How firewall policy works

Using ISA Server 2004, you can create a firewall policy, which includes a set of publishing rules and access rules. These rules, together with the network rules, determine how clients access resources across networks. For more information, see Firewall Policy Rules.

Outgoing requests

One of the primary functions of ISA Server is to connect source and destination networks while protecting against malicious access. To provide this connectivity, you use ISA Server to create an access policy that permits clients on the source network to access specific computers on the destination network. The access policy determines how clients access other networks.

When ISA Server processes an outgoing request, it checks the network rules and the firewall policy rules to determine whether access is allowed. Some rules can be configured to apply to specific clients, specified either by IP address or by user name. ISA Server processes requests differently depending on which type of client requests the object (Web Proxy, Firewall, or SecureNAT) and how you configure ISA Server.

First, ISA Server checks the network rules to verify that the two networks are connected. If a network rule defines a connection (a route or NAT relationship) between the source and destination network, ISA Server goes on to process the access rules. For more information, see Network rules.

Next, ISA Server checks the access rules, in order. If an allow rule applies to the request, ISA Server allows the request. A rule applies if the request matches all of the following rule conditions:
  - Protocol
  - From (source) address and port
  - Schedule
  - To (destination) addresses, names, URLs
  - Users
  - Content groups

Having applied a rule, ISA Server does not match the request to any other rule; rule evaluation stops at the first match. Because of this, rule order matters: a deny rule placed after a broader allow rule is never reached for requests the allow rule matches. Even after an allow rule matches, ISA Server may still deny the request, depending on the additional protocol (application-layer) filtering applied to the rule, such as the HTTP filter.

Finally, ISA Server checks the network rules again to determine how the networks are connected (route or NAT). It then checks the Web chaining rules (if a Web Proxy client requested the object) or the firewall chaining configuration (if a SecureNAT or Firewall client requested the object) to determine how the request will be serviced.

For example, assume that you installed ISA Server on a computer with two network adapters: one connected to the Internet and the other connected to your local network. You have permissive corporate guidelines that allow all users access to all sites. In this case, your policy would consist of the following:
  - A network rule that establishes connectivity between the source network (the local network) and the destination network (the Internet).
  - An access rule that allows all internal clients to access all sites at all times, using any protocol.

Incoming requests

ISA Server can make servers securely accessible to clients on another network. You use ISA Server to create a publishing policy to securely publish servers. The publishing policy, which consists of Web publishing rules, server publishing rules, secure Web publishing rules, and mail server publishing rules, together with the Web chaining rules, determines how published servers are accessed. You can use one of the following ISA Server rules to publish servers:
  - Web publishing rules, to publish Web server content.
  - Server publishing rules, to publish any other content.
  - Secure Web publishing rules, to publish Secure Sockets Layer (SSL) content.

When ISA Server processes an HTTP or HTTPS request from a client, it checks the publishing rules and the Web chaining rules to determine whether the request is allowed and which server will service it. For non-HTTP requests, ISA Server checks the network rules and then the server publishing rules to determine whether the request is allowed.

For an incoming Web request, rules are processed in the following order:
  1. Web publishing rules.
  2. Web chaining rules. For more information, see Web chaining rules.

For example, consider a scenario in which you have installed ISA Server on a computer with two network adapters: one connected to the Internet and the other connected to your local network. The following applies:
  - If a Web publishing rule specifically denies the requests, the requests are denied.
  - If a Web chaining rule specifies that the requests be routed to a specific upstream server or to an alternate hosted site, the specified server handles the request.
  - If a Web chaining rule specifies that the requests be retrieved directly from the specified server, the internal Web server returns the object.

Web publishing rules and Web chaining rules

Web publishing rules are processed in order, with the default Web publishing rule processed last. Web chaining rules are also processed in order. When an external client requests an object from an internal Web server, the Web publishing rules are processed first and then the Web chaining rules. For example, consider the following rules:
  - A Web publishing rule that redirects requests from all clients for widgets.microsoft.com to a hosted site (Web server) specified as msweb.
  - A Web chaining rule that routes requests for a destination that includes msweb by servicing them directly.

When an external (Internet) user requests an object from widgets.microsoft.com, ISA Server intercepts the request. First, it processes the Web publishing rule, determining that the request will be redirected to the msweb computer. Next, it processes the Web chaining rule, determining that the request will be serviced directly by the specified server (msweb).

The following example illustrates what happens when you create a Web publishing rule without creating an appropriate Web chaining rule:
  - A Web publishing rule that redirects requests from all clients for a destination set that includes example.microsoft.com to a hosted site specified as myinternalms.
  - A Web chaining rule that routes requests for all destinations to an upstream server.

In this case, the Web publishing rule is processed first, so all requests for example.microsoft.com are redirected to myinternalms. However, the Web chaining rule specifies that the request be routed to an upstream server rather than sent directly to the destination server, so the request is always routed to the upstream server. To have the published server answer directly, add a Web chaining rule for myinternalms that retrieves the request directly, placed before the catch-all upstream rule.

Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
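The evaluation order described above, for both the outgoing path (network rule, then access rules in order with first match winning, then application-layer filtering) and the incoming Web path (Web publishing rules, then Web chaining rules), as an added toy model in Python. This is example code written for this post, not ISA Server code; the network definition, the `block_exe_downloads` stand-in for the HTTP filter, and every host, rule and address in it are constructed for illustration.

```python
# Toy model of ISA Server 2004 rule evaluation order (added example, not
# ISA Server code). Networks, rules, hosts and the filter are constructed.
from dataclasses import dataclass, field
from typing import Optional


def network_of(ip: str) -> str:
    # Constructed network map: 10.0.0.0/8 is "Internal", anything else "External".
    return "Internal" if ip.startswith("10.") else "External"


@dataclass
class Request:
    src_ip: str
    dst_host: str
    dst_ip: str
    protocol: str                  # e.g. "HTTP"
    port: int
    user: Optional[str] = None
    url_path: str = "/"


@dataclass
class NetworkRule:                 # says whether two networks are connected
    src_net: str
    dst_net: str
    relationship: str              # "route" or "nat"


@dataclass
class AccessRule:                  # simplified access rule; "*" means any
    name: str
    action: str                    # "allow" or "deny"
    protocols: set = field(default_factory=lambda: {"*"})
    src_nets: set = field(default_factory=lambda: {"*"})
    dst_hosts: set = field(default_factory=lambda: {"*"})
    users: set = field(default_factory=lambda: {"*"})


def _hit(allowed: set, value) -> bool:
    return "*" in allowed or value in allowed


def access_rule_matches(rule: AccessRule, req: Request) -> bool:
    """All configured conditions (protocol, source, destination, user) must match."""
    return (_hit(rule.protocols, req.protocol)
            and _hit(rule.src_nets, network_of(req.src_ip))
            and _hit(rule.dst_hosts, req.dst_host)
            and _hit(rule.users, req.user))


def evaluate_outgoing(req, network_rules, access_rules, protocol_filters=()):
    """Network rules first; then access rules in order, first match wins;
    then application-layer filters, which can still deny an allowed request."""
    src, dst = network_of(req.src_ip), network_of(req.dst_ip)
    if not any(n.src_net == src and n.dst_net == dst for n in network_rules):
        return ("deny", "no network rule connects %s to %s" % (src, dst))
    for rule in access_rules:
        if not access_rule_matches(rule, req):
            continue                          # keep looking, in order
        if rule.action == "deny":
            return ("deny", rule.name)
        for flt in protocol_filters:          # applied only after an allow
            reason = flt(req)
            if reason:
                return ("deny", "%s, then blocked by filter: %s" % (rule.name, reason))
        return ("allow", rule.name)           # no later rule is consulted
    return ("deny", "default rule")


def block_exe_downloads(req: Request) -> Optional[str]:
    """Constructed stand-in for an HTTP filter that blocks one extension."""
    if req.protocol == "HTTP" and req.url_path.lower().endswith(".exe"):
        return "blocked extension .exe"
    return None


@dataclass
class WebPublishingRule:
    name: str
    action: str                    # "allow" or "deny"
    public_names: set              # external names this rule answers for
    hosted_site: Optional[str] = None   # internal server holding the content


@dataclass
class WebChainingRule:
    name: str
    destinations: set              # hosted-site names, or {"*"} for all
    upstream: Optional[str] = None # None means retrieve directly


def evaluate_incoming_web(req, publishing_rules, chaining_rules):
    """Web publishing rules (in order) choose the hosted site; Web chaining
    rules (in order) decide whether it is fetched directly or via upstream."""
    for pr in publishing_rules:
        if _hit(pr.public_names, req.dst_host):
            if pr.action == "deny":
                return ("deny", pr.name, None)
            target = pr.hosted_site
            break
    else:
        return ("deny", "default Web publishing rule", None)
    for cr in chaining_rules:
        if _hit(cr.destinations, target):
            return ("allow", pr.name, cr.upstream or target)
    return ("allow", pr.name, target)        # no chaining match: direct
```

Running the two scenarios from the post through `evaluate_incoming_web` reproduces them: widgets.microsoft.com with a direct chaining rule for msweb is answered by msweb, while example.microsoft.com with a catch-all upstream chaining rule always goes to the upstream server even though the publishing rule pointed at myinternalms. The outgoing model also shows the ordering trap: a deny rule listed after a broad allow rule is never evaluated, and the same allow can still be overridden by the filter.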