How to Configure Network Rules
When you enable networks or network objects on ISA Server, you can configure network rules that define how network packets will be passed between networks or between computers. Network rules determine whether there is a relationship between two network entities and what type of relationship is defined. Network relationships can be configured as follows:
1- Route: When you specify this type of connection, client requests from the source network are directly routed to the destination network. The source client address is included in the request. A route relationship is bidirectional. That is, if a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A.
2- Network Address Translation (NAT): When you specify this type of connection, ISA Server replaces the IP address of the client on the source network with its own IP address. A NAT relationship is directional. It indicates that the addresses from the source network are always translated when passing through ISA Server. For example, by default a NAT network relationship is defined between the Internet and the internal network. When a client makes a request on the Internet, the IP address of the internal client computer is replaced by the address of the ISA Server computer before the request is passed to the server on the Internet. On the other hand, when a packet from the Internet is returned to the client computer, the address of the server is not translated. Client computers on the internal network can access the actual addresses of computers on the Internet, but computers on the Internet cannot access the internal IP addresses.
How Network Rules and Access Rules Are Applied
ISA Server uses both network rules and access rules to determine whether a client request is passed from one network to another. Together, the network rules and access rules comprise the firewall policy.
The firewall policy is applied in the following way:
1. A user on a client computer sends a request for a resource located on another network. For example, a client on the Internal network sends a request to a server located on the Internet.
2. ISA Server checks the network rules to verify that the two networks are connected. If no network relationship is defined between the two networks, the request is refused.
3. If a network rule defines a connection between the source and destination networks, ISA Server next processes the access rules. The rules are applied in order of priority as listed in the ISA Server Management Console interface. If an allow rule allows the request, then the request is forwarded without checking any additional access rules. If no access rule allows the request, the final default access rule is applied, which denies all access.
4. If the request is allowed by an access rule, ISA Server checks the network rules again to determine how the networks are connected. ISA Server checks the Web chaining rules (if a Web Proxy client requested the object) or the firewall chaining configuration (if a SecureNAT client or a Firewall client requested the object) to determine how the request will be serviced.
5. The request is forwarded to the Internet Web server.
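The following is an added illustration, not ISA Server code: a small Python model of the evaluation order described above (network relationship first, then access rules in priority order with the implicit final deny, then the network relationship again to decide whether the client's source address is translated). It also models the two relationship types from the first section: a route relationship connects in both directions, a NAT relationship only from its source to its destination. The network names, rule names, protocols and IP addresses are constructed for the example.

```python
"""Model of how ISA Server combines network rules and access rules.

Added example, not ISA Server's own code. Networks, rule names,
protocols and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ROUTE = "route"
NAT = "nat"
DEFAULT_DENY = "Default rule (deny all)"


@dataclass
class NetworkRule:
    name: str
    source: str
    destination: str
    relationship: str  # ROUTE or NAT

    def connects(self, src: str, dst: str) -> bool:
        """Route works in both directions; NAT only from source to destination."""
        if (self.source, self.destination) == (src, dst):
            return True
        return self.relationship == ROUTE and (self.source, self.destination) == (dst, src)


@dataclass
class AccessRule:
    name: str
    action: str  # "allow" or "deny"
    source: str
    destination: str
    protocols: List[str]  # ["*"] means any protocol

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        return (self.source == src and self.destination == dst
                and (protocol in self.protocols or "*" in self.protocols))


@dataclass
class Request:
    client_ip: str
    source_net: str
    destination_net: str
    protocol: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    outbound_source_ip: Optional[str] = None  # address the destination server sees


@dataclass
class FirewallPolicy:
    isa_external_ip: str
    network_rules: List[NetworkRule] = field(default_factory=list)
    access_rules: List[AccessRule] = field(default_factory=list)  # priority order

    def evaluate(self, req: Request) -> Decision:
        # Step 2: is there any network relationship between the two networks?
        link = next((r for r in self.network_rules
                     if r.connects(req.source_net, req.destination_net)), None)
        if link is None:
            return Decision(False, "no network rule connects the networks")

        # Step 3: access rules in priority order. The first matching rule decides;
        # if nothing allows the request, the implicit final rule denies it.
        for rule in self.access_rules:
            if rule.matches(req.source_net, req.destination_net, req.protocol):
                if rule.action == "allow":
                    break
                return Decision(False, f"denied by access rule '{rule.name}'")
        else:
            return Decision(False, f"denied by {DEFAULT_DENY}")

        # Step 4: consult the network rule again to see how the packet leaves.
        # A NAT rule only ever matched in its own direction, so it is translated.
        source_ip = self.isa_external_ip if link.relationship == NAT else req.client_ip
        return Decision(True, f"allowed by '{rule.name}' via {link.relationship} rule "
                              f"'{link.name}'", source_ip)


def build_sample_policy() -> FirewallPolicy:
    """Constructed sample: default Internal->External NAT plus a routed perimeter."""
    return FirewallPolicy(
        isa_external_ip="203.0.113.10",
        network_rules=[
            NetworkRule("Internet Access", "Internal", "External", NAT),
            NetworkRule("Perimeter Access", "Internal", "Perimeter", ROUTE),
        ],
        access_rules=[
            AccessRule("Block Telnet", "deny", "Internal", "External", ["Telnet"]),
            AccessRule("Allow Web", "allow", "Internal", "External", ["HTTP", "HTTPS"]),
            AccessRule("Allow DMZ DNS", "allow", "Perimeter", "Internal", ["DNS"]),
        ],
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in (Request("10.0.0.5", "Internal", "External", "HTTP"),
                Request("10.0.0.5", "Internal", "External", "SMTP"),
                Request("198.51.100.7", "External", "Internal", "HTTP"),
                Request("192.0.2.8", "Perimeter", "Internal", "DNS")):
        print(req, "->", policy.evaluate(req))
```

Running the script shows the four outcomes the text describes: a web request from Internal leaves with the ISA Server's external address, an unmatched protocol hits the default deny, a request from the Internet toward Internal fails the network-rule check before any access rule is consulted (NAT is directional), and traffic over the routed perimeter relationship keeps the client's real source address.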
Creating a New Network Rule
To create a new network rule, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network Rules tab.
3. On the Tasks tab, click Create a New Network Rule.
4. On the Welcome to the New Network Rule Wizard page, in the Network Rule Name: box, type the name for the network rule. Click Next.
5. On the Network Traffic Sources page, click Add.
6. On the Add Network Entities page, select the Network Entity to which this rule will apply. Click Add, and then click Close.
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click Add.
9. On the Add Network Entities page, select the Network Entity to which this rule will apply. Click Add, and then click Close.
10. On the Network Traffic Destinations page, click Next.
11. On the Network Relationship page, click Network Address Translation or Route. Click Next.
12. On the Completing The New Network Rule Wizard page, review the settings and then click Finish.