• For each Enterprise policy assignment, develop policy elements and access policies, and then test them.
• When things don’t work as expected, determine why, and test your assumption to prove it works.
• There is no substitute for hands-on experience here. You must install at least two Enterprise ISA Servers in an array.
• Try different approaches by creating different types of Enterprise policies and assigning them one at a time to your array.
INTRODUCTION

The Enterprise edition of ISA Server, when integrated in an Active Directory domain, affords new vistas of centralized control and management. You may be well versed in how to create and troubleshoot ISA Server Internet access and be tempted to quickly scan this information. Don’t! Some familiar tasks are restricted, or can only take place at the Enterprise level. Many capabilities are dependent on the Enterprise policy applied to the array, so learning the hows and wheres in one array might not transfer to another array you’ll visit. Your time will be well spent here, as you need to have a framework on which to hang your hands-on knowledge. Be sure to spend time implementing access policy in an array environment. Organizing your knowledge consists of:

• Determining Where to Do It: An Access Policy Functional Framework
• Determining Who Can Do It: An Access Policy Permissions Framework
• Applying Access Policy: An Access Policy Strategy for the Enterprise
• Troubleshooting Access Problems
DETERMINING WHERE TO DO IT: AN ACCESS POLICY FUNCTIONAL FRAMEWORK

The Enterprise edition makes available the creation, at the enterprise level, of:

• Site and Content Rules
• Protocol Rules
• Some Policy Elements
FIGURE 12.1 Enterprise location of rules and policy elements.

FIGURE 12.2 Standard edition location of rules and policy elements.
In the Standard edition, it’s pretty straightforward: You create all access rules and policy elements right in one place. In the Enterprise edition, there are two possible places to create policy elements and rules: at the enterprise policy location, and/or the array. Also, the type of policy applied to the array controls whether you can create any of them. Depending on this policy, some things must be created at the enterprise level, some at the array level, and some at both.
Additionally, some items, such as publishing rules and dial-up entries, can only be created at the server level. Understanding what can be created, and where, is a matter of applying the meaning of the policy to the availability of the object. Table 12.1 lists rules and policy elements and defines where they can be created according to policy scope. The policy names used in the table can be cross-referenced to the policy choices in the following list:

• Array Only: Use array policy only
• Enterprise Only: Use this enterprise policy
• Enterprise with Restrictive Array: Allow array-level access policy rules that restrict enterprise policy
• Allow Publishing: Allow publishing rules
TABLE 12.1 Rules and policy elements, and where they can be created according to policy scope

Access Policy Element | Type of Policy | Create at Enterprise | Create at Array
Protocol Rules | Array Only | Yes | Yes
Protocol Rules | Enterprise Only | Yes | No
Protocol Rules | Enterprise with Restrictive Array | Yes | Yes (deny only)
Schedules | All Choices | Yes | Yes
Bandwidth Priorities | Array Only, Enterprise Only, Enterprise with Restrictive Array | No | Yes
Destination Sets | Array Only, Enterprise Only, Enterprise with Restrictive Array | Yes | Yes
Client Address Sets | Array Only, Enterprise Only, Enterprise with Restrictive Array | Yes | Yes
Protocol Definitions | Array Only, Enterprise Only, Enterprise with Restrictive Array | Yes | Yes
Content Groups | Array Only, Enterprise Only, Enterprise with Restrictive Array | Yes | Yes
Dial-up Entries | Array Only, Enterprise Only, Enterprise with Restrictive Array | No | Yes*
Routing Rules | Array Only, Enterprise Only, Enterprise with Restrictive Array | |
Publishing Rules | Array Only, Enterprise Only, Enterprise with Restrictive Array | No | No
Publishing Rules | Allow Publishing | No | Yes*
Packet Filters | Array Only, Enterprise Only | No, if “forced on array” | Yes, if this is unchecked
Packet Filters | Enterprise with Restrictive Array | No, if “forced on array” | Yes (see Figures 12.3, 12.4, and 12.5)

* Strictly speaking, publishing rules and dial-up entries are created for a server, not for the array as a whole, but the “Allow Publishing Rules” distinction allows creating publishing rules at any server in the array.

Which Policy Is Effective? To locate the policy that impacts the server, find the server’s array in the ISA Server Management Console. Right-click on the array object and select Properties. The Policies page lists and defines the policy assigned to this array (see Figure 12.4).

FIGURE 12.3 When packet filtering is forced at Enterprise level the choice is grayed out on the server.

FIGURE 12.4 Packet filtering controlled at array level—policy.

FIGURE 12.5 The capability to set packet filtering is now available.
DETERMINING WHO CAN DO IT: AN ACCESS POLICY PERMISSIONS FRAMEWORK

The purpose behind this elaborate framework is twofold:

• Provide for centralized control and management of multiple ISA Servers
• Allow delegation of array-level policy
Centralized control is obtained by assigning a policy to each array that meets the needs of the enterprise. Decentralized IT functions are met by the choice Use Array Level Policy Only. Centralized IT functions are given all-powerful control by Use This Enterprise Policy. Arrays that need more restrictive policies can do so with Allow Array-Level Access Policy Rules That Restrict Enterprise Policy. A combination of enterprise and array management policies can be fulfilled by creating multiple arrays and assigning different enterprise policies.
The second issue in an enterprise model is the capability to assign administrative chores in a manner that provides the power to do what is necessary and allowed, without being able to overstep the boundaries. This can be obtained in a straightforward manner through the standard permission set at the enterprise and array level, or by creating custom groups and applying administrative permissions at the level desired.

In the default implementation of ISA Server Enterprise edition, only the Enterprise Admins group has full control. If a Domain Admin attempts to write enterprise policies (policy elements and rules), she will be denied access at the enterprise level (see Figure 12.6 and Figure 12.7). At the array level, the local computer Administrator, Domain Admins, and Enterprise Admins have full control. Keep in mind that before a Domain Admin can create an access rule, the capability to create rules at the array level must be specified in the policy.
FIGURE 12.6 Domain admins can’t write enterprise policy elements.

FIGURE 12.7 Domain admins can’t write enterprise rules.
APPLYING ACCESS POLICY: AN ACCESS POLICY STRATEGY FOR THE ENTERPRISE

The actual act of creating policy elements and rules to manage Internet access varies little from that described previously. The difference in an Enterprise deployment is not in the “how to” but in the “where” and “who.” While the previous sections of this chapter detailed the overall rules which determine the where and who, this section presents some rule and element specifics and describes a strategy to take advantage of the strengths of each policy type.

Specifically, it will look at:

• Creating Policy Elements
• Creating Rules
• Putting Together an Implementation Plan
Creating Policy Elements

Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.
To create policy elements, follow the same general instructions described in the Step by Step sections detailed in Chapter 5, “Outbound Internet Access.” To determine where to create them, you must consider both where they will be used and where they can be created. Remember that enterprise level rules can only use policy elements created at the enterprise level, while array level rules (if allowed) can use both enterprise and array policy elements. An example of this is displayed in Figures 12.8 and 12.9. The “Enterprise Morning” schedule was created at the enterprise level, and the “Array Evenings” schedule was created at the array level. Both captures were taken during a Site and Content Rule wizard schedule choice (Figure 12.8 at the enterprise level, and Figure 12.9 at the array level).
This arrangement makes sense. Array level policy elements are probably only relevant at the array level. If they are required at more than one array, then they can be created at the enterprise level.

FIGURE 12.8 Only enterprise policy elements are available for enterprise rules.

FIGURE 12.9 Enterprise and array level policy elements are available at the array.
Remember, policy elements in themselves do not allow or restrict access; they merely form the building blocks that can be used in rules that do.
Two policy elements can only be created at the array level: bandwidth priorities and dial-up entries. Dial-up entries are specific to the server on which the modem is installed, so there is no need for an enterprise level policy. Bandwidth priorities are only used in creating bandwidth rules. Bandwidth rules are only created at the array level.

Creating Rules

Create and configure access control and bandwidth policies.

• Create and configure site and content rules to restrict Internet access
• Create and configure protocol rules to manage Internet access
• Create and configure routing rules to restrict Internet access
• Create and configure bandwidth rules to control bandwidth usage
To create site and content, protocol, bandwidth, and routing rules, follow the instructions in the Step-by-Step sections detailed in Chapter 5. To determine why you might want to create them in a specific place, consider the section, “Putting Together an Implementation Plan,” later in this chapter. You should also keep in mind that the capability to create site and content rules and protocol rules at the array level is only allowed in two cases:

• If the “Use array policy only” policy applies, rules can be either “allow” or “deny” access rules. (In the Kansas City array, this is the policy; see Figure 12.10.)
• If the “Use custom enterprise policy settings” policy applies, rules can only be “deny” rules. (This is the policy in the Grain Valley arrays; see Figure 12.11.)

FIGURE 12.10 Kansas City policy—allow or deny access.
Bandwidth rules are created at the array level, and this can only be done if array policies are allowed. Routing rules are also created at the array level, and only if publishing rules are allowed when specified by enterprise policy, or array level rules are allowed.
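The chapter’s statements about who can write rules (the permissions framework: only Enterprise Admins at the enterprise level; the local Administrator, Domain Admins, and Enterprise Admins at the array level) and where array-level rules are allowed (allow or deny under “Use array policy only,” deny only under the restrictive-array choice, publishing rules only when “Allow publishing rules” is set) can be worked through as one decision function. The following is an added example written for this page, not code from the book or from ISA Server. The `PolicyAssignment` structure, the group names used as keys, and the treatment of the deny-only “custom enterprise policy settings” case as the “Allow array-level access policy rules that restrict enterprise policy” choice are assumptions of the example.

```python
"""Added example: who may create an access rule, and where, under each
ISA Server Enterprise policy assignment (a model of the chapter's
statements, not ISA Server code)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Tuple


class PolicyType(Enum):
    ARRAY_ONLY = "Use array policy only"
    ENTERPRISE_ONLY = "Use this enterprise policy"
    ENTERPRISE_RESTRICTIVE = (
        "Allow array-level access policy rules that restrict enterprise policy"
    )


@dataclass(frozen=True)
class PolicyAssignment:
    """The enterprise policy assigned to one array (assumed structure)."""
    policy_type: PolicyType
    allow_publishing: bool = False  # the "Allow publishing rules" check box


# Groups with full control at each level in a default installation.
FULL_CONTROL = {
    "enterprise": frozenset({"Enterprise Admins"}),
    "array": frozenset({"Enterprise Admins", "Domain Admins", "Administrators"}),
}
ACCESS_RULE_TYPES = {"protocol", "site and content"}


def check_rule_creation(policy: PolicyAssignment, groups: FrozenSet[str],
                        scope: str, rule_type: str, action: str) -> Tuple[bool, str]:
    """Return (permitted, reason) for one rule-creation attempt.

    scope: "enterprise" or "array"
    rule_type: "protocol", "site and content" or "publishing"
    action: "allow" or "deny"
    """
    if scope not in FULL_CONTROL:
        return False, f"unknown scope {scope!r}"
    # Permission comes first: the principal needs write access at that level.
    if not groups & FULL_CONTROL[scope]:
        return False, f"no write permission at the {scope} level"
    if rule_type == "publishing":
        # Publishing rules are created on a server, never in enterprise policy,
        # and only when the array's policy allows publishing.
        if scope != "array":
            return False, "publishing rules are created on a server in the array"
        if not policy.allow_publishing:
            return False, "'Allow publishing rules' is not set for this array"
        return True, "publishing rule permitted on a server in this array"
    if rule_type not in ACCESS_RULE_TYPES:
        return False, f"unknown rule type {rule_type!r}"
    if scope == "enterprise":
        return True, f"{action} {rule_type} rule written to enterprise policy"
    # Array level: what is allowed depends on the policy assigned to the array.
    if policy.policy_type is PolicyType.ENTERPRISE_ONLY:
        return False, "array-level access rules are not allowed under this policy"
    if policy.policy_type is PolicyType.ENTERPRISE_RESTRICTIVE and action != "deny":
        return False, "array-level rules may only restrict (deny) under this policy"
    return True, f"{action} {rule_type} rule written to array policy"


# Constructed sample principals for the usage below.
DOMAIN_ADMIN = frozenset({"Domain Admins"})
ENTERPRISE_ADMIN = frozenset({"Enterprise Admins"})

if __name__ == "__main__":
    restrictive = PolicyAssignment(PolicyType.ENTERPRISE_RESTRICTIVE)
    for action in ("allow", "deny"):
        ok, why = check_rule_creation(restrictive, DOMAIN_ADMIN, "array",
                                      "site and content", action)
        print(f"Domain Admin, array, {action}: {ok} ({why})")
```

The permission check runs before the policy check on purpose: a Domain Admin is refused at the enterprise level whatever policy is in force, which matches Figures 12.6 and 12.7, while at the array level the answer depends on the policy assigned to that array.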
Putting Together an Implementation Plan

If you are an administrator who has inherited policies configured by others, then you may be limited to following the rules as they are set. However, if you are the one architecting the implementation of ISA Server policies in your enterprise, then you need to combine your knowledge of the policy types that are available and the needs and requirements for access control in your environment. Here are some helpful hints on how to design a structure that’s right for you.

1. If your IT administration is decentralized, then create a policy that specifies “Use array policy only.” Arrange ISA Servers in arrays that represent locations that manage their own IT function.
2. If your IT administration is highly centralized, create a policy that uses enterprise policy.
3. If you need to diversify your policies and allow the capability to restrict enterprise policies in some or all arrays, use the feature to “Allow array level access policy rules that restrict enterprise policy.”
4. If an array needs to use Web and server publishing rules, open that possibility by checking “Allow publishing policy.”
5. Design backward. Now that you know what’s possible, what does your environment need? Do local administrators need to create restrictive site and content rules, or all types of rules? Do you have multiple areas to manage, and are they all different? Break it down even further: Do users at some locations have different needs than users at other locations? Determine the need for an array based on your knowledge of user needs, management policy, and administrative delegation. The easiest way to get a grip on large diverse environments is to plot the requirements first, then determine which policy model fits your requirements.

FIGURE 12.11 Grain Valley policy—deny access only.
TROUBLESHOOTING ACCESS PROBLEMS

Troubleshoot access problems.

• Troubleshoot user-based access problems
• Troubleshoot packet-based access problems

When information can’t flow where it is supposed to, or rules and procedures can be thwarted to give unrestricted access where it is not allowed, there is a problem. In either case you need to determine the reason for the problem and correct it. Although there are many configuration elements that need to be checked, you can often reduce the time this takes by:

• Examining logs for specific information on ports, protocols, source, and destination information
• Investigating configurations in the order in which rules are processed
• Identifying the problem as being user- or packet-related

Although the logs are an excellent source of information on the traffic denied access, they primarily provide information that tells you that a request was blocked. They can be helpful in identifying that the request reached the ISA Server, however, and should be a point of reference during troubleshooting. Information on understanding the logs and how they may be used to assist in troubleshooting access can be found in Chapter 15, “Monitoring Network Security and Usage.”
Investigation Via Rule Processing Order

When a client makes a request, rules are processed in the following order:

1. Protocol rule
2. Site and content rule
3. Packet filter
4. Routing rule (if client is Web proxy)
5. Firewall chaining (if client is SecureNAT or Firewall)
Keep in mind, however, that the presence of a deny rule anywhere along the path will result in a denial. To troubleshoot access, look for these items in the following order:

1. By default, all protocols are blocked. Check protocol rules to determine if a rule exists that would allow access and to be sure there is no protocol rule that would deny access.
2. If Step 1 does not identify the problem, check Site and Content Filters to make sure the site is not blocked, the time of the request is not the issue, and the user and computer used are not blocked.
3. If the problem is still not resolved, check packet filters. While packet filters are usually used to allow or block access of inbound requests, they can be configured to block outbound requests. Make sure that no blocking packet filter exists.
4. Finally, determine the type of client being used. If the client is a Web proxy client, then examine routing rules. If the client is a SecureNAT or Firewall client, then examine Firewall chaining rules.

Identifying the Problem as Being User- or Packet-Based

Identifying problems as being user-based or packet-based can go a long way to reducing the time it takes to troubleshoot the problem. For example, if you can determine that the request uses a particular protocol, say, SMTP, and your ISA Server has not been configured to allow SMTP to pass, then you know immediately why the request was unsuccessful. You can then determine if SMTP should be allowed to pass, for whom and when, and take the appropriate action. In another case, if you know that other users are successful in using a particular protocol, or in accessing a particular site, then you can probably assume that the cause of the problem is user-related and narrow your investigation to those rules that stipulate user-related information.
Troubleshooting User-Based Access Problems

Many specific user-based access problems and troubleshooting techniques are covered in the section, “Troubleshooting Client Access Problems,” in Chapter 5. More information on specific client-related issues having to do with the way clients are treated, and the client configuration, is covered in Part IV, “Deploying, Configuring, and Troubleshooting the Client Computer.” In summary, troubleshooting user-based access problems involves resolving the following issues:

• If the client is a Web proxy client, is the Web browser appropriately configured? (Are other sites accessible?)
• If the client is a firewall client, is the client configuration correct?
• Is there a site and content rule that allows the user access?
• Is there any site and content rule that denies the user access?
• Have both enterprise and array level site and content rules been reviewed?
• For SecureNAT and firewall clients, is the HTTP redirector filter enabled?
• If the client is a SecureNAT client, remember that a rule that is defined to apply to all IP protocols will only apply to all
• Protocol definitions
• Application filters

It is important to realize the installation mode of the ISA Server. Installing the ISA Server in firewall or integrated mode expands possibilities for client access as well as your opportunities for troubleshooting failed access. Installing ISA Server in caching mode restricts client access in the following ways:

• Protocol rules only apply to HTTP, HTTPS, Gopher, and FTP
• Packet filter properties cannot be configured in caching mode
• Firewall clients are not supported in cache mode

This effectively limits client access to HTTP, HTTPS, Gopher, and FTP only. If a client attempts to use other protocols, then the answer is clear: This type of access is not allowed.

If ISA Server is installed in firewall or integrated mode, you will need to look closely at protocol rules, and packet and application filters. Be sure to check array level and enterprise level policies.
Follow this approach:

1. Is there a protocol rule that denies access? End of story.
2. Is there a protocol rule that allows access? Either way, continue.
3. Is there a packet filter that denies access? End of story.
4. Is there a packet filter that allows access? Either way, continue.
5. Is there an application filter enabled which denies access? End of story.
6. Is there an application filter enabled which allows access?
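The processing order given under “Investigation Via Rule Processing Order,” the rule that a deny anywhere along the path results in a denial, the caching-mode protocol restriction, and the six-step checklist just above can be worked through together as a small evaluator that records why a request was denied and at which level the deciding rule was written. The following is an added example for this page, not code from the book or from ISA Server. The `Request` and `Rule` structures, the stage names, and the sample rules are constructed for the example; treating application filters as a fourth stage after packet filters follows the checklist above and is an assumption of the model, and a matching rule is represented by a plain predicate rather than ISA Server’s policy elements.

```python
"""Added example: a model of ISA Server's rule processing order for one
outbound request (not ISA Server code). A deny at any stage ends the
evaluation; the protocol and site and content stages also need an allow."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

CACHE_MODE_PROTOCOLS = {"HTTP", "HTTPS", "Gopher", "FTP"}
# Order in which the chapter's troubleshooting checklist examines the stages.
STAGE_ORDER = ["protocol", "site_content", "packet_filter", "application_filter"]
# Stages where an explicit allow is required because everything is blocked by default.
ALLOW_REQUIRED = {"protocol", "site_content"}


@dataclass(frozen=True)
class Request:
    protocol: str
    site: str
    user: str
    client_type: str  # "webproxy", "securenat" or "firewall"
    hour: int         # hour of day, checked against schedule-based rules


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str        # "enterprise" or "array": both levels must be reviewed
    stage: str        # one of STAGE_ORDER
    action: str       # "allow" or "deny"
    matches: Callable[[Request], bool]


def evaluate(request: Request, rules: List[Rule],
             mode: str = "integrated") -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", trace) for the request under the given rules."""
    trace: List[str] = []
    # Caching mode limits client access to four protocols regardless of rules.
    if mode == "cache" and request.protocol not in CACHE_MODE_PROTOCOLS:
        trace.append(f"cache mode: {request.protocol} is not HTTP/HTTPS/Gopher/FTP")
        return "deny", trace
    for stage in STAGE_ORDER:
        hits = [r for r in rules if r.stage == stage and r.matches(request)]
        denies = [r for r in hits if r.action == "deny"]
        allows = [r for r in hits if r.action == "allow"]
        if denies:
            # A deny anywhere along the path wins, whichever level wrote it.
            trace.append(f"{stage}: denied by {denies[0].scope} rule '{denies[0].name}'")
            return "deny", trace
        if stage in ALLOW_REQUIRED and not allows:
            trace.append(f"{stage}: no matching allow rule (blocked by default)")
            return "deny", trace
        trace.append(f"{stage}: passed ({len(allows)} allow, 0 deny)")
    # Access policy permits; what is examined next depends on the client type.
    nxt = "routing rules" if request.client_type == "webproxy" else "firewall chaining"
    trace.append(f"access policy permits; next examine {nxt}")
    return "allow", trace


# Constructed sample rules spanning both policy levels.
SAMPLE_RULES = [
    Rule("Enterprise Web and FTP", "enterprise", "protocol", "allow",
         lambda q: q.protocol in {"HTTP", "HTTPS", "FTP"}),
    Rule("Telnet for admins", "array", "protocol", "allow",
         lambda q: q.protocol == "Telnet" and q.user == "admin"),
    Rule("Array blocks Telnet", "array", "protocol", "deny",
         lambda q: q.protocol == "Telnet"),
    Rule("Business hours", "enterprise", "site_content", "allow",
         lambda q: 8 <= q.hour < 18),
    Rule("Block auction site", "array", "site_content", "deny",
         lambda q: q.site == "auctions.example"),
    Rule("Outbound FTP filter", "array", "packet_filter", "deny",
         lambda q: q.protocol == "FTP"),
]


def decide(protocol: str, site: str, user: str, client_type: str = "webproxy",
           hour: int = 10, mode: str = "integrated") -> Tuple[str, List[str]]:
    """Evaluate one constructed request against SAMPLE_RULES."""
    return evaluate(Request(protocol, site, user, client_type, hour), SAMPLE_RULES, mode)


if __name__ == "__main__":
    for args in [("HTTP", "www.example", "alice"), ("Telnet", "host.example", "admin"),
                 ("FTP", "ftp.example", "alice"), ("SMTP", "mail.example", "alice")]:
        decision, trace = decide(*args)
        print(args, "->", decision, "|", "; ".join(trace))
```

The Telnet case is the one worth studying: an array-level allow for the admin user exists, but the array-level deny at the same stage wins, so the trace points straight at the deny rule and its level, which is the information the checklist says to look for first.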
CHAPTER SUMMARY

Understanding ISA Server access policies in an enterprise can be a daunting challenge. There may be several levels of policy to design, or if already implemented—to understand. Enterprise level access policy is established by Enterprise Admins and assigned to arrays that are managed by Domain Administrators. Protocol rules and site and content rules can be created at both levels, if enterprise policy dictates, or may be restricted to only one. Within an enterprise, all three scenarios may exist. This chapter has concentrated on the “where” and “by whom,” instead of the “how to.”

Finally, troubleshooting client access must involve investigation of access policy at both levels and concern itself with packet-based and user-based issues.
APPLY YOUR KNOWLEDGE

2. John is a Domain Admin. Sally is an Enterprise Admin. Figure 12.13 displays the Policy on the ISAArray3 array. Can John create a site and content rule to prevent Domain Users from accessing Ubid.com?
3. John is a Domain Admin. Sally is an Enterprise Admin. Figure 12.14 displays the Policy on the ISAArray3 array. Can Sally write a protocol rule that allows passage of telnet traffic?
4. When would it be advantageous to allow array level administration of packet filters?
5. Why are publishing rules created at the server level?

Estimated Time: 25 minutes

1. Continue working with the arrays established in Chapter 11, Exercise 11.1. Select the array that specifies “array only” access policy.
2. As Enterprise Admin, write new policy elements, protocol rules, and site and content rules. Where did you write them?
3. As Domain Admin, write new policy elements, protocol rules, and site and content rules. Where did you write them? Can you write both allow and deny rules?
4. Select the array that does not have packet filtering forced. As Domain Admin, can you enable and disable packet filtering?
5. Select an array that forces packet filtering. As Enterprise Admin, can you enable and disable packet filtering on the array? As Domain Admin, can you?
6. Log on as Domain Admin. Select the “enterprise only” policy array. Can you write allow rules? Can you write deny rules? Select the “enterprise and array policy” array. Can you write allow rules? Can you write deny rules?

Answers to Exercise Questions

2. Allow and deny in array policy.
3. Allow and deny in array policy. Yes.