Configuring Access Rule Elements

What Are Access Rule Elements?

Access rule elements are configuration objects in ISA Server that you use to create access rules. For example, you may want to create an access rule that allows only HTTP traffic. To do this, ISA Server provides an HTTP protocol access rule element that you can use when creating the access rule. Or you may want to limit access to the Internet to certain users or computers. To enable this, you can create a subnet or user set access rule element, and then use this element in an access rule to limit access to the Internet to only computers on the specified subnet, or to only the specified users.

How to Configure Access Rule Elements

ISA Server includes several default access rule elements. For example, ISA Server includes a large number of protocol elements that you can use when creating an access rule. However, in some cases, you must create new access rule elements or modify existing elements.

How to Configure Protocol Elements
In some cases, you may want to create an access rule that allows or denies access to the Internet, depending on which protocol the client uses. To do this, you can use one of the protocol elements provided with ISA Server or create your own protocol definition.

In almost all cases, the preconfigured protocols defined by the ISA Server configuration provide all the flexibility you need when configuring access rules. The protocols included with ISA Server cannot be deleted. You can modify which application filters are applied to the preconfigured protocols, but you cannot modify any other settings.

You can also create new protocols by using the ISA Server Management Console. For example, you may be using a custom application that requires a specific port. You can create a protocol element that uses this port number and then use the protocol in an access rule. User-defined protocols can be edited or deleted.

To create a protocol object, use the following procedure.
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Protocols.
3. Click New, and then click Protocol or RPC Protocol.
To modify an existing protocol definition, click the protocol in the Protocols box, and then click Edit.
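The same kind of user-defined protocol element can also be created by script, as an added example that is not part of the original page, through the ISA Server administration COM object model (FPC.Root); the protocol name, port and the numeric enumeration constants are assumptions documented in the comments.

```powershell
# Added example, not from the ISA Server documentation: creates a user-defined
# protocol element through the ISA Server administration COM object model
# (FPC.Root) and reads it back to verify the stored definition.
# Assumptions: runs on the ISA Server computer (or one with the ISA
# administration tools installed) under an account allowed to edit firewall
# policy. The numeric values below are taken from the ISA Server SDK
# enumerations FpcProtocolType and FpcConnectionDirection; verify them against
# the SDK version you use.
$FpcTcp      = 6   # FpcProtocolType: TCP
$FpcOutbound = 1   # FpcConnectionDirection: outbound (client initiates)

# Constructed sample values for a custom application listening on TCP 8080.
$ProtocolName = 'Custom App (TCP 8080 outbound)'
$Port         = 8080

$fpc       = New-Object -ComObject 'FPC.Root'
$array     = $fpc.GetContainingArray()
$protocols = $array.RuleElements.ProtocolDefinitions

# Preconfigured protocols cannot be deleted and a duplicate name would only
# confuse later rule authors, so refuse to create a second element of that name.
foreach ($p in $protocols) {
    if ($p.Name -eq $ProtocolName) {
        throw "A protocol element named '$ProtocolName' already exists."
    }
}

$proto = $protocols.Add($ProtocolName)
$proto.Description = 'User-defined protocol created by script'
# One primary connection: a single port (low = high), TCP, outbound.
$null = $proto.PrimaryConnections.Add($Port, $Port, $FpcTcp, $FpcOutbound)
$proto.Save()

# Read the element back from the policy so the saved definition is verified,
# not just the in-memory object that was edited.
$saved = $array.RuleElements.ProtocolDefinitions |
    Where-Object { $_.Name -eq $ProtocolName }
foreach ($c in $saved.PrimaryConnections) {
    '{0}: ports {1}-{2}, protocol type {3}, direction {4}' -f `
        $saved.Name, $c.LowPort, $c.HighPort, $c.ProtocolType, $c.Direction
}
```

The new element then appears under Protocols in the Toolbox and can be used in an access rule exactly like one created through the console.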

How to Configure User Set Elements
Besides the protocol, the second criterion that you may want to apply to an access rule specifies which users will be allowed or denied access by the access rule. To limit access to Internet resources based on users or groups, you must create a user set element. When you limit an access rule to specific users, users must authenticate before they are granted access. For each group of users, you can define the type of authentication required. You can mix different types of authentication within a user set. For example, a user set might include a Windows user or group based on domain membership, a user from a RADIUS namespace, and another user from the SecurID namespace.

ISA Server is preconfigured with the following user sets:
1. All Authenticated Users: This set includes all users who have authenticated using any type of authentication. SecureNAT clients are not authenticated unless they connect through a virtual private network (VPN). This means that this group does not include non-VPN SecureNAT clients.
2. All Users: This set includes all users, both authenticated and unauthenticated. If you want to allow access for SecureNAT clients, you should use this user set.
3. System and Network Service: This user set includes the Local System service and the Network service on the computer running ISA Server. This user set is used in some system policy rules.