Welcome to ISAserver.org


Ordering the ISA rules

Ordering the ISA rules - 19.Feb.2005 4:24:00 PM   
Jim Harrison

 

Posts: 231
Joined: 5.May2001
From: Redmond, WA
Status: offline
Ever wonder what the "best practice" is for configuring the rules?
It's actually very simple.

ISA 2004 processes the rules list in this order:
1 - system rules
2 - array rules
In both cases, the rules are processed in the order they're listed.

You should ALWAYS group your rules thus:
Anonymous rules
- deny rules
- allow rules
Authenticated rules
- deny rules
- allow rules

"What's the logic behind this method?", came wafting up from the back of the class...
Here 'tis:
- deny rules are created to protect your ISA, clients and servers - let's give ISA a fighting chance by allowing those to fire first.
- authentication is relatively expensive for the policy engine; if we can simplify the task by allowing an unauthenticated rule to fire first, we won't waste time trying to authenticate when we don't care who the user is.

"yeh", came the call from the front row, "but how do you define the relationship between the rules for best performance?"

Good question says I - and here's the crux of the biscuit:
- If your ISA is primarily used for outbound access (internal folks using ISA for porn-surfing), then place your access rules first, using the grouping above.
- If your ISA is used primarily to publish porn-sites, then place your publishing rules first.
-- In either case, always use the groupings I listed above and your ISA will sing and dance for you.

HTH,
Post #: 1
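
An added example, not part of Jim Harrison's post or of ISA Server itself: a Python check that flags rules sitting outside the grouping described in the post above and proposes a regrouped list. The `Rule` fields and the sample rule names are constructed for illustration, and `requires_auth` is assumed to mean the rule applies to a user set other than All Users.

```python
from dataclasses import dataclass

# Group order recommended in the post: anonymous deny, anonymous allow,
# authenticated deny, authenticated allow.
GROUP_ORDER = [("anonymous", "deny"), ("anonymous", "allow"),
               ("authenticated", "deny"), ("authenticated", "allow")]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    requires_auth: bool  # assumption: True when the user set is not All Users

def group_index(rule):
    scope = "authenticated" if rule.requires_auth else "anonymous"
    return GROUP_ORDER.index((scope, rule.action.lower()))

def find_misordered(rules):
    """Return (position, rule name, earlier rule name) for every rule that is
    listed below a rule belonging to a later group."""
    findings, highest, highest_rule = [], -1, None
    for pos, rule in enumerate(rules, start=1):
        idx = group_index(rule)
        if idx < highest:
            findings.append((pos, rule.name, highest_rule.name))
        elif idx > highest:
            highest, highest_rule = idx, rule
    return findings

def recommended_order(rules):
    """Stable sort into the four groups; order inside each group is kept."""
    return sorted(rules, key=group_index)

# Constructed sample rule list, in the order it would be listed.
SAMPLE = [
    Rule("Deny known-bad destinations", "deny", False),
    Rule("Allow HTTP for Finance group", "allow", True),
    Rule("Allow DNS to forwarders", "allow", False),
    Rule("Deny IM for Contractors", "deny", True),
    Rule("Allow web for all authenticated users", "allow", True),
]

if __name__ == "__main__":
    for pos, name, earlier in find_misordered(SAMPLE):
        print(f"rule {pos} ({name!r}) is listed after {earlier!r}")
    for rule in recommended_order(SAMPLE):
        print(GROUP_ORDER[group_index(rule)], rule.name)
```

Because rules are processed in the order they are listed, moving a rule can change which rule matches a given request first, so treat the output of `recommended_order` as a proposal to review before applying it.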
RE: Ordering the ISA rules - 20.Feb.2005 5:09:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Amen, brother!

Thanks!
Tom

(in reply to Jim Harrison)
Post #: 2
