Simplifying Access Rules for ISA Firewall Site to Site VPNs

by Santhosh Sivarajan [Published on 27 Sept. 2006 / Last Updated on 27 Sept. 2006]

We are all familiar with creating firewall access rule policies on ISA Server 2004. Let’s say we want to create a two way Firewall access rule. How do you do it?

We can create two one-way firewall rules, one from Source to Target and one from Target to Source. If you’re like me, you are too lazy to create two firewall policies when an easier method exists. Here is a simple trick that achieves the same result without two separate one-way policies: select the same networks as both “Source” and “Destination” in the Firewall Access Rule. I am borrowing one of Tom Shinder’s scenarios (http://www.isaserver.org/tutorials/2004ipsectunnelmode.html) to explain this:

My goal is to create a single Access Rule policy that enables two-way communication between the Main office and the Branch office.

  1. Open the ISA Server Management Console.
  2. In the right pane, right click on Firewall Policy, select New, and then select Access Rule.
  3. Enter the name of the Access Rule in the Welcome window. Click Next.
  4. Select Allow in the Rule Action window. Click Next.
  5. Select the appropriate traffic in the Protocols window. Click Next.
  6. In the Access Rule Sources window, select the Internal and Branch networks. Click Next.
  7. In the Access Rule Destinations window, select the Internal and Branch networks. Click Next.
  8. Click Next in the User Sets window.
  9. Click Finish to complete the access rule creation.
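The same rule can be built without the wizard through the ISA Server 2004 administration COM object model; the script below is an added example, not part of the original article. The object and property names and the enumeration constants are as I recall them from the ISA 2004 SDK and are assumptions to verify against the SDK documentation, as is the choice of “all protocols” (the article’s step 5 leaves the protocol selection to you) and the rule name.

```vbscript
' Added example (not from the article): creates the two-way Main/Branch
' access rule through the ISA Server 2004 administration COM objects.
' Names and constants below are recalled from the ISA 2004 SDK and
' should be treated as assumptions; check them before running on a
' production array.
Option Explicit

' Assumed values from FpcPolicyRuleActions, FpcProtocolSelectionType
' and FpcInclusionTypes.
Const fpcPolicyRuleActionAllow = 0
Const fpcAllProtocols          = 0
Const fpcInclude               = 0

Dim root, isaArray, rules, rule, netName

Set root     = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray
Set rules    = isaArray.ArrayPolicy.PolicyRules

' Rule name is a placeholder; step 4 of the article selects Allow.
Set rule = rules.AddAccessRule("Main-Branch two-way (placeholder)")
rule.Action = fpcPolicyRuleActionAllow

' "All protocols" is what makes the rule wide open in both directions;
' narrow this to the protocols the branch actually needs (step 5).
rule.AccessProperties.ProtocolSelectionMethod = fpcAllProtocols

' The trick from the article: the same networks go into both the
' "From" and "To" lists, so one rule matches traffic in each direction.
For Each netName In Array("Internal", "Branch")
    rule.SourceSelectionIPs.Networks.Add netName, fpcInclude
    rule.AccessProperties.DestinationSelectionIPs.Networks.Add netName, fpcInclude
Next

rule.Save
WScript.Echo "Created rule: " & rule.Name
```

Because every listed network appears on both sides, review the Protocols selection as carefully as you would for two explicit one-way rules; the single rule permits the same traffic in both directions.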

The “From” and “To” tabs in the Access Rule properties look like the following:

Figure 1

This Access Rule enables wide-open two-way communication between the Internal and Branch office networks without creating two separate one-way rules. As always, I would like to hear your comments and suggestions after reading this article. If you have any questions, feel free to email me or post a comment on the newsgroup.

***

Santhosh Sivarajan is an Infrastructure and Security Architect in Houston, Texas. His certifications include MCSE (W2K3/W2K/NT4), MCP+I, MCSA (W2K3/W2K/MSG), CCNA, and Network+. He has worked for large networking project companies for the past 10 years. His expertise includes Active Directory, Exchange, Migrations, Microsoft Security, ISA Server, etc.