies a route relationship between the Internal network and the VPN Clients network.
  - The default Internal network IP address ranges that you specified during Setup.
- 3-Leg Perimeter template. Sets up ISA Server with three or more network adapters, for the Internal network, the External network, and additional adapters for perimeter networks. After running this template, the following configuration will be applied:
  - A new network object, Perimeter.
  - A network rule, Perimeter Access, that specifies a route relationship between a perimeter network and the External network.
  - A network rule, Perimeter Configuration, that specifies a NAT relationship between the Internal network and the perimeter network, and between the VPN Clients network and the perimeter network.
- Front Firewall template. Sets up ISA Server in front of another firewall. It assumes that the network behind ISA Server is a perimeter network. The following network configuration will be applied:
  - No Internal network is defined; instead, a new network, Perimeter, is created.
  - A network rule, Perimeter Access, that specifies a route relationship between the perimeter network and the External network, and between the VPN Clients network and the External network.
- Back Firewall template. Sets up ISA Server between a perimeter network and the Internal network, with another firewall configured at the front end, possibly between the perimeter network and the External network. The following network configuration will be applied:
  - A network rule that specifies a route relationship between the Internal network and the VPN Clients network.
  - A network rule that specifies a NAT relationship between the Internal network and the External network, and between the VPN Clients network and the External network.
You can choose from a number of predefined firewall policies available for each network template. For more information, see information about each template in the topic Network Templates in ISA Server online Help.
Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page.