12 April 2011

TMG - Using the Enterprise Management Server (EMS) to standardise System Firewall rules across multiple arrays

There are 59 system policy rules (firewall rules) in every TMG environment, most of them centred on the Local Host network. By default each array holds and enforces its own copy of the system policy, so a change that should apply everywhere means connecting to every array and changing the setting there. Enterprise objects (computer sets, networks and so on) can be referenced from a local system policy, but that gives you no single global control mechanism.

System policy rules are evaluated before any other rules. The sequence is as follows:
  1. System Policy Rules
  2. Enterprise Policy Rules Applied Before Array Firewall Policy
  3. (Array) Firewall Policy Rules
  4. Enterprise Policy Rules Applied After Array Firewall Policy
This is significant because a packet is evaluated against the rules in this sequence and the first rule that matches decides the outcome. If nothing matches, the absolute last rule, the "Default rule", denies all traffic.

To manage a system policy rule centrally, we need an identical rule under "Enterprise Policy Rules Applied Before Array Firewall Policy". To see the details of the system policy rule you want to mirror, select Show System Policy Rules in the Firewall Policy view, then browse or search for the relevant rule. Open it and record the rule details (action, protocol, source and destination).

You cannot actually change the rule from this view. Right-click the rule and click Edit System Policy; this opens the System Policy Editor with the relevant configuration group selected. Because an enterprise rule will now manage this traffic, make sure "Enable this configuration group" is unchecked. If it is left enabled, the local system policy rule, which is evaluated first, keeps matching regardless of what the enterprise rule says.

As an example, suppose I want to turn ICMP echo replies (ping) on for all the array members in the enterprise. This is something you would normally keep turned off, except for certain temporary testing scenarios.

First, I connect to each array and make sure "Enable this configuration group" is unchecked for the ICMP configuration group.
Second, I create an enterprise rule (applied before array firewall policy) that is identical to the system policy rule. In this case:

Action:  Allow 
Protocol:  PING 
From:  Enterprise Remote Management Servers  
To:  Local Host

This rule is now applied through the enterprise policy, so enabling, disabling or changing it affects every array that enterprise policy is assigned to, provided the first step was done on each of them. In short, you now have a global control mechanism for system policies.
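The following is an added illustration of the evaluation order listed above and of the two-step procedure just described; it is a simplified model written for this page, not TMG's policy engine or its administration API. The array names ("Array-A", "Array-B"), the rule names and the "Internal" computer set are constructed for the example; the PING rule itself is the one from the post. The last scenario shows the failure mode of skipping step one on an array: its own system policy rule matches first, so the enterprise switch no longer controls it.

```python
# Simplified model of TMG policy evaluation order (added example, not TMG code).
# Rule, array and computer-set names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Rule:
    name: str
    action: str                 # ALLOW or DENY
    protocol: str               # e.g. "PING"
    sources: Set[str]           # computer sets / networks the source may belong to
    destination: str            # e.g. "Local Host"
    enabled: bool = True        # for a system policy rule this stands in for the
                                # "Enable this configuration group" checkbox

    def matches(self, protocol: str, source_sets: Set[str], destination: str) -> bool:
        return (self.enabled
                and self.protocol == protocol
                and self.destination == destination
                and bool(self.sources & source_sets))


@dataclass
class EnterprisePolicy:
    """One object shared by every array it is assigned to."""
    before_array: List[Rule] = field(default_factory=list)
    after_array: List[Rule] = field(default_factory=list)


@dataclass
class Array:
    name: str
    enterprise: EnterprisePolicy
    system_policy: List[Rule] = field(default_factory=list)
    array_policy: List[Rule] = field(default_factory=list)


def evaluate(array: Array, protocol: str, source_sets: Set[str],
             destination: str) -> Tuple[str, str]:
    """First match wins, in the order the post lists; the Default rule denies the rest."""
    ordered = (array.system_policy
               + array.enterprise.before_array
               + array.array_policy
               + array.enterprise.after_array)
    for rule in ordered:
        if rule.matches(protocol, source_sets, destination):
            return rule.action, rule.name
    return DENY, "Default rule"


def ping_rule(name: str) -> Rule:
    # Allow / PING / Enterprise Remote Management Servers -> Local Host, as in the post
    return Rule(name, ALLOW, "PING", {"Enterprise Remote Management Servers"}, "Local Host")


def build_enterprise(system_group_enabled_on: Set[str]) -> Tuple[EnterprisePolicy, List[Array]]:
    """Two arrays sharing one enterprise policy (hypothetical names).
    Arrays listed in system_group_enabled_on still have their local ICMP
    configuration group enabled, i.e. step one of the post was skipped there."""
    ent = EnterprisePolicy(before_array=[ping_rule("Enterprise: allow PING to Local Host")])
    arrays = []
    for arr_name in ("Array-A", "Array-B"):
        sys_rule = ping_rule("System policy: allow PING to Local Host")
        sys_rule.enabled = arr_name in system_group_enabled_on
        arrays.append(Array(arr_name, ent, system_policy=[sys_rule]))
    return ent, arrays


def ping_decisions(arrays: List[Array], source_sets: Set[str]) -> Dict[str, str]:
    """Decision for a PING to Local Host on every array, keyed by array name."""
    return {a.name: evaluate(a, "PING", source_sets, "Local Host")[0] for a in arrays}


MGMT = {"Enterprise Remote Management Servers"}   # source is a management server
INTERNAL_HOST = {"Internal"}                        # constructed: some other internal host

if __name__ == "__main__":
    ent, arrays = build_enterprise(system_group_enabled_on=set())
    print("enterprise rule on :", ping_decisions(arrays, MGMT))           # both Allow
    print("non-management host:", ping_decisions(arrays, INTERNAL_HOST))  # both Deny (Default rule)
    ent.before_array[0].enabled = False
    print("enterprise rule off:", ping_decisions(arrays, MGMT))           # both Deny: one switch, all arrays
    # Failure mode: Array-B's configuration group was left enabled, so its own
    # system policy rule matches before the enterprise policy is even consulted.
    ent, arrays = build_enterprise(system_group_enabled_on={"Array-B"})
    ent.before_array[0].enabled = False
    print("group left on at B :", ping_decisions(arrays, MGMT))           # A Deny, B Allow
```

The check worth keeping from this is the last scenario: after you flip the enterprise rule off, ping every array from a management server; any array that still answers has a configuration group that was never disabled.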

