HOW TO: Configure an Enterprise Policy in ISA Server

This step-by-step article describes how to configure an Internet Security and Acceleration (ISA) Server enterprise policy. ISA Server supports array and enterprise policies. Array policies apply to the ISA Servers that are participating in a particular array. Array policies do not span multiple arrays. Enterprise policies are used to create centralized ISA Server access controls that can be applied to one or more arrays in the same domain.

To apply ISA Server enterprise policies you must:

• Have an Active Directory domain.
• Initialize the Active Directory with the ISA Server enterprise initialization tool.
• At least one computer must be a member of an enterprise array.

Enterprise policies consist of a subset of the array-level policy elements and access policies. The enterprise-level policy elements include:

• Schedules
• Destination Sets
• Client Address Sets
• Protocol Definitions
• Content Groups

The enterprise-level access policies include:

• Site and Content Rules
• Protocol Rules

Policy elements and access policies are configured the same way at the enterprise level as that are at the array level. The only difference is that enterprise policies must be configured in the enterprise policy tree.

Configuring Enterprise Policies

To configure and apply enterprise policies:

1. The Active Directory must first be initialized before you can configure enterprise policies.
2. Open the ISA Management console. Expand the Enterprise node in the left pane of the console, and then expand the Policies node. Expand the default enterprise policy you created when you initialized the Active Directory. You can create new rules by right-clicking Site and Content Rules or Protocol Rules on these nodes, and then clicking New.
3. Right-click any of the Policy Elements nodes, and then click New to begin to create new policy elements that can be used to create enterprise site and content and protocol rules.
4. Expand the Servers and Arrays node in the left pane of the ISA Management console. Right-click your array name.
5. In the server Properties dialog box, click the Policies tab. If you are an enterprise administrator, you can change which enterprise policy is applied to the array. You can also select whether publishing rules are allowed at the array level and whether packet filtering is forced at the array level. If you are not an enterprise administrator, you will not be able to change these settings. If you choose the Use custom enterprise policy settings option, you can choose policies other than the default enterprise policy. The option to allow array-level policies is also available.
6. Click Apply after making changes to the array policy. You will see an Information dialog box that informs you that array configuration changes are not compatible with previous backups and that you should create a new backup after you make changes to the array policy. Click OK to continue, and then click OK in the server Properties dialog box.

Troubleshooting

Array policies can be configured to supplement enterprise policies. However, you will only be able to create Deny policies at the array level. The reason for this is that array level policies can only be used to create further restrictions on enterprise policy configuration.