Using Enterprise Policy in ISA Server 2006

I would like to continue the previous topic, “Installing Configuration Storage Server”. Once you have installed the Configuration Storage Server, there will be an enterprise array, and you can create an enterprise policy for the internal network.

How to Create Enterprise Policy?

1. Right-click the Enterprise tree.

2. Choose New, then Create Enterprise Policy.

3. In the New Enterprise Policy wizard, type a name for the policy. Click Next.

4. Then click Finish.

Create an Access Rule in the Enterprise Policy

1. Right-click the enterprise policy you created.

2. Name the rule, for example “Allow all outbound protocol”. Click Next.

3. Choose Allow.

4. On the protocol page of the wizard, click All outbound protocol. (This is for practice only.)

5. On the access rule source page, click Add and, under Network Sets, select All Protected Networks.

6. On the destination page, click Enterprise Network, then click External.

7. On the user sets page, click Next, then Finish.

How can I use this Enterprise Policy in my ISA Array?

This enterprise policy can be used in your ISA Server services.

You must have the array first, and then change the policy setting on the array.

1. Right-click the array that has been created.

2. Click Properties.

3. On Policy Setting, select the enterprise policy you created.

After you apply the enterprise policy, the access rules in the policy are used for that ISA array.

In the example below, there are two policies which can be published. You can create firewall policy in the array if you click. Notice that the enterprise policy only allows you to create an “Access Rule”, but in the firewall policy of the ISA array, multiple publishing rules are provided.


Installing Configuration Storage Server

Back to ISA Server 2006. I would like to show some configuration focusing on the Configuration Storage Server (CSS) and ISA Server 2006.

As you know, you can install ISA Server and the Configuration Storage Server on the same machine, but this section is different. I am implementing ISA Server 2006 Enterprise Edition, which means that the configuration and firewall services are installed separately.


The simple network in the figure above is described below:

NETOVERME-ISA – has ISA Server 2006 installed but no Configuration Storage Server. Two network interfaces are installed, one for the private network and one for the public network. The private network is set to /24 whereas the public network is set to

NETOVERME-DC – is a domain controller for the Netoverme organization. A DNS server is also installed on this server. The IP address is

NETOVERME-CSS – is a Configuration Storage Server where the array of the ISA server is stored. The CSS server is directly related to the ISA server, which is Netoverme-ISA.

What have I done to the organization?

As you can see, the CSS server is completely separate from the ISA server (Netoverme-ISA). First, I installed and configured Active Directory and the domain (on Netoverme-DC). Second, I created a server for Netoverme-CSS and joined it to the domain. On Netoverme-CSS, I installed ONLY the Configuration Storage Server.

Before proceeding with ISA Server 2006 on the Netoverme-ISA server, I created the account EntAdmin to administer the CSS. I assigned the ISA Server Enterprise Administrator role to EntAdmin so that the account can perform administrative tasks such as creating arrays, creating rules, etc.

On Netoverme-CSS, you can create the array for Netoverme-ISA now, or create it later during the ISA Server installation on Netoverme-ISA.

After you finish configuring the CSS server (Netoverme-CSS), you can proceed with the ISA Server installation on Netoverme-ISA. You can join the server to the domain or leave it in a workgroup. In this case, I joined the domain and proceeded with the installation of ISA Server. On Netoverme-ISA, you only install the ISA Server component and ISA Server Management.

In the next step, the installer asks for the FQDN of the Configuration Storage Server. Just type the hostname of the CSS server, which is netoverme-CSS, and click Next. You will then be asked which array to use. A Configuration Storage Server can hold multiple arrays. In this case, no array has been created on the CSS yet, so during the installation you can choose to create one. The array is important because it is where you create access rules to allow or deny traffic.

You will be asked for credentials to communicate with the CSS server. In my case, I created EntAdmin, which is assigned the ISA Server Enterprise Administrator role on the CSS server. I typed entadmin as the credential and proceeded to complete the installation.

The advantage of running the Configuration Storage Server on a different server is that you can back up and restore all the configuration on that server whenever your front-end ISA server crashes. Also, you can disconnect or connect the enterprise network from the ISA server.