Simply establishing the remote site network does not automatically grant any type of access between clients on the disparate networks. To enable this type of access, ISA Network rules must first define whether the default relationship between the networks should be set to route traffic, or to apply Network Address Translation (NAT) between the networks. In addition, firewall rules must be established to specify what types of traffic will be allowed between the networks. For a more fundamental understanding of network and firewall rules, reference Chapter 3, "Exploring ISA Server 2004 Tools and Concepts." Creating Network Rules Between ISA Site Networks In the example illustrated in this chapter, the two remote networks are joined into a Route relationship, which enables clients in San Francisco to directly access the IP range of Toronto. To set this up, do the following: 1. | Open the ISA Server Management console. | 2. | From the console tree, select Configuration, Networks. | 3. | In the Details pane, select the Network Rules tab. | 4. | In the Tasks pane, click on the link titled Create a New Network Rule. | 5. | Enter a name for the Network Rule, such as Route from Toronto to San Francisco, and click Next. | 6. | Under the Network Traffic Sources dialog box, click the Add button. | 7. | Under Network Entities, select the Toronto network from the list and click Add, then click Close. | 8. | Click Next. | 9. | Under Network Traffic Destinations, click Add. | 10. | Drill down to Internal under Networks and click Add, then Close. | 11. | Click Next to continue. | 12. | Select Route under Network Relationships, as shown in Figure 10.12, and click Next. Figure 10.12. Creating a Route relationship between remote sites. | 13. | Click Finish. | 14. | Click Apply and OK. | Creating Firewall Rules Between ISA Site Networks With the network rule in place, the traffic can properly flow between the remote net works. Because ISA is secured by default, however, specific firewall rules must be established before any communications are allowed. In this example, an Allow All rule is created between the networks, but it is very common to create rules to allow only specific types of activity to occur between the networks. To set up an Allow All rule between the remote sites, do the following: 1. | Open the ISA Server Management console. | 2. | Click on the Firewall Policy node in the console tree. | 3. | In the Tasks pane, click on Create New Access Rule from the Tasks tab. | 4. | Enter a descriptive name for the rule, such as Allow All from Toronto to Internal, and click Next. | 5. | Under Rule Action, select Allow and click Next. | 6. | Under Protocols, leave the default as All Outbound Traffic and click Next. | 7. | Under Access Rule Sources, click the Add button. | 8. | Drill down under Networks, select the Toronto network, and click Add. | 9. | Select the Internal network and click Add and Close. | 10. | Click Next. | 11. | Under Access Rule Destinations, click Add. | 12. | Drill down under Networks and select Internal, click Add, select Toronto, click Add, then click Close. | 13. | With both networks chosen, as shown in Figure 10.13, click Next. Figure 10.13. Creating an allow all rule between the remote sites. | 14. | Click Next at the User Sets dialog box. | 15. | Click Finish, Apply, and OK to save the settings. | 16. | Repeat the steps on the remote ISA Server (or configure the appropriate third-party VPN rules as necessary). | With the appropriate network and firewall rules in place, the connection is established between remote sites, and traffic can flow between the two sites as needed. |