1. The computer has no brain. So when ISA's behavior is inconsistent with your requirements, check your configuration instead of blaming ISA.
2. Allow only the clients, source addresses, destinations and protocols that you want to allow. Check every rule carefully to see whether its elements match what you need.
3. Deny rules must be placed in front of allow rules.
4. When you need to deny access, an explicit deny is the first thing to consider.
5. Where it does not change the effect of the firewall policy, put the rules that are matched more often at the front.
6. Where it does not change the effect of the firewall policy, put the rules that apply to all users at the front.
7. Simplify your rules as much as possible; executing one rule is always more efficient than executing two.
8. Never use an Allow 4 All rule in a commercial network (allow all users, using all protocols, from all networks to all networks); with it, your ISA is a firewall in name only.
9. If something can be implemented by configuring the system policy, there is no need to create a custom rule.
10. Each ISA access rule is independent and is not affected by other access rules when it is executed.
11. Never allow any network to access the ISA server itself on all protocols. The internal network is not to be trusted either.
12. SecureNAT (SNAT) clients cannot submit authentication information. So when you use authentication, configure the clients as Web Proxy clients or Firewall clients.
13. Whether for the destination or the source of an access rule, it is best to use IP addresses.
14. If you must use a domain name set or URL set in an access rule, it is best to configure the clients as Web Proxy clients.
15. Do not forget that the firewall policy always ends with a Deny 4 All rule.
16. Finally, keep in mind that the firewall policy must be tested.
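
Tips 3, 8 and 15 can be checked mechanically before a policy goes live. The following is an added example, not ISA's own code or API: a simplified Python model of an ordered, first-match rule list with a final default deny, plus a lint pass over it. The rule fields, rule names and network names are assumptions made up for illustration.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: all users / protocols / networks

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    users: str
    protocol: str
    source: str
    dest: str

    def fields(self):
        return (self.users, self.protocol, self.source, self.dest)

def covers(a, b):
    """True if every request matched by rule b is also matched by rule a."""
    return all(x == ANY or x == y for x, y in zip(a.fields(), b.fields()))

def evaluate(rules, request):
    """First matching rule decides; the implicit last rule denies everything."""
    for r in rules:
        if all(f == ANY or f == v for f, v in zip(r.fields(), request)):
            return r.action, r.name
    return "deny", "Default rule"

def lint(rules):
    """Flag allow-all rules (tip 8) and deny rules shadowed by an earlier allow (tip 3)."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and all(f == ANY for f in r.fields()):
            findings.append(f"{r.name}: allows all users, protocols and networks")
        if r.action == "deny":
            for earlier in rules[:i]:
                if earlier.action == "allow" and covers(earlier, r):
                    findings.append(f"{r.name}: never reached, shadowed by {earlier.name}")
                    break
    return findings

# Constructed sample policy (names and networks are made up for illustration).
BAD = [
    Rule("Web out", "allow", ANY, "HTTP", "Internal", "External"),
    Rule("Block guests", "deny", "Guests", "HTTP", "Internal", "External"),
]
GOOD = [BAD[1], BAD[0]]  # same rules, deny moved in front of the allow

if __name__ == "__main__":
    req = ("Guests", "HTTP", "Internal", "External")
    print(evaluate(BAD, req), evaluate(GOOD, req))
    print(lint(BAD), lint(GOOD))
```

In the BAD ordering the guest request is allowed by "Web out" and the deny rule is never evaluated; swapping the two rules makes the deny take effect without changing anything else.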