Microsoft Internet Security and Acceleration Server 2000

How Enterprise Policy Affects Array Policy

The enterprise administrator can select how the enterprise policy should be applied at the array level:

Note  If you set the FPCEnterprise.PolicyUsedFlag property equal to fpcArrayPolicyUsed, you cannot subsequently change it to fpcEnterprisePolicyUsed, nor can you change the configuration from fpcEnterprisePolicyUsed to fpcArrayPolicyUsed. The only changes that are permitted are from fpcEnterprisePolicyUsed to fpcArrayAndEnterprisePoliciesUsed and from fpcArrayAndEnterprisePoliciesUsed to fpcEnterprisePolicyUsed.

The areas where the relationship between enterprise and array should be taken into consideration are:

Protocol Rules

When you create a protocol rule for an array, you can only use a protocol that is defined in the enterprise. If you use any other protocol, you will receive an error message when you run the protocol rule-adding script, and the rule will not be added.

The COM object you use to create a protocol rule is FPCProtocolRule.

Packet Filtering

Packet filtering cannot be enabled at the enterprise level. However, the enterprise administrator determines whether packet filtering is forced at the array level. Alternatively, the enterprise administrator can allow the array administrator to decide if packet filtering should be made available.

If the enterprise administrator forces packet filtering through the FPCEnterprise.ForcePacketFiltering property, an array administrator will not be able to disable packet filtering through the FPCIpPacketFilter.Enabled property.

The COM object you use to create a packet filter is FPCIpPacketFilter.

Site and Content Rules

Because array policy can only be more restrictive than enterprise policy, you can only add array site and content rules that deny access to what is already allowed by the enterprise, or rules that redirect requests. The COM object you use to create a site and content rule is FPCSiteAndContentRule. You create a Deny rule by setting the FPCSiteAndContentRule.Action property equal to fpcRuleActionDeny. You create redirect rules by setting the FPCSiteAndContentRule.Action property to fpcRuleActionRedirect. If you try to create an allow (fpcRuleActionPermit) site and content rule, you will receive an error message, and the rule will not be created.

Publishing Rules

Publishing rules cannot be created at the enterprise level. However, the enterprise administrator can specify, using the FPCEnterprise.AllowPublishing property, whether an array is allowed to publish servers. If the array is allowed to publish, the array administrator can create Web publishing rules (FPCWebPublishingRule object) or server publishing rules (FPCServerPublishingRule object). If the enterprise policy does not allow publishing, then an attempt to add a Web or server publishing rule will return an error message.
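
The constraints above can be checked against a batch of proposed array changes before a rule-adding script is run. The following Python sketch is an added example, not code from the ISA Server SDK: it models the rules offline and does not call the COM objects. The function names and dictionary keys are hypothetical, and the site and content restriction is applied exactly as stated on this page, without regard to the policy mode.

```python
# Offline model of the constraints on this page; it does not call the ISA COM API.
# Function names and dictionary keys ("kind", "protocols", ...) are hypothetical.

# The only PolicyUsedFlag changes the page says are permitted.
ALLOWED_POLICY_CHANGES = {
    ("fpcEnterprisePolicyUsed", "fpcArrayAndEnterprisePoliciesUsed"),
    ("fpcArrayAndEnterprisePoliciesUsed", "fpcEnterprisePolicyUsed"),
}

def check_policy_change(current, requested):
    """Return a rejection reason, or None if the change is permitted."""
    if current == requested or (current, requested) in ALLOWED_POLICY_CHANGES:
        return None
    return f"PolicyUsedFlag cannot change from {current} to {requested}"

def check_array_change(enterprise, change):
    """Return a rejection reason for one proposed array change, or None."""
    kind = change["kind"]
    if kind == "protocol_rule":
        if change["protocol"] not in enterprise["protocols"]:
            return f"protocol {change['protocol']!r} is not defined in the enterprise"
    elif kind == "site_and_content_rule":
        if change["action"] not in ("fpcRuleActionDeny", "fpcRuleActionRedirect"):
            return "array site and content rules may only deny or redirect"
    elif kind in ("web_publishing_rule", "server_publishing_rule"):
        if not enterprise["AllowPublishing"]:
            return "enterprise policy does not allow publishing"
    elif kind == "packet_filtering":
        if enterprise["ForcePacketFiltering"] and not change["enabled"]:
            return "packet filtering is forced by the enterprise"
    else:
        return f"unknown change kind {kind!r}"
    return None

def preflight(enterprise, changes):
    """List (change, reason) for every change the enterprise policy would reject."""
    pairs = ((c, check_array_change(enterprise, c)) for c in changes)
    return [(c, reason) for c, reason in pairs if reason]

# Constructed sample data, not taken from a real deployment.
SAMPLE_ENTERPRISE = {"protocols": {"HTTP", "HTTPS"}, "AllowPublishing": False,
                     "ForcePacketFiltering": True}
SAMPLE_CHANGES = [
    {"kind": "protocol_rule", "protocol": "HTTP"}, {"kind": "protocol_rule", "protocol": "Telnet"},
    {"kind": "site_and_content_rule", "action": "fpcRuleActionPermit"},
    {"kind": "site_and_content_rule", "action": "fpcRuleActionDeny"},
    {"kind": "web_publishing_rule"}, {"kind": "packet_filtering", "enabled": False},
]
if __name__ == "__main__":
    for change, reason in preflight(SAMPLE_ENTERPRISE, SAMPLE_CHANGES):
        print(change["kind"], "->", reason)
```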