MCSA/MCSE Self-Paced Training Kit (Exam 70
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2005 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or
by any means without the written permission of the publisher.
Library of Congress Control Number 2004118212
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further
information about international editions, contact your local Microsoft Corporation office or contact
Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at
www.microsoft.com/learning/. Send comments to [email protected]
Microsoft, Active Directory, ActiveSync, FrontPage, Microsoft Press, MSDN, MSN, Outlook,
PowerPoint, SharePoint, Visual Basic, Visual Studio, Win32, Windows, Windows Mobile, Windows
NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places,
and events depicted herein are fictitious. No association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Product Planner: Martin DelRe
Content Development Manager: Lori Kane
Project Manager: Julie Pickering
Project Editor: Susan McClung
Technical Editor: Kurt Dillard
Technologist: Colin Lyth
Copy Editor: Peter Tietjen
Proofreaders: Jan Cocker, Cindy Gearhart, and Kiren Valjee
Indexer: Jack Lewis
Body Part No. X11-10416
As always, I dedicate this book to the three wonderful women in my life:
my wife, Rhonda, and my daughters, Angela and Amanda.
Stan Reimer
To my beautiful and lovely wife, Oksana, and my fantastic son, Rooslan.
You make this all possible.
Orin Thomas
About the Authors
Stan Reimer, Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT), is the president of SR Technical Services, based in Winnipeg, Manitoba. Stan works as a consultant and trainer specializing in Microsoft ISA Server, Microsoft Exchange Server, and Active Directory design and implementation. Stan has worked as a consultant with some of the largest corporations in Canada, as well as some of the smallest. He is the co-author of Active Directory for Microsoft Windows Server 2003 Technical Reference, published by Microsoft Press, and also authors courseware and security clinics for Microsoft Learning. In the summer, Stan finds hitting the road on his motorcycle or hitting golf balls on a golf course to be excellent therapy. In the winter, he just works, because it is too cold in Winnipeg to do anything else.
Orin Thomas is a writer, editor, trainer, and systems administrator who works for the certification advice Web site Certtutor.net. His work in IT has been varied: he has done everything from providing first-level networking support to a university department to managing mission-critical servers for one of Australia’s largest companies. He has co-authored several MCSA/MCSE self-paced training kits for Microsoft Learning. He holds a variety of certifications and a bachelor’s degree in science with honors from the University of Melbourne, and is currently working toward the completion of a Ph.D. in Philosophy of Science.
Contents at a Glance
Part 1 Learn at Your Own Pace
1 Introduction to ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
2 Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
3 Securing and Maintaining ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . 3-1
4 Installing and Managing ISA Server Clients . . . . . . . . . . . . . . . . . . . . . 4-1
5 Enabling Secure Internet Access with ISA Server 2004 . . . . . . . . . . . . 5-1
6 Implementing ISA Server Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
7 Configuring ISA Server as a Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
8 Implementing ISA Server Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
9 Integrating ISA Server 2004 and Exchange Server . . . . . . . . . . . . . . . . 9-1
10 Configuring Virtual Private Networks for Remote Clients and Networks . . . 10-1
11 Implementing Monitoring and Reporting . . . . . . . . . . . . . . . . . . . . . . 11-1
12 Implementing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . 12-1
Part 2 Prepare for the Exam
13 Planning and Installing ISA Server 2004 (1.0) . . . . . . . . . . . . . . . . . . 13-3
14 Installing and Configuring Client Computers (2.0) . . . . . . . . . . . . . . . 14-1
15 Configuring and Managing ISA Server 2004 (3.0) . . . . . . . . . . . . . . . 15-1
16 Configuring Web Caching (4.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
17 Configuring Firewall Policy (5.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1
18 Configuring and Managing Remote Network Connectivity (6.0) . . . . . 18-1
19 Monitoring and Reporting ISA Server 2004 Activity (7.0) . . . . . . . . . . 19-1
Practices
Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-29
Securing the Computer Running ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
Securing ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-24
Maintaining ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-34
Configuring SecureNAT and Web Proxy Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-25
Installing and Configuring Firewall Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-43
Configuring ISA Server as a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-26
Configuring Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-38
Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-45
Configuring Access Rules for Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-56
Configuring Caching and Cache Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-26
Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-36
Configuring Multiple Networking on ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-20
Implementing Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
Configuring Intrusion Detection and IP Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . .7-43
Configuring an HTTP Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-61
Configuring DNS for Web and Server Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-9
Configuring Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-29
Configuring Secure Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-42
Configuring Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-59
Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-71
Configuring ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-19
Configuring ISA Server to Secure OWA Client Connections . . . . . . . . . . . . . . . . . . . . . .9-34
Configuring ISA Server to Secure Outlook Client Connections . . . . . . . . . . . . . . . . . . .9-47
Configuring Virtual Private Networking for Remote Clients . . . . . . . . . . . . . . . . . . . . 10-29
Configuring Virtual Private Networking for Remote Sites . . . . . . . . . . . . . . . . . . . . . 10-44
Configuring VPN Quarantine Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-61
Configuring and Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24
Configuring Session and Connectivity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
Configuring ISA Server Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-54
Installing a Configuration Storage Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48
Configuring Enterprise and Array Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-57
Installing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-62
Tables
Table 1-1: New Features in ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
Table 1-2: ISA Server Monitoring Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Table 2-1: ISA Server 2004 Hardware Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Table 2-2: Msisaund.ini Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26
Table 2-3: ISA Server Unattended Setup Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Table 3-1: Services Required for ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Table 3-2: Optional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Table 3-3: ISA Server Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Table 3-4: System Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Table 3-5: ISA Server Roles and Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Table 4-1: Comparing the ISA Server Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Table 4-2: Guidelines for Choosing ISA Server Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Table 4-3: Configuring Network Settings for SecureNAT Clients . . . . . . . . . . . . . . . . . 4-13
Table 4-4: ISA Server Firewall Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Table 4-5: Application.ini File Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-41
Table 5-1: ISA Server Internet Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Table 5-2: Configuring Dial-Up Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
Table 5-3: Access Rule Element Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
Table 5-4: Protocol Element Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-31
Table 5-5: Network Object Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36
Table 5-6: Authentication Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45
Table 5-7: Access Rule Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49
Table 6-1: ISA Server Caching Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Table 6-2: Advanced Caching Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Table 6-3: Cache Rule Options and the Default Cache Rule . . . . . . . . . . . . . . . . . . . . 6-18
Table 6-4: Configuring Content Retrieval Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Table 6-5: Configuring Content Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-21
Table 6-7: Configuring HTTP Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Table 6-8: Configuring FTP Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Table 6-9: Configuring Download Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32
Table 6-10: Configuring Content Download Job Details . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Table 6-11: Configure Content Download Job Caching . . . . . . . . . . . . . . . . . . . . . . . . 6-35
Table 7-1: ISA Server Default Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
Table 7-2: ISA Server Default Network Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-18
Table 7-3: Firewall Policies Applied by the Internet-Edge Template . . . . . . . . . . . . . . .7-29
Table 7-4: ISA Server Intrusion-Detection Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-37
Table 7-5: Configuring HTTP Policy General Properties . . . . . . . . . . . . . . . . . . . . . . . .7-51
Table 7-6: HTTP 1.1 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-52
Table 7-7: How ISA Server Evaluates Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-54
Table 7-8: Application Signatures for Common Applications . . . . . . . . . . . . . . . . . . . .7-60
Table 8-1: Web Publishing Rule Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . .8-13
Table 8-2: Web Site Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-24
Table 8-3: Server Publishing Rule Configuration Options . . . . . . . . . . . . . . . . . . . . . . .8-48
Table 8-4: Port Override Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-51
Table 9-1: Supported SMTP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-8
Table 9-2: Configuring the SMTP Message Screener . . . . . . . . . . . . . . . . . . . . . . . . . .9-13
Table 9-3: RPC over HTTP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-44
Table 10-1: Comparing PPTP and L2TP/IPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-8
Table 10-2: Site-to-Site VPN Configuration Components . . . . . . . . . . . . . . . . . . . . . 10-33
Table 10-3: Comparing Site-to-Site Tunneling Protocols . . . . . . . . . . . . . . . . . . . . . . 10-35
Table 10-4: Remote-Site VPN Gateway Configuration Components . . . . . . . . . . . . . 10-43
Table 11-1: ISA Server Monitoring Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11-4
Table 11-2: ISA Server Management Console Dashboard Nodes . . . . . . . . . . . . . . . . .11-6
Table 11-3: ISA Server Performance Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10
Table 11-4: Alert Event Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-19
Table 11-5: Configuring an Alert Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-21
Table 11-6: Session Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-32
Table 11-7: Connectivity Monitoring Configuration Options . . . . . . . . . . . . . . . . . . . 11-35
Table 11-8: ISA Server Log Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-42
Table 11-9: Configuring the ISA Server Log Summaries . . . . . . . . . . . . . . . . . . . . . . 11-49
Table 12-1: ISA Server Enterprise Edition Unattended Installation Files . . . . . . . . . 12-62
Troubleshooting Labs
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-62
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-71
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-66
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76
Troubleshooting Lab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Case Scenario Exercises
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-51
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-70
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-65
Case Scenario Exercise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-73
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-59
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-69
Case Scenario Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-77
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-58
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-66
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-72
Case Scenario Exercise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-81
Contents
About This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxix
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
About the CD-ROM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
Features of This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxi
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxii
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxxiii
Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Setup Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv
The Microsoft Certified Professional Program . . . . . . . . . . . . . . . . . . . . . . . . xxxvii
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxix
Part 1 Learn at Your Own Pace
1 Introduction to ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Lesson 1: Overview of ISA Server Functionality . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
How ISA Server Works—An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
How ISA Server Works as a Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
How ISA Server Enables Secure Internet Access . . . . . . . . . . . . . . . . . . . . . 1-9
How ISA Server Enables Internal Resource Publishing . . . . . . . . . . . . . . . . 1-11
How ISA Server Works as a VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Lesson 2: Overview of ISA Server 2004 Editions and Versions . . . . . . . . . . . . 1-17
Differences Between ISA Server Standard Edition and Enterprise Edition . . 1-17
Differences Between ISA Server 2004 and ISA Server 2000 . . . . . . . . . . . 1-19
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Lesson 3: Explaining ISA Server Deployment Scenarios . . . . . . . . . . . . . . . . . 1-22
How ISA Server Works as an Internet-Edge Firewall . . . . . . . . . . . . . . . . . . 1-22
How ISA Server Works as a Back-End Firewall . . . . . . . . . . . . . . . . . . . . . . 1-24
How ISA Server Works as a Branch Office Firewall . . . . . . . . . . . . . . . . . . 1-25
How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server 1-26
How ISA Server Works as a Proxy- and Caching-Only Server . . . . . . . . . . . . 1-27
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Lesson 4: Overview of ISA Server 2004 Administration . . . . . . . . . . . . . . . . . . 1-31
The ISA Server Administration Process . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
ISA Server Management Console Features . . . . . . . . . . . . . . . . . . . . . . . 1-34
ISA Server Monitoring Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
2 Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Lesson 1: Planning an ISA Server Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
The ISA Server Deployment Planning Process . . . . . . . . . . . . . . . . . . . . . . . 2-3
Network Infrastructure Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Guidelines for Capacity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Lesson 2: Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
ISA Server 2004 Installation Preparation Checklist . . . . . . . . . . . . . . . . . . 2-19
Guidelines for Installing ISA Server, Standard Edition . . . . . . . . . . . . . . . . 2-20
How to Verify a Successful ISA Server Installation . . . . . . . . . . . . . . . . . . . 2-25
How to Perform an Unattended Installation of ISA Server 2004 . . . . . . . . . 2-26
Guidelines for Troubleshooting an ISA Server Installation . . . . . . . . . . . . . 2-28
Practice: Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Lesson 3: Overview of the ISA Server 2000 Migration Process . . . . . . . . . . . . 2-33
How the ISA Server 2000 In-Place Upgrade Process Works . . . . . . . . . . . . 2-33
How an ISA Server 2000 Configuration Migration Works . . . . . . . . . . . . . . 2-34
Ways to Migrate Routing and Remote Access VPN to ISA Server 2004 . . . . 2-35
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Case Scenario Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42
3 Securing and Maintaining ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Lesson 1: Securing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3
How to Harden the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
Practice: Securing the Computer Running ISA Server . . . . . . . . . . . . . . . . . 3-14
How to Secure the ISA Server Configuration . . . . . . . . . . . . . . . . . . . . . . 3-15
Practice: Securing ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27
Lesson 2: Maintaining ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
How to Export and Import the ISA Server Configuration . . . . . . . . . . . . . . 3-28
How to Back Up and Restore the ISA Server Configuration . . . . . . . . . . . . 3-31
How to Implement Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . 3-32
Practice: Maintaining ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-36
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38
Exercise 1: Preparing the Workstation for Remote Administration . . . . . . . . 3-39
Exercise 2: Troubleshooting Remote Administration . . . . . . . . . . . . . . . . . 3-40
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
4 Installing and Managing ISA Server Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Lesson 1: Choosing an ISA Server Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
ISA Server Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Lesson 2: Configuring the SecureNAT and Web Proxy Clients . . . . . . . . . . . . . 4-12
How to Configure SecureNAT Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
How to Configure Web Proxy Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
How to Troubleshoot SecureNAT and Web Proxy Clients . . . . . . . . . . . . . . . 4-23
Practice: Configuring SecureNAT and Web Proxy Clients . . . . . . . . . . . . . . . 4-25
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Lesson 3: Installing and Configuring the Firewall Client . . . . . . . . . . . . . . . . . . 4-28
How to Install Firewall Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
How to Automate Firewall Client Installation . . . . . . . . . . . . . . . . . . . . . . . 4-30
How to Configure ISA Server for Firewall Clients . . . . . . . . . . . . . . . . . . . . 4-33
Advanced Firewall Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
Practice: Installing and Configuring Firewall Clients . . . . . . . . . . . . . . . . . . 4-43
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-44
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-45
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-47
5
Enabling Secure Internet Access with ISA Server 2004
5-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Lesson 1: Enabling Secure Access to Internet Resources . . . . . . . . . . . . . . . . . 5-3
What Is Secure Access to Internet Resources? . . . . . . . . . . . . . . . . . . . . . . 5-3
Guidelines for Designing an Internet Usage Policy . . . . . . . . . . . . . . . . . . . . 5-5
How ISA Server Enables Secure Access to Internet Resources . . . . . . . . . . 5-8
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Lesson 2: Configuring ISA Server as a Proxy Server . . . . . . . . . . . . . . . . . . . . 5-11
What Is a Proxy Server? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
How to Configure ISA Server as a Proxy Server . . . . . . . . . . . . . . . . . . . . . 5-15
How to Configure Web and Firewall Chaining . . . . . . . . . . . . . . . . . . . . . . . 5-17
How to Configure Dial-Up Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Practice: Configuring ISA Server as a Proxy Server . . . . . . . . . . . . . . . . . . 5-26
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
Lesson 3: Configuring Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
What Are Access Rule Elements? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29
How to Configure Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . . . 5-30
Practice: Configuring Access Rule Elements . . . . . . . . . . . . . . . . . . . . . . . 5-38
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-39
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-40
Lesson 4: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . . 5-41
ISA Server Authentication Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-41
How to Configure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44
Practice: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . 5-45
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47
Lesson 5: Configuring Access Rules for Internet Access . . . . . . . . . . . . . . . . . 5-48
What Are Access Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-48
How to Configure Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49
Troubleshooting Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-55
Practice: Configuring Access Rules for Internet Access . . . . . . . . . . . . . . . 5-56
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-59
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-60
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-65
6
Implementing ISA Server Caching
6-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Lesson 1: Caching Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
What Is Caching? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
How Caching Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Caching Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
What Are Content Download Jobs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
How Caching Is Implemented in ISA Server 2004 . . . . . . . . . . . . . . . . . . . 6-7
How ISA Server Restricts Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
What Is Web Chaining and Caching? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
Lesson 2: Configuring Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
How to Enable Caching and Configure Cache Drives . . . . . . . . . . . . . . . . . 6-13
How to Configure Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14
What Are Cache Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
How to Create and Manage Cache Rules . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Guidelines for Troubleshooting Caching . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Practice: Configuring Caching and Cache Rules . . . . . . . . . . . . . . . . . . . . 6-26
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-30
Lesson 3: Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . 6-31
How to Configure Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . 6-31
How to Manage Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35
Practice: Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . 6-36
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-37
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
7
Configuring ISA Server as a Firewall
7-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Lesson 1: Introduction to ISA Server as a Firewall . . . . . . . . . . . . . . . . . . . . . . 7-3
What Is Packet Filtering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
What Is Stateful Filtering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
What Is Application-Layer Filtering? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
What Is Intrusion Detection? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Lesson 2: Configuring Multiple Networking on ISA Server . . . . . . . . . . . . . . . . 7-12
ISA Server Support for Multiple Networks . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Default Networks Enabled in ISA Server . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
How to Create and Modify Network Objects . . . . . . . . . . . . . . . . . . . . . . . 7-16
How to Configure Network Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Practice: Configuring Multiple Networking on ISA Server . . . . . . . . . . . . . . 7-20
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-23
Lesson 3: Implementing Perimeter Networks and Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24
What Are Perimeter Networks? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-24
What Are Network Templates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28
How to Implement Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29
Practice: Implementing Network Templates . . . . . . . . . . . . . . . . . . . . . . . 7-33
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-36
Lesson 4: Configuring Intrusion Detection and IP Preferences . . . . . . . . . . . . . 7-37
Intrusion-Detection Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . 7-37
How to Configure Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39
IP Preferences Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-40
How to Configure IP Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-41
Practice: Configuring Intrusion Detection and IP Preferences . . . . . . . . . . . 7-43
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-44
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-45
Lesson 5: Implementing Application and Web Filtering . . . . . . . . . . . . . . . . . . 7-46
What Are Application Filters? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46
What Are Web Filters? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48
How the HTTP Web Filter Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49
How to Configure an HTTP Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50
Practice: Configuring an HTTP Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . 7-61
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-63
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-64
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-65
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-67
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-67
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-68
8
Implementing ISA Server Publishing
8-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Lesson 1: Introduction to Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
What Are Web Publishing Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
What Are Server Publishing Rules? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Considerations for Configuring DNS for Web and Server Publishing . . . . . . . 8-6
Practice: Configuring DNS for Web and Server Publishing . . . . . . . . . . . . . . 8-9
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11
Lesson 2: Configuring Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Components of a Web Publishing Rule Configuration . . . . . . . . . . . . . . . . . 8-13
How to Configure Web Listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-14
How to Configure Path Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
How to Configure Link Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
How to Configure Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Practice: Configuring Web Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . 8-29
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Lesson 3: Configuring Secure Web Publishing Rules . . . . . . . . . . . . . . . . . . . 8-33
Components of a Secure Web Publishing Rule Configuration . . . . . . . . . . . 8-33
How to Install Digital Certificates on ISA Server . . . . . . . . . . . . . . . . . . . . 8-36
How to Configure SSL Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
How to Configure SSL Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
How to Configure a New Secure Web Publishing Rule . . . . . . . . . . . . . . . . 8-39
Practice: Configuring Secure Web Publishing Rules . . . . . . . . . . . . . . . . . . 8-42
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-45
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-46
Lesson 4: Configuring Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . 8-47
Components of a Server Publishing Rule Configuration . . . . . . . . . . . . . . . 8-47
How to Configure a Server Publishing Rule . . . . . . . . . . . . . . . . . . . . . . . . 8-49
Server Publishing Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
Guidelines for Troubleshooting Web and Server Publishing . . . . . . . . . . . . . 8-58
Practice: Configuring Server Publishing Rules . . . . . . . . . . . . . . . . . . . . . . 8-59
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
Lesson 5: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . . 8-63
How Authentication and Web Publishing Rules Work Together . . . . . . . . . . 8-63
ISA Server Web Publishing Authentication Scenarios . . . . . . . . . . . . . . . . . 8-64
How to Implement RADIUS Server for Authentication . . . . . . . . . . . . . . . . . 8-67
How to Implement SecurID for Authentication . . . . . . . . . . . . . . . . . . . . . . 8-70
Practice: Configuring ISA Server Authentication . . . . . . . . . . . . . . . . . . . . . 8-71
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-73
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-74
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-78
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-78
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-79
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-79
9
Integrating ISA Server 2004 and Exchange Server
9-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Lesson 1: Configuring ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . . . . 9-3
Known SMTP Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
How to Configure ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . . . . . 9-5
How to Configure the SMTP Application Filter . . . . . . . . . . . . . . . . . . . . . . . 9-8
How to Implement SMTP Message Screener . . . . . . . . . . . . . . . . . . . . . . 9-11
Guidelines for Implementing SMTP Message Screener . . . . . . . . . . . . . . . 9-16
Practice: Configuring ISA Server to Secure SMTP Traffic . . . . . . . . . . . . . . 9-19
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25
Lesson 2: Configuring ISA Server to Secure Web Client Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26
Known Web Client Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26
How to Configure ISA Server to Enable Outlook Web Access Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-28
How to Configure Forms-Based Authentication . . . . . . . . . . . . . . . . . . . . . 9-30
How to Configure ISA Server to Enable Access for Other Web Clients . . . . . 9-33
Practice: Configuring ISA Server to Secure OWA Client Connections . . . . . . 9-34
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-36
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-37
Lesson 3: Configuring ISA Server to Secure Outlook Client Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-38
Known Outlook Client Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-39
How to Configure ISA Server to Secure Outlook RPC Connections . . . . . . . 9-40
What Is RPC over HTTP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-43
How to Configure RPC-over-HTTP Connectivity . . . . . . . . . . . . . . . . . . . . . . 9-44
How to Configure E-Mail Access for POP3 and IMAP4 Clients . . . . . . . . . . . 9-46
Practice: Configuring ISA Server to Secure Outlook Client Connections . . . . 9-47
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-48
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-49
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-50
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-54
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-55
10
Configuring Virtual Private Networks for Remote Clients and Networks
10-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Lesson 1: Planning a Virtual Private Networking Infrastructure . . . . . . . . . . . . . 10-4
What Is Virtual Private Networking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
VPN Protocol Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
VPN Authentication Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
How VPN Quarantine Control Is Used to Enforce Remote-Access Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10
How Virtual Private Networking Is Implemented Using ISA Server 2004 . . 10-11
Guidelines for Planning a VPN Infrastructure . . . . . . . . . . . . . . . . . . . . . . 10-12
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14
Lesson 2: Configuring Virtual Private Networking for Remote Clients . . . . . . . 10-16
How to Configure VPN Client Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
How to Configure VPN Address Assignment . . . . . . . . . . . . . . . . . . . . . . 10-20
How to Configure VPN Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23
How to Configure VPN Connections from Client Computers . . . . . . . . . . . 10-27
Guidelines for Troubleshooting VPN Client Connections . . . . . . . . . . . . . . 10-28
Practice: Configuring Virtual Private Networking for Remote Clients . . . . . 10-29
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-30
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-32
Lesson 3: Configuring Virtual Private Networking for Remote Sites . . . . . . . . . 10-33
Configuring a Site-to-Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-33
What Are Site-to-Site VPNs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-34
Guidelines for Choosing a VPN Tunneling Protocol . . . . . . . . . . . . . . . . . . 10-34
How to Configure a Remote-Site Network . . . . . . . . . . . . . . . . . . . . . . . . 10-36
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode . . . . . . . . . 10-39
How to Configure Network and Access Rules for Site-to-Site VPNs . . . . . . 10-40
How to Configure the Remote-Site VPN Gateway Server . . . . . . . . . . . . . . 10-42
Guidelines for Troubleshooting Site-to-Site VPNs . . . . . . . . . . . . . . . . . . . 10-43
Practice: Configuring Virtual Private Networking for Remote Sites . . . . . . . 10-44
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-47
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
Lesson 4: Configuring VPN Quarantine Control . . . . . . . . . . . . . . . . . . . . . . . 10-50
What Is Network Quarantine Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 10-50
How Network Quarantine Control Is Implemented Using ISA Server . . . . . 10-51
How to Prepare the Client-Side Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-53
How to Configure VPN Clients Using Connection Manager . . . . . . . . . . . . 10-55
How to Prepare the Listener Component . . . . . . . . . . . . . . . . . . . . . . . . 10-56
How to Enable Quarantine Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-57
How to Configure Internet Authentication Server for Network Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-59
How to Configure Quarantined VPN Client-Access Rules . . . . . . . . . . . . . 10-60
Practice: Configuring VPN Quarantine Control . . . . . . . . . . . . . . . . . . . . . 10-61
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-67
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-68
Scenario 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-69
Scenario 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-69
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-70
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-71
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-71
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-72
11
Implementing Monitoring and Reporting
11-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Lesson 1: Planning a Monitoring and Reporting Strategy . . . . . . . . . . . . . . . . . 11-3
Why You Should Implement Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
ISA Server Monitoring Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Guidelines for Planning a Monitoring and Reporting Strategy . . . . . . . . . . . 11-6
ISA Server Performance and Service Monitoring . . . . . . . . . . . . . . . . . . . . 11-9
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13
Lesson 2: Configuring and Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
What Are Alerts? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
How to Configure Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17
Guidelines for Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23
Practice: Configuring and Managing Alerts . . . . . . . . . . . . . . . . . . . . . . . 11-24
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-28
Lesson 3: Configuring Session and Connectivity Monitoring . . . . . . . . . . . . . . 11-29
What Is Session Monitoring? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
How to Monitor Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30
What Is Connectivity Monitoring? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
How to Configure Connectivity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 11-34
Practice: Configuring Session and Connectivity Monitoring . . . . . . . . . . . . 11-36
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Lesson 4: Configuring Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . 11-40
What Is ISA Server Logging? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40
How to Configure Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-41
How to View ISA Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-44
What Are ISA Server Reports? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-47
How to Configure ISA Server Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-48
Practice: Configuring ISA Server Reporting . . . . . . . . . . . . . . . . . . . . . . . 11-54
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-55
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-57
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-59
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-61
12
Implementing ISA Server 2004, Enterprise Edition
12-1
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
Lesson 1: ISA Server 2004 Enterprise Edition Overview . . . . . . . . . . . . . . . . . 12-3
Why Deploy ISA Server, Enterprise Edition? . . . . . . . . . . . . . . . . . . . . . . . 12-3
How Does ISA Server, Enterprise Edition, Store Configuration Information? . 12-5
ISA Server Enterprise Edition Configuration Components . . . . . . . . . . . . . . 12-8
How Enterprise Policies and Array Policies Work . . . . . . . . . . . . . . . . . . . 12-11
How Enterprise Edition Integrates with Network Load Balancing . . . . . . . . 12-13
How Enterprise Edition Enables Virtual Private Networking . . . . . . . . . . . 12-15
How Enterprise Edition Enables Distributed Caching Using CARP . . . . . . . 12-15
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18
Lesson 2: Planning an ISA Server 2004 Enterprise Edition Deployment . . . . . 12-20
ISA Server Enterprise Edition Deployment Scenarios . . . . . . . . . . . . . . . . 12-20
Guidelines for Planning the Configuration Storage Server Deployment . . . 12-22
Guidelines for Planning Enterprise and Array Policy Configuration . . . . . . . 12-24
Guidelines for Planning for Centralized Monitoring and Management . . . . 12-26
Guidelines for Planning a Back-to-Back Firewall Deployment . . . . . . . . . . . 12-27
Guidelines for Planning a Branch-Office Deployment . . . . . . . . . . . . . . . . 12-35
How Migrating from ISA Server 2000, Enterprise Edition, Works . . . . . . . 12-38
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-39
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-41
Lesson 3: Implementing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . 12-43
Requirements for Installing Enterprise Edition . . . . . . . . . . . . . . . . . . . . 12-43
How to Install Configuration Storage Server . . . . . . . . . . . . . . . . . . . . . . 12-45
Practice: Installing a Configuration Storage Server . . . . . . . . . . . . . . . . . 12-48
How to Configure Enterprise Policies and Networks . . . . . . . . . . . . . . . . . 12-50
How to Configure Arrays and Array Policies . . . . . . . . . . . . . . . . . . . . . . . 12-53
Practice: Configuring Enterprise and Array Policies . . . . . . . . . . . . . . . . . 12-57
How to Install ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . . . . 12-60
Practice: Installing ISA Server 2004, Enterprise Edition . . . . . . . . . . . . . . 12-62
How to Configure NLB and CARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-65
Lesson Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-70
Lesson Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-71
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-73
Exam Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-74
Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-74
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-75
Part 2
Prepare for the Exam
13
Planning and Installing ISA Server 2004 (1.0)
13-3
Testing Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Plan an ISA Server 2004 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6
Objective 1.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Objective 1.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Assess and Configure the Operating System, Hardware, and Network Services . . 13-21
Objective 1.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22
Objective 1.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26
Deploy ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30
Objective 1.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-31
Objective 1.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-35
14 Installing and Configuring Client Computers (2.0) . . . . . . . . . . . . . . . . . . . . . . 14-1
Testing Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Install Firewall Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3
Objective 2.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4
Objective 2.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-6
Configure Client Computers for ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . 14-8
Objective 2.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9
Objective 2.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-11
Configure a Local Domain Table (LDT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13
Objective 2.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-14
Objective 2.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17
Configure ISA Server 2004 for Automatic Client Configuration by Using Web Proxy Automatic Discovery (WPAD) . . . . . . . . . . . . 14-19
Objective 2.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-20
Objective 2.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-22
Diagnose and Resolve Client Computer Connectivity Issues . . . . . . . . . . . . . . 14-24
Objective 2.5 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-25
Objective 2.5 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-29
15 Configuring and Managing ISA Server 2004 (3.0) . . . . . . . . . . . . . . . . . . . . . . . 15-1
Testing Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3
Configure the System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
Objective 3.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-6
Objective 3.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-10
Back Up and Restore ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-14
Objective 3.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-15
Objective 3.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-18
Define Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-21
Objective 3.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-22
Objective 3.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-26
Configure Firewall Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-29
Objective 3.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-30
Objective 3.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-33
Configure ISA Server 2004 for Network Load Balancing . . . . . . . . . . . . . . . . . 15-36
Objective 3.5 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-37
Objective 3.5 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-39
Configure ISA Server 2004 to Support a Network Topology . . . . . . . . . . . . . . . 15-41
Objective 3.6 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-42
Objective 3.6 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-44
16 Configuring Web Caching (4.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2
Configure Forward Caching and Reverse Caching . . . . . . . . . . . . . . . . . . . . . . . 16-4
Objective 4.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-5
Objective 4.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-7
Optimize Performance on the ISA Server 2004 Cache . . . . . . . . . . . . . . . . . . 16-13
Objective 4.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-14
Objective 4.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-17
Diagnose and Resolve Caching Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-21
Objective 4.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-22
Objective 4.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-24
17 Configuring Firewall Policy (5.0) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1
Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-1
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-3
Plan a Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-5
Objective 5.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-6
Objective 5.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-10
Create Policy Elements, Access Rules, and Connection Limits . . . . . . . . . . . . 17-13
Objective 5.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-14
Objective 5.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-17
Create Policy Rules for Web Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
Objective 5.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Objective 5.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-25
Create Policy Rules for Mail Server Publishing . . . . . . . . . . . . . . . . . . . . . . . . 17-32
Objective 5.4 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-33
Objective 5.4 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-36
Create Policy Rules for Server Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-38
Objective 5.5 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-39
Objective 5.5 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-42
18 Configuring and Managing Remote Network Connectivity (6.0) . . . . . . . . . . . . 18-1
Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-2
Configure ISA Server 2004 for Site-to-Site VPNs . . . . . . . . . . . . . . . . . . . . . . . 18-4
Objective 6.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Objective 6.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-8
Configure ISA Server 2004 as a Remote-Access VPN Server . . . . . . . . . . . . . 18-12
Objective 6.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-13
Objective 6.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-16
Diagnose and Resolve VPN Connectivity Issues . . . . . . . . . . . . . . . . . . . . . . . 18-20
Objective 6.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-21
Objective 6.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-27
19 Monitoring and Reporting ISA Server 2004 Activity (7.0) . . . . . . . . . . . . . . . . . 19-1
Tested Skills and Suggested Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-1
Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-2
Monitor ISA Server 2004 Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-4
Objective 7.1 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-5
Objective 7.1 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-10
Configure and Run Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-15
Objective 7.2 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-16
Objective 7.2 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-18
Configure Logging and Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-20
Objective 7.3 Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-21
Objective 7.3 Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19-24
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I-1
Acknowledgements
Writing a book is always enjoyable because it gives me a chance to learn everything I
can about an interesting product and then communicate what I have learned to you,
the reader. Writing this book has been particularly enjoyable because everything that
happened around the writing part went so smoothly. For that I have to thank the team
that worked with me on the book.
Special thanks to my daughter, Amanda, who helped out a great deal with the technical
writing of this book. And thanks to Gary Dunlop, who wrote most of the review questions and scenarios in the first part of the book.
As usual, the team at Microsoft Learning was great. Julie Pickering got me involved in
the project and managed the project with her usual sense of humor. Lori Kane and
Colin Lyth provided book design and technical guidance. Most of the actual editing for
the book was handled by another team headquartered at nSight in Burlington, Mass.
Sue McClung, the project manager, kept us all on schedule. The expertise in network
security provided by Kurt Dillard, the technical editor, made this a better book. In addition, the editing team included the following: Peter Tietjen, copy editor; Peter Amirault,
desktop production specialist; Jan Cocker, Cindy Gierhart, Tempe Goodhue, and Kiren
Valjee, proofreaders; and Jack Lewis, indexer. Thanks to all of you.
Stan Reimer
I would love to thank my wife Oksana and son Rooslan for their love, support, and
patience.
I would also like to deeply thank the following people at Microsoft Learning and nSight
who have been instrumental in bringing about a successful conclusion to the writing
process: Julie Pickering, Susan McClung, Stan Reimer, Kurt Dillard, Lori Kane, Randall
Galloway, Peter Tietjen, Peter Amirault, Colin Lyth, and Paul Blount.
Finally, I’d like to thank Mick, Lards, Kasia, Shan, Linton, Corey, Lee, Gillian, Joan, Neil,
Elena, Alex, Serge, Chris, Mike, Sergio, Michael, and Aunt Galina for all the ways in
which they have made my family’s life brighter.
Orin Thomas
About This Book
Welcome to MCSA/MCSE Self-Paced Training Kit (Exam 70-350): Implementing
Microsoft Internet Security and Acceleration (ISA) Server 2004. This training kit is
designed to provide the knowledge you need to pass the 70-350 certification exam.
More importantly, this training kit also provides you with the knowledge and skills
required to implement, manage and administer ISA Server 2004 in a real-world environment. This goal is much more important than just passing the exam; after all, passing an exam is of little value if you cannot actually use the knowledge you have gained
to implement ISA Server 2004. To help you gain the required knowledge and skill, this
book uses conceptual information, hands-on exercises and troubleshooting labs, real-world scenarios based on the author’s consulting experiences, and questions designed
to reinforce what you have learned.
Note For more information about becoming a Microsoft Certified Professional, see the section titled “The Microsoft Certified Professional Program” later in this introduction.
Intended Audience
This book was developed for information technology (IT) professionals who plan to
take the related Microsoft Certified Professional exam 70-350: Implementing Microsoft
Internet Security and Acceleration Server 2004, as well as IT professionals who
design, develop, and implement Microsoft ISA Server 2004 for Microsoft Windows-based environments.
Note
Exam skills are subject to change without prior notice and at the sole discretion of
Microsoft.
Prerequisites
This training kit requires that students meet the following prerequisites:
Candidates for this exam operate in medium-sized to very large networked computing
environments that use Microsoft Windows 2000 Server and Microsoft Windows Server
2003 operating systems. Candidates have a basic understanding of Active Directory
directory service, DNS, DHCP, WINS, Certificate Services, RADIUS, Routing and Remote
Access Service, FTP, HTTP, HTTPS, TCP/IP, IMAP, POP3, RDP, SMTP, and SSL. They
have a minimum of one year’s experience implementing and administering networks
and operating systems in environments that have the following characteristics:
■ Between 50 and 10,000-plus supported users
■ Multiple physical locations
■ Outbound access for typical client services and applications, such as Web access, e-mail, Telnet, FTP, VPN, desktop management, Instant Messaging, and access control policies
■ Hosting of network services, such as internal and external Web hosting, messaging, Instant Messaging, RDP, and firewall
■ Connectivity requirements that include connecting individual offices and users at remote locations to the corporate network and connecting networks to the Internet
■ Using ISA Server firewall or caching services, or both, in a production environment
About the CD-ROM
For your use, this book includes a Supplemental CD-ROM, which contains a variety of
informational aids to complement the book content:
■ The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of practice tests and objective reviews contains questions of varying degrees of complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.
■ An electronic version of this book (eBook). For information about using the eBook, see the section entitled “The eBook” later in this introduction.
A second CD-ROM contains a 180-day evaluation edition of ISA Server 2004, Standard
Edition.
Features of This Book
This book has two parts. Use Part 1 to learn at your own pace and practice what you’ve
learned with practical exercises. Part 2 contains questions and answers you can use to
test yourself on what you’ve learned.
Part 1: Learn at Your Own Pace
Each chapter identifies the exam objectives that are covered within the chapter, provides an overview of why the topics matter by identifying how the information is
applied in the real world, and lists any prerequisites that must be met to complete the
lessons presented in the chapter.
The chapters are divided into lessons. Lessons contain practices that include one or
more hands-on exercises. These exercises give you an opportunity to use the skills
being presented or explore the part of the application being described.
After the lessons, you are given an opportunity to apply what you’ve learned in a case
scenario exercise. In this exercise, you work through a multi-step solution for a realistic
case scenario. In many chapters, you are also given an opportunity to work through a
troubleshooting lab that explores difficulties you might encounter when applying what
you’ve learned on the job.
Each chapter ends with a short summary of key concepts and a short section listing key
topics and terms you need to know before taking the exam. This section summarizes
the key topics you’ve learned, with a focus on demonstrating that knowledge on the
exam.
Real World Helpful Information
You will find sidebars like this one that contain related information you might
find helpful. “Real World” sidebars contain specific information gained through
the experience of IT professionals just like you.
Part 2: Prepare for the Exam
Part 2 helps to familiarize you with the types of questions you will encounter on the
MCP exam. By reviewing the objectives and sample questions, you can focus on the
specific skills you need to improve before taking the exam.
See Also
For a complete list of MCP exams, go to http://www.microsoft.com/learning/mcp/mcp/requirements.asp.
Part 2 is organized by the exam’s objectives. Each chapter covers one of the primary
groups of objectives, referred to as Objective Domains. Each chapter lists the tested
skills you need to master to answer the exam questions, and it includes a list of further
readings to help you improve your ability to perform the tasks or skills specified by the
objectives.
Within each Objective Domain, you will find the related objectives that are covered on
the exam. Each objective provides you with several practice exam questions. The
answers are accompanied by explanations of each correct and incorrect answer.
Note
These questions are also available on the companion CD as a practice test.
Informational Notes
Several types of reader aids appear throughout the training kit.
■ Tip contains methods of performing a task more quickly or in a not-so-obvious way.
■ Important contains information that is essential to completing a task.
■ Note contains supplemental information.
■ Caution contains valuable information about possible loss of data; be sure to read this information carefully.
■ Warning contains critical information about possible physical injury; be sure to read this information carefully.
■ See Also contains references to other sources of information.
■ Planning contains hints and useful information that should help you to plan the implementation.
■ On the CD points you to supplementary information or files you need that are on the companion CD.
■ Security Alert highlights information you need to know to maximize security in your work environment.
■ Exam Tip flags information you should know before taking the certification exam.
■ Off the Record contains practical advice about the real-world implications of information presented in the lesson.
Notational Conventions
The following conventions are used throughout this book:
■ Characters or commands that you type appear in bold type.
■ Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles.
■ Names of files and folders appear in Title Caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a file name in a dialog box or at a command prompt.
■ File name extensions appear in all uppercase.
■ Acronyms appear in all uppercase.
■ Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.
■ Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.
■ Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.
Keyboard Conventions
■ A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press ALT+TAB” means that you hold down ALT while you press TAB.
■ A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, “Press ALT, F, X” means that you press and release each key in sequence. “Press ALT+W, L” means that you first press ALT and W at the same time, and then release them and press L.
Getting Started
This training kit contains hands-on exercises to help you learn about ISA Server 2004
by performing the actual steps required to implement, configure, and troubleshoot ISA
Server 2004. These exercises provide hands-on skills training that you will need to pass
the exam, and to deploy ISA Server successfully in your network environment. Use this
section to prepare your self-paced training environment.
To complete some of these procedures, you must have up to four networked computers or be connected to a larger network. All computers must be capable of running
Microsoft Windows Server 2003 or Microsoft Windows XP. One of the computers must
also be capable of running Microsoft Exchange Server 2003.
Caution
Several exercises might require you to make changes to your servers. This might
have undesirable results if you are connected to a larger network. Check with your Network
Administrator before attempting these exercises.
Hardware Requirements
Each computer must have the following minimum configuration. All hardware should
be on the Windows Server 2003 or Windows XP Hardware Compatibility List.
■ A personal computer with a 550 megahertz (MHz) or higher Pentium III–compatible CPU.
■ 256 megabytes (MB) of memory.
■ For the computers that will be configured as ISA Server computers, you need one network adapter for communication with the internal network and an additional network adapter for each network directly connected to the ISA Server 2004 computer. You need two network adapters for most exercises, with a third network adapter required for one exercise.
■ One local hard disk partition that is formatted with the NTFS file system and that has at least 150 megabytes (MB) of available hard-disk space. If you enable caching and logging, you will need additional hard-disk space.
■ CD-ROM drive.
■ Microsoft Mouse or compatible pointing device.
Software Requirements
The following software is required to complete the procedures in this training kit. (A
180-day evaluation edition of ISA Server 2003, Enterprise Edition, is included on the
CD-ROM.)
■ Microsoft Windows Server 2003, Enterprise Edition
■ Microsoft Internet Security and Acceleration Server 2004, Standard Edition
■ Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition (required only for Chapter 12, “Implementing ISA Server, Enterprise Edition”)
■ Microsoft Exchange Server 2003, either Standard or Enterprise Edition (required only for Chapter 9, “Integrating ISA Server 2004 and Exchange Server,” and Chapter 11, “Implementing Monitoring and Reporting”)
■ Microsoft Windows XP, Professional Edition
■ Microsoft Outlook 2003
Caution
The 180-day Evaluation Edition that is provided with this training kit is not the full
retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support these evaluation editions. For additional support information
regarding this book and the CD-ROMs (including answers to commonly asked questions
about installation and use), visit the Microsoft Press Technical Support Web site at
http://www.microsoft.com/learning/support/default.asp. You can also e-mail [email protected] or send a letter to Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98052-6399.
Setup Instructions
Set up your computer according to the manufacturer’s instructions.
For the exercises that require networked computers, you need to make sure the computers can communicate with each other. The first computer will be configured as a
domain controller in the cohovineyard.com domain and installed as DC1. This computer should have an IP address of 10.10.0.10. If you use a different IP address, you
will need to modify the practices and labs that use this IP address.
A second computer will act as an ISA Server 2004 computer for most of the procedures
in this course. This computer will have Windows Server 2003 installed, use a computer
name of ISA1, and will be configured as a domain member in the cohovineyard.com
domain. This server should have two network interfaces installed. The network interface assigned to the internal network should have an IP address of 10.10.0.1. The network interface assigned to the external network can use any IP address that is
compatible with the IP addresses used for your test network.
To complete some of the exercises in this training kit, you will also require a Windows
XP computer installed as CLIENT1. This computer should have Outlook 2003 installed.
This computer should be a member of the cohovineyard.com domain. This computer
must have an IP address on the same network as DC1.
A third Windows Server 2003 computer named SERVER1 is required for some exercises. This computer should not be a member of the cohovineyard.com domain. This
computer should have an IP address that is on the same network as the external interface of the ISA Server computer.
To complete the exercises in Chapter 9, you will also require a Windows Server 2003
server installed as MAIL1. This server needs to be a member of the cohovineyard.com
domain and have a default installation of Exchange Server 2003 on it. The Exchange
Server computer requires at least two mailboxes configured on it. This computer
should use an IP address of 10.10.0.12.
In addition, to complete the exercises in Chapter 12, you also require two additional
ISA Server computers running Windows Server 2003, using computer names of ISA2
and ISA3, and configured as domain members in the cohovineyard.com domain.
These servers should have two network interfaces installed. The internal network interface for ISA2 should use an IP address of 10.10.0.2, and the internal network interface
for ISA3 should use an IP address of 10.10.0.3. The network interface assigned to the
external network on both computers can use any IP address that is compatible with the
IP addresses used for your test network.
Caution
If your computers are part of a larger network, you must verify with your network
administrator that the computer names, domain name, and other information used in setting
up Windows Server 2003, Windows XP, and ISA Server 2004 do not conflict with network operations. If they do conflict, ask your network administrator to provide alternative values and
use those values throughout all the exercises in this book.
The Readiness Review Suite
The CD-ROM includes a practice test made up of 300 sample exam questions and an
objective-by-objective review with an additional 125 questions. Use these tools to reinforce your learning and to identify any areas in which you need to gain more experience before taking the exam.
To install the practice test and objective review
1. Insert the Supplemental CD-ROM into your CD-ROM drive.
Note
If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD-ROM.
2. Click Readiness Review Suite on the user interface menu.
The eBook
The CD-ROM includes an electronic version of the Training Kit. The eBook is in portable document format (PDF). To view the document, you must have either Adobe Acrobat or Adobe Acrobat Reader, which are both available at the Adobe Web site (http://www.adobe.com).
To use the eBook
1. Insert the Supplemental CD-ROM into your CD-ROM drive.
Note
If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD-ROM.
2. Click Training Kit eBook on the user interface menu. You can also review any of
the other eBooks that are provided for your use.
The Microsoft Certified Professional Program
The Microsoft Certified Professional (MCP) program provides the best method to prove
your command of current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies
as you design and develop, or implement and support, solutions with Microsoft products and technologies. Computer professionals who become Microsoft-certified are recognized as experts and are sought after industry-wide. Certification brings a variety of
benefits to the individual and to employers and organizations.
See Also
For detailed information about the MCP program, go to http://www.microsoft.com/learning/itpro/default.asp.
Certifications
The Microsoft Certified Professional program offers multiple certifications, based on
specific areas of technical expertise:
■ Microsoft Certified Professional (MCP). Demonstrated in-depth knowledge of at least one Microsoft Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.
■ Microsoft Certified Solution Developer (MCSD). Professional developers qualified to analyze, design, and develop enterprise business solutions with Microsoft development tools and technologies including the Microsoft .NET Framework.
■ Microsoft Certified Application Developer (MCAD). Professional developers qualified to develop, test, deploy, and maintain powerful applications using Microsoft tools and technologies including Microsoft Visual Studio .NET and XML Web services.
■ Microsoft Certified Systems Engineer (MCSE). Qualified to effectively analyze the business requirements, and design and implement the infrastructure for business solutions based on the Microsoft Windows and Microsoft Server 2003 operating system.
■ Microsoft Certified Systems Administrator (MCSA). Individuals with the skills to manage and troubleshoot existing network and system environments based on the Windows and Windows Server 2003 operating systems.
■ Microsoft Certified Desktop Support Technician (MCDST). Individuals who support end users and troubleshoot desktop environments running on the Windows operating system.
■ Microsoft Certified Database Administrator (MCDBA). Individuals who design, implement, and administer Microsoft SQL Server databases.
■ Microsoft Certified Trainer (MCT). Instructionally and technically qualified to deliver Microsoft Official Curriculum through a Microsoft Certified Technical Education Center (CTEC).
Requirements for Becoming a Microsoft Certified Professional
The certification requirements differ for each certification and are specific to the products and job functions addressed by the certification.
To become a Microsoft Certified Professional, you must pass rigorous certification
exams that provide a valid and reliable measure of technical proficiency and expertise.
These exams are designed to test your expertise and ability to perform a role or task
with a product, and are developed with the input of professionals in the industry.
Questions in the exams reflect how Microsoft products are used in actual organizations,
giving them “real-world” relevance.
■ Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to further qualify their skills with other Microsoft products, development tools, or desktop applications.
■ Microsoft Certified Solution Developers (MCSDs) are required to pass three core exams and one elective exam. (MCSD for Microsoft .NET candidates are required to pass four core exams and one elective.)
■ Microsoft Certified Application Developers (MCADs) are required to pass two core exams and one elective exam in an area of specialization.
■ Microsoft Certified Systems Engineers (MCSEs) are required to pass five core exams and two elective exams.
■ Microsoft Certified Systems Administrators (MCSAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.
■ Microsoft Certified Desktop Support Technicians (MCDSTs) are required to pass two core exams.
■ Microsoft Certified Database Administrators (MCDBAs) are required to pass three core exams and one elective exam that provide a valid and reliable measure of technical proficiency and expertise.
■ Microsoft Certified Trainers (MCTs) are required to meet instructional and technical requirements specific to each Microsoft Official Curriculum course they are certified to deliver. The MCT program requires ongoing training to meet the requirements for the annual renewal of certification. For more information about becoming a Microsoft Certified Trainer, visit http://www.microsoft.com/traincert/mcp/mct/ or contact a regional service center near you.
Technical Support
Every effort has been made to ensure the accuracy of this book and the contents of the
companion disc. If you have comments, questions, or ideas regarding this book or the
companion disc, please send them to Microsoft Press using either of the following
methods:
E-mail:
[email protected]
Postal Mail:
Microsoft Press
Attn: MCSA/MCSE Self-Paced Training Kit (Exam 70-350): Implementing
Microsoft Internet Security and Acceleration Server 2004, Editor
One Microsoft Way
Redmond, WA 98052-6399
For additional support information regarding this book and the CD-ROM (including answers to commonly asked questions about installation and use), visit the Microsoft Press Technical Support Web site at http://www.microsoft.com/learning/support/default.asp. To connect directly to the Microsoft Press Knowledge Base and enter a query, visit http://www.microsoft.com/mspress/support/search.asp. For support information regarding Microsoft software, please connect to http://support.microsoft.com/.
Evaluation Edition Software Support
The 180-day Evaluation Edition provided with this training is not the full retail product
and is provided only for the purposes of training and evaluation. Microsoft and
Microsoft Technical Support do not support this evaluation edition.
Caution
The Evaluation Edition of ISA Server 2004, Standard Edition, that is included with this book should not be used on a primary work computer. The evaluation edition is unsupported. For online support information relating to the full version of ISA Server 2004, Standard Edition, which might also apply to the Evaluation Edition, you can connect to http://support.microsoft.com/.
Information about any issues relating to the use of this evaluation edition with this training kit is posted to the Support section of the Microsoft Press Web site at http://www.microsoft.com/learning/support/default.asp. For information about ordering the full version of any Microsoft software, please call Microsoft Sales at (800) 426-9400 or visit http://www.microsoft.com.
Part 1
Learn at Your Own Pace
1 Introduction to ISA Server 2004
Exam Objectives in this Chapter:
■ Plan an ISA Server 2004 deployment
Why This Chapter Matters
This chapter is designed to give you the big picture of what Microsoft Internet
Security and Acceleration (ISA) Server 2004 can do for your organization. In most
cases when learning a new technology, it is beneficial to get a high-level overall
picture of how the technology works before delving into the details of implementing and managing the technology. This chapter provides you with that overall picture: how ISA Server 2004 works, and when and how you should use it.
ISA Server is primarily a firewall designed to ensure that all unwanted traffic from
the Internet is kept out of an organization’s network. At the same time, ISA Server
can also be used to provide internal users with selective access to Internet
resources and Internet users with selective access to internal resources, such as
Web or e-mail servers. ISA Server is usually deployed at the perimeter of an organization’s network, which is where its internal network connects to an external
network like the Internet.
Lessons in this Chapter:
■ Lesson 1: Overview of ISA Server Functionality (page 1-4)
■ Lesson 2: Overview of ISA Server 2004 Editions and Versions (page 1-17)
■ Lesson 3: Explaining ISA Server Deployment Scenarios (page 1-22)
■ Lesson 4: Overview of ISA Server 2004 Administration (page 1-31)
Before You Begin
This chapter provides a high-level overview of ISA Server 2004 and how it can be used
to secure your organization’s network. There are no activities in this chapter that
require you to use ISA Server, so no lab preparation is required. Later chapters will provide the details about how to implement the concepts discussed here.
Lesson 1: Overview of ISA Server Functionality
ISA Server 2004 is a valuable component in an overall plan to secure an organization’s
network. Because ISA Server is deployed at the connecting point between an internal
network and the Internet, ISA Server’s role is critical. Almost all organizations provide
some level of access to the Internet for their users. ISA Server can be used to enforce
security policies dealing with the types of access users should have to the Internet. At
the same time, many organizations also allow remote users some type of access to
internal servers. For example, almost all organizations allow e-mail servers on the
Internet to connect to internal e-mail servers to send Internet e-mail. Many companies
also host internal Web sites, or want employees to be able to access internal resources
from the Internet. ISA Server 2004 can be used to ensure that access to these internal
resources is secure.
After this lesson, you will be able to
■ List the functionality provided by ISA Server 2004
■ Describe how ISA Server 2004 operates as a firewall
■ Describe how ISA Server 2004 can be used to enable secure access to Internet
resources
■ Describe how ISA Server 2004 can be used to enable secure access to internal network
resources for Internet users
■ Describe how ISA Server 2004 can be used to enable secure access to Microsoft
Exchange Server
■ Describe how ISA Server 2004 can be used to enable virtual private network (VPN)
access for remote access clients and networks
Estimated lesson time: 30 minutes
How ISA Server Works—An Overview
ISA Server is designed to secure the perimeter of an organization’s network. In most
cases, this perimeter is between the organization’s internal local area network (LAN)
and a public network such as the Internet. Figure 1-1 shows an example of where ISA
Server may be deployed.
Figure 1-1 ISA Server is used to protect the perimeter of an organization’s network. (Diagram; labels shown: E-Mail Server, File Server, Web Server, ISA Server, Internet.)
Figure 1-1 shows a simple example of an ISA Server deployment. The internal network,
or protected network, is usually located on an organization’s premises and is under the
control of the organization’s IT staff. The internal network is considered to be relatively
secure; that is, normally only authorized users have physical access to the internal network. Also, the IT staff have a great deal of control over the types of traffic that are
allowed on the internal network.
Security Alert
Even though the internal network is more secure than the Internet, don’t
make the mistake of thinking that you just need to secure the network perimeter. To protect
your network fully, you must employ a defense-in-depth strategy, which includes steps to
ensure that the internal network is secure even in the event of a perimeter breach. Many
recent network attacks like viruses and worms have devastated networks that have secure
perimeters. ISA Server is critical in securing the network perimeter, but don’t think that your
job is done after you finish deploying ISA Server.
An organization has no control over who is accessing the Internet or over the security
of network traffic on the Internet. Anyone in the world with an Internet connection can
locate and access any other Internet connection using almost any application or protocol. Also, network packets sent via the Internet are not secure because they can be
captured and inspected by anyone running a packet sniffer on an Internet network
segment. A packet sniffer is an application that can be used to capture and view all the
network traffic on a network. In order to capture network traffic, the packet sniffer
must be connected to a network segment located between two routers.
Security Alert
The Internet is a fascinating and incredible invention. You can find information
on literally anything online. You can locate other people who share your interests and communicate with those people regardless of national boundaries or physical distance. At the same time,
the Internet is also a hazardous place, simply because anyone can access it. The very nature of
the Internet makes securing it almost impossible. For example, the Internet is not designed to
distinguish between the legitimate user and the hacker—both users can gain access to the Internet. This means that as soon as your organization creates a connection to the Internet, that connection is exposed to anyone on it. This may be a legitimate user looking for information on your
organization’s Web site, or it may be a hacker trying to deface your Web site or steal customer
data from you. A good first step in securing your Internet connection is to assume the worst—
begin by assuming that every user connecting to you is a hacker until proven otherwise.
Figure 1-1 showed a simple example of a network configuration where the boundary
between an organization’s internal network and the Internet is easy to define. In reality,
defining the boundary between an organization’s internal network and the rest of the
world is not so simple. Figure 1-2 shows a more complicated, but more realistic, scenario.
Figure 1-2 An organization’s network may include multiple access points. (Diagram; labels shown: Main Office Network, Branch Office Network, Business Partner Network, E-Mail Server, File Server, Web Server, ISA Server, Internet, Internet User, Remote Employee, Encrypted VPN Connections, Public Non-secure Connections.)
The network perimeter is much more difficult to define in a scenario such as the one
shown in Figure 1-2. For example, company requirements may mean that the boundary
between the internal network and the Internet can be crossed in several different ways:
■ Any user on the Internet should be able to access the public Web site.
■ Only users from a partner organization should be able to access a private Web site, and these users should be limited in what they can see on the site. These users are accessing the private Web site from the Internet.
■ Users from a branch office should be able to gain full access to network resources on the internal network. The only connection between the branch office and the main office networks passes through the Internet.
■ Employees that are out of the office and have an Internet connection should have access to internal network resources, including e-mail and file servers.
■ Users on an internal network should be able to access the Internet, but should be limited to using only specific applications and allowed access to only specific Internet resources.
This scenario makes securing the Internet connection much more difficult. Regardless
of the company scenario, ISA Server is designed to provide the required security at the
network perimeter. For example, in the scenario shown in Figure 1-2, ISA Server can
provide perimeter security by doing the following:
■ Enabling anonymous access to the public Web site while filtering out malicious code aimed at compromising the Web site
■ Authenticating users from the partner organization before granting access to the private Web site
■ Enabling VPN access between the organization’s locations so that users in the branch office can get access to internal network resources
■ Enabling access to the internal e-mail servers for remote employees, and enabling client VPN access to internal file servers
■ Enforcing the organization’s Internet access policies by limiting the protocols available to users, and by filtering each user request to ensure they are accessing only the permitted Internet resources
The following sections go into more detail about how ISA Server provides this functionality.
How ISA Server Works as a Firewall
A firewall is a device that is located between one segment of a network and another,
and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be
allowed to pass through. A firewall may be positioned and configured to protect an
organization from the Internet, or it may be positioned internally to protect specific
sections of an organization’s corporate network.
In most cases, firewalls are deployed at the network perimeter. The primary purpose of
a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization’s internal network unless it has been
explicitly permitted. For example, the organization may have an internal Web server
that needs to be accessible to Internet users. The firewall can be configured to allow
Internet traffic to access only that Web server.
ISA Server 2004 provides firewall functionality. By default, when you deploy ISA
Server, it will block all traffic between networks that are attached to the server, including internal networks, perimeter networks (also known as demilitarized zones, or
DMZs), and the Internet. ISA Server 2004 uses three types of filtering rules to block or
allow network traffic: packet filtering, stateful filtering, and application-layer filtering.
Packet Filtering
Packet filtering works by examining the header information for each network packet
that arrives at the firewall. When the packet arrives at the ISA Server network interface,
ISA Server opens the packet header and checks information such as the source and
destination addresses and the source and destination ports. ISA Server compares this
information against its firewall rules that define which packets are allowed. If the
source and destination addresses are allowed, and if the source and destination ports
are allowed, the packet passes through the firewall to the destination network. If the
addresses and the ports are not explicitly allowed, the packet is dropped and not forwarded through the firewall.
Stateful Filtering
Stateful filtering uses a more thorough examination of the network packet to make
decisions on whether to forward it or not. When ISA Server uses a stateful inspection,
it examines the Internet Protocol (IP) and the Transmission Control Protocol (TCP)
headers to determine the state of a packet within the context of previous packets that
have passed through ISA Server, or within the context of a TCP session. For example,
a user on the internal network may send a request to a Web server on the Internet. The
Web server sends a reply to that request. When the reply packet arrives at the firewall,
the firewall inspects the TCP session information that is part of the packet. The firewall
determines that the packet is part of a currently active session that was initiated by the
internal user, so the packet is forwarded to the user’s computer. If a user from outside
the network attempts to connect to a computer inside the organization’s network, the
firewall determines that the packet is not part of a currently active session and the
packet is dropped.
Application-Layer Filtering
ISA Server also uses application-layer filtering to determine whether a packet is allowed or
not. Application-layer filtering examines the actual content of a packet to determine if the
packet can be forwarded through the firewall. An application filter opens the entire packet
and examines the actual data in it before making a forwarding decision. For example, a
user on the Internet may request a page from the internal Web server using the Hypertext
Transfer Protocol (HTTP) GET command. When the packet arrives at the firewall, the
application filter inspects the packet and detects the GET command. The application filter
checks its policy to determine if the GET command is allowed. In most cases, the GET
command is allowed and the packet is forwarded to the internal Web server.
If the user sends a similar packet to the Web server, but uses the HTTP POST command, ISA Server again examines the packet. Because the POST command is used to
write information to the Web server, the command is likely to be blocked. ISA Server
notices the POST command, determines that the command is not allowed by the firewall policy, and drops the packet. The HTTP application filter provided with ISA Server
2004 can check for any information in the data, including virus signatures, Uniform
Resource Locator (URL) length, page header content, and file extensions. ISA Server
includes other application filters for securing other protocols and applications in addition to the HTTP filter.
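The three filtering layers just described, as an added illustration that is not ISA Server code: a toy firewall that applies a header-only packet filter, a stateful check for replies to sessions opened from the internal network, and an HTTP application filter that allows GET but blocks POST, over-long URLs and blocked file extensions. All addresses, ports and rules are constructed sample values.

```python
"""Toy three-layer firewall illustrating the packet, stateful and
application-layer checks the lesson describes. This is an added teaching
example, not ISA Server code; every address, port and rule is constructed."""
from dataclasses import dataclass, field

INTERNAL_NET = "10.0.0."        # constructed: prefix of the internal network
WEB_SERVER = "10.0.0.80"        # constructed: the published internal Web server


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""        # application data, if any


@dataclass
class Firewall:
    # Packet-filter rules: (source prefix, destination or None for any, port).
    # Anything not explicitly allowed is dropped, as ISA Server does by default.
    allow_rules: list = field(default_factory=list)
    # Stateful table: sessions opened from the internal network, keyed so the
    # reply packet (addresses and ports swapped) can be recognised.
    sessions: set = field(default_factory=set)
    max_url_len: int = 256
    blocked_extensions: tuple = (".exe", ".vbs")

    def packet_filter(self, p: Packet) -> bool:
        """Layer 1: look only at the header fields (addresses and ports)."""
        return any(
            p.src.startswith(src_prefix)
            and (dst is None or dst == p.dst)
            and dport == p.dport
            for src_prefix, dst, dport in self.allow_rules
        )

    def is_reply(self, p: Packet) -> bool:
        """Layer 2: is this inbound packet part of a session that an internal
        client initiated? Unsolicited inbound packets fail this test."""
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

    def http_filter(self, p: Packet) -> bool:
        """Layer 3: open the payload of traffic to the published Web server and
        inspect the HTTP request line, as the lesson's GET/POST example does."""
        if p.dst != WEB_SERVER or not p.payload:
            return True                      # nothing to inspect at this layer
        try:
            request_line = p.payload.split(b"\r\n", 1)[0].decode("ascii")
            method, url, version = request_line.split(" ")
        except (UnicodeDecodeError, ValueError):
            return False                     # malformed request line
        if method != "GET" or not version.startswith("HTTP/"):
            return False                     # e.g. POST is not allowed
        if len(url) > self.max_url_len:
            return False                     # over-long URL
        if url.lower().endswith(self.blocked_extensions):
            return False                     # blocked file extension
        return True

    def decide(self, p: Packet) -> str:
        """Run the layers in order and return the forwarding decision."""
        if p.src.startswith(INTERNAL_NET):
            # Outbound: must match an allow rule; remember the session so that
            # the reply from the Internet can come back in.
            if not self.packet_filter(p):
                return "drop: outbound protocol not permitted"
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "forward"
        # Inbound: replies to active sessions pass the stateful check...
        if self.is_reply(p):
            return "forward"
        # ...everything else needs an explicit rule (a published server)...
        if not self.packet_filter(p):
            return "drop: unsolicited inbound packet"
        # ...and published Web traffic is also inspected at the application layer.
        if not self.http_filter(p):
            return "drop: blocked by HTTP application filter"
        return "forward"


def build_demo_firewall() -> Firewall:
    """Constructed policy: internal clients may browse (port 80) anywhere;
    anyone on the Internet may reach the published Web server on port 80."""
    return Firewall(allow_rules=[(INTERNAL_NET, None, 80), ("", WEB_SERVER, 80)])


if __name__ == "__main__":
    fw = build_demo_firewall()
    # Constructed sample traffic (198.51.100.x and 203.0.113.x are documentation ranges).
    samples = [
        Packet("10.0.0.5", 40000, "198.51.100.7", 80),               # outbound browse
        Packet("198.51.100.7", 80, "10.0.0.5", 40000),               # its reply
        Packet("203.0.113.9", 5555, "10.0.0.20", 445),               # unsolicited inbound
        Packet("203.0.113.9", 5556, WEB_SERVER, 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("203.0.113.9", 5557, WEB_SERVER, 80, b"POST /upload.asp HTTP/1.1\r\n"),
    ]
    for pkt in samples:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {fw.decide(pkt)}")
```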
Real World
Application-Layer Filtering
Virtually all firewalls available today perform packet and stateful filtering. However, many of these firewalls do not have the ability to perform application-layer
filtering. And yet application-layer filtering has become one of the most critical
components in securing a network perimeter. For example, virtually all organizations allow HTTP traffic (port 80) from the internal network to the Internet. As a
result, many applications can now be tunneled through HTTP. For example, MSN
Messenger and some peer-to-peer file sharing applications, such as Kazaa, use
HTTP as a protocol. HTTP traffic can also include viruses or other malicious code.
The only way to block unwanted network traffic, while still allowing legitimate
HTTP usage, is to implement a firewall that is capable of application-layer filtering.
The application-layer firewall can examine the contents of packets and block traffic
based on HTTP methods (to block applications) or signatures (to block viruses,
malicious code, or applications). ISA Server 2004 is exactly the type of sophisticated
application-layer firewall that has become critical in protecting networks.
How ISA Server Enables Secure Internet Access
Almost all organizations provide Internet access for their users. The use of the World
Wide Web as a source of information and as a communication tool means that most
organizations cannot afford to be without access to it. At the same time, ensuring that
the Internet connection is secure is critical.
Providing secure Internet access for users in an organization means the following:
■ Users can access required resources. In many organizations, users must be able to access the Internet using a Web browser or other application.
■ Users can access only permitted resources. Most organizations have an Internet usage policy that defines the types of applications that can be used to access the Internet, and the types of Internet resources that can be accessed.
■ The connection to the Internet is secure. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the individual computer (for example, the computer name, user logon name, or shared folders), as well as details about the network configuration (for example, the client IP address), should be hidden.
■ Data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal data, such as credit card information, or confidential organizational information, such as client data, over the Internet. This data must be secure when it leaves the organization.
ISA Server 2004 can be used to secure connections for clients accessing resources on
the Internet. To enable this, you must configure all client connections to the Internet so
that they pass through ISA Server. When you configure this option, ISA Server operates
as a proxy server between the internal client and the Internet resource.
When you configure internal clients to send all Internet requests through ISA Server,
the client requests are sent to the proxy server component in ISA Server. ISA Server
then sends the request to the Web server on the Internet. The Web server responds to
the request and sends the reply back to the proxy server. The proxy server then forwards the reply back to the client that requested the information.
Using a proxy server means that there is no direct connection between the internal client and the Web server. The client’s internal network information is not sent across the
Internet. In addition to providing a secure connection, ISA Server 2004 can also filter
Internet requests based on information such as user name, client IP address, protocol,
and request content. This means that you can restrict which users can access information on the Internet, which applications they can use to access that information, and
what types of information the users can access.
ISA Server can also operate as a caching server. The ISA Server cache is a store of frequently retrieved objects and URLs located on the cache drive of an ISA Server computer. Caching improves network performance because ISA Server can return
information to a client from the cache rather than from the Internet. For example, when
a user requests a page from a Web server that is not in the ISA Server cache, the ISA
Server computer retrieves the object from the Web and then retains a copy in its cache
before delivering the object to the user. The benefit of caching is that when a second
user requests the same Web page, ISA Server returns the object from its cache, saving
time and eliminating additional Internet traffic.
How ISA Server Enables Internal Resource Publishing
Most organizations want Internet users to be able to access some resources located on
their internal or protected networks. At a minimum, most organizations need to provide access to a public Web site. Organizations that are using the Internet to complete
business transactions may need to make confidential information available or collect
confidential information via a secure Web site. In addition, organizations may need to
enable access to non-Web-based resources, such as DNS servers, media servers, or
database servers.
Making internal resources accessible via the Internet increases security risks for an organization. To reduce these risks, the firewall at the perimeter of a network must be able to
block all malicious traffic from entering the organization’s network, and ensure that Internet users can access only the required servers. The firewall may also need to redirect traffic to more than one internal server, and provide access to multiple Web sites or internal
servers while shielding the internal network configuration from the Internet.
You can use ISA Server 2004 to provide secure access to internal resources for Internet
users by using ISA Server to publish the internal resources. To configure ISA Server
publishing, you configure a publishing rule that specifies how ISA Server will respond
to requests from the Internet. ISA Server provides three different types of publishing
rules: Web publishing rules, secure Web publishing rules, and server publishing rules.
Web Publishing Rules
ISA Server 2004 uses Web publishing to enable secure access to internal Web servers
for Internet clients. When you create a Web publishing rule, you are configuring ISA
Server to listen for HTTP requests from the Internet. When the request for a Web page
arrives, ISA Server evaluates the request. If the request matches the properties of a Web
publishing rule, ISA Server forwards the request to an internal Web server. The internal
Web server sends the requested Web page to ISA Server, which then forwards the Web
page to the Internet client. If caching is enabled on ISA Server, subsequent requests for
the Web page can be provided from the ISA Server cache.
ISA Server provides several options for securing access to the internal Web server.
When you configure a Web publishing rule, you specify which Web server is being
published by the Web publishing rule. Only published servers are accessible from the
Internet. In addition, you can limit the URLs that ISA Server will respond to. For example, you can configure ISA Server to respond only to a URL like www.cohovineyard.com. If an Internet user uses any other URL to try to connect to a Web server, the
ISA Server computer will drop the request. You can also limit IP addresses and address
ranges that are allowed to connect to the Web site.
ISA Server Web publishing rules can also be used to hide the complexity of the internal
network from Internet users. Frequently, an organization may need to publish multiple
Web sites, but may have only a single IP address that is routable on the Internet. Or a
Web server may contain multiple virtual directories, but the organization may want to
hide the actual names of those directories from Internet users. In some cases, a Web site
may contain links to other internal servers that are not accessible from the Internet. ISA
Server can be used in all of these situations to provide a single entry point to the internal
Web sites, while hiding the complexity of the internal configuration from Internet users.
Secure Web Publishing Rules
Some organizations need additional security for their Web sites. The sites may contain
confidential organizational data that can be accessed only by specified users, or they
may collect confidential data from Internet users, including personal and credit card
information. The data may need to be encrypted while it is crossing the Internet. You
can help to protect such Web servers from Internet attacks by using ISA Server as a firewall, and by using Web publishing rules to enable access to the site. To encrypt traffic
between the internal network and the Internet client, you need to configure a secure
Web publishing rule.
A secure Web publishing rule is a regular Web publishing rule that uses Secure Sockets
Layer (SSL) on port 443 to encrypt all traffic passed from the internal network to the
Internet client. ISA Server provides multiple options for using SSL. For example, you
can configure ISA Server to encrypt all traffic between ISA Server and the Internet client, but not to encrypt the traffic on the internal network. Alternatively, you can
encrypt only traffic on the internal network. You can also configure ISA Server to
encrypt traffic on both the internal network and to and from the Internet. You can configure ISA Server to apply application filtering on the encrypted packets as well. With
this configuration, the ISA Server computer will decrypt the packet, filter it, and then
encrypt the packet again.
Another important part of enabling secure access to a Web site is to ensure that only
authorized personnel have access to the site. Both Web publishing rules and secure
Web publishing rules can be configured to do this. ISA Server supports multiple methods for authenticating users, including certificates, Active Directory directory service,
Remote Authentication Dial-In User Service (RADIUS), and RSA SecurID. You can also
configure authentication at different locations. For example, you can configure ISA
Server to authenticate all users before granting access to a Web site. Or you can configure ISA Server to pass the user credentials to the Web server, and then configure the
Web server to authenticate the users. In some cases, you may want to authenticate
users at both ISA Server and Web server levels.
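The Web publishing, secure Web publishing and authentication options above, as an added illustration that is not ISA Server's own object model: a toy rule evaluator that matches public name, path and listener port, restricts client addresses, decides whether authentication happens at ISA Server or is left to the Web server, and rewrites the request onto a hidden internal server (re-encrypting on the internal leg when the rule bridges SSL). www.cohovineyard.com is the fictitious name from the text; every other host name, path and address is constructed.

```python
"""Toy evaluator for the Web publishing rule properties described in the
lesson. This is an added teaching example, not ISA Server's object model;
all host names, paths and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class WebPublishingRule:
    name: str
    public_names: tuple            # host names the rule responds to
    external_path: str             # URL prefix visible to Internet users
    internal_server: str           # internal host, never revealed to the client
    internal_path: str             # real virtual directory, also hidden
    require_ssl: bool = False      # secure Web publishing rule: listener on 443
    internal_ssl: bool = False     # re-encrypt on the internal leg (SSL bridging)
    authenticate_at_isa: bool = False   # True: ISA authenticates; False: Web server does
    allowed_clients: tuple = ()    # CIDR strings; empty tuple means any client

    def matches(self, req: "Request") -> bool:
        """Listener port, public name and path prefix must all match."""
        port = 443 if self.require_ssl else 80
        if req.port != port or req.host not in self.public_names:
            return False
        prefix = self.external_path.rstrip("/") + "/"
        return req.path == self.external_path or req.path.startswith(prefix)

    def client_allowed(self, client_ip: str) -> bool:
        """Optional restriction to listed source address ranges."""
        if not self.allowed_clients:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.allowed_clients)

    def internal_url(self, req: "Request") -> str:
        """Rewrite the public path onto the hidden internal server and directory."""
        rest = req.path[len(self.external_path.rstrip("/")):]
        path = self.internal_path.rstrip("/") + "/" + rest.lstrip("/")
        scheme = "https" if self.internal_ssl else "http"
        return f"{scheme}://{self.internal_server}{path}"


@dataclass
class Request:
    client_ip: str
    host: str
    path: str
    port: int = 80
    credentials: Optional[str] = None   # None: the client sent no credentials


def evaluate(rules, req: Request) -> Tuple[str, str]:
    """Return (decision, detail). A request that no rule matches is dropped,
    which is what the lesson says ISA Server does with unexpected URLs."""
    for rule in rules:
        if not rule.matches(req):
            continue
        if not rule.client_allowed(req.client_ip):
            return ("deny", f"{rule.name}: client address not permitted")
        if rule.authenticate_at_isa and req.credentials is None:
            return ("deny", f"{rule.name}: authentication required at ISA Server")
        # Otherwise authentication is left to the Web server (or done at both).
        return ("forward", rule.internal_url(req))
    return ("drop", "no Web publishing rule matches")


def demo_rules():
    """Constructed rules: an anonymous public site and a partner-only secure site."""
    return [
        WebPublishingRule("Public site", ("www.cohovineyard.com",), "/", "webint01", "/"),
        WebPublishingRule("Partner site", ("partners.cohovineyard.com",), "/portal",
                          "webint02", "/partner-v3", require_ssl=True, internal_ssl=True,
                          authenticate_at_isa=True, allowed_clients=("203.0.113.0/24",)),
    ]


if __name__ == "__main__":
    # Constructed sample requests (198.51.100.x and 203.0.113.x are documentation ranges).
    for req in [
        Request("198.51.100.4", "www.cohovineyard.com", "/index.html"),
        Request("198.51.100.4", "intranet.cohovineyard.com", "/"),
        Request("203.0.113.10", "partners.cohovineyard.com", "/portal/orders", 443, "alice"),
        Request("203.0.113.10", "partners.cohovineyard.com", "/portal/orders", 443),
        Request("198.51.100.4", "partners.cohovineyard.com", "/portal/orders", 443, "bob"),
    ]:
        print(req.host + req.path, "->", evaluate(demo_rules(), req))
```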
Server Publishing Rules
Web publishing and secure Web publishing can grant access only to Web servers using
HTTP or Hypertext Transfer Protocol Secure (HTTPS). To grant access to internal
resources using any other protocol, you must configure server publishing rules. When
you create a server publishing rule, you are configuring ISA Server to listen for client
requests using a particular port number. When ISA Server receives a request on the
external interface for that port, it checks the server publishing rule to determine which
internal server is providing the service. ISA Server then passes the request to the internal server configured in that server publishing rule. The internal server responds to the
client request, forwarding the response through ISA Server.
Server publishing rules can be used to publish any server as long as ISA Server has a definition for the protocol that the server is using. ISA Server includes more than 20 protocol
definitions. For some protocols, ISA Server includes both secure and non-secure definitions. For example, you can configure a server publishing rule using the Internet Mail
Access Protocol version 4 (IMAP4), or you can use the Internet Mail Access Protocol
Secure (IMAPS) protocol so that all the traffic will be encrypted using SSL. ISA Server also
includes specific application filters for many of the supported protocols. If ISA Server
does not have an existing definition for a desired protocol, you can create it.
How ISA Server Enables E-Mail Server Publishing
In addition to granting access to Web sites, almost all organizations also provide access to
e-mail servers from the Internet. In order to receive e-mail from Internet users, organizations must configure their e-mail server to accept Simple Mail Transfer Protocol (SMTP)
port 25 connections. In most cases, an organization’s e-mail server is located on an internal
network, which means that the organization must allow SMTP connections through the
firewall. Many organizations use Exchange Server as their e-mail server. Exchange Server
operates as an SMTP server, but also provides several options for users to access their e-mail from the Internet. This means that securing access to Exchange Server computers usually includes securing both SMTP server connections and client connections.
ISA Server 2004 provides the following features to help secure access to Exchange
Server computers:
■ SMTP server publishing rules and SMTP application and content filters. ISA Server 2004 includes an SMTP server publishing rule that can be used to publish the internal SMTP server. It also includes an SMTP application filter that can block specific SMTP commands or malformed commands. For example, attackers may attempt a buffer overflow attack on an Exchange Server computer by sending SMTP commands with larger-than-normal payloads. The SMTP application filter can block this type of attack.
■ SMTP Message Screener. Message Screener can filter out the unwanted e-mail that enters an organization. All organizations are bombarded with unwanted e-mail, either in the form of unsolicited commercial e-mail (or spam), or e-mails with virus-bearing attachments. Message Screener can block e-mail messages based on who sent the message and whether the message contains specific attachments or keywords.
■ Pre-configured Web publishing rules that can provide access to the Exchange Server computer for Microsoft Outlook Web Access (OWA) and Outlook Mobile Access (OMA) clients. OWA provides access to mailboxes on the Exchange Server computer for users using Web browsers, while OMA provides e-mail access to wireless Web clients. The specialized Web publishing rules are preconfigured so that when you create a new mail publishing rule, many of the configuration options are enabled by default. You can also use the ISA Server HTTP filter to apply application-layer filtering to Web client connections, to block potentially dangerous attachments or message contents.
■ Web or server publishing rules that make Exchange Server computers accessible to Internet clients. Exchange Server computers support many different e-mail clients. One of the most popular clients is Microsoft Outlook, which uses remote procedure call (RPC) connections to the Exchange Server computer. RPC connections are very difficult to secure because the ports used for RPC are dynamically assigned when a client connects to the server. ISA Server can provide secure access for Outlook clients with an included RPC filter that can manage dynamic RPC ports. ISA Server can also be used to publish Exchange Server computers using other e-mail protocols, such as IMAP and Post Office Protocol (POP).
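The SMTP application filter in the first item above blocks chosen commands and malformed or oversized command lines. The following is an added example of that screening logic, not code from the training kit or from ISA Server: the disabled-command list, the per-command argument caps and the sample session are constructed assumptions, while the 512-octet command line limit is RFC 5321's.

```python
"""Added example: an SMTP command screener modelled on what the text says the
ISA Server SMTP application filter does. Policy values are constructed."""
import re
from typing import List, Tuple

# RFC 5321 section 4.5.3.1: a command line, including CRLF, is at most 512 octets.
MAX_COMMAND_LINE = 512

# Commands the administrator chose to disable (constructed policy: VRFY and EXPN
# disclose mailbox names, TURN is obsolete).
DISABLED_COMMANDS = {"VRFY", "EXPN", "TURN"}

# Verbs the screener recognises; anything else is treated as malformed.
KNOWN_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
                  "HELP", "VRFY", "EXPN", "TURN", "ETRN", "AUTH", "STARTTLS", "BDAT"}

# Per-command argument caps (constructed: HELO/EHLO use RFC 5321's 255-octet domain
# limit, MAIL/RCPT allow a 256-octet path plus keyword and brackets).
MAX_ARGUMENT = {"HELO": 255, "EHLO": 255, "MAIL": 320, "RCPT": 320, "AUTH": 400}
DEFAULT_MAX_ARGUMENT = 128

# verb, optional single-space-separated argument, optional trailing spaces
_COMMAND_RE = re.compile(r"^([A-Za-z]{4,8})(?: +(.*\S))? *$")


def screen_command(line: str) -> Tuple[bool, str]:
    """Decide whether one client command line may be forwarded to the SMTP server."""
    raw = line.rstrip("\r\n")
    if len(raw) + 2 > MAX_COMMAND_LINE:  # +2 for the CRLF carried on the wire
        return False, f"command line exceeds {MAX_COMMAND_LINE} octets"
    if not raw.isascii() or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return False, "non-ASCII or control characters in command line"
    match = _COMMAND_RE.match(raw)
    if not match:
        return False, "malformed command syntax"
    verb, arg = match.group(1).upper(), match.group(2) or ""
    if verb not in KNOWN_COMMANDS:
        return False, f"unknown command {verb}"
    if verb in DISABLED_COMMANDS:
        return False, f"{verb} is disabled by policy"
    limit = MAX_ARGUMENT.get(verb, DEFAULT_MAX_ARGUMENT)
    if len(arg) > limit:
        return False, f"{verb} argument of {len(arg)} octets exceeds {limit}"
    return True, "ok"


def screen_session(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Screen each command a client sent; a filter would drop the blocked ones
    (or the whole session) and log the reason. Message bodies are not covered."""
    return [(line, *screen_command(line)) for line in lines]


# Constructed client session: three normal commands, one disabled command,
# one line over the RFC limit, one oversized HELO argument, then DATA.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "VRFY postmaster",
    "HELO " + "A" * 600,
    "HELO " + "B" * 300,
    "DATA",
]

if __name__ == "__main__":
    for line, allowed, reason in screen_session(SAMPLE_SESSION):
        print("ALLOW" if allowed else "BLOCK", reason, "::", line[:40])
```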
How ISA Server Works as a VPN Server
In addition to granting Internet users access to specific internal servers, many organizations also need to provide remote users with access to all internal network resources.
For example, an employee may be traveling and need access to resources located on
the internal servers. Or an organization may have multiple locations, with employees
from one office requiring access to network resources in another. To enable this level
of access to the internal network, many organizations implement VPNs.
A VPN is a secure network connection created through a public network such as the
Internet. The VPN is secured by using authentication and encryption, so that even if
network packets are captured on the public network the packets cannot be read or
replayed. VPNs can be created between a remote access user and the internal network,
or between two company locations.
A remote access VPN provides an alternative to dial-up connections by providing
secure access from any Internet location. This means that a user can connect to the
Internet by using a local dial-up account or a high-speed Internet connection such as
a DSL, and then connect to the VPN gateway. All packets sent across the Internet using
the VPN are secured.
A site-to-site VPN provides an alternative to using a dedicated wide area network
(WAN) to connect company locations. A site-to-site VPN is created when a VPN gateway server in one company location creates a secure VPN tunnel through the Internet
to a second VPN gateway server located at another location. In most cases, using a
VPN is much more cost-effective than using a WAN to connect company locations.
ISA Server provides a VPN remote access solution that is integrated within the firewall.
When remote clients connect to a computer running ISA Server using a VPN, the clients
are assigned to the VPN Clients network. This network is treated just like any other network on ISA Server, which means you can configure firewall rules to filter all traffic
from VPN clients. ISA Server also provides VPN quarantine control functionality. VPN
quarantine control delays normal remote access to a private network until the configuration of the remote access client has been examined and validated by a client-side
script. If you enable VPN quarantine control, all VPN clients are assigned to the Quarantined VPN Clients network until they have passed specific security checks. You can
configure firewall rules that filter all traffic from the clients in the Quarantined VPN Clients network to any other network on a computer running ISA Server.
ISA Server also enables site-to-site VPNs. In this scenario, you configure an ISA Server
in each company location. When the ISA Server computer in one location receives network traffic destined for the other location, the ISA Server computer initiates a site-to-site VPN connection and routes the traffic through it to the other location. To configure
site-to-site VPN connections, you create a remote-site network on ISA Server, and then
define the access rules that determine the types of traffic to be allowed to flow
between the networks.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed ISA Server 2004 at the perimeter of your network. You need to
ensure that all users are able to access the Internet through the ISA Server computer. However, you also need to ensure that users can access only approved Web
sites. What should you do?
2. You have deployed ISA Server 2004 at the perimeter of your network. You now
need to configure the ISA Server computer so that the organization’s Web site is
available to all users on the Internet. You also need to ensure that only remote
employees can access a Web site that contains confidential customer information.
The data on the confidential Web site must not be readable when it is sent across
the Internet. What should you do?
3. You have deployed ISA Server 2004 as a VPN remote access server. What ISA
Server feature can be used to ensure that all client computers are in compliance
with the organization’s security policies before granting the user access to the
network?
a. PPTP
b. RADIUS authentication
c. Quarantine control
d. Application-layer filtering
Lesson Summary
■ ISA Server 2004 is normally installed at a network perimeter and is used to block all unauthorized access to an internal network, as well as allow limited access from the internal network to the Internet.
■ ISA Server 2004 provides firewall functionality. As a firewall, ISA Server provides packet filtering, stateful filtering, and application-layer filtering.
■ ISA Server 2004 enables secure access to the Internet by ensuring that clients can access only the required resources on the Internet, and by ensuring that the connection and data transfer both to and from the Internet are secure.
■ ISA Server 2004 allows secure access from the Internet to internal network resources through the use of Web publishing rules, secure Web publishing rules, and server publishing rules. These publishing rules limit who can access the internal network and what can be viewed once the internal network is accessed.
■ ISA Server 2004 can enable secure access to e-mail servers by blocking attacks against those servers and filtering incoming mail for unwanted spam and attachments. ISA Server can also enable secure client connections to Exchange Server for clients using a variety of client protocols.
■ ISA Server 2004 can enable secure connections to internal network resources by enabling VPN connections for remote clients and sites.
Lesson 2: Overview of ISA Server 2004 Editions and Versions
ISA Server 2004 comes in two versions, Standard Edition and Enterprise Edition. The
types of functionality provided by the two editions are very similar; however, Enterprise
Edition includes several enhancements that make it easy to deploy multiple ISA Server
computers with the same configuration and configured for load balancing. Both editions
of ISA Server 2004 are upgrades of ISA Server 2000 and include several new features.
After this lesson, you will be able to
■ Describe the differences between ISA Server, Standard Edition, and ISA Server, Enterprise Edition
■ Describe the differences between ISA Server 2004 and ISA Server 2000
Estimated lesson time: 15 minutes
Differences Between ISA Server Standard Edition and Enterprise Edition
ISA Server 2004 is available in two versions, Standard Edition and Enterprise Edition. In
simple terms, Standard Edition is the version for you if you are deploying a single ISA
Server, or if you are deploying a single ISA Server in a specific role. For example, if you
are deploying a single ISA Server as a proxy server and firewall, or if you are deploying
one ISA Server in one or more branch offices as well as an ISA Server in a central
office, you should choose Standard Edition. However, if you are deploying multiple
servers in each role, you should look at Enterprise Edition. For example, if you are
working for a large organization that requires multiple servers deployed as proxy and
caching servers in a central office, you should consider deploying Enterprise Edition.
ISA Server, Standard Edition, and ISA Server, Enterprise Edition, provide similar functionality. The most significant difference between the two versions is that Enterprise
Edition provides enhanced scalability because it supports the following:
■ Centralized storage of configuration data
■ Support for the Cache Array Routing Protocol (CARP)
■ Integration of network load balancing (NLB)
Centralized Storage of Configuration Data
One of the primary differences between Standard Edition and Enterprise Edition is how
the two versions store their configuration information. Standard Edition stores its configuration information in the local computer registry. This means that if you want to
deploy two computers running Standard Edition with the same ISA Server configuration, you install and configure one server and then export the configuration and import
it into the second server. If you need to change the configuration, you must make the
changes on both servers.
ISA Server Enterprise Edition stores its configuration information in a separate directory
rather than in the local registry. When you install Enterprise Edition, you must configure one or more Configuration Storage servers. The Configuration Storage server uses
Active Directory Application Mode (ADAM) to store the configuration for all ISA Server
computers in the organization. Because ADAM can be installed on multiple servers and
the data replicated between the servers, you can have multiple Configuration Storage
servers. You can also install ADAM on a server that is running ISA Server. By using
ADAM, you can configure an enterprise policy that defines configuration settings for all
of the ISA Server computers in the organization. You can also configure arrays and
array policies. Arrays are groups of ISA Servers that share the same array policy, which
is a set of configuration settings that apply to an array. After installing the Configuration
Storage server and creating the enterprise and array policies, you can install the ISA Server
computers and assign them to a specific array. The enterprise and array policies will be assigned
automatically to each ISA Server computer in the array.
To change the ISA Server Enterprise Edition configuration, you simply change the
information in the Configuration Storage server. The Enterprise Edition computers periodically access the Configuration Storage server to check if there are any configuration
changes. If there are changes, the servers will update their local (registry-based) storage to reflect the recent changes.
Support for the Cache Array Routing Protocol
ISA Server 2004 Enterprise Edition provides enhanced scalability by enabling shared
Web caching across an array made up of multiple servers. With Enterprise Edition, multiple ISA Server computers can be configured as a single logical cache so that the caching capacity for all the ISA Server computers is combined.
To enable this feature, ISA Server uses the Cache Array Routing Protocol (CARP). When
a user requests a page from the Internet, CARP determines which ISA Server in the
array will retrieve and cache the requested item. When another user requests the same
page, CARP again determines which ISA Server computer in the array has cached the
page; the client request is sent to that computer. ISA Server uses CARP to optimize Web
caching, which means that the ISA Server caching can be scaled to almost any size.
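To make the CARP selection concrete, the following added example (not code from the training kit, and not the hash constants of the CARP specification, which are replaced here by a constructed 32-bit mix) scores every array member against a URL and lets the highest score own the item, the highest-random-weight scheme CARP is built on; the member names and URLs are made up. It also shows the property that lets the cache scale: adding or removing a member moves only the items that belong to that member.

```python
"""Added example: CARP-style cache routing for an ISA Server array.
The hash is a constructed 32-bit mix, not the CARP draft's constants;
member names and URLs are made up for the demonstration."""
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _mix32(h: int) -> int:
    """Avalanche finaliser (murmur3 fmix32 constants) so nearby inputs diverge."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)


def hash32(text: str) -> int:
    """Constructed string hash: rotate-and-add each byte, then mix."""
    h = 0
    for b in text.encode("utf-8"):
        h = (_rotl32(h, 19) + b) & MASK32
    return _mix32(h)


def carp_score(url_hash: int, member_hash: int) -> int:
    """Score one array member for one URL; the highest score owns the URL."""
    return _mix32(url_hash ^ member_hash)


def select_member(url: str, members: List[str]) -> str:
    """Return the array member that fetches and caches this URL. Every client
    and every member computes the same answer with no shared lookup table."""
    url_hash = hash32(url)
    return max(members, key=lambda m: carp_score(url_hash, hash32(m)))


def route_table(urls: List[str], members: List[str]) -> Dict[str, str]:
    """Owner of every URL for a given array membership."""
    return {u: select_member(u, members) for u in urls}


def owner_counts(urls: List[str], members: List[str]) -> Dict[str, int]:
    """How many of the URLs each member caches (should be roughly even)."""
    counts = {m: 0 for m in members}
    for owner in route_table(urls, members).values():
        counts[owner] += 1
    return counts


def remapped(urls: List[str], before: List[str], after: List[str]) -> Dict[str, Tuple[str, str]]:
    """URLs whose owner changes when the array changes from `before` to `after`.
    With highest-score selection only URLs owned by an added or removed member
    move; a modulo scheme (hash % len(members)) would reshuffle most of the cache."""
    old, new = route_table(urls, before), route_table(urls, after)
    return {u: (old[u], new[u]) for u in urls if old[u] != new[u]}


# Constructed array and request set.
ARRAY = ["isa1.example.com", "isa2.example.com", "isa3.example.com"]
URLS = [f"http://www.example.com/catalog/item{i}.html" for i in range(1000)]

if __name__ == "__main__":
    print("distribution:", owner_counts(URLS, ARRAY))
    grown = ARRAY + ["isa4.example.com"]
    moved = remapped(URLS, ARRAY, grown)
    print(f"{len(moved)} of {len(URLS)} URLs moved after adding a member; "
          f"all to the new member: {all(n == 'isa4.example.com' for _, n in moved.values())}")
```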
Integration of Network Load Balancing
The third additional feature available with Enterprise Edition is the integration of
network load balancing (NLB) with ISA Server. NLB is a Windows network component available with Windows 2000 Server and Windows Server 2003 that enables load balancing of IP traffic across a number of hosts, helping to enhance the scalability and
availability of IP-based services. NLB also provides high availability by detecting host
failures and automatically redistributing traffic to surviving hosts. With NLB, several
computers can be clustered so that the entire group of servers shares a single IP
address. A cluster is a group of independent computers that work together to provide
a common set of services and present a single-system image to clients. When client
computers connect to the NLB cluster, the client connections are automatically distributed across all of the servers in the cluster. If one of the servers is not available, the client connections are redirected to the available servers.
With ISA Server 2004, Standard Edition, you can configure NLB manually. With Enterprise
Edition, NLB is integrated so that NLB can be managed from ISA Server. This means that
NLB configuration is performed through ISA Server management. ISA Server also provides NLB health monitoring and manages the failover from one ISA Server in the cluster
to another. During NLB failover, all the functionality provided by one of the computers in
the cluster is transferred to another computer or computers in the cluster.
Differences Between ISA Server 2004 and ISA Server 2000
ISA Server 2004 is an upgrade of ISA Server 2000. While the two products share many
of the same features and provide much of the same functionality, ISA Server 2004 provides numerous enhancements to the functionality provided by ISA Server 2000. Table
1-1 provides an overview of the new features available in ISA Server 2004.
Table 1-1 New Features in ISA Server 2004

Multiple network support
    ISA Server 2004 supports multiple networks, each with distinct relationships to other networks. ISA Server 2000 supported only three networks: the internal network defined by the local address table (LAT), the external network, and the perimeter network. By default, ISA Server 2004 includes the VPN Clients Network and VPN Quarantined Clients network. You can also configure an unlimited number of networks on ISA Server 2004.

Policies assigned per network
    In ISA Server 2004, all access policies can be defined relative to any of the networks, not just relative to the internal network. Because of limited network support in ISA Server 2000, all access policies defined access to or from the internal network or used static packet filters to configure access between the perimeter network and the external network. In ISA Server 2004, you can define distinct access rules for each network on the server. For example, you can create a perimeter network that is separate from an internal network and configure different access rules for it.

Routed and NAT network relationships
    ISA Server 2004 supports both routed and network address translation (NAT) relationships between networks. In some cases, you may want more secure, less transparent communication between the networks; for these scenarios you can define a NAT relationship. In other scenarios, you may want to route traffic through ISA Server 2004; in this case, you can define a routed relationship.

Extended protocol support
    ISA Server 2004 extends ISA Server 2000 functionality by letting you control access and usage of any protocol, including IP-level protocols. This enhancement enables features such as publishing Point-to-Point Tunneling Protocol (PPTP) servers. In addition, IP Security (IPSec) tunnel-mode traffic can be used to create site-to-site VPN connections.

Advanced application filtering
    ISA Server 2004 provides enhanced application filtering by controlling application-specific traffic with application-command and data-aware filters. Traffic can be accepted, rejected, redirected, and modified based on its contents through intelligent filtering of VPN, HTTP, File Transfer Protocol (FTP), SMTP, Post Office Protocol 3 (POP3), Domain Name System (DNS), H.323 conferencing, streaming media, and remote procedure call (RPC) traffic.

Enhanced authentication options
    ISA Server 2004 supports authentication using built-in Windows, RADIUS, and RSA SecurID authentication. You can define different authentication rules for users or user groups in any namespace.

VPN and quarantine integration
    ISA Server 2004 extends the Routing and Remote Access Service to provide VPN access. It also enables VPN quarantine, which can be used to provide limited network access to VPN clients until they pass a security check.

Stateful inspection for VPN
    Because VPN clients are configured as a separate network in ISA Server 2004, you can create distinct policies for them. The rules engine checks requests from VPN clients, statefully inspects these requests, and dynamically opens connections based on the access policy.

Export and import
    ISA Server 2004 enables the option to export and import configuration information. You can use this feature to save configuration parameters to an Extensible Markup Language (XML) file and then import the information from the file to another server, or use this file for disaster recovery.

Delegated permissions wizard for firewall administrator roles
    ISA Server 2004 includes the Administration Delegation Wizard, which helps you assign administrative roles to users and groups. These predefined roles indicate the level of administrative control users are allowed over specified ISA Server 2004 services.

Enterprise Edition configuration storage
    ISA Server 2000 Enterprise Edition stores its configuration information in Active Directory. This means that before you could install Enterprise Edition, you had to modify the Active Directory schema to accommodate the ISA Server 2000 configuration. The ISA Server computers also had to be members of the Active Directory domain in order to read the configuration information. By contrast, ISA Server 2004, Enterprise Edition, stores its configuration information using ADAM rather than Active Directory. This means that the Configuration Storage server and ISA Server computers do not need to be members of an Active Directory domain.
Note Some of the features in ISA Server 2004 were first released with ISA Server 2000
Feature Pack 1. Feature Pack 1 added the SMTP filter, the RPC filter for Outlook e-mail clients,
support for RSA SecurID, and more. If you have been using ISA Server 2000 without Feature
Pack 1, these features will be new to you.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You are considering upgrading your current ISA Server 2000 deployment to ISA
Server 2004. You would like to be able to create two perimeter networks, one for
all your Web servers that permit anonymous access, and another perimeter network for all servers that require authentication. What feature in ISA Server 2004
will help you to meet your requirements?
2. You are planning to deploy ISA Server 2004 and need to decide whether you want
to deploy Standard Edition or Enterprise Edition. You will be deploying several
ISA Servers and want to reduce the effort required to configure and manage all of
them. What ISA Server version should you deploy? What ISA Server feature will
address your requirement to reduce management effort?
Lesson Summary
■ ISA Server 2004 comes in a Standard Edition and an Enterprise Edition. The Enterprise Edition provides enhanced scalability by using ADAM to store configuration information, supporting CARP for efficient caching and integrating NLB with ISA Server.
■ ISA Server 2004 is an upgrade of ISA Server 2000. Some of the most important new features include support for an unlimited number of networks, VPN integration with the firewall, and enhanced administration tools.
Lesson 3: Explaining ISA Server Deployment Scenarios
You can use ISA Server 2004 to provide secure access to the Internet and access to
internal network resources for Internet users. The exact configuration of ISA Server will
be unique to each organization’s security and access requirements. This lesson
describes the most common deployment scenarios for ISA Server, including how ISA
Server can be used as a primary security boundary or as a secondary firewall in a multiple-firewall configuration; and how ISA Server can be used for both large organizations with multiple locations and small organizations with the need for only one ISA
Server computer.
After this lesson, you will be able to
■ Describe how ISA Server functions as an Internet-edge firewall
■ Describe how ISA Server functions as a back-end firewall
■ Describe how ISA Server functions as a branch office firewall
■ Describe how ISA Server functions as an integrated firewall, proxy, and caching server
■ Describe how ISA Server functions as a proxy- and caching-only server
Estimated lesson time: 30 minutes
How ISA Server Works as an Internet-Edge Firewall
One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge
firewall. An Internet-edge firewall is deployed at the connecting point between the
Internet and the internal network. In this scenario, ISA Server provides both a secure
gateway for internal users to the Internet and a firewall that prevents unauthorized
access and malicious content from entering the network. Figure 1-3 shows an example of how ISA Server can be deployed as an Internet-edge firewall.
Figure 1-3 Deploying ISA Server as an Internet-edge firewall (diagram labels: E-Mail Server, File Server, Web Server, Web Server, ISA Server, Main Office Network, Internet, Remote User)
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary
security boundary, between the internal network and the Internet. ISA Server is deployed
with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that
is connected to a perimeter network. In this scenario, the following occurs:
■ ISA Server blocks all Internet traffic from entering an organization’s network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system–level attacks.
■ ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
■ ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
■ All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.
How ISA Server Works as a Back-End Firewall
In some cases, an organization may choose to deploy ISA Server as a second firewall
in a multiple-firewall configuration. This scenario enables organizations to use their
existing firewall infrastructure but also enables the use of ISA Server as an advanced
application-filtering firewall. Figure 1-4 shows an example of how ISA Server can be
deployed as a back-end firewall.
Figure 1-4 Deploying ISA Server as a back-end firewall (diagram labels: E-Mail Server, File Server, Web Server, Web Server, ISA Server, Firewall, Main Office Network, Internet, Web Server, Remote User)
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while
the second network adapter on the firewall is connected to the perimeter network. The
back-end firewall has one network adapter that is connected to the perimeter network
and a second network adapter connected to the internal network. All network traffic
must flow through both firewalls and through the perimeter network to pass between
the Internet and the internal network.
For organizations that already have a hardware-based firewall deployed as the Internet-edge firewall, ISA Server can provide valuable additional functionality as the back-end firewall. In particular, the advanced application-filtering functionality of ISA
Server can ensure that specific applications are published securely. In this scenario,
the following occurs:
■ ISA Server can be used to provide secure access to an organization’s Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
■ ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
■ ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.
How ISA Server Works as a Branch Office Firewall
A third deployment scenario for ISA Server is as a branch office firewall. In this scenario, ISA Server can be used to secure the branch office network from external threats
as well as connect the branch office networks to the main office using site-to-site VPN
connections. Figure 1-5 shows an example of how ISA Server can be deployed as a
branch office firewall.
Figure 1-5 Deploying ISA Server as a branch office firewall (diagram labels: E-Mail Server, File Server, Web Server, ISA Server or other VPN Gateway, Corporate Headquarters, ISA Server, Branch Office Network, Internet)
For organizations with multiple locations, ISA Server can function as a branch office
firewall in conjunction with additional ISA Servers at other locations. If a branch office
has a direct connection to the Internet, ISA Server may operate as an Internet-edge firewall for the branch, securing the branch office network and also publishing server
resources to the Internet. If the branch office has only a dedicated WAN connection to
the other offices, ISA Server can be used to publish servers in the branch office such as
Microsoft SharePoint Portal Server or a local Exchange Server.
One of the benefits of using ISA Server as a branch office firewall is that it can operate
as a VPN gateway that connects the branch office network to the main office network
using a site-to-site VPN connection. Site-to-site VPN provides a cost-effective and
secure method of connecting offices. In this scenario, the following occurs:
■ ISA Server can be used to create a VPN from a branch office to other office locations. The VPN gateway at other sites can be either additional computers running ISA Server or third-party VPN gateways. ISA Server supports the use of three tunneling protocols for creating the VPN: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
■ ISA Server can perform stateful inspection and application-layer filtering of the VPN traffic between the organization’s locations. This can be used to limit the remote networks that can access the local network and to ensure that only approved network traffic can access it.
How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server
In a small or medium organization, a single ISA Server computer may provide all Internet access functionality. The ISA Server computer is used to create a secure boundary
around the internal network, and to provide Web proxy and caching services for internal users. Figure 1-6 shows an example of how ISA Server can be deployed as an integrated firewall, proxy, and caching server.
Figure 1-6 Deploying ISA Server as an integrated firewall, proxy, and caching server (diagram labels: E-Mail Server, File Server, Web Server, ISP Server, Web Server, ISA Server, Main Office Network, Internet)
Small or medium-size organizations often have significantly different Internet access
requirements than larger organizations. Small organizations may have dial-up or other
slow connections to the Internet. Almost all organizations provide at least some level of
Internet access to employees, but these offices may need to limit access because of the
slow connections. Small organizations frequently do not require any services published
to the Internet because their ISP may be hosting both their organization’s Web site and
their e-mail servers. Other organizations may have much more complex requirements,
including requirements for SMTP, FTP, and HTTP server publishing as well as VPN
access. Another unique situation faced by many small or medium-size organizations is
that a single network administrator performs all network administration tasks. This
means that the administrator is usually not a firewall or Internet security expert.
ISA Server is flexible enough to meet almost any small or medium organization's
requirements:
■ Configuring caching on ISA Server computers means that Web pages are cached
on the ISA Server hard disk. This can reduce the use of slow Internet connections
or reduce the cost of a connection where cost is based on bandwidth usage.
■ ISA Server supports the option of using dial-up connections to access the Internet
or other networks. You can configure ISA Server to dial the connection automatically when a request is made for access to Internet resources.
■ Installation of ISA Server is secure out of the box. By default, ISA Server 2004 will
not accept any connections from the Internet after installation. This means that if
the organization does not require any resources to be accessible from the Internet,
the administrator does not need to configure ISA Server to block all incoming traffic. All the administrator has to do in this scenario is configure the server to enable
Internet access for internal users and the configuration is complete.
■ ISA Server provides network templates and server publishing wizards that can be
used to configure most required settings. Configuring ISA Server to provide access
to Internet resources can be as simple as applying a network template and using
the wizard to configure the security settings. ISA Server provides several server
publishing wizards that make it easy to securely publish internal servers to the
Internet.
How ISA Server Works as a Proxy- and Caching-Only Server
A final deployment scenario for ISA Server 2004 is as a proxy server and caching
server only. In this scenario, ISA Server is not used to provide a secure boundary
between the Internet and the internal network, but only to provide Web proxy and
caching services. Figure 1-7 shows an example of how ISA Server can be deployed
as a proxy- and caching-only server.
[Figure 1-7 diagram; labels: E-Mail Server, Web Server, File Server, ISA Server, Web Server, Main Office Network, Firewall, Internet]
Figure 1-7 Deploying ISA Server as a proxy- and caching-only server
In most cases, computers running ISA Server are deployed with multiple network
adapters to take advantage of ISA Server’s ability to connect and filter traffic between
multiple networks. However, if ISA Server is deployed as a Web proxy- and caching-only server, it can be deployed with a single network adapter. When ISA Server is
installed on a computer with a single adapter, it recognizes only one network—the
internal network.
If an organization already has a firewall solution in place, it can still take advantage of
the proxy and caching functionality of ISA Server. To deploy ISA Server as a proxy and
caching server, you only need to configure it to allow users to access resources on the
Internet. You would then configure the Web browsers on all client computers to use
the computer running ISA Server as a Web proxy server.
When you install ISA Server on a computer with a single adapter, the following ISA
Server features cannot be used:
■ Firewall and SecureNAT clients
■ Virtual private networking
■ IP packet filtering
■ Multi-network firewall policy
■ Server publishing
■ Application-level filtering
These restrictions mean that ISA Server provides very few security benefits for the
network.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. What features are available in ISA Server 2004 when installed on a machine with
a single network adapter? (Choose all that apply.)
a. Proxy & Caching
b. IP Packet Filtering
c. Server Publishing
d. RADIUS
e. VPN Gateway services
f. None of the above; two network adapters are always required for ISA Server
2004
2. Your company has purchased ISA Server 2004 and has deployed it as an integrated
firewall, proxy, and caching solution. You complete a default install of ISA Server
2004. What must you do next to block incoming connections from the Internet?
a. Configure the firewall rules
b. Configure a VPN quarantine policy
c. Nothing
d. Configure application-layer filtering
3. Your company wants to publish a Web site that hosts an e-commerce application.
The application must have access to a SQL server on your internal network; security of the SQL database is the most important consideration. What ISA Server 2004
deployment scenario would you recommend for this environment?
Lesson Summary
■ When ISA Server 2004 is deployed as an Internet-edge firewall, it blocks all Internet traffic to the internal network unless it is explicitly allowed, and allows access
to only specific resources on the internal network.
■ When ISA Server 2004 is deployed as a back-end firewall it can be used to provide
secure access to an organization’s Exchange Server computers and to publish
other secure Web sites. In this scenario, ISA Server is most frequently used for
application-layer filtering.
■ When ISA Server 2004 is deployed as a branch office firewall for organizations
with multiple locations it can be used to allow secure access to the internal network for all locations by enabling site-to-site VPNs.
■ ISA Server 2004 works as an integrated firewall, proxy, and caching server by creating a secure boundary around the internal network, and by providing Web
proxy and caching services for internal users. This is particularly useful in small- to
medium-sized organizations where only one ISA Server is needed.
■ ISA Server functions as a proxy- and caching-only server when deployed with a
single network interface. In this configuration, ISA Server is not used to provide a
secure boundary between the Internet and the internal network, but only to provide Web proxy and caching services.
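The default-deny behavior summarized in this lesson (everything between networks is blocked until a rule explicitly allows it, access rules open outbound protocols for internal users, and publishing rules open specific internal servers to the Internet) can be modeled as an ordered, first-match rule base with a catch-all deny. The following Python script is an added illustration written for this edition; it is not ISA Server code and does not reproduce ISA Server's policy engine. The rule names, the 10.0.0.0/8 internal range, the host addresses, and the name "Default rule" for the catch-all deny are constructed assumptions.

```python
# Added example: an ordered, first-match firewall rule base with a catch-all
# deny, modelling the default-deny behaviour described in Lesson 3. This is
# illustrative code, not ISA Server's policy engine; rule names, host addresses
# and the "Internal"/"External" network split are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Set, Tuple

# Constructed assumption: the internal network is 10.0.0.0/8; everything else
# is treated as the External (Internet) network.
INTERNAL_NET = ip_network("10.0.0.0/8")


def network_of(addr: str) -> str:
    """Map an IP address to the named network it belongs to."""
    return "Internal" if ip_address(addr) in INTERNAL_NET else "External"


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: Set[str]         # empty set matches any protocol
    from_networks: Set[str]     # source networks the rule applies to
    to_networks: Set[str]       # destination networks the rule applies to
    to_hosts: Set[str] = field(default_factory=set)  # empty matches any host


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    protocol: str


def evaluate(rules, req: Request) -> Tuple[str, str]:
    """Return (action, matching rule name) for the first rule that matches.
    If no rule matches, the request is denied by the catch-all; the name
    'Default rule' is a constructed label for that catch-all."""
    src_net, dst_net = network_of(req.src_ip), network_of(req.dst_ip)
    for rule in rules:
        if rule.protocols and req.protocol not in rule.protocols:
            continue
        if src_net not in rule.from_networks or dst_net not in rule.to_networks:
            continue
        if rule.to_hosts and req.dst_ip not in rule.to_hosts:
            continue
        return rule.action, rule.name
    return "deny", "Default rule"


def default_policy():
    """A fresh installation: no rules, so the catch-all deny applies to all traffic."""
    return []


def example_policy():
    """An administrator's first policy: block one listed site, allow Web access
    for internal users, and publish a single internal Web server (constructed
    names and addresses). Order matters: the deny rule is evaluated first."""
    return [
        Rule("Block listed site", "deny", {"http", "https"}, {"Internal"}, {"External"},
             to_hosts={"203.0.113.99"}),
        Rule("Allow Web access", "allow", {"http", "https"}, {"Internal"}, {"External"}),
        Rule("Publish public Web server", "allow", {"http"}, {"External"}, {"Internal"},
             to_hosts={"10.1.1.80"}),
    ]


if __name__ == "__main__":
    samples = [
        Request("10.0.0.5", "203.0.113.10", "http"),     # internal user browsing
        Request("10.0.0.5", "203.0.113.99", "http"),     # listed site
        Request("10.0.0.5", "203.0.113.10", "ftp"),      # protocol not allowed
        Request("198.51.100.7", "10.1.1.80", "http"),    # published server
        Request("198.51.100.7", "10.0.0.5", "http"),     # unpublished internal host
    ]
    for policy_name, policy in (("fresh install", default_policy()),
                                ("configured", example_policy())):
        for req in samples:
            action, rule = evaluate(policy, req)
            print(f"{policy_name:13} {req.src_ip:>13} -> {req.dst_ip:<13} "
                  f"{req.protocol:<5} {action:5} ({rule})")
```

Running the script with the empty "fresh install" policy shows every sample request, inbound and outbound, hitting the catch-all deny, which is the behavior the lesson attributes to a default installation. With the configured policy, only the listed outbound protocols and the one published host are reachable, and moving "Block listed site" below "Allow Web access" would silently turn it into dead rule, which is why rule order is part of any policy review.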
Lesson 4: Overview of ISA Server 2004 Administration
As the ISA Server administrator in your organization, you likely are responsible for
designing the ISA Server infrastructure and deploying the ISA Server computers
required to meet the company requirements. After deployment, you will also be
responsible for ongoing configuration and monitoring of the ISA Server computer. To
do this, you will primarily use the ISA Server Management interface.
After this lesson, you will be able to
■ List the phases included in deploying and managing an ISA Server environment
■ Describe the features of the ISA Server Management interface
■ List the monitoring features available in ISA Server 2004
Estimated lesson time: 25 minutes
The ISA Server Administration Process
In most organizations, ISA Server administrators are responsible for the initial deployment of ISA Server as well as for the ongoing management of ISA Server infrastructure.
The entire ISA Server administration process consists of the following phases:
■ Designing ISA Server implementation Steps included in designing an ISA Server implementation are as follows:
❑ In most organizations, the first step in deploying any new technology is to
gather the company requirements related to the technology. With ISA Server,
the organization’s security requirements will be critical in designing your
implementation, but you should also gather functional requirements. For
example, you should determine the types of protocols users require to gain
access to Internet resources, and the types of internal resources that need to
be accessible from the Internet. You may also need to consider company
requirements for scalability and redundancy.
❑ Once you have gathered the organization’s requirements, you can begin
designing the ISA Server deployment. This design will include the number
and placement of ISA Server computers as well as the configuration required
for each server.
❑ If you already have an ISA Server 2000 server in place, you need to design a
migration plan for transferring the configuration to the new servers. If you are
replacing another firewall or proxy server with ISA Server 2004, you also
need to plan for the migration to the new servers.
❑ An essential component in designing an ISA Server implementation is creating a test plan for server functionality. Before you deploy ISA Server to all
users, you should know how you will test the implementation to ensure that
it meets the organization’s requirements.
Exam Tip As you look over this list of ISA Server administration tasks, you may be thinking
that some of these tasks do not apply to you. For example, you may already have a VPN solution in place, or you may be taking over the management of an existing ISA Server infrastructure and were not involved in the design phase. However, the ISA Server 2004 exam is based
on all aspects of ISA Server functionality and includes a design component as well as all the
administrative tasks listed here. As you prepare for the exam, you may want to pay special
attention to the ISA Server functions that you are not implementing because you may not
have as much experience with these areas.
■ Installing and securing ISA Server 2004 Tasks included in installing and securing ISA Server are as follows:
❑ You should secure the operating system for the computer that will be running
ISA Server before installing ISA Server.
❑ If you are creating a new ISA Server infrastructure using ISA Server 2004,
Standard Edition, you can start deploying the servers. The default configuration for ISA Server is to block all traffic between networks, so you can begin
deploying ISA Servers without compromising network security.
❑ If you are creating a new ISA Server infrastructure using ISA Server 2004,
Enterprise Edition, you will start the implementation by deploying the Configuration Storage server. You can then configure the enterprise and array policies and install ISA Servers into the appropriate arrays.
❑ If you are upgrading an existing ISA Server 2000 implementation, then implement your migration plan. In this scenario, many of the current settings can
be migrated to ISA Server 2004.
■ Installing and configuring ISA Server client computers Tasks included in deploying ISA Server clients are as follows:
❑ ISA Server supports three types of ISA Server clients: SecureNAT clients, Web
proxy clients, and Firewall clients. All these clients are used to provide access
to Internet resources for internal users, and each client provides different levels of functionality. As the ISA Server administrator, you will be responsible
for choosing the ISA Server client and configuring the client application.
❑ The Firewall Client computers require that the Firewall Client be installed on
the computer. If you choose to use this client, you will need to devise a plan
for deploying the client software to each client computer.
■ Configuring ISA Server 2004 to enable access to the Internet for internal
users Tasks included in configuring ISA Server to enable access to the Internet
are as follows:
❑ In many organizations, ISA Server is used as a proxy and caching server to
provide secure access to Internet resources. Most organizations have an Internet usage policy that defines the types of access users can have to Internet
resources.
❑ You can use ISA Server to enforce and monitor compliance with the organization’s Internet usage policy. To enforce policy compliance, configure access
rules that define the protocols that can be used to access Internet resources and
the resources that will be available to users. You can also use the ISA Server
logging option to monitor all access to Internet resources by internal users.
❑ To optimize Internet access, many organizations also enable Web caching on
ISA Server. By default, ISA Server does not cache any client requests; you
need to enable and configure caching before it is enabled.
■ Configuring ISA Server 2004 to enable access by Internet users to internal
resources Tasks included in enabling access to internal resources are as follows:
❑ The second primary role for ISA Server is to make internal resources accessible to Internet users. In most cases, ISA Server publishing rules provide
access to internal resources.
❑ To enable access to Web sites that do not require security, create a Web publishing rule. If the Web sites require security, create a secure Web publishing
rule so that all network traffic is protected by using SSL. For all internal
resources that are not accessible by using HTTP or HTTPS, configure a server
publishing rule.
❑ If your organization is using Exchange Server as an e-mail server, you also
need to configure secure access to the Exchange Server computers for other
SMTP servers on the Internet, or for clients accessing their e-mail from the
Internet.
■ Configuring ISA Server for VPN access Tasks included in configuring ISA Server for VPN access are as follows:
❑ Many organizations also require VPN access to the internal network. If your
organization requires that users connect to your network from the Internet
using a VPN, configure ISA Server to enable the client connections. For additional security, you can also enable VPN quarantine.
❑ If your organization has multiple locations, you may also need to configure a
site-to-site VPN between the company locations.
■ Monitoring ISA Server 2004 Tasks included in monitoring ISA Server are as follows:
❑ As soon as you deploy the first ISA Server, you should begin monitoring it.
ISA Server provides features such as alerts, intrusion detection, and session
monitoring to detect real-time events on the ISA Server computer.
❑ You should also configure logging and reports to monitor usage of the ISA
Server computer.
ISA Server Management Console Features
One of the new features in ISA Server 2004 is the management interface. The ISA
Server Management Console provides a single interface for monitoring and managing
ISA Server 2004. The ISA Server Management Console implements many of the components that are common to all MMCs, including the tree view for navigation with the
details pane for detailed information, configuration wizards, context-sensitive help,
and typical dialog boxes. Because the MMC is already a familiar interface for most
administrators, the ISA Server management interface does not require any additional
learning time. Figure 1-8 shows the ISA Server Management Console.
Figure 1-8 The ISA Server Management Console
The ISA Server Management Console has the following features:
■ Getting Started page The ISA Server Management Console opens to a Getting
Started page. This page provides an overview of the steps required to configure
ISA Server with links to specific locations within the interface where configuration
actions will be performed. By following the steps outlined on the Getting Started
page, you can implement a secure deployment of ISA Server 2004.
■ Monitoring dashboard The Management Console provides a single interface
for monitoring the ISA Server performance and security-related information. The
dashboard provides additional tabs that can be accessed to provide detailed monitoring information.
■ Single firewall rule base and policy editor All system policy and firewall
rules are displayed in a single interface. From this interface you can create or modify all firewall or system policy rules, as well as manage server publishing rules.
■ Context-sensitive task lists Most console pages provide a context-sensitive
task list that itemizes all relevant tasks. The task list includes links to wizards or
dialog boxes where you can complete the tasks.
■ Context-sensitive toolbox Many console pages include a context-sensitive
toolbox. The toolbox presents a list of relevant objects that can be modified.
■ Network templates Much of the management of ISA Server 2004 can be done
through scenario-based wizards. One example of these wizards is the network
template wizard, which enables you to pick a network scenario that matches your
deployment scenario and then use the wizard to configure many of the firewall
rules that are appropriate for that network template.
■ Consolidated VPN management ISA Server 2004 uses and extends the Routing and Remote Access Service (RRAS) on Microsoft Windows 2000 Server or Windows Server 2003 to enable VPN access. However, all VPN configurations are
performed in the ISA Server management interface.
ISA Server Monitoring Overview
Monitoring is the daily task of ensuring that critical ISA Server services are running
properly and ensuring that the ISA Server computer is providing the required security
and functionality. The goal of daily monitoring is to identify problems before they
impact your users. In addition, monitoring will also allow you to identify trends that
can indicate future problems and allow you to plan for future growth.
Monitoring tasks that are performed on a daily basis allows you to determine what is
normal for your ISA Server and when abnormal events occur. These tasks include the
following:
■ Monitoring the Event Viewer Use Event Viewer to obtain information about
service failures, application errors, and warnings when system resources such as
virtual memory or available disk space are running low. Using Event Viewer
enables you to identify problems that must be resolved and trends that will require
future action.
■ Monitoring server performance When you install ISA Server, a pre-configured ISA Server Performance Monitor console is created. This console includes the
critical ISA Server counters. Use this console to monitor server performance. Performance data can be viewed in a report or in various graph and log formats. A
performance log can be useful in monitoring counters over an extended period of
time. Performance alerts can be configured to create an event when counters
reach certain values. These events could include creating a log entry, sending a
network message, or running a program.
■ Using the ISA Server Management Console to monitor the ISA Server computer The ISA Server Management Console provides many components that
can be used to monitor the computer running ISA Server. ISA Server provides the
monitoring options listed in Table 1-2.
Table 1-2 ISA Server Monitoring Components
(Monitoring Component: Explanation)
Alerts: Monitors ISA Server for configured events and then performs actions
when the specified events occur. The alert service is configured to monitor many events by default. You may configure additional alert definitions.
Sessions: Provides information on all of the current client sessions on ISA Server.
ISA Server lists sessions of the following types: Firewall client,
SecureNAT, VPN client, VPN site-to-site, and Web proxy.
Logging: Provides detailed information about the Web proxy, firewall service, or
SMTP Message Screener. You can use the logs to monitor the activity on
ISA Server in real time, or you can review the log files at a later date.
Reports: Summarizes information about the usage patterns on ISA Server. For
example, you can create reports that summarize information about the
users who access the most sites through ISA Server and which sites they
access, or about the protocols and applications that are being used most
often. You can also use reports to monitor the security of your network.
For example, you can generate reports that track malicious attempts to
access internal resources.
Connectivity: Enables regular monitoring of connections from the computer running
ISA Server to any other computer or URL on any network. For example,
you can use connectivity options to monitor connections to domain
controllers, DNS servers, published Web servers, and external Web servers. This feature provides advance warning when the connection to any
required service or network fails.
Performance: Collects performance data on the computer running ISA Server. You can
monitor server performance in real time, create a log file of server performance over a longer period of time for detailed analysis, or configure performance alerts to create an event when counters reach certain values.
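The Logging and Reports rows of Table 1-2 describe the same data seen at two levels: the log records individual requests, and a report aggregates them into top users, top sites, protocol usage, and denied requests. The following Python script is an added illustration of that aggregation written for this edition; it is not ISA Server's reporting engine and the log lines are constructed. The `#Fields:` directive is the standard W3C extended log convention, but the particular column set (`c-ip cs-username date time cs-protocol cs-uri rule action`) is a constructed simplification and not ISA Server's actual log schema.

```python
# Added example: summarizing a W3C-style Web proxy log the way an ISA Server
# usage report does (top users, top sites, protocols, denied requests). This is
# illustrative code, not ISA Server's reporting engine, and the field layout
# below is a constructed simplification, not ISA Server's actual log schema.
from collections import Counter, defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample log in W3C extended format ("-" marks a missing value).
SAMPLE_LOG = """\
#Software: constructed sample, not an ISA Server log
#Fields: c-ip cs-username date time cs-protocol cs-uri rule action
10.0.0.5 alice 2005-03-01 09:00:01 http http://www.example.com/index.html Allow-Web Allowed
10.0.0.5 alice 2005-03-01 09:00:07 https https://mail.example.net/owa/ Allow-Web Allowed
10.0.0.7 bob 2005-03-01 09:01:15 http http://www.example.com/news Allow-Web Allowed
10.0.0.7 bob 2005-03-01 09:02:40 ftp ftp://files.example.org/pub/ Default-Deny Denied
10.0.0.9 - 2005-03-01 09:03:02 http http://blocked.example.org/ Default-Deny Denied
10.0.0.9 - 2005-03-01 09:03:05 http http://blocked.example.org/ Default-Deny Denied
10.0.0.5 alice 2005-03-01 09:04:00 http http://intranet.contoso.com/ Allow-Web Allowed
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields: {line!r}")
        rec = dict(zip(fields, values))
        if rec.get("cs-username") == "-":
            rec["cs-username"] = "anonymous"
        records.append(rec)
    return records


def host_of(uri: str) -> str:
    """Reduce a request URI to the site (host) it targets."""
    return urlsplit(uri).hostname or uri


def summarize(records, denial_threshold: int = 2) -> dict:
    """Build the figures a usage/security report would show."""
    allowed = [r for r in records if r["action"] == "Allowed"]
    denied = [r for r in records if r["action"] != "Allowed"]

    sites_per_user = defaultdict(set)
    for r in allowed:
        sites_per_user[r["cs-username"]].add(host_of(r["cs-uri"]))
    denials_by_client = Counter(r["c-ip"] for r in denied)

    return {
        "sites_per_user": {u: len(s) for u, s in sites_per_user.items()},
        "protocols": dict(Counter(r["cs-protocol"] for r in records)),
        "top_sites": Counter(host_of(r["cs-uri"]) for r in allowed).most_common(),
        "denials_by_client": dict(denials_by_client),
        # clients whose requests were repeatedly denied are worth a closer look
        "clients_to_review": sorted(ip for ip, n in denials_by_client.items()
                                    if n >= denial_threshold),
    }


def usage_report(text: str = SAMPLE_LOG) -> dict:
    """Parse a log and summarize it in one step."""
    return summarize(parse_w3c(text))


if __name__ == "__main__":
    for section, value in usage_report().items():
        print(f"{section}: {value}")
```

The parser keys every record by the `#Fields:` directive rather than by fixed column positions, so it keeps working if the logged field set is changed in the console. The `clients_to_review` figure is the report's security angle from the table: a client that is repeatedly denied is the kind of pattern a "malicious attempts" report surfaces, and the threshold is a tunable starting point rather than a verdict.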
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You have just finished deploying and configuring ISA Server 2004. However, now
users report that one of the critical internal Web sites is no longer available from the
Internet. Which ISA Server administrative task was not completed correctly during
the ISA Server deployment? What do you need to do to make the site available?
2. You deployed ISA Server 2004 several months ago. Now your manager is asking
for information on how the ISA Server computer is performing. He wants to know
how much traffic is flowing through the ISA Server computer, what applications
are being used to access the Internet, and which Web sites are most frequently
accessed. What ISA Server monitoring feature will you use to provide this information? (Choose the best answer.)
a. Reports
b. Logs
c. Alerts
d. Sessions
Lesson Summary
■ As an ISA Server administrator, you are likely to be responsible for the complete
ISA Server deployment, including the initial design, ongoing configuration, and
management.
■ The ISA Server Management Console is used to manage and monitor almost all ISA
Server activity. The console includes many features that can simplify your management tasks.
■ As part of your role as an ISA Server administrator, you should constantly monitor
the server. ISA Server provides several features that allow you to collect real-time
information about server performance and security, as well as allow you to collect
and analyze long-term usage trends.
Case Scenario Exercise
In this exercise, you will create a design for an ISA Server 2004 deployment for a fictitious organization. Read the scenario and then answer the question that follows. If
you have difficulty completing this work, review the material in this chapter before
beginning the next chapter. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
Scenario
You are a systems engineer working for Contoso Pharmaceuticals, an international corporation involved in drug manufacturing and sales. Contoso Pharmaceuticals has two main
offices: the European headquarters located in Berlin and the North American headquarters
located in Toronto. The corporation also has offices in Johannesburg, Atlanta, and São
Paolo. The Contoso Pharmaceuticals network configuration is shown in Figure 1-9.
[Figure 1-9 diagram; labels: Internet, Web Server, Exchange Server, Web Server, Toronto LAN, Exchange Server, Berlin LAN, Web Server, Web Server, Web Server, Atlanta LAN, Johannesburg LAN, São Paolo LAN]
Figure 1-9 The Contoso Pharmaceutical network configuration
Contoso Pharmaceuticals is planning to deploy ISA Server 2004. Your boss hands you
the following deployment requirements:
■ All current firewalls will be replaced by computers running ISA Server. Additional
computers running ISA Server will be deployed if required.
■ There should be no restrictions on the flow of network traffic between any of the
office locations. The existing WANs between offices will not be replaced.
■ All Internet traffic flows through either Berlin or Toronto. Because the WAN links
between the offices are utilized at 70 to 80 percent during business hours, this
configuration needs to be changed. New Internet connections will be installed in
Johannesburg, Atlanta, and São Paolo. These Internet connections must be as
secure as possible.
■ All company Exchange Server computers are located in Berlin and Toronto. All
inbound and outbound e-mail must flow through these locations.
■ Each office hosts a public Web site, as well as a secure Web site that is used by customers. These Web sites must be available through the local Internet connection.
■ Contoso Pharmaceuticals is deploying a new sales application in the Toronto
office. This application must be accessible to sales personnel whether they are in
or out of the office. When outside the office, the sales personnel must connect to
the Toronto office using a VPN before being granted access to the application. You
must be able to filter all traffic that flows between this application server and other
servers on the internal network. Sales personnel should not be able to access any
resources on the company network except for the sales application using the VPN,
unless the computer they are using passes all security requirements.
■ All users need to be able to access their e-mail on the Exchange Server computers
from the Internet using a Web browser.
Case Scenario Question
1. Design the ISA Server 2004 deployment to meet your company’s requirements.
What will you tell your boss that Contoso Pharmaceuticals should do?
Chapter Summary
■ ISA Server 2004 is normally installed at the network perimeter and is used to block
all unauthorized access to the internal network, as well allow limited access from
the internal network to the Internet. To secure the network perimeter:
❑ ISA Server uses packet filtering, stateful filtering, and application-layer filtering to provide firewall functionality.
❑ Ensures that clients can access only the required resources on the Internet
and that the connection and data transfer to and from the Internet is secure.
❑ Enables secure access from the Internet to internal network resources
through the use of Web publishing rules, secure Web publishing rules, and
server publishing rules. ISA Server 2004 also includes specialized e-mail publishing rules and application filters to secure server and client connections to
Exchange Server for clients using a variety of protocols.
❑ Enables secure connections to internal network resources by enabling VPN
connections for remote clients and sites.
■ ISA Server 2004 includes a Standard Edition and an Enterprise Edition. The Enterprise Edition provides enhanced scalability by using ADAM to store configuration
information, supporting CARP for efficient caching, and integrating NLB. ISA Server
2004 is an upgrade of ISA Server 2000. Some of the most important new features
include support for an unlimited number of networks, VPN integration with the firewall, and enhanced administration tools.
■ ISA Server 2004 can be deployed in a variety of configurations that include Internet-edge firewall; back-end firewall; branch office firewall; integrated firewall,
proxy, and caching server; and proxy- and caching-only server.
■ As an ISA Server administrator, you are likely to be responsible for the complete ISA
Server deployment, including its initial design and ongoing configuration and management. You can use the ISA Server Management Console to manage and monitor
almost all ISA Server activity.
Exam Highlights
Because this chapter is an introduction designed to provide you with an overview of ISA
Server 2004, it has not dealt with topics in detail. However, as you prepare for the exam
by reading the rest of this book, pay special attention to the key points that follow.
Key Points
■ ISA Server provides advanced firewall functionality as an application filter.
Understand how application filters work and how they can be used to secure
your network.
■ ISA Server can be deployed in many different scenarios. As you prepare for the
exam, understand the different scenarios and the different ISA Server configurations used in each scenario.
■ You will use the ISA Server Management Console to perform almost all ISA Server
administrative tasks. You will become familiar with this administrative interface as
you complete the hands-on exercises in this book.
Key Terms
application-layer filtering A type of filtering in which a firewall examines the
actual content of a network packet to determine whether the packet will be forwarded through the firewall. The firewall opens the entire packet and examines
the actual data in the packet before making a forwarding decision.
firewall A device that is located between one portion of a network and another portion, and allows only authorized network traffic to pass between the networks.
The firewall is configured with traffic filtering rules that define what types of network traffic will be allowed to pass through the firewall.
proxy server A firewall component that manages Internet traffic to and from a local
area network and can provide other functions, such as caching and access control.
Questions and Answers
Page 1-15
Lesson 1 Review
1. You have deployed ISA Server 2004 at the perimeter of your network. You need to
ensure that all users are able to access the Internet through the ISA server. However, you also need to ensure that users can access only approved Web sites. What
should you do?
In order for all users to gain access to Internet resources using ISA Server, you must configure
the client computers to use the ISA Server computer as a proxy server. To ensure that users
can access only approved Web sites, configure ISA Server to block access to all sites except for
the approved sites. You can use either domain names or URLs to define approved Web sites.
2. You have deployed ISA Server 2004 at the perimeter of your network. You now
need to configure the ISA server so that the organization’s Web site is available to
all users on the Internet. You also need to ensure that only remote employees can
access a Web site that contains confidential customer information. The data on the
confidential Web site must not be readable when it is sent across the Internet.
What should you do?
To configure access to the organization’s Web site, you should configure a Web publishing rule
to publish the Web site to the Internet. This Web publishing rule should allow anonymous
access to the Web site. To configure access to the confidential Web site, you should configure
a secure Web publishing rule that will require the use of SSL to encrypt all network traffic to and
from the Web site. To ensure that only employees have access to the confidential Web site, you
should also configure ISA Server to require authentication.
3. You have deployed ISA Server 2004 as a VPN remote access server. What ISA
Server feature can be used to ensure that all client computers are in compliance
with the organization’s security policies before granting the user access to the
network?
a. PPTP
b. RADIUS authentication
c. Quarantine control
d. Application-layer filtering
C is correct. Quarantine control limits connecting computers' access based on whether they
meet security criteria defined by the administrator. A is incorrect; PPTP is a VPN tunneling protocol, but it does not test the client computer configuration before allowing the client to connect. B is incorrect; RADIUS is an authentication protocol used to confirm the user’s identity. D
is incorrect; application-layer filtering is used to check the contents of packets to ensure they
are legitimate traffic. Application-layer filtering can block specific packets, but it cannot block a
user from connecting to the network using VPN.
Page 1-21
Lesson 2 Review
1. You are considering upgrading your current ISA Server 2000 deployment to ISA
Server 2004. You would like to be able to create two perimeter networks, one for
all your Web servers that permit anonymous access, and another perimeter network for all servers that require authentication. What feature in ISA Server 2004
will help you to meet your requirements?
ISA Server 2004 supports an unlimited number of networks, which means that you can easily
create multiple perimeter networks with different firewall rules controlling access to each network.
2. You are planning to deploy ISA Server 2004 and need to decide whether you want
to deploy Standard Edition or Enterprise Edition. You will be deploying several
ISA Servers and want to reduce the effort required to configure and manage all of
them. What ISA Server version should you deploy? What ISA Server feature will
address your requirement to reduce management effort?
You should plan on deploying ISA Server Enterprise Edition. Because Enterprise Edition stores
its configuration information in ADAM on the Configuration Storage server, you can create enterprise and array policies in the directory and then deploy ISA Servers as part of an array. All the
enterprise and array policies will automatically be applied to the ISA Server computers in the
array.
Page 1-29
Lesson 3 Review
1. What features are available in ISA Server 2004 when installed on a machine with
a single network adapter? (Choose all that apply.)
a. Proxy & Caching
b. IP Packet Filtering
c. Server Publishing
d. RADIUS
e. VPN Gateway services
f. None of the above; two network adapters are always required for ISA Server
2004
A is correct. All other configurations require two network adapters. Although deploying ISA
Server with a single network interface is an option, remember that most of the security features
included with ISA Server 2004 are not available in this configuration.
2. Your company has purchased ISA Server 2004 and has deployed it as an integrated
firewall, proxy, and caching solution. You complete a default install of ISA Server
2004. What must you do next to block incoming connections from the Internet?
a. Configure the firewall rules
b. Configure a VPN quarantine policy
1-44
Chapter 1
Introduction to ISA Server 2004
c. Nothing
d. Configure application-layer filtering
C is correct. By default, ISA Server 2004 will not accept connections from the Internet. A, B,
and D are incorrect because these services need to be configured only if you plan to accept traffic
from the Internet.
3. Your company wants to publish a Web site that hosts an e-commerce application.
The application must have access to a SQL server on your internal network; security of the SQL database is the most important consideration. What ISA Server 2004
deployment scenario would you recommend for this environment?
The most secure option in this case would be to deploy ISA Server as a back-end firewall with
another firewall (which could be another ISA Server) as a front-end firewall. The Web server can
then be placed in the perimeter network and the back-end ISA Server can be used to protect
the internal network.
Page 1-36
Lesson 4 Review
1. You have just finished deploying and configuring ISA Server 2004. However, now
users report that one of the critical internal Web sites is no longer available from the
Internet. Which ISA Server administrative task was not completed correctly during
the ISA Server deployment? What do you need to do to make the site available?
The design phase of the deployment project was not completed correctly. During the design
phase, you should identify all Web sites that need to be available on the Internet and configure
the ISA Server computer to publish those sites. To make the site available, you need to determine the security requirements for the site. For example, does the site require SSL or authentication? Once you have gathered the requirements, you can create the appropriate Web
publishing rule to make the Web server available from the Internet.
2. You deployed ISA Server 2004 several months ago. Now your manager is asking
for information on how the ISA Server computer is performing. He wants to know
how much traffic is flowing through the ISA Server computer, what applications
are being used to access the Internet, and which Web sites are most frequently
accessed. What ISA Server monitoring feature will you use to provide this information? (Choose the best answer.)
a. Reports
b. Logs
c. Alerts
d. Sessions
A is correct. The best ISA Server monitoring feature to use in this case is the Reports feature.
A report presents information in a summary format so that you can easily show the required
information to your manager. The Logs function would provide too much information because it
includes details about every connection on the ISA Server computer, while the Alerts and Sessions features do not provide information on server usage, as they are used to provide real-time details on current activity.
Page 1-39
Case Scenario Exercise
1. Design the ISA Server 2004 deployment to meet your company’s requirements.
What will you tell your boss that Contoso Pharmaceuticals should do?
To meet the company requirements, you should deploy ISA Server computers as listed here.
In Toronto, you should do the following:
❑ Deploy an Internet-edge firewall using all the firewall functionality of ISA Server.
❑ To meet the requirement for isolating the sales application, you could either deploy a second ISA Server computer between the sales application and the internal network, or you
could configure an additional network adapter and network on the Internet-edge firewall
and install the sales application in the new network.
❑ To meet the VPN requirements for Toronto, deploy ISA Server as a VPN server. Configure
a VPN quarantine for all clients when they connect. Allow the users access to the sales
application while in the VPN quarantine, but do not allow any traffic to the internal network
until the client has passed the security checks.
❑ Use the secure-server publishing functionality of ISA Server to publish the non-secure
Web site and the secure customer Web site, as well as to publish the Exchange SMTP
server and the Exchange Outlook Web Access server.
❑ Configure the ISA Server computer as a proxy server so that all clients in the office connect to the Internet through ISA Server.
In Berlin, you should do the following:
❑ Deploy an Internet-edge firewall using all the firewall functionality of ISA Server.
❑ Use the secure-server publishing functionality of ISA Server to publish the non-secure
Web site and the secure customer Web site, as well as to publish the Exchange SMTP
server and the Exchange Outlook Web Access server.
❑ Configure the ISA Server computer as a proxy server so that all clients in the office connect to the Internet through ISA Server.
In Johannesburg, Atlanta, and São Paulo, you should do the following:
❑ Deploy an Internet-edge firewall using all of the firewall functionality of ISA Server.
❑ Use the secure-server publishing functionality of ISA Server to publish the non-secure
Web site and the secure customer Web site.
❑ Configure the ISA Server computer as a proxy server so that all clients in the office connect to the Internet through ISA Server.
C02621691.fm Page 1 Tuesday, January 25, 2005 1:26 PM
Chapter 2: Installing ISA Server 2004
Exam Objectives in this Chapter:
■ Plan an ISA Server 2004 deployment
❑ Analyze requirements for branch office deployment
❑ Analyze baseline network traffic usage
❑ Analyze requirements for high availability and fault tolerance
❑ Pilot and test an ISA Server 2004 deployment
■ Assess and configure the operating system and platform requirements
❑ Analyze operating system and platform requirements
❑ Prepare network interfaces
❑ Analyze hardware and network requirements
❑ Configure operating system settings for installing ISA Server 2004
■ Deploy ISA Server 2004
❑ Migrate from ISA Server 2000 to ISA Server 2004
❑ Install ISA Server 2004, Standard Edition
❑ Install ISA Server 2004, Enterprise Edition
❑ Define the network routing requirements
❑ Verify the installation of ISA Server 2004
Why This Chapter Matters
Before deploying Microsoft Internet Security and Acceleration (ISA) Server 2004 in
your organization, you must determine what you plan to accomplish by doing so.
ISA Server is a great product, but, in most organizations, merely stating this fact will
not convince the top executives that it is worth the investment required to purchase, deploy, and maintain it. In most organizations, you must show that a product
will address some business need. So before you think too much about what your
ISA Server deployment will look like, you must gather the company’s requirements.
Why does your organization need ISA Server? What business goals or security
requirements do you plan to satisfy with your ISA Server deployment? Once you
have answered these questions, you are ready to consider where the ISA Server
computers will be placed, how many ISA Server computers will be deployed, and
the ISA Server configurations. Your business requirements will drive the ISA Server
infrastructure design. This chapter will help you assess ISA Server in these terms—
how the ISA Server design is affected by business requirements.
The second part of planning your ISA Server installation is to ensure that the
deployment goes well. Your ISA Server will be integrated into an existing network,
and you must determine how it will be integrated. This chapter provides guidance
about how to design the network services to ensure a smooth deployment.
The third step in the planning process is ensuring that the actual hardware and
server you deploy meet the company’s requirements as well as the software and
hardware requirements for installing ISA Server 2004. This involves dealing with
the questions of scalability, redundancy, and the specific hardware and software
requirements of ISA Server 2004.
Lessons in this Chapter:
■ Lesson 1: Planning an ISA Server Deployment . . . . . . . . . . . . . . . . . . . . . . . .2-3
■ Lesson 2: Installing ISA Server 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
■ Lesson 3: Overview of the ISA Server 2000 Migration Process . . . . . . . . . . . . 2-36
Before You Begin
This chapter presents the skills and concepts related to planning an ISA Server installation and then deploying ISA Server computers. If you plan to complete the practices and
lab in this chapter, you should prepare the following:
■ A server with Microsoft Windows Server 2003 (either Standard or Enterprise Edition)
installed as DC1 and configured as a domain controller in the cohovineyard.com
domain.
■ A second server with Windows Server 2003 installed as ISA1 and configured as a
domain member in the cohovineyard.com domain. This server should have two
network interfaces installed.
Lesson 1: Planning an ISA Server Deployment
Before you install ISA Server 2004, you need to plan the deployment. This lesson provides a brief summary of the planning process, and then specifically examines the planning of network infrastructure components and the server requirements. The lesson also
considers capacity planning, including redundancy and availability arrangements.
After this lesson, you will be able to
■ Describe the planning process for the deployment of an ISA Server infrastructure
■ Describe the network infrastructure requirements for deploying ISA Server
■ List the server requirements for installing ISA Server
■ Perform capacity planning
Estimated lesson time: 20 minutes
The ISA Server Deployment Planning Process
Most organizations install ISA Server to address security requirements. ISA Server is a firewall, and it is likely to be one of the critical components in securing your organization's network. In addition, the ISA Server computer is likely to be the primary
connection point for all internal network traffic to access the Internet. This means that
when you design your ISA Server deployment, you must consider a wide variety of security and functional requirements. The following is an overview of the process of planning
an ISA Server deployment.
1. Understand the current network infrastructure. The first step in planning
an ISA Server deployment is to understand the current networking environment.
When you start planning, collect network diagrams that provide details on the network infrastructure. These diagrams should include the Internet Protocol (IP) networks, router configurations, and client and server networking configuration.
Collect information on the current configuration of network services. For example,
all internal clients must be able to resolve Domain Name System (DNS) names on
the Internet to connect to Internet resources. You need to understand how clients do
this now. Also collect information about other network services such as Dynamic
Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS)
if you have Microsoft Windows NT or Microsoft Windows 2000 clients.
Collect information about the current domain structure. ISA Server can be integrated
with Active Directory directory service to enable authentication.
2. Review company security policies. Every organization should have security
policies. These policies usually include general security requirements such as
Internet or e-mail usage policies. The policies can also be very specific and define
what protocols are not allowed through the firewall, what Web sites users can
access, and what types of information can be sent from the internal network to the
Internet. For example, most organizations have policies defining what types of
customer information can be sent in an e-mail.
Reviewing the company security policies is critical when planning the ISA Server
deployment. ISA Server can be used to enforce at least some of the security policies.
For example, you can use ISA Server to block access to a particular Web site, or to
restrict which protocols can be used to access the Internet. Other policies, such as
what types of information can be sent to the Internet or what sites users access
when they take their mobile computers out of the company location, are more difficult to enforce using ISA Server.
See Also
If your company does not have a well-defined security policy, now is a good time
to develop one. There are numerous resources available on the Internet to help define the
policy, including the SANS Institute Security Policy Project, located at http://www.sans.org/
resources/policies, and the Site Security Handbook, Request for Comments (RFC) 2196,
located at http://ietf.org/rfc/rfc2196.txt on the Internet Engineering Task Force page.
3. Plan the required network infrastructure. For your ISA Server installation to
meet the company requirements, you must plan for some specific network infrastructure components. For example, if the ISA Server computer is an Internet-edge
firewall and is the only access point to the Internet, you must ensure that all client
computers can connect to the ISA Server computer. If you have a single network,
this solution can be as simple as configuring the default gateway on each client
computer to use the internal network interface on the server running ISA Server. If
you have multiple locations within your organization, or if you deploy multiple ISA
Servers, this solution can be more complex.
Your ISA Server implementation may also depend on additional network infrastructure components such as DNS, DHCP, and Certificate Services. These components
must be taken into account when planning an ISA Server installation.
Planning
Some aspects of planning the ISA Server installation will be covered in detail in
this chapter. For example, planning the network infrastructure components will be covered
later in this chapter. Other aspects of planning will be covered in detail in later chapters.
4. Plan for branch office installations. If your organization has more than one
location, you must also plan for how the branch office networks will be integrated
with the main office. In some cases, you may have existing wide area network
(WAN) connections between the offices with routing already in place. In other
cases, you may plan to replace the WAN link with a site-to-site virtual private network (VPN) or plan to deploy an ISA Server in each branch office.
See Also
Planning for branch office installations will be discussed in more detail in Chapter 5, “Enabling Secure Internet Access with ISA Server 2004,” and in Chapter 10, “Configuring Virtual Private Networks for Remote Clients and Networks.”
5. Plan for availability and fault tolerance. Each organization will have different
requirements regarding availability and fault tolerance. In some organizations (for
example, organizations that are publishing e-commerce sites that are doing several
million dollars of business per day), a few minutes of downtime or even slow
response times can cost large amounts of money. Other organizations may be
using ISA Server just to provide Internet access for internal users. In this case,
downtime may not be as critical. ISA Server can be configured to enable fault tolerance, so you must understand your organization’s requirements to get the right
level of availability.
6. Plan for access to the Internet. Most companies that deploy ISA Server use it
as a proxy server for users to access the Internet. Some organizations enable full
access to the Internet so that all users can use all protocols to access any Internet
resource. Other organizations limit access based on protocols or applications, and
users or groups, and they also limit users’ access to Web sites.
Once you have gathered your organization’s requirements for granting Internet
access, you can plan the ISA Server access rule configuration to meet the organization’s Internet access and caching requirements.
See Also The detailed information required to plan for access to the Internet is discussed
in Chapter 5, “Enabling Secure Internet Access with ISA Server 2004,” and in Chapter 6,
“Implementing ISA Server Caching.”
7. Plan the ISA Server client implementation and deployment. An essential
part of deploying an ISA Server infrastructure is to plan for ISA Server client configuration and deployment. ISA Server supports three clients: SecureNAT clients,
Web Proxy clients, and Firewall clients. The use of each client has advantages and
disadvantages. As part of your ISA Server deployment, you must know why you
use each client and how to configure each client.
See Also
The detailed information required to plan ISA Server client implementation and
deployment is discussed in Chapter 4, “Installing and Managing ISA Server Clients.”
8. Plan for server publishing. Most organizations also publish some internal
resources to the Internet. Because this allows network traffic from the Internet to
your internal network, it is essential that the connection between the Internet and the internal servers is as secure as possible.
There are two components to planning server publishing. The first component is
knowing what servers are going to be published and how to configure the publishing rules. The second component is a bigger question: How do you design the network connection to the Internet to ensure security? Many organizations deploy
servers that are accessible from the Internet in a perimeter network. This limits
access between the perimeter network and the internal network. You need to
choose a perimeter network configuration as part of the planning process.
See Also
Planning for server publishing is discussed in more detail in Chapter 8, “Implementing ISA Server Publishing.”
9. Plan for VPN deployment. ISA Server can operate as a VPN remote access
server for external clients and as a VPN gateway for site-to-site VPNs. If you plan
to deploy ISA Server in either configuration, include this in your planning.
An extra level of planning is required if you choose to implement VPN network
quarantine. With VPN network quarantine, you can restrict access to the internal
network until the VPN clients pass a security configuration check. To perform the
security configuration check, you must run a script or application on the client computer. The script can check for virtually any setting on the computer. In your planning, therefore, you must decide which security settings you will check on the client
computer. This can be complicated. For example, you may decide that all clients
that connect to your network must have an antivirus application installed, and that
the virus detection files must be up to date. However, if you allow users to use any
antivirus software, the script must check for all acceptable antivirus applications.
The script that checks the security configuration on the client computer can become
very complicated, so you must plan to have very competent scripting help available.
See Also
Planning for VPN deployment is discussed in more detail in Chapter 10.
10. Plan the implementation. All your planning to this point has created a target
state for your ISA Server implementation. The next step is to plan the actual implementation. How will you move your organization from where it is now to the target state? The following components are involved in the implementation planning:
❑ When you implement a new technology, you will almost always have an
impact on the current environment, and you must define that impact. For
example, when you deploy ISA Server, you may choose to deploy the Firewall Client to all client computers, or you may decide to implement new
restrictions on what resources users can access on the Internet. Your
deployment plan must identify all the ways that your implementation will
affect the current environment. Whenever possible, strive to make the
impact as transparent as possible; that is, your goal should be to minimize
the impact on the users.
❑ Define an implementation plan. At a high level, there are two possible scenarios for implementing a new technology. One option is to deploy the new
technology alongside the existing technology and complete all your testing
before switching to the new technology. This is the preferred implementation
plan because it carries the least risk. If you deploy ISA Server for the first time
in your organization, this is probably the best approach. The second deployment scenario is to upgrade the existing technology rather than create a parallel implementation. This is a typical approach when you upgrade an
existing infrastructure. For example, if you upgrade from ISA Server 2000 to
ISA Server 2004, you can install ISA Server 2004 servers and migrate most of
the ISA Server 2000 configuration settings to the new servers. Regardless of
which approach you use, your implementation plan should clearly define
how the ISA Server computers will be deployed, and how the environment
will be switched over to the new technology.
❑ Another important part of your planning is a user education plan. If the end-user experience will change as a result of the implementation, you must
define a process for informing users. If the impact is minimal, you may be
able to inform users with a simple e-mail. For example, if the only impact on
users is that they will be limited in what resources or protocols they can use
to access the Internet, then an e-mail explaining the differences, with a link to
an intranet site that lists the organization’s security policy, may be all that is
required. If the impact is significant, you may need to plan more formal training. For example, if you implement a remote access VPN for the first time,
you may need to provide training about how to install and configure the
remote access VPN client.
❑ Test the implementation and conduct a pilot project. Before deploying a new
technology into production, it is critical that you test and pilot the implementation. A test implementation is usually performed under strict restrictions.
The initial test implementation should not affect any actual users. For example, perform the tests using test accounts from test client computers. If you
use ISA Server to publish internal servers, the initial testing should not include
a production server, but rather a test server. In most cases, a pilot implementation uses a small group of actual users to test the configuration. For example, you may choose a small group of users and reconfigure their default
gateway or Web proxy configuration to point to the ISA Server computer for
Internet access. You can then use this group of users to test the access rules.
If you are piloting publishing, configure a publishing rule that will publish a
non-critical server before publishing all the internal servers.
Network Infrastructure Requirements
For your ISA Server implementation to succeed, you must ensure that the network infrastructure supports the ISA Server implementation. To support your ISA Server infrastructure, the following networking services must be installed and configured on your
network:
■ DNS
■ Domain controllers
■ DHCP
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.
Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the
DNS names for servers on the Internet to IP addresses. If you publish internal servers to
the Internet, users on the Internet must be able to resolve the DNS names for the published servers to an IP address. To enable both of these scenarios, a DNS infrastructure
must be in place to provide name-resolution services.
Exam Tip
Without DNS name resolution, users cannot connect to any resources located
on a remote network. If an exam question mentions that users cannot connect to a resource,
and the users are using a fully qualified domain name (FQDN) to connect to the resource,
always check whether DNS name resolution could be the cause of the problem. If DNS name
resolution is not the problem, then check the firewall access rule configuration.
To enable access to Internet resources, ensure that all client computers can resolve
Internet DNS names. At a high level, you have two options for enabling name resolution for Internet resources: You can use an internal DNS server that can resolve both
internal and Internet DNS addresses, or you can use an external DNS server to resolve
IP addresses on the Internet.
To Use an Internal DNS Server Many organizations have deployed DNS servers on
their internal networks. If you have deployed Active Directory in Microsoft Windows
2000 Server or in Windows Server 2003, DNS is required for domain replication and
user authentication, so all client computers running Windows 2000 or later must be
able to resolve the DNS names for domain controllers. In this environment, the internal
DNS server is configured with DNS zones for your Active Directory domains.
To allow internal users to access Internet resources, the internal DNS servers must also
be configured to resolve Internet DNS names. One way to enable this is to configure
the DNS servers to forward all requests for Internet name resolution to DNS servers on
the Internet. When you configure a DNS server to use a forwarder, it sends to the forwarder requests for domains for which it is not authoritative. To configure a DNS server
to use a forwarder, perform the following steps:
1. Open the DNS console from the Administrative Tools menu.
2. Right-click your server name in the left pane of the console, and then click Properties.
3. Click the Forwarders tab, as shown in Figure 2-1.
Figure 2-1 Configuring a DNS forwarder
4. Click Enable Forwarders and type the IP address of the DNS servers that you want
to use as forwarders. In most cases, this will be the DNS server or servers of your
Internet service provider (ISP).
Important
For the internal DNS servers to resolve Internet domain names using forwarders, ensure that the access rules on ISA Server allow the internal DNS servers to send DNS
queries to the Internet.
A second option for configuring the internal DNS servers to resolve Internet names is to
use root hints. The Internet root servers are authoritative for the DNS root domains, so if
your DNS server is configured to use the root servers, it will use iterative queries to
resolve DNS names on the Internet. By default, when you install DNS on a Windows
2000 Server or Windows Server 2003 that can connect to the Internet, the Internet root
servers are automatically added to the root hints list. If you do not configure a forwarder,
the DNS server will use the Internet DNS root servers to resolve Internet addresses.
Security Alert In most cases, using a DNS forwarder is considered more secure than using
root hints. If you use a DNS forwarder, you can configure the firewall access rules so that DNS
queries from the internal network are allowed only to the DNS servers configured as forwarders.
If you use root hints, you must allow DNS queries to any DNS server on the Internet.
To Use an External DNS Server Some organizations have not deployed internal DNS
servers or have not configured the internal DNS servers to resolve Internet DNS
addresses. In this situation, all Internet name resolution must be performed by DNS
servers on the Internet. You have two options to enable this. If you use Web Proxy clients and Firewall clients, ISA Server can function as a DNS proxy server to resolve
Internet DNS requests on the client’s behalf.
When Web Proxy and Firewall clients connect to the ISA Server computer, ISA Server
informs the clients which domain names are considered local. ISA Server uses the
domains defined on the Domains tab on the Internal Properties dialog box to determine which resources are local and which resources are remote. To access the dialog
box in ISA Server Management, expand Configuration, click Networks and the Networks tab, and double-click Internal. Figure 2-2 shows the Domains tab in the Internal
Properties dialog box. When you add your internal domain to the Domains list, ISA
Server instructs the Web Proxy and Firewall clients to use the internal DNS server on
your network to resolve these names. When a client requests the IP address for any host that is not in a domain listed on the Domains tab, the ISA Server computer will attempt to
resolve the IP address using DNS servers on the Internet. To enable this, you must configure the external network interface on the server running ISA Server with the IP
addresses for DNS servers on the Internet.
Figure 2-2 The Domains tab should list all the domains on the internal network.
SecureNAT clients cannot use ISA Server for DNS name resolution. The SecureNAT client must be configured with the IP address of a DNS server that can resolve both internal and external host names. If you have no need to resolve internal host names (for
example, if you use WINS to resolve internal names), then you can configure the
SecureNAT clients with the IP address of a DNS server on the Internet. In this scenario,
you also need to create an access rule that allows the client computers to access the
Internet using the DNS protocol. In addition, with this configuration, you cannot use
DNS to resolve the IP addresses for internal network resources.
If you use ISA Server to resolve DNS names for Web Proxy and Firewall client computers, ISA Server uses its own DNS cache component that is built on top of the Windows
DNS resolver. Whenever a DNS name is resolved through ISA Server by a DNS client
on the internal network, ISA Server caches the lookup result. The purpose of the cache
is to reduce the number of DNS queries that exit the firewall boundaries.
The DNS cache consists of three separate elements:
■ A cache of DNS name-to-address resolutions.
■ A cache of DNS address-to-name resolutions (also called the reverse cache).
■ A cache of failures to perform DNS address-to-name resolutions. This cache is also
called the negative cache. Its purpose is to mitigate possible denial-of-service (DoS) attacks on the
reverse cache. After a failure to locate an entry in the reverse cache, the negative
cache is consulted; if the entry is found there, the firewall will not attempt a
reverse DNS query against the Windows DNS resolver.
Exam Tip
If you get an exam question in which the problem seems to be name resolution,
but the DNS settings all appear correct, the problem may be that ISA Server has the DNS
name stored in its negative cache. You can use the DNSTools.exe utility from the ISA Server
Resource Kit to view and delete entries from the DNS cache.
Entries are removed from the three caches in one of the following ways:
■ When ISA Server retrieves an entry from the DNS cache, it checks the time-to-live
(TTL) on the entry. If the TTL has expired, ISA Server removes the entry from the
cache. ISA Server 2004 uses the TTL given by the DNS server. However, if the TTL is less
than 6 minutes, it is changed to 6 minutes; if it is more than 6 hours, it is changed to
6 hours.
■ When the cache size reaches the maximum threshold defined by the DnsCacheSize
registry setting, the 25 percent of entries whose TTL will expire soonest are removed
from the cache. By default, DnsCacheSize is set to 3000.
■ The firewall service also traverses the three caches once every 30 minutes and
removes cache entries whose TTL has expired.
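As an added example that is not part of the training kit or of ISA Server, the following Python model implements the cache policy just described (clamped TTLs, the negative cache, eviction of 25 percent of entries when DnsCacheSize is reached, and the 30-minute sweep); the class and stub resolver names, the clock handling and the negative-cache lifetime are assumptions of the example.

```python
"""ISA Server 2004 DNS cache policy as described in this lesson (added example, not ISA code).
Implements TTL clamping (6 minutes to 6 hours), a negative cache for failed reverse
lookups, eviction of the 25 percent of entries closest to expiry once DnsCacheSize is
reached, and the 30-minute sweep. The resolver stub and clock are constructed; the
negative-cache lifetime is an assumption the lesson does not state.
"""
import time

MIN_TTL = 6 * 60            # TTL floor: 6 minutes
MAX_TTL = 6 * 60 * 60       # TTL ceiling: 6 hours
DEFAULT_CACHE_SIZE = 3000   # default DnsCacheSize registry value
EVICT_FRACTION = 0.25       # share of entries dropped when a cache is full
SWEEP_INTERVAL = 30 * 60    # firewall service sweep period
NEGATIVE_TTL = MIN_TTL      # assumption: lifetime of a negative entry


def clamp_ttl(ttl):
    """Apply the 6 minute floor and 6 hour ceiling to a server-supplied TTL."""
    return max(MIN_TTL, min(MAX_TTL, ttl))


class IsaDnsCache:
    """Forward, reverse and negative caches sharing one expiry and eviction policy."""
    def __init__(self, resolver, max_size=DEFAULT_CACHE_SIZE, clock=time.time):
        self.resolver = resolver    # callable(key, reverse) -> (answer, ttl) or None
        self.max_size = max_size
        self.clock = clock
        self.forward = {}           # name -> (address, expires_at)
        self.reverse = {}           # address -> (name, expires_at)
        self.negative = {}          # address -> (True, expires_at) for failed reverse lookups
        self.last_sweep = clock()

    def _get(self, table, key):
        entry = table.get(key)
        if entry is None:
            return None
        if entry[1] <= self.clock():    # TTL is checked on retrieval; expired entries go
            del table[key]
            return None
        return entry[0]

    def _put(self, table, key, value, ttl):
        if len(table) >= self.max_size:
            self._evict(table)
        table[key] = (value, self.clock() + clamp_ttl(ttl))

    def _evict(self, table):
        """Drop the 25 percent of entries whose TTL expires soonest."""
        count = max(1, int(len(table) * EVICT_FRACTION))
        for key in sorted(table, key=lambda k: table[k][1])[:count]:
            del table[key]

    def _maybe_sweep(self):
        """Every 30 minutes, purge expired entries from all three caches."""
        now = self.clock()
        if now - self.last_sweep < SWEEP_INTERVAL:
            return
        for table in (self.forward, self.reverse, self.negative):
            for key in [k for k, entry in table.items() if entry[1] <= now]:
                del table[key]
        self.last_sweep = now

    def resolve(self, name):
        """Name to address; only a cache miss sends a query out through the firewall."""
        self._maybe_sweep()
        address = self._get(self.forward, name)
        if address is None:
            answer = self.resolver(name, reverse=False)
            if answer is None:
                return None
            address, ttl = answer
            self._put(self.forward, name, address, ttl)
        return address

    def reverse_resolve(self, address):
        """Address to name; a negative-cache hit suppresses a repeated reverse query."""
        self._maybe_sweep()
        name = self._get(self.reverse, address)
        if name is not None:
            return name
        if self._get(self.negative, address) is not None:
            return None
        answer = self.resolver(address, reverse=True)
        if answer is None:
            self._put(self.negative, address, True, NEGATIVE_TTL)
            return None
        name, ttl = answer
        self._put(self.reverse, address, name, ttl)
        return name


class StubResolver:
    """Constructed stand-in for the Windows DNS resolver; counts queries leaving the firewall."""
    def __init__(self, records):        # records: name -> (address, ttl)
        self.forward = dict(records)
        self.reverse = {addr: (name, ttl) for name, (addr, ttl) in records.items()}
        self.queries = 0

    def __call__(self, key, reverse):
        self.queries += 1
        return (self.reverse if reverse else self.forward).get(key)
```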
See Also
If you are publishing internal resources to the Internet, you also need to configure DNS to resolve published resources. Details on how to configure this will be provided in
Chapter 8.
Domain Controller Requirements
If you want to restrict access to Internet resources based on user accounts, or if you want
to require authentication before users can access published servers, ISA Server must be
able to access a directory of user accounts to determine whether the user should have
access. ISA Server provides several options for authenticating the users, including
Remote Authentication Dial-In User Service (RADIUS), RSA SecurID, or the local user
account database on the computer running ISA Server. However, the easiest option to
implement for most organizations is to use a domain directory service to authenticate the
users. Most organizations already have a domain infrastructure that includes all the user
accounts; in such cases, ISA Server can use this directory service to authenticate user
accounts.
You can use Windows 2000, Windows Server 2003, or Windows NT 4 domains to perform this service. To use the domain for authentication, the server running ISA Server
must be a member of the domain. In addition, ISA Server must be able to communicate
with the domain controllers on the internal network. If you use Active Directory in
Windows Server 2003 or Windows 2000, you must configure the internal network interface on the ISA Server computer with the IP address of a DNS server that can resolve
the IP addresses for the local domain controllers.
Real World Should the ISA Server Computer Be a Member of the
Internal Domain?
One of the more controversial debates when deploying ISA Server is the question
of whether the ISA Server computer should be a member of a domain or whether
it should be a stand-alone computer. Using a stand-alone computer is generally
considered more secure because of the dangers of exposing a domain member
directly to the Internet. If a computer that is a member of a domain is compromised, it is much easier for the attacker to gain access to the domain information,
including the account names for all domain user accounts. In addition, if the ISA
Server computer is a member of the internal domain, you must enable domain
authentication traffic as well as Lightweight Directory Access Protocol (LDAP) and
global catalog traffic from the ISA Server computer to the domain controllers on
the internal network.
On the other hand, configuring authentication on ISA Server is much more complicated if the ISA Server computer is not a domain member. This is particularly
true if you require authentication for outgoing Internet requests. Usually, all users
in the organization are granted some level of access to the Internet, and duplicating all the user accounts on the ISA Server computer or using an alternative
authentication mechanism such as RADIUS is just too complicated.
It might be more reasonable to use an alternative means of authentication for
granting access to published resources for Internet users. For example, if only a
few users are accessing a secured Web site, then using SecurID, RADIUS, or certificate-based authentication may be feasible.
One way to meet the requirement to use domain authentication for Internet
access requests for internal users, but still ensure that the ISA Server computer at
the Internet-edge is not a domain member, is to use two ISA Server computers.
One ISA Server computer that is not a domain member can be the Internet-edge
server, and it will authenticate all user requests using a means other than domain
authentication. A second ISA Server computer that is a domain member can then
be used as the proxy server for all internal users, and it can use domain authentication to authenticate outgoing requests.
Dynamic Host Configuration Protocol Requirements
DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management. Even on relatively small networks of 250 or
fewer computers, you will benefit from reduced administrative effort by configuring a
DHCP server on your network. The advantage of using DHCP is that it can provide the IP
configuration for all the client computers on your network automatically. This can make
your ISA Server deployment much more efficient. For example, if you need to reconfigure
the default gateway for all your client computers to point to the new ISA Server computer
or to a new DNS server for Internet name resolution, you can just change the scope setting
on the DHCP server and all the clients will be reconfigured automatically.
Tip The IP address configuration for all network hosts can be assigned using DHCP. However, most organizations do not configure servers as DHCP clients. In particular, domain controllers, DNS servers, and ISA Server computers must not be DHCP clients.
DHCP is also used to support VPN remote access connections to ISA Server. By default,
ISA Server will use DHCP to assign IP addresses to all VPN clients. When you enable
remote VPN client access on ISA Server, it will obtain a set of IP addresses from the
DHCP server and assign the IP address to the VPN clients. By default, ISA Server 2004
will also assign DNS or WINS server addresses based on the DHCP scope information.
Server Requirements
To install ISA Server 2004, you must ensure that you have the correct operating system
and hardware configurations.
Operating System Requirements
ISA Server 2004, Standard Edition, can be installed only on computers running Windows
2000 Server or Windows Server 2003. You can install ISA Server on the Standard Edition,
Enterprise Edition, or Datacenter Edition of either Windows Server 2003 or Windows
2000 Server with Service Pack 4.
When installing ISA Server 2004 on a server running Windows 2000 Server, note the
following additional requirements:
■ You must install Windows 2000 Service Pack 4.
■ You must install Microsoft Internet Explorer 6.
■ If you installed Windows 2000 from media that included the Service Pack (SP4)
files, install the hotfix specified in article KB821887, “Events for Authorization
Roles Are Not Logged in the Security Log When You Configure Auditing for
Windows 2000 Authorization Manager Runtime,” in the Microsoft Knowledge Base
at http://support.microsoft.com/default.aspx?scid=kb;en-us;821887.
Note
If you are installing ISA Server on a server running Windows 2000, the following
options are not supported:
■ Configuring the Layer 2 Tunneling Protocol (L2TP) IPSec pre-shared key is not
supported.
■ Quarantine mode for VPN clients is not supported when using RADIUS policy.
Hardware Requirements
The minimum hardware requirements for installing ISA Server 2004 are as follows:
■ A personal computer with a 550 megahertz (MHz) or higher Pentium III–compatible CPU.
■ 256 megabytes (MB) of memory.
■ One network adapter for communication with the internal network.
■ An additional network adapter for each network directly connected to the ISA
Server 2004 computer. If you are using the ISA Server computer as a proxy and
caching-only server, you do not need an additional network adapter.
■ One local hard disk partition that is formatted with the NTFS file system and that
has at least 150 megabytes (MB) of available hard disk space. If you enable caching and logging, you will need additional hard disk space.
Tip
As you can see from the previous list, ISA Server does not require a high-powered
server in most environments. If you are deploying ISA Server in a small to medium-sized organization, you can probably reuse older hardware that has been replaced. Just ensure that you
have all the appropriate Windows drivers if you are using older hardware.
ISA Server Enterprise Edition Installation Requirements
ISA Server 2004, Enterprise Edition, must be installed on a computer that is running
Windows Server 2003. In addition to the hardware requirements listed above, you will
need the following minimum disk space requirements for the ISA Server components:
■ ISA Server Services—106 MB
■ Configuration Storage server—58 MB
■ ISA Server Services and Configuration Storage server—156 MB
■ ISA Server management—32 MB
Planning These hard disk specifications are the minimum requirements for installing the
Configuration Storage server or ISA Server. By default, ISA Server logs all connections or
attempted connections. On a busy ISA Server computer, these log files can amount to several
hundred megabytes (MB) per day. During a denial-of-service (DoS) attack or a virus outbreak,
these logs can be several gigabytes (GB) per day, so ensure that you have sufficient hard-disk
space for the log files. In addition, if you activate caching, ensure that you have enough hard-disk space to store a cache file that meets your requirements.
Guidelines for Capacity Planning
ISA Server can be scaled to support an organization of almost any size, either by increasing the hardware level on individual ISA Server computers or by deploying multiple ISA
Server computers. The following factors should influence your choice in hardware configuration:
■ Bandwidth of the Internet connection
■ Firewall policy configuration
■ Logging requirements
■ Availability and redundancy requirements
See Also For more information about scaling ISA Server, see the article “ISA Server Performance Best Practices” at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx.
Internet Connection Bandwidth
ISA Server is designed to provide very fast data throughput, even if each packet is
inspected at multiple layers. In most cases, the throughput of ISA Server will exceed the
throughput of the Internet connection. A typical default deployment of ISA Server securing outbound Web access (Hypertext Transfer Protocol [HTTP] traffic) requires the hardware configurations for various Internet links shown in Table 2-1.
Table 2-1 ISA Server 2004 Hardware Scalability

Internet link bandwidth                    Up to 5 T1 (7.5 Mbps)           Up to 25 Mbps            Up to T3 (45 Mbps)
Processors                                 1                               1                        2
Processor type                             Pentium III 550 MHz or higher   Pentium 4 2.0–3.0 GHz    Xeon 2.0–3.0 GHz
Memory                                     256 MB                          512 MB                   1 GB
Disk space                                 150 MB                          2.5 GB                   5 GB
Network adapters                           10/100 Mbps                     10/100 Mbps              100/1000 Mbps
Concurrent VPN remote access connections   150                             700                      850
In most situations, a single computer has enough processing power to secure traffic
going through standard Internet links. If you are using ISA Server primarily as a Web
proxy server with minimal packet filtering, ISA Server running on a single Pentium 4,
2.4-GHz processor can provide a throughput of approximately 25 megabits per second
(Mbps) at 75 percent CPU utilization. This means that, for each T1 Internet link
(1.5 Mbps), the firewall service will use only 4.5 percent of CPU capacity. Dual Xeon
2.4-GHz processors can provide a throughput of approximately 45 Mbps (T3) at 75
percent of CPU, or 2.5 percent of CPU for every T1.
As you increase the level of application filtering, or if you are publishing multiple servers, the processor usage will increase. However, unless you have an Internet connection faster than 25 Mbps, the throughput on a single computer running ISA Server will
exceed the capacity of the network connection.
Firewall Policy Configuration
ISA Server uses application filters to perform application level security inspection. An
application filter is a dynamic-link library (DLL) that registers to a specific protocol port.
Whenever a packet is sent to this protocol port, it is passed to the application filter, which
inspects it according to application logic and decides what to do according to policy.
When no application filter is assigned to a protocol, data undergoes TCP stateful filtering.
At this level, ISA Server only checks the Transmission Control Protocol/Internet Protocol
(TCP/IP) header information.
In general, application level filtering requires more processing than TCP stateful filtering for several reasons:
■ Application filters inspect the data payload, while TCP stateful filtering looks only
at the TCP/IP header information. Application filters can perform other actions
with the data payload, such as inspecting it and blocking it, or changing content
according to application logic.
■ Application filters work in user mode space. Transport level filtering works in kernel mode. This means extra processing overhead for passing the data through the
full operating system networking stack.
Because application filters extend firewall processing, they can affect performance. To
optimize the performance of your ISA Server computers when using application filters,
do the following:
■ Obtain performance information for the filters you use and tune them to be as efficient as possible. One example is the HTTP Web filter that can be configured to look
at HTTP payload and search for specific signatures. You can configure the HTTP filter to examine both request and response headers as well as the body of the request
and response. If you are trying to block a specific signature (for example, to stop
users from using a particular application that uses HTTP), configure the HTTP filter
to examine only the relevant request or response component. When you configure
the HTTP filter to search request or response bodies, you can configure how many
bytes will be scanned by the filter. If you know that the particular signature that you
want to block always appears in the first 100 bytes of the response body, configure
the HTTP filter to examine only the first 100 bytes rather than the entire response.
■ Where applicable, consider using ISA Server rules instead of a filter. For example,
site blocking using access rule destination sets may be more efficient than a Web
filter that does the same thing.
The number and type of published servers can also affect your ISA Server performance. The more servers you publish on ISA Server, the more server resources are
needed. This is especially true if you publish secure Web sites because of the extra
resources required to decrypt and encrypt Secure Sockets Layer (SSL) traffic.
Logging Requirements
ISA Server provides two options for logging firewall activity:
■ MSDE logging This method is the default logging method for firewall and Web
activity. ISA Server writes log records directly to a Microsoft SQL Server Desktop
Engine (MSDE) database to enable online sophisticated queries on logged data.
■ File logging With this method, ISA Server writes log records to a text file in a
sequential manner.
MSDE has more features, but it uses more system resources. Specifically, you can expect
an overall 10 percent to 20 percent improvement in processor utilization when switching
to file logging from MSDE. MSDE logging also consumes more disk storage resources.
MSDE logging performs about two disk accesses for every megabit of traffic; file logging
requires the same number of disk accesses for every 10 megabits. One way to improve ISA
Server performance is to switch from MSDE to file logging. This is recommended only
when there is a performance problem caused by saturated processor or disk access.
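Putting the throughput figures from the Internet Connection Bandwidth section together with the logging costs above, here is an added Python estimator (not from the training kit or ISA Server) that projects CPU utilization, log-related disk accesses per second and the Table 2-1 tier for a given link; the platform and logging keys, the linear scaling with traffic and the use of the measured 75 percent point as the ceiling are assumptions of the example.

```python
"""Capacity-planning estimator from the figures in this lesson (added example, not ISA Server
code). It uses the quoted measurements: a single Pentium 4 2.4 GHz reaches 25 Mbps at
75 percent CPU, dual Xeon 2.4 GHz reach 45 Mbps at 75 percent CPU, MSDE logging costs about
two disk accesses per megabit and file logging two per 10 megabits. Linear scaling with
traffic is assumed, as the lesson's "per T1" arithmetic implies; the tier table is Table 2-1.
"""
T1_MBPS = 1.5
MEASURED_CPU_PERCENT = 75.0

# Throughput (Mbps) observed at 75 percent CPU, from the Internet Connection Bandwidth section
THROUGHPUT_AT_75 = {
    "pentium4_2.4ghz": 25.0,    # one processor
    "dual_xeon_2.4ghz": 45.0,   # two processors (T3 rate)
}

# Disk accesses per megabit of traffic logged, from the Logging Requirements section
DISK_ACCESSES_PER_MBIT = {"msde": 2.0, "file": 2.0 / 10.0}

# Table 2-1 rows: (max link Mbps, processors, processor type, memory, disk, adapters, VPN sessions)
HARDWARE_TIERS = [
    (7.5, 1, "Pentium III 550 MHz or higher", "256 MB", "150 MB", "10/100 Mbps", 150),
    (25.0, 1, "Pentium 4 2.0-3.0 GHz", "512 MB", "2.5 GB", "10/100 Mbps", 700),
    (45.0, 2, "Xeon 2.0-3.0 GHz", "1 GB", "5 GB", "100/1000 Mbps", 850),
]


def projected_cpu_percent(link_mbps, platform):
    """CPU share the firewall service needs to drive link_mbps, scaled from the 75 percent point."""
    return MEASURED_CPU_PERCENT * link_mbps / THROUGHPUT_AT_75[platform]


def cpu_percent_per_t1(platform):
    """CPU share per saturated T1 (1.5 Mbps): 4.5 on the Pentium 4, 2.5 on dual Xeon."""
    return projected_cpu_percent(T1_MBPS, platform)


def disk_accesses_per_second(link_mbps, logging):
    """Log-related disk accesses per second with the link saturated (megabits per second in)."""
    return link_mbps * DISK_ACCESSES_PER_MBIT[logging]


def hardware_tier(link_mbps):
    """Smallest Table 2-1 row whose link rating covers the connection, or None if none does."""
    for tier in HARDWARE_TIERS:
        if link_mbps <= tier[0]:
            return tier
    return None


def plan(link_mbps, platform="pentium4_2.4ghz", logging="msde"):
    """Summarize the projections for one Internet link."""
    cpu = projected_cpu_percent(link_mbps, platform)
    return {
        "link_mbps": link_mbps,
        "t1_equivalents": link_mbps / T1_MBPS,
        "cpu_percent": cpu,
        # The measured 75 percent point is the highest utilization the lesson vouches for
        "single_server_sufficient": cpu <= MEASURED_CPU_PERCENT,
        "disk_accesses_per_second": disk_accesses_per_second(link_mbps, logging),
        "logging": logging,
        "tier": hardware_tier(link_mbps),
    }


if __name__ == "__main__":
    for mbps in (1.5, 7.5, 25.0, 45.0):
        for platform in THROUGHPUT_AT_75:
            p = plan(mbps, platform)
            print(f"{mbps:5.1f} Mbps on {platform}: {p['cpu_percent']:.1f}% CPU, "
                  f"{p['disk_accesses_per_second']:.0f} MSDE disk accesses/s, "
                  f"single server {'ok' if p['single_server_sufficient'] else 'insufficient'}")
```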
Redundancy and Availability Requirements
A single high-end server running ISA Server can meet the performance requirements for
most organizations. However, in addition to server performance, an organization might
also have redundancy and availability requirements. Even if one server can provide more
throughput than can the connection to the Internet, your organization may still want to
consider installing additional ISA Server computers to ensure that an ISA Server computer
is always available in the event of a single server failure.
ISA Server 2004, Enterprise Edition, is designed for these deployment scenarios. Enterprise Edition integrates network load balancing (NLB), which can be used to distribute
the load on the ISA Server computers across multiple computers. If one of the ISA
Server computers in the NLB cluster fails, the other servers in the cluster provide redundancy. In most cases, the server failure will be transparent to users. Enterprise Edition
also uses the Configuration Storage server, so you can add and remove servers from
arrays without configuring each individual server.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review the
material in this lesson before beginning the next lesson. You can find answers to these
questions in the “Questions and Answers” section at the end of this chapter.
1. You want to implement SecureNAT clients for Internet access for all employees
and provide for Internet and internal name resolution. You want to minimize the
number of DNS servers that are accessed from the internal network. What steps
must you take? (Choose all that apply.)
a. Configure the clients’ TCP/IP settings to point to the internal DNS server.
b. Configure delegation on the internal DNS server.
c. Configure the internal DNS server to forward irresolvable queries to an external DNS server.
d. Configure the clients’ default gateway to point to the internal interface on ISA
Server.
e. Configure root hints on the internal DNS server.
f. Configure the clients’ default gateway to point to the external interface on ISA
Server.
2. Your organization’s IT security policy states that the internal DNS server supports
only Active Directory and should never perform iterative queries to the Internet.
Your clients run the Web Proxy client for Internet access. What steps must you
take to ensure that your clients can access Internet resources without violating the
IT security policy? (Choose all that apply.)
a. Configure the client’s Web browsers to use the ISA Server computer as a
proxy server.
b. Configure the external interface on ISA Server with the IP address of an external DNS server.
c. Configure the client computer’s default gateway to use the internal interface
on ISA Server.
d. Configure the internal interface on ISA Server to use an external DNS server.
e. Configure the internal DNS server to forward irresolvable queries to the ISA
Server computer.
Lesson Summary
■ The deployment of ISA Server is one of the critical aspects of ensuring that your
organization’s network is secure; therefore, the planning process is crucial. There
is a wide variety of security and functional requirements that must be considered
when planning your ISA Server deployment.
■ To ensure the success of your ISA Server installation, make sure that your network
infrastructure will support ISA Server implementation. DNS, domain controllers,
and DHCP are essential.
■ To install ISA Server 2004, ensure that you have the correct operating system and
hardware configurations. ISA Server, Standard Edition, can be installed on Windows 2000 Server or Windows Server 2003 with a relatively low level of hardware
(see the lesson for details). ISA Server, Enterprise Edition, must be installed on
Windows Server 2003.
■ A single server running ISA Server 2004 will provide enough throughput for most
small to medium-sized organizations. However, larger organizations with fast
Internet connections, complex firewall configurations that require application filtering, or high availability requirements might want to deploy ISA Server, Enterprise Edition, on multiple servers to meet their requirements.
Lesson 2: Installing ISA Server 2004
After you complete your planning, you are ready to install your first computer running
ISA Server 2004. This lesson describes how to install ISA Server 2004 and how to verify
and troubleshoot an ISA Server installation. It also describes how to perform both a manual and an unattended installation of ISA Server 2004. Finally, this lesson provides an
overview of how to migrate from ISA Server 2000 to ISA Server 2004.
After this lesson, you will be able to
■ List the steps in the ISA Server 2004 installation preparation process
■ Install ISA Server, Standard Edition
■ Verify a successful installation of ISA Server 2004
■ Perform an unattended installation of ISA Server 2004
■ Troubleshoot an ISA Server 2004 installation
Estimated lesson time: 45 minutes
ISA Server 2004 Installation Preparation Checklist
As you prepare to install ISA Server 2004, use the following checklist to ensure that you
are ready to complete the installation:
■ Install Windows 2000 Server or Windows Server 2003 on the server. Ensure that
Microsoft Internet Information Services (IIS) is not installed during the installation
unless you plan to publish a Web site on the ISA Server computer. As a best practice, install all service packs and security updates on the server before installing
ISA Server.
■ Ensure that you have the ISA Server installation media available.
■ Log on as a local administrator. You must be a local administrator on the server in
order to install ISA Server.
■ Configure the network interfaces on the server.
■ Understand the installation types and the implications of choosing each option.
Choose one of the installation types.
■ Understand the installation options and the implications of choosing each option.
Choose which options you will select during installation.
■ Prepare a plan for verifying the ISA Server installation.
Important
Before installing ISA Server 2004, review the Release Notes file that is located
on the ISA Server 2004 installation CD-ROM. This file contains important information on
installation issues that you could encounter.
Guidelines for Installing ISA Server, Standard Edition
Installing ISA Server, Standard Edition, is a fairly simple process if you have planned the
installation carefully. You will begin by configuring the network interface cards on the
ISA Server computer and then complete the installation. This section shows the overall
process and provides some guidelines for performing the installation. You will install ISA
Server, Standard Edition, as part of the practice.
To Configure the ISA Server Network Interfaces
In most cases, the server running ISA Server is situated between multiple networks. At a
minimum, when ISA Server is deployed as an Internet-edge firewall, it will have two network interfaces, one connected to the Internet and the other connected to the internal
network. You can also configure ISA Server to support additional networks, for example,
you may have a perimeter network (also known as a demilitarized zone, or DMZ)
attached to the server running ISA Server. The configuration of the network interfaces
depends on which network the network interface is connected to.
Exam Tip
One of the more common reasons explaining why an ISA Server computer does
not perform as expected is that the network interfaces are not correctly configured. If you see
an exam question that asks you to troubleshoot a problem, and you are provided with the configuration settings for the network interfaces, you can be fairly certain that the problem is with
the network interface configuration.
The Internal Interface Use the following guidelines to configure the internal interface
of the ISA Server computer:
■ The internal interface of the ISA Server computer must have an IP address that is
on the local network. If you are using network address translation (NAT) on the
ISA Server computer, you can use addresses from the private IP address range for
the internal network.
Note
The private IP address ranges are 10.0.0.0, 172.16.0.0—172.32.0.0 and
192.168.0.0—192.168.255.0. These addresses cannot be routed on the Internet, so you
can use any of these addresses internally.
■ The internal interface of the ISA Server computer should be configured with a
DNS server address that can resolve internal host names. When incoming requests
from external clients are forwarded to the internal network, the ISA Server computer will use the DNS server configured on the internal interface to resolve the
internal host name. This is especially important if you choose to use host names
when publishing internal servers using Web publishing rules.
■ Do not configure a default gateway on the internal interface of the ISA Server
computer. The only interface that should have a default gateway is the external
interface of the ISA Server computer.
The External Interface Use the following guidelines to configure the external interface of the ISA Server computer:
■ The IP address assigned to the external interface must be routable on the Internet.
In most cases, this IP address is provided by your ISP.
■ Only the external interface on the ISA Server computer should be configured with
a default gateway. If that interface is directly attached to the Internet, then configure the network interface to use the default gateway provided by your ISP.
■ If you want ISA Server to provide DNS proxy services for internal Web Proxy and
Firewall clients, then configure the external interface with the IP addresses of DNS
servers on the Internet.
Tip
By default, the network interfaces on Windows servers are named Local Area Connection, Local Area Connection 2, and so on. To make it easier to distinguish between the network interfaces, you should rename them with more descriptive names, such as Internal,
External, and Perimeter.
Perimeter Network Interfaces Use the following guidelines to configure the perimeter
interface of the ISA Server computer:
■ If you are using NAT between the Internet and the perimeter network, you can use
private IP addresses for the perimeter network. In this case, assign one of the private IP addresses to the ISA Server interface on that network. If you are using a
route relationship between the Internet and perimeter network, then you must use
an address that is routable on the Internet (that is, you cannot use an address from
the private IP address range).
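The internal, external and perimeter interface guidelines above can be checked mechanically against a description of the server's adapters and of the Internal network address ranges chosen during Setup (covered later in this lesson). The following Python checker is an added example, not part of the training kit or of ISA Server; the interface dictionary layout, the check_interfaces function and the sample addresses are assumptions of the example.

```python
"""Checker for the interface guidelines in this lesson (added example, not ISA Server code).
It reads a constructed description of the ISA Server network interfaces and of the Internal
network address ranges chosen during Setup, and reports every deviation from the guidelines:
a default gateway anywhere but the external interface, an internal address outside the
Internal network, a private external or route-relationship perimeter address, and missing
DNS servers. The dictionary layout and the sample addresses are assumptions of the example.
"""
import ipaddress

# RFC 1918 private ranges, which cannot be routed on the Internet
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def check_interfaces(interfaces, internal_ranges, perimeter_relationship="nat", dns_proxy=True):
    """Return a list of findings; an empty list means the configuration follows the guidelines.

    interfaces: dicts with keys name, role ("internal", "external" or "perimeter"), ip,
                gateway (None if unset) and dns (list of DNS server addresses).
    internal_ranges: address ranges assigned to the Internal network during Setup.
    perimeter_relationship: "nat" or "route" between the Internet and the perimeter network.
    dns_proxy: whether ISA Server should resolve Internet names for Web Proxy/Firewall clients.
    """
    findings = []
    internal_nets = [ipaddress.ip_network(r, strict=False) for r in internal_ranges]
    roles = {iface["role"] for iface in interfaces}
    if not {"internal", "external"} <= roles:
        findings.append("an Internet-edge firewall needs both an internal and an external interface")
    for iface in interfaces:
        name, role, ip = iface["name"], iface["role"], ipaddress.ip_address(iface["ip"])
        inside_internal = any(ip in net for net in internal_nets)
        if role == "internal":
            if iface.get("gateway"):
                findings.append(f"{name}: the internal interface must not have a default gateway")
            if not inside_internal:
                findings.append(f"{name}: address {ip} is not within the Internal network ranges")
            if not iface.get("dns"):
                findings.append(f"{name}: configure a DNS server that resolves internal host names")
        elif role == "external":
            if not iface.get("gateway"):
                findings.append(f"{name}: the external interface must use the ISP default gateway")
            if is_private(ip):
                findings.append(f"{name}: address {ip} is private, not routable on the Internet")
            if inside_internal:
                findings.append(f"{name}: external address {ip} overlaps the Internal network")
            if dns_proxy and not iface.get("dns"):
                findings.append(f"{name}: DNS proxy service needs Internet DNS server addresses here")
        elif role == "perimeter":
            if iface.get("gateway"):
                findings.append(f"{name}: only the external interface should have a default gateway")
            if perimeter_relationship == "route" and is_private(ip):
                findings.append(f"{name}: a route relationship needs an Internet-routable address")
        else:
            findings.append(f"{name}: unknown role {role!r}")
    gateways = [iface["name"] for iface in interfaces if iface.get("gateway")]
    if len(gateways) > 1:
        findings.append("more than one interface has a default gateway: " + ", ".join(gateways))
    return findings


# Constructed configuration with the mistakes the Exam Tip warns about: a default
# gateway on the internal interface and no Internet DNS servers on the external one.
EXAMPLE_INTERFACES = [
    {"name": "Internal", "role": "internal", "ip": "192.168.1.1",
     "gateway": "192.168.1.254", "dns": ["192.168.1.10"]},
    {"name": "External", "role": "external", "ip": "203.0.113.10",
     "gateway": "203.0.113.1", "dns": []},
]
EXAMPLE_INTERNAL_RANGES = ["192.168.1.0/24"]

if __name__ == "__main__":
    for finding in check_interfaces(EXAMPLE_INTERFACES, EXAMPLE_INTERNAL_RANGES):
        print("finding:", finding)
```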
See Also
The differences between a NAT and a route network relationship, and recommendations for using each option, will be discussed in Chapter 7, “Configuring ISA Server
as a Firewall.”
ISA Server Installation Options
When you install ISA Server 2004, you must choose the type of installation to perform
and determine the components to install. When you start the ISA Server installation, you
have a choice of three installation types:
■ Typical Installation This type installs Firewall Services and ISA Server Management.
■ Full Installation This type installs all four ISA Server components: Firewall services, ISA Server Management, Firewall Client Installation Share, and the SMTP
Message Screener.
■ Custom Installation This type enables you to select which components will be
installed.
If you choose to perform a custom installation, you can select which ISA Server components are installed during the installation. Figure 2-3 shows the interface where you
can choose the components. The following components are available:
■ Firewall Services These services control access and traffic between networks and
must be installed on the ISA Server computer.
■ ISA Server Management ISA Server Management is the management console
used to manage the ISA Server configuration.
■ Firewall Client Installation Share This option installs a shared folder named
\\ServerName\mspclnt, from which client computers can install the Firewall Client
software. The client installation files are typically installed on a computer other than
the ISA Server computer, so it is not part of the Typical Installation option. You can
install the Firewall Client share on computers running Windows Server 2003,
Windows 2000 Server, or Microsoft Windows XP.
■ Message Screener This feature performs content filtering on Simple Mail Transfer Protocol (SMTP) traffic arriving on an ISA Server computer. Configure this component to screen e-mail messages for keywords and attachments. You can install
this feature on the computer running ISA Server only if the IIS SMTP service is
installed on the computer.
Figure 2-3 Options for installing the ISA Server components
Configuration Choices During Installation
When you install ISA Server 2004, you must make several decisions regarding the
installation. One of the more important configuration options is to configure the IP
addresses associated with the internal network. In addition, you can choose whether
to allow earlier versions of the Firewall client.
Exam Tip Getting the IP address assignment for the Internal network right is critical to
ensure a functional ISA Server installation. When you get a troubleshooting exam question
that includes information about the IP addresses assigned to the Internal network, check the
IP address configuration carefully.
Choices for Configuring the Internal Network IP Addresses One of the options that
you must configure during the ISA Server installation is the configuration of the internal
network. The internal network can contain the IP addresses associated with all the network interfaces on the ISA Server computer except the network adapter connected to
the Internet. You can also configure the internal network to contain a set of IP addresses
associated with only one network interface, while the IP addresses assigned to other
network interfaces are used to create additional networks. By default, ISA Server Setup
also assigns the private IP address ranges as part of the internal network.
During the ISA Server installation, you must choose which IP addresses are associated
with the internal network, as shown in Figure 2-4.
Figure 2-4 Assigning IP addresses to the internal network
To add the IP addresses associated with the internal network, click Add on the Internal
Network page, producing the interface shown in Figure 2-5.
Figure 2-5 Adding IP addresses to the internal network
In this dialog box, you can either type the IP address ranges that comprise the internal
network, or you can click Select Network Adapter. If you choose Select Network
Adapter, the interface shown in Figure 2-6 appears.
Figure 2-6 Using a network adapter to add IP addresses to the internal network
On the Select Network Adapter page, you can choose which adapter or adapters are
connected to the internal network. When you choose this option, ISA Server Setup
constructs the internal network based on the network adapter, and it uses the Windows
routing table to determine which address ranges are internal. You can also choose to
include the private IP address ranges in the internal network.
Caution
If the routing table is not correct, Setup builds the ISA Server internal network incorrectly.
A client request for an internal IP address may then be routed to the Internet, or redirected
through the Microsoft Firewall service. Before starting the installation of ISA Server, verify the
routing table on the server (for example, with route print) and confirm that every internal
subnet is reachable through the internal adapter.
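The Caution above turns on how Setup derives the internal network from the routing table. The following Python script is an added example, not code from the book or from ISA Server: it approximates that derivation from a constructed route print listing (the 10.10.0.0/24 and 131.107.1.0/24 addresses, the 10.20.0.0/16 static route and the host list are all assumed for the example) and then reports which internal hosts would fall outside the resulting ranges and therefore follow the default route out of the external adapter.

```python
import ipaddress

# Constructed sample of a "route print" table on a two-adapter ISA Server
# computer: (destination, netmask, gateway, interface). Internal adapter
# 10.10.0.1, external adapter 131.107.1.10; the addresses are assumed for
# this example and are not taken from the book.
SAMPLE_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "131.107.1.1",  "131.107.1.10"),  # default route (external)
    ("10.10.0.0",       "255.255.255.0",   "10.10.0.1",    "10.10.0.1"),     # directly attached internal LAN
    ("10.10.0.1",       "255.255.255.255", "127.0.0.1",    "127.0.0.1"),     # host route for own address
    ("10.20.0.0",       "255.255.0.0",     "10.10.0.254",  "10.10.0.1"),     # static route to a second internal subnet
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",    "127.0.0.1"),     # loopback
    ("131.107.1.0",     "255.255.255.0",   "131.107.1.10", "131.107.1.10"),  # external LAN
    ("224.0.0.0",       "240.0.0.0",       "10.10.0.1",    "10.10.0.1"),     # multicast
    ("255.255.255.255", "255.255.255.255", "10.10.0.1",    "10.10.0.1"),     # limited broadcast
]

# RFC 1918 ranges that Setup adds when "Add The Following Private Ranges" is selected.
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_ranges(routes, internal_if, include_private=False):
    """Approximate how Setup builds the internal network from the routing table.

    This is an assumption drawn from the book's description, not ISA's own
    logic: every route whose interface is the internal adapter counts, except
    the default route and multicast, broadcast and other reserved destinations.
    Overlapping and adjacent networks are collapsed into one.
    """
    nets = []
    for dest, mask, _gateway, iface in routes:
        if iface != internal_if:
            continue
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        if net.prefixlen == 0 or net.is_multicast or net.is_reserved:
            continue
        nets.append(net)
    if include_private:
        nets.extend(PRIVATE_RANGES)
    return list(ipaddress.collapse_addresses(nets))


def as_ip_ranges(nets):
    """Express networks as the first-last ranges the Internal Network page shows."""
    return [f"{n.network_address}-{n.broadcast_address}" for n in nets]


def hosts_outside(nets, hosts):
    """Return the hosts that the internal network does not cover.

    A client request for one of these addresses is not treated as internal, so
    it follows the default route out of the external adapter: the failure mode
    the Caution warns about.
    """
    return [h for h in hosts
            if not any(ipaddress.IPv4Address(h) in n for n in nets)]
```

To run it against a real server, copy the Network Destination, Netmask, Gateway and Interface columns of route print into SAMPLE_ROUTES and list the internal hosts that must be reachable; any host the script reports as outside needs a route on the server, or an explicit range on the Internal Network page, before Setup runs.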
Choices for Allowing Earlier Versions of Firewall Client Software Another choice that
you must make during the ISA Server installation is whether to allow earlier versions of
the Firewall Client software. ISA Server supports earlier versions of the software, including
Firewall Client for ISA Server 2000 and the Winsock Proxy client (from Microsoft
Proxy Server 2). However, these clients cannot use encryption when connecting to the
ISA Server computer, so their control-channel traffic (including credentials) crosses the
network in clear text, and you may want to prevent them from connecting to your ISA Server
computer. By default, the ISA Server 2004 installation does not allow non-encrypted Firewall
Client connections. The interface for making this installation decision is shown in Figure 2-7.
To enable older clients to connect to the ISA Server computer, select the option Allow Firewall
Clients Running Earlier Versions Of The Firewall Client Software To Connect.
Figure 2-7 Allowing earlier versions of the Firewall Client software
Note
When you use the ISA Server 2004 version of the Firewall Client software, only network
traffic sent over the control channel is encrypted. When a Firewall client connects to the
Firewall service on ISA Server, information such as authentication credentials, name-resolution
queries, and port negotiations is sent along the control channel. Firewall clients use TCP and
UDP port 1745 to connect to the control channel. After the initial connection, data sent between
the Firewall client and the ISA Server computer is not encrypted, so the encryption protects the
credential exchange, not the application payload.
Additional Services Disabled or Stopped During Installation
As part of the ISA Server 2004 installation process, the following services are disabled:
■
Internet Connection Firewall or Internet Connection Sharing
■
IP Network Address Translation
In addition, the following services are stopped during installation. These services are
restarted after the installation finishes:
■
Simple Network Management Protocol (SNMP) service
■
File Transfer Protocol (FTP) Publishing service
■
Network News Transfer Protocol (NNTP)
■
Internet Information Services (IIS) Admin service
■
World Wide Web Publishing service
Important
In most cases, it is recommended that you not run IIS or any of its services
on the ISA Server computer. This is particularly important if you are deploying ISA Server as
an Internet-edge firewall, where every additional listening service enlarges the attack surface
exposed to the Internet.
How ISA Server Is Installed Using Remote Desktop
You can install ISA Server 2004 on a server running Windows 2000 using Terminal Services, or on a server running Windows Server 2003 using Remote Desktop. The installation process is the same as if you perform the installation from the server console, except
that the System Policy on ISA Server will be configured to allow remote administration
only from the computer that you used to install ISA Server.
Note
The MSDE component is not properly installed when you use Terminal Services in
application server mode to install ISA Server remotely on a server running Windows 2000.
Use Terminal Services in administration mode to install MSDE properly. The MSDE component is properly installed if you install ISA Server 2004 using Remote Desktop on a server
running Windows Server 2003.
How to Verify a Successful ISA Server Installation
After completing the ISA Server installation, you should verify that the installation was
successful and included all expected components. Verification is essential to ensure that
all ISA Server Services and MSDE were installed and started, as well as to ensure that
Firewall Service has been started. There are several steps that you can perform to verify
that the ISA installation completed successfully. These steps include the following:
1. Use the Services console from the Administrative Tools folder to verify that the ISA
Server services are installed and started. Performing a default installation of ISA
Server creates and starts the following services:
❑
Microsoft Firewall
❑
Microsoft ISA Server Control
❑
Microsoft ISA Server Job Scheduler
❑
Microsoft ISA Server Storage
2. Use the Services console from the Administrative Tools folder to verify that the
MSDE services are installed and started. ISA Server installs the MSDE and adds the
following services:
❑
MSSQL$MSFW—This service is started and set for automatic start.
❑
MSSQLServerADHelper—This service is not started and is set for manual start.
3. Installing the MSDE service also creates the initial log files for ISA Server. By default,
these log files are located in C:\Program Files\Microsoft ISA Server\ISALogs. Use
Windows Explorer to ensure that these files exist.
4. The ISA Server installation creates three setup log files. These files are located in
the %Windir%\Temp folder and are named ISAWRAP_###.log, ISAMSDE_###.log, and
ISAFWSV_###.log, where ### is a three-digit number. The ISAWRAP file contains a
summary of the installation, including a statement on whether the installation was
successful. The other two files provide detailed information about the installation
of MSDE and ISA Server. Check the ISAWRAP file to ensure that the last entry in
the file indicates a successful installation.
5. Check the Application Log in the Event Viewer. If the installation was a success, the
Event Log will include events indicating that the ISA Services started successfully.
6. Using the ISA Server Management Console, check for ISA Server Alerts. If the
installation completed successfully, an ISA Server alert is created showing that the
Firewall Service started.
Important
By default, the ISA Server computer will deny all access to Internet resources
after the installation. This means that you cannot use a client to test access through the ISA
Server computer until you have configured a firewall rule enabling access.
How to Perform an Unattended Installation of ISA Server 2004
In some cases, you may want to perform an unattended installation of ISA Server. There
are several scenarios in which you may want to use an unattended, rather than a manual,
installation of ISA Server 2004:
■
To ensure an identical and error-free installation If you deploy multiple ISA
Server computers that all require the same configuration, you can configure the
installation information file once, and you can then use that file repeatedly to
ensure that all servers are installed the same way.
■
To rapidly rebuild a failed server If a server fails, you can use the installation
information file that you used to build the server to rapidly install ISA Server on
another server. You can configure the installation file to use an exported XML file
to configure the ISA Server settings.
To perform the unattended installation, create or modify the Msisaund.ini file and then
configure the ISA Server installation process to use this file when completing the setup.
To Modify the Msisaund.ini file
The Msisaund.ini file contains the configuration information that is used by ISA Server
setup in unattended mode. The entries and values in the Msisaund.ini file are described
in Table 2-2. If a value is not specified in this file, a default value is used.
Table 2-2 Msisaund.ini Parameters

PIDKEY=product_key
Specifies the product key: the 25-character key printed on the back of the
ISA Server CD-ROM case.

INTERNALNETRANGES=count range[, range ...]
Specifies the address ranges in the internal network. Msisaund.ini must
specify at least one range; otherwise, setup fails. The value is the number of
ranges followed by the ranges themselves, each written as first and last
address. For example, for two internal ranges:
INTERNALNETRANGES=2 192.168.1.0-192.168.1.255, 192.168.2.0-192.168.2.255

InstallDir=install_directory
Specifies the installation directory for ISA Server, in the form Drive:\Folder.
If not specified, Setup uses the first disk drive with enough space; the
default folder is %Program Files%\Microsoft ISA Server.

COMPANYNAME=Company_Name
Specifies the name of the company installing the product.

DONOTDELLOGS={0|1}
If set to 1, existing log files on the computer are not deleted. The default
is 0.

DONOTDELCACHE={0|1}
If set to 1, existing cache files on the computer are not deleted. The
default is 0.

ADDLOCAL={MSFirewall_Management|MSFirewall_Services|Message_Screener|Publish_Share_Directory|MSDE}[,...]
Specifies a comma-delimited list of components to install on the computer.
To install all the components, set ADDLOCAL=ALL.

REMOVE={MSFirewall_Management|MSFirewall_Services|Message_Screener|Publish_Share_Directory|MSDE}[,...]
Specifies a comma-delimited list of components to remove from the computer.
To remove all the components, set REMOVE=ALL.

IMPORT_CONFIG_FILE=Importfile.xml
Specifies a configuration file to import. Use this to apply an exported ISA
Server configuration to the server after installation.
A sample Msisaund.ini file is located on the ISA Server 2004 CD-ROM in the FPC folder.
To modify the file, you can open the file using a text editor such as Notepad. In the
sample file, all the configuration lines are prefaced by a semicolon (;). To enable a setting, remove the semicolon and then modify the file to meet your requirements. For
example, to install ISA Server with the Firewall Services, the ISA management tools,
MSDE with a single internal network range, and a company name of Coho Vineyards,
you would modify the following lines.
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,MSDE
INTERNALNETRANGES =1 192.168.1.0-192.168.1.255
COMPANYNAME=Coho Vineyards
To Run an Unattended Setup
After modifying the Msisaund.ini file, use the ISA server setup program with the appropriate parameters to complete the unattended installation. The command-line syntax is
shown here:
PathToISASetup\Setup.exe [/[X|R]] /V" /Q[b|n] FULLPATHANSWERFILE=\"PathToINIFile\MSISAUND.INI\""
The parameters for the unattended setup are described in Table 2-3.
Table 2-3 ISA Server Unattended Setup Parameters

PathToISASetup
The path to the ISA Server 2004 installation files. The path may be the root
folder of the ISA Server CD-ROM or a shared folder on the network that
contains the ISA Server files.

/Q[b|n]
Performs a quiet, unattended setup. If b is specified, the exit dialog box is
displayed when setup completes. If n is specified, no dialog boxes are
displayed.

/R
Performs an unattended reinstallation.

/X
Performs an unattended uninstallation.

/V
Introduces the quoted string of parameters that Setup.exe passes through to
Windows Installer. The /Q switch and the FULLPATHANSWERFILE property belong
inside that string, which is why the quotes around the answer-file path are
escaped as \" in the syntax shown above.

PathToINIFile
The path to the folder containing the unattended installation information
(Msisaund.ini).
For example, to perform an unattended installation of ISA Server 2004 with the source
files on the CD-ROM and the Msisaund.ini file at the root of the C:\ drive, you can use
this command:
D:\FPC\Setup.exe /V" /Qb FULLPATHANSWERFILE=\"C:\MSISAUND.INI\""
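Putting the Msisaund.ini entries from Table 2-2 and the Setup.exe syntax from Table 2-3 together, the following Python script is an added example, not code from the book or from ISA Server. It writes an answer file from a list of internal ranges and components, checks an existing answer file for the mistakes that make Setup fail (no INTERNALNETRANGES, a range count that does not match the ranges listed, unknown component names), and builds the Setup.exe command line with the quoting the syntax requires. The 25-character product-key check and the function names are assumptions for the example; the component names, file entries and switches are those the tables list.

```python
import ipaddress
from pathlib import PureWindowsPath

# Component names accepted by ADDLOCAL and REMOVE (Table 2-2).
COMPONENTS = {"MSFirewall_Management", "MSFirewall_Services", "Message_Screener",
              "Publish_Share_Directory", "MSDE"}


def parse_ranges(ranges):
    """Turn 'first-last' strings into sorted, non-overlapping IPv4 address pairs."""
    pairs = []
    for text in ranges:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
        if last < first:
            raise ValueError(f"range {text!r} ends before it starts")
        pairs.append((first, last))
    if not pairs:
        raise ValueError("at least one internal range is required or Setup fails")
    pairs.sort()
    for (_, prev_last), (cur_first, _) in zip(pairs, pairs[1:]):
        if cur_first <= prev_last:
            raise ValueError(f"internal ranges overlap at {cur_first}")
    return pairs


def build_msisaund(ranges, components, company, pidkey=None, import_config=None,
                   keep_logs=False):
    """Return the text of an Msisaund.ini answer file (CRLF line endings)."""
    pairs = parse_ranges(ranges)
    if components != "ALL":
        unknown = set(components) - COMPONENTS
        if unknown:
            raise ValueError(f"unknown component(s): {sorted(unknown)}")
        components = ",".join(components)
    lines = []
    if pidkey is not None:
        # Assumed format: 25 characters, usually written in hyphenated groups of five.
        if len(pidkey.replace("-", "")) != 25:
            raise ValueError("PIDKEY must be the 25-character product key")
        lines.append(f"PIDKEY={pidkey}")
    lines.append("INTERNALNETRANGES=%d %s"
                 % (len(pairs), ", ".join(f"{a}-{b}" for a, b in pairs)))
    lines.append(f"ADDLOCAL={components}")
    lines.append(f"COMPANYNAME={company}")
    if import_config:
        lines.append(f"IMPORT_CONFIG_FILE={import_config}")
    lines.append(f"DONOTDELLOGS={int(keep_logs)}")
    return "\r\n".join(lines) + "\r\n"


def check_msisaund(text):
    """Return the problems found in an Msisaund.ini; an empty list means it looks sane.

    Lines beginning with ';' are comments, as in the sample file in the FPC folder.
    """
    problems, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.upper()] = value
    ranges = settings.get("INTERNALNETRANGES")
    if not ranges:
        problems.append("INTERNALNETRANGES is missing; Setup will fail")
    else:
        count, _, rest = ranges.partition(" ")
        listed = [r for r in rest.split(",") if r.strip()]
        try:
            parse_ranges(listed)
        except ValueError as exc:
            problems.append(f"INTERNALNETRANGES: {exc}")
        if not count.isdigit() or int(count) != len(listed):
            problems.append(
                f"INTERNALNETRANGES count {count!r} does not match {len(listed)} range(s)")
    for key in ("ADDLOCAL", "REMOVE"):
        value = settings.get(key)
        if value and value != "ALL":
            bad = {v.strip() for v in value.split(",")} - COMPONENTS
            if bad:
                problems.append(f"{key}: unknown component(s) {sorted(bad)}")
    return problems


def setup_command(setup_path, ini_path, mode=None, quiet="b"):
    """Build the Setup.exe command line described in Table 2-3.

    mode: None to install, "R" to reinstall, "X" to uninstall.
    quiet: "b" shows the exit dialog box, "n" shows nothing.
    Everything after /V is one quoted string handed to Windows Installer, so
    the quotes around the answer-file path inside it are escaped as \\".
    """
    if mode not in (None, "R", "X"):
        raise ValueError("mode must be None, 'R' or 'X'")
    if quiet not in ("b", "n"):
        raise ValueError("quiet must be 'b' or 'n'")
    parts = [str(PureWindowsPath(setup_path))]
    if mode:
        parts.append(f"/{mode}")
    parts.append(f'/V" /Q{quiet} FULLPATHANSWERFILE=\\"{ini_path}\\""')
    return " ".join(parts)
```

Generate the file on a management workstation, copy it next to the installation source, and run the command that setup_command returns from an elevated command prompt on the target server. Because the answer file carries the product key and the internal address ranges, do not leave it on a shared installation point longer than the rollout needs.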
Guidelines for Troubleshooting an ISA Server Installation
In most cases, the ISA Server installation will complete without error. However, occasionally the installation may fail, or the services may not start after the installation is complete.
Use the following guidelines to troubleshoot the ISA Server installation:
■
When you start the installation, you may receive a message that says, “The system
administrator has set policies to prevent this installation.” This message appears
when you do not have sufficient permissions to install ISA Server. To install ISA
Server, you must be a member of the local Administrators group.
■
If the installation fails, check the error message. Usually, the error message contains information explaining why the ISA Server installation failed, and it also provides information about how to correct the problem.
■
If the installation fails, check the Application Log. The installation process writes
events to the Application Log that may provide useful information for troubleshooting the error.
■
If the installation fails, check the installation log files. When you install ISA Server
2004, the Setup program automatically generates log files that contain detailed
installation information. The ISA Server 2004 Setup log files are based on Windows
Installer logging: Windows Installer logs errors and other events that occur when the
ISA Server 2004 Setup program runs. Review these log files to see when the ISA Server
installation failed; they frequently also contain details on why it failed. When
you install ISA Server 2004, the following three log files are created:
❑
%Windir%\Temp\ISAWRAP_###.log (where ### is a three-digit number)
The setup wrapper log file records general information about the success or
failure of the Firewall and MSDE installation.
❑
%Windir%\Temp\ISAFWSV_###.log
The Firewall service setup log file records events and errors related to the
configuration of the ISA Server 2004 Firewall service.
❑
%Windir%\Temp\ISAMSDE_###.log
The ISA Server 2004 database setup log file records events and errors related to MSDE.
Exam Tip When you see a troubleshooting question on the exam, always read the question
carefully and look for evidence within the question that will point you to the right answer. When
you are troubleshooting a problem in the real world, always collect as much information as possible to determine the cause of the problem. Use the same approach when you take the exam.
Practice: Installing ISA Server 2004
In this practice, you will install ISA Server 2004 on the ISA1 computer. You will then verify that ISA Server installed correctly on the server.
Important
You must complete this practice to complete other practices in this book.
Exercise 1: Installing ISA Server
1. Log on to the ISA1 server using an Administrator account.
2. Insert the ISA Server CD-ROM into the server’s CD-ROM drive. If Autorun is
enabled, the Microsoft ISA Server 2004 Setup page will open automatically. If it
does not open, open Windows Explorer, browse to the CD-ROM drive, and double-click Isaautorun.exe.
3. On the Microsoft ISA Server 2004 Setup page, click Install ISA Server 2004.
4. On the Welcome To The Installation Wizard For Microsoft ISA Server 2004 Setup
page, click Next.
5. On the License Agreement page, review the terms and conditions stated in the
End-User License Agreement (EULA). Then select the I Accept The Terms In The
License Agreement check box, and click Next.
6. On the Customer Information page, enter the User Name, Organization, and Product Serial Number information, and then click Next.
7. On the Setup Type page, choose the type of installation you want to perform. For
this practice, click Custom. Click Next.
8. On the Custom Setup page, click Firewall Client Installation Share, click the menu
for Firewall Client Installation Share, and then select the This Feature Will Be
Installed On Local Hard Drive option. Click Next.
9. On the Internal Network page, click Add.
10. Click Select Network Adapter.
11. Click the check box for the network card that is attached to your internal network,
clear the Add The Following Private Ranges: check box, and then click OK.
12. Review the Setup Message and then click OK.
13. Review the internal network address ranges. If you are using the network
addresses suggested in “About This Book,” the internal network address range
should include 10.10.0.0 – 10.10.0.255 and 10.255.255.255. Click OK.
14. On the Internal Network page, click Next.
15. On the Firewall Client Connections Settings page, click Next.
16. On the Services page, click Next. The Services page states that during the installation the SNMP Service and IIS Admin Service will be stopped, and that the Internet
Connection Firewall (ICF)/Internet Connection Sharing (ICS) and the IP Network
Address Translation services will be disabled.
17. On the Ready To Install The Program page, click Install.
18. On the Installation Wizard Completed page, click Finish.
19. Click Yes to restart the computer.
Exercise 2: Verifying the ISA Server 2004 Installation
1. After the server restarts, log on using the Administrator account.
2. In the Internet Explorer dialog box, select the In The Future, Do Not Show This
Message check box and then click OK. Close Internet Explorer.
3. Open the Services management console from the Administrative Tools folder.
Ensure that the following services are installed and running:
❑
Microsoft Firewall
❑
Microsoft ISA Server Control
❑
Microsoft ISA Server Job Scheduler
❑
Microsoft ISA Server Storage
❑
MSSQL$MSFW
4. Ensure that the MSSQLServerADHelper is installed and configured for manual startup, but not running. Close the Services management console.
5. On the desktop, ensure that the MSDE icon is displayed in the System Tray. To
remove the MSDE icon from the System Tray, right-click the icon and click Exit.
6. Open Windows Explorer and browse to the C:\Program Files\Microsoft ISA
Server\ISALogs folder. Ensure that several .mdf and .ldf files are in this folder.
7. Browse to the C:\Windows\Temp folder. Open the ISAWRAP_###.log file (where
### is a three-digit number). Review the log file, ensuring that the log indicates
that the firewall installation ended successfully. Close all open windows.
8. Open the Event Viewer from the Administrative Tools folder. Open the Application log and review the events listed. You may see two error messages from the
Firewall Service indicating network routing errors. These error messages can be
safely ignored. Close the Event Viewer.
9. Open ISA Server Management from the All Programs\Microsoft ISA Server folder.
Expand ISA1. Click Monitoring and then click Alerts. Review the alerts that were
created during the installation. If a configuration error alert is listed that indicates
the same network routing error as was displayed in the Application log, it can be
safely ignored. Close all open windows.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review the
material in this lesson before beginning the next lesson. You can find answers to these
questions in the “Questions and Answers” section at the end of this chapter.
1. What file can provide information to an unattended install of ISA Server 2004?
a. Winnt.sif
b. Unattend.txt
c. ISAMSDE###
d. Msisaund.ini
2. You have just finished an installation of ISA Server 2004. The server’s external network card is connected to the Internet and the internal network card is connected
to the internal network. You install the Firewall Client software on a client computer and configure it to use the ISA Server computer. You try to connect to the
Internet from the client that is running the Firewall Client software. You cannot
connect to the Internet but receive an error message from the ISA Server computer. Why are you getting the error message?
Lesson Summary
■
There are three ISA Server 2004 installation types:
❑
A typical installation installs Firewall Services as well as ISA Server Management.
❑
A full installation installs all four components of ISA Server including the Firewall Client file share and the SMTP Message Screener.
❑
A custom installation allows you to select which components will be installed.
■
There are several configuration choices that must be made when installing ISA
Server 2004. You must configure the IP addresses associated with the internal network. Another choice that must be made during installation is whether to allow
earlier versions of Firewall Client software.
■
To verify that ISA Server 2004 has been installed, there are several checks that
must be done. Verify that the ISA Server services are installed and started, that
the MSDE services are installed and started, and that no error messages are listed in the
Application log or in the ISA Server Alerts view.
■
To perform an unattended installation of ISA Server 2004, create or modify the
Msisaund.ini file and then configure ISA Server Installation process to use this file
in the setup.
■
To troubleshoot the ISA Server installation, ensure that you are logged on as a
local administrator, and then use the Application Log error messages and the ISA
Server setup logs to determine the cause of the installation failure.
Lesson 3: Overview of the ISA Server 2000 Migration
Process
ISA Server 2004, Standard Edition, supports an upgrade path for ISA Server 2000, Standard Edition. Most ISA Server 2000 rules, network settings, monitoring configurations,
and cache configurations will be upgraded to ISA Server 2004.
There are three options for upgrading from ISA Server 2000 to ISA Server 2004:
■
Perform an in-place upgrade
■
Migrate an ISA Server 2000 configuration to ISA Server 2004
■
Migrate a Routing and Remote Access (RRAS) configuration to ISA Server 2004
See Also
Upgrading ISA Server 2000, Enterprise Edition, to ISA Server 2004, Enterprise
Edition, is not supported. More details about how to migrate an ISA Server 2000, Enterprise
Edition, infrastructure to ISA Server 2004 are provided in Chapter 12, “Implementing ISA
Server 2004, Enterprise Edition.”
After this lesson, you will be able to
■ Explain the ISA Server 2000 in-place upgrade process
■ Explain how ISA Server 2000 configuration migration works
■ Describe the ways to migrate Routing and Remote Access to ISA Server 2004
Estimated lesson time: 15 minutes
How the ISA Server 2000 In-Place Upgrade Process Works
To perform an in-place upgrade, you install ISA Server 2004 on the computer that is
already running ISA Server 2000. Before doing this, ensure that ISA Server 2000 Service
Pack 1 (SP1) is installed on the computer. When you perform an in-place upgrade, ISA
Server 2000 is removed and ISA Server 2004 is installed with the migrated configuration.
When you perform an in-place upgrade, you do not have to run any migration tool to
migrate the ISA Server configuration.
When you perform an in-place upgrade, the following ISA Server 2000 objects and
configuration settings are not migrated to ISA Server 2004:
■
Bandwidth rules are no longer supported in ISA Server 2004, so the rules are not
migrated.
■
Permission settings, such as system access control lists (SACLs), are not upgraded.
■
Logging and reporting configuration and information are not migrated.
In addition, the following settings are modified when you upgrade from ISA Server
2000 to ISA Server 2004:
■
IP packet filters are replaced by access rules or system policy rules that provide
the same filtering functionality.
■
Protocol rules are replaced by access rules that provide the same functionality.
■
Site and content rules are replaced by access rules and access rule elements such
as computer sets.
■
Server and Web publishing rules are migrated, with modifications where ISA Server 2004
rule elements differ from the corresponding ISA Server 2000 components.
See Also
For detailed information about how configuration options and settings are
migrated from ISA Server 2000 to ISA Server 2004, see “Upgrading from Microsoft Internet
Security and Acceleration (ISA) Server 2000 Standard Edition.” This document is included on
the ISA Server 2004 CD-ROM and can be accessed by selecting Read Migration Guide from
the Autorun startup screen.
How an ISA Server 2000 Configuration Migration Works
When you perform an ISA Server configuration migration, you install ISA Server 2004 and
then migrate the ISA Server 2000 configuration to the new ISA Server computer. To
migrate the ISA Server 2000 configuration to ISA Server 2004, complete the following
high-level steps:
1. Run the ISA Server Migration Wizard on the ISA Server 2000 computer. The wizard
creates an .xml file with the configuration information.
2. If you are moving ISA Server to another server, install ISA Server 2004 on the new
server. If you are installing ISA Server 2004 on the same server, completely uninstall ISA Server 2000 and then install ISA Server 2004.
3. Import the .xml file to the ISA Server 2004 computer. Before you import the .xml
file, perform a full backup of the current settings on the ISA Server 2004 computer.
Tip
The actual IP address of the external network adapter on the original ISA Server 2000
computer is saved in the .xml file with the configuration information. If ISA Server 2004 is
installed on a different computer, you must correct the IP address after you import the .xml file.
When you perform a configuration migration, the ISA Server 2000 configuration is
migrated with the same limitations as when you perform an in-place upgrade.
Ways to Migrate Routing and Remote Access VPN to ISA Server 2004
If you have a Windows Server computer providing VPN access through RRAS, you can
upgrade some of the VPN settings to ISA Server 2004. If you install ISA Server 2004 on a
server running RRAS, the VPN configuration is migrated into ISA Server automatically.
The server does not need to be running ISA Server 2000. You can also use the ISA Server
Migration Wizard to migrate the RRAS settings to a new installation of ISA Server 2004.
When you upgrade RRAS to ISA Server 2004, the following limitations apply:
■
The maximum number of remote VPN clients allowed to connect to ISA Server
2004 is set to whichever is larger on RRAS: the number of Point-to-Point Tunneling
Protocol (PPTP) ports or the number of L2TP ports.
■
If the number of IP addresses statically assigned is smaller than the number of VPN
clients, the number of VPN clients is reduced to fit the size of the static address pool.
■
Pre-shared keys configured for RRAS and for site-to-site connections are not
exported.
■
If an invalid IP address is configured for the DNS or WINS servers, the addresses
are not exported. The DHCP settings are used instead, and a warning message is
issued.
■
If a site-to-site connection on RRAS is configured as PPTP first (and then L2TP), it
is upgraded to a remote site network on ISA Server 2004 that uses PPTP only. If a
site-to-site connection on RRAS is configured as L2TP first (and then PPTP), it is
upgraded to a remote site network on ISA Server 2004 that uses L2TP only.
■
Credentials configured for site-to-site connections in Routing and Remote Access
are not exported. On ISA Server 2004, outgoing VPN connections are disabled
until you reconfigure them.
Warning
Application filters and Web filters supplied by third-party vendors for ISA Server
2000 are not compatible with ISA Server 2004. Some third-party vendors have created new
versions for ISA Server 2004. To upgrade to the new versions, uninstall the application filters
and Web filters from the ISA Server 2000 computer. Then perform the upgrade to ISA Server
2004 and install the new version of the application filter or Web filter.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review the
material in this lesson before beginning the next lesson. You can find answers to these
questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization is currently running ISA Server 2000, installed on servers running Windows 2000. You plan to install ISA Server 2004 to replace your current
ISA Server. However, to minimize the disruption caused by the migration, you
need to migrate the current ISA Server 2000 configuration to the new ISA Server
2004. You also decide that you want to install ISA Server 2004 on a computer
running Windows Server 2003. The standard operating procedure for your organization states that server operating systems should not be upgraded unless there
is no other way to perform an application migration to a new operating system.
How can you complete your migration? (Choose two correct answers, both of
which are required to complete the migration.)
a. Upgrade the operating system on the computers running Windows 2000 servers to Windows Server 2003.
b. Install ISA Server 2004 on computers running Windows Server 2003.
c. Perform an in-place upgrade of ISA Server 2000 to ISA Server 2004.
d. Export the configuration from ISA Server 2000. Import the configuration on
ISA Server 2004.
2. You have migrated from ISA Server 2000 to ISA Server 2004 successfully. You run
a streaming video application which uses a vendor-specific application filter. The
application appears to have stopped functioning. What is the problem?
Lesson Summary
■ There are three options for upgrading to ISA Server 2004: an in-place upgrade, a migration of the ISA Server 2000 configuration to ISA Server 2004, and a migration of the RRAS VPN configuration to ISA Server 2004.
■ When you perform an in-place upgrade, you install ISA Server 2004 on the same computer that is running ISA Server 2000. Most of the configuration settings are migrated to ISA Server 2004.
■ When you migrate the ISA Server 2000 configuration to ISA Server 2004, you either install ISA Server 2004 on a different computer, or completely remove ISA Server 2000 before installing ISA Server 2004. In either case, you must use the Migration Tool to export the ISA Server 2000 configuration, and then transfer the configuration information to ISA Server 2004.
■ To migrate the RRAS VPN configuration to ISA Server 2004, you can either install ISA Server on the computer running RRAS to perform an in-place upgrade, or you can use the Migration Tool to copy the RRAS VPN information to ISA Server 2004.
Case Scenario Exercises
In these exercises, you will read two scenarios about installing and configuring ISA
Server 2004, and then answer the questions that follow. If you have difficulty completing
this work, review the material in this chapter before beginning the next chapter. You can
find answers to these questions in the “Questions and Answers” section at the end of this
chapter.
Scenario 1
Your organization’s security department has just completed a security audit. During the
audit, several violations were discovered where users were using unapproved applications to access Internet resources and were also downloading inappropriate material
from the Internet. In some cases, users were downloading files that contained viruses or
Trojan horse applications. In addition, the security audit found that the publicly accessible Web servers are located on the internal network.
You have been asked to incorporate the following changes using ISA Server 2004:
■ Users must have restricted access to the Internet. Users must be authenticated before they get access to the Internet and must be prevented from accessing inappropriate Internet resources.
■ Users must not be able to use unapproved applications to access the Internet. For example, peer-to-peer file sharing applications and MSN Messenger should be blocked from accessing the Internet.
■ All publicly accessible Web servers must be removed from the internal network, but must still be protected from Internet access by a firewall. Your corporate public Web site must be accessible to all users on the Internet.
■ The DNS administrator for your organization also requests that the internal DNS server should not be used to resolve Internet names.
Scenario 1 Question
1. What configuration would you recommend?
Scenario 2
You are currently using ISA Server 2000 and have made the decision to move up to
ISA Server 2004. You currently run ISA Server 2000 on a 450 MHz processor with 512
MB RAM. You support Internet access using Web Proxy clients and you publish a
secure Web site. In addition, you support site-to-site VPN connections from a branch
office to the head office through RRAS. You want to migrate to ISA Server 2004.
Scenario 2 Question
1. What steps should you take to perform the upgrade?
Chapter Summary
■ To ensure the success of your ISA Server installation, you must ensure that:
❑ Your network infrastructure will support ISA Server implementation. DNS, domain controllers, and DHCP are essential.
❑ You have the correct operating system and hardware configurations. ISA Server, Standard Edition, can be installed on Windows 2000 Server or Windows Server 2003. ISA Server, Enterprise Edition, must be installed on Windows Server 2003.
❑ Your ISA Server provides sufficient performance. A single server running ISA Server 2004 will provide enough throughput for most small to medium-sized organizations.
■ There are three ISA Server 2004 installation types. A typical installation installs ISA Server Services as well as ISA Server Management. The full installation installs all four components of ISA Server, including the Firewall Client file share and the SMTP Message Screener. A custom installation allows you to select which components will be installed. When you install ISA Server, ensure that you configure the IP addresses for the internal network correctly.
■ When you perform an in-place upgrade, you install ISA Server 2004 on the same computer that is running ISA Server 2000. When you migrate the ISA Server 2000 configuration to ISA Server 2004, you install ISA Server 2004, use the Migration Tool to export the ISA Server 2000 configuration, and then transfer the configuration information to ISA Server 2004. In either scenario, most configuration settings are migrated to ISA Server 2004.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.
Key Points
■ Planning your ISA Server installation is always driven by requirements. When you see an exam question that asks you to configure ISA Server, make sure that you have a clear understanding of the requirements.
■ One of the key requirements that you may see when planning an ISA Server installation is for redundancy and availability. The only way to meet these requirements with ISA Server 2004 is to deploy multiple servers. Ideally, you should use ISA Server 2004, Enterprise Edition, to simplify the management of multiple servers.
■ DNS name resolution is critical for both internal users accessing Internet resources and for Internet users accessing published resources. To enable Internet name resolution, you can use an internal DNS server that can resolve Internet addresses, or use the DNS proxy functionality of ISA Server.
■ ISA Server 2004, Standard Edition, can be installed on Windows 2000 Server and Windows Server 2003. ISA Server 2004, Enterprise Edition, can be installed on Windows Server 2003 only. ISA Server 2004 has fairly minimal hardware requirements.
■ When migrating from ISA Server 2000 to ISA Server 2004, or from a Windows 2000 RRAS VPN server implementation to ISA Server 2004, you can perform an in-place upgrade or use the ISA Server Migration Wizard to migrate the server configuration.
Key Terms
DNS forwarder A Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network.
ISA Server clients Client computers that access network resources by passing the
request through an ISA Server computer. ISA Server 2004 supports three types of clients: SecureNAT, Web Proxy, and Firewall clients.
unattended installation An automated installation method in which a setup information file provides the information required by the installation program to complete the product installation.
Questions and Answers
Page 2-18
Lesson 1 Review
1. You want to implement SecureNAT clients for Internet access for all employees
and provide for Internet and internal name resolution. You want to minimize the
number of DNS servers that are accessed from the internal network. What steps
must you take? (Choose all that apply.)
a. Configure the clients’ TCP/IP settings to point to the internal DNS server.
b. Configure delegation on the internal DNS server.
c. Configure the internal DNS server to forward irresolvable queries to an external DNS server.
d. Configure the clients’ default gateway to point to the internal interface on ISA
Server.
e. Configure root hints on the internal DNS server.
f. Configure the clients’ default gateway to point to the external interface on ISA
Server.
A, C, and D are correct. B is incorrect because delegation is used to delegate authority for portions of the DNS namespace. E is incorrect because this would mean that the internal DNS
servers would need to be able to send queries to any DNS server on the Internet. F is incorrect
because internal clients can only point to a default gateway that is on their subnet; the external
card is not.
2. Your organization’s IT security policy states that the internal DNS server supports
only Active Directory and should never perform iterative queries to the Internet.
Your clients run the Web Proxy client for Internet access. What steps must you
take to ensure that your clients can access Internet resources without violating the
IT security policy? (Choose all that apply.)
a. Configure the clients’ Web browsers to use the ISA Server computer as a
proxy server.
b. Configure the external interface on ISA Server with the IP address of an external DNS server.
c. Configure the client computers’ default gateways to use the internal interface
on ISA Server.
d. Configure the internal interface on ISA Server to use an external DNS server.
e. Configure the internal DNS server to forward irresolvable queries to the ISA
Server computer.
A and B are correct. C would be correct only for SecureNAT clients; D is incorrect because the internal card should point to an internal DNS server; and E is incorrect because you cannot forward queries to an ISA Server computer.
Page 2-34
Lesson 2 Review
1. What file can provide information to an unattended install of ISA Server 2004?
a. Winnt.sif
b. Unattend.txt
c. ISAMSDE###
d. Msisaund.ini
D is correct. Winnt.sif and Unattend.txt are answer files, but not for ISA Server 2004.
ISAMSDE### provides information about the install of MSDE.
2. You have just finished an installation of ISA Server 2004. The server’s external network card is connected to the Internet and the internal network card is connected
to the internal network. You install the Firewall Client software on a client computer and configure it to use the ISA Server computer. You try to connect to the
Internet from the client that is running the Firewall Client software. You cannot
connect to the Internet but receive an error message from the ISA Server computer. Why are you getting the error message?
The default installation of ISA Server does not allow any network traffic to flow through the
server. The only firewall rule that is created on the server is the default rule that denies all network traffic for everyone. You would need to configure a firewall rule to enable access to the
Internet.
Page 2-38
Lesson 3 Review
1. Your organization is currently running ISA Server 2000, installed on servers running Windows 2000. You plan to install ISA Server 2004 to replace your current
ISA Server. However, to minimize the disruption caused by the migration, you
need to migrate the current ISA Server 2000 configuration to the new ISA Server
2004. You also decide that you want to install ISA Server 2004 on a computer running Windows Server 2003. The standard operating procedure for your organization states that server operating systems should not be upgraded unless there is no
other way to perform an application migration to a new operating system. How
can you complete your migration? (Choose two correct answers, both of which are
required to complete the migration.)
a. Upgrade the operating system on the computers running Windows 2000 Server to Windows Server 2003.
b. Install ISA Server 2004 on computers running Windows Server 2003.
c. Perform an in-place upgrade of ISA Server 2000 to ISA Server 2004.
d. Export the configuration from ISA Server 2000. Import the configuration on
ISA Server 2004.
B and D are correct. Although A and C would also result in ISA Server 2004 running on Windows Server 2003, upgrading the operating system would violate the organization’s operating procedure, which says that server operating systems should be upgraded only as a last resort. Doing B and D will meet the request to have ISA Server 2004 running on Windows Server 2003 with the same configuration as the ISA Server 2000 computer had.
2. You have migrated from ISA Server 2000 to ISA Server 2004 successfully. You run
a streaming video application which uses a vendor-specific application filter. The
application appears to have stopped functioning. What is the problem?
Third-party application filters were not migrated to the ISA Server 2004 installation. You will
have to get an updated version of the filter from the vendor.
Case Scenario Exercises
Page 2-40
Scenario 1 Question
1. What configuration would you recommend?
Use ISA Server 2004 to create a perimeter network. You can configure a back-to-back configuration with two computers running ISA Server 2004 to establish the perimeter network, or you
can create a third network on the ISA Server computer as the perimeter network. Place the Web
server in the perimeter network and configure Web publishing rules on the ISA Server computer
for the corporate Web site.
Then configure the Web Proxy client on all client computer Web browsers. Enable the Web Proxy
service on ISA Server and configure ISA Server to require all users to authenticate. Configure the
external card on the ISA Server computer with the IP address of an external DNS server. Configure
application layer filters on the ISA Server computer to allow only authorized HTTP traffic.
Page 2-41
Scenario 2 Question
1. What steps should you take to perform the upgrade?
You must upgrade the hardware to meet the requirements of ISA Server 2004. Because you
must use new hardware, run the ISA Server Migration Wizard on the ISA Server 2000 server
and import the .xml file to the new installation of ISA Server 2004. You will use the same wizard
to migrate the RRAS settings. After you complete the migration, you must still configure any preshared keys and configure credentials for site-to-site VPN access.
3 Securing and Maintaining
ISA Server 2004
Exam Objectives in this Chapter:
■ Assess and configure the operating system, hardware, and network services
❑ Prepare network interfaces
❑ Enable required network and server services
❑ Configure operating system settings for installing ISA Server 2004
■ Deploy ISA Server 2004
❑ Plan for disaster recovery
■ Configure the system policy
❑ Enable infrastructure communications
❑ Lock down the system policy
❑ Modify rules
❑ Limit network access to the firewall
❑ Limit access to logs and reports
■ Back up and restore ISA Server 2004
❑ Back up and restore an ISA Server 2004 configuration
❑ Perform disaster recovery
❑ Transfer ISA Server 2004 configuration settings between ISA Server computers
■ Define administrative roles
❑ Assign and delegate administrative roles
❑ Remove delegation rights
❑ Manage access to firewall configuration
Why This Chapter Matters
Microsoft Internet Security and Acceleration (ISA) Server 2004 is a core component in your organization’s overall security strategy. When you deploy ISA Server
as an Internet-edge firewall, your ISA Server computer is accessible to everyone
on the Internet. Even if your ISA Server computer is not an Internet-edge firewall,
it is likely to be accessible from the Internet. Because ISA Server is the gateway to
the Internet, a security compromise on the ISA Server computer can have significant repercussions for your entire network.
Securing and maintaining ISA Server is therefore a critical topic for you as you
deploy your ISA Server infrastructure. You need to ensure that the ISA Server
computer is secure. This starts with the physical security of the computer running
ISA Server and includes network layer security and operating system security.
Once the computer on which ISA Server is running is secured, you must address
securing the ISA Server configuration.
Lessons in this Chapter:
■ Lesson 1: Securing ISA Server 2004 . . . . . 3-3
■ Lesson 2: Maintaining ISA Server 2004 . . . . . 3-28
Before You Begin
This chapter presents the skills and concepts related to securing and maintaining
ISA Server. If you plan to complete the practices and lab in this chapter, prepare the
following:
■ A Microsoft Windows Server 2003 (either Standard Edition or Enterprise Edition) computer installed as DC1 and configured as a domain controller in the cohovineyard.com domain.
■ Download the Windows Server 2003 Security Guide from http://go.microsoft.com/fwlink/?linkid=14846. Create a folder named Security Templates at the root of the C drive on DC1. Copy the Security Guide templates to the Security Templates folder.
■ A second Windows Server 2003 computer installed as ISA1 and configured as a domain member in the cohovineyard.com domain. This server should have two network interfaces installed. You must have completed the exercises from Chapter 2, “Installing ISA Server 2004,” on this server.
■ To complete the troubleshooting lab, you will also need a Microsoft Windows XP computer installed as CLIENT1. This computer should be a member of the cohovineyard.com domain.
Lesson 1: Securing ISA Server 2004
Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the
operating system running on the computer, and the ISA Server configuration. After
installation, ISA Server starts with a default configuration that blocks all traffic between
networks connected to ISA Server but enables some traffic between the ISA Server
computer and other networks. As an ISA Server administrator, you will need to modify
the default configuration. The third step in ensuring ISA Server security is to manage
the administrative permissions users have on ISA Server.
Real World
Defense in Depth
Deploying ISA Server 2004 is a critical component of an organization’s overall
security design. However, merely deploying ISA Server 2004 at the perimeter of
the network does not guarantee security throughout the network. For example,
you may use ISA Server at the network perimeter to block all attacks from the
Internet. However, the ISA Server computer is not effective if a user brings an
infected laptop computer to work and connects it to the network. To provide
security throughout the network, you must implement a defense-in-depth security
strategy.
A defense-in-depth security strategy means that you use multiple levels of
defense to secure your network. If one level is compromised, it does not necessarily mean that your entire organization is compromised. As a general guideline,
you design and build each level of your security on the assumption that every
other layer of security has been breached, and that the level you’re working on is
the final roadblock to an attacker’s gaining access to resources on your network.
If you assume that, you will ensure that each layer is as secure as possible.
When you use a defense-in-depth strategy, you increase an attacker’s risk of
detection and reduce an attacker’s chance of success. Because you monitor for
illegitimate activity at many levels, you are more likely to detect an attacker’s
actions. In addition, because you monitor at many levels, you can correlate
related events from various monitoring sources to identify the attack and determine which levels have been compromised. The defense-in-depth strategy also
reduces the attacker’s chance of success. The attacker may use a particular strategy to defeat one level of defense, but must then use a completely different strategy to compromise the next level. The defense-in-depth layers are illustrated on
the next page.
[Figure: the defense-in-depth layers, from the outermost inward: Policies, Procedures, and Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data]
Each level in the defense-in-depth strategy forms part of the overall strategy, as follows:
■ Policies, procedures, and awareness—Many network attacks succeed because an organization’s employees deliberately or inadvertently create a breach. One of the first components in creating the security strategy is to develop organizational policies and procedures dealing with security and then to train users about them.
■ Physical security—Ensure that only authorized personnel can gain physical access to the resources. At a minimum, all critical network resources should be located in a secured facility.
■ Perimeter—Almost all companies provide some form of access to the Internet, so it is critical that the connecting point between the Internet and the internal network is as secure as possible. Options for providing this security include firewalls or multiple firewalls, secure virtual private network (VPN) access that uses quarantine procedures, and secure server publishing to provide required access to internal resources. ISA Server can have a primary role in providing perimeter security.
■ Internal networks—Even if the perimeter is secure, you must still ensure that the internal networks are secure for cases in which the perimeter is compromised or when the attacker is within the organization. Options include network segmentation to isolate networks that carry highly confidential network traffic, using Internet Protocol Security (IPSec) to encrypt network traffic, and a network intrusion-detection system (NIDS) at each network access point.
■ Operating systems—Many security attacks take advantage of security vulnerabilities that are available within operating systems. These attacks can be prevented by hardening server and client operating systems, ensuring that all security updates are efficiently deployed, requiring strong authentication methods, and using a host-based intrusion-detection system (HIDS).
■ Applications—Security attacks also take advantage of vulnerabilities in application security. These attacks can be mitigated by ensuring that applications are designed with security in mind, hardening the applications so that the applications are secure and run with the least possible permissions, and ensuring that appropriate antivirus software is deployed on each application server. Using a firewall, such as ISA Server 2004 with application filtering functionality, can further help secure applications.
■ Data—The final level in the defense-in-depth strategy is protecting the data that is located on network resources. This data can be protected by using access control lists (ACLs), and using a data encryption mechanism such as Encrypting File System (EFS) to ensure that only authorized users can gain access to the data.
ISA Server 2004 is a critical component in the overall defense-in-depth security strategy. When designing your ISA Server implementation, consider how ISA Server will fit
into your defense-in-depth strategy. However, don’t make the mistake of thinking that
once you have deployed ISA Server, your network is secure.
After this lesson, you will be able to
■ Harden the operating system components on the server running ISA Server
■ Modify the ISA Server default configuration to enhance security
■ Configure ISA Server administrative roles for delegated permissions
Estimated lesson time: 60 minutes
How to Harden the Server
ISA Server runs on computers running Microsoft Windows 2000 Server or Windows
Server 2003, so the first step of securing ISA Server is to ensure that the computer and
operating system are as secure as possible. Securing the computer includes the following components:
■ Securing the network interfaces
■ Ensuring that only required system services are enabled
■ Ensuring that security updates are applied
Security Alert
One of the critical components in securing ISA Server is to ensure that the
ISA Server computer is stored in a physically secure location. If an attacker can gain physical
access to a server, the attacker can circumvent the operating system security fairly easily. To
maintain a secure environment, restrict physical access to the ISA Server computer.
How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server.
By default, network interfaces in both Windows 2000 Server and Windows Server 2003
are configured to facilitate connecting other computers on the network to the server.
On an ISA Server computer, ensure that clients can connect to the network interfaces
only to access specific resources. Although both the interface connected to the Internet
and the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.
Securing the External Network Interface The external interface of your ISA Server
computer is likely to be directly attached to the Internet, where it may be exposed to
an attack from anywhere on the Internet. To secure the external interface on the ISA
Server computer, complete the following actions:
■ Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
■ Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client, needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
■ Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
■ Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.
Securing the Internal Network Interface In addition to securing the external interface, you should secure the internal interface on the computer running ISA Server.
However, in many cases, you may require more functionality on the internal interface,
so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to access the Firewall Client software from the share on the ISA Server computer. If the client installation files are stored on another computer, you can disable File and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if you want to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or NetBIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name registration enabled on the internal network interface so that the ISA Server computer’s IP address is registered in DNS. If the DNS zone does not accept dynamic updates, disable this option and manually configure the host record in DNS.
Note If you have additional interfaces on the computer running ISA Server, disable as many
services as possible on these interfaces. If the network interface is connected to a perimeter
network, configure it as you would the Internet interface.
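The following script is an added example and is not part of the book or of ISA Server 2004. It audits the TCP/IP settings discussed above (NetBIOS over TCP/IP, dynamic DNS registration, and LMHOSTS lookup) on the interface that carries a given IP address and can apply the external-interface settings, using the Win32_NetworkAdapterConfiguration WMI class. It assumes PowerShell 2.0 or later is installed on the ISA Server computer, that it runs locally as an administrator, and that the external interface is identified by its IP address; the address 203.0.113.10 in the usage lines is a placeholder.

```powershell
# Added example, not from the book. Audit and apply the external-interface settings.
# Assumptions: PowerShell 2.0+, run locally as an administrator, external interface
# identified by the IP address configured on it.

function Assert-WmiResult {
    param([string]$Method, $Result)
    # ReturnValue 0 = success; 1 = success, reboot required; anything else is an error code
    if (@(0, 1) -notcontains $Result.ReturnValue) {
        throw "$Method failed with return code $($Result.ReturnValue)"
    }
    if ($Result.ReturnValue -eq 1) { Write-Warning "$Method applied; a reboot is required" }
}

function Get-IsaNicConfig {
    param([Parameter(Mandatory=$true)][string]$IPAddress)
    $nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.IPAddress -contains $IPAddress }
    if (-not $nic) { throw "No IP-enabled interface has the address $IPAddress" }
    return $nic
}

function Get-IsaInterfaceAudit {
    param([Parameter(Mandatory=$true)][string]$IPAddress)
    $nic = Get-IsaNicConfig $IPAddress
    # TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    # On the Internet-facing interface only 2 is acceptable.
    $netbiosDisabled = ($nic.TcpipNetbiosOptions -eq 2)
    $dnsRegistration = [bool]$nic.FullDNSRegistrationEnabled
    $lmhostsLookup   = [bool]$nic.WINSEnableLMHostsLookup   # one setting for all interfaces
    New-Object PSObject -Property @{
        Interface          = $nic.Description
        NetBiosOverTcpip   = (-not $netbiosDisabled)
        DnsRegistration    = $dnsRegistration
        LmhostsLookup      = $lmhostsLookup
        ExternalCompliant  = ($netbiosDisabled -and (-not $dnsRegistration) -and (-not $lmhostsLookup))
    }
}

function Set-IsaExternalInterface {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$ExternalIP)
    $nic = Get-IsaNicConfig $ExternalIP
    if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
        Assert-WmiResult 'SetTcpipNetbios' ($nic.SetTcpipNetbios(2))
    }
    if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable dynamic DNS registration')) {
        # First argument: register the host record; second: register the domain (adapter) record
        Assert-WmiResult 'SetDynamicDNSRegistration' ($nic.SetDynamicDNSRegistration($false, $false))
    }
    # LMHOSTS lookup is a per-computer setting (EnableWINS is a static method), so turning
    # it off here also turns it off on the internal interface, as the text warns.
    if ($PSCmdlet.ShouldProcess('TCP/IP (all interfaces)', 'Disable LMHOSTS lookup')) {
        $class = [wmiclass]'Win32_NetworkAdapterConfiguration'
        Assert-WmiResult 'EnableWINS' ($class.EnableWINS($nic.DNSEnabledForWINSResolution, $false,
                                                          $nic.WINSHostLookupFile, $nic.WINSScopeID))
    }
}

# Usage (placeholder address): report first, preview with -WhatIf, then apply.
Get-IsaInterfaceAudit -IPAddress '203.0.113.10' | Format-List
Set-IsaExternalInterface -ExternalIP '203.0.113.10' -WhatIf
```

File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks are adapter bindings rather than TCP/IP properties, and Win32_NetworkAdapterConfiguration does not expose them; on Windows Server 2003 clear them in the connection’s properties for the external interface. (On Windows Server 2012 and later the same bindings can be removed with Disable-NetAdapterBinding -ComponentID ms_server and ms_msclient.) Run the audit function against the internal interface as well, but apply only the NetBIOS change there, and only when no legacy clients need it, since the internal interface should keep its DNS registration.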
Managing System Services on the ISA Server Computer
A second step in securing the computer running ISA Server is to disable all services on
the computer that are not required. Several core services are required for ISA Server to
run properly, and additional services can be enabled depending on the functionality
required. All other services should be disabled.
Security Alert
This lesson is focused on reducing the attack surface of the computer
running ISA Server and of ISA Server itself. Reducing the attack surface means that you
eliminate as many of the avenues of attack as possible without losing the required functionality. For example, you disable a system service so that an attacker can never gain access to
the server using that service. You avoid running non-essential applications on the computer
running ISA Server to ensure that a security flaw in that application cannot be used to compromise the server. Reducing the attack surface can also mean that you reduce the larger risk
to your organization in the event of a security breach on the ISA Server computer. For example, never install ISA Server on a domain controller because Windows domain controllers
require many different ports to be accessible to client computers, resulting in a complicated
configuration. In addition, if an attacker can gain access to the domain database, the
attacker may be able to compromise all user accounts, or perhaps damage the database so
that no one can log on. As much as possible, your ISA Server computer should be dedicated
to operating only as an ISA Server computer with all other functionality disabled.
Services Required by ISA Server Table 3-1 lists the core services that must be enabled
for ISA Server and the ISA Server computer to function properly.
Table 3-1 Services Required for ISA Server 2004

Service Name                                  Rationale                                       Startup Mode
COM+ Event System                             Core operating system                           Manual
Cryptographic Services                        Core operating system                           Automatic
Event Log                                     Core operating system                           Automatic
IPSec Services                                Core operating system                           Automatic
Logical Disk Manager                          Core operating system                           Automatic
Logical Disk Manager Administrative Service   Core operating system                           Manual
Microsoft Firewall                            Required for ISA Server                         Automatic
Microsoft ISA Server Control                  Required for ISA Server                         Automatic
Microsoft ISA Server Job Scheduler            Required for ISA Server                         Automatic
Microsoft ISA Server Storage                  Required for ISA Server                         Automatic
MSSQL$MSFW                                    Required when MSDE logging is used              Automatic
Network Connections                           Core operating system                           Manual
NTLM Security Support Provider                Core operating system                           Manual
Plug and Play                                 Core operating system                           Automatic
Protected Storage                             Core operating system                           Automatic
Remote Access Connection Manager              Required for ISA Server                         Manual
Remote Procedure Call (RPC)                   Core operating system                           Automatic
Secondary Logon                               Core operating system                           Automatic
Security Accounts Manager                     Core operating system                           Automatic
Server                                        Required for ISA Server Firewall Client share   Automatic
Smart Card                                    Core operating system                           Manual
SQLAgent$MSFW                                 Required when MSDE logging is used              Manual
System Event Notification                     Core operating system                           Automatic
Telephony                                     Required for ISA Server                         Manual
Virtual Disk Service (VDS)                    Core operating system                           Manual
Windows Management Instrumentation (WMI)      Core operating system                           Automatic
WMI Performance Adapter                       Core operating system                           Manual
You may need to enable additional services on ISA Server, depending on the functionality you require from the server. The ISA Server computer may need to provide
additional server functionality such as operating as a VPN remote access server, or as
a terminal server for remote desktop. The ISA Server computer, in some cases, also acts
as a network client. For example, the ISA Server computer may need to be a DNS client, or you may want to be able to access shared folders on the Internal network from
the ISA Server computer. Table 3-2 lists additional services that may need to be enabled
on the computer running ISA Server.
Table 3-2 Optional Services

Functionality Required | Services Required | Startup Mode
--- | --- | ---
Routing and Remote Access Server | Routing and Remote Access | Manual
Terminal Server for Remote Desktop Administration | Server; Terminal Services | Automatic (for Server); Manual (for Terminal Services)
To install applications using the Microsoft Installer Service | Windows Installer | Manual
To collect performance data on the ISA Server computer | Performance Logs and Alerts | Automatic
To enable remote management of the Windows server | Remote Registry | Automatic
To allow the ISA Server computer to register its IP address with a DNS server automatically | DHCP Client | Automatic
To perform DNS lookups | DNS Client | Automatic
To assign the ISA Server computer to a domain | Network Location Awareness; Net Logon | Manual (for Network Location Awareness); Automatic (for Net Logon)
To allow the ISA Server computer to connect to other Windows clients | Workstation | Automatic
To allow the ISA Server computer to perform WINS-based name resolution | TCP/IP NetBIOS Helper | Automatic
See Also
Table 3-2 lists the most common optional services that you may need to enable.
For a complete list of all the services that may be required, and a description of the specific
situations when you may require the services, see the Security Hardening Guide, located at
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx.
To manage system services on the computer running ISA Server, follow this procedure:
1. Open the Services console from the Administrative Tools folder.
2. Right-click the service that you are configuring and click Properties.
3. On the service Properties page, on the General tab, select the Startup type. You
can also start, stop, pause, or resume the service.
Tip
Many system services require that other services be running before the service can
start. If you have configured a service to start automatically and it will not start, check for
service dependencies on the Dependencies tab on the service Properties dialog box. The
Dependencies tab also includes information detailing which services depend on the service
with which you are working.
Using Security Templates to Manage Services
You can manage the system services manually on the computer running ISA Server 2004.
However, if you have multiple computers running ISA Server, you should automate the
process of managing the services. One option for managing the system services is to use
security templates. Security templates are preconfigured sets of security settings that can
be applied to users and computers. Security templates can be used to configure the following:
■ Audit Policy settings These settings specify the security events that are recorded in the Event Log. You can monitor security-related activity such as who accesses or attempts to access an object, when a user logs on or logs off a computer, or when changes are made to an Audit Policy setting.
■ User Rights Assignment These settings specify which users or groups have logon rights or privileges on the member servers in the domain.
■ Security Options These settings are used to enable or disable security settings for servers, such as digital signing of data, administrator and guest account names, driver installation behavior, and logon prompts.
■ Event Log settings These settings specify the size of each event log and actions to take when each event log becomes full.
■ System services These settings specify the startup behavior and permissions for each service on the server.
Implementing Security Templates
If your computer is a member of an Active Directory directory service domain, you can
apply security templates using Group Policy at a domain or organizational unit (OU) level.
If your computer is not a member of a domain, you can use the Security Configuration and
Analysis Microsoft Management Console (MMC) snap-in or the Secedit command-line tool.
Exam Tip
For the exam, you need not worry about how the security templates are being
applied, but you must be aware of the security template settings, especially how the template
relates to system services.
Microsoft has released the Windows Server 2003 Security Guide, which includes several
templates that you can use to secure servers on your network. The templates are
grouped into three categories:
■ Enterprise Client templates are designed for most networking environments that contain only Windows 2000 or later computers.
■ Legacy Client templates are designed for networking environments that contain older computers.
■ High Security templates are designed to be deployed only in networks that require very high security.
Caution
The High Security templates set very restrictive security policies that may interfere
with network functionality. These policies should be deployed only in environments that
require this level of security, and only after thorough testing.
The Security Guide also provides multiple templates based on server roles, as follows:
■ For member servers in a domain, the Security Guide recommends that you first apply the Member Server Baseline template, which provides a set of baseline security settings that can be applied to all member servers in the domain.
■ After you have applied baseline security settings, you can use additional security templates provided in the Security Guide to apply additional, incremental, security settings to member servers that perform specific roles, such as infrastructure servers, file servers, print servers, and Microsoft Internet Information Services (IIS) servers.
See Also
The Windows Server 2003 Security Guide can be found at
http://go.microsoft.com/fwlink/?LinkId=14845. The Microsoft Windows 2000 Security
Hardening Guide can be found at http://go.microsoft.com/fwlink/?LinkID=22380.
ISA Server and Security Templates
Security templates are the ideal means to configure the security settings on an ISA Server
computer. By applying these templates, you can ensure a consistently high level of security
on the ISA Server computer. To apply the security templates to the ISA Server computer,
perform the following steps:
1. Using the Security Templates MMC snap-in, shown in Figure 3-1, analyze the security
templates included with the Windows Server 2003 Security Guide and determine which
template most closely meets your organization’s requirements. Modify those parts of the
template that do not match your requirements.
[Figure 3-1 Configuring the security template services]
2. Apply the security templates to your ISA Server computer or computers. If your
ISA Server computers are members of an Active Directory domain, create an OU
that contains only the ISA Server computers and then create a Group Policy Object
(GPO) to apply the security template to the servers. If your ISA Server computer
is not a member of the domain, use the Security Configuration and Analysis snap-in
to apply the security policy to the ISA Server computer.
Applying Security Updates
Another critical component in keeping the computer running ISA Server secure is to
ensure that all security updates and patches are applied. Security updates are product
updates that eliminate known security vulnerabilities. To keep ISA Server secure, you
must ensure that the security updates for both ISA Server and the operating system are
current by installing the latest fixes. If the operating system is vulnerable, ISA Server
is also vulnerable. When a security update becomes available, quickly evaluate your
system to determine if the update is relevant to your current situation.
Monitor and install security patches for multiple components for the computer running
ISA Server. These include the latest updates for the operating system, for ISA Server,
and for other components installed by ISA Server, including Microsoft SQL Server 2000
Desktop Engine (MSDE) and Office Web Components 2002 (OWC).
Monitoring Security Updates
The first step in applying security updates is to be aware of which security updates are
available and the security issues that each update is designed to fix. Resources that help
you stay aware of the latest security updates include the following:
■ Microsoft and many third-party antivirus vendors provide security bulletins that enable you to stay current on security issues and fixes. To receive the Microsoft notifications, register at Microsoft Security Notification Service, which is located at http://www.microsoft.com/technet/security/bulletin/notify.mspx.
■ Monitor the Microsoft Security Web site, located at http://www.microsoft.com/security.
■ For ISA Server–specific information, monitor the Microsoft Internet Security and Acceleration Security Center, located at http://www.microsoft.com/technet/security/prodtech/isa/default.mspx. You can also check the ISA Server 2004 Download Center, located at http://go.microsoft.com/fwlink/?LinkId=28791.
■ Search for the latest updates for MSDE and OWC, at Microsoft Security Bulletin Search, located at http://go.microsoft.com/fwlink/?LinkId=28687.
ISA Server and Security Updates
Because ISA Server security is critical, you must ensure that the most recent security
patches for the operating system, ISA Server, and other components such as MSDE are
installed on the ISA Server computer. At the same time, you need to ensure that you don’t
install a security patch that breaks something else on the ISA Server computer or prevents
users from using the ISA Server computer. Follow these guidelines when deploying security
patches on your ISA Server computer:
■ Evaluate the security update severity and risk. When a new security update is released, evaluate the severity of the security issue that it is fixing and evaluate the risk to your organization. If the security patch is fixing a security hole that is extremely difficult to exploit, or if the fix pertains to a feature that you have not implemented, you may choose to wait until the next service pack to apply the patch. In some cases, you may also be able to mitigate the vulnerability by disabling a service or feature instead of using the patch. However, if the patch fixes a critical security issue that directly affects your organization, you should implement the patch immediately.
■ Apply the security update in a test environment. Maintain a test environment that closely mirrors your production environment, and install the patch in this environment first to see if it disrupts any ISA Server functionality.
■ Monitor others’ experience with the security patch. Monitor Internet newsgroups and forums to see if other people are having problems with the patch. This will reveal not only problems with the patch itself, but with the patch installation as well. If the patch causes problems, you may be able to avoid the vulnerability by implementing an alternative control, such as disabling the relevant service or feature.
■ Prepare a backup plan. Despite your best efforts, deploying the security update may interfere with ISA Server functionality. Be prepared with a backup plan that enables you to restore ISA Server functionality as rapidly as possible.
■ Deploy the security update in the production environment. Once you are confident that the patch will not interfere with the functionality in the production environment, deploy the patches to the production ISA Server computers.
Practice: Securing the Computer Running ISA Server
In this practice, you will secure the ISA Server computer’s external network interface.
You will then use security templates to manage the system services running ISA Server.
Exercise 1: Securing the Network Interface
1. Log on to ISA1 as an Administrator.
2. Open Network Connections from the Control Panel, and then click External. Click
Properties.
3. On the External Properties page, clear the check box for Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.
4. Click Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/IP)
Properties dialog box opens.
5. Click Advanced. On the DNS tab, clear the check box for Register This Connection’s Address In DNS.
6. On the WINS tab, clear the check box for Enable LMHOSTS Lookup and select
Disable NetBIOS Over TCP/IP. Click OK twice and close all open windows.
Exercise 2: Using Security Templates and Group Policy to Manage System Services
1. Log on to DC1 as an Administrator.
2. Open Active Directory Users and Computers from the Administrative Tools folder
on the Start menu.
3. Create a new OU in the cohovineyard.com domain named ISA Servers.
4. Right-click ISA Servers and click Properties.
5. On the Group Policy tab, click New.
6. Type ISA Server Security Settings and then click Edit.
7. Expand Computer Configuration and then click Windows Settings.
8. Right-click Security Settings and select Import policy.
9. In the Import Policy From dialog box, browse to the C:\Security Templates folder.
Click Enterprise Client—Member Server Baseline and click Open.
Tip
When you move the ISA Server computer account into the ISA Servers OU, the member
server baseline security template settings will be applied. This template disables several
services required for ISA Server, so you must modify the template to enable the ISA Services
to run.
10. Expand Security Settings, and then click System Services. Double-click Remote
Access Connection Manager.
11. Click Manual and then click OK.
12. Enable the Routing and Remote Access service and configure it for manual start.
13. Enable the Telephony service and configure it for manual start.
14. Enable the Secondary Logon service and configure it for automatic start.
15. Close the Group Policy Object Editor and close the ISA Servers Properties page.
16. Move the ISA1 computer object from the Computers container to the ISA Servers OU.
17. Reboot ISA1.
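The check described in step 1 under ISA Server and Security Templates and in the Tip in Exercise 2, as an added example that is not part of the training kit: it parses the [Service General Setting] section of a secedit .inf template, reports the ISA Server services from Table 3-1 (plus Routing and Remote Access from Table 3-2) that the template disables or sets to the wrong startup mode, and rewrites those entries the way steps 10 to 14 do by hand. The template fragment and its security descriptors are constructed; the short service names (EventLog, RpcSs, seclogon, lanmanserver, fwsrv, isactrl, RasMan, TapiSrv, RemoteAccess) are assumed mappings for the display names used in the tables.

```python
"""Audit a secedit security template (.inf) against the services ISA Server
2004 requires, then rewrite the startup modes that would stop ISA Server.
Added example, not from the training kit; SAMPLE_TEMPLATE is constructed."""
import re
from typing import Dict, List, Tuple

# Startup-mode codes in the [Service General Setting] section of a template:
# 2 = Automatic, 3 = Manual, 4 = Disabled.
AUTOMATIC, MANUAL, DISABLED = 2, 3, 4
MODE_NAME = {AUTOMATIC: "Automatic", MANUAL: "Manual", DISABLED: "Disabled"}

# Display name from Table 3-1 -> (short service name, required startup mode).
# Templates key services by short name; the short names are assumed mappings.
ISA_REQUIRED: Dict[str, Tuple[str, int]] = {
    "Event Log": ("EventLog", AUTOMATIC),
    "Remote Procedure Call (RPC)": ("RpcSs", AUTOMATIC),
    "Secondary Logon": ("seclogon", AUTOMATIC),
    "Server": ("lanmanserver", AUTOMATIC),
    "Microsoft Firewall": ("fwsrv", AUTOMATIC),
    "Microsoft ISA Server Control": ("isactrl", AUTOMATIC),
    "Remote Access Connection Manager": ("RasMan", MANUAL),
    "Telephony": ("TapiSrv", MANUAL),
}
# From Table 3-2: needed only when ISA Server also acts as a VPN server.
ISA_VPN_OPTIONAL: Dict[str, Tuple[str, int]] = {
    "Routing and Remote Access": ("RemoteAccess", MANUAL),
}

# Constructed fragment of a Member Server Baseline-style template: it knows
# nothing about ISA-specific services and disables services ISA Server needs.
SAMPLE_TEMPLATE = """\
[Service General Setting]
"EventLog",2,"D:(A;;CCLCSWLOCRRC;;;BA)"
"RpcSs",2,"D:(A;;CCLCSWLOCRRC;;;BA)"
"seclogon",4,"D:(A;;CCLCSWLOCRRC;;;BA)"
"lanmanserver",2,"D:(A;;CCLCSWLOCRRC;;;BA)"
"RasMan",4,"D:(A;;CCLCSWLOCRRC;;;BA)"
"RemoteAccess",4,"D:(A;;CCLCSWLOCRRC;;;BA)"
"TapiSrv",4,"D:(A;;CCLCSWLOCRRC;;;BA)"
"""

# One entry: "ShortName",StartupMode,"SecurityDescriptor" (descriptor optional).
_SERVICE_LINE = re.compile(r'^"(?P<name>[^"]+)",(?P<mode>[234])(?:,(?P<sd>.*))?$')


def parse_service_settings(template: str) -> Dict[str, Tuple[str, int, str]]:
    """Map lowercase short name -> (name as written, mode, descriptor) for
    every entry in the [Service General Setting] section only."""
    services = {}
    in_section = False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        m = _SERVICE_LINE.match(line)
        if m:  # lines that do not fit the entry format are ignored
            services[m["name"].lower()] = (m["name"], int(m["mode"]), m["sd"] or "")
    return services


def audit_template(template: str, required: Dict[str, Tuple[str, int]]) -> List[str]:
    """ERROR: template disables a required service. WARN: wrong startup mode.
    INFO: not mentioned (the service keeps the startup type already set)."""
    found = parse_service_settings(template)
    findings = []
    for display, (short, want) in required.items():
        entry = found.get(short.lower())
        if entry is None:
            findings.append(f"INFO  {display} ({short}): not set by this template")
        elif entry[1] == DISABLED:
            findings.append(f"ERROR {display} ({short}): template disables a required service")
        elif entry[1] != want:
            findings.append(f"WARN  {display} ({short}): template sets "
                            f"{MODE_NAME[entry[1]]}, ISA Server expects {MODE_NAME[want]}")
    return findings


def fix_template(template: str, required: Dict[str, Tuple[str, int]]) -> str:
    """Return the template with each listed required service set to its
    required startup mode; security descriptors are left untouched."""
    wanted = {short.lower(): mode for short, mode in required.values()}
    out = []
    in_section = False
    for raw in template.splitlines():
        line, new = raw.strip(), raw
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[service general setting]"
        elif in_section:
            m = _SERVICE_LINE.match(line)
            if m and m["name"].lower() in wanted:
                new = f'"{m["name"]}",{wanted[m["name"].lower()]}'
                if m["sd"] is not None:
                    new += "," + m["sd"]
        out.append(new)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE, ISA_REQUIRED):
        print(finding)
    print(fix_template(SAMPLE_TEMPLATE, {**ISA_REQUIRED, **ISA_VPN_OPTIONAL}))
```

A service the template does not list is left alone on purpose: the template then neither enables nor disables it, so only entries that are present are rewritten.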
How to Secure the ISA Server Configuration
After securing the computer running ISA Server, the next step is to ensure that your ISA
Server configuration is as secure as possible. After installation, ISA Server, Standard Edition, starts with a default configuration that provides a high level of security. As an ISA
Server administrator, you must understand what the default configuration is and how
you may need to modify it to provide additional security or functionality.
Note
This default configuration information applies only to ISA Server, Standard Edition.
When you install ISA Server 2004, Enterprise Edition, you assign the server to an array, and
the enterprise and array policies are applied to the server.
The ISA Server Default Configuration
After a standard installation, ISA Server starts with a default configuration. This configuration provides a high level of security because it does not allow access to any Internet or internal resources through the ISA Server computer. However, the default
configuration also includes several other settings. Table 3-3 summarizes the default
configuration.
Table 3-3 ISA Server Default Configuration

Administrator permissions: Members of the Administrators group on the local computer can
configure all ISA Server settings. If the ISA Server computer is a member of a domain, the
Domain Admins group is a member of the local Administrators group, so the Domain Admins
also have full ISA Server management rights. No other users have any Administrator
permissions on ISA Server.

Default networks: The following networks are configured:
■ Local Host. This network represents the ISA Server computer.
■ External. This network includes all computers (IP addresses) that are not explicitly associated with any other network. The external network is generally considered an untrusted network and represents all hosts on the Internet.
■ Internal. This network includes all computers (IP addresses) that were specified as internal during the installation process.
■ VPN Clients. This network contains addresses of currently connected VPN clients. The range of possible addresses is configured when you configure the VPN properties.
■ Quarantined VPN Clients. This network contains addresses of VPN clients that have not yet cleared quarantine.

Network settings: The following network relations are created:
■ Local Host Access. Defines a network rule that states that all traffic between the Local Host (the ISA Server computer) and all networks will be routed. This does not enable the routing of traffic, but it states that traffic between the ISA Server computer and any other network will be routed rather than use network address translation (NAT).
■ Internet Access. Defines a NAT network relationship from the Internal network, the Quarantined VPN Clients network, and the VPN Clients network, to the External network. Again, this does not grant any access; it only states that NAT will be used for traffic between these networks.
■ VPN Clients to Internal Network. Defines a routed network relationship between the VPN Clients network and the Internal network.

Firewall Access Rules: The following default rules are created:
■ System policy rules. A series of rules that enable interaction between the ISA Server computer and other network resources.
■ Default rule. This rule denies all traffic between all networks. Because this is the only firewall access rule that is created by default, all traffic between different networks on the ISA Server computer is blocked.

Publishing: No internal servers are accessible to external clients.

Caching: The cache size is set to 0. All caching is therefore disabled.

Firewall Client Install Share: When you install the Firewall Client Share, a system policy rule
named Allow Access To Firewall Client Share To Trusted Computers, which allows clients on
the Internal network to access the share, is enabled. This rule must be enabled to allow the
clients to install the software from the share.
The default configuration of a newly installed ISA Server means that traffic can occur
between the ISA Server computer and other networks. For example, Lightweight Directory Access Protocol (LDAP) traffic is permitted from the ISA Server computer to the
internal network. This enables the ISA Server computer to operate as a member of an
Active Directory domain. However, by default, no traffic is permitted through the ISA
Server computer from one network to another.
Because ISA Server blocks all network traffic between connected networks, you must
modify the default ISA Server configuration to use ISA Server. Modify the default settings by configuring firewall access rules and publishing rules so that users can access
resources on other networks through the ISA Server computer. You may also want to
modify the default configuration by modifying the system policies on the server or by
assigning administrative roles.
Configuring System Policies
When ISA Server 2004 is installed, a default system policy is configured on the server.
This system policy includes a variety of access rules that provide an initial configuration for ISA Server 2004. Depending on your organization’s requirements, you may
need to modify the system policy configuration, either by disabling some of the rules
or enabling and modifying the rules.
System policy rules are used to define what traffic is allowed between the ISA Server
computer and the connected networks. All the system policies define access between
the Local Network, which is the ISA Server computer itself, and the connected networks rather than defining access between networks.
Exam Tip
System policies are the primary means for restricting or enabling access to the
ISA Server computer. When you see questions on the exam that relate to accessing the ISA
Server computer (called the Local Network in the ISA Server Management interface), check
the system policy settings.
The firewall access rules defined by the system policy function the same way as other
access rules in that they enable or disable access. However, the implementation of the
system policy rules is different. When you create an access rule, you must define all
components for that rule. The system policy rules are defined in advance; all you need
to do is decide whether to enable or disable the rule and then choose which networks
are affected by the rule.
System Policy Settings
A default system policy is applied when you install ISA Server 2004. This policy enables
the functionality needed to manage the ISA Server computer and provide network
connectivity. Table 3-4 summarizes the system policy configuration options.
Table 3-4 System Policy Settings

Network Services: Defines which networks are accessible from the ISA Server computer for
DNS, Dynamic Host Configuration Protocol (DHCP), and Network Time Protocol (NTP). You
can modify the system policy so that only particular computers on the internal network can
be accessed, or add networks if the services are found on a different network.

Authentication Services: To authenticate users, ISA Server must be able to communicate with
the authentication servers. By default, ISA Server can communicate with Active Directory
servers (for Windows authentication) and with Remote Authentication Dial-In User Service
(RADIUS) servers located on the internal network. You can modify which networks are
accessible for authentication as well as limit which authentication options can be used.

Remote Management: By default, ISA Server can be managed by running a remote MMC
snap-in or by using Terminal Services on any computer in the built-in Remote Management
Computers computer set. When ISA Server is installed, this empty computer set is created.
Add all computers that will manage ISA Server remotely to this set. Until this is done, remote
management is not available from any computer.

Firewall Client: If the Firewall Client Share component was installed when you installed ISA
Server, the Firewall Client Installation Share configuration group is enabled by default. All
computers on the Internal network can access the shared folder.

Diagnostic Services: The system policy rules that allow access to diagnostic services are
enabled, with the following permissions:
■ Internet Control Message Protocol (ICMP) is allowed to all networks. This service is important for determining connectivity to other computers.
■ Windows networking. This allows NetBIOS communication to computers on the Internal network.
■ Microsoft error reporting. This allows Hypertext Transfer Protocol (HTTP) access to the Microsoft Error Reporting sites Uniform Resource Locator (URL) set to allow reporting of error information. By default, this URL set includes specific Microsoft sites.

Logging and Remote Monitoring: These system policy rules allow remote logging and
monitoring. The following configuration groups are disabled by default:
■ Remote Logging (NetBIOS)
■ Remote Logging (SQL)
■ Remote Performance Monitoring
■ Microsoft Operations Manager

SMTP: The Simple Mail Transfer Protocol (SMTP) configuration group is enabled, allowing
SMTP communication from ISA Server to computers on the Internal network. This is required
to send alert information in an e-mail message.

Scheduled Download Jobs: The scheduled download jobs feature is disabled. When a content
download job is created, the administrator is prompted to enable this system policy rule.

Allowed Sites: By default, the allowed sites configuration group is enabled, allowing ISA
Server to access content on specific sites that belong to the System Policy Allowed Sites URL
set. This URL set includes various Microsoft Web sites by default. The URL set can be
modified to include additional Web sites.
Modifying System Policy
After installing ISA Server, you should analyze the default system policy configuration and
modify the policy to meet your organization’s requirements. The default system policy
enables more options than are required for most organizations. If your organization does
not require a specific type of functionality enabled by a system policy rule, then disable the
rule. For example, the default system policy enables both RADIUS and Active Directory
authentication, and most organizations will use one or the other. If you are using only one
type of authentication, then disable the rule pertaining to the other.
Modify the default system policy settings to match your organization’s requirements.
First, identify the functionality that you require on the ISA Server computer. Then review
the system policy settings and disable all the system policy rules that you do not require.
For example, if no users will ever access ISA Server using Remote Desktop, then disable
the Terminal Server system policy that enables Remote Desktop connections.
Second, for the system policy rules that you leave enabled, you should limit which networks are included in the system policy setting. For example, by default, the DNS system policy allows ISA Server to perform DNS lookups on any connected network. If
you want the ISA Server computer to be able to perform lookups only on the Internal
network, then modify the system policy setting. You can limit the scope of some system policy rules even more. For example, Remote Desktop connections are permitted
only from the computers listed in the Remote Management Computer set. You should
add the IP addresses for the computers used by the ISA Server administrators to this
group, rather than allow access based on a network.
To modify the default system policy, use the following procedure:
1. In the console tree of ISA Server Management, click Firewall Policy.
2. On the Tasks tab, click Edit System Policy. The interface is shown in Figure 3-2.
[Figure 3-2 Modifying the ISA Server system policy]
3. Click the configuration group that you want to configure. For example, to configure the DHCP settings, click DHCP in the Configuration Groups box.
4. On the General tab, click Enable or clear the Enable check box to enable or disable the configuration group.
5. On the From tab, configure the source of network traffic. You can use any network
entity to configure the source network. You can also define exceptions to the rule.
Note
The system policy settings all configure traffic to or from the Local Host network. For
some configuration groups, such as DHCP, you define the source network for the traffic on
the From tab. For other configuration groups, such as Active Directory authentication, you
configure the destination network on the To tab.
6. When you enable a system policy setting, ISA Server configures one or more system policy rules. To display the system policy rules, click Firewall Policy in ISA
Server Management and then, on the Tasks tab, click Show System Policy Rules.
Security Alert
In addition to configuring system policy to reduce the attack surface, disable the ISA Server features that you do not use. For example, if you do not require caching,
disable caching. If you do not require the VPN functionality of ISA Server, disable VPN client
access. Both options are disabled by default.
How to Configure ISA Server Administrative Roles
Another component to securing the ISA Server computer is to configure the ISA Server
administrative permissions. As a general rule, user accounts should always be configured with the minimum privileges necessary to perform a specific task. You can use
role-based administration to organize your ISA Server administrators into separate,
defined roles, each with its own set of privileges and corresponding tasks. The roles
assigned in ISA Server are based on Windows users and groups. If the ISA Server computer is a member of a domain, these users and groups can be either local accounts or
domain accounts. If the ISA Server computer is not a member of a domain, you must
assign local users and groups to the roles.
ISA Server includes three administrative roles that are defined in advance:
■ ISA Server Basic Monitoring Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.
■ ISA Server Extended Monitoring Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert-definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.
■ ISA Server Full Administrator Users and groups assigned this role can perform any ISA Server task, including rule configuration, application of network templates, and monitoring.
Exam Tip
The only way to assign permissions in ISA Server is to use administrative roles.
If an exam question mentions a user’s having too many or too few permissions, check the
administrative role configuration.
Each ISA Server role has a specific list of ISA Server tasks associated with it. Table 3-5 lists
some ISA Server administrative tasks, as well as the roles in which they are performed.
Table 3-5 ISA Server Roles and Tasks

Activity | ISA Server Basic Monitoring | ISA Server Extended Monitoring | ISA Server Full Administrator
--- | --- | --- | ---
View Dashboard, alerts, connectivity, sessions, services | X | X | X
Acknowledge alerts | X | X | X
View log information | | X | X
Create alert definitions | | X | X
Create reports | | X | X
Stop and start sessions and services | | X | X
View firewall policy | | X | X
Configure firewall policy | | | X
Configure cache | | | X
Configure VPN | | | X
Any Windows user can be a member of these ISA Server administrative groups. No
special privileges or Windows permissions are required. The only exception is that to
view the ISA Server performance counters using either Performance Monitor or the ISA
Server Dashboard, the user must be a member of the Windows Server 2003 Performance Monitor Users group.
Security Alert
When configuring ISA Server administrative roles, apply the principle of
least privilege, whereby a user has the minimum privileges necessary to perform a specific
task. This helps ensure that if a user account is compromised, the impact is minimized by the
limited privileges granted that user. In particular, remember that the users in the Administrators local group on the computer running ISA Server are assigned the role of ISA Server Full
Administrator, meaning that they also have full rights to configure and monitor ISA Server.
This group should contain as few users as possible.
To assign administrative roles, use the following procedure:
1. In the console tree of ISA Server Management, click the ISA Server computer
name.
2. On the Tasks tab, click Define Administrative Roles.
3. On the Welcome to the ISA Server Administration Delegation Wizard page, click
Next.
4. On the Delegate Control page, to add groups, click Add. Figure 3-3 shows the
interface.
Figure 3-3
Using the Administration Delegation Wizard to assign administrative roles
5. On the Administration Delegation page, click Browse to locate the group or user
account.
6. On the Select User Or Group page, click Locations and select the appropriate
directory location. Click OK.
7. Type the name of the user or group that you want to add, and then click OK.
8. In the Role box, select the ISA Server role that you want to assign to this user or
group. Click OK.
9. Click Next, review the changed roles, and then click Finish.
10. To remove or change the roles assigned to a user or group, run the ISA Server
Administration Delegation Wizard again. Select the user or group whose role you
want to change. If you are removing the user or group’s administrative role, click
Remove. If you are changing the administrative role, click Edit and change the
role.
3-24
Chapter 3
Securing and Maintaining ISA Server 2004
Practice: Securing ISA Server
In this practice, you will examine the configuration of an ISA Server computer after
installation. Then you will examine and modify the default system policies. Finally, you
will create a new user and group in your domain and assign an ISA Server administrative role to the user.
Exercise 1: Examining the Default ISA Server Configuration
1. On ISA1, open ISA Server Management. Right-click ISA1 and click Administration Delegation.
2. On the Welcome To The ISA Server Administration Delegation Wizard page, click
Next.
3. What roles have been assigned to the following groups?
a. Cohovineyard\Administrator
b. Builtin\Administrators
4. Click Cancel.
5. Expand Configuration and click Networks. In the details pane, click Network
Rules.
6. Review the Network Rules. List the network relationships between the networks
listed below:
a. Local Host and All Networks
b. Quarantined VPN Clients, VPN Clients, and Internal
c. Quarantined VPN Clients, VPN Clients, Internal, and External
7. In the console tree, click Firewall Policy. What rule(s) are listed? Describe the rule
configuration.
8. On the Tasks tab, click Show System Policy Rules. Locate the rule named Allow
Access From Trusted Computers To The Firewall Client Installation Share On ISA
Server. Double-click the rule. What does this rule enable? What network is
included in this rule?
9. In the console tree, expand Configuration and click Cache. Under Tasks, click
Define Cache Drives. What is the default maximum cache size? What does this
indicate about the default cache configuration? Click OK.
10. Close all open windows. If you receive a message about unsaved changes, click
Discard Changes.
Exercise 2: Examining and Modifying the Default System Policy
1. On ISA1, open ISA Server Management and click Firewall Policy.
2. On the Tasks tab, click Edit System Policy.
3. In the Configuration Groups box, ensure that DHCP is selected. On the From tab,
ensure that Internal is listed in the This Rule Applies To Traffic From These
Sources box.
4. On the General tab, clear the check box for Enable.
5. In the Configuration Groups box, click Microsoft Management Console. On the
From tab, ensure that Remote Management Computers is listed in the This Rule
Applies To Traffic From These Sources box.
6. Click Remote Management Computers, and then click Edit. Click Add, and then
click Computer.
7. In the New Computer Rule Element dialog box, type DC1 as the computer name,
and 10.10.0.10 as the IP Address. Click OK twice.
8. Under Authentication Services, click RADIUS. Clear the check box for Enable.
Click OK.
9. Click Apply to apply the changes and click OK when the changes have been
applied.
10. Locate the rule named Allow DHCP Requests From ISA Server To All Networks.
Right-click the rule and then click Properties. Confirm that the rule is disabled and
that you cannot modify the rule. Click OK.
Exercise 3: Configuring Administrative Roles
1. Log on to DC1 as an Administrator.
2. Create a group in the Users container named ISA Admins. You will assign ISA
Server administrative permissions to this group.
3. Create a user in the Users container. Use your first name and last initial as the user
logon name. Add this user account to the ISA Admins group.
4. On ISA1, open ISA Server Management. Right-click ISA1 and click Administration Delegation.
5. On the Welcome To The ISA Server Administration Delegation Wizard page, click
Next.
6. On the Delegate Control page, click Add.
7. In the Administration Delegation dialog box, click Browse. Click Locations,
expand Entire Directory and then click Cohovineyard.com. Click OK.
8. In the Enter The Object Name To Select box, type ISA Admins and then click OK.
Select ISA Server Full Administrator from the Role drop-down list. Click OK.
9. On the Delegate Control page, click Next.
10. On the Completing The Administration Delegation Wizard page, click Finish.
11. Click Apply to apply the changes and click OK when the changes have been
applied. Close all open windows.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You want your Help Desk group to be able to monitor the ISA Server Dashboard.
Your organization has a security policy that requires that all users be assigned as
few permissions as possible to complete their tasks. You assign the ISA Server
Basic Monitoring role to the Help Desk group on the ISA Server computer. However, none of your help desk employees can view the performance information in
the ISA Server Dashboard. What is the problem and how would you resolve it?
a. The Help Desk group needs to be added to the local Administrators group on
the computer running ISA Server.
b. You need to create an access rule to allow the Help Desk group to connect to
the ISA Server computer.
c. The Help Desk group needs to be added to the local Performance Monitor
Users group on the computer running ISA Server.
d. The Help Desk group needs to be added to the Server Operators domain
local group.
2. You work for a large company with several branch offices. Each of the locations
has an Internet connection as well as a dedicated wide area network (WAN) connection to the corporate head office. You install and configure ISA Server 2004 in
each branch office. The ISA Server computers are not members of an Active Directory domain. You need to ensure that the same operating system security settings
are applied to each ISA Server. What should you do?
a. Create a script that shuts down all the services that are not required on one of
the servers running ISA Server. Run the same script on all the computers running ISA Server.
b. Document the security settings on one of the servers. Send the document to
an administrator in each office, asking them to duplicate the configuration.
c. Create a security template with your security settings. Apply the security template using Group Policy.
d. Create a security template with your security settings. Apply the security template using Security Configuration and Analysis.
3. Your organization has deployed ISA Server 2004. You install a third-party product
on the server running ISA Server. However, when you try to access the company
Web site from the ISA Server computer, you cannot connect to the site. You need
to connect to the company Web site from ISA Server to download updates. How
can you configure your server to support this requirement?
a. Enable Schedule Download Jobs on the ISA Server computer.
b. Add the company Web site to the System Policy Allowed Sites domain name
set on the ISA Server computer.
c. Configure an access rule that enables access from the internal network to the
company Web site.
d. Configure the Web browser on the ISA Server computer as a Web Proxy client.
Lesson Summary
■ The first step in securing ISA Server is to harden the network interfaces and the operating system on the computer that hosts ISA Server. To harden the network interfaces, remove all services and functionality that are not required.
■ The second step to securing ISA Server is to ensure that only required services are running on the computer. To function properly, ISA Server requires some system services; all other services should be disabled. The best way to manage system services on the ISA Server computer is to use security templates.
■ The default configuration of ISA Server 2004 is secure and does not allow access to any Internet or internal resources. It is also configured to allow traffic to flow between the ISA Server computer and other networks.
■ The system policy is a set of firewall policy rules that control how the ISA Server computer interacts with the connected networks. Following installation, the policy should be modified to meet your organization’s requirements. You may need to enable some system policy settings, and you should disable all system policies that are not required.
■ Securing ISA Server also means ensuring that users do not have more administrative permissions on the ISA Server computer than they require. ISA Server provides three administrative roles that enable different levels of administrative permissions. Use the Administration Delegation Wizard to assign appropriate roles on ISA Server.
Lesson 2: Maintaining ISA Server 2004
After the ISA Server computer has been deployed and secured, you need to continuously maintain your ISA Server infrastructure. As part of this maintenance, you must
ensure that you can recover your ISA Server installation as quickly as possible in the
event of a configuration error or a server failure. ISA Server 2004 provides two options
for saving and restoring an ISA Server configuration. This lesson explains how to
export and import the ISA Server configuration as well as how to back up and restore
the configuration. In addition, this lesson discusses how to implement remote administration on ISA Server 2004.
See Also
Another important part of maintaining an ISA Server implementation is monitoring
ISA Server. This topic is explored in Chapter 11, “Implementing Monitoring and Reporting.”
After this lesson, you will be able to
■ Import and export the ISA Server configuration
■ Back up and restore the ISA Server configuration
■ Implement remote administration of ISA Server 2004
Estimated lesson time: 45 minutes
How to Export and Import the ISA Server Configuration
Among the new features in ISA Server 2004 is the option to export and import the ISA
Server configuration. With this option, you can save and restore the ISA Server configuration information. When you use the ISA Server export feature, the configuration
parameters are exported and stored in an .xml file.
The import and export features are useful in several scenarios:
■ Cloning a server: You can export a configuration from one ISA Server computer and then import the settings on another computer, thereby easily duplicating a server configuration. For example, after configuring an ISA Server computer at one branch office, you can export the configuration to an .xml file. Then you can import the file on a computer running ISA Server at another branch office. The two ISA Server computers will have a duplicate configuration.
■ Saving a partial configuration: You can export and import any part of the ISA Server configuration. For example, you can export a single rule, an entire policy, or an entire configuration. This is helpful when you want to copy all the firewall policy rules, but not the monitoring configuration, from one ISA Server to another. This is also useful when you want to modify a specific rule. You can export that rule and have the exported configuration available in case you need to roll back the rule modification.
■ Sending a configuration for troubleshooting: You can export your configuration information to a file and send it to support professionals for analysis and troubleshooting.
■ Rolling back a configuration change: As a best practice, before modifying any ISA Server settings, you should export the specific component that you are modifying. If your modification is not successful, you can easily restore the previous configuration by importing the policy file.
Exporting the ISA Server Configuration
You can export the entire ISA Server configuration, or just parts of it, depending on
your specific needs. You can export the following objects:
■ The entire ISA Server configuration
■ All the connectivity verifiers, or one selected connectivity verifier
■ All the networks, or one selected network
■ All the network sets, or one selected network set
■ All the network rules, or one selected network rule
■ All the Web chaining rules, or one selected Web chaining rule
■ Cache configuration
■ All the content-download jobs, or one or more selected content-download jobs
■ The entire firewall policy, or one selected rule
Tip
The system policy rules are not exported when you export the firewall policy. To export
the system policy configuration, you must select the Export System Policy task.
When you export an entire configuration, all general configuration information is
exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can choose to
export user permission settings and confidential information such as user passwords.
Confidential information included in the exported file is encrypted.
Caution
When you export an entire configuration, certificate settings are also exported.
However, if you import the configuration to an ISA Server computer with different certificates,
the Microsoft Firewall service will fail to start and an event message will be logged. To avoid
this, use the Certificates MMC snap-in to copy the certificates from the first server to the second server, or modify the ISA Server computer settings that require certificates.
To export the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to export. Remember that if you select
a container object (such as the Firewall Policy), all the objects in the container will
be exported.
3. On the Tasks tab, click the Export task. The exact name for the task will vary
depending on the type of object that you select.
4. Enter a file name for the exported .xml file and click Export.
Security Alert
Ensure that you save the exported files to a secure location on the local
server or on a network share. Only administrators of the ISA Server computer should have
read permissions to the location. If an attacker can access the configuration file, the intruder
will have complete information about your ISA Server configuration.
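As an added example (not from the training kit), the following PowerShell script applies this alert, and the later advice to keep backups off the server, to the folder that holds exported or backed-up .xml configuration files: it breaks permission inheritance, grants access only to the local Administrators group and SYSTEM, and then audits the folder for any other principal that can still read it. The folder path is an assumption, as is the presence of PowerShell on the computer where the files are stored.

```powershell
# Added example, not part of the training kit. Hardens and audits the folder
# that stores exported ISA Server configuration (.xml) files so that only
# administrators of the ISA Server computer can read them.
# $ExportFolder is an assumed path; substitute your own location (a network
# share is fine, as long as its share permissions are equally restrictive).
$ExportFolder = 'D:\ISAConfigExports'

# Principals that may read exported configuration files. Everyone else is removed.
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Protect-IsaExportFolder {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -Path $Path

    # Break inheritance without copying the parent's entries, so that rights such
    # as "Users: Read & Execute" on the drive root no longer flow into this folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit (non-inherited) entry that is already present.
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($existing)
    }

    # Grant Full Control to the allowed principals only; the entries inherit to
    # sub-folders and files so that new export files pick them up automatically.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in $AllowedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl
}

function Get-IsaExportFolderExposure {
    # Returns every Allow entry that gives read access to a principal outside
    # $AllowedPrincipals. An empty result means the folder meets the alert above.
    param([Parameter(Mandatory=$true)][string]$Path)

    $readBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readBits) -ne 0) -and
            ($AllowedPrincipals -notcontains $_.IdentityReference.Value)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Protect-IsaExportFolder -Path $ExportFolder

# Report anything that still has read access and should not.
$exposure = @(Get-IsaExportFolderExposure -Path $ExportFolder)
if ($exposure.Count -eq 0) {
    Write-Host "$ExportFolder is readable only by: $($AllowedPrincipals -join ', ')"
} else {
    Write-Warning "$ExportFolder is readable by principals outside the allowed list:"
    $exposure | Format-Table -AutoSize
}
```

Run the audit function on its own after every export to confirm that no one has widened the permissions since the folder was created.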
Importing the ISA Server Configuration
When you import a previously exported file, all properties and settings defined in the
file are imported, overwriting the current configuration on the ISA Server computer.
However, if you export only a specific component, such as a specific firewall rule, the
file import overwrites only that particular rule.
Note When you import the configuration, the configuration file must be imported at the
appropriate node. For example, after you export a rule, you must import the configuration file
at the Firewall Policy node level or by selecting another rule.
To import the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to import. You must select the correct
type of object for the configuration file that you are using.
3. On the Tasks tab, click the import task. The exact name for the task will vary,
depending on the type of object that you selected.
4. Select the exported .xml file and click Import.
5. Click Apply to apply the changes and click OK when the changes have been
applied.
How to Back Up and Restore the ISA Server Configuration
ISA Server 2004 also includes backup and restore features that enable you to save and
restore the ISA Server configuration information. The backup procedure also stores the
configuration information in an .xml file.
The primary use of the backup and restore option in ISA Server is for disaster recovery.
You should regularly back up the configuration on the ISA Server computer so that you
can restore the computer with the same settings in case of a computer failure. The
backup functionality saves the appropriate information to ensure that an identical configuration can be restored.
Real World
Disaster Recovery with ISA Server 2004
Disaster recovery is often a complicated and painful process for an organization.
In my experience, many organizations do not have a documented disaster recovery plan in place. Even if an organization has such a plan, disaster recovery is
usually very difficult and results in significant downtime for the network and
often a loss of data. As a result, most network administrators find the whole topic
of disaster recovery very stressful.
The good news is that disaster recovery with ISA Server 2004 is really quite easy.
Because you can back up an entire ISA Server configuration to an .xml file, you
can restore ISA Server functionality very rapidly on another server. In the simplest
scenario, you configure a replacement server with the same IP address configuration as the failed server. If you use Group Policy to assign a security template to
the ISA Server computers, you can move the new ISA Server into the applicable
OU to apply all the Windows security settings. Then install ISA Server on the
replacement server and import the ISA Server settings from the failed server.
This does not mean that you can skip planning for a disaster. For example,
ensure that you have a recent backup of the ISA Server configuration. This
backup must be stored in a network location other than the ISA Server computer
in case of a hard-disk failure on the server. You must also have a replacement
server available. The good news is that because you are not restoring any operating system components, the replacement server need not be running on the
same hardware as the failed server.
If you are using digital certificates for Secure Sockets Layer (SSL) on the ISA
Server computer, you also need to have backup copies of the digital certificates
available. If you do not have a backup copy of the original certificate, you will
need to obtain another certificate with the same name before you can restore full
ISA Server functionality. Because of this, use the Certificates MMC snap-in to
export all the certificates on the ISA Server computer and store these certificates
with the ISA Server backups.
Backing up an ISA Server configuration backs up all configuration options on the
server. This includes firewall policy rules, rule elements, alert configuration, cache
configuration, system policy and VPN configuration. One of the differences between
backing up the server configuration and exporting the configuration is that you can
only back up the entire ISA Server configuration, not individual components or groups
of components.
The restore process reconstructs the configuration information that was backed up. By
restoring a backup, you can rebuild the ISA Server configuration or restore it after a
configuration error.
To back up and restore the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management and click the server name. The option to back up
and restore the ISA Server configuration is available only when you select the
server name.
2. On the Tasks tab, click Backup This ISA Server Configuration.
3. Enter a file name for the backup file and click Backup.
4. You must provide a password for the ISA Server backup file.
5. To restore the backup, click the server name in ISA Server Management. Then
click Restore this ISA Server Configuration and select the appropriate ISA Server
backup file.
6. Click Apply to apply the changes and click OK when the changes have been
applied.
How to Implement Remote Administration
In most organizations, you will not perform ISA Server administration directly from the
ISA Server computer console. The ISA Server computer should be located in a physically secure server room and you should administer the server from your client computer. If your organization has multiple locations with ISA Servers installed in each
location, you may need to manage all the servers from your desktop. Remote administration enables you to administer ISA Server in all these cases.
You have two options for remotely administering ISA Server. You can use a Terminal
Services or Remote Desktop connection to administer the server, or you can install the
ISA Server Management Console on another computer and use it to manage the ISA
Server computer.
If you have installed ISA Server on a server running Windows 2000, you can use Terminal Services to manage the ISA Server computer. If ISA Server is installed on a computer running Windows Server 2003, you can use Remote Desktop in the same way.
When you use Terminal Services or Remote Desktop to administer the ISA Server
computer, you can view the desktop of the ISA Server computer as if you were in front
of the monitor attached to the ISA Server computer. The advantage of using Terminal
Services or Remote Desktop to administer ISA Server is that you can manage virtually
all the settings on the server, not just ISA Server.
Security Alert
Remote Desktop also has additional benefits related to security. For example, the Remote Desktop Protocol (RDP) uses TCP port 3389 by default, but you can modify this setting. RDP traffic is also encrypted. If you want to use the ISA Server Management Console to administer ISA Server remotely, you must enable File And Printer Sharing on the ISA Server computer. In addition, the MMC traffic is not encrypted.
To enable remote administration of ISA Server on computers running Windows Server
2003, you must be a member of the Administrators group or Remote Desktop Users
group on the ISA Server computer, or be granted permission to use Remote Desktop
to connect to the server. To enable remote administration of ISA Server running on a
Windows 2000 computer, you must install Terminal Services on the server in either
Application or Remote Administration mode. Then the user properties must be configured to allow remote connections using Terminal Services.
You can also perform remote administration of ISA Servers using the ISA Server Management Console snap-in. To install the MMC snap-in on a computer not running ISA
Server, perform a custom installation, installing only ISA Server Management. After
installation, you can connect to any computer with ISA Server installed.
There are advantages to remote administration with ISA Server Management. Using ISA
Server Management, you can connect to and display information from many ISA Server
computers at once. This is useful for central administration of geographically dispersed
ISA Server computers.
To run ISA Server Management, you need the following:
■ A personal computer with a 300-megahertz (MHz) or higher, Pentium II–compatible CPU
■ Windows Server 2003, Windows 2000 Server or Windows 2000 Professional, or Windows XP
■ 256 megabytes (MB) of memory
■ 19 MB of available hard-disk space
When you install ISA Server, the default system policy allows remote administration
from all members of a computer set named Remote Management Computers. This
computer set is used to assign remote access permissions in both the MMC system policy configuration group and the Terminal Services configuration group. By default, no
computers are in this group, so no computers can connect to the ISA Server computer
for remote management. To enable remote management on the ISA Server computer,
you must configure remote administration by editing the appropriate MMC or Terminal
Server configuration group in the System Policy editor.
Exam Tip
Remember that to use the ISA Server Management Console from a remote computer, your computer must be added to the Remote Management Computers computer set.
Similarly, to use Terminal Services or Remote Desktop to administer ISA Server, your computer must be added to the Remote Management Computers computer set, and you must
also have permission to create a terminal session to the server. Just to complicate matters
further, you must also ensure that the Terminal Services or Microsoft Management Console
system policy configuration groups are enabled. And there is one more thing to be aware of: If
you installed ISA Server using Terminal Services or Remote Desktop, the IP address of the
computer from which you performed the install is automatically added to the Remote Management Computers computer set. Keep all this in mind when you see a question dealing with
remote access permissions.
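As an added example (not from the training kit), this PowerShell script reports the Windows-side prerequisites for Remote Desktop administration described above: whether Remote Desktop is enabled, which TCP port the RDP-Tcp listener actually uses, and who is in the local Remote Desktop Users and Administrators groups. The ISA-side prerequisites (the Remote Management Computers computer set and the Terminal Services system policy configuration group) are not covered and still need to be checked in ISA Server Management; PowerShell is assumed to be installed on the ISA Server computer.

```powershell
# Added example, not part of the training kit. Reports the Windows-side
# prerequisites for administering an ISA Server computer over Remote Desktop
# (Windows Server 2003). Run it locally on the ISA Server computer.
# Not covered here: the Remote Management Computers computer set and the
# Terminal Services system policy configuration group, which are ISA Server
# settings edited in the System Policy editor.

$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpListenerKey    = "$TerminalServerKey\WinStations\RDP-Tcp"
$DefaultRdpPort    = 3389

function Get-LocalGroupMemberNames {
    # Lists the members of a local group through the WinNT ADSI provider.
    param([Parameter(Mandatory=$true)][string]$GroupName)

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RemoteDesktopAdminStatus {
    # fDenyTSConnections = 1 means "Allow Users To Connect Remotely To This
    # Computer" is cleared, the state that makes the first connection attempt
    # in Exercise 2 fail. PortNumber is the listener port that a system policy
    # or firewall rule allowing RDP must match.
    $deny = (Get-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path $RdpListenerKey -Name PortNumber).PortNumber

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        RdpPort              = $port
        NonDefaultPort       = ($port -ne $DefaultRdpPort)
        RemoteDesktopUsers   = @(Get-LocalGroupMemberNames -GroupName 'Remote Desktop Users')
        LocalAdministrators  = @(Get-LocalGroupMemberNames -GroupName 'Administrators')
    }
}

$status = Get-RemoteDesktopAdminStatus

if (-not $status.RemoteDesktopEnabled) {
    Write-Warning 'Remote Desktop is disabled: enable it on the Remote tab of System Properties.'
}
if ($status.NonDefaultPort) {
    Write-Host "RDP listens on TCP $($status.RdpPort), not the default $DefaultRdpPort; rules that allow RDP must use this port."
}
# Members of either group may open a Remote Desktop session; keep both lists short.
"Remote Desktop Users: " + ($status.RemoteDesktopUsers -join ', ')
"Administrators (also permitted): " + ($status.LocalAdministrators -join ', ')
```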
Practice: Maintaining ISA Server 2004
In this practice, you will install the ISA Server Management Console on another server
and then use the MMC to back up the ISA Server configuration. You will then connect
to the ISA Server computer using Remote Desktop and export and import settings on
the ISA Server computer.
Exercise 1: Using the ISA Server Management Console for Remote
Administration
1. Log on to the DC1 computer as an Administrator.
2. Insert the ISA Server CD-ROM into the server CD-ROM drive. If Autorun is
enabled, the Microsoft ISA Server 2004 Setup page will open automatically. If it
does not open, open Windows Explorer, browse to the CD-ROM, and double-click
Isaautorun.exe.
3. On the Microsoft ISA Server 2004 Setup page, click Install ISA Server 2004.
4. On the Welcome To The Installation Wizard for Microsoft ISA Server 2004 Setup
page, click Next.
5. On the License Agreement page, review the terms and conditions stated in the
end-user license agreement. Then click I Accept The Terms In The License Agreement and click Next.
6. On the Customer Information page, click Next.
7. On the Setup Type page, click Custom and then click Next.
8. On the Custom Setup page, modify the Firewall Services option so that it will not
be installed. Ensure that ISA Server Management is configured to be installed on
the local hard drive and click Next.
9. On the Ready To Install The Program page, click Install.
10. When the program is installed, click Finish. Close all open windows.
11. Open ISA Server Management. In the console tree, right-click Microsoft Internet
Security And Acceleration Server 2004 and click Connect To.
12. In the Connect To dialog box, type ISA1 and click OK.
13. Click ISA1. On the Tasks tab, click Back Up This ISA Server Configuration.
14. In the Backup Configuration dialog box, in the File name box, type ISA1 Backup
and then click Backup.
Note
The backup .xml file is stored on the local computer, not on the computer running ISA
Server.
15. In the Set Password dialog box, type a password in the Password and Confirm
password boxes. Click OK.
16. When the backup is complete, click OK. Close all open windows.
Exercise 2: Using Remote Desktop for Remote Administration
1. On DC1, open Remote Desktop Connection from the Communications folder.
2. In the Remote Desktop Connection screen, in the Computer box, type ISA1 and
then click Connect. The connection will fail.
3. When the Remote Desktop Disconnected message appears, review the contents of
the message and click OK.
4. On ISA1, open the System control panel.
5. On the Remote tab, select the check box for Allow Users To Connect Remotely To
This Computer. Click OK to clear the Remote Sessions warning.
6. Click Select Remote Users. Notice that the Administrator account already has
access. Close all open windows.
7. On DC1, in the Remote Desktop Connection box, click Connect.
8. The connection should succeed. In the Logon Warning dialog box, click OK.
9. Log on using the Administrator account.
10. Within the Remote Desktop, open ISA Server Management.
11. Expand ISA1, then expand Configuration, click Networks, select the Tasks tab, and
then click Export Existing Networks.
12. In the Export Configuration dialog box, in the File Name box, type Networks
Export. Click Export.
Note Notice that the export file this time is stored on the ISA Server computer, not on the
local computer.
13. After the export completes, click OK.
14. Click Internal and then click Edit Selected Network. On the Addresses tab, remove
all Address ranges. Click OK.
15. Click Apply to apply the changes and click OK when the changes have been
applied. Check the Internal network properties to ensure that the addresses have
been deleted.
16. Click Networks and on the Tasks tab, click Import Networks.
17. Select Networks Export.xml and click Import. Click OK to acknowledge the successful import.
18. Click Apply to apply the changes and click OK when the changes have been
applied.
19. Confirm that all of the Address ranges have been restored to the Internal network.
Close all open windows and log off the Remote Desktop connection.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You work for a large company with several branch offices. Each location has an
Internet connection as well as a dedicated WAN connection to the corporate head
office. You install and configure ISA Server 2004 on a computer running Windows
Server 2003 in each branch office. You need to ensure that you can administer all
the ISA Server computers. You need to be able to manage all components on the
servers, not just ISA Server. You should be able to administer the ISA Server computers only from your desktop computer. What should you do? (Choose two correct
answers, both of which are required to complete the configuration.)
a. Configure a system policy rule on each ISA Server that allows Remote Desktop connections from your desktop computer’s IP address.
b. Configure a system policy rule on each ISA Server that allows MMC connections from your desktop computer’s IP address.
c. Configure the computer to support Remote Desktop connections.
d. Install ISA Server Management on your desktop computer.
2. You have exported your entire ISA Server configuration for the purpose of cloning
the ISA Server computer in your branch offices. When you go to import the configuration to the branch server, the option to import the user permissions is
unavailable. What has happened?
3. You recently backed up your ISA Server computer. Since then, you have changed
several firewall rules. Now you would like to restore one of those rules from the
backup. How would you do this?
Lesson Summary
■ You can use the export and import features in ISA Server 2004 to save and restore most ISA Server configuration information. The import and export features can be useful when rolling back a configuration change, sending a configuration for troubleshooting, saving a partial configuration, and cloning a server.
■ ISA Server 2004 includes backup and restore features that enable you to save and restore the ISA Server configuration information, primarily for disaster recovery. These features back up the server’s firewall policy rules, rule elements, alert configuration, cache configuration, and VPN configuration.
■ You can perform all ISA Server administrative tasks remotely. You can use a Terminal Services or Remote Desktop connection to administer the server, or you can install the ISA Server Management Console on another computer and use it to manage an ISA Server computer.
Case Scenario Exercises
Scenario 1
You have successfully installed ISA Server 2004 and now must configure it to meet your
organization’s needs. Your company’s security policy states the following:
1. Users must be able to ping the ISA Server computer from the Internal network
only.
2. ISA Server will use Active Directory only for authentication.
3. Administrators must be able to administer ISA Server remotely using an MMC
installed on a computer on the Internal network.
4. ISA Server Firewall clients will not be deployed.
5. Microsoft Operations Manager will be used for remote monitoring.
6. Remote logging will be done to an internal SQL database.
7. You need to be able to verify connectivity to a published Web site from the ISA Server
computer.
Scenario 1 Question
1. You want all your ISA Server computers to have the same system policies. How
must system policies be modified, disabled, or enabled to meet your requirements?
How will you ensure that all ISA servers have the same policy configuration?
Scenario 2
You work for a large insurance company. Your company needs to deploy a firewall
solution and has decided to use ISA Server 2004. Currently you have a head office and
10 branch offices in a multiple-domain environment.
Scenario 2 Question
1. What steps should you take to ensure that ISA Server is protected from Internet
attacks? How can you ensure that only authorized users have administrative permissions on the ISA Server computers and that these users can provide remote
management using Remote Desktop and MMCs? How can you most efficiently configure all ISA Server computers in the branch offices with a standard configuration?
Troubleshooting Lab
In this lab, you will install ISA Server Management Console on a workstation running
Windows XP. You will then attempt to use the MMC and Remote Desktop to administer
the ISA Server computer. You will then identify the reasons why you cannot administer
the ISA Server computer remotely from the workstation and correct the problems so
that you can do so.
Exercise 1: Preparing the Workstation for Remote Administration
1. Log on to CLIENT1 as an Administrator.
2. Add the ISA Admins group from the cohovineyard.com domain to the local
Administrators group on CLIENT1.
3. Log off CLIENT1 and log back on using your user name.
4. Insert the ISA Server CD-ROM into the server CD-ROM drive. If Autorun is
enabled, the Microsoft ISA Server 2004 Setup page will open automatically. If it
does not open, open Windows Explorer, browse to the CD-ROM, and double-click
Isaautorun.exe.
5. On the Microsoft ISA Server 2004 Setup page, click Install ISA Server 2004.
6. On the Welcome To The Installation Wizard for Microsoft ISA Server 2004 Setup
page, click Next.
7. On the License Agreement page, review the terms and conditions stated in the
end-user license agreement. Click I Accept The Terms In The License Agreement
and then click Next.
8. On the Customer Information page, click Next.
9. On the Installation Requirements Summary page, review the issues and click Next.
10. On the Custom Setup page, ensure that ISA Server Management is configured to
be installed on the local hard drive and click Next.
11. On the Ready To Install The Program page, click Install.
12. When the program is installed, click Finish. Close all open windows.
13. Open ISA Server Management. In the console tree, right-click Microsoft Internet
Security And Acceleration Server 2004 and click Connect To.
14. In the Connect To dialog box, type ISA1 and click OK. The connection will fail.
Review the details of the error message and close all open windows.
15. Open Remote Desktop Connection from the Communications folder.
16. In the Remote Desktop Connection screen, in the Computer box, type ISA1 and
then click Connect. The connection will fail.
17. When the Remote Desktop Disconnected message appears, review the contents of
the message, click OK, and close Remote Desktop Connection.
Exercise 2: Troubleshooting Remote Administration
1. Log on to ISA1 as an Administrator.
2. Open ISA Server Management.
3. If necessary, expand ISA1 and click Firewall Policy. On the Tasks tab, click Edit
System Policy.
4. Under Remote Management, click Microsoft Management Console (MMC).
5. On the From tab, click Remote Management Computers and then click Edit. Notice
that remote ISA Management Console connections are allowed only from DC1.
6. Click Add and then click Subnet. In the New Subnet Rule Element dialog box, in
the Name box, type Internal Computers.
7. In the Network Address box, type 10.10.0.0. In the Network Mask box, type
255.255.255.0. Click OK twice.
8. Click OK to close the System Policy Editor dialog box.
9. Apply the configuration changes.
10. Open ISA Server Management Console. In the console tree, right-click Microsoft
Internet Security And Acceleration Server 2004 and click Connect To.
11. In the Connect To dialog box, type ISA1 and click OK. The connection will succeed. Close ISA Server Management.
12. Open Remote Desktop Connection from the Communications folder.
13. In the Remote Desktop Connection screen, in the Computer box, type ISA1 and
click Connect. The connection will succeed.
14. Try to log on using your user name and password. The logon will fail. Review the
contents of the logon message and click OK.
15. On ISA1, add the ISA Admins group from the cohovineyard.com domain to the
local Administrators group.
16. On Client1, in the Remote Desktop Connection screen, in the Computer box, type
ISA1 and click Connect. The connection will succeed.
17. Try to log on using your user name and password. The logon will succeed. Log off
and close all open windows.
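As an added check for this lab (example code, not from the training kit), the following PowerShell tests the three things the lab corrects: whether the system policy lets this workstation reach the MMC and Remote Desktop ports on ISA1, whether Remote Desktop is enabled on ISA1, and whether the ISA Admins group can log on over it. It assumes Windows PowerShell 5.1 cmdlets and the lab's ISA1 and COHOVINEYARD\ISA Admins names.

```powershell
# Added example for the troubleshooting lab; it is not part of the training kit.
# Assumes Windows PowerShell 5.1 (for Test-NetConnection and Get-LocalGroupMember) on both
# computers, and the lab names ISA1 and COHOVINEYARD\ISA Admins. Ports are the standard ones:
# Remote Desktop listens on TCP 3389, and ISA Server Management (MMC) talks to the server over
# RPC, which starts at the endpoint mapper on TCP 135.

# Run on CLIENT1. A closed port is what the system policy produces when this workstation's
# address is outside the Remote Management Computers set (Exercise 1, steps 14 and 16).
function Test-IsaRemoteAdminFromClient {
    param([string]$IsaServer = 'ISA1')

    $checks = [ordered]@{
        'RPC endpoint mapper (ISA Server Management MMC)' = 135
        'Remote Desktop'                                  = 3389
    }
    foreach ($name in $checks.Keys) {
        $port  = $checks[$name]
        $probe = Test-NetConnection -ComputerName $IsaServer -Port $port -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) {
            $advice = 'OK'
        } else {
            $advice = "Blocked. Add this workstation's address or subnet to Remote Management " +
                      "Computers under System Policy, Remote Management, then apply the changes."
        }
        [pscustomobject]@{ Check = $name; Port = $port; Open = $probe.TcpTestSucceeded; Advice = $advice }
    }
}

# Run on ISA1. These are the two server-side prerequisites Exercise 2 fixes: Remote Desktop
# must be enabled, and the administrators' group must be allowed to log on over it.
function Test-IsaRemoteAdminOnServer {
    param([string]$AdminGroup = 'COHOVINEYARD\ISA Admins')

    # Remote Desktop refuses connections while fDenyTSConnections is 1.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # Logon over Remote Desktop needs membership in Administrators or Remote Desktop Users;
    # Exercise 2, steps 14 and 15, show the logon failing until the group is added.
    $memberOf = foreach ($group in 'Administrators', 'Remote Desktop Users') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -contains $AdminGroup) { $group }
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = $rdpEnabled
        AdminGroupMemberOf   = @($memberOf)
        Ready                = $rdpEnabled -and (@($memberOf).Count -gt 0)
    }
}
```

Run Test-IsaRemoteAdminFromClient on CLIENT1 before and after Exercise 2, step 9, and Test-IsaRemoteAdminOnServer on ISA1 after step 15; both ports open with Ready still False points at local group membership rather than at the system policy.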
Chapter Summary
■ Securing ISA Server includes the following components:
  ❑ Hardening the network interfaces and the operating system on the computer
  that is hosting ISA Server.
  ❑ Ensuring that only required services are running on the computer. ISA Server
  requires some system services in order to function, but all other services
  should be disabled.
  ❑ Modifying the default ISA Server configuration to allow only required network traffic.
  ❑ Modifying the system policy to meet your organization’s requirements. You
  may need to enable some system policy settings, and you should disable all
  system policies that are not required.
  ❑ Ensuring that users do not have more administrative permissions on the ISA
  Server computer than they require. ISA Server provides three administrative
  roles that enable different levels of administrative permissions.
■ To manage the ISA Server computer, you can use the export and import features
in ISA Server 2004 to save and restore most ISA Server configuration information.
ISA Server 2004 also includes backup and restore features that enable you to save
and restore the ISA Server configuration information, primarily for disaster recovery.
You can manage ISA Server computers remotely. You can use a Terminal Services
or Remote Desktop connection to administer the server, or you can install
the ISA Server Management Console on another computer and use it to manage an
ISA Server computer.
Exam Highlights
Before taking the exam, review the key topics and terms that are presented in this
chapter. You need to know this information.
Key Points
■ To ensure ISA Server security, you need to ensure that the operating system on the
host computer is secure. This includes configuring the network interfaces, disabling all system services that are not required, and installing security updates.
However, you can also lock down the operating system components too much.
For example, if you disable a system service that is required by ISA Server, ISA
Server will not function correctly.
■ ISA Server administrative roles are the only way that you can assign ISA Server
administrative permissions.
■ Use the export and import features in ISA Server to save part of the ISA Server configuration. The backup and restore feature saves the entire ISA Server configuration.
■ To perform remote administration on ISA Server, you must be assigned to the
appropriate ISA Server administrative role. In addition, the system policy configuration groups must be configured to enable remote desktop, and your workstation
must be added to the Remote Management Computers computer set. To use Terminal Services or Remote Desktop, you must also have permission to make this
type of connection to the server.
Key Terms
administrative role Used to assign permissions on ISA Server. Each administrative
role has a predefined set of permissions that allow the user to perform specific tasks on
the ISA Server computer.
firewall access rule A configuration object on ISA Server that defines what types of
network traffic will be allowed on the ISA Server computer. By default, all network traffic is blocked unless a firewall access rule allows the specific traffic.
Remote Management Computers A computer set that is used to provide remote
management access to ISA Server. This computer set should include all the IP
addresses of the computers that are used to perform remote administration on the ISA
Server computer.
system policy A set of firewall access rules that controls how the ISA Server computer communicates with computers on the attached networks.
Questions and Answers
Page 3-24
Lesson 1 Practice
Exercise 1: Examining the Default ISA Server Configuration
1. On ISA1, open ISA Server Management. Right-click ISA1 and click Administration Delegation.
2. On the Welcome To The ISA Server Administration Delegation Wizard page, click
Next.
3. What roles have been assigned to the following groups?
a. Cohovineyard\Administrator
ISA Server Full Administrator
b. Builtin\Administrators
ISA Server Full Administrator
4. Click Cancel.
5. Expand Configuration and click Networks. In the details pane, click Network
Rules.
6. Review the Network Rules. List the network relationships between the networks
listed below:
a. Local Host and All Networks
Route
b. Quarantined VPN Clients, VPN Clients, and Internal
Route
c. Quarantined VPN Clients, VPN Clients, Internal, and External
NAT
7. In the console tree, click Firewall Policy. What rule(s) are listed? Describe the rule
configuration.
Last Default rule. The rule denies all traffic from All Networks to All Networks.
8. On the Tasks tab, click Show System Policy Rules. Locate the rule named Allow
access from trusted computers to the Firewall Client installation share on ISA
Server. Double-click the rule. What does this rule enable? What network is
included in this rule?
The rule enables access to the Firewall Client installation share on the computer running ISA
Server. Only the Internal network is included in the rule.
9. In the console tree, expand Configuration and click Cache. Under Tasks, click
Define Cache Drives. What is the default size of the Maximum cache size? What
does this indicate about the default cache configuration? Click OK.
The cache drive size is set to 0, which means that caching is disabled.
Page 3-26
Lesson 1 Review
1. You want your Help Desk group to be able to monitor the ISA Server Dashboard.
Your organization has a security policy that requires that all users be assigned as
few permissions as possible to complete their tasks. You assign the ISA Server
Basic Monitoring role to the Help Desk group on the ISA Server computer. However, none of your help desk employees can view the performance information in
the ISA Server Dashboard. What is the problem and how would you resolve it?
a. The Help Desk group needs to be added to the local Administrators group on
the computer running ISA Server.
b. You need to create an access rule to allow the Help Desk group to connect to
the ISA Server computer.
c. The Help Desk group needs to be added to the local Performance Monitor
Users group on the computer running ISA Server.
d. The help desk group needs to be added to the Server Operators domain local
group.
C is correct. The Help Desk group needs to be added to the Performance Monitor Users group
on the computer running ISA Server. Users that are assigned to the ISA Server Basic Monitoring
role can view all ISA Server Dashboard information except the performance counters. Adding
the Help Desk group to the local Administrators group would give them the required permissions, but would also give them full administrative rights on the ISA Server computer, so this
would violate the company policy.
2. You work for a large company with several branch offices. Each of the locations
has an Internet connection as well as a dedicated wide area network (WAN) connection to the corporate head office. You install and configure ISA Server 2004 in
each branch office. The ISA Server computers are not members of an Active Directory domain. You need to ensure that the same operating system security settings
are applied to each ISA Server. What should you do?
a. Create a script that shuts down all the services that are not required on one of
the servers running ISA Server. Run the same script on all the computers running ISA Server.
b. Document the security settings on one of the servers. Send the document to
an administrator in each office, asking them to duplicate the configuration.
c. Create a security template with your security settings. Apply the security template using Group Policy.
d. Create a security template with your security settings. Apply the security template using Security Configuration and Analysis.
D is correct. The only way to ensure a consistent application of the security settings is to create a security template. Because these servers are not members of an Active Directory
domain, you cannot use Group Policy to apply the template; you must use Security Configuration and Analysis or Secedit. Answer B would not guarantee a consistent application of the
security settings because of the potential for human error. Answer A is not correct because
the security settings include more than just which services are running.
3. Your organization has deployed ISA Server 2004. You install a third-party product
on the server running ISA Server. However, when you try to access the company
Web site from the ISA Server computer, you cannot connect to the site. You need
to connect to the company Web site from ISA Server to download updates. How
can you configure your server to support this requirement?
a. Enable Schedule Download Jobs on the ISA Server computer.
b. Add the company Web site to the System Policy Allowed Sites domain name
set on the ISA Server computer.
c. Configure an access rule that enables access from the internal network to the
company Web site.
d. Configure the Web browser on the ISA Server computer as a Web Proxy client.
B is correct. The default system policy on the ISA Server computer enables access from the ISA
Server computer to all Web sites listed in the System Policy Allowed Sites domain name group.
By adding the Web site to this group, you will be able to access it. Enabling Schedule Download
Jobs will not enable access to any additional Web sites. Configuring an access rule for the internal network does not allow access from the ISA Server computer. And configuring the Web
browser as a Web Proxy client does not bypass the system policy that is blocking access.
Page 3-36
Lesson 2 Review
1. You work for a large company with several branch offices. Each location has an
Internet connection as well as a dedicated WAN connection to the corporate head
office. You install and configure ISA Server 2004 on a computer running Windows
Server 2003 in each branch office. You need to ensure that you can administer all
the ISA Server computers. You need to be able to manage all components on the
servers, not just ISA Server. You should be able to administer the ISA Server
computers only from your desktop computer. What should you do? (Choose two
correct answers, both of which are required to complete the configuration.)
a. Configure a system policy rule on each ISA Server that allows Remote Desktop connections from your desktop computer’s IP address.
b. Configure a system policy rule on each ISA Server that allows MMC connections from your desktop computer’s IP address.
c. Configure the computer to support Remote Desktop connections.
d. Install ISA Server Management on your desktop computer.
A and C are correct. The only way to administer all components on a server remotely is to use
Remote Desktop. To enable Remote Desktop on a server running ISA Server, you must configure a system policy rule and configure the server to allow Remote Desktop connections. You
can use ISA Server Management Console only to administer the ISA Server computer.
2. You have exported your entire ISA Server configuration for the purpose of cloning
the ISA Server computer in your branch offices. When you go to import the configuration to the branch server, the option to import the user permissions is
unavailable. What has happened?
The Import User Permission setting is available only if the Export User Permission Settings check
box was selected in the Export Configuration dialog box during the original export procedure.
3. You recently backed up your ISA Server computer. Since then, you have changed
several firewall rules. Now you would like to restore one of those rules from the
backup. How would you do this?
You cannot restore individual items from a backup of ISA Server. You would have had to export the
elements prior to making the changes and import individual elements back into the configuration.
Case Scenario Exercises
Page 3-38
Scenario 1 Question
1. You want all your ISA Server computers to have the same system policies. How
must system policies be modified, disabled, or enabled to meet your requirements?
How will you ensure that all ISA servers have the same policy configuration?
Networking services may be left at the default settings. Authentication services must be
changed to disable the RADIUS policy. Remote Management policy must be changed to disable
Terminal Services connections. The Firewall Client policy must be disabled. Diagnostic services
must be modified to allow ICMP traffic from the Local Network only, and HTTP Connectivity Verifiers must be enabled to allow HTTP GET requests to test connectivity. The logging policy must
be modified to enable Remote SQL logging. Remote monitoring must be modified to enable
Microsoft Operations Manager.
Once system policy is configured properly, it can be exported to an .xml file and imported to all
ISA Server computers.
Page 3-38
Scenario 2 Question
1. What steps should you take to ensure that ISA Server is protected from Internet
attacks? How can you ensure that only authorized users have administrative permissions on the ISA Server computers and that these users can provide remote
management using Remote Desktop and MMCs? How can you most efficiently configure all ISA Server computers in the branch offices with a standard configuration?
The first step will be to secure the external interface by disabling unneeded services like File
and Printer Sharing and NetBIOS over TCP/IP. This could be accomplished manually on each
machine or by configuring the settings on the initial server and exporting those registry settings
to a custom security template.
Then you will need to harden the operating system by disabling all services that are not
required for server functionality. This could be accomplished by configuring the services in a
custom security template.
For ISA Administrators to have remote management access, you must assign the proper administrative role to them and add their computers’ names and IP addresses, or the appropriate
subnet, to the Remote Management Computers group in the ISA Server system policy. You
must also ensure that the ISA Administrators are in the Remote Desktop Users group on each
ISA Server computer.
To configure all branch office ISA Server computers to be the same, you could export the configuration of the original server to an .xml file and then import it on all other servers. You could
apply the custom security policy that you created to the OU in each domain that contains the
ISA Server computer accounts.
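The security template route that this answer and the Lesson 1 Review, question 2, both rely on, as an added example that is not from the training kit: a PowerShell script that writes a minimal template disabling a few services, applies it with secedit on a server that is not a domain member, and re-checks it for drift. Service names, the working folder and file paths are assumptions.

```powershell
# Added example; not part of the training kit. The service names are illustrative (Computer
# Browser, Messenger and Alerter are not needed on a firewall); which services ISA Server
# itself requires is covered earlier in the chapter, so substitute your own list. Paths are
# assumed. secedit.exe ships with Windows, so nothing else is installed.

$workDir      = 'C:\Hardening'                       # assumed working folder
$templatePath = Join-Path $workDir 'isa-branch.inf'
$databasePath = Join-Path $workDir 'isa-branch.sdb'  # secedit's configuration database
$logPath      = Join-Path $workDir 'isa-branch.log'

# Writes a security template in the .inf format read by Security Configuration and Analysis
# and by the Security Templates snap-in. Each [Service General Setting] line is
# ServiceName,StartupType,SecurityDescriptor with StartupType 2 = Automatic, 3 = Manual,
# 4 = Disabled. The descriptor is the default one the snap-in writes for a service:
# Administrators and SYSTEM full control, interactive users may query and read.
function New-IsaServiceTemplate {
    param(
        [string[]]$ServicesToDisable = @('Browser', 'Messenger', 'Alerter'),
        [string]$Path = $templatePath
    )
    $sddl = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
    $lines = @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Service General Setting]'
    )
    foreach ($svc in $ServicesToDisable) {
        $lines += ('{0},4,"{1}"' -f $svc, $sddl)
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Security templates are Unicode files, matching the [Unicode] header above.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

New-IsaServiceTemplate | Out-Null

# Apply the template on a server that is not a domain member (Lesson 1 Review, question 2).
# /overwrite makes the template alone define the database contents, /areas SERVICES limits
# this run to service settings, and the log records what was changed.
secedit /configure /db $databasePath /cfg $templatePath /overwrite /areas SERVICES /log $logPath /quiet

# Re-run periodically to catch drift: /analyze compares the live settings with the template
# and writes each mismatch to the log without changing anything.
secedit /analyze /db $databasePath /cfg $templatePath /log $logPath /quiet

# For domain-joined servers, as in Scenario 2, import the same .inf into a GPO linked to the
# OU holding the ISA Server computer accounts instead of running secedit on each server.
```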
4 Installing and Managing ISA Server Clients
Exam Objectives in this Chapter:
■ Plan an ISA Server 2004 deployment.
  ❑ Plan for client computer connectivity.
■ Install Firewall Client software.
■ Configure client computers for ISA Server 2004. Considerations include Web Proxy
client, Firewall Client, and secure network address translation (SecureNAT) client.
  ❑ Modify Firewall Client configuration files.
■ Configure a local domain table (LDT).
■ Configure ISA Server 2004 for automatic client configuration by using Web Proxy
Automatic Discovery (WPAD).
  ❑ Configure and publish client configuration settings on ISA Server 2004.
  ❑ Configure Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) for Automatic Discovery.
  ❑ Configure client computers for Automatic Discovery. Methods of configuration include Firewall Client and Internet Explorer.
■ Diagnose and resolve client computer connectivity issues.
  ❑ Diagnose and resolve name-resolution issues.
  ❑ Diagnose and resolve protocol support issues.
  ❑ Diagnose and resolve routing issues.
  ❑ Diagnose and resolve authentication issues.
Why This Chapter Matters
Now that you have installed and secured Microsoft Internet Security and Acceleration (ISA) Server 2004, the next step is to configure the server to perform a useful function. In most organizations, ISA Server is used to provide secure access to
Internet resources. This means that, to gain access to the Internet, users must go
through ISA Server. You can then use ISA Server to restrict which applications
users can use to access the Internet, block access to specific types of content, or
limit which users can access Internet resources.
To set up such restrictions, you must first configure the internal computers as ISA
Server clients. An ISA Server client is simply any computer that accesses resources
on another network through ISA Server. ISA Server supports three types of clients:
Firewall clients, Web Proxy clients, and SecureNAT clients. Each of these clients
has some advantages, as well as some disadvantages, so you need to know when
to use each type of client. You must also know how to configure and troubleshoot each type of client.
Lessons in this Chapter:
■ Lesson 1: Choosing an ISA Server Client . . . 4-3
■ Lesson 2: Configuring the SecureNAT and Web Proxy Clients . . . 4-12
■ Lesson 3: Installing and Configuring the Firewall Client . . . 4-28
Before You Begin
This chapter presents the skills and concepts related to deploying and configuring ISA
Server clients. If you plan to complete the practices and lab in this chapter, you should
prepare the following:
■ A Microsoft Windows Server 2003 (Standard Edition or Enterprise Edition) computer installed as DC1 and configured as a domain controller in the cohovineyard.com domain.
■ A second Windows Server 2003 computer installed as ISA1 and configured as a
domain member in the cohovineyard.com domain. This server should have two
network interfaces installed. You must have completed the exercises from
Chapter 2, “Installing ISA Server 2004,” on this server.
■ A Microsoft Windows XP computer installed as CLIENT1. This computer should be
a member of the cohovineyard.com domain.
Lesson 1: Choosing an ISA Server Client
Before you configure ISA Server to grant access to Internet resources, you must choose
which ISA Server clients to use within your network. ISA Server 2004 supports three clients: SecureNAT clients, Firewall clients, and Web Proxy clients. The Firewall client
provides the highest level of functionality but also requires that the Firewall Client
application be installed and configured on all client computers. SecureNAT and Web
Proxy clients are easier to deploy because they do not require a client application
installation, but SecureNAT clients and Web Proxy clients also provide more limited
functionality. One of your tasks as an ISA Server administrator is to choose the client
that best suits your organization.
After this lesson, you will be able to
■ Describe the three types of clients supported by ISA Server 2004.
■ Choose the most appropriate ISA Server client for your organization.
Estimated lesson time: 25 minutes
ISA Server Client Options
An ISA Server client is a client computer that connects to resources on another network
by going through the ISA Server computer. In most cases, ISA Server clients are used to
provide access to the Internet for users on the Internal network. The type of client you
use on your network depends primarily on your security requirements and on whether
you want to deploy Firewall Client software to each client computer on your network.
ISA Server supports three types of clients:
■ Firewall clients  Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client
software installed requests resources on the Internet, the request is directed to the
Firewall service on the ISA Server computer. The Firewall service authenticates
and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.
■ SecureNAT clients  SecureNAT clients do not require any client installation or
configuration. SecureNAT clients are configured to route all requests for resources
on other networks to the internal Internet Protocol (IP) address of the ISA Server
computer. If the network includes only a single segment, the SecureNAT client is
configured to use the internal IP address on the computer running ISA Server as
the default gateway. SecureNAT clients are easiest to configure because only the
default gateway on the client computers must be configured.
■ Web Proxy clients  Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web
browsers. Requests from Web Proxy clients are directed to the Firewall service on
the ISA Server computer. Because most client computers already run Web Proxy–compatible
applications, Web Proxy clients do not require the installation of
special software. However, the Web application must be configured to use the ISA
Server computer.
Both Firewall client computers and SecureNAT client computers may also be Web
Proxy clients. If the Web application on the computer is configured explicitly to use
ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext
Transfer Protocol Secure (HTTPS) requests are sent to the Web Proxy listener on ISA Server.
What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application
must be installed on each client computer.
Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers.
Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser
uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this
case, the socket includes the IP address of the destination computer, the protocol used
(TCP), and the port number on which the server is listening (Port 80). All applications
use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.
The Firewall Client application changes how a client computer connects to resources
on the Internet using Winsock applications. After you install the Firewall Client, when
the client computer initiates a Winsock application, the Firewall Client intercepts the
application calls. The Firewall Client checks the destination computer name or IP
address and determines whether to route the request to the ISA Server computer or to
a server on the local network. If the destination computer is not local, the request is
sent to the Firewall service on the ISA server computer. The Firewall service accepts
the request and authenticates the user. The Firewall service also checks whether any
filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server
responds to the ISA Server computer, which then replies to the client computer.
When the client makes a request for a resource that is located on the local network, the
Firewall Client checks the destination address and confirms that the address is in the
range of addresses included in the local network. In this case, the application request
is sent directly to the application server rather than through the ISA Server computer.
The Firewall client provides the highest level of security and functionality of any of the
ISA Server clients. The advantages of using Firewall clients include the following:
■ Firewall clients enable user- or group-based access control and logging. This
means that you can limit access to Internet resources based on the user or the
groups to which the user belongs. You can also log, by user name, what the user
can access.
■ When a Firewall client connects to ISA Server, the Firewall service automatically
authenticates the user.
■ You can use the Firewall Client software to configure the Web Proxy browser
automatically.
■ Firewall clients support all Winsock applications. Web Proxy clients can only be
used to connect to Internet resources using HTTP, HTTPS, and FTP. SecureNAT
clients can use a wider variety of protocols than Web Proxy clients, but SecureNAT
clients cannot use some applications that will fail when they must traverse a network device that uses network address translation (NAT) or that requires secondary protocol connections. Therefore, Firewall clients support the broadest range of
protocols and applications.
However, the Firewall client also has some disadvantages:
■ You must install the Firewall Client software on the client computers. If you have
a large number of client computers in your organization and have no means of
automating the client installation, it will require a significant effort to deploy the
client. Once the software has been distributed, you can automatically configure all
client settings.
■ The Firewall client can only be installed on Windows computers. If you have other
clients on your network, you will need to use a different ISA Server client.
Exam Tip
Keep this last point in mind when you write the exam. If the exam question asks
you to choose an ISA Server client and there are any clients on the network other than
Windows computers, you must choose a client other than the Firewall client.
4-6
Chapter 4
Installing and Managing ISA Server Clients
What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address
translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet
resources through the ISA Server computer. To enable this, you must configure the
default gateway on the SecureNAT clients and configure network routing, so that all
traffic destined to the Internet is sent through the ISA Server computer.
When a SecureNAT client connects to the ISA Server computer, the request is directed
first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then
directed to the Firewall service to determine whether access is allowed. Finally, the
request may be filtered by application filters and other extensions. The Firewall service
may also cache the requested object or deliver the object from the ISA Server cache.
Because SecureNAT clients require no software deployment and configuration,
SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
■ SecureNAT clients also provide almost as much functionality as Firewall clients.
For example, because SecureNAT client requests are passed through the Firewall
Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.
■ Requests from SecureNAT clients can be passed to application filters, which can
modify the requests to enable handling of complex protocols. For example, the
FTP application filter in ISA Server manages the secondary connections for
SecureNAT clients as well as for Firewall clients.
■ SecureNAT can use the Web Proxy service for Web access filtering and caching.
The Firewall service can pass all HTTP requests to the Web Proxy service, which
handles caching and ensures that site and content rules are applied appropriately.
■ Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.
SecureNAT clients have two primary limitations:
■ You cannot control access to Internet resources based on users and groups.
SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be authenticated. This means that if you configure access
rules that require authentication, SecureNAT clients cannot access the resources
enabled by the rule.
■ SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by
default, the client initiates a primary connection to the server and the server then
initiates a secondary connection to the client. ISA Server must use an application
filter that edits the data stream to allow SecureNAT clients to use such protocols
and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not include the appropriate application
filter for a protocol or an application, SecureNAT clients cannot use this protocol
or application.
Important
When you publish servers to the Internet, ensure that the servers are configured as SecureNAT clients. One reason for this is that the Firewall Client software can interfere with the publishing. Moreover, by configuring the published server as a SecureNAT client,
no special configuration is required on the server after you create the publishing rule on ISA
Server. Just ensure that published servers use the IP address assigned to the internal network interface of the ISA Server computer as the default gateway.
What Is a Web Proxy Client?
A Web Proxy client is a client computer that has an HTTP 1.1–compliant Web browser
application and is configured to use the ISA Server computer as a Web Proxy server.
Virtually all current Web browsers comply with this HTTP standard, so any client computer can be configured as a Web Proxy client, including computers that are
SecureNAT or Firewall clients.
When a Web Proxy client tries to access resources on the Internet, the requests are
directed to the Firewall service on the ISA Server computer. If the access rule is configured to require authentication, the ISA Server computer requests authentication from
the Web Proxy client. The Firewall service then determines whether the user is allowed
to access the Internet and checks the access rules to determine whether the request is
allowed. For example, you can configure access rules to block access to specified
sites, or to block requests with certain keywords in the client request. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.
One of the advantages of using Web Proxy clients is that most client computers already
run compatible Web browsers, so Web Proxy clients require no special software to be
installed. However, you must configure the Web browser to use the ISA Server computer as a proxy server. In most cases, this is a simple configuration. If you install Firewall Client software, you can use it to configure the Web browser to use the ISA Server
computer as a proxy server. After you have completed the initial configuration of the
Web Proxy client, you can also automate the configuration of the Web Proxy client
using the ISA Server Management Console.
Using Web Proxy clients provides several advantages:
■ As mentioned earlier, almost all client computers already run compatible Web
browsers, which means you do not need to install any software on the client computers. All you need to do is configure the software, and this can be automated.
■ Web Proxy clients support authentication, so you can restrict access to Internet
resources based on users and groups.
■ Client computers can be running any operating system that supports compatible
Web browsers.
■ All client requests and responses are passed through the Web Proxy filter on ISA
Server. This means that you can use application layer filtering to filter all traffic
from the Web Proxy clients to the Internet, and from the Internet to the Web Proxy
clients.
The primary disadvantage of using Web Proxy clients is that the clients can use only
HTTP, HTTPS, and FTP over HTTP to access Internet resources. No other protocols are
allowed, so if you want to enable access to Internet resources using any other protocol,
you must configure the client computers as SecureNAT clients or Firewall clients.
Exam Tip If an exam question asks you to choose an ISA Server client, and the required
protocols include anything other than HTTP, HTTPS, or FTP over HTTP, you must choose a client
other than the Web Proxy client.
Guidelines for Choosing an ISA Server Client
ISA Server clients are used to provide access to Internet resources. This means that one
of the choices that you must make as you deploy ISA Server 2004 is which ISA Server
client you will deploy. Table 4-1 compares the ISA Server clients.
Table 4-1 Comparing the ISA Server Clients

Feature: Client installation
  SecureNAT Client: No client installation but some client computer configuration
  Firewall Client: Client installation required
  Web Proxy Client: No client installation but application configuration

Feature: Operating system support
  SecureNAT Client: All operating systems that support TCP/IP
  Firewall Client: Only Windows clients
  Web Proxy Client: All operating systems that support compatible Web applications

Feature: Protocol support
  SecureNAT Client: Application filters required for multiple-connection protocols
  Firewall Client: All Winsock applications
  Web Proxy Client: HTTP, HTTPS, and FTP over HTTP

Feature: User level authentication
  SecureNAT Client: No, except for VPN connections
  Firewall Client: Yes
  Web Proxy Client: Yes
Table 4-2 lists some guidelines to use as you decide which clients to deploy.
Table 4-2 Guidelines for Choosing ISA Server Clients

If You Need To: Avoid deploying or configuring client software
Then Use: SecureNAT clients. SecureNAT clients do not require any software or
specific configuration. Firewall clients require that you deploy Firewall Client
software and Web Proxy clients require that you configure Web applications on
client computers.

If You Need To: Use ISA Server only for accessing Web resources using HTTP or HTTPS
Then Use: SecureNAT or Web Proxy clients. If you use SecureNAT clients in this
scenario, you need not deploy any special software or configure the client computers.
Web Proxy clients require some application configuration but also support Web access.

If You Need To: Allow access only for authenticated clients
Then Use: Firewall clients or Web Proxy clients. For Firewall clients, you can
configure user-based firewall policy rules. You can also configure user-based rules
for Web Proxy clients, but the rule will be effective only if the Web application can
pass the authentication information.

If You Need To: Publish servers that are located on your Internal network
Then Use: SecureNAT clients. Internal servers can be published as SecureNAT clients.
This eliminates the need for creating special configuration files on the publishing
server.

If You Need To: Improve Web performance in an environment with non-Windows
operating systems
Then Use: Web Proxy or SecureNAT clients. Non-Windows operating systems cannot be
configured as Firewall clients, but can be configured as SecureNAT and Web Proxy
clients. Both of these clients improve Web performance by enabling caching.
Real World Choosing an ISA Server Client
For most of the organizations that I work with, the decision on which ISA Server
client to deploy usually depends on whether the organization wants to make the
extra effort of deploying the Firewall Client application. The Firewall Client provides more security and functionality than the other clients, but for most organizations, the effort required to deploy the software is not worth the trouble. As
with any other deployment decision, this decision becomes a question of functionality versus effort of deployment.
In my experience, most organizations opt for using SecureNAT clients and Web
Proxy clients. This combination provides all the functionality that most organizations need. With this configuration, you can enforce security policies based on
user accounts for access to Web-based resources because the Web Proxy clients
can be authenticated. Web Proxy clients are also easy to configure. You can use
the Automatic Discovery option, or you can use Group Policy in Active Directory
directory service to configure the Web Proxy settings if you use Microsoft Internet
Explorer. If the ISA Server computer is a member of the internal domain, user
authentication is transparent to users.
Most companies also have very few requirements to access any resources on the
Internet using any protocols other than HTTP, HTTPS, or FTP. When this functionality is required, the client computers are configured as SecureNAT clients. Again,
SecureNAT clients are easy to configure. In most cases, you can complete this
configuration by making a change to the DHCP server and waiting a day or two
until the client computers refresh their IP addresses.
All this means that most organizations that I work with do not deploy the Firewall
client. Organizations that deploy the Firewall client usually have an effective
means of distributing software to client computers, or they are organizations that
have a strong requirement for the extra functionality that the Firewall client
provides.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed ISA Server 2004 as your enterprise firewall solution. Your
enterprise consists of multiple operating systems, including UNIX and Novell
clients. You run TCP/IP as your network protocol. The client IP addresses and
options are assigned through DHCP. All clients have HTTP 1.1–compliant Web
browsers installed. All internal employees will require the same level of access to
the Internet. You need to minimize the effort required to deploy the ISA Server clients. What ISA Server client will work best to provide simple Internet access for
your internal employees?
2. You have deployed ISA Server 2004 as your enterprise firewall solution. You use
Active Directory and all your client computers run Microsoft operating systems.
Due to limited Internet bandwidth, you must restrict Internet access to selected
departments during business hours. Your employees also need access to a RealPlayer streaming media application on an external Web site. What ISA Server client
works best for your situation?
Lesson Summary
■ ISA Server supports three types of clients: Firewall clients, SecureNAT clients, and
Web Proxy clients. Firewall clients provide the highest level of functionality but do
require the installation of the Firewall Client software. SecureNAT clients are the
easiest to configure because they do not require any application installation or
configuration, but SecureNAT clients do not support user authentication. Web
Proxy clients are any computers that run HTTP 1.1–compatible Web browsers. The
applications must be configured to use the ISA Server computer as a proxy server.
■ As you prepare to deploy ISA Server, you must choose an ISA Server client that
best meets your organization’s requirements. Factors that you should consider
when choosing the client include protocol and operating system support, support
for authentication, and the effort required to deploy the clients.
Lesson 2: Configuring the SecureNAT and Web Proxy Clients
The biggest advantage of using the SecureNAT client or Web Proxy client is that you do
not need to deploy special software for either. Both the SecureNAT client and the Web
Proxy client, however, still require some configuration. This lesson describes how to
configure SecureNAT and Web Proxy clients, how to use ISA Server to automate the
configuration of the Web Proxy clients, and how to troubleshoot issues for both clients.
After this lesson, you will be able to
■ Configure SecureNAT clients
■ Configure Web Proxy clients
■ Configure Automatic Discovery
■ Troubleshoot Web Proxy and SecureNAT clients
Estimated lesson time: 45 minutes
How to Configure SecureNAT Clients
SecureNAT clients are the easiest ISA Server clients to configure because you need only
configure the network settings on the client computers. If your network consists of a
single subnet, configuring SecureNAT clients may be as simple as configuring the client
computers to use the internal address of the ISA Server computer as their default gateway. The primary concern, when using SecureNAT clients, is to ensure that the clients
can route Internet requests to the ISA Server computer, and to ensure that the clients
can resolve Internet names using DNS.
Exam Tip
If you see an exam question in which a SecureNAT client cannot access
resources on the Internet, look for hints in the question that suggest that the client cannot
route the requests to the ISA Server computer. If the client can route the requests, but still
cannot connect, then look for hints that suggest that the client cannot resolve Internet
names.
Configuring SecureNAT Clients to Route Internet Requests
For SecureNAT clients to access Internet resources, the client computers must be able
to route Internet requests to the ISA Server computer. If the SecureNAT client is on the
same network as the ISA Server computer, you must configure the client computer so
that all traffic destined for the Internet is sent through the ISA Server computer. To do
this, set the SecureNAT client’s IP default gateway settings to the IP address of the
ISA Server computer’s internal network interface. You can configure clients manually
or by using the DHCP service.
Most medium-sized or large organizations have more than one IP network separated
by routers. For example, Figure 4-1 shows an example of a typical network for a larger
organization.
[Figure 4-1 diagram: Main Office Network1, Main Office Network2, Perimeter Network, Router1, Router2, Router3, ISA Server, Branch Office Network, Internet]
Figure 4-1 A typical network for a larger organization
In this environment, configuring the SecureNAT clients to route Internet requests to the
ISA Server computer is more complicated. For example, none of the client computers
are on the same network as the ISA Server computer. This means that you must configure the client computers and the routers correctly to route the SecureNAT client
requests. For example, Table 4-3 shows the network configuration required to enable
the clients to access Internet resources.
Table 4-3 Configuring Network Settings for SecureNAT Clients

SecureNAT Client: Located on the Branch Office Network
Required Network Configuration:
  The client computers must be configured with Router3 as the default gateway.
  Router3 must be configured with Router2 as the default gateway.
  Router2 must be configured to route Internet requests to Router1.
  Router1 must be configured to route Internet requests to the ISA Server computer.

SecureNAT Client: Located on Main Office Network2 or Main Office Network1
Required Network Configuration:
  The client computers must be configured to route all Internet requests to Router1.
  Router1 must be configured to route Internet requests to the ISA Server computer.
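The point of Table 4-3 is that every hop between a SecureNAT client and the ISA Server computer must forward Internet-bound traffic one step closer to ISA Server; a single router with a missing or wrong route breaks the chain. The following is an added example, not code from the book or from ISA Server: a hop-by-hop walk over the network of Figure 4-1. The device names are taken from the figure, the per-device next-hop entries are constructed to match the table, and two constructed misconfigurations show the two ways the chain fails (a dead end and a routing loop).

```javascript
// Added example (illustrative code, not an ISA Server tool): a hop-by-hop walk
// over the routed network of Figure 4-1 and Table 4-3. Device names come from
// the figure; the per-device "next hop for Internet traffic" entries are
// constructed. The check answers the question the table is about: does an
// Internet-bound packet from a SecureNAT client reach the ISA Server computer?

// Each entry is the next hop a device uses for Internet-bound traffic, that is,
// its default gateway or its route toward the ISA Server computer. null means
// the device has no such route; the ISA Server computer is the final hop.
const workingNetwork = {
  "Branch Office client": "Router3",
  "Router3": "Router2",
  "Router2": "Router1",
  "Main Office client": "Router1",
  "Router1": "ISA Server",
  "ISA Server": null,
};

// Follow next hops from `start` until `target` is reached, a device has no
// route, or a device is visited twice (a routing loop).
function traceToIsa(network, start, target = "ISA Server") {
  const path = [start];
  const visited = new Set([start]);
  let current = start;
  while (current !== target) {
    const next = network[current];
    if (next === undefined || next === null) {
      return { reached: false, path, reason: `${current} has no route for Internet traffic` };
    }
    if (visited.has(next)) {
      return { reached: false, path: [...path, next], reason: `routing loop at ${next}` };
    }
    path.push(next);
    visited.add(next);
    current = next;
  }
  return { reached: true, path, reason: "ok" };
}

// Run the trace for every client and report the ones that cannot reach ISA Server.
function clientsThatCannotReachIsa(network, clients) {
  return clients
    .map((client) => ({ client, ...traceToIsa(network, client) }))
    .filter((result) => !result.reached)
    .map((result) => `${result.client}: ${result.reason}`);
}

// Two constructed misconfigurations of the same network.
const loopNetwork = { ...workingNetwork, Router2: "Router3" }; // Router2 points back at Router3
const deadEndNetwork = { ...workingNetwork, Router2: null };   // Router2 has no route toward Router1

const clients = ["Branch Office client", "Main Office client"];
console.log(traceToIsa(workingNetwork, "Branch Office client").path.join(" -> "));
console.log(clientsThatCannotReachIsa(loopNetwork, clients));
console.log(clientsThatCannotReachIsa(deadEndNetwork, clients));
```

Note that in both broken variants only the Branch Office client is affected: the Main Office clients send Internet requests straight to Router1, so a fault at Router2 is invisible to them. That asymmetry is exactly the kind of hint the Exam Tip above tells you to look for when one group of SecureNAT clients can reach the Internet and another cannot.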
Configuring SecureNAT Clients for Internet Name Resolution
In order for SecureNAT clients to access Internet resources, the client computers must
also be able to resolve the DNS names for computers on the Internet. You have two
options for configuring name resolution:
■ Configure an internal DNS server to enable Internet DNS name resolution,
and then configure the SecureNAT clients to use the internal DNS server
for name resolution. If your internal DNS servers can resolve Internet DNS
names, then the easiest option is to configure the SecureNAT clients to use the
internal DNS server. If you choose this option, the SecureNAT clients will be able
to resolve both internal and Internet names.
Exam Tip
If the SecureNAT clients are using an internal DNS server, you need to ensure
that the internal DNS server can resolve Internet names. By default, ISA Server does not
allow requests from internal DNS servers to the Internet, so you need to configure an access
rule that allows this access.
■ Configure the SecureNAT clients to use a DNS server on the Internet for
name resolution. If you do not have an internal DNS server that can resolve
Internet names, then you need to configure the SecureNAT clients with the
IP address of a DNS server on the Internet that they can use for Internet name
resolution. In this case, you must also configure an access rule that allows all
SecureNAT clients to send DNS queries to the Internet.
Important
If you configure the SecureNAT clients to use an Internet DNS server to resolve
DNS queries, the client will not be able to resolve internal DNS names. If you have deployed
Active Directory, Windows 2000 and Windows XP clients must be able to use DNS to locate
domain controllers. The domain controller records should never be stored on the Internet
DNS servers. Obviously these two configurations are not compatible. This means that if you
are deploying Active Directory, you must configure an internal DNS server, and you must configure the SecureNAT clients to use that DNS server. To also provide Internet access for those
SecureNAT clients, you really have no option other than enabling Internet name resolution on
those internal DNS servers.
How to Configure Web Proxy Clients
A Web Proxy client is a client computer that has a Web Proxy application installed and
configured to use the ISA Server computer as a proxy server. The most common type
of Web Proxy application is a Web browser. You do not have to install any software to
configure Web Proxy clients. However, you must configure the Web applications on
the client computers to use the ISA Server computer as a proxy server. You can configure the Web Proxy client application manually or you can automate the configuration
using Automatic Discovery. However, before the Web Proxy clients can connect to the
ISA Server computer, you must configure the ISA Server computer to accept Web proxy
connections.
How to Configure ISA Server for Web Proxy Clients
The first step in enabling Web Proxy clients is to configure the ISA Server computer to
allow connections from these clients. By default, ISA Server allows Web Proxy client
connections, but you should confirm this setting. To do this, use the following
procedure:
1. In the console tree of ISA Server Management, expand Configuration, and click
Networks.
2. In the details pane, click the Networks tab and select the applicable network. In
this case, select the Internal network.
3. On the Tasks tab, click Edit Selected Network and then click the Web Proxy tab.
Figure 4-2 shows the interface.
Figure 4-2 Configuring ISA Server to allow Web Proxy clients
4. On the Web Proxy tab, ensure that Enable Web Proxy clients is selected. You can
also enable or disable HTTP and HTTPS connections and configure the relevant
ports and the authentication options for Web Proxy clients.
See Also
This chapter examines the client configuration to enable Web Proxy clients. Chapter 5, “Enabling Secure Internet Access with ISA Server 2004,” provides more details about
configuring the Web Proxy settings such as authentication on ISA Server 2004.
Configuring Web Proxy Clients Manually
To configure a Web Proxy client, you must configure the Web Proxy applications on
the client to use the ISA Server computer as a proxy server. Each Web Proxy application will require its own unique configuration. For example, to configure the Web
Proxy settings in Internet Explorer 6, use the following procedure:
1. Open Internet Explorer, click the Tools menu, and then click Internet Options.
2. On the Connections tab, click LAN Settings. Figure 4-3 shows the interface.
3. On the LAN Settings page, click Use A Proxy Server For Your LAN. In the Address
box, type the name or IP address of the proxy server. In the Port box, type the
port number that the client will use to connect to the proxy server. By default,
ISA Server uses Port 8080 for Web Proxy client connections.
4. Select Bypass Proxy Server For Local Addresses to configure the Web Proxy to
bypass the proxy server when accessing resources on the local network. When
this option is selected, Internet Explorer sends requests directly to Web servers
located on the same network segment as the client rather than forwarding the
request to the proxy server.
Figure 4-3 Configuring Internet Explorer 6 to use a proxy server
5. To configure additional settings, click Advanced. Figure 4-4 shows the interface.
On the Proxy Settings page, you can configure different proxy servers for various
types of servers, and specify addresses that the Web Proxy client should connect
to directly rather than through the proxy server. When you add names to the
Exceptions list, you can enter a full Uniform Resource Locator (URL), such as
www.contoso.com, or you can use wildcards as part of the address. For example, you can enter *.contoso.com to configure an exception for all hosts in the
contoso.com domain, www.*.com to configure an exception for all www sites in
the top-level .com domain, or 10.10.* to configure an exception for all sites that
are part of the 10.10.x.x network (when you try to connect to the IP address rather
than to the host name).
Figure 4-4 Configuring advanced proxy server settings for Internet Explorer 6
Configuring Web Proxy Clients Automatically
In addition to configuring Web Proxy clients manually, you can also automate the configuration of the Web Proxy clients. When you enable the Web Proxy client for automatic configuration, the client downloads a configuration script every time the
computer starts, or every six hours. By enabling the automatic configuration on the
Web Proxy client, you can modify the Web Proxy configuration on the ISA Server computer without having to reconfigure each individual Web browser.
To configure the client to download the configuration script, use the following procedure:
1. Open Internet Explorer, click the Tools menu, and then click Internet Options.
2. On the Connections tab, click LAN Settings. The interface is shown in Figure 4-3.
3. On the LAN Settings page, click the Automatically Detect Settings and Use Automatic Configuration Script options. In the Address box, type in the URL for the
configuration script. The default configuration URL is http://ISA_Server/
array.dll?Get.Routing.Script, where ISA_Server is the fully qualified domain name
(FQDN) or IP address of the ISA Server computer.
Automating the configuration of the Web Proxy clients can be useful in many situations. If you have a large number of Web Proxy clients and you need to change a Web
Proxy configuration, you can make the configuration change to the ISA Server network
properties and the change will be applied automatically to all the Web Proxy clients on
that network. For example, you may want to change the ISA Server computer and port
to which the Web Proxy clients on the Internal network connect. By changing the configuration on ISA Server, all clients will be updated automatically.
You cannot directly edit the automatic configuration script; instead, use the ISA Server
Management Console to modify the Web Proxy settings. ISA Server then changes the
configuration script, which is downloaded by the Web Proxy clients. To modify the ISA
Server settings that are sent to the Web Proxy clients, use the following procedure:
1. In the console tree of ISA Server Management, expand Configuration, and click
Networks.
2. In the details pane, click the Networks tab and select the applicable network. In
this case, you should select the Internal network.
3. On the Tasks tab, click Edit Selected Network and click the Web Browser tab. The
interface is shown in Figure 4-5.
Figure 4-5 Configuring the Web Browser settings for the Internal network
On the Web Browser tab, you can configure the following settings:
■ Bypass Proxy For Web Servers In This Network. If you select this option, the
Web Proxy clients will connect directly to Web servers on the same network as the
client instead of going through the proxy server.
■ Directly Access Computers Specified In The Domains Tab. This setting
applies to Firewall client computers. You can add domain names on the Domains
tab so that the Firewall clients will connect directly to the computers rather than
connecting through the proxy server.
■ Directly Access These Servers Or Domains. You can add domain names or
IP address ranges for servers that Web Proxy clients and Firewall clients should
access directly. For example, if you add *.cohovineyard.com to the list, all client
requests for any server in the cohovineyard.com domain will not be sent through
the proxy server. You can also add IP addresses or IP address ranges. For example, if you have Web servers on a different subnet than the Web Proxy clients, you
can add the IP addresses for that subnet to this list so that the Web Proxy clients
can directly access the servers.
■ If ISA Server Is Unavailable, Use This Backup Route To Connect To The
Internet. If you have multiple ISA Servers, or if the clients can connect directly
to the Internet without going through an ISA Server computer, you can configure
a backup route for Web proxy clients. If the original ISA Server is not available, the
clients will automatically try the backup connection to the Internet.
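The Web Browser tab settings just listed, and the wildcard Exceptions list in Internet Explorer's Advanced proxy settings (Figure 4-4), both end up as the same decision on the client: for a given host, go direct or go through the proxy. Because the automatic configuration script that ISA Server generates is a proxy auto-configuration (PAC) script, that decision is naturally expressed in JavaScript. The block below is an added example, not the script ISA Server produces and not code from the book: a hand-written FindProxyForURL-style function that models Bypass Proxy For Web Servers In This Network, Directly Access These Servers Or Domains with the three wildcard forms from the Internet Explorer discussion (*.contoso.com-style, www.*.com, 10.10.*), and the backup route. The helper functions stand in for the PAC runtime's shExpMatch and isInNet so the example runs under plain Node.js; the proxy name isa1.cohovineyard.com and the 192.168.5.0/24 Internal network range are constructed.

```javascript
// Added example (not code from the book or from ISA Server): a proxy-selection
// function in the style of the automatic configuration script that Web Proxy
// clients download. It models the Web Browser tab settings described above and
// the wildcard syntax of Internet Explorer's Exceptions list. The helpers stand
// in for the PAC runtime functions (shExpMatch, isInNet) so that the example
// runs under plain Node.js; the proxy name and network ranges are constructed.

// Turn a shell-style pattern ("*.contoso.com", "www.*.com", "10.10.*") into a RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // * matches any run of characters
    .replace(/\?/g, ".");                  // ? matches a single character
  return new RegExp("^" + escaped + "$", "i");
}

function matchesAny(host, patterns) {
  return patterns.some((pattern) => patternToRegExp(pattern).test(host));
}

function isIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Dotted quad to an unsigned 32-bit number (arithmetic rather than shifts, so
// addresses with a high first octet do not go negative).
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Is `ip` inside network/prefixLength? Same idea as the PAC isInNet() function.
function isInNet(ip, network, prefixLength) {
  if (!isIPv4(ip)) return false;
  const mask = prefixLength === 0 ? 0 : (0xffffffff << (32 - prefixLength)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Constructed settings mirroring the Web Browser tab of the Internal network.
const browserSettings = {
  proxy: "isa1.cohovineyard.com:8080",  // ISA Server, default Web Proxy port 8080
  bypassProxyForLocalNetwork: true,     // Bypass Proxy For Web Servers In This Network
  localNetworks: [["192.168.5.0", 24]], // the Internal network address range (constructed)
  directAccess: ["*.cohovineyard.com", "www.*.com", "10.10.*"], // Directly Access These Servers Or Domains
  backupRoute: "DIRECT",                // If ISA Server Is Unavailable, Use This Backup Route
};

// Same contract as a PAC file's FindProxyForURL: returns "DIRECT" or a proxy
// list, where "PROXY host:port; DIRECT" means try the proxy, then go direct.
function findProxyForUrl(_url, host, settings) {
  // Names without a dot are what the browser treats as "local addresses".
  if (settings.bypassProxyForLocalNetwork && !host.includes(".")) return "DIRECT";
  if (settings.bypassProxyForLocalNetwork &&
      settings.localNetworks.some(([net, len]) => isInNet(host, net, len))) return "DIRECT";
  if (matchesAny(host, settings.directAccess)) return "DIRECT";
  const proxy = "PROXY " + settings.proxy;
  return settings.backupRoute ? proxy + "; " + settings.backupRoute : proxy;
}

for (const host of ["intranet", "192.168.5.20", "www.example.com", "10.10.4.7", "mail.example.org"]) {
  console.log(host, "->", findProxyForUrl("http://" + host + "/", host, browserSettings));
}
```

Two things the code makes visible that the settings dialog does not. First, the order of the checks matters: an entry in the direct-access list is honoured before the proxy is even considered, so a broad wildcard such as www.*.com sends every www site in .com around ISA Server, and with it around the access rules, logging and caching described in Lesson 1. Second, a backup route of DIRECT means that when the ISA Server computer is unreachable the browser silently falls back to an unfiltered connection, which is why that option belongs only where clients are allowed to reach the Internet without ISA Server in the first place.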
If you have the Firewall Client software installed on a client computer, you can also use
the Firewall Client to automate the configuration of the Web browser settings. To
enable this, you modify the Firewall Client settings in the ISA Server Management Console using the following procedure:
1. In the console tree of ISA Server Management, expand Configuration, and click
Networks.
2. In the details pane, click the Networks tab and select the applicable network. In
this case, select the Internal network.
3. On the Tasks tab, click Edit Selected Network and click the Firewall Client tab. Figure 4-6 shows the interface. From this interface, you can configure which Web
proxy server the Web Proxy clients will connect to and how the Web Proxy clients
will be automatically configured.
Figure 4-6 Configuring Web Proxy client settings using Firewall Client
When the Firewall Client software is installed, and the client connects to the ISA Server
computer, the Web browser on the client computer is configured with those settings.
How to Configure Automatic Discovery
In addition to automating the configuration of the Web Proxy client, you can also configure your environment so that the Web Proxy clients can discover the correct location
to download the configuration automatically. This also applies to Firewall clients. For
a Web Proxy client or a Firewall Client to connect to an ISA Server computer, you must
configure the browser or Firewall Client to forward Internet requests to a specific ISA
Server computer. If the ISA Server computer becomes unavailable or if you want to use
a different ISA Server computer, you must change this configuration before the client
will connect to an ISA Server computer.
When you enable Automatic Discovery, Firewall clients and Web Proxy clients can
automatically find an ISA Server computer on the network. Using Automatic Discovery
can help you minimize the time spent troubleshooting connection problems on client
computers. Web Proxy clients enable Automatic Discovery by using Web Proxy Automatic Discovery (WPAD) protocol information. Firewall clients use the Winsock Proxy
AutoDetect (WSPAD) protocol. To enable Automatic Discovery, you must configure
either a DHCP server or a DNS server with information specifying the ISA Server computer to which Web Proxy or Firewall clients should connect. The ISA Server client
computers can then retrieve the information from DHCP or DNS, connect to the appropriate ISA Server computer, and download the automatic configuration script.
Planning
Using Automatic Discovery is especially useful if your organization has multiple
locations and users that travel between the locations. If a client computer is configured to
use the ISA Server computer in one location, it will always try to access that ISA Server computer even if it is connected to the network in another location. If you configure Automatic Discovery, the client computer will automatically discover the ISA Server computer in its current
location.
How Automatic Discovery Works
The Automatic Discovery process works as follows:
1. When Automatic Discovery is enabled, the Firewall client or the Web Proxy client
requests an object from the ISA Server computer that is configured to fulfill
requests. If the ISA Server computer does not respond, and if Automatic Discovery
is enabled for the client, it starts the Automatic Discovery process.
2. A client connects to a DNS or DHCP server for the ISA Server computer location
information.
3. The client uses a WPAD entry from the DNS or DHCP server to locate an ISA
Server computer.
4. The client connects to the ISA Server computer specified in the WPAD entry to
retrieve configuration information by using the WPAD protocol or the WSPAD protocol.
5. The client configures itself by using the configuration information that it retrieved.
How to Enable Automatic Discovery To enable Automatic Discovery, complete these
steps:
1. Enable the ISA Server computer to publish automatic configuration information.
To do this, open the properties of the Internal network, click the Auto Discovery tab,
and select the option to publish Automatic Discovery information, as shown in
Figure 4-7. ISA Server publishes this information on port 80 by default. If you change
the port, the URL that you hand out through DHCP must use the same port; DNS-based
discovery cannot carry a port number, so it works only when the default port 80 is kept.
4-22
Chapter 4
Installing and Managing ISA Server Clients
Figure 4-7 Configuring ISA Server to publish Automatic Discovery information
2. Configure the DHCP server or DNS server to provide Automatic Discovery server
names for ISA Server clients. If you use a DHCP server, follow these steps:
a. Open DHCP from the Administrative Tools folder.
b. Expand the Servername in the left-hand pane of the Microsoft Management Console (MMC), and then right-click the server name. Click Set Predefined Options.
c. In the Predefined Options and Values dialog box, click Add.
d. In the Option Type dialog box, in the Name box, type WPAD. In the Data
type box, click String and, in the Code box, type 252. Click OK. In the Value
area, in the String box, type the URL to which the client should connect. For
example, you could use http://ISA1.cohovineyard.com:80/wpad.dat.
e. Expand the DHCP scope to which you want to assign the WPAD option. Right-click Scope Options and click Configure Options. Select the check box for 252
WPAD and click OK.
Figure 4-8 shows the completed configuration.
Figure 4-8 Configuring DHCP to support Automatic Discovery
3. If you use DNS, complete this procedure:
a. Open DNS from the Administrative Tools folder.
b. Expand Forward Lookup Zones, expand the domain in which you want to
create the resource record, right-click the domain name, and click New Alias.
c. In the New Resource Record dialog box, in the Alias name box, type WPAD.
d. In the Fully Qualified Domain Name (FQDN) box for the target host, type the
fully qualified domain name of the ISA Server computer. Figure 4-9 illustrates
the completed entry.
Figure 4-9 Configure DNS to support Automatic Discovery
Important The Automatic Discovery values must be assigned on each DHCP scope used
by ISA Server clients. With a DNS server, the DNS values are assigned to DNS zones, so
you must configure each DNS zone, including delegated zones, that the ISA Server clients
use. Remember also that clients trust whatever DHCP and DNS tell them: a rogue DHCP
server on a client subnet, or anyone who can create a host named WPAD in a zone that
clients search, can direct every discovering client to a proxy of the attacker's choosing.
Control who can register records in those zones, and point the WPAD alias only at ISA
Server computers that you manage.
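The discovery sequence described under "How Automatic Discovery Works" and the DHCP option 252 and DNS alias configuration above reduce to a small amount of client-side logic. The following Python is an added example, not ISA Server or Windows code, that reconstructs that logic over constructed inputs: it parses a DHCP options field for option 252, falls back to a DNS lookup of wpad.<domain> that devolves one label at a time, and ends with the sanity check a practitioner wants, that the host the script is fetched from really is a known ISA Server computer. The option bytes, the DNS table, the address 10.0.0.1, the stop-at-two-labels rule (min_labels) and the client host names are assumptions made for the example; ISA1 and cohovineyard.com are the names used in the text.

```python
"""WPAD discovery as a Web Proxy client performs it (added example, not ISA Server code).
All inputs below are constructed for the example."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

DHCP_OPTION_WPAD = 252  # string option carrying the configuration-script URL
DHCP_OPTION_END = 255
DHCP_OPTION_PAD = 0


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the TLV-encoded options field of a DHCP message (RFC 2132):
    one code byte, one length byte, then the value. PAD has no length byte
    and END terminates the list. Truncated options are rejected, not guessed."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == DHCP_OPTION_END:
            break
        if code == DHCP_OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated option {code} at offset {i}")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        options[code] = value
        i += 2 + length
    return options


def wpad_url_from_dhcp(raw_options: bytes) -> Optional[str]:
    """DHCP path: option 252 holds the complete URL, so any port can be used."""
    value = parse_dhcp_options(raw_options).get(DHCP_OPTION_WPAD)
    if value is None:
        return None
    return value.rstrip(b"\x00").decode("ascii")  # some servers NUL-terminate strings


def wpad_url_from_dns(client_fqdn: str, dns: Dict[str, str], min_labels: int = 2) -> Optional[str]:
    """DNS path: look for a host named wpad in the client's domain, then in each parent
    domain. DNS supplies only a name, so the script is always fetched from port 80.
    min_labels (an assumption of this example) stops devolution before a client in
    sales.cohovineyard.com would query wpad.com, a name anyone could register."""
    labels = client_fqdn.lower().split(".")[1:]  # drop the host label
    while len(labels) >= min_labels:
        name = "wpad." + ".".join(labels)
        if name in dns:
            return f"http://{name}:80/wpad.dat"
        labels = labels[1:]
    return None


def discover_wpad_url(raw_options: bytes, client_fqdn: str, dns: Dict[str, str]) -> Optional[str]:
    """DHCP wins when it answers; DNS is the fallback."""
    return wpad_url_from_dhcp(raw_options) or wpad_url_from_dns(client_fqdn, dns)


def resolve_cname_chain(host: str, dns: Dict[str, str]) -> str:
    """Follow CNAME records in the constructed table until an A record or an unknown name."""
    seen = set()
    host = host.lower()
    while host in dns and dns[host].startswith("CNAME "):
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = dns[host].split(" ", 1)[1].rstrip(".").lower()
    return host


def wpad_target_is_trusted(url: str, trusted_isa_hosts: Iterable[str], dns: Dict[str, str]) -> bool:
    """The check a practitioner wants: the name the script is fetched from must end up at a
    known ISA Server computer, not at whatever host happened to answer to 'wpad'."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return resolve_cname_chain(host, dns) in {h.lower() for h in trusted_isa_hosts}


# --- constructed sample inputs -------------------------------------------------------
WPAD_URL = b"http://ISA1.cohovineyard.com:80/wpad.dat"
SAMPLE_DHCP_OPTIONS = (
    bytes([53, 1, 5])                                         # option 53: message type = ACK
    + bytes([DHCP_OPTION_WPAD, len(WPAD_URL)]) + WPAD_URL     # option 252: WPAD URL string
    + bytes([DHCP_OPTION_END])
)
SAMPLE_DHCP_WITHOUT_WPAD = bytes([53, 1, 5, DHCP_OPTION_END])
SAMPLE_DNS = {
    "wpad.cohovineyard.com": "CNAME isa1.cohovineyard.com.",  # the alias from Figure 4-9
    "isa1.cohovineyard.com": "A 10.0.0.1",                    # constructed address
}
TRUSTED_ISA_HOSTS = ["isa1.cohovineyard.com"]

if __name__ == "__main__":
    for opts, fqdn in [(SAMPLE_DHCP_OPTIONS, "client1.cohovineyard.com"),
                       (SAMPLE_DHCP_WITHOUT_WPAD, "client1.sales.cohovineyard.com")]:
        url = discover_wpad_url(opts, fqdn, SAMPLE_DNS)
        ok = bool(url) and wpad_target_is_trusted(url, TRUSTED_ISA_HOSTS, SAMPLE_DNS)
        print(f"{fqdn}: {url} ({'trusted' if ok else 'NOT trusted'})")
```

The first client gets the URL from option 252 and the second, whose scope has no option 252, falls back to the WPAD alias in its parent zone. A real client also consults its own search suffixes and may fall back to NetBIOS or LLMNR name resolution for the name WPAD, which is exactly why the trust check at the end, and control of who can register that name, matter.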
How to Troubleshoot SecureNAT and Web Proxy Clients
SecureNAT and Web Proxy clients are easy to deploy and configure. However, these
clients can also fail to connect to Internet resources. When this happens, use the following guidelines to troubleshoot the client connections.
Test for Name Resolution
One of the more common reasons why an ISA Server client cannot access resources on
the Internet is that the client cannot resolve the DNS name for the resource.
■ If you are using SecureNAT clients, you must configure the client computer network settings to use a DNS server that can resolve Internet names. So the first detail to check is whether the DNS Server setting is correct and whether the client computer can connect to the DNS server. Use tools such as Nslookup to query the DNS server to ensure that the client can connect to the server and that the DNS server returns the correct information. If the DNS configuration appears correct but the SecureNAT client still cannot connect, you may need to clear the local DNS client cache by using the Ipconfig /flushdns command.
■ If you use Web Proxy clients, remember that the ISA Server computer performs Internet name resolution on behalf of the client. If you cannot connect to an Internet Web site using a Web Proxy client, try connecting to the site from a SecureNAT client. If the SecureNAT client can access the Web site, the DNS cache on either the Web Proxy client or the ISA Server computer may contain the wrong IP address. Try clearing the local DNS client cache, and if that doesn't work, clear the ISA Server DNS cache.
■ If no internal clients can access the Internet through the ISA Server computer and you are using internal DNS servers, ensure that the DNS servers can resolve Internet names: check that the forwarders or root hints on the DNS servers are configured correctly, and that an access rule on the ISA Server computer allows the DNS servers to send DNS queries to the Internet.
Test for Network Connectivity
A second common reason why SecureNAT clients cannot connect to the Internet is due
to network routing configuration. SecureNAT clients must be able to connect to the
internal network interface on the ISA Server computer. If you have a single subnet on
your network, check the client default gateway configuration. If you have multiple subnets, then check the routing configuration.
Review the Access Rule Configuration
If the DNS configuration is correct, and the client computer can connect to the ISA
Server computer, the next step is to check the access rule configuration on ISA Server.
By default, all access to the Internet is blocked by ISA Server, so you must enable
access before the client computers can connect.
See Also We will explore access rule configuration and issues such as access rule order in
much more detail in Chapter 5.
Remember the ISA Server Client Limitations
When troubleshooting SecureNAT and Web Proxy connection problems, remember
that these clients are limited in their functionality. Web Proxy clients can only access
resources using HTTP, HTTPS, or FTP over HTTP. SecureNAT clients do not support
authentication, so they cannot use any access rule that requires authentication. SecureNAT clients also do not support all protocols: a protocol that needs secondary connections works for SecureNAT clients only if ISA Server has an application filter for it, whereas the Firewall Client handles such protocols on its own.
Exam Tip Because SecureNAT clients do not support authentication, any access rule that
requires authentication will block access to SecureNAT clients. For example, you could have
an access rule that allows all protocol traffic from the Internal network to the Internet. If that
rule is applied to Authenticated Users, all SecureNAT clients will be blocked. If that rule is the
first rule evaluated by ISA Server, all SecureNAT client connections will be blocked.
Practice: Configuring SecureNAT and Web Proxy Clients
In this practice, you will configure logging using the ISA Server Management Console
to monitor client connections to the server. You will then configure a SecureNAT client
and a Web Proxy client and test the client connections. Because you do not have an
access rule defined on ISA Server to enable access to Web resources on other networks, you cannot actually connect to Web resources.
Exercise 1: Configuring ISA Server 2004 to Log Client Connections
1. On ISA1, open ISA Server Management, expand ISA1, and then click Monitoring.
2. On the Logging tab, in the Details pane, click Start Query. When you click Start
Query, ISA Server will show all client connections on the Logging tab.
Exercise 2: Configuring and Testing a SecureNAT Client
1. On DC1, log on to the cohovineyard.com domain as an administrator.
2. Open a Command Prompt and type IPConfig /all. Verify that the server’s default
gateway is configured to use the ISA Server internal IP address.
3. Open Internet Explorer. Try connecting to http://131.107.1.200. The connection
will fail.
4. Close the open windows.
5. On ISA1, in ISA Server Management, locate the events logged that used the HTTP
protocol. Confirm that the HTTP request was denied by the Default rule.
Exercise 3: Configuring and Testing a Web Proxy Client
1. On CLIENT1, log on as an Administrator.
2. Open Internet Explorer. Click Tools, and then click Internet Options.
3. In the Internet Options dialog box, click the Connections tab.
4. Click LAN Settings. On the LAN Settings page, click Use A Proxy Server For Your
LAN. In the Address box, type ISA1. In the Port box, type 8080.
5. Select Bypass Proxy Server For Local Addresses. Click OK twice.
6. In the Address box, type 131.107.1.200. The connection will fail.
7. Review the Proxy Message.
8. Switch to the ISA1 virtual machine and locate the events logged that used the
HTTP protocol and the Destination Port of 8080. Confirm that the request was
denied by the Default rule.
9. On the Tasks tab, click Stop Query. Close all open windows.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You use ISA Server 2004 to publish a public Web site on an internal Web server.
What ISA Server client, if any, needs to be configured on the Web server?
a. Firewall client.
b. SecureNAT client.
c. Web Proxy client.
d. No client configuration is required.
2. Your organization wants to use the Web Proxy client to allow clients access to the
Internet using Port 8888. All the client computers are located in a single Active
Directory domain. How can you automate the distribution of the client configuration? What steps must you take to implement it?
3. Your network includes multiple subnets in a routed environment. You are using
DHCP to supply IP addresses and standard TCP/IP options for all internal clients.
You have configured all clients to be SecureNAT clients. All users are connecting
to the Internet except users from one subnet. What would you do to troubleshoot
the problem?
Lesson Summary
■ SecureNAT clients can be configured manually or by using the DHCP service. These clients do not require special software, but you must configure the default gateway so that all traffic destined for the Internet is sent through the ISA Server computer.
■ Web Proxy clients also do not need any special software installation. However, you must configure the Web applications on the client computers to use the ISA Server computer as the proxy server. You can configure the Web Proxy client settings manually or you can configure many of the Web Proxy client configurations automatically.
■ Web Proxy and Firewall clients must be configured with the name or IP address of an ISA Server computer. You can automate the discovery of the ISA Server computer by configuring Automatic Discovery using DHCP or DNS.
■ To troubleshoot SecureNAT and Web Proxy client connections, ensure that you have network connectivity and that the clients can resolve Internet server names using DNS. After that, check the client configuration and the access rule configuration.
Lesson 3: Installing and Configuring the Firewall Client
The third type of client supported by ISA Server 2004 is a Firewall client. Firewall clients provide the highest level of functionality and security, but also require a client
installation on each computer. This lesson describes how to install and configure the
Firewall Client software. It also describes the advanced Firewall client configuration
options, and the options for automating the installation of Firewall Client.
After this lesson, you will be able to
■ Install and configure the Firewall Client software
■ Identify options for automating the installation of the Firewall Client
■ Configure the Firewall Client settings on the ISA Server computer
■ Configure the advanced Firewall Client options
■ Troubleshoot Firewall Clients
Estimated lesson time: 45 minutes
How to Install Firewall Client
When you install ISA Server, you have the option of installing the Firewall Client Share
on the ISA Server computer. When you choose this option, the Firewall Client installation files are copied to the server in the C:\Program Files\Microsoft ISA Server\Clients
folder. The folder is then shared with a share name of Mspclnt. Moreover, the system
policy rule that enables access to the shared folder is enabled. To install the Firewall
Client manually, users can connect to the share and run the setup program.
Note
You can also copy the Firewall Client installation files to a shared folder on another
server on the network and then instruct the users to connect to that share to install the Firewall Client.
Important The permissions on the Mspclnt share allow the Authenticated Users group to
connect to the share and read and execute the setup program. However, you must be a member of the local Administrators group on the client computer to install the Firewall Client.
To install the Firewall Client software from a shared folder, use the following procedure:
1. Connect to the shared folder that contains the Firewall Client installation files. If
you use the shared folder on the ISA Server computer, the default share is
\\ISA_Server_name\Mspclnt.
Lesson 3
Installing and Configuring the Firewall Client
4-29
2. Right-click MS_FWC.msi and click Install. Alternatively, you can double-click
Setup.exe.
3. On the Welcome To The Install Wizard For The Microsoft Firewall Client page,
click Next.
4. On the Destination Folder page, review the default installation folder location.
Click Change if you want to change the installation folder. Click Next to continue.
5. On the ISA Server Computer Select screen, you can select how the Firewall Client
will locate the ISA Server computer, as shown in Figure 4-10. To configure the
server name or IP Address manually, select Connect To This ISA Server and type
the ISA Server name or the IP address. To enable Automatic Discovery of the ISA
Server computer, select Automatically Detect The Appropriate ISA Server Computer. Click Next.
Figure 4-10 Configuring the ISA Server selection during the Firewall Client installation
6. On the Ready to Install the Program page, click Install.
7. When the installation wizard finishes, click Finish.
Note You can install Firewall Client software on client computers that run Microsoft
Windows Server 2003, Windows 2000 Server, Windows XP, Microsoft Windows 98 Second
Edition, Microsoft Windows Millennium Edition, or Microsoft Windows NT 4.0. You cannot
install Firewall Client software on the ISA Server computer.
After the installation is complete, the Firewall Client application is enabled. The
Microsoft Firewall Client Management icon is added to the system tray. To modify the
Firewall Client configuration on the client, right-click the icon and click Configure. On
the General tab (shown in Figure 4-11), you can enable or disable the Firewall Client
and configure it to detect the ISA Server computer automatically or configure the ISA
Server computer manually. On the Web Browser tab, you can enable or disable automatic configuration of the Web browser.
Figure 4-11 Configuring the Firewall Client after installation.
How to Automate Firewall Client Installation
If you deploy the Firewall Client to a large number of clients, you may choose to automate the Firewall Client installation. You have several options: you can perform an unattended installation, use Group Policy in Active Directory, or use Microsoft Systems Management Server (SMS) to automate the installation.
Tip
Before deploying Firewall Client, configure the Firewall Client settings using ISA Server
Management. By first configuring these settings, all the clients will get the desired Firewall
Client configuration when the installation completes. The next section describes how to configure the Firewall Client settings.
Performing an Unattended Installation of the Firewall Client
One option for automating the deployment of the Firewall Client is to perform an unattended installation. To perform an unattended installation, you must ensure that the
Firewall Client installation files are accessible from the client computer and then
run the setup program from a command prompt with the appropriate parameters.
To complete an unattended installation of Firewall Client when running the setup
program from the command prompt, use the following syntax:
Path\Setup.exe /v"[SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"
where
■ Path is the path to the shared ISA Server 2004 client installation files.
■ ISA_Server_Name is the name of the ISA Server computer to which the Firewall Client should connect. This parameter, as well as the next two, is optional.
■ ENABLE_AUTO_DETECT=1 specifies that the Firewall Client automatically detects the ISA Server computer to which it should connect.
■ REFRESH_WEB_PROXY=1 indicates that the Firewall Client configuration should be updated with the Web Proxy configuration specified on the ISA Server computer.
■ /qn means that the application will install without showing the user interface.
For example, to complete the unattended installation from the Firewall Client share on
an ISA Server computer named ISA1 and configure the Firewall Client to use the same
ISA Server computer for Firewall Client and Web Proxy configuration, use the following
command:
\\isa1\mspclnt\Setup.exe /v"SERVER_NAME_OR_IP=ISA1 ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=1 /qn"
You can use this option to install the Firewall Client in several scenarios. For example, you can provide users with a link on a Web page that will run the unattended
installation from a network location. Or you can use a command such as this in a
logon script to install the application. You can also copy the Firewall Client installation files to a CD-ROM and then launch the command when users insert the CD-ROM
into their computers.
Note Users must be logged on as local Administrators to complete an unattended installation of the Firewall Client. If the users in your organization are not local Administrators on
their computers, use one of the following options to distribute the software.
Using Active Directory Group Policy to Distribute the Firewall Client
You can also use the Software Installation option in Active Directory Group Policy to
automate the installation of the Firewall Client. To distribute the Firewall Client using
this option, perform the following procedure:
1. Copy the Firewall Client installation files to a network share. You can use the Firewall Client share (Mspclnt) on the ISA Server computer or a share on a file server. If you are
installing the Firewall Client on a large number of client computers, use a separate
file server.
2. Determine whether you wish to distribute the client software to users or computers. If you distribute the software to users, you can choose whether the software
will be installed the next time the user logs on or whether the user can initiate the
installation from Add/Remove Programs. If you distribute the software to computers, the software will be installed the next time the computer restarts.
3. Create a new software distribution package. Configure the software distribution
package to use the installation files on the shared folder. You can also configure
the distribution options for the software package.
4. When users log on or the client computers reboot, the Firewall Client is installed.
The Firewall Client will then automatically discover the ISA Server computer and
download the configuration information.
See Also One advantage of using Active Directory Group Policy to distribute software is that the software installation process can run even if the logged-on user is not an Administrator. For detailed information about using Active Directory Group Policy to distribute software installations, see the Group Policy Software Installation Extension Technical Reference at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_gp_intro.asp.
Using Systems Management Server 2003
Organizations that have deployed SMS 2003 can use the software distribution feature of
SMS to distribute the ISA Firewall Client. Software distribution in SMS 2003 provides the
ability to deploy Microsoft Windows Installer (.msi) or Package Definition Format (.pdf,
.sms) files to any computer that is assigned to the SMS environment. To deploy the ISA
Firewall Client using SMS, perform the following procedure:
1. Create a collection that includes any computer that is to receive the ISA Firewall
Client software. A collection is a logical group of resources such as computers or
users that are gathered together to be managed within SMS. You can set specific
requirements such as IP address, hardware configuration, or add clients directly by
name to group all resources that are to have the ISA Firewall Client installed.
2. Create an SMS package by importing the ISA Firewall Client Windows Installer file
(MS_FWC.msi). The Windows Installer file automatically creates attended and
unattended installation program options that can be deployed on a per-system or
per-user basis. Programs are also created to uninstall the client if the need arises.
The per-system programs are configured to install the client with administrative
rights regardless of whether the user is logged on. The per-user programs install
the client using the credentials of the logged-on user.
3. Create an SMS advertisement, which specifies the target collection and program to
install. To control deployment, you can schedule a time for the program to be
advertised to collection members.
Off the Record
If you are using a non-Microsoft application to distribute applications, you
can certainly use that application to deploy the Firewall Client. The Firewall Client includes a
Windows Installer setup information file (MS_FWC.msi) that can be distributed using any software distribution application.
How to Configure ISA Server for Firewall Clients
When you first install the Firewall Client on a client computer, it will connect to the ISA
Server computer configured during the installation to complete the Firewall Client configuration. After installation, each time a computer running the Firewall Client restarts,
the Firewall Client checks for any new client configuration settings on the server. This
means that you can modify the Firewall Client by configuring the settings using ISA
Server Management. The settings are then applied to the client when the client connects, or updated every six hours on the client computer if the client computer remains
connected.
Firewall Client Configuration Options
Almost all Firewall Client settings can be modified using ISA Server Management. The
Firewall Client settings that you can configure are summarized in Table 4-4.
Table 4-4 ISA Server Firewall Configuration Settings

Enable or disable Firewall Client support: You can specify whether Firewall Client support is enabled for a specific network. If Firewall Client support is enabled, ISA Server will accept incoming requests on TCP or UDP Port 1745.

Application settings: These settings define how the Firewall Client connects to ISA Server for specific applications.

Internal network and local domains: These settings define the set of IP addresses and domains that the Firewall Client recognizes as local. The Firewall Client will connect to resources in these locations directly, without going through the ISA Server computer.

Automatic discovery: By enabling Automatic Discovery, Firewall clients will automatically discover the appropriate ISA Server computer.

Web browser settings for the Firewall client: The Firewall Client application can automatically update the Web Proxy settings on the Firewall Client computer. These settings are obtained from ISA Server when the Firewall Client settings are updated.

Support for older versions of Firewall Client: ISA Server supports earlier versions of the Firewall Client software, including Firewall Client for ISA Server 2000 and the Winsock Proxy client (from Microsoft Proxy Server 2.0). You can enable or disable support for these clients on the ISA Server computer.
How to Configure Firewall Client Settings
The Firewall Client settings are configured in two different locations within ISA Server
Management. To configure which versions of the Firewall Client are supported and to
configure the application settings, use the following procedure:
1. Open ISA Server Management, expand the Configuration folder, and click General.
2. Click Define Firewall Client Settings.
3. On the Connection tab (as shown in Figure 4-12), configure whether or not earlier
versions of the Firewall Client software are supported. Because older Firewall clients do not support encryption, you must enable the Allow Non-Encrypted Firewall Client Connections option.
Figure 4-12 Configuring ISA Server support for earlier Firewall Client versions
Exam Tip By default, ISA Server 2004 requires encrypted Firewall client connections. If
you see an exam question in which client computers are running older Firewall Clients,
remember that you must change the default configuration to allow these clients to connect.
4. On the Application Settings tab as shown in Figure 4-13, configure the settings for
applications that run on Firewall Clients. To configure a specific application, click
the application name and then click Edit.
Figure 4-13 Configuring Firewall Client application settings
The application settings are used to configure how the Firewall Client will respond
when specific Winsock applications are started on the client computer. Some applications require specific port number assignments. For example, the RealPlayer application from RealNetworks requires that the Firewall client use Port 7070 when connecting
to RealServer streaming media servers. The streaming media server will respond on any
port between 6970 and 7170. As Figure 4-13 illustrates, the application settings for the
RealPlayer application (the application name in the interface is Realplay) configure the
LocalBindTcpPorts key with a value of 7070 and the RemoteBindUdpPorts key with a
value of 6970-7170. Other applications are disabled in the application settings. For
example, the Exchng32 application, the Mapisp32 application, and the Outlook application are all disabled by default, which means that the Firewall Client does not intercept their Winsock calls. The RPC and MAPI connections that Microsoft Outlook requires are therefore not tunneled through the Firewall Client; they leave the computer as ordinary (SecureNAT) traffic and must be permitted by the access rules on the ISA Server computer.
Note RealPlayer can also use Port 554 to connect to RealServers. ISA Server 2004
enables this connection by enabling the Real-Time Streaming Protocol (RTSP) which uses Port
554 to establish the initial client connection and the RTSP application filter to manage secondary connections.
To configure the other Firewall Client settings using ISA Server Management Console,
use the following procedure:
1. Open ISA Server Management, expand the Configuration folder, and click Networks.
2. In the details pane, click the Networks tab.
3. To edit the internal network settings, double-click Internal.
4. To configure the internal addresses, click the Addresses tab. You originally configured the IP addresses for the Internal network when you installed ISA Server, but
you can use this option to change the configuration, as shown in Figure 4-14. You
can configure the following settings for this network:
a. To add a specific range of IP addresses, click Add. Then, type the first address
of the network address range in Starting Address and the last address of the
network address range in Ending Address.
b. To add IP addresses associated with a specific adapter, click Add Adapter and
then, in Network Interfaces, select one or more adapters.
c. To add private address ranges, click Add Private and then select a range from
the list.
Figure 4-14 Configuring IP addresses for the Internal network
5. To configure the internal domains, click the Domains tab, as shown in Figure 4-15.
Click Add to add the domain names for the internal network. When a firewall
client connects to any computer with a domain name listed on the Domains tab,
the Firewall client will connect to the computer directly rather than go through
ISA Server.
Figure 4-15 Configuring the Domains for the Internal network
6. ISA Server can also supply the Web browser (Web Proxy) settings to computers running the
Firewall Client. To configure these Web browser settings, click the Firewall Client tab, as
shown in Figure 4-16. You can use this interface to configure the following settings:
a. To enable Firewall Client support for this network, verify that the Enable Firewall Client Support For This Network check box is selected. When you enable
this option, ISA Server will accept incoming requests on TCP or UDP Port 1745.
b. Select Automatically Detect Settings if the client computer should automatically attempt to find the ISA Server computer.
c. Select Use Automatic Configuration Script if the Web browser on the Firewall
Client computer should use configuration information that is contained in the
specified automatic configuration script. If you select this option, specify Use
Default URL or Use Custom URL.
d. To specify the name of the ISA Server computer, select Use a Web Proxy
Server and type the ISA Server name or IP Address.
Figure 4-16 Configuring the Firewall Client settings for the Internal network
Advanced Firewall Client Configuration
In addition to the Firewall Client settings that you can configure on the ISA
Server computer for distribution to all clients, there are also advanced settings that you
can configure on the client computer running the Firewall Client. As much as possible,
use the ISA Server settings to configure the Firewall Client settings, but in some cases,
you may need a unique configuration for one or more clients.
Configuring Local Addresses
One of the advanced options that you can configure is the local address table. By
default, Firewall Client considers all addresses on its local network, as well as the
addresses specified in the local routing table on the Firewall client computer, as local.
Each time a Winsock application on that client attempts to establish a connection to an
IP address, the Firewall Client uses this information plus the Internal network information on ISA Server to determine whether the IP address is on the local network. If the
server IP address is local, the Firewall Client will connect to the server directly; if the
address is not local, the Firewall Client will go through the ISA Server computer to
access the server.
You can modify this client behavior by creating a client computer–specific file that
defines local addresses for that client. Using a text editor, you can create a custom client local address table (LAT) file named Locallat.txt and place it in the \Documents and
Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder on the Firewall client computer. You can add additional IP address ranges to the file so that the
client will recognize these addresses as part of the local network. If this file exists, the
client uses its own routing table, the server-specific settings, and the Locallat.txt file to
determine the IP addresses that are part of the local network.
When you create the Locallat.txt file, enter IP address pairs in the file. Each address pair
defines either a range of IP addresses or a single IP address. The following example
shows a Locallat.txt file that has two entries. The first entry is an IP address range and
the second entry is a single IP address. Note that the second entry on each line is an
IP address and not a subnet mask.
10.51.0.0
10.51.255.255
10.52.144.103
10.52.144.103
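The two rules above (each pair is the first and last address of a range, and the second entry is an address rather than a subnet mask) are easy to get wrong by hand, so here is an added example, not code from the training kit or from the Firewall Client, that parses a Locallat.txt file, rejects a file whose second entry looks like a mask, and then makes the same local-versus-remote decision the text describes. The sample file contents are constructed from the two entries shown above; the client's own directly connected networks, which the real Firewall Client reads from the routing table, are supplied here as CIDR strings, and the mask heuristic is this example's own assumption.

```python
"""Locallat.txt parsing and the direct / via-ISA-Server decision (added example)."""
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample: the two-entry file from the lesson text
# (one range, then one single address written as first == last).
SAMPLE_LOCALLAT = """\
10.51.0.0
10.51.255.255
10.52.144.103
10.52.144.103
"""

# Constructed sample of the mistake the lesson warns about: a subnet mask
# in the second position instead of the last address of the range.
BAD_LOCALLAT = """\
192.168.7.1
255.255.255.0
"""


def _looks_like_mask(addr: ipaddress.IPv4Address) -> bool:
    """True for values of the form 1...10...0, i.e. a contiguous subnet mask
    (assumption of this example: such a value is a typo, not a range end)."""
    inverted = (~int(addr)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_locallat(text: str) -> List[IPRange]:
    """Read the file as (first, last) address pairs and validate each pair."""
    addrs = [ipaddress.IPv4Address(line.strip())
             for line in text.splitlines() if line.strip()]
    if len(addrs) % 2:
        raise ValueError("odd number of addresses: entries must be first/last pairs")
    ranges: List[IPRange] = []
    for first, last in zip(addrs[0::2], addrs[1::2]):
        if last < first:
            raise ValueError(f"range end {last} precedes range start {first}")
        if _looks_like_mask(last) and not _looks_like_mask(first):
            raise ValueError(f"{last} looks like a subnet mask; the second entry "
                             "must be the last address of the range")
        ranges.append((first, last))
    return ranges


def check_locallat(text: str) -> List[str]:
    """Validation wrapper: an empty list means the file parsed cleanly."""
    try:
        parse_locallat(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def is_local(ip: str, ranges: List[IPRange], client_networks=()) -> bool:
    """Local if the address is on one of the client's own networks (the
    routing-table part of the decision) or inside a Locallat.txt range."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.ip_network(net) for net in client_networks):
        return True
    return any(first <= addr <= last for first, last in ranges)


def route_decision(ip: str, ranges: List[IPRange], client_networks=()) -> str:
    """'direct' mirrors a direct connection; 'via ISA Server' mirrors the
    Firewall Client sending the connection through the ISA Server computer."""
    return "direct" if is_local(ip, ranges, client_networks) else "via ISA Server"


if __name__ == "__main__":
    table = parse_locallat(SAMPLE_LOCALLAT)
    for dest in ("10.51.7.9", "10.52.144.103", "10.52.144.104", "192.168.1.5"):
        print(dest, "->", route_decision(dest, table, ["192.168.1.0/24"]))
    print("bad file:", check_locallat(BAD_LOCALLAT))
```

Run against the constructed files, 10.51.7.9 and 10.52.144.103 are classified as direct, 10.52.144.104 goes through the ISA Server computer, and the file with 255.255.255.0 in the second position is reported as an error rather than silently treated as a range ending at 255.255.255.0.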
Advanced Firewall Client Settings
For most Winsock applications, the default Firewall Client configuration that is downloaded from the ISA Server computer works with no further modification needed.
However, in some cases, you will need to add specific client configuration information.
For example, if one Firewall client computer requires an application setting that is different from all other clients, you will need to configure the application settings on that
particular computer. The configuration is done by making changes to Firewall Client
.ini files.
The Firewall Client configuration information is stored in a set of files, which are
installed on the Firewall client computer. The following files are used to configure the
local Firewall client settings:
■ Common.ini Specifies the common configuration for all applications
■ Management.ini Specifies Firewall Client Management configuration settings
■ Application.ini Specifies application-specific configuration settings
The Common.ini file and the Management.ini file are created for all users logged on to
the computer and can also be created manually for each specific user on the computer.
By default, the Application.ini file is not created, so you must create it manually. The
4-40
Chapter 4
Installing and Managing ISA Server Clients
per-user settings override the general configuration settings. These files are created in
different locations, depending on the operating system. For example, on Windows XP
computers, the files may be located in one of two places:
■
\Documents and Settings\All Users\Application Data\Microsoft\Firewall Client
2004 folder
■
\Documents and Settings\user_name\Local Settings\Application Data\Microsoft\
Firewall Client 2004 folder
The settings in these files are applied as follows:
1. The .ini files in the user’s folder take precedence. Any configuration settings specified in the user’s profile are used by Firewall Client to determine how the application will function.
2. The .ini files in the All Users folder are applied next. If a specified configuration
setting contradicts the user-specific settings, it is ignored.
3. Finally, Firewall Client examines the server-level settings. Any configuration settings specified on ISA Server are applied. If a specified configuration setting contradicts the user-specific or computer-specific settings, it is ignored.
If a specific client computer requires unique Firewall Client settings, you can modify
these .ini files on the client computer to meet the requirements. For example, the Common.ini file specifies common configuration for all applications. In most cases, the
Common.ini file very simply consists of lines such as the following:
[Common]
ServerName=ISA1
Disable=0
Autodetection=0
The ServerName value is used to configure the ISA Server computer from which the
Firewall Client should download its configuration. The Disable option specifies
whether the Firewall Client is disabled, with a value of 1 indicating that it is disabled.
And the Autodetection value specifies whether the Firewall Client is configured to
detect ISA Servers automatically.
By default, the Management.ini file contains only a setting that specifies whether the
Firewall Client is enabled to modify the Web Proxy settings on the client.
The Application.ini file specifies configuration settings for specific applications and
also the file that is most often modified. For example, you may have several users on
your network running a Winsock application, but only a subset of those users should
be able to use that application to access Internet resources. One way to enable this is
to configure the Application.ini files on the client computers used by the users that
should use the application to gain access to Internet resources.
The following is an example of part of an Application.ini file showing possible configuration settings for an application:
[FW_Client_App]
Disable=0
NameResolution=R
LocalBindTcpPorts=7777
RemoteBindTcpPorts=30
KillOldSession=1
Persistent=1
ForceCredentials=1
Table 4-5 defines the settings included in this Application.ini file.
Table 4-5 Application.ini File Settings

Option              Sample Value  Explanation
Disable             0             Specifies that the Firewall Client is enabled for this application. A value of 1 means that the Firewall Client is disabled for this application.
NameResolution      R             When the value is set to R, all names are redirected to the ISA Server computer for resolution. When the value is set to L, all names are resolved on the local computer.
LocalBindTcpPorts   7777          Specifies the TCP port used by the application.
RemoteBindTcpPorts  30            Specifies the TCP port used on the remote server.
KillOldSession      1             Specifies that before a new session is started by the application, any existing session will be terminated. A setting of 0 means that old sessions are not terminated.
Persistent          1             Specifies that the server state is maintained if the server becomes unavailable. A value of 0 means that the server state is not maintained.
ForceCredentials    1             Forces the use of user credentials other than the credentials of the logged-on user.
See Also For detailed information about all the settings that you can configure in the .ini
files, see the Advanced Firewall Client Configuration Settings topic in ISA Server Online Help.
How to Troubleshoot Firewall Clients
You can use many of the same steps when troubleshooting Firewall clients as you
would when troubleshooting any other clients. However, the Firewall client configuration is more complicated than that of the other ISA Server clients, so there are also
some specific troubleshooting steps for Firewall clients.
Check Compatibility with Older Firewall Clients and Proxy Servers The version of
Firewall Client included with ISA Server 2004 is different from earlier Firewall and
Proxy Server clients in two ways. First, the ISA Server 2004 Firewall Client is the only
client that supports encrypting the Firewall Client control channel. Secondly, the ISA
Server 2004 Firewall Client uses only TCP Port 1745 for the client control channel,
while earlier clients also used UDP Port 1745.
The first difference can lead to compatibility problems if you have older Firewall or
Proxy Server clients deployed. To fix these problems, ensure that you allow nonencrypted client connections to the ISA Server computer.
The second difference can lead to compatibility issues if you have deployed ISA Server
2004 Firewall clients, but these clients are connecting to ISA Server 2000 or Proxy
Server computers. In this scenario, the ISA Server 2004 Firewall Client cannot connect
to a Proxy 2.0 server or to an ISA Server 2000 computer because the Firewall client cannot use UDP. You can enable UDP control channel support by defining the following
registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Firewall Client 2004\EnableUdpControlChannel = 1
Check the Firewall Configuration Files The Firewall Client can be configured in several different locations. You can configure the client using files on the local computer
such as the .ini files or the Locallat.txt file. You can even have multiple copies of the
local files, one in the All Users profile, and one in the profile for the user who is logged
on. The Firewall Client also downloads a configuration from the ISA Server computer,
including settings such as the domain table, the local address information, and the
application settings. Because the client configuration can come from several sources,
troubleshooting client connections can be quite difficult. If you are using all the different configuration options, remember that the local files are applied after the server
settings, overwriting any conflicting changes. So start by checking the local files for
configuration problems and then move on to checking the ISA Server configuration.
As a best practice, try to eliminate the local files as much as possible, and use only the
ISA Server configuration.
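The precedence described earlier in this lesson (the user's profile first, then the All Users folder, then the settings downloaded from ISA Server) and the advice to check the local files first can be turned into a small audit. The following is an added example, not code from the training kit or from the Firewall Client: it merges Application.ini-style settings from the three sources in that order, records where each effective value came from, and lists every local value that replaces a server value. The three file contents are constructed for the example, and modelling the server-supplied settings in the same [section] key=value layout as the local Application.ini is an assumption; the real download format is not described on this page.

```python
"""Effective Firewall Client application settings with provenance (added example)."""
import configparser
from typing import Dict, List, Tuple

# Locations named in the lesson for Windows XP (shown for reference only;
# the example reads constructed strings so it runs anywhere):
#   \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004
#   \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004

# Constructed: what the ISA Server computer hands out for one application.
SERVER_APPLICATION_INI = """\
[FW_Client_App]
Disable=0
NameResolution=L
RemoteBindTcpPorts=30
"""

# Constructed: the computer-wide (All Users) Application.ini.
ALL_USERS_APPLICATION_INI = """\
[FW_Client_App]
NameResolution=R
KillOldSession=1
"""

# Constructed: the logged-on user's own Application.ini.
USER_APPLICATION_INI = """\
[FW_Client_App]
Disable=1
Persistent=1
ForceCredentials=1
"""

Settings = Dict[str, Dict[str, str]]
Effective = Dict[str, Dict[str, Tuple[str, str]]]


def load_ini(text: str) -> Settings:
    """Parse [section] key=value text, keeping key case as written."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # do not lower-case Disable, NameResolution, ...
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def effective_settings(user: Settings, all_users: Settings, server: Settings) -> Effective:
    """Return {section: {key: (value, source)}}.

    Sources are applied from highest to lowest precedence and a lower source
    only fills keys the higher ones did not set, which is the lesson's rule
    that a contradicting lower-precedence setting is ignored."""
    merged: Effective = {}
    for source, data in (("user", user), ("all users", all_users), ("server", server)):
        for section, keys in data.items():
            target = merged.setdefault(section, {})
            for key, value in keys.items():
                target.setdefault(key, (value, source))
    return merged


def local_overrides(effective: Effective, server: Settings) -> List[Tuple[str, str, str, str, str]]:
    """Keys where a local file silently replaces a value ISA Server supplied:
    (section, key, server value, effective value, source of effective value).
    These are the first things to check when a client misbehaves."""
    found = []
    for section, keys in server.items():
        for key, server_value in keys.items():
            value, source = effective.get(section, {}).get(key, (None, None))
            if source != "server" and value != server_value:
                found.append((section, key, server_value, value, source))
    return found


def audit(user_text: str, all_users_text: str, server_text: str):
    """Convenience wrapper returning (effective settings, local overrides)."""
    server = load_ini(server_text)
    effective = effective_settings(load_ini(user_text), load_ini(all_users_text), server)
    return effective, local_overrides(effective, server)


if __name__ == "__main__":
    effective, overrides = audit(USER_APPLICATION_INI, ALL_USERS_APPLICATION_INI,
                                 SERVER_APPLICATION_INI)
    for section, keys in effective.items():
        for key, (value, source) in keys.items():
            print(f"[{section}] {key}={value}  (from {source})")
    for section, key, server_value, value, source in overrides:
        print(f"override: [{section}] {key} server={server_value} local={value} ({source})")
```

With the constructed files, Disable ends up as 1 from the user's profile (so the Firewall Client is disabled for this application on that user's sessions regardless of what ISA Server says), NameResolution comes from the All Users file, and RemoteBindTcpPorts is the only one of the server's three values that survives unchanged; the override list names the two local files that would need to be removed or corrected before the ISA Server configuration is worth examining.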
See Also Microsoft provides a very useful set of tools for troubleshooting Firewall Client
connections. The tools, called Firewall Client Tools for ISA Server 2004, can be downloaded
from http://www.microsoft.com/downloads/details.aspx?familyid=f20f6267-273d-4870-b1e8-799b261b4786&displaylang=en
Practice: Installing and Configuring Firewall Clients
In this practice, you will configure the Firewall Client settings on the ISA Server computer and then install the Firewall Client software from a shared folder on the ISA
Server computer.
Exercise 1: Configuring the Firewall Client Settings on ISA Server
1. On ISA1, open ISA Server Management, expand Configuration, and click General.
2. Click Define Firewall Client Settings.
3. On the Connection tab, click Allow Non-Encrypted Firewall Client Connections.
Click OK.
4. Apply the changed configuration.
5. In ISA Server Management, under Configuration, click Networks.
6. In the details pane, click the Networks tab, and then click Internal.
7. On the Tasks tab, click Edit Selected Network.
8. Click the Domains tab, and click Add to add the domain names for the internal
network. Type *.Cohovineyard.com, and then click OK.
9. Click the Firewall Client tab and verify that the Enable Firewall Client Support For
This Network check box is selected. On the Firewall Client tab, perform the following steps:
a. Clear the Automatically Detect Settings option.
b. Clear the Use Automatic Configuration Script option.
c. Ensure that Use A Web Proxy Server is selected and ISA1 is listed in the ISA
Server Name Or IP Address box.
10. Click OK.
11. Apply the changed configuration.
Exercise 2: Installing the Firewall Client
1. On CLIENT1, log on as a local Administrator.
2. On the Start menu, click Run. Type \\ISA1\MSPClnt and then click OK.
3. Right-click MS_FWC.msi and click Install.
4. On the Welcome To The Install Wizard For The Microsoft Firewall Client page,
click Next.
5. On the Destination Folder page, review the default installation folder location.
Click Next to continue.
6. On the ISA Server Computer Select screen, select Connect To This ISA Server
and type ISA1. Click Next.
7. On the Ready To Install The Program page, click Install.
8. On the Install Wizard Completed page, click Finish.
9. Close all open windows.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization has deployed ISA Server 2004 and has installed the Firewall Client software on all Windows XP client computers. All users on the network are
running a Winsock application, but some of the users need a customized configuration to run the Winsock application using a server on another network protected by the ISA Server firewall. How would you provide the configuration
settings for the Winsock application?
a. Create a file named Management.ini and place it in the All Users profile.
b. Create a file named Application.ini and place it on the ISA Server computer.
c. Create a file named Management.ini on the ISA Server computer and enable
Automatic Discovery.
d. Create a file named Application.ini and place it in the specific user’s profile.
2. You have recently upgraded from ISA Server 2000 to ISA Server 2004. Most of your
client computers still run the Firewall Client software from ISA Server 2000. What
must you do to enable support for this version of the Firewall Client?
3. Your client computer is located on the 172.16.0.0 network. The client computer is
configured as a Firewall client. You need to modify the configuration of the client
computer so that a single IP address, 192.168.7.1 will be considered as a local
address by the firewall client. What entry needs to be in the Locallat.txt?
a. 192.168.7.1
255.255.255.0
b. 192.168.7.1
192.168.7.254
c. 192.168.7.1
192.168.7.1
d. 192.168.7.1
255.255.255.255
Lesson Summary
■ To perform a manual installation of the Firewall Client, connect to the Firewall Client Share on the ISA Server computer or to an alternate location that contains the
Firewall Client installation files. You can then run setup using the Ms_fwc.msi file
or the Setup.exe file. You can configure the name of the ISA Server computer during the client installation.
■ You can perform an unattended installation of Firewall Client using command-line
options, Active Directory Group Policy, or SMS to automate the installation.
■ You can modify the Firewall Client by configuring the settings using ISA Server
Management. The following Firewall Client Settings can be modified: application
settings, internal network and local domains, Automatic Discovery, and Web
browser settings.
■ You can modify advanced settings for the Firewall Client to be specific for certain
clients. One of the advanced options that you can configure is the local address
table which is used by the Firewall client to determine whether to connect to the
server directly or through the ISA Server computer. You can also modify the configuration .ini files to configure unique settings for the Firewall client.
■ Troubleshooting Firewall Client computers is similar to troubleshooting other ISA
Server clients. However, you also need to be aware of compatibility issues
between the Firewall Client included with ISA Server 2004 and previous ISA Server
or Proxy Server versions. As well, you may need to review the local client configuration files when troubleshooting Firewall Client issues.
Case Scenario Exercise
In this exercise, you will plan an ISA Server 2004 client deployment for a fictitious organization. Read the scenario and then answer the question that follows. If you have difficulty completing this work, review the material in this chapter before beginning the
next chapter. You can find answers to these questions in the “Questions and Answers”
section at the end of this chapter.
Scenario 1
Your organization has a single location with 2000 employees. You have a single Active
Directory domain. You have installed and configured two computers running ISA
Server 2004 to distribute the client load and provide fault tolerance. You need to ensure
that only Authenticated Users have access to Internet resources. The purchasing
department needs to run a Web-based application that is located at a partner organization, and is accessible only over the Internet. The application uses a custom port and
protocol that need to be defined. You need to decide what type of ISA Server client
you will deploy in the organization. You also need to ensure that the clients are
deployed and configured with the least amount of administrative effort.
Scenario 1 Question
1. Design the ISA Server client deployment to meet your organization’s requirements.
What clients will you deploy, and how will you configure them?
Chapter Summary
■ ISA Server supports three types of clients: Firewall clients, SecureNAT clients, and
Web Proxy clients. As you prepare to deploy ISA Server, you need to choose an
ISA Server client that best meets your organization’s requirements. Factors that you
should consider when choosing the client include protocol and operating system
support, support for authentication and the effort required to deploy the clients.
■ SecureNAT clients do not require special software, but you must configure the
default gateway and network routing so that all traffic destined for the Internet is
sent through the ISA Server computer. Web Proxy clients also do not need any
special software installation. However, you must configure the Web applications
on the client computers to use the ISA Server computer as the proxy server. You
can manually configure the Web Proxy client settings or you can automatically
configure many of the Web Proxy client configurations. To troubleshoot
SecureNAT and Web Proxy client connections, ensure that you have network connectivity and that the clients can resolve Internet server names using DNS.
■ Firewall clients require the installation of the Firewall Client application. You can
perform a manual installation of the Firewall Client, or you can automate the installation using command-line options, Active
Directory Group Policy, or Systems Management Server (SMS). You can modify
the Firewall Client by configuring the settings using ISA Server Management. You
can also modify the Firewall Client settings to be specific for certain clients by
modifying the local configuration files on the client computer.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ The ISA Server client that you choose for your organization will be based on your
security requirements and on whether you want to deploy the Firewall Client
application. Remember that for maximum security and functionality if you are
using just Windows clients, you should deploy the Firewall Client.
■ SecureNAT clients are the easiest to deploy. The two most important components
to deploying SecureNAT clients are Internet name resolution and network routing.
Understand how to configure these two options and you will be able to deploy
SecureNAT clients.
■ Web Proxy clients can be manually configured, but you also need to understand
how the client configuration can be automated. Understand how to configure the
settings on ISA Server, and then how to configure the Web Proxy clients to download this configuration from ISA Server.
■ Automatic discovery simplifies the configuration of Web Proxy and Firewall clients. Understand how to enable Automatic Discovery using DHCP and DNS, and
how the clients use Automatic Discovery.
■ Firewall clients are the most work to deploy, but you can also automate the client
installation using unattended setups, Group Policy, or a software distribution tool
such as SMS.
■ Firewall Clients get their configuration from the ISA Server computer when they
connect to the server. To configure Firewall Clients, configure the settings on the
ISA Server computer and all the clients will be updated within six hours.
Key Terms
Automatic Discovery Automatic Discovery is a feature in ISA Server that enables
Firewall and Web Proxy clients to discover an ISA Server computer automatically.
Firewall clients Firewall clients are computers that have Firewall Client software
installed and enabled. Firewall clients provide the highest level of functionality
and security of the various types of clients.
SecureNAT clients SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on
other networks to the internal IP address of the computer running ISA Server.
Web Proxy clients Web Proxy clients are any computers that run HTTP 1.1 compatible Web applications such as Web browsers. The Web applications must be
configured to use the ISA Server as a proxy server.
Winsock applications Winsock applications use sockets to communicate with
services running on other computers. The Firewall Client intercepts Winsock
application requests and redirects them to the ISA Server computer.
Questions and Answers
Lesson 1 Review (Page 4-10)
1. You have deployed ISA Server 2004 as your enterprise firewall solution. Your
enterprise consists of multiple operating systems, including UNIX and Novell clients. You run TCP/IP as your network protocol. The client IP addresses and
options are assigned through DHCP. All clients have HTTP 1.1–compliant Web
browsers installed. All internal employees will require the same level of access to
the Internet. You need to minimize the effort required to deploy the ISA Server clients. What ISA Server client will work best to provide simple Internet access for
your internal employees?
Although either the Web Proxy client or the SecureNAT client will work, the SecureNAT client is
the better solution because of the ease of deployment and because there is no requirement for
authentication. You only need to configure the default gateway and you can easily use DHCP to
provide the gateway address. The Firewall Client software can only be deployed to Microsoft clients and would require software installation and configuration.
2. You have deployed ISA Server 2004 as your enterprise firewall solution. You use
Active Directory and all your client computers run Microsoft operating systems.
Due to limited Internet bandwidth, you must restrict Internet access to selected
departments during business hours. Your employees also need access to a RealPlayer streaming media application on an external Web site. What ISA Server client
works best for your situation?
To restrict access to only certain employees, you must use a client that supports authentication. In this case, you must use the Firewall Client software because it provides support for
authentication and support for multiple protocols such as the RealPlayer streaming media
application. The SecureNAT client does not support authentication, and the Web Proxy client
only supports HTTP, HTTPS, and FTP over HTTP.
Lesson 2 Review (Page 4-26)
1. You use ISA Server 2004 to publish a public Web site on an internal Web server.
What ISA Server client, if any, needs to be configured on the Web server?
a. Firewall client.
b. SecureNAT client.
c. Web Proxy client.
d. No client configuration is required.
B is correct. The SecureNAT client should be configured on the Web server to point to the internal network interface of your ISA Server computer.
2. Your organization wants to use the Web Proxy client to allow clients access to the
Internet using Port 8888. All the client computers are located in a single Active
Directory domain. How can you automate the distribution of the client configuration? What steps must you take to implement it?
You must enable the Web Proxy client on ISA Server 2004 and configure the HTTP port on the
Internal network Web Proxy property pages. Then the client Web browser application must be
configured to detect settings and use the configuration script automatically. You can do this
manually, or by using the Firewall Client.
3. Your network includes multiple subnets in a routed environment. You are using
DHCP to supply IP addresses and standard TCP/IP options for all internal clients.
You have configured all clients to be SecureNAT clients. All users are connecting
to the Internet except users from one subnet. What would you do to troubleshoot
the problem?
Use standard TCP/IP troubleshooting techniques. Run Ipconfig and check the client settings.
Ensure that the default gateway address is correct. Check that the router options on the DHCP
server are configured properly. Test network connectivity by using a client on the affected network to ping the default gateway. If the client connections work on the local subnet, then check
the routing table on the router.
Lesson 3 Review (Page 4-44)
1. Your organization has deployed ISA Server 2004 and has installed the Firewall
Client software on all Windows XP client computers. All users on the network are
running a Winsock application, but some of the users need a customized configuration to run the Winsock application using a server on another network protected by the ISA Server firewall. How would you provide the configuration
settings for the Winsock application?
a. Create a file named Management.ini and place it in the All Users profile.
b. Create a file named Application.ini and place it on the ISA Server computer.
c. Create a file named Management.ini on the ISA Server computer and enable
Automatic Discovery.
d. Create a file named Application.ini and place it in the specific user’s profile.
D is correct. A and C are incorrect because Management.ini only specifies whether the Firewall
Client can modify Web Proxy settings. B is incorrect because creating Application.ini on the
ISA Server computer will not configure the clients. The Application.ini file should be placed in
the specific user’s profile so that only that user will receive the settings. It will override any settings coming from ISA Server.
2. You have recently upgraded from ISA Server 2000 to ISA Server 2004. Most of your
client computers still run the Firewall Client software from ISA Server 2000. What
must you do to enable support for this version of the Firewall Client?
You must enable support for the previous version of the Firewall Client software in the ISA
Server Management Console. To do this, click the Define Firewall Client Settings link in the
General container, and check the Allow Non-Encrypted Firewall Client Connections box.
3. Your client computer is located on the 172.16.0.0 network. The client computer is
configured as a Firewall client. You need to modify the configuration of the client
computer so that a single IP address, 192.168.7.1 will be considered as a local
address by the firewall client. What entry needs to be in the Locallat.txt?
a. 192.168.7.1
255.255.255.0
b. 192.168.7.1
192.168.7.254
c. 192.168.7.1
192.168.7.1
d. 192.168.7.1
255.255.255.255
C is correct. Entries in the Locallat.txt use the first IP address and the last IP address in the
range of addresses to be considered local. To specify a single entry, the first and last number
in the range should be identical. A and D are incorrect because Locallat.txt does not use subnet mask entries. B is incorrect because it identifies the whole subnet as being local.
Case Scenario Exercise
Scenario 1 Question (Page 4-46)
1. Design the ISA Server client deployment to meet your organization’s requirements.
What clients will you deploy, and how will you configure them?
You cannot use SecureNAT clients in this scenario because SecureNAT clients cannot be
authenticated and the company policy states that only Authenticated Users are allowed to
access the Internet.
Employees that need only basic Web access can be configured as Web Proxy clients. You could
automate the configuration of these clients by using a WPAD entry in DHCP to configure the
browser settings.
The purchasing department needs to run the Firewall Client software because it is using an
application that is not using a protocol supported by the Web Proxy client. You can distribute
the Firewall Client application to the users by using Group Policy.
On both ISA Server computers, you must configure the properties of the Internal network to
enable Automatic Discovery. The special port and protocol settings for the Winsock application
can be configured on the ISA Server computers.
5 Enabling Secure Internet Access with ISA Server 2004
Exam Objectives in this Chapter:
■ Plan an ISA Server 2004 deployment.
  ❑ Analyze forward proxy and reverse proxy requirements.
  ❑ Analyze firewall protocol requirements.
  ❑ Configure dial-up settings.
  ❑ Configure firewall chaining.
■ Create policy elements, access rules, and connection limits. Policy elements
include schedule, protocols, user groups, and network objects.
Why This Chapter Matters
Well, you are finally ready to do something with Microsoft Internet and Security
Acceleration (ISA) Server 2004. Users in your organization have been clamoring
for Internet access and now you are ready to give it to them. Granting access to
the Internet using ISA Server is relatively easy, especially if you want to give all
users access to all resources on the Internet. All you have to do is to create an
access rule that says all users on the Internal network have permission to use all
protocols to connect to any resource on the Internet.
However, you may want to be more restrictive in the level of access users have to
the Internet. Or more likely, your organization has a security policy that says you
need to be more restrictive. For example, you may need to prevent employees
from using certain protocols or applications to access the Internet. You may need
to restrict which Web sites users can access, or what time of day they can access
the Internet. You may even need to apply one set of restrictions to one group of
users and another set of restrictions to another group.
Configuring all these restrictions is possible with ISA Server 2004. To do this,
however, you must understand how ISA Server access rules work — that is, what
types of objects you must configure to enable these restrictions, and how you can
put the objects together to ensure that users get the right level of access.
Lessons in this Chapter:
■ Lesson 1: Enabling Secure Access to Internet Resources . . . . . 5-3
■ Lesson 2: Configuring ISA Server as a Proxy Server . . . . . . . . 5-11
■ Lesson 3: Configuring Access Rule Elements . . . . . . . . . . . . 5-29
■ Lesson 4: Configuring ISA Server Authentication . . . . . . . . . . 5-41
■ Lesson 5: Configuring Access Rules for Internet Access . . . . . . 5-48
Before You Begin
This chapter presents the skills and concepts related to configuring ISA Server to
enable secure access to the Internet. If you plan to complete the practices and lab in
this chapter, you should prepare the following:
■ A server with Microsoft Windows Server 2003 (either Standard Edition or Enterprise Edition) installed as DC1 and configured as a domain controller in the
cohovineyard.com domain. DC1 must be able to resolve the Domain Name System
(DNS) names for resources located on the ISA Server external network.
■ Use Active Directory Users and Computers to create and configure the following
users and groups.
  ❑ Managers global group
  ❑ Manager1 user account. Add the account to the Managers group.
  ❑ Sales global group
  ❑ Sales1 user account. Add the account to the Sales group.
■ A second server with Windows Server 2003 installed as ISA1 and configured as a
domain member in the cohovineyard.com domain. ISA Server Standard Edition
should be installed on this server, which should also have two network interfaces
installed. The external interface should be connected to a network that contains
one or more Web servers. If possible, the network interface should be attached to
the Internet.
■ A Microsoft Windows XP computer installed as CLIENT1. This computer should be
a member of the cohovineyard.com domain.
Lesson 1: Enabling Secure Access to Internet Resources
Before you can configure ISA Server to enable secure access to the Internet, you must
understand what secure access means. Every organization defines this concept slightly
differently because an important part of configuring secure access is defining limits to
what resources users can access on the Internet. To define secure access, the organization needs to develop an Internet usage policy that prescribes how users can use the
Internet. Then you can use this policy to design your ISA Server configuration to
ensure that users have only the required access to the Internet. This chapter provides
an overview of what is meant by secure access to the Internet, some high-level guidelines for developing an Internet usage policy and an overview of how you can use ISA
Server to enforce the policy. The other lessons in the chapter provide the details of
how to configure ISA Server to implement the policy.
After this lesson, you will be able to
■ Describe secure access to Internet resources
■ List guidelines for creating an Internet usage policy
■ Describe how ISA Server can provide secure access to Internet resources
Estimated lesson time: 15 minutes
What Is Secure Access to Internet Resources?
Almost all organizations provide some level of Internet access for their users. The use
of the Internet as a source of information and e-mail as a communication tool means
that most organizations cannot afford to be without access to the Internet. At the same
time, ensuring that the connection to the Internet is secure is critical.
So what is secure access to the Internet? At a minimum, providing secure Internet
access for users in an organization means the following:
■ Users can access the resources that they need. To do their jobs, users in many organizations must be able to use a Web browser or other application to access Internet resources.
■ The connection to the Internet is secure. Users must be reasonably sure that they will not be attacked through the Internet connection. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the computer, such as the computer name, user logon name, and shared folders, as well as details about the network configuration for the client computer, such as the client Internet Protocol (IP) address, should be hidden.
5-4
Chapter 5
Enabling Secure Internet Access with ISA Server 2004
■ The data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal information such as credit card information to the Internet or they might send private or confidential organizational information such as client data to the Internet. This data must be secured when it leaves the organization. If the data cannot be protected, you must prevent users from sending the information to the Internet.
■ Users cannot download malicious programs from the Internet. One of the ways attackers gain access to your network is by getting users to download malicious content. You must prevent users from inadvertently or deliberately causing damage to the network by downloading viruses or Trojan horse applications to their client computers.
Secure access to the Internet also means that the user’s actions comply with the organization’s security or Internet usage policy. This means the following:
■ Only users who have permission to access the Internet can access the Internet.
■ These users can use only approved protocols and applications to access Internet resources.
■ These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
■ These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.
Real World
Security Trade-Offs
Implementing secure access to the Internet is rarely simple because you must
always find a balance between competing interests within the organization. The
people responsible for security want to have the most secure network possible.
Often, it seems that the only way to satisfy them would be to disconnect your network from the Internet and not allow anyone to leave or enter the building carrying a mobile computer. On the other hand, you have the employees who are
interested only in getting their jobs done (and maybe having a bit of fun on the
Internet). And these users don’t want any restrictions in place to prevent them
from doing so. These users seem remarkably adept at presenting a situation in
which almost any restriction you put in place will prevent them from doing their
work.
Obviously, this overstates the case, but I have worked with organizations in
which this was close to reality. You can never please both groups completely, but
in most cases, you can find a compromise. To do this, you must develop a plan
that balances the following key trade-offs:
■ The benefit versus the security risk of different types of Internet access—Applications and protocols, such as Web browsers using Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS), can provide a great deal of benefit to an organization. Therefore, most organizations accept the risk of enabling this type of access to the Internet. However, many organizations do not see the benefits of enabling chat-room clients or peer-to-peer file-sharing applications, or of providing Internet access for users using the ICQ protocol. For these companies, the risk of enabling these types of access exceeds the benefit, so access to the Internet using these methods is denied.
■ Ease of use versus the security of the system—Systems that are the easiest to use are often also the least secure; the most secure systems, on the other hand, may be almost impossible to use or to administer. Balance the requirement for security with the need for usability. If getting Internet access is too difficult, many users won’t even try, and the organization will lose the potential benefit, while other users will spend a lot of time trying to figure out how to get around your security restrictions.
■ The cost of providing security versus risk of loss without security—Implementing a completely secure solution can be very expensive, both in terms of money spent on purchasing and managing the security solution, and in terms of performance—a highly secure system might provide much slower performance. If an organization is working with highly confidential or private information, this cost is required. For other organizations, the cost of providing an excessively high level of security may be higher than the actual loss if the security is breached.
Exam Tip
You may see exam questions that ask you to balance security requirements and
requested functionality. For example, you may get an exam question in which users require a
certain level of access, but the security requirements set limits to the level of access. In this
situation, configure the access rules so that users get the least level of access to meet their
requirements, and you will have the most secure configuration possible. If users require
access to the Internet using a particular protocol, then enable only that protocol.
Guidelines for Designing an Internet Usage Policy
One of the first steps that an organization must take, as it prepares to grant access to
Internet resources, is to define an Internet usage policy. An Internet usage policy
defines what actions users are allowed to perform while they are connected to the
Internet. The Internet usage policy becomes the basis for configuring the ISA Server
settings to provide secure access to the Internet.
Internet usage policies should do the following:
■ Describe the need for an Internet usage policy. At first, users may resist the policy because they may interpret it as an arbitrary limit on what they can do, imposed without any business reason. The policy should define exactly why the policy is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases the resistance to the policy.
■ Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
■ Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have the means of resolving these issues. The easiest way to ensure this resolution is to provide users with the contacts they can use to get their answers quickly.
■ Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.
Each organization is unique, so each Internet usage policy will be slightly different.
However, there are general guidelines that you can use to create a usage policy.
1. Identify vulnerabilities to the network that users introduce when connecting to the
Internet. What damage can users do to your network or to your organization if
allowed to connect to the Internet? This list should include damage to the network
itself; for example, what damage could users cause by downloading a virus or
malicious programs? The list should also include damage to the organization,
which may include damage related to the company’s reputation or productivity, as
well as legal or privacy issues. Your Internet usage policy will define countermeasures for mitigating these risks.
2. Determine how much access to resources you want to grant users. Users must be
able to do their jobs, and the policy should not prevent users from doing so. However, in most cases, users do not need access to all Internet resources to do their
jobs. The policy should define the access that users need to perform their jobs, but
also define the access that users do not need.
3. Create clear and concise Internet usage policies. Based on the information gained
from completing the first two steps, create policies that are plainly written and easily followed.
4. Determine how to enforce the Internet usage policy. In some cases, the policy can
be enforced using technology solutions. For example, you may use ISA Server to
enforce policies that identify the users who can access the Internet and the protocols that they can use. Using technology to enforce security policies helps prevent
employees from unwittingly violating security policies. However, technology is
not the only method of enforcement and may not be an option in some cases. You
may be able to use ISA Server to enforce an Internet usage policy while the user
is at the office, but will need to use another method to enforce the policy when
the user is working on a company laptop to connect to the Internet from a hotel
or from home.
5. Define the incentives for policy adherence and the consequences for policy violation. Create incentives for following or exceeding security policies. For example,
consider making a portion of an employee’s bonus contingent on following security policies. At the same time, ensure that the consequences of violating the policy
are consistent with the severity of the violation and with your organization’s culture. Ensure that managers are empowered to enforce the consequences of violating security policy.
6. Gather feedback from users, managers, and human resources and legal departments about proposed policies. To ensure that the policies are appropriate,
enforceable, and do not violate employee rights, have management, human
resources, and legal departments review and approve acceptable use policies.
Involving the senior management in the development of the policy is essential for
the implementation and enforcement of security policies. To ensure that the policies do not disrupt business processes, and to obtain backing from employees,
gather feedback from users about proposed policies.
7. Revise policies based on feedback and create detailed procedures before implementing the policies. After incorporating the feedback from all stakeholders,
work with human resources personnel to create and implement the policies.
Whenever possible, write simple procedures that demonstrate how to comply
with the policies.
8. Implement the policies. Distribute your security policies so that employees can
refer to them easily. For example, give employees printed copies of policies or
post the policies to convenient internal Web sites, and update the policies
regularly.
See Also There are many resources available to guide you in your policy development, including the SANS Institute Security Policy Project located at http://www.sans.org/resources/policies, and the Site Security Handbook located at http://ietf.org/rfc/rfc2196.txt?number=2196.
How ISA Server Enables Secure Access to Internet Resources
Now that you have developed the Internet usage policy, you are ready to implement
that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
■ Implementing ISA Server as a firewall ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
■ Implementing ISA Server as a proxy server When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
■ Using ISA Server to implement the organization’s Internet usage policy ISA Server can be used to implement many Internet-use restrictions. Table 5-1 lists some of the restrictions you can implement using ISA Server.
Table 5-1 ISA Server Internet Access Restrictions

Options for Restricting Access
  Explanation

Restrictions based on users and groups
  ISA Server can limit access to the Internet based on users and groups. These user or group accounts can be defined in Active Directory directory service or on the ISA Server computer.

Restrictions based on computers
  ISA Server can limit access to specific computers, a group of computers, or all computers on a particular network. For example, you can set restrictions for Internet access from servers on the network, or for computers located in a public location.

Restrictions based on protocols
  ISA Server can enable or disable access to the Internet based on the protocols used to access the Internet. For example, you can enable access only for HTTP or HTTPS and disable all other protocols. Or you can enable all protocols, and define the protocols that will not be allowed.

Restrictions based on Internet destinations
  ISA Server can limit access based on Internet destinations. You can block or enable destinations based on domain names or Uniform Resource Locators (URLs).

Restrictions based on content being downloaded from the Internet
  ISA Server can also scan all network packets coming from the Internet to ensure that users are not downloading inappropriate or dangerous content.
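The five restriction types in Table 5-1 are normally combined in one ordered rule set, and the result for a given request depends on which rule matches first. The following Python is an added illustration of that evaluation, not ISA Server's own code or rule format: the GROUPS and NETWORKS tables stand in for the Active Directory and ISA Server network objects, the rule names and destination domains are constructed for the example, and Manager1, Sales1 and their groups are taken from this chapter's lab setup.

```python
"""Added illustration of the Table 5-1 restriction types working together.

Example code, not ISA Server's implementation: a small ordered rule set is
evaluated against constructed requests so that restrictions on users and
groups, source computers, protocols, destinations and downloaded content
can be seen interacting.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the Active Directory group lookup.
GROUPS = {"Manager1": {"Managers"}, "Sales1": {"Sales"}, "Guest1": set()}

# Constructed stand-in for ISA Server network objects.
NETWORKS = {"Internal": ip_network("10.0.0.0/24"), "Servers": ip_network("10.0.1.0/24")}


@dataclass
class Request:
    user: Optional[str]   # None: the client did not authenticate
    source_ip: str
    protocol: str         # "http", "https", "ftp", ...
    url: str
    filename: str = ""    # name of the object being downloaded, if known


@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    groups: Optional[Set[str]] = None          # None: any user, authenticated or not
    networks: Optional[Set[str]] = None        # None: any source computer
    protocols: Optional[Set[str]] = None       # None: any protocol
    domains: Optional[Set[str]] = None         # None: any destination; else host or parent domain
    extensions: Optional[Set[str]] = None      # None: any content; else file extensions


def host_matches(host: str, domains: Set[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every criterion a rule specifies must match; unspecified criteria match anything."""
    if rule.groups is not None:
        if req.user is None or not (GROUPS.get(req.user, set()) & rule.groups):
            return False
    if rule.networks is not None:
        addr = ip_address(req.source_ip)
        if not any(addr in NETWORKS[n] for n in rule.networks):
            return False
    if rule.protocols is not None and req.protocol.lower() not in rule.protocols:
        return False
    if rule.domains is not None:
        if not host_matches(urlsplit(req.url).hostname or "", rule.domains):
            return False
    if rule.extensions is not None:
        ext = req.filename.rsplit(".", 1)[-1].lower() if "." in req.filename else ""
        if ext not in rule.extensions:
            return False
    return True


def evaluate(rules, req: Request):
    """First matching rule decides; a request that matches no rule is denied."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "deny", "default"


# Constructed policy, ordered as it is evaluated. Deny rules come first so that
# the broader allow rules below cannot override them.
POLICY = [
    Rule("Block executable downloads", "deny", extensions={"exe", "scr", "vbs"}),
    Rule("Block chat sites", "deny", domains={"chat.example.net"}),
    Rule("No Internet access from servers", "deny", networks={"Servers"}),
    Rule("Managers: HTTP and HTTPS", "allow", groups={"Managers"},
         networks={"Internal"}, protocols={"http", "https"}),
    Rule("Sales: approved sites only", "allow", groups={"Sales"},
         networks={"Internal"}, protocols={"http", "https"},
         domains={"crm.example.com", "example.org"}),
]

if __name__ == "__main__":
    for req in [
        Request("Manager1", "10.0.0.5", "https", "https://www.example.com/"),
        Request("Sales1", "10.0.0.6", "https", "https://www.example.com/"),
        Request("Sales1", "10.0.0.6", "http", "http://portal.example.org/home"),
        Request("Manager1", "10.0.1.7", "http", "http://www.example.com/"),
        Request("Manager1", "10.0.0.5", "http", "http://www.example.com/setup.exe", "setup.exe"),
        Request(None, "10.0.0.9", "http", "http://www.example.com/"),
    ]:
        print(req.user, req.source_ip, req.url, "->", evaluate(POLICY, req))
```

Two points the table alone does not show: a request that matches no rule is denied, which is why the allow rules must spell out exactly what users need; and rule order matters, so a deny rule placed after a broad allow rule would never be reached.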
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. What is the purpose of an Internet usage policy?
2. You are the network administrator for your organization. The organization is using
a packet-filtering firewall with limited functionality to provide access to the Internet. The organization is planning an ISA Server 2004 implementation and wants to
exploit some of its advanced filtering options to limit the access users have to the
Internet. What should be the first step for implementing ISA Server 2004?
a. Install ISA Server 2004.
b. Design the access rules that will enable access to the Internet.
c. Create an Internet usage policy that defines the organization’s security
requirements.
d. Design a server publishing strategy.
3. How can an Internet usage policy be enforced by ISA Server 2004?
Lesson Summary
■ Providing secure Internet access for users in an organization means that users can gain access to the resources they need, the connection to the Internet is secure, the data that users transfer to and from the Internet is secure, and users cannot download malicious programs from the Internet.
■ Internet usage policies should explain the need for an Internet usage policy and describe what the policy addresses. They should also identify the people within the organization who are in charge of creating and maintaining the policy. Finally, an Internet usage policy should clearly define how violations of the policy will be handled.
■ ISA Server can be used to provide secure Internet access for internal clients. ISA Server provides several options for enabling this secure access. These options include using ISA Server as a firewall, using ISA Server as a proxy server, and using ISA Server to implement the organization’s Internet usage policy.
Lesson 2
Configuring ISA Server as a Proxy Server
5-11
Lesson 2: Configuring ISA Server as a Proxy Server
One of the primary deployment scenarios for ISA Server 2004 is as a proxy server that
enables secure access to Internet resources. ISA Server operates as a proxy server for
both Web proxy and Firewall clients. This lesson provides an overview of how a proxy
server works and how to configure ISA Server 2004 to operate as a proxy server. The
lesson also considers two specialized configurations that you might use in an Internet
access scenario: configuring multiple ISA Servers in a Web chain, and configuring ISA
Server to use a dial-up connection for Internet access.
After this lesson, you will be able to
■ Describe how a proxy server works
■ Configure ISA Server 2004 as a proxy server
■ Configure Web chaining
■ Configure dial-up connections
Estimated lesson time: 30 minutes
What Is a Proxy Server?
A proxy server is a server that is situated between a client application, such as a Web
browser or a Winsock application, and a server to which the client connects. All client
requests are sent to the proxy server. The proxy server creates a new request and sends
the request to the specified server. The server response is sent back to the proxy server,
which then replies to the client application. A proxy server can provide enhanced
security and performance for Internet connections.
The most important reason for using a proxy server is to make the user’s connection to
the Internet more secure. Proxy servers make the Internet connection more secure in
the following ways:
■ User authentication When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource, based on the authenticated user.
■ Filtering client requests The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site the user requests.
■ Content inspection Proxy servers can inspect all traffic to and from the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions.
■ Logging user access Because all traffic flows through the proxy server, the server can log whatever the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization’s Internet usage policies.
■ Hiding the internal network details Because all requests for Internet resources come from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information, such as computer name or IP address, is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet.
Another benefit of using a proxy server is to improve Internet access performance. The
Web proxy server improves performance by caching requested Internet pages on the
Web proxy server’s hard disk. When another user requests the same information, the
proxy server provides the page from the cache rather than retrieving it from the Internet.
Note
For more information about configuring proxy server caching on ISA Server, see Chapter 6, “Implementing ISA Server Caching.”
How Proxy Servers Work
Proxy servers can be used to secure both inbound and outbound Internet access.
When a proxy server is used to secure outbound Internet access, it is configured as a
forwarding proxy server. When a proxy server is used to secure inbound Internet
access, it is configured as a reverse proxy server.
How Does a Forward Proxy Server Work?
Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on
the Internet. The proxy server may be running at the connection point between the
Internet and the internal network. In this case, the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a
firewall may be deployed between the Internet and the proxy server, but all client computers will still be configured to use the proxy server.
Note As described in Chapter 4, “Installing and Managing ISA Server Clients,” when you
install Firewall Client software on a client computer, the Firewall Client intercepts all Winsock
application calls and forwards them to the ISA Server computer if the destination server is on
a remote network. When connecting to a proxy server, the Firewall Client acts just like any
other Winsock application. The only difference is that the Firewall Client can handle all connections from all Winsock applications, so you do not need to modify the application to use
the proxy server.
Figure 5-1 illustrates how a forward proxy server works.
Figure 5-1 How a forward proxy server works
[Diagram: the client computer, ISA Server, the Internet and a Web server, with the exchange numbered 1 through 6 as described in the steps below.]
The following steps outline how a forward Web Proxy server works for a Web
application:
1. A client application, such as a Web browser, makes a request for an object located
on a Web server. The client application checks its Web proxy configuration to
determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the
proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that
blocks access to the requested content.
4. If caching is enabled, the proxy server also checks if the requested object exists in
its local cache. If the object is stored in the local cache and it is current, the proxy
server sends the object to the client from the cache. If the page is not in the cache
or if the page is out of date, the proxy server sends the request to the appropriate
server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters
the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the
content in its cache and the object is then returned to the client application that
made the original request.
Important
When the proxy server accepts a request from the client application, it does not
just forward the client request to the destination server. Instead, it creates a completely new
request. When the destination server responds to the proxy server, the proxy server responds
to the original client request. Because the request to the destination server comes from the
proxy server, and not the original client, client configuration information is not sent to the
Internet.
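The six steps above and the Important note describe a decision sequence: policy check, cache lookup with a freshness test, a brand-new outbound request that carries none of the client's details, response filtering, and caching. The following Python is an added illustration of that sequence, not ISA Server's code: the FakeOrigin class stands in for the Web server on the Internet and records what it receives, the sample requests are constructed, and the proxy name "isa1.cohovineyard.com" is assumed from the lab setup's ISA1 computer and domain.

```python
"""Added illustration of the forward Web proxy flow in steps 1 through 6.

Example code, not ISA Server's implementation. The proxy decides whether a
destination is local (step 1), applies an access policy (step 3), consults a
cache with freshness checking (step 4), issues a completely new request so
that the client's user name, IP address and computer name never leave the
network (steps 4 and 5), filters the response (step 5) and caches cacheable
content (step 6).
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

LOCAL_DOMAINS = ("cohovineyard.com",)   # constructed: destinations the client reaches directly
PROXY_NAME = "isa1.cohovineyard.com"    # assumed name of the ISA Server computer


@dataclass
class Response:
    status: int
    body: bytes
    content_type: str
    max_age: int                       # seconds the object may be served from cache; 0 = never
    fetched_at: float = field(default_factory=time.time)

    def is_fresh(self, now: float) -> bool:
        return self.max_age > 0 and now - self.fetched_at < self.max_age


@dataclass
class ClientRequest:
    url: str
    user: str
    client_ip: str
    computer_name: str


def is_local(url: str) -> bool:
    """Step 1: the client's Web proxy configuration decides whether to bypass the proxy."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)


class ForwardProxy:
    def __init__(self, policy: Callable[[ClientRequest], bool],
                 origin: Callable[[dict], Response],
                 blocked_types=("application/x-msdownload",), clock=time.time):
        self.policy = policy                   # True if the access policy allows the request
        self.origin = origin                   # stands in for the Web server on the Internet
        self.blocked_types = set(blocked_types)
        self.cache: Dict[str, Response] = {}
        self.clock = clock                     # injectable so freshness can be tested

    def handle(self, req: ClientRequest) -> Tuple[int, str, List[str]]:
        """Return (status, source, trace) where source is 'cache', 'origin' or 'blocked'."""
        trace: List[str] = []
        if not self.policy(req):                            # step 3: policy check
            trace.append("denied by access policy")
            return 403, "blocked", trace
        now = self.clock()
        cached = self.cache.get(req.url)
        if cached is not None and cached.is_fresh(now):     # step 4: fresh cache hit
            trace.append("served from cache")
            return cached.status, "cache", trace
        # Step 4 continued: build a brand-new request. Only the URL and the proxy's
        # own identity go out; user, client IP and computer name are not copied.
        outbound = {"url": req.url, "via": PROXY_NAME}
        trace.append("new request sent to origin")
        resp = self.origin(outbound)                        # step 5: origin answers the proxy
        if resp.content_type in self.blocked_types:        # step 5: response filtering
            trace.append("response blocked by content filter")
            return 403, "blocked", trace
        if resp.max_age > 0:                                # step 6: cache, then answer the client
            resp.fetched_at = now
            self.cache[req.url] = resp
            trace.append("stored in cache")
        return resp.status, "origin", trace


class FakeOrigin:
    """Constructed stand-in for an Internet Web server; records every request it receives."""
    def __init__(self):
        self.seen: List[dict] = []

    def __call__(self, outbound: dict) -> Response:
        self.seen.append(dict(outbound))
        if urlsplit(outbound["url"]).path.endswith(".exe"):
            return Response(200, b"MZ...", "application/x-msdownload", max_age=3600)
        return Response(200, b"<html>hello</html>", "text/html", max_age=60)


if __name__ == "__main__":
    origin = FakeOrigin()
    proxy = ForwardProxy(policy=lambda r: r.user != "Guest1", origin=origin)
    req = ClientRequest("http://www.example.com/index.html", "Manager1", "10.0.0.5", "CLIENT1")
    print(proxy.handle(req))        # first request goes to the origin and is cached
    print(proxy.handle(req))        # second request is served from the cache
    print("origin saw:", origin.seen)
```

Inspecting origin.seen after a run shows the point of the Important note directly: the only identity the Web server ever sees is the proxy's, and a denied request never produces an outbound request at all.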
How Does a Reverse Web Proxy Server Work?
A reverse Web proxy server operates in much the same way as a forward Web proxy
server. However, instead of making Internet resources accessible to internal clients,
reverse proxy makes internal resources accessible to external clients.
Figure 5-2 illustrates how a reverse proxy server works.
Figure 5-2 How a reverse proxy server works
[Diagram: an Internet client, a DNS server, ISA Server and an internal Web server, with the exchange numbered 1 through 6 as described in the steps below.]
The following steps outline how a reverse Web proxy server works:
1. A user on the Internet makes a request for an object located on a Web server that
is on an internal network protected by a reverse proxy server. The client computer
performs a DNS lookup using the fully qualified domain name (FQDN) of the
hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of
the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure
that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its
local cache. If the object is stored in the local cache and it is current, the proxy
server sends the object to the client from the cache. If the object is not in the
cache, the proxy server sends the request to the appropriate server on the internal
network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.
Note Before ISA Server 2004 will operate as a reverse proxy server, you must configure
Web publishing rules. Web publishing is discussed in detail in Chapter 8, “Implementing ISA
Server Publishing.”
How to Configure ISA Server as a Proxy Server
You can deploy ISA Server 2004 as a Web proxy and a Winsock proxy server. In fact,
as soon as you enable access to Internet resources for internal clients, ISA Server
begins to operate as a Web proxy server. However, there are also several Web proxy
server settings that you can modify on ISA Server.
You can configure several Web proxy settings on ISA Server. To do so, perform the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and select Networks.
2. Click the network whose Web access properties you want to configure. If you are
configuring access to the Internet for internal clients, select the Internal network.
Click Edit Selected Network.
3. Click the Web Proxy tab to configure the Web Proxy settings for ISA Server. The
interface is shown in Figure 5-3. First, ensure that Enable Web Proxy Clients is
selected. This is selected by default.
Figure 5-3 Configuring ISA Server as a proxy server
[Screen shot of the Web Proxy tab of the Internal network properties.]
On the Web Proxy tab, you can choose to enable or disable HTTP connections on
the specified port number. You can also enable or disable Secure Sockets Layer
(SSL) connections. If you select this option, ISA Server will listen for HTTPS connections on the port specified. If you enable SSL, you must also configure a certificate that will be used for SSL authentication and encryption. Web browsers cannot
use this setting for Internet access, but it can be used for Web chaining scenarios.
4. To configure the Advanced Settings, click Advanced. The interface is shown in
Figure 5-4. On this tab, you can configure the number of connections, which will
limit the number of users that can connect to the ISA Server at one time. You can
also specify a connection timeout value, which sets a timeout limit for idle
connections.
Figure 5-4 Configuring advanced proxy server settings
[Screen shot of the Advanced Settings dialog box.]
Exam Tip Notice that one of the advanced configuration options limits the number of connections that the ISA Server computer will accept. If you get an exam question that includes
information about the number of users, and some of those users cannot connect, check to
see if you are given any information about this setting. However, by default, ISA Server is configured to accept an unlimited number of connections, so if you are not given any information
about the number of connections allowed, assume that this setting is not the problem.
5. To configure ISA Server as a Winsock proxy server, you must configure the Internal network properties so that Firewall clients are supported. To configure this,
click the Firewall Client tab on the Internal network properties and ensure that
Enable Firewall Client Support For This Network is selected. The configuration
options for Firewall Clients were discussed in Chapter 4.
Note Configuring authentication for Internet access requests will be discussed later in this
chapter in Lesson 4, “Configuring ISA Server Authentication.”
How to Configure Web and Firewall Chaining
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA
Server together to provide flexible Web proxy services. These servers can be chained
in a hierarchical manner so that one ISA Server computer routes Internet requests to
another ISA Server computer, rather than routing the request directly to the Internet.
ISA Server also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer.
Tip With ISA Server Standard Edition, you can use Web chaining to define how Web
requests will be routed to the Internet from one ISA Server computer to another. However,
each individual ISA Server still has to be configured, and the ISA Servers have no way of sharing the Web cache across multiple computers. The advantage of deploying ISA Server Enterprise Edition is that you can configure arrays so that groups of ISA Servers can be managed
by one set of policies, and so that the ISA Servers can distribute the Web cache across
multiple computers.
Why Use Web Chaining?
Web chaining is useful if your organization has multiple branch office locations, but all
Internet requests are routed through one location at the head office. In this scenario,
you can install ISA Server in each office and then configure ISA Server at the branch
offices to route all Internet requests to the server running ISA Server at the head office.
Figure 5-5 shows an example of this configuration.
Figure 5-5 Configuring Web Proxy chaining in a branch office (Web requests from the branch office networks are routed to the head-office ISA Server; optionally, Web requests for resources close to the branch office can be routed directly to the Internet)
Note In this configuration, the ISA Server computers at the branch offices are identified as
downstream servers, while the ISA Server computer at the head office is the upstream
server. Think of it as having to swim upstream to access the Internet.
You can also configure Web chaining so that not all Web requests are sent to the
upstream server. For example, you can configure rules for conditionally routing Internet requests, depending on the destination Web server. This is useful if the head office
and the branch offices are in different countries. If one of the branch offices has a
direct Internet connection and many of the Web sites used by users in that branch
office are in the same country as the branch office, you may choose to have the branch
office ISA Server computer route all requests for specific domain names directly to the
Internet. You can still have the branch office server route all other requests to the head-office ISA Server.
One of the benefits of using Web chaining is the accumulated caching on ISA Server.
If all the servers running ISA Server in the branch offices are configured to forward
their requests to the head-office ISA Server, the head-office ISA Server will develop a
large cache that contains many requested items. The combination of caching at the
local branch office and at head office increases the chances that the Internet content
can be delivered to the client with the least use of network bandwidth.
Tip Another scenario in which Web chaining is useful is for configuring a test lab. Many
organizations run a test lab that needs to be isolated from the production environment but
may also need access to the Internet. By configuring ISA Server at the edge of the test lab
network, and configuring it to forward all Internet requests to the production ISA Server, you
can accomplish both goals.
Configuring Web Chaining Rules
To configure Web chaining rules, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node, select Networks, and then click the Web Chaining tab.
Note Notice the Web chaining rule named Last Default that was created when ISA Server
was installed. This rule specifies that the ISA Server will route all requests directly to all networks. In other words, it will not use Web chaining unless you create a new rule.
2. To create a new Web chaining rule, on the Tasks tab, click Create New Web Chaining Rule.
3. On the Welcome To The New Web Chaining Rule Wizard page, in the Web
Chaining Rule Name box, type a name for the Web chaining rule. Click Next.
4. On the Web Chaining Rule Destination page, as shown in Figure 5-6, click Add to
specify the destinations that will be affected by this rule.
Figure 5-6 Configuring the Web chaining destination rules
5. In the Add Network Entities dialog box, select the destinations that this rule will
apply to. For example, if the rule should apply to all Internet requests, expand
Networks, then click External. Click Close.
6. On the Web Chaining Rule Destination page, click Next.
7. On the Request Action page, shown in Figure 5-7, select how the request should
be processed. You have three options:
❑ Retrieve Requests Directly From The Specified Destination—In this case, the Web request is routed directly to the Internet.
❑ Redirect Requests To A Specified Upstream Server—In this case, the Web request is routed to the server that you specify.
❑ Redirect Requests To—In this case, the request is routed to the specified Web site.
Note When configuring Web chaining, you can also configure chained authentication by
selecting Allow Delegation Of Basic Authentication Credentials. By default, if both the downstream and upstream proxy servers require authentication, users with Web Proxy clients will
be prompted for credentials by both ISA Server computers. If you use basic authentication for
user authentication, you can configure the downstream server to pass the credentials to the
upstream server by enabling basic authentication delegation.
Figure 5-7 Configuring the Web chaining action
To configure Web chaining, select Redirect Requests To A Specified Upstream
Server and then click Next.
8. On the Primary Routing page, shown in Figure 5-8, in the Server box, type the
name of the server to which this server will send the requests. You can also specify
the port numbers for HTTP and SSL and configure an account that will be used to
authenticate at the upstream ISA Server. Click Next.
Figure 5-8 Configuring the primary Web chaining route
9. On the Backup Action page shown in Figure 5-9, configure what ISA Server
should do if the upstream ISA Server is unavailable. You have three choices:
❑ Ignore Requests—In this case, ISA Server will not respond to client requests.
❑ Retrieve Requests Directly From The Specified Destination—In this case, ISA Server will route the request to the Internet.
❑ Route Requests To An Upstream Server—In this case, you can specify an alternative upstream server.
Select the option you require and then click Next.
Figure 5-9 Configuring the backup action for Web chaining
10. On the Completing The New Web Chaining Rule Wizard page, review the configuration and then click Finish.
11. After creating the Web Chaining rule, you can configure how the ISA Server computer will bridge HTTP and HTTPS requests when using the Web chaining rule. To
configure bridging, click the Web chaining rule and then, on the Tasks tab, click
Define SSL Bridging For Selected Rule. The interface is shown in Figure 5-10. On
this page, you can configure how to redirect HTTP and SSL requests when sending
the requests to the upstream server.
Figure 5-10 Configuring SSL bridging for a Web chaining rule
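The following Python model is an added illustration of how the Web chaining rules built in the procedure above (and the branch-office scenario described earlier in this lesson) are evaluated; it is not code from this book or from ISA Server. Rules are checked from the top, the first rule whose destination set contains the requested host decides the route, and the Last Default rule at the bottom routes directly to all networks. When the primary upstream server is unavailable, the rule's backup action applies. The rule names, the upstream server name ISA-HQ, the domain patterns and the reachability check are all constructed for the example, and the third request action (redirecting to a specified Web site) is left out.

```python
"""Model of ISA Server 2004 Web chaining rule evaluation (added example,
not ISA Server code).  Names, patterns and servers are constructed."""

from dataclasses import dataclass
from typing import Callable, Optional

DIRECT = "direct"        # Retrieve Requests Directly From The Specified Destination
UPSTREAM = "upstream"    # Redirect Requests To A Specified Upstream Server
IGNORE = "ignore"        # Ignore Requests (a backup action only)


@dataclass
class WebChainingRule:
    name: str
    destinations: list                    # domain patterns; "*" means every destination
    action: str                           # DIRECT or UPSTREAM
    upstream: Optional[str] = None        # primary upstream server name
    backup_action: str = IGNORE           # DIRECT, UPSTREAM or IGNORE
    backup_upstream: Optional[str] = None # alternative upstream server

    def matches(self, host: str) -> bool:
        """A destination pattern is either '*', an exact host name, or a
        '*.domain' pattern whose leading asterisk covers sub-domains."""
        host = host.lower()
        for pattern in self.destinations:
            pattern = pattern.lower()
            if pattern == "*":
                return True
            if pattern.startswith("*."):
                if host.endswith(pattern[1:]):
                    return True
            elif host == pattern:
                return True
        return False


def route_request(host: str, rules, upstream_up: Callable[[str], bool]):
    """Return where a request for `host` is sent: ('direct', None),
    ('upstream', server) or ('ignore', None).  `upstream_up` reports
    whether a named upstream server is reachable."""
    for rule in rules:
        if not rule.matches(host):
            continue
        if rule.action == DIRECT:
            return (DIRECT, None)
        if rule.upstream and upstream_up(rule.upstream):
            return (UPSTREAM, rule.upstream)
        # Primary upstream server unavailable: apply the backup action.
        if rule.backup_action == DIRECT:
            return (DIRECT, None)
        if rule.backup_action == UPSTREAM and rule.backup_upstream:
            return (UPSTREAM, rule.backup_upstream)
        return (IGNORE, None)
    return (IGNORE, None)   # not reached while a Last Default rule exists


# Constructed branch-office policy: sites in the branch's own country go
# directly to the Internet; everything else goes through head office, with
# "retrieve directly" as the backup action if head office is unreachable.
BRANCH_RULES = [
    WebChainingRule("Local sites direct", ["*.example.co.uk"], DIRECT),
    WebChainingRule("To head office", ["*"], UPSTREAM,
                    upstream="ISA-HQ", backup_action=DIRECT),
    WebChainingRule("Last Default", ["*"], DIRECT),
]

if __name__ == "__main__":
    hq_online = lambda server: server == "ISA-HQ"
    print(route_request("www.example.co.uk", BRANCH_RULES, hq_online))
    print(route_request("www.example.com", BRANCH_RULES, hq_online))
    print(route_request("www.example.com", BRANCH_RULES, lambda s: False))
```

Rule order matters: the catch-all Last Default rule only sees requests that no earlier rule matched, which is the behaviour the Note in step 1 describes. A rule whose backup action is Ignore Requests leaves clients without a response when the upstream server is down, so the backup action deserves as much thought as the primary route.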
How to Configure Firewall Chaining
ISA Server 2004 also supports firewall chaining for SecureNAT and Firewall clients. To
enable firewall chaining, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node, and then click Configure Firewall Chaining.
2. On the Firewall Chaining dialog box shown in Figure 5-11, you can configure the
firewall chaining. If you select Use The Primary Connection, ISA Server will try to
route client requests directly to the Internet. If you select Chain To This Computer,
you can specify the upstream server to which the firewall requests will be sent. If
the upstream ISA Server server requires authentication, you must configure a user
account that the downstream server will use to authenticate to the upstream
server.
Figure 5-11 Configuring firewall chaining
How to Configure Dial-Up Connections
ISA Server 2004 also supports the use of a dial-up connection to another network. For
example, if you do not have a dedicated Internet connection that is always available,
you can configure a dial-up connection so that when a user makes a request for a
resource on the Internet, the ISA Server computer can dial an Internet connection automatically. You can also configure the dial-up connection as a backup route, so that the
dial-up connection is used only if the primary Internet connection is not available. In a
Web chaining scenario, either the primary or backup route can be a dial-up connection.
How to Configure Dial-Up Connections
To configure an automatic dial-up connection, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and select General.
2. In the details pane, select Specify Dial-Up Preferences. The Dialing Configuration
dialog box is shown in Figure 5-12.
Figure 5-12 Configuring dial-up preferences
Note Before you can configure ISA Server to use a dial-up connection, you need to configure the dial-up connection using the Network Connections Control Panel. You can then configure ISA Server to dial the connection automatically as required.
Table 5-2 describes dial-up configuration settings.
Table 5-2 Configuring Dial-Up Preferences (Choose This Setting: To Do This)
Allow Automatic Dialing To This Network: Configure ISA Server to use the dial-up connection automatically for connecting to the specified network.
Configure This Dial-Up Connection To Be The Default Gateway: Configure this connection as the primary way to connect to the Internet. If you choose this option, all ISA Server traffic intended for the external network is sent on the connection.
Use The Following Dial-Up Connection: Specify the name of the dial-up connection.
Use This Account: Specify the name and password used to authenticate the dial-up connection. Normally, this is a dial-up account assigned by an Internet service provider (ISP).
After you configure the dial-up connection, you can specify this connection when configuring Web chaining rules.
Practice: Configuring ISA Server as a Proxy Server
In this practice, you will modify the default Web proxy server settings on ISA Server.
You will also configure a new Web chaining rule.
Exercise 1: Configuring ISA Server Proxy Server Settings
1. In the Microsoft ISA Server Management Console tree, expand ISA1, then expand
the Configuration node and select Networks.
2. On the Networks tab, click the Internal network. On the Tasks pane, click Edit
Selected Network.
3. On the Web Proxy tab, ensure that Enable Web Proxy Clients and Enable HTTP
are selected. Ensure that the HTTP port is 8080.
4. To configure the advanced options, click Advanced.
5. In the Advanced Settings dialog box, under Number Of Connections, click Maximum. In the Maximum text box, type 10.
6. Click OK to close the Advanced Settings dialog box. Click OK to close the Internal
Properties dialog box.
7. Click Apply to apply the changes.
Exercise 2: Configuring Web Chaining
1. In the ISA Server Management Console tree, expand the Configuration node,
select Networks, and then click the Web Chaining tab.
Note In this exercise, you will complete the configuration of a new Web chaining rule, and
then discard the changes you make to the ISA Server configuration. One of the new features
in ISA Server 2004 is that no changes are applied to the configuration until you commit the
changes.
2. To create a new Web chaining rule, on the Tasks tab, click Create New Web Chaining Rule.
3. On the Welcome To The New Web Chaining Rule Wizard page, in the Web Chaining Rule Name box, type a name for the Web chaining rule. Click Next.
4. On the Web Chaining Rule Destination page, click Add to specify the destinations
that will be affected by this rule.
5. In the Add Network Entities dialog box, expand Networks, click External, and
then click Add. Click Close.
6. On the Web Chaining Rule Destination page, click Next.
7. On the Request Action page, select Redirect Requests To A Specified Upstream
Server and click Next.
8. On the Primary Routing page, in the Server box, type ISA2 as the name of the
server to which this server will send the requests. Accept the default port numbers
for HTTP and SSL. Click Next.
9. On the Backup Action page, click Retrieve Requests Directly From The Specified
Destination.
10. On the Completing The New Web Chaining Rule Wizard page, review the configuration and click Finish.
11. Click Discard to discard the changes you made. Click Yes in the Microsoft ISA
Server dialog box.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization has a high-speed Internet connection as your main method of
access to the Internet. You also have a dial-up account with your ISP to provide a
backup route. How should you configure ISA Server to use the dial-up connection
in case the primary route fails?
a. Configure the Dial-Up Preferences to specify the dial-up connection as the
backup route.
b. Create a network for the dial-up connection and designate it as the backup
route.
c. Configure a Web Chaining rule to specify the dial-up connection as the
backup route.
d. Modify the Web Browser properties of the Internal network to designate the
dial-up connection as the alternate route.
2. All the Web browser applications in your organization are configured to be Web
Proxy clients. You are the network administrator and you have received reports
that some employees are viewing and downloading information from inappropriate Web sites. How could you identify the employees responsible and prevent further infractions?
3. Your company has seven branch offices that have no direct Internet connection.
All Internet requests are routed to the ISA Server at the head office over a 128-kilobyte-per-second (Kbps) Integrated Services Digital Network (ISDN) link. The
ISDN link is heavily used during business hours. What can you do to minimize the
bandwidth usage for Internet requests?
Lesson Summary
■ A proxy server is a server that is situated between a client application, such as a Web browser, and a server that the client is connecting to. Forward proxy servers accept requests for resources from clients on the internal network and forward the requests to servers located on the Internet. A reverse Web proxy server makes internal resources accessible to external clients.
■ By default, ISA Server is configured to operate as a proxy server for Web proxy and Firewall client computers. You can modify the proxy server settings to enable or disable HTTP, enable or disable SSL, define the authentication method you wish to use and define the connection settings.
■ ISA Server 2004 supports chaining multiple ISA Server computers together so that Internet requests are passed from one computer to another computer. You can use Web chaining when your organization has multiple branch office locations, but all Internet requests are routed through one location at the head office. One of the benefits of using Web chaining is the accumulated caching on ISA Server.
■ ISA Server 2004 also supports the use of a dial-up connection to another network. If you do not have an Internet connection that is always available, ISA Server can automatically dial up when a user makes a request for a resource from the Internet.
Lesson 3
Configuring Access Rule Elements
5-29
Lesson 3: Configuring Access Rule Elements
By default, ISA Server 2004 denies all network traffic between networks connected to
the ISA Server computer. Configuring an access rule is the only way to configure ISA
Server so that it will allow traffic to flow between networks. An access rule defines the
conditions for when traffic will be allowed or denied between networks. ISA Server
enables a great deal of flexibility when creating access rules. You can define the protocols allowed, which users can use those protocols, what resources users can access,
and what time of day users can do all this. Each option is defined by creating access
rule elements, and then combining the elements into access rules. This lesson
describes the access rule elements that you can create in ISA Server 2004.
After this lesson, you will be able to
■ Describe the access rule elements available in ISA Server 2004
■ Configure access rule elements
Estimated lesson time: 30 minutes
What Are Access Rule Elements?
Access rule elements are configuration objects in ISA Server that you use to create
access rules. For example, you may want to create an access rule that allows only
HTTP traffic. To do this, ISA Server provides an HTTP protocol access rule element that
you can use when creating the access rule. Or you may want to limit access to the
Internet to certain users or computers. To enable this, you can create a subnet or user
set access rule element, and then use this element in an access rule to limit access to
the Internet to only computers on the specified subnet, or to only the specified users.
Access Rule Element Types
Table 5-3 describes the five types of access rule elements:
Table 5-3 Access Rule Element Types (Access Rule Element: Description)
Protocols: This rule element defines protocols that you can use in an access rule. You can allow or deny access on one or more protocols.
User Sets: This rule element defines a group of one or more users to which a rule will be explicitly applied, or which can be excluded from a rule. For example, you may want to create a rule that enables Internet access to all users within an organization with the exception of all temporary staff. By using an Active Directory domain or Remote Authentication Dial-In User Service (RADIUS) server for authentication, you can configure an access rule that grants the Domain Users group access to the Internet, but denies access to the TempEmployees group.
Content Types: This rule element provides common content types to which you may want to apply a rule. For example, you can use a content type rule element to block all content downloads that include .exe or .vbs file extensions.
Schedules: This rule element allows you to designate hours of the week during which the rule applies. If you need to define an access rule that allows access to the Internet only during specified hours, you can create a schedule rule element that defines those hours, and then use this schedule rule element when creating the access rule.
Network Objects: This rule element allows you to create sets of computers to which a rule will apply, or which will be excluded from a rule. You can also configure URL sets and domain name sets that you can use to allow or deny access to specific URLs or domains.
How to Configure Access Rule Elements
ISA Server includes several default access rule elements. For example, ISA Server
includes a large number of protocol elements that you can use when creating an access
rule. However, in some cases, you must create new access rule elements or modify
existing elements.
How to Configure Protocol Elements
In some cases, you may want to create an access rule that allows or denies access to
the Internet, depending on which protocol the client uses. To do this, you can use
one of the protocol elements provided with ISA Server or create your own protocol
definition.
In almost all cases, the preconfigured protocols defined by the ISA Server configuration
provide all the flexibility you need when configuring access rules. The protocols
included with ISA Server cannot be deleted. You can modify which application filters
are applied to the preconfigured protocols, but you cannot modify any other settings.
Lesson 3
Configuring Access Rule Elements
5-31
You can also create new protocols by using the ISA Server Management Console. For
example, you may be using a custom application that requires a specific port. You can
create a protocol element that uses this port number and then use the protocol in an
access rule. User-defined protocols can be edited or deleted.
To create a protocol object, use the following procedure.
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Protocols.
3. Click New, and then click Protocol or RPC Protocol. The New Protocol Definition
Wizard starts. When you create a protocol, you specify settings listed in Table 5-4.
Table 5-4 Protocol Element Configuration Options (Option: Explanation)
Protocol Type: This includes protocol types for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or IP levels.
Direction: For UDP, this includes Send, Receive, Send Receive, or Receive Send. For TCP, this includes Inbound and Outbound. For ICMP and IP, this includes Send and Receive.
Port Range: For TCP and UDP protocols, this is a range of ports between 1 and 65535 that is used for the initial connection.
Protocol Number: For IP-level protocols, this is the protocol number.
ICMP Properties: For ICMP, this is the ICMP code and type.
Secondary Connections: This setting is optional; it is the range of ports, protocol types, and direction used for additional connections or packets that follow the initial connection. You can configure one or more secondary connections.
To modify an existing protocol definition, click the protocol in the Protocols box, and
then click Edit.
How to Configure User Set Elements
The second criterion that you may want to apply to an access rule specifies which
users will be allowed or denied access by the access rule. To limit access to Internet
resources based on users or groups, you must create a user set element. When you
limit an access rule to specific users, users must authenticate before they are granted
access. For each group of users, you can define the type of authentication required.
You can mix different types of authentication within a user set. For example, a user set
might include a Windows user or group based on domain membership, a user from a
RADIUS namespace, and another user from the SecurID namespace.
ISA Server is preconfigured with the following user sets:
■ All Authenticated Users This set includes all users who have authenticated using any type of authentication. SecureNAT clients are not authenticated unless they connect through a virtual private network (VPN). This means that this group does not include non-VPN SecureNAT clients.
■ All Users This set includes all users, both authenticated and unauthenticated. If you want to allow access for SecureNAT clients, you should use this user set.
■ System and Network Service This user set includes the Local System service and the Network service on the computer running ISA Server. This user set is used in some system policy rules.
To create a new user set, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Users.
3. Click New. On the Welcome To The New User Sets Wizard, in the User Set Name
box, type the user set name. Click Next.
4. On the Users page, click Add, and then click the type of user that you are adding
to the set. The interface is shown in Figure 5-13. There are three options:
❑ Windows Users And Groups—Use this option to add users and groups from a Windows domain or from the local accounts on the computer running ISA Server.
❑ RADIUS—Use this option to add specific users or all users from a specific RADIUS namespace.
❑ SecurID—Use this option to add specific users or all users from a specific SecurID namespace.
Figure 5-13 Configuring a user set
To modify an existing user set, click the user set in the Users box, and click Edit.
How to Configure Content Type Elements
You may also want to limit the types of content that users can access on the Internet.
To do this, create a new content type element, or use one of the existing content type
elements when you create an access rule. Content type elements define Multipurpose
Internet Mail Extensions (MIME) types and file name extensions. When a client such as
Microsoft Internet Explorer downloads information from the Internet using HTTP or
File Transfer Protocol (FTP), the content is downloaded in either MIME format or as a
file with a specified file name extension.
Content type elements apply only to HTTP and FTP traffic that is tunneled in an HTTP
header. When a client requests HTTP content, ISA Server sends the request to the Web
server. When the Web server returns the object, ISA Server checks the object’s MIME
type or its file name extension, depending on the header information returned by the
Web server. ISA Server determines if a rule applies to a content type that includes the
requested filename extension, and processes the rule accordingly. FTP traffic is tunneled in an HTTP header when a client is configured as a Web Proxy client. When a client requests FTP content, ISA Server checks the filename extension of the requested
object. ISA Server determines if a content type that includes the file extension is linked
to the access rule. If a content type applies, ISA Server applies the rule.
ISA Server is preconfigured with the following content types: Application, Application
data files, Audio, Compressed files, Documents, Hypertext Markup Language (HTML)
documents, Images, Macro documents, Text, Video, and Virtual Reality Modeling
Language (VRML). In most cases, you need not configure additional content types, and
can merely apply the existing types.
To create a new content type object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Content Types.
3. Click New.
4. In the New Content Type Set dialog box, shown in Figure 5-14, fill in the following
information:
❑ Name—Type the content type set name.
❑ Available Types—Select the appropriate content types from the drop-down list. You can choose either MIME types or application extensions. Click Add.
Figure 5-14 Configuring a content type set
Note When you configure a content type and specify the MIME type, you can use an asterisk (*) as a wildcard character. For example, to include all application types, enter application/*. The asterisk wildcard character can be used only with MIME types and not with file
extensions. The asterisk can be specified only once, at the end of the MIME type after the
slash mark (/).
To modify an existing content type set, click the content type set in the Content Types
box, and then click Edit.
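As an added example (not code from this book or from ISA Server), the following Python module applies the rules stated above for content type elements: a MIME type may carry a single asterisk wildcard, only at the end after the slash, file name extensions may not contain a wildcard at all, and a downloaded object is matched either by the MIME type the Web server returned or, when no MIME type is available (FTP over HTTP), by the file name extension of the requested object. The content type set, its entries and the sample requests are constructed for the example, and treating "MIME type when a Content-Type header is present, otherwise extension" as the matching order is an assumption about the behaviour the text describes.

```python
"""Content type set validation and matching (added example, not ISA Server
code).  The set definitions and sample requests below are constructed."""

from dataclasses import dataclass


def validate_mime_pattern(pattern: str) -> bool:
    """Accept 'type/subtype' or 'type/*'.  The asterisk may appear once,
    only at the end of the MIME type after the slash."""
    if pattern.count("/") != 1:
        return False
    major, minor = pattern.split("/")
    if not major or "*" in major:
        return False
    if minor == "*":
        return True
    return bool(minor) and "*" not in minor


def validate_extension(ext: str) -> bool:
    """Extensions look like '.exe'; the wildcard is not allowed here."""
    return ext.startswith(".") and len(ext) > 1 and "*" not in ext


@dataclass
class ContentTypeSet:
    name: str
    mime_types: tuple
    extensions: tuple

    def __post_init__(self):
        bad = [m for m in self.mime_types if not validate_mime_pattern(m)]
        bad += [e for e in self.extensions if not validate_extension(e)]
        if bad:
            raise ValueError(f"{self.name}: invalid content type entries {bad}")

    def matches_mime(self, content_type_header: str) -> bool:
        # Drop header parameters such as '; charset=utf-8' before comparing.
        mime = content_type_header.split(";")[0].strip().lower()
        for pattern in self.mime_types:
            pattern = pattern.lower()
            if pattern.endswith("/*"):
                if mime.startswith(pattern[:-1]):   # 'application/' prefix
                    return True
            elif mime == pattern:
                return True
        return False

    def matches_extension(self, url_path: str) -> bool:
        path = url_path.split("?")[0].lower()
        return any(path.endswith(ext.lower()) for ext in self.extensions)

    def matches(self, url_path: str, content_type_header: str = "") -> bool:
        """Assumed matching order: when the Web server returned a
        Content-Type header, check the MIME type; otherwise (for example
        FTP content requested through the Web proxy) check the extension."""
        if content_type_header:
            return self.matches_mime(content_type_header)
        return self.matches_extension(url_path)


# Constructed set in the spirit of the "block .exe or .vbs downloads" example.
EXECUTABLES = ContentTypeSet(
    "Executable downloads",
    mime_types=("application/x-msdownload", "application/x-msdos-program"),
    extensions=(".exe", ".vbs", ".msi"),
)

if __name__ == "__main__":
    print(EXECUTABLES.matches("/files/setup.bin", "application/x-msdownload"))
    print(EXECUTABLES.matches("ftp://files.example.test/tools/installer.msi"))
    print(EXECUTABLES.matches("/index.html", "text/html; charset=utf-8"))
```

The point the validator makes is the one in the Note above: a pattern such as application/x-* or a wildcard extension like .ex* is rejected before it reaches a rule, rather than silently matching nothing. The example also shows why a content type set should carry both MIME types and extensions: an HTTP response whose Content-Type header does not describe the payload is matched only by the header, so a set limited to extensions would not apply to it.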
How to Configure Schedule Elements
In some cases, you may also want to configure access to the Internet based on the time
of day. To do this, configure a schedule element and apply it or one of the existing
schedules to an access rule. Schedule elements define a schedule that you can use to
grant or deny Internet access as part of an access rule.
ISA Server 2004 is preconfigured with the following two schedules:
■ Weekends Defines a schedule that includes all times on Saturday and Sunday
■ Work Hours Defines a schedule that includes the hours between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.) on Monday through Friday
To create a new schedule element, use the following procedure.
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Schedules.
3. Click New. In the New Schedule dialog box, as shown in Figure 5-15, fill in the following information:
❑ Type the schedule name in the Name box.
❑ Configure the schedule by selecting the times when the rule will be active or inactive and then clicking Active or Inactive.
Figure 5-15 Configuring a new schedule
To modify an existing schedule element, click the schedule element in the Schedules box, and then click Edit.
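To show how the protocol, user set and schedule elements described in Table 5-3, Table 5-4, the user set section and the schedule section above combine into a single access rule, here is an added Python example; it is not code from this book or from ISA Server. A protocol element carries the type, direction and primary port range from Table 5-4 (validated against the 1 to 65535 limit), a user set carries included groups and excluded groups, and a schedule is a set of active weekday-and-hour slots. The Work Hours and Weekends schedules follow the definitions given above; the HTTP protocol element, the Staff user set with its TempEmployees exclusion, the rule name and the sample requests are constructed for the example.

```python
"""Access rule built from protocol, user set and schedule elements (added
example, not ISA Server code).  Policy names and requests are constructed."""

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Protocol:
    """Protocol element: type, direction and the primary port range."""
    name: str
    proto_type: str          # "TCP" or "UDP" in this example
    direction: str           # "Outbound"/"Inbound" (TCP) or "Send"/"Receive" (UDP)
    port_range: tuple        # inclusive (low, high), each within 1..65535

    def __post_init__(self):
        low, high = self.port_range
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"{self.name}: port range must lie within 1-65535")

    def matches(self, proto_type: str, direction: str, port: int) -> bool:
        low, high = self.port_range
        return (proto_type == self.proto_type and direction == self.direction
                and low <= port <= high)


@dataclass
class UserSet:
    """User set element: groups the rule applies to, minus excluded groups."""
    name: str
    include: frozenset             # group names, "All Users" or "All Authenticated Users"
    exclude: frozenset = frozenset()

    def contains(self, user_groups: frozenset, authenticated: bool) -> bool:
        if self.exclude & user_groups:
            return False            # an exclusion always wins
        if "All Users" in self.include:
            return True
        if "All Authenticated Users" in self.include and authenticated:
            return True
        return bool(self.include & user_groups)


@dataclass
class Schedule:
    """Schedule element: the (weekday, hour) slots during which a rule is active."""
    name: str
    active: frozenset              # pairs (weekday, hour), Monday == 0

    @classmethod
    def hours(cls, name, weekdays, start, end):
        return cls(name, frozenset((d, h) for d in weekdays for h in range(start, end)))

    def is_active(self, when: datetime) -> bool:
        return (when.weekday(), when.hour) in self.active


WORK_HOURS = Schedule.hours("Work Hours", range(0, 5), 9, 17)   # 09:00-17:00 Mon-Fri
WEEKENDS = Schedule.hours("Weekends", (5, 6), 0, 24)           # all of Saturday and Sunday


@dataclass
class AccessRule:
    name: str
    action: str                    # "allow" or "deny"
    protocols: tuple
    users: UserSet
    schedule: Schedule

    def applies(self, proto_type, direction, port, user_groups, authenticated, when):
        return (any(p.matches(proto_type, direction, port) for p in self.protocols)
                and self.users.contains(frozenset(user_groups), authenticated)
                and self.schedule.is_active(when))


def evaluate(rules, **request):
    """First matching rule wins; traffic no rule allows is denied, which is
    ISA Server's default.  `when` may be a datetime or an ISO 8601 string."""
    if isinstance(request.get("when"), str):
        request["when"] = datetime.fromisoformat(request["when"])
    for rule in rules:
        if rule.applies(**request):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy from the Table 5-3 example: Domain Users may browse
# during work hours, except members of TempEmployees.
HTTP = Protocol("HTTP", "TCP", "Outbound", (80, 80))
STAFF = UserSet("Staff", frozenset({"Domain Users"}), frozenset({"TempEmployees"}))
RULES = [AccessRule("Web for staff", "allow", (HTTP,), STAFF, WORK_HOURS)]

if __name__ == "__main__":
    print(evaluate(RULES, proto_type="TCP", direction="Outbound", port=80,
                   user_groups={"Domain Users"}, authenticated=True,
                   when="2005-03-14T10:00"))
```

Two details are worth noticing. The exclusion in the user set is checked before any inclusion, so a temporary employee who is also a Domain User is still refused, which is the behaviour Table 5-3 describes. And because the rule requires a user set, an unauthenticated SecureNAT client carries no group membership and falls through to the default deny; a rule meant to cover SecureNAT clients has to use the All Users set instead.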
How to Configure Network Objects
You may also want to define which Web sites or servers users can or cannot access.
You can configure this by creating either a domain name set or a URL set and then
applying these sets to an access rule. Moreover, you can create groups of computers
that you can use when creating access rules. For example, you may want to allow
access to specific Internet resources only to certain computers. You can create computer objects, computer sets, address ranges, or subnets to define groups of one or
more computers, and then use these objects to allow or deny access to Internet
resources. These computer objects can be used both as the source object and the destination object when defining access rules.
Table 5-5 describes the types of network objects available in ISA Server 2004 when creating access rules.
Table 5-5 Network Object Access Rule Elements (Network Object: Description. Examples)
Networks: A network rule element represents a network, which is all the computers connected (directly or through one or more routers) to a single ISA Server computer network adapter. Examples: Internal, External, Branch Office.
Network Sets: A network-set rule element represents a grouping of one or more networks. You can use this rule element to apply rules to more than one network. Example: All Protected Networks.
Computer: A computer rule element represents a single computer, identified by its IP address. Example: DC1 (IP Address: 192.168.1.10).
Address Ranges: An address range is a set of computers represented by a continuous range of IP addresses. Example: All DCs (IP Address Range: 192.168.1.10 – 192.168.1.20).
Subnets: A subnet represents a network subnet, specified by a network address and a mask. Example: Branch Office Network (IP Addresses 192.168.2.0/24).
Computer Sets: A computer set includes a collection of computers identified by their IP addresses, a subnet object, or an address-range object. Example: All DCs and Exchange Servers.
URL Sets: URL sets specify one or more URLs grouped together to form a set. Example: Microsoft Web Site (http://www.microsoft.com/*).
Domain Name Sets: Domain name sets define one or more domain names as a single set, so that you can apply access rules to the specified domains. Examples: Microsoft Domain (*.microsoft.com); Microsoft Error Reporting Sites, a predefined domain name set used to allow error reporting; System Policy Allowed Sites, a predefined domain name set used to allow access to trusted sites for maintenance and management.
Note For more information about configuring networks and network sets, see Chapter 7,
“Configuring ISA Server as a Firewall.”
You can use any of these access rule elements when defining access rules. Note the following configuration restrictions:
■ When specifying the domain name, you can use an asterisk (*) to specify a set of computers. For example, to specify all computers in the cohovineyard.com domain, type the domain name as *.cohovineyard.com. The asterisk can appear only at the start of the domain name, and can be specified only once in the name. You must use the FQDN when specifying a domain name.
■ When you create a URL set, you can specify one or more URLs in URL format. For example, you specify a URL such as http://www.cohovineyard.com. You can also specify a path and use wildcard characters in the path, but only at the end. For example, www.cohovineyard.com/* is acceptable. However, www.cohovineyard.com/*/sales is not.
Tip ISA Server processes rules that apply to URL sets only for client requests for HTTP or
FTP over HTTP. When a client uses any other protocol, ISA Server does not process rules that
apply only to a URL set.
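The network objects of Table 5-5 and the two wildcard restrictions listed above can be checked in code. The following Python example is added here and is not code from this book or from ISA Server: it validates domain name set entries (an FQDN with at most one asterisk, and only as a leading "*."), validates URL set entries (a wildcard only as the last character of the path), tests a requested host or URL against such a set, and matches a source IP address against computer, subnet and address-range objects. The domain names and addresses are the page's own examples (cohovineyard.com, 192.168.1.10 to 192.168.1.20, 192.168.2.0/24) or constructed values; treating *.cohovineyard.com as also covering the bare cohovineyard.com host is an assumption.

```python
"""Domain name sets, URL sets and computer objects (added example, not ISA
Server code).  Entries below are the page's examples or constructed values."""

import ipaddress
from urllib.parse import urlsplit


def validate_domain_entry(entry: str) -> bool:
    """'*.cohovineyard.com' and 'www.cohovineyard.com' are valid entries;
    'www.*.com', '**.com' and a bare label without a dot (not an FQDN) are not."""
    body = entry[2:] if entry.startswith("*.") else entry
    if "*" in body or "." not in body:
        return False
    return all(label and label.replace("-", "").isalnum()
               for label in body.split("."))


def domain_set_contains(entries, host: str) -> bool:
    """True when `host` is one of the entries or lies under a '*.domain' entry."""
    host = host.lower().rstrip(".")
    for entry in entries:
        e = entry.lower()
        if e.startswith("*."):
            # Assumption: '*.domain' covers sub-domains and the domain itself.
            if host.endswith(e[1:]) or host == e[2:]:
                return True
        elif host == e:
            return True
    return False


def _split(entry: str):
    # Entries may be written with or without a scheme, as in the text.
    return urlsplit(entry if "://" in entry else "http://" + entry)


def validate_url_entry(entry: str) -> bool:
    """Wildcard only at the end of the path: 'www.cohovineyard.com/*' is
    acceptable, 'www.cohovineyard.com/*/sales' is not."""
    parts = _split(entry)
    if not parts.netloc or "*" in parts.netloc:
        return False
    return "*" not in parts.path[:-1]


def url_set_contains(entries, url: str) -> bool:
    """True when `url` matches an entry exactly or falls under a trailing-* path."""
    req = _split(url)
    for entry in entries:
        e = _split(entry)
        if req.netloc.lower() != e.netloc.lower():
            continue
        if e.path.endswith("*"):
            if req.path.startswith(e.path[:-1]):
                return True
        elif (req.path or "/") == (e.path or "/"):
            return True
    return False


class ComputerSet:
    """A computer set built from computer, subnet and address-range objects."""

    def __init__(self, name, computers=(), subnets=(), ranges=()):
        self.name = name
        self.computers = {ipaddress.ip_address(c) for c in computers}
        self.subnets = [ipaddress.ip_network(s, strict=False) for s in subnets]
        self.ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                       for a, b in ranges]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return (addr in self.computers
                or any(addr in net for net in self.subnets)
                or any(low <= addr <= high for low, high in self.ranges))


# Objects taken from the Table 5-5 examples.
DC1 = ComputerSet("DC1", computers=["192.168.1.10"])
ALL_DCS = ComputerSet("All DCs", ranges=[("192.168.1.10", "192.168.1.20")])
BRANCH = ComputerSet("Branch Office Network", subnets=["192.168.2.0/24"])

if __name__ == "__main__":
    print(validate_url_entry("www.cohovineyard.com/*"),
          validate_url_entry("www.cohovineyard.com/*/sales"))
    print(domain_set_contains(["*.cohovineyard.com"], "mail.cohovineyard.com"))
    print(ALL_DCS.contains("192.168.1.15"), BRANCH.contains("10.0.0.5"))
```

Validating entries when they are created, rather than when a request arrives, is the useful habit here: an entry such as www.cohovineyard.com/*/sales never matches anything, so a rule that depends on it silently allows or denies less than intended. The Tip above also applies to the URL-set matcher: it is only meaningful for HTTP and FTP-over-HTTP requests, where a full URL is available to compare.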
To create a new Network Object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. Click New, and then click the type of object that you want to create. All the network objects have a similar configuration interface. The configuration interface for
creating a domain set is shown in Figure 5-16.
Figure 5-16 Configuring a domain set
To modify an existing network object, click the object in the Network Objects box, and
then click Edit.
5-38
Chapter 5
Enabling Secure Internet Access with ISA Server 2004
Practice: Configuring Access Rule Elements
In this practice, you will configure several access rule elements. You will be using these
access rule elements in a later practice to create access rules to grant and deny access
to Internet resources.
Exercise 1: Configuring a New User Set
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, click Users.
3. Click New. On the Welcome To The New User Sets Wizard, in the User Set Name
box, type Managers. Click Next.
4. On the Users page, click Add, and then click Windows Users And Groups.
5. In the Select Users And Groups dialog box, click Locations. In the Locations dialog
box, expand Entire Directory, then click Cohovineyard.com and then click OK.
6. In the Select Users And Groups dialog box, in the Enter The Object Names To
Select box, type Managers.
7. Click OK, and then click Next.
8. On the Completing The New User Set Wizard, review the configuration and click
Finish.
Exercise 2: Configuring a New Content Type Element
1. On the Toolbox tab, click Content Types.
2. Click New.
3. In the New Content Type Set dialog box, in the Name box, type Powerpoint
Content Type. In the Available Types drop-down list, click .ppt. Click Add.
Repeat for the following available types: application/vnd.ms-powerpoint, application/x-mspowerpoint, .pot, .pps.
4. Click OK.
Exercise 3: Configuring a New Schedule Element
1. On the Toolbox tab, click Schedules.
2. Click New.
3. In the New Schedule dialog box, in the Name box, type Night Shift Schedule.
Configure the Active time on the schedule to be from midnight to 8 A.M. every
weekday.
4. Click OK.
Note In the following two exercises, you will create a URL set and a domain name set. To
test the access rules that you will create later in this chapter, the Web sites listed in the URL
set and domain name set must be accessible on the external network of the ISA Server computer. The following exercises assume that the Internet is accessible from the ISA Server
computer. If you are using a test environment where the Internet is not accessible, configure
the URL set and the domain set to use a Web address that is accessible from the ISA Server
computer.
Exercise 4: Configuring a New URL Set
1. On the Toolbox tab, click Network Objects.
2. To create a new URL set, click New, and then click URL Set.
3. In the New URL Set Rule Element dialog box, in the Name box, type Microsoft
URL. Click New and then, in the URLs Included In This URL Set box, type
http://www.microsoft.com/*.
4. Click OK.
Exercise 5: Configuring a New Domain Name Set
1. On the Toolbox tab, click Network Objects.
2. To create a new domain name set, click New, and then click Domain Name Set.
3. In the New Domain Set Policy Element dialog box, in the Name box, type
Microsoft Domain. Click New and then, in the Domain Names Included In This
Set box, type *.microsoft.com.
4. Click OK.
Exercise 6: Configuring a New Computer Object
1. On the Toolbox tab, click Network Objects.
2. Click New, and then click Computer.
3. In the New Computer Rule Element dialog box, in the Name box, type DC1. In the
Computer IP Address box, type 10.10.1.10.
4. Click OK.
5. Click Apply to apply all the changes made in this practice.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization has an Internet usage policy specifying that only managers and
executives have unrestricted Internet access. All other employees are allowed
Internet access during the lunch hour and after business hours with restrictions on
the type of content that should be accessible. How can you enforce this policy?
2. Your organization has limited bandwidth available for Internet connections. The
users who require Internet access to do their jobs are complaining about the
speed of the connection. After reviewing the logs you discover that many employees are downloading large image libraries for their desktop wallpaper on a daily
basis from a specific Web site. What can you do to prevent this?
3. Your organization has a single domain running Active Directory. Your organization has four branch offices, all of which use ISA Server 2004 as their Internet edge
firewall and proxy server. All branch offices require the same access rules. Managers at the branch offices must be able to connect to a custom Web application
at your head office using a specific TCP port. No other users should be able to
access the application. How would you configure all the ISA Server 2004 servers
in the most efficient manner?
Lesson Summary
■
An access rule defines the conditions under which traffic is allowed or denied
between networks. An access rule element is one of the configuration options in
an access rule; you use access rule elements to build the access rule.
■
ISA Server 2004 supports the following access rule elements for enabling Internet
access: protocol, user set, content type, schedule, and network objects. ISA Server
provides several default access rule elements, but you can also create and configure new elements.
Lesson 4: Configuring ISA Server Authentication
Many organizations need to limit access to Internet resources based on users or groups.
To configure access rules based on users, you must configure ISA Server to require
authentication. You have several options when configuring authentication on ISA
Server 2004.
After this lesson, you will be able to
■ Describe the ISA Server authentication options
■ Choose the correct type of authentication based on the Internet client you are using
■ Configure authentication for Internet access
Estimated lesson time: 20 minutes
ISA Server Authentication Options
You can configure which authentication method ISA Server will use to authenticate
users that connect using Web Proxy clients. ISA Server supports the following authentication methods:
■
Basic authentication Basic authentication sends the user name and password in
the Authorization header encoded with Base64, which is an encoding, not encryption:
anyone who can observe the traffic can recover the credentials. Basic authentication is
the least secure authentication method that ISA Server supports. However, because
basic authentication is part of the HTTP specification, virtually every browser supports it.
■
Digest authentication Digest authentication passes credentials through a hash.
The client hashes the user name, realm, and password together with a nonce supplied
by the server (RFC 2617 uses MD5) and sends the result instead of the password, so a
captured packet does not contain the password itself. Because every other input to the
hash travels in the clear, a captured exchange can still be attacked offline by guessing
passwords, so Digest protects a password only as well as the password is strong. Digest
authentication currently works only in a domain in which all the domain controllers are
running Microsoft Windows 2000 or Windows Server 2003 and client computers are
running Internet Explorer 5 or later. Digest authentication also works only if the domain
controller has a reversibly encrypted copy of the requesting user’s password stored in
Active Directory. This is not the default configuration, so you must enable it. Storing a
password with reversible encryption is significantly less secure than the Active Directory
default, in which the password is stored as a one-way hash.
Note
ISA Server 2004 also supports a new version of Digest authentication named WDigest authentication. WDigest does not require that passwords be stored in reversible encryption. WDigest is supported only for ISA Server computers running on Windows Server 2003.
When both ISA Server and the domain controllers are running Windows Server 2003, the
default authentication is WDigest. This means that when you select Digest authentication in a
Windows Server 2003 environment, you are actually selecting WDigest.
■
Integrated Windows authentication Uses either the Kerberos version 5
authentication protocol or NTLM. Neither sends the password across the network:
Kerberos presents a ticket, and NTLM answers a server challenge with a hash-based
response, although the user name itself still travels in the clear in the NTLM exchange.
Integrated Windows authentication works with Internet Explorer 2.0 or later. Use
Integrated Windows authentication when all the client computers use Internet
Explorer. It is the default authentication method used by members of the Windows
2000 Server and Windows Server 2003 families.
■
Digital certificates authentication Requests a client certificate from the client
before allowing the request to be processed. Users obtain client certificates from a
certification authority that can be internal to your organization or a trusted external
organization. Client certificates usually contain identifying information about the user
and the organization that issued the client certificate. Client certificates are more commonly used to authenticate Internet users rather than internal users trying to access
the Internet. Web Proxy clients do not support client certificate authentication.
■
Remote Authentication Dial-In User Service RADIUS is an industry-standard
authentication protocol. A RADIUS client (typically a dial-up server, VPN server, or
wireless access point, or ISA Server itself when it forwards Web Proxy credentials)
sends the user’s credentials and connection parameters to a RADIUS server in the form
of a RADIUS message. The RADIUS server validates the credentials against its user
database and returns an Access-Accept or Access-Reject message. RADIUS authentication
is more frequently used to provide authentication for accessing resources on the internal
network from the Internet.
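The difference between the Basic and Digest methods described above, as an added Python example that is not part of the book: it builds the Proxy-Authorization values a Web Proxy client would send, recovers the Basic credentials with a single decode, shows that the Digest header carries the user name (but not the password) in the clear, and then runs the offline dictionary attack that a captured Digest exchange still permits. The user name, realm, password, nonce and cnonce values are constructed for the example:

```python
import base64
import hashlib

# Constructed sample credentials and challenge values for the demonstration (not from the
# lesson); the nonce/cnonce are arbitrary hex strings of the kind a server and client emit.
USER, REALM, PASSWORD = "COHOVINEYARD\\mhill", "cohovineyard.com", "Vintage2004!"
METHOD, URI = "GET", "http://www.microsoft.com/"
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"


def basic_authorization(user: str, password: str) -> str:
    """Proxy-Authorization value a Web Proxy client sends for Basic: Base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header: str) -> tuple:
    """Anyone who sees the header recovers the credentials in one step."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth") -> str:
    """RFC 2617 Digest response (qop=auth): the password only enters through the HA1 hash."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def digest_authorization(user, realm, password, method, uri, nonce, cnonce) -> str:
    """The Digest header: user name, realm, nonce and URI in the clear; no password."""
    response = digest_response(user, realm, password, method, uri, nonce, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc=00000001, cnonce="{cnonce}", response="{response}"')


def digest_dictionary_attack(captured_response, user, realm, method, uri, nonce, cnonce,
                             wordlist):
    """Offline guessing against a captured Digest exchange.

    Nothing on the wire reveals the password, but every other hash input was captured,
    so each guess costs three MD5 calls and a weak password falls to a wordlist.
    """
    for guess in wordlist:
        if digest_response(user, realm, guess, method, uri, nonce, cnonce) == captured_response:
            return guess
    return None
```

The nonce is what stops a captured Digest response from being replayed against a later challenge; it does nothing against the offline guessing shown in `digest_dictionary_attack`, which is why the lesson's caution about password strength applies to Digest as well as to Basic.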
ISA Server Clients and Authentication
The ISA Server authentication that you choose depends on the type of ISA Server client
you have deployed in your organization.
SecureNAT Clients For SecureNAT clients, there is no user-based authentication. You
can restrict access to the Internet based only on network rules and other access rules.
If an access rule requires authentication, SecureNAT clients will be blocked from
accessing the resources defined by the rule.
Exam Tip Keep this SecureNAT client restriction in mind when you write the exam. Any
access rule that requires authentication, or any requirement that states that you must limit
access based on users or groups, cannot be applied to SecureNAT clients.
Firewall Clients When ISA Server authenticates a Firewall client, it uses the credentials of the user making the request on the computer running the Firewall client.
Because ISA Server requests credentials when a session is established, no client configuration is required to enable authentication of users who gain access to ISA Server by
using a Firewall client. When the Firewall client requests an object, ISA Server does not
ask the client to authenticate, because the session already has an identity.
Web Proxy Clients Web Proxy clients do not automatically send authentication information to the ISA Server computer. By default, ISA Server requests credentials from a
Web Proxy client only when processing a rule that restricts access based on a user set element. You can configure which method the client and ISA Server use for authentication.
You can also configure ISA Server to require authentication for all Web requests. When
a Web Proxy client requests HTTP content and all users are required to authenticate,
ISA Server will always ask for user credentials before checking the firewall policy. Otherwise, ISA Server will try to determine if the first rule (of the ordered firewall policy)
matches the client request. If the rule seems to match, but ISA Server requires client
authentication to validate the match, ISA Server will request that the client authenticate.
Otherwise, if the rule applies to the All Users user set, or the rule applies to the IP
address of the specific client, ISA Server will not request user credentials and will try to
apply the firewall policy.
Real World
What Type of Authentication Should You Use?
By default, ISA Server 2004 enables only Integrated authentication for Internet
access authentication. Most organizations never need to change that setting. Integrated authentication is the most secure and the most flexible authentication
option available, with two very important restrictions.
The first restriction is that all your clients must use a browser that supports Integrated
authentication. Every version of Internet Explorer currently in use supports it; at the time
of writing, most other Web browsers do not.
The second important restriction is that the ISA Server computer must be a member of the internal domain to use Integrated authentication. As discussed in the
last chapter, this is often a controversial decision, but the easiest way to enable
authentication for Internet access is to use an ISA Server computer that is a member of the same domain, or in a trusting domain. If the ISA Server computer is a
member of the internal domain, you can use the domain users and groups to
define user sets to limit access.
So if you are using Internet Explorer as your Web browser, and your ISA Server
computer is a member of your internal domain, then just leave the default configuration. If you are not using Internet Explorer as your Web browser, then your
most feasible options are to use Basic authentication or Digest authentication.
Basic authentication is supported by virtually all Web browsers, so implementing
Basic authentication is a matter of enabling the option on ISA Server. However,
Basic authentication is not secure, because the user name and password are passed
in clear text on every request. Digest authentication is supported by most recent Web
browsers and does not pass the password in clear text (the user name still is), but
storing user passwords in reversible encryption is not secure either.
If your organization is using a Web browser other than Internet Explorer, you
might want to consider deploying the Firewall Client to all client computers.
When a Firewall client connects to the ISA Server computer, the user is authenticated using the encrypted control channel. Then you can use any browser to
access Internet resources without requiring additional authentication.
Exam Tip
It is always a good idea to keep the default setting for any configuration item in
mind when writing the exam. For example, the fact that the default authentication method for
Internet access is Integrated authentication means that, by default, only Internet Explorer
Web browsers can be used if authentication is required.
How to Configure Authentication
When access rules that apply to Web Proxy clients are configured to apply to users
(and not to IP addresses), at least one authentication mechanism must be specified so
that the users making the requests can be authenticated. If no authentication mechanism is specified, then all requests will be denied.
To configure authentication for Internet requests, complete the following steps:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and select Networks.
2. On the Networks tab, click Internal. Click Edit Selected Network.
3. Click the Web Proxy tab, and then click Authentication to access the Authentication dialog box, shown in Figure 5-17. The configuration options are described in
Table 5-6.
Figure 5-17 Configuring authentication for Internet requests
Table 5-6 Authentication Configuration Options
Configuration Option: Explanation
Authentication Method: Configure the method or methods of authentication supported by the ISA Server computer.
Require All Users To Authenticate: Configure ISA Server to allow only authenticated users to access other networks. If you choose this option, SecureNAT clients will not be able to access the Internet using this ISA Server.
Authentication Domain: Configure the default domain that will be used for authentication when using Basic, Digest, or RADIUS authentication.
RADIUS Servers: Configure the RADIUS server that will be used for authentication.
Practice: Configuring ISA Server Authentication
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and select Networks.
2. On the Networks tab, click Internal. Click Edit Selected Network.
3. Click the Web Proxy tab, and then click Authentication.
4. Select the check box beside Require All Users To Authenticate.
5. Click Basic. Click OK to accept the warning message. The warning points out that Basic
authentication passes credentials in clear text; it is acceptable here only because this
practice runs in a lab environment.
6. Click Select Domain. In the Select Domain dialog box, in the Domain Name text
box, type cohovineyard.com. Click OK.
7. Click OK to close the Authentication dialog box, and then click OK to close the
Internal Properties dialog box.
8. Click Apply to apply the changes.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization has a mixture of Windows 2000 and Windows Server 2003 domain
controllers. You have deployed ISA Server 2004 as your firewall solution. Your
Internet usage policy states that all users accessing the Internet will be authenticated using Digest authentication. You have configured the properties of the Internal network to require Digest authentication. Now none of your users can access
the Internet. How can you correct this problem?
2. All the clients in your organization are configured as SecureNAT clients. You have
created content type elements to prevent users from downloading executables,
MP3 and video file types. You use those elements in an access rule and assign it
to the All Authenticated Users group. After applying the access rule, you discover
that all your clients still have unrestricted access to download the content types.
Why can users still download the content types that you are trying to block? What
should you do to prevent this?
3. Your organization has a multiple-domain forest running Active Directory. You support various browser applications including Internet Explorer and Netscape Navigator. All browsing software is configured to use an ISA Server computer as a
proxy server. You have configured access rules to allow HTTP and HTTPS traffic
for all internal clients, but have not changed any other settings on the ISA Server.
Some of your users have Internet access while others are always denied connections. How can you resolve this problem?
Lesson Summary
■
ISA Server supports five authentication methods for restricting Internet access:
Basic authentication, Digest authentication, Integrated Windows authentication,
Digital Certificates authentication, and RADIUS authentication.
■
SecureNAT clients do not support user-based authentication. You can only restrict
access to the Internet based on network rules and other access rules. Firewall client authentication is performed when the client connects to the ISA Server computer. Web Proxy clients do not automatically send authentication information to
ISA Server. ISA Server requests credentials from a Web Proxy client to identify a
user only when processing a rule that restricts access based on a user element.
■
If you want to restrict access to the Internet based on users and groups, you must
configure ISA Server authentication to meet your organization’s needs.
Lesson 5: Configuring Access Rules for Internet Access
Now that you understand how to configure the access rule elements and how to configure authentication, you are ready to put the elements together to create access
rules to enable Internet access. Access rules are used to configure all network traffic
on ISA Server. Access rules define whether clients on the source network will be able
to access resources on the destination network. This lesson describes how to implement access rules.
After this lesson, you will be able to
■ Describe what access rules are
■ Configure access rules that enable Internet access
Estimated lesson time: 30 minutes
What Are Access Rules?
Access rules are used to configure all traffic flowing through ISA Server, including all
traffic from the internal network to the Internet, and from the Internet to the internal
network. An access rule is graphically represented in Figure 5-18.
Figure 5-18 All access rules have the same structure: an action (allow or deny) on traffic using a protocol, from a user set, from a source (network or IP address), to a destination (network, IP address, URL, or domain), subject to a condition (schedule, content type, or application filter).
All access rules have the same overall structure, as described in Table 5-7.
Table 5-7 Access Rule Format
Access Rules Define: Explanation
An action: Access rules are always configured to either allow or deny access.
To be performed on specified traffic: Access rules can be applied to all protocols, to specified protocols, or to all protocols except specified protocols.
From a particular user: Access rules can be applied to specific users or to all users, whether they have authenticated or not.
Coming from a particular computer: Access rules can be applied to computers based on their network locations or IP addresses.
Going to a particular destination: Access rules can be applied to specific destinations, including networks, destination IP addresses, and domain names or URLs.
Based on particular conditions: Access rules can set additional conditions, including schedules, content-type filtering, or application layer filtering.
How to Configure Access Rules
To enable access for internal clients to access the Internet, you must configure an
access rule that grants this type of access. You can configure the access rule using the
access rule elements.
Configuring a New Access Rule
To configure a new access rule that grants access to the Internet, use the following procedure:
1. In the ISA Server Management Console tree, select Firewall Policy.
2. In the task pane, on the Tasks tab, select Create New Access Rule.
3. On the Welcome To The New Access Rule page, in Access Rule Name, enter the
name for the access rule; then click Next.
4. On the Rule Action page, shown in Figure 5-19, click Allow, and then click Next.
Figure 5-19 Configuring the access rule action
5. On the Protocols page, shown in Figure 5-20, configure the protocols to which
this access rule applies. You have three options that you can allow:
❑
All Outbound Protocols—If you choose this option, the access rule applies to
all protocols coming from the source network to the destination network.
❑
Selected Protocols—Click Add to add the specific protocol elements from the
Add Protocols dialog box. With this option, you can specify which protocols
will be allowed by this access rule.
❑
All Outbound Protocols Except Selected—Click Add to add the specific protocol
elements from the Add Protocols dialog box. With this option, all protocols
will be allowed except for the protocols that you specify.
When you have made these selections, click Next.
Figure 5-20 Configuring the access rule protocols
6. On the Access Rule Sources page, shown in Figure 5-21, click Add to open the
Add Network Entities dialog box. You can choose from any of the network objects
defined on ISA Server. Select the network object or objects that you want, click
Add, and then click Close. On the Access Rule Sources page, click Next.
Figure 5-21 Configuring the access rule source
7. On the Access Rule Destinations page, shown in Figure 5-22, click Add to open
the Add Network Entities dialog box, click Networks, select the External network
(representing the Internet), click Add, and then click Close. On the Access Rule
Destinations page, click Next.
Figure 5-22 Configuring the access rule destination
8. On the User Sets page, shown in Figure 5-23, you configure which users will be
able to use the access rule. If you want to grant access to the Internet for all users,
you can leave the user set All Users in place and proceed to the next page of the
wizard. If the rule applies to specific users, select All Users, and then click
Remove. Then, click Add to open the Add Users dialog box, from which you can
add the user set to which the rule applies. When you have completed the user set
selection, click Next.
Figure 5-23 Configuring the access rule users
9. On the Completing The New Access Rule Wizard page, review the information in
the wizard summary, and then click Finish.
10. To configure the content types for the access rule, double-click the access rule.
On the Content Types tab, shown in Figure 5-24, either accept the default setting
that applies the rule to all content types or select the content types that the rule
applies to.
Figure 5-24 Configuring the access rule content types
11. To configure the schedule, on the Schedule tab, select the appropriate schedule
from the Schedule list or click New to configure a new schedule element. Click
OK.
12. To change the order of your access rules, select the access rule on the Firewall
Policy tab and click Move Selected Rules Up or Move Selected Rules Down.
13. In the Firewall Policy details pane, click Apply to apply the new access rule.
See Also
For detailed walk-throughs of a variety of Internet access scenarios, see the article
“Controlling Secure Internet Access Using ISA Server 2004,” located at
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/controllingsecureinternetaccess.mspx.
How to Assign Access Rule Priorities
Because access rules are evaluated in order based on the priority assigned in the ISA
Server Management Console interface, it is important that you assign these priorities
correctly.
Exam Tip
One of the more common reasons why access rules do not operate as expected
is because of the access rule priorities. ISA Server evaluates the access rules listed in the
ISA Server Management Firewall Policy from the top down. As soon as ISA Server encounters
a rule that corresponds with the client request, ISA Server evaluates that rule and grants or
denies access. When you get an exam question in which users cannot access resources on
another network, examine the access rule properties and examine the access rule order. If an
access rule that denies access is evaluated before an access rule that enables access, the
client connection will be denied.
In general, you should apply deny rules first, followed by the more specific rules, followed by general rules. For example, you may have the following requirements when
configuring Internet access:
■
All computers should be able to access the Internet except for selected file servers.
■
All users should be able to access the Internet except temporary employees.
■
Users who access the Internet from a public kiosk computer located in the organization’s reception area should be able to use only HTTP and HTTPS to access
the Internet.
■
Users should be able to access the Internet using all protocols.
Tip If you have worked as a Windows server administrator for a while and configured permissions using NTFS permissions, you are used to the idea that Windows always applies the
deny permissions first, and then evaluates the allow permissions. This is not the case with
ISA Server 2004. ISA Server evaluates all the access rules in order, regardless of whether the
access rule allows or denies access.
To configure the access rules in this scenario, you could configure the rules with the
following priorities:
1. Create an access rule that denies Internet access to a computer set that includes all
the file servers.
2. Create an access rule that denies Internet access to the domain group that contains
all temporary employees. This rule can only take effect for Web Proxy and Firewall
clients; a SecureNAT client never presents an identity, so a rule scoped to a user set
cannot match it.
3. Create an access rule that allows only HTTP or HTTPS traffic from the public kiosk
computer to the Internet.
4. Create an access rule that denies all other protocols from the public kiosk computer.
Without it, a kiosk request that uses any other protocol does not match rule 3 and falls
through to the general allow rule that follows, which would permit it.
5. Create an access rule that allows all users to access the Internet using any protocol.
Important ISA Server includes one default access rule that denies access to all protocols
going to any network. This rule cannot be modified, and it is always the last rule to be
applied.
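The top-down, first-match evaluation described in this lesson, together with the credential request for Web Proxy clients described in Lesson 4, as an added Python model that is not code from the book or from ISA Server. It evaluates the four rules from the scenario above against SecureNAT and Web Proxy requests, shows the kiosk fall-through that an extra deny rule closes, and shows that the temporary-employee deny rule cannot apply to a SecureNAT client. The IP addresses, accounts, group names and the `lab_authenticate` lookup are constructed for the example; treating a rule that needs an identity as skipped for SecureNAT clients is a modelling assumption drawn from the lesson's SecureNAT discussion:

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

ALL_USERS = "All Users"
NO_CREDENTIALS = "Deny (no credentials)"


@dataclass(frozen=True)
class Request:
    client: str                     # "SecureNAT", "Firewall" or "WebProxy"
    source_ip: str
    protocol: str                   # "HTTP", "HTTPS", "FTP", ...
    user: Optional[str] = None      # identity, once credentials have been presented
    groups: frozenset = frozenset()
    can_authenticate: bool = True   # False: the browser cannot do the configured method


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                               # "Allow" or "Deny"
    sources: Optional[frozenset] = None       # source IPs; None = the whole Internal network
    protocols: Optional[frozenset] = None     # None = all outbound protocols
    user_set: str = ALL_USERS                 # ALL_USERS or a group name

    def matches(self, req: Request) -> Optional[bool]:
        """True: rule applies. False: no match. None: an identity is needed to decide."""
        if self.sources is not None and req.source_ip not in self.sources:
            return False
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.user_set == ALL_USERS:
            return True
        if req.user is None:
            return None
        return self.user_set in req.groups


DEFAULT_RULE = AccessRule("Default rule", "Deny")   # always evaluated last, cannot be edited


def evaluate(policy, req: Request, authenticate: Callable[[Request], Optional[Request]]):
    """First matching rule, top-down, decides. Returns (rule name, outcome).

    authenticate(req) models ISA Server asking a Web Proxy client for credentials: it
    returns the request with user and groups filled in, or None if the client cannot
    authenticate. A SecureNAT client has no identity, so a rule that needs one is
    skipped for it (modelling assumption, consistent with the lesson's SecureNAT text).
    """
    for rule in [*policy, DEFAULT_RULE]:
        verdict = rule.matches(req)
        if verdict is None:
            if req.client == "SecureNAT":
                continue
            if req.user is None:                 # Web Proxy client, still anonymous
                authed = authenticate(req)
                if authed is None:
                    return rule.name, NO_CREDENTIALS
                req = authed
            verdict = rule.matches(req)
        if verdict:
            return rule.name, rule.action
    raise AssertionError("unreachable: the default rule matches everything")


# Constructed scenario values (not from the book).
FILE_SERVERS = frozenset({"10.10.1.20", "10.10.1.21"})
KIOSK = "10.10.1.200"

LESSON_POLICY = [
    AccessRule("Deny file servers", "Deny", sources=FILE_SERVERS),
    AccessRule("Deny temporary employees", "Deny", user_set="Temporary Employees"),
    AccessRule("Kiosk HTTP/HTTPS only", "Allow", sources=frozenset({KIOSK}),
               protocols=frozenset({"HTTP", "HTTPS"})),
    AccessRule("Allow all users, all protocols", "Allow"),
]

# The lesson's four rules let kiosk traffic on any other protocol fall through to the
# general allow; a deny rule for the kiosk placed before it closes that gap.
FIXED_POLICY = LESSON_POLICY[:3] + [
    AccessRule("Kiosk: deny everything else", "Deny", sources=frozenset({KIOSK}))
] + LESSON_POLICY[3:]

# Constructed lab directory: which account is logged on at which client.
LAB_USERS = {
    "10.10.1.50": ("COHOVINEYARD\\tsmith", frozenset({"Temporary Employees"})),
    "10.10.1.60": ("COHOVINEYARD\\mhill", frozenset({"Managers"})),
}


def lab_authenticate(req: Request) -> Optional[Request]:
    if not req.can_authenticate or req.source_ip not in LAB_USERS:
        return None
    user, groups = LAB_USERS[req.source_ip]
    return replace(req, user=user, groups=groups)


def decide(policy, client, source_ip, protocol, can_authenticate=True):
    req = Request(client, source_ip, protocol, can_authenticate=can_authenticate)
    return evaluate(policy, req, lab_authenticate)
```

`decide(LESSON_POLICY, "SecureNAT", "10.10.1.50", "HTTP")` returns the general allow even though that machine belongs to a temporary employee, which is the Exam Tip about SecureNAT clients in concrete form; `decide(LESSON_POLICY, "SecureNAT", KIOSK, "FTP")` shows the kiosk fall-through, and `FIXED_POLICY` shows the deny rule that closes it.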
Troubleshooting Internet Access
ISA Server uses access rules to grant internal users access to Internet resources. In
some cases, you may need to troubleshoot these access rules to ensure that a user can
access the required resources. Use the following guidelines to troubleshoot Internet
access issues:
■
Check DNS name resolution If the client cannot resolve the DNS name of the
Internet resource, the client will not be able to connect to the resource. To check
if the client can resolve the DNS name, ping the FQDN of the Internet resource.
Even if you cannot ping the server, the ping output shows whether the client
resolved the FQDN to the correct IP address. If the client did not resolve the DNS
name correctly, then check the client DNS configuration and the DNS server used
by the client. Also check the access rules on ISA Server to ensure that DNS queries
from the internal network can be forwarded to the Internet DNS servers.
■
Determine the extent of the problem An important troubleshooting step is to
attempt to identify the cause of the problem by isolating who is affected by the
problem. For example, if only one user or group of users is affected then the issue
is likely a configuration error on an ISA Server access rule. If only one Web site is
inaccessible, then the problem may be with an access rule configuration, or the
Web site may be unavailable. If all computers are affected, then you must check
the ISA Server configuration and network connectivity. If only one computer is
affected, then check the network connectivity and client configuration on that one
computer.
■
Review access rule objects and access rule configuration After determining
the extent of the problem, review the access rule configurations that specifically
relate to the affected users. For example, if a group of users is affected, then look
for access rules or access rule elements that apply specifically to that group.
■
Review access rule order ISA Server evaluates access rules in the order listed
in ISA Server Management. The first rule that matches the client request is applied
to the request. For example, if an access rule that allows access to all Web sites
using HTTP is listed first, other access rules that set restrictions on which Web sites
can be accessed will not be evaluated.
■
Check access rule authentication If an access rule requires authentication,
then ensure that the ISA Server clients support the authentication method configured
on ISA Server. Also ensure that all users are using Web Proxy or Firewall clients,
because SecureNAT clients do not support authentication. The access rule order is also
important when using access rules that require authentication. For example, if an
access rule that allows Internet access using all protocols, but only for members of a
particular group, is evaluated first, a Web Proxy client that cannot authenticate with the
configured method is denied at that rule and never reaches a later rule that might have
allowed the request anonymously, and an authenticated user who is not a member of
the group gets access only if a later rule allows it.
Planning
Configuring access rules can be quite difficult if you have complicated requirements.
The only way to ensure that the access rules will work as expected is to thoroughly
test the access rule configuration. As you work on your ISA Server deployment project
plan, make sure to include lots of time for testing.
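To make the rule-order and authentication checks in the list above concrete, here is an added Python simulation of first-match rule evaluation; it is not code from the training kit and not ISA Server's actual algorithm. It encodes the three rules the practice in this lesson creates, the DC Access Policy from the troubleshooting lab, and the rule set behind lesson review question 1, so one evaluator shows a group rule falling through for a non-member, a SecureNAT client being stopped by a rule that needs credentials, and a general allow rule placed above a deny rule making the deny unreachable. The Request and Rule classes, the helper names (client1, dc1, download) and the treatment of clients that cannot present credentials are assumptions made for the example.

```python
"""First-match evaluation of an ordered ISA Server 2004-style firewall policy.
Added example, not code from the training kit: Request and Rule are a constructed
simplification of ISA Server's access rule elements, and the policies below follow
the practice exercises, the troubleshooting lab and lesson review question 1."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_USERS = "All Users"                      # no credentials needed
ALL_AUTHENTICATED = "All Authenticated Users"

@dataclass(frozen=True)
class Request:
    sources: FrozenSet[str]         # network objects the client belongs to, e.g. Internal, DC1
    destinations: FrozenSet[str]    # network objects the target belongs to, e.g. External
    protocol: str
    user: Optional[str] = None      # credentials the client can present; None for SecureNAT
    groups: FrozenSet[str] = frozenset()
    content_type: str = ""          # requested file extension, "" when not a download

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    protocols: Optional[FrozenSet[str]] = None      # None = all outbound traffic
    user_set: str = ALL_USERS                       # or ALL_AUTHENTICATED or a group name
    content_types: Optional[FrozenSet[str]] = None  # None = any content

def elements_match(rule: Rule, req: Request) -> bool:
    """Protocol, source, destination and content type; the user set is checked separately."""
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if not (rule.sources & req.sources) or not (rule.destinations & req.destinations):
        return False
    return rule.content_types is None or req.content_type in rule.content_types

def in_user_set(rule: Rule, req: Request) -> bool:
    if rule.user_set == ALL_USERS:
        return True
    return req.user is not None and (rule.user_set == ALL_AUTHENTICATED or rule.user_set in req.groups)

def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the policy top to bottom; the first matching rule decides (action, rule name).
    Assumption, not ISA Server's documented algorithm: a rule that matches on every
    element but needs credentials denies a client that has none to present (SecureNAT),
    while an authenticated user who is not in the user set falls through to the next rule."""
    for rule in policy:
        if not elements_match(rule, req):
            continue
        if rule.user_set != ALL_USERS and req.user is None:
            return "deny", f"{rule.name} (authentication required, no credentials)"
        if in_user_set(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"

INTERNAL, EXTERNAL = frozenset({"Internal"}), frozenset({"External"})
MICROSOFT = frozenset({"External", "Microsoft Domain"})   # www.microsoft.com is in both

# The rules created in the practice, in the order the exercises leave them.
DNS_LOOKUP = Rule("DNS Lookup Policy", "allow", frozenset({"DC1"}), EXTERNAL, frozenset({"DNS"}))
MANAGERS = Rule("Managers Access Policy", "allow", INTERNAL, EXTERNAL, user_set="Managers")
ALL_EMPLOYEES = Rule("All Employees Access Policy", "allow", INTERNAL, EXTERNAL,
                     frozenset({"HTTP", "HTTPS"}), ALL_AUTHENTICATED)
PRACTICE_POLICY = [DNS_LOOKUP, MANAGERS, ALL_EMPLOYEES]

# Troubleshooting lab: DC Access Policy created at the bottom, then moved above the
# rules that need credentials.
DC_ACCESS = Rule("DC Access Policy", "allow", frozenset({"DC1"}), frozenset({"Microsoft Domain"}))
LAB_AS_CREATED = PRACTICE_POLICY + [DC_ACCESS]
LAB_FIXED = [DNS_LOOKUP, DC_ACCESS, MANAGERS, ALL_EMPLOYEES]

# Lesson review question 1: the general allow rule ended up at the top of the list.
EXE = frozenset({".exe", ".vbs"})
GENERAL_ALLOW = Rule("Allow Internet for All Users", "allow", INTERNAL, EXTERNAL)
DENY_EXE = Rule("Deny .exe and .vbs for All Users", "deny", INTERNAL, EXTERNAL, content_types=EXE)
IT_ALLOW_EXE = Rule("Allow .exe and .vbs for IT Administration", "allow", INTERNAL, EXTERNAL,
                    user_set="IT Administration", content_types=EXE)
REVIEW_AS_CREATED = [GENERAL_ALLOW, IT_ALLOW_EXE, DENY_EXE]
REVIEW_FIXED = [IT_ALLOW_EXE, DENY_EXE, GENERAL_ALLOW]

def client1(user: str, groups, protocol: str) -> Tuple[str, str]:
    """A Web Proxy client on CLIENT1, so credentials are available."""
    req = Request(frozenset({"Internal", "CLIENT1"}), EXTERNAL, protocol, user, frozenset(groups))
    return evaluate(PRACTICE_POLICY, req)

def dc1(policy: List[Rule], protocol: str, dests: FrozenSet[str] = MICROSOFT) -> Tuple[str, str]:
    """DC1 is a SecureNAT client: it has no credentials to present."""
    return evaluate(policy, Request(frozenset({"Internal", "DC1"}), dests, protocol))

def download(policy: List[Rule], user: str, groups, ext: str) -> Tuple[str, str]:
    return evaluate(policy, Request(INTERNAL, EXTERNAL, "HTTP", user, frozenset(groups), ext))

if __name__ == "__main__":
    print("Sales1 FTP:", client1("Sales1", {"Sales"}, "FTP"))
    print("DC1 HTTP as created:", dc1(LAB_AS_CREATED, "HTTP"), "reordered:", dc1(LAB_FIXED, "HTTP"))
    print("Sales1 .exe fixed order:", download(REVIEW_FIXED, "Sales1", {"Sales"}, ".exe"))
```

The only difference between LAB_AS_CREATED and LAB_FIXED, or between REVIEW_AS_CREATED and REVIEW_FIXED, is the order of the same rules; that order alone decides whether DC1 reaches the Microsoft Web site and whether the .exe deny rule is ever reached, which is the point of the "Review access rule order" step.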
One of the useful tools provided with ISA Server for troubleshooting access to
resources on other networks is the logging feature. By default, ISA Server logs all Web
Proxy and Firewall client connections to the Internet. You can use these logs to
determine which access rules are allowing or blocking access.
To view the information logged by ISA Server, complete the following steps:
1. In ISA Server Management, click Monitoring.
2. Click the Logging tab.
3. To view the information being logged at the current time, click Start Query. To use
this option, start the query and then attempt to access the Internet resource from
the client computer. You can view the client connection attempts in the log
viewer.
4. To view archived information or to limit the number of entries in the log viewer,
configure a filter to view specific information contained within the log files. For
example, you could configure a filter that allowed you to view all the client
connection attempts from a specific client computer over a specified period.
Note
For more details about configuring and using ISA Server monitoring tools, including
logging, see Chapter 11, “Implementing Monitoring and Reporting.”
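As an added example of what a filtered log view gives you (not code from the training kit, and not ISA Server's log format), the following Python script parses a constructed, W3C-style tab-delimited log, applies a client computer and time-window filter like the one described in step 4, and totals allowed and denied connections per access rule. The field names, the Allowed/Denied result values, the IP addresses and the user names are all constructed for this example.

```python
"""Filter exported proxy log entries by client computer and time window, the way the
log viewer filter described above narrows the view. Added example, not code from the
training kit: the log is constructed for this example and borrows only the W3C
"#Fields:" header convention; it does not reproduce ISA Server 2004's real field
list, result values or delimiter."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

FIELDS = ["date", "time", "c-ip", "cs-username", "cs-protocol", "cs-uri", "result", "rule"]
# Constructed rows mirroring the practice (Manager1 and Sales1 on CLIENT1) and the lab
# (DC1, a SecureNAT client, logged with no user name).
SAMPLE_ROWS = [
    ("2005-03-01", "12:01:05", "192.168.1.10", "COHOVINEYARD\\Manager1", "http",
     "http://www.microsoft.com/", "Allowed", "Managers Access Policy"),
    ("2005-03-01", "12:01:09", "192.168.1.10", "COHOVINEYARD\\Manager1", "ftp",
     "ftp://ftp.microsoft.com/", "Allowed", "Managers Access Policy"),
    ("2005-03-01", "12:03:44", "192.168.1.11", "COHOVINEYARD\\Sales1", "http",
     "http://www.microsoft.com/", "Allowed", "All Employees Access Policy"),
    ("2005-03-01", "12:03:50", "192.168.1.11", "COHOVINEYARD\\Sales1", "ftp",
     "ftp://ftp.microsoft.com/", "Denied", "Default rule"),
    ("2005-03-01", "12:05:12", "192.168.1.1", "anonymous", "http",
     "http://www.microsoft.com/", "Denied", "All Employees Access Policy"),
    ("2005-03-01", "13:40:00", "192.168.1.11", "COHOVINEYARD\\Sales1", "http",
     "http://www.msn.com/", "Allowed", "All Employees Access Policy"),
]
SAMPLE_LOG = ("#Software: constructed sample\n#Fields: " + " ".join(FIELDS) + "\n"
              + "".join("\t".join(row) + "\n" for row in SAMPLE_ROWS))


def parse_ts(value: str) -> datetime:
    """Timestamps are written as 'YYYY-MM-DD HH:MM:SS' in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_w3c(text: str) -> List[Dict[str, object]]:
    """Parse a tab-delimited log whose #Fields: directive names the columns."""
    fields: Optional[List[str]] = None
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        entry: Dict[str, object] = dict(zip(fields, values))
        entry["timestamp"] = parse_ts(f"{entry['date']} {entry['time']}")
        entries.append(entry)
    return entries


def filter_entries(entries, client_ip=None, start=None, end=None):
    """Keep entries from one client computer inside the [start, end] window
    (both given as 'YYYY-MM-DD HH:MM:SS' strings, either side optional)."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    out = []
    for e in entries:
        if client_ip is not None and e["c-ip"] != client_ip:
            continue
        if lo is not None and e["timestamp"] < lo:
            continue
        if hi is not None and e["timestamp"] > hi:
            continue
        out.append(e)
    return out


def rule_summary(entries) -> Dict[str, Dict[str, int]]:
    """Count allowed and denied connections per access rule, to see which rule decided."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[e["rule"]][e["result"]] += 1
    return {rule: dict(counts) for rule, counts in summary.items()}


if __name__ == "__main__":
    log = parse_w3c(SAMPLE_LOG)
    for e in filter_entries(log, "192.168.1.11", "2005-03-01 12:00:00", "2005-03-01 13:00:00"):
        print(e["time"], e["cs-protocol"], e["cs-uri"], e["result"], "by", e["rule"])
    print(rule_summary(log))
```

Reading the "rule" column next to the "result" column is what answers the question the text poses: it names the rule that allowed or blocked each connection, and for the anonymous DC1 entry shows that an authenticated rule, not the default rule, was the one that denied it.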
Practice: Configuring Access Rules for Internet Access
In this practice, you will configure access rules that allow internal users at Coho
Vineyard to access Internet resources.
Exercise 1: Creating a DNS Lookup Rule
All clients on the Coho Vineyard network are configured to use DC1 as a DNS server.
For these clients to be able to access resources on the Internet, DC1 must be able to
resolve DNS requests for Internet resources. To enable this, you must create an access
rule that allows DNS lookups to the Internet from DC1.
1. In the Microsoft ISA Server Management Console tree, click Firewall Policy.
2. In the Firewall Policy list, click Last Default rule. In the task pane, on the Tasks
tab, click Create New Access Rule.
Tip
When you create an access rule, ISA Server always places the new rule just above the
rule that is selected when you create the new rule.
3. On the Welcome To The New Access Rule Wizard, type DNS Lookup Policy as
the Access rule name, and then click Next.
4. On the Rule Action page, click Allow, and then click Next.
5. On the Protocols page, in the This Rule Applies To drop-down box, click Selected
Protocols, and then click Add.
6. In the Add Protocols dialog box, expand Common Protocols, click DNS, and then
click Add. Click Close.
7. On the Protocols page, click Next.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, expand Computers, click DC1, and then
click Add. Click Close. Click Next.
10. On the Access Rule Destinations page, click Add.
11. In the Add Network Entities dialog box, expand Networks, click External, and
then click Add. Click Close. Click Next twice.
12. On the Completing The New Access Rule Wizard page, review the settings and
click Finish.
Exercise 2: Creating a Managers Access Rule
The Internet usage policy at Coho Vineyard states that managers must have access to
all Internet resources using any protocols.
1. In the task pane, on the Tasks tab, click Create New Access Rule.
2. On the Welcome To The New Access Rule Wizard, type Managers Access Policy
as the Access rule name, and then click Next.
3. On the Rule Action page, click Allow, and then click Next.
4. On the Protocols page, ensure that the rule applies to All outbound traffic. Click
Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, expand Networks, click Internal, and then
click Add. Click Close. Click Next.
7. On the Access Rule Destinations page, click Add.
8. In the Add Network Entities dialog box, expand Networks, click External, and
then click Add. Click Close. Click Next.
9. On the User Sets page, click All Users, and then click Remove.
10. Click Add and click Managers, and then click Add. Click Close. Click Next.
11. On the Completing The New Access Rule Wizard page, review the settings and
click Finish.
12. Ensure that the Managers Access Policy is listed after the DNS Lookup Policy.
If it is not, right-click the Managers Access Policy, and then click Move Down.
13. Click Apply to apply the changes.
Exercise 3: Creating an All Employees Access Rule
All employees other than Managers should be able to use only HTTP and HTTPS to
access the Internet. All users should be required to authenticate to access the Internet.
1. In the task pane, on the Tasks tab, click Create New Access Rule.
2. On the Welcome To The New Access Rule Wizard, type All Employees Access
Policy as the Access rule name, and then click Next.
3. On the Rule Action page, click Allow, and then click Next.
4. On the Protocols page, in the This Rule Applies To drop-down box, click Selected
Protocols, and then click Add.
5. In the Add Protocols dialog box, expand Common Protocols, click HTTP, and then
click Add. Click HTTPS, and then click Add. Click Close.
6. On the Protocols page, click Next.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, expand Networks, click Internal, and then
click Add. Click Close. Click Next.
9. On the Access Rule Destinations page, click Add.
10. In the Add Network Entities dialog box, expand Networks, click External, and
then click Add. Click Close. Click Next.
11. On the User Sets page, click All Users, and then click Remove.
12. Click Add and click All Authenticated Users, and then click Add. Click Close. Click
Next.
13. On the Completing The New Access Rule Wizard page, review the settings and
click Finish.
14. Click Apply to apply the changes.
Exercise 4: Testing Internet Access
Manager1 is a member of the Managers group. Use this account to test the Managers
access rules that you have configured. Sales1 is a member of the Sales group. Use this
account to test Internet access for other employees.
1. On the CLIENT1 computer, log on to the cohovineyard.com domain as Manager1.
2. Open Internet Explorer and attempt to connect to www.microsoft.com. The
connection should be successful.
3. Attempt to connect to ftp://ftp.microsoft.com. To view the contents of the FTP site,
click Internet Options on the Tools menu. On the Advanced tab, clear the check
box for Enable folder view for FTP sites. The connection should be successful.
4. Log off and log on to the CLIENT1 computer as Sales1.
5. Open Internet Explorer and attempt to connect to www.microsoft.com. The
connection should be successful.
6. Attempt to connect to ftp://ftp.microsoft.com. The connection should not be
successful. Why can Manager1 connect to the FTP site, while Sales1 cannot?
Manager1 is a member of the Managers user set, which is allowed to use all protocols
to connect to Internet resources. Sales1 is not a member of any specific user set, so the
All Employees Access Policy applies to this user. This access policy allows only HTTP
and HTTPS access.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Your Internet usage policy specifies that all users will be allowed full Internet
access except that users are not allowed to download any executable files or
Visual Basic script files. The IT Administration group is exempted from this
restriction. You configure an access rule to prevent the All Users user set from
downloading .exe and .vbs file types. Then you create an access rule that allows
the IT Administration group to download these files. Then you configure an access
rule that allows Internet access for All Users. You soon discover that any user is
able to download executable files from the Internet. Why is this happening and
how can you change the configuration to meet the company requirements?
2. Your Internet usage policy states that all employees should have full Internet
access except that users should not be able to use the ICQ protocol to connect to
the Internet. How will you accomplish this?
3. Your organization has bought a new building and set up new offices in that
building. The network in the new building is directly connected to the current
network, but all the computers in the new building are on a different subnet, and
all the offices in the new building are assigned to one company department that
has Internet access requirements different from any other department. You install
a new network card on the ISA Server computer and connect it to the network
from the new office. You configure a new network on ISA Server for the new
network. However, when you test Internet access from the new office, you cannot
get access. What do you need to do?
Lesson Summary
■ Access rules determine how clients on a source network can access resources on
a destination network. Access rules are used to configure all traffic flowing
through ISA Server, including all traffic from the internal network to the Internet,
and from the Internet to the internal network.
■ In order to allow internal clients to access the Internet, you must configure an
access rule that allows Internet access. To configure restrictions to Internet access,
use access rule elements to create the required rules.
■ To troubleshoot access rules for Internet access, check for DNS name resolution,
and then check the access rule and access rule elements configuration. Another
common problem with access rules is access rule order. ISA Server always
evaluates the access rules in priority order.
Case Scenario Exercises
In this exercise, you will read two scenarios about installing ISA Server 2004, and then
answer the questions that follow. If you have difficulty completing this work, review
the material in this chapter before beginning the next chapter. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
Scenario 1
Your organization’s network includes a single Active Directory domain. Clients in your
organization use Web browser applications from multiple vendors. You have
implemented ISA Server 2004 as your proxy and firewall solution. Your organization’s
Internet usage policy states the following:
■ All users will have Internet access from 12:00 noon to 1:00 P.M. and after regular
business hours. Users should be able to use all protocols to access the Internet
during these times.
■ Managers and Executives and Domain Admins will have Internet access at all
times.
■ Two computers in the cafeteria area and two in the front lobby are set up for
public access. These computers will only be able to use HTTP and HTTPS to access
the Internet.
■ MP3 file types will be blocked for all users at all times.
■ Executable files will be blocked for all users except for the Domain Admins group.
Scenario 1 Question
1. How must you configure ISA Server 2004 to meet these requirements?
Scenario 2
Your organization has three branch offices, all of which are connected to the head
office with dedicated high-speed links. Moreover, all ISA Server computers have a
128-Kbps ISDN connection available that is used as a backup connection to the head
office. The head office has a high-speed Internet connection. All access to the Internet
from all offices must use this head-office Internet connection. You have implemented
ISA Server 2004 as your proxy and firewall solution in all offices. All users in
the organization require Internet access, but they should be required to authenticate
before getting access to the Internet. All users use a recent version of Internet
Explorer as their Web browser. You want the branch offices to be able to take full
advantage of ISA Server’s caching ability. The ISDN connection will be implemented
as a backup route.
Scenario 2 Question
1. How will you configure the ISA Server computers at all locations?
Troubleshooting Lab
In this lab, you will troubleshoot an Internet access issue. This issue is related to
Internet access requirements for users at Coho Vineyard. Domain administrators have
reported that they cannot access any Internet resources when they are logged on to
DC1. They need to be able to access resources on the Internet. However, the Internet
usage policy states that the administrators should only be able to access resources on
the Microsoft Web site. The DC1 computer cannot be configured as a Web Proxy client.
Exercise 1: Testing the Configuration
1. Log on to DC1 as an Administrator.
2. Open Internet Explorer and try to access www.microsoft.com. The connection will
fail. Why? How would you fix this problem?
Exercise 2: Enabling Internet Access on DC1
1. On ISA1, open ISA Server Management. Click Firewall Policy, and then click
Managers Access Policy.
2. On the Tasks tab, click Create New Access Rule.
3. In the task pane, on the Tasks tab, click Create New Access Rule.
4. On the Welcome To The New Access Rule Wizard, type DC Access Policy as the
Access rule name, and then click Next.
5. On the Rule Action page, click Allow, and then click Next.
6. On the Protocols page, ensure that the rule applies to All outbound traffic. Click
Next.
7. On the Access Rule Sources page, click Add.
8. In the Add Network Entities dialog box, expand Networks, expand Computers,
click DC1, and then click Add. Click Close. Click Next.
9. On the Access Rule Destinations page, click Add.
10. In the Add Network Entities dialog box, expand Networks, expand Domain Name
Sets, click Microsoft Domain, and then click Add. Click Close. Click Next.
11. On the User Sets page, click All Users, and then click Next.
12. On the Completing The New Access Rule Wizard page, review the settings and
click Finish.
13. Click Apply to apply the changes.
14. On DC1, open Internet Explorer and try to access www.microsoft.com. The
connection should fail. Why can you not connect to the Web site?
15. On ISA1, in ISA Server Management, move the DC Access Policy so that it is listed
before the All Employees Access Policy.
16. Click Apply to apply the changes.
17. On DC1, open Internet Explorer and try to access www.microsoft.com. The
connection should fail. Why can you not connect to the Web site?
18. On ISA1, in ISA Server Management, expand Configuration, then click Networks.
On the Networks tab, double-click Internal.
19. On the Web Proxy tab, click Authentication. Clear the check box for Require All
Users To Authenticate. Click OK twice.
20. Click Apply to apply the changes.
21. On DC1, open Internet Explorer and try to access www.microsoft.com. The
connection should succeed. Try to access msdn.microsoft.com. Again the
connection should succeed. Try to access www.msn.com. In this case, the
connection should fail because the Microsoft Domain domain name set only
enables access to the microsoft.com domain.
Chapter Summary
■ Providing secure Internet access for users in an organization means that users can
gain access to the resources they need, the connection to the Internet is secure,
the data that users transfer to and from the Internet is secure, and users cannot
download malicious programs from the Internet. ISA Server can be used to
provide secure Internet access for internal clients and to implement the
organization’s Internet usage policy.
■ A proxy server is a server that is situated between a client application, such as a
Web browser, and a server that the client is connecting to. By default, ISA Server
is configured to operate as a proxy server for Web Proxy and Firewall client
computers. ISA Server 2004 supports chaining multiple ISA Server computers
together so that Internet requests are passed from one computer to another
computer. ISA Server 2004 also supports the use of a dial-up connection to
another network.
■ Access rule elements are used to configure access rules. ISA Server 2004 supports
the following access rule elements for enabling Internet access: protocol, user set,
content type, schedule, and network objects. ISA Server provides several default
access rule elements, but you can also create and configure new elements.
■ ISA Server supports five authentication methods for restricting Internet access.
They are: Basic authentication, Digest authentication, Integrated Windows
authentication, digital certificate authentication, and RADIUS authentication. If
you want to restrict access to the Internet based on users and groups, you must
configure ISA Server authentication to meet your organization’s needs and the
types of ISA Server clients used by your organization.
■ Access rules determine how clients on a source network can access resources on
a destination network. In order to allow internal clients to access the Internet, you
must configure an access rule that allows Internet access. To configure restrictions
to Internet access, use access rule elements to create the required rules.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ An organization’s Internet usage policy is based on the organization’s security
requirements and the level of access required for employees to do their work. ISA
Server 2004 can be used to implement many of the usage policy requirements.
■ By default, ISA Server is configured as a proxy server for Web Proxy and Firewall
clients.
■ By default, ISA Server enables only integrated authentication. This means that if
you want to use any Web browser clients other than Internet Explorer without
deploying the Firewall client, you must enable additional authentication options.
■ Access rules are built using access rule elements. Creating access rules is like
building a puzzle. First you have to create puzzle pieces (the access rule
elements), then you put the pieces together to create an access rule.
■ Configuring access rules can be difficult if you have complicated requirements.
You have to consider not only the rule elements but also rule order. The access
rule order is most critical when troubleshooting access rule problems.
Key Terms
access rule: Defines the conditions for when traffic will be allowed or denied
between networks.
access rule element: An ISA Server configuration object that you can use when
creating an access rule. Access rule elements include protocols, user sets, network
objects, and schedules.
Internet usage policy: A policy defined by an organization that sets restrictions on
the types of activities users at the organization can perform on the Internet.
Questions and Answers
Page 5-9
Lesson 1 Review
1. What is the purpose of an Internet usage policy?
The Internet usage policy defines what constitutes acceptable usage of Internet resources. The
policy must be clear and concise, describing who can use the Internet and what applications
are allowed or not allowed. It must also explain how violations of the policy will be handled and
who is responsible for enforcing the policy.
2. You are the network administrator for your organization. The organization is using
a packet-filtering firewall with limited functionality to provide access to the
Internet. The organization is planning an ISA Server 2004 implementation and
wants to exploit some of its advanced filtering options to limit the access users
have to the Internet. What should be the first step for implementing ISA Server 2004?
a. Install ISA Server 2004.
b. Design the access rules that will enable access to the Internet.
c. Create an Internet usage policy that defines the organization’s security
requirements.
d. Design a server publishing strategy.
C is correct. The first step in implementing ISA Server 2004 is to create an Internet usage
policy that defines the organization’s security requirements. This policy becomes the basis
for designing the access rules and for designing the server publishing strategy. ISA Server
should be deployed only after the policy has been created and the Internet access and
server publishing design have been completed.
3. How can an Internet usage policy be enforced by ISA Server 2004?
ISA Server 2004 can be used to implement restrictions based on many different criteria,
including users, computers, content, URLs, and protocols that are allowed or disallowed.
Page 5-27
Lesson 2 Review
1. Your organization has a high-speed Internet connection as your main method of
access to the Internet. You also have a dial-up account with your ISP to provide a
backup route. How should you configure ISA Server to use the dial-up connection
in case the primary route fails?
a. Configure the Dial-Up Preferences to specify the dial-up connection as the
backup route.
b. Create a network for the dial-up connection and designate it as the backup
route.
c. Configure a Web Chaining rule to specify the dial-up connection as the
backup route.
d. Modify the Web Browser properties of the Internal network to designate the
dial-up connection as the alternate route.
C is correct. Web chaining rules allow you to specify that a dial-up connection should be used
if the primary route is not available. A is incorrect because Dial-Up Preferences only specify
what dial-up connections are available to ISA Server and what credentials to use. B is incorrect
because you cannot create a network for a dial-up connection. D is incorrect because the Web
Browser properties can only specify an alternate ISA Server computer.
2. All the Web browser applications in your organization are configured to be Web
Proxy clients. You are the network administrator and you have received reports
that some employees are viewing and downloading information from inappropriate
Web sites. How could you identify the employees responsible and prevent further
infractions?
ISA Server can log all HTTP requests and provide information on the user and the Web
sites visited. You can use the log files to determine which users accessed the inappropriate
Web sites and take any further action as prescribed by your Internet usage policy. You can
also configure ISA Server to block access to those Web sites and to filter content to prevent
the downloading of inappropriate material.
3. Your company has seven branch offices that have no direct Internet connection.
All Internet requests are routed to the ISA Server at the head office over a
128-kilobyte-per-second (Kbps) Integrated Services Digital Network (ISDN) link.
The ISDN link is heavily used during business hours. What can you do to minimize
the bandwidth usage for Internet requests?
Install an ISA Server in each branch office and configure a Web chaining rule to pass
Internet requests to the head office ISA Server. Over time, the cache of objects on the
branch office ISA Server computer will build up and reduce the need to use the ISDN
connection to access Internet resources.
Page 5-39
Lesson 3 Review
1. Your organization has an Internet usage policy specifying that only managers and
executives have unrestricted Internet access. All other employees are allowed
Internet access during the lunch hour and after business hours with restrictions on
the type of content that should be accessible. How can you enforce this policy?
Create a user set that contains the Managers and Executives groups and create an access rule
that allows them unrestricted Internet access. Create schedule and content type elements to
define the time of day and the prohibited content that will apply to all other employees. Use
those elements in an access rule to restrict their Internet access according to your Internet
usage policy.
2. Your organization has limited bandwidth available for Internet connections. The
users who require Internet access to do their jobs are complaining about the
speed of the connection. After reviewing the logs, you discover that many
employees are downloading large image libraries for their desktop wallpaper on a
daily basis from a specific Web site. What can you do to prevent this?
Create a URL Set for the specific Web site and create an access rule to deny this URL Set to
the All Users group.
3. Your organization has a single domain running Active Directory. Your
organization has four branch offices, all of which use ISA Server 2004 as their
Internet edge firewall and proxy server. All branch offices require the same access
rules. Managers at the branch offices must be able to connect to a custom Web
application at your head office using a specific TCP port. No other users should be
able to access the application. How would you configure all the ISA Server 2004
servers in the most efficient manner?
On one of the branch office ISA Server computers, create a user set to represent the
Managers group. Then create a protocol element that defines outbound TCP connections to
the specified port. Then create an access rule to allow access to the application using the
access rule elements. The most efficient way to distribute the configuration is to export the
configuration on one server and import it to the other three ISA Server computers.
Page 5-46
Lesson 4 Review
1. Your organization has a mixture of Windows 2000 and Windows Server 2003
domain controllers. You have deployed ISA Server 2004 as your firewall solution.
Your Internet usage policy states that all users accessing the Internet will be
authenticated using Digest authentication. You have configured the properties of
the Internal network to require Digest authentication. Now none of your users can
access the Internet. How can you correct this problem?
Because you have domain controllers running on both Windows 2000 and Windows Server
2003 servers, your domain cannot be running in Windows Server 2003 mode. Therefore, you
must configure the user properties in Active Directory to store the user’s password using
reversible encryption.
2. All the clients in your organization are configured as SecureNAT clients. You have
created content type elements to prevent users from downloading executables,
MP3 and video file types. You use those elements in an access rule and assign it
to the All Authenticated Users group. After applying the access rule, you discover
that all your clients still have unrestricted access to download the content types.
Why can users still download the content types that you are trying to block? What
should you do to prevent this?
SecureNAT clients cannot be authenticated and therefore the rule will not be applied to anyone.
You must assign the rule to the All Users group. The All Users group includes everyone, whether
they are authenticated or not.
3. Your organization has a multiple-domain forest running Active Directory. You
support various browser applications including Internet Explorer and Netscape
Navigator. All browsing software is configured to use an ISA Server computer as a
proxy server. You have configured access rules to allow HTTP and HTTPS traffic
for all internal clients, but have not changed any other settings on the ISA Server.
Some of your users have Internet access while others are always denied
connections. How can you resolve this problem?
Only Internet Explorer can support Integrated Windows authentication. To support Netscape
Navigator and other browsing software, you must select a different authentication method,
such as Basic or Digest.
Page 5-59
Lesson 5 Review
1. Your Internet usage policy specifies that all users will be allowed full Internet
access except that users are not allowed to download any executable files or
Visual Basic script files. The IT Administration group is exempted from this
restriction. You configure an access rule to prevent the All Users user set from
downloading .exe and .vbs file types. Then you create an access rule that allows
the IT Administration group to download these files. Then you configure an access
rule that allows Internet access for All Users. You soon discover that any user is
able to download executable files from the Internet. Why is this happening and
how can you change the configuration to meet the company requirements?
The problem is in the priority of the rules. If the allow rule for Internet access to All Users is at
the top of the list then no other rules will be evaluated and users will have full access. Deny
rules or specific allow rules need to be first. The most general rules should be just before the
default deny rule. You need to put the allow rule for IT Administration at the top, then the deny
rule for .vbs and .exe extensions next, and then the general allow rule for All Users.
2. Your Internet usage policy states that all employees should have full Internet
access except that users should not be able to use the ICQ protocol to connect to
the Internet. How will you accomplish this?
Create an access rule that denies access for All Users from the Internal network to the External
network for the ICQ protocol. Then create an access rule that allows full access to the Internet
using any protocol. Place the rule blocking the ICQ protocol at the top of the priority list.
3. Your organization has bought a new building and set up new offices in that
building. The network in the new building is directly connected to the current
network, but all the computers in the new building are on a different subnet, and
all the offices in the new building are assigned to one company department that
has Internet access requirements different from any other department. You install
a new network card on the ISA Server computer and connect it to the network
from the new office. You configure a new network on ISA Server for the new
network. However, when you test Internet access from the new office, you cannot
get access. What do you need to do?
You must configure a new access rule that meets the new office requirements. By default, ISA
Server will not allow any network traffic from the new network to the Internet until you configure
an access rule.
Case Scenario Exercises
Page 5-61
Scenario 1 Question
1. How must you configure ISA Server 2004 to meet these requirements?
Configure all Web browsers to be Web Proxy clients of ISA Server. Because of the need to
support multiple browser types, configure the Internal Network Web proxy settings to use
Basic authentication.
Create access rule elements to define the schedule for 12:00 noon to 1:00 P.M. and after
business hours. Create user sets to define the Managers and Executives and Domain Admins
groups. Create an access rule element to define MP3 file extensions and one to define
executable file types. Create a computer set network object that includes the IP addresses
of the public computers.
Create access rules as follows:
a. Deny access to MP3 files to All Users.
b. Allow access to Domain Admins to executable files.
c. Deny access to All Users to executable files.
d. Allow access to HTTP and HTTPS only for the public computers.
e. Allow Internet access to Managers and Executives and Domain Admins at any time.
f. Allow Internet access to All Users for the scheduled times.
Page 5-61
Scenario 2 Question
1. How will you configure the ISA Server computers at all locations?
Configure all users in all domains as Web Proxy clients for Internet access. On all ISA Server
computers, create a rule that allows access to the External Network to the All Authenticated
Users user set. Accept the default of using Integrated Windows authentication. At the branch
offices, create a Web chaining rule to direct all Internet requests to the head office ISA Server
computer; and in that rule, configure the ISDN connection as the backup route.
Questions and Answers
5-71
Troubleshooting Lab
Page 5-62
Exercise 1
1. Open Internet Explorer and try to access www.microsoft.com. The connection will
fail. Why? How would you fix this problem?
The DNS Lookup Policy, which applies to the DC1 computer, allows only DNS lookups to the
Internet. The All Employees Access Policy, which allows access to the Internet using the HTTP
and HTTPS protocols, applies to All Authenticated Users. Because DC1 is a SecureNAT client, the
user cannot be authenticated to gain access to the Internet. To fix this, you need to create
an access rule that does not require authentication and that allows access from DC1 to the
Microsoft.com Web sites.
Page 5-62
Exercise 2
1. On DC1, open Internet Explorer and try to access www.microsoft.com. The connection should fail. Why can you not connect to the Web site?
One problem is with rule order. When ISA Server evaluates the access rules, it evaluates the All
Employees Access Policy before it evaluates the DC Access Policy. The All Employees Access
Policy enables access for HTTP, but requires authentication. Because DC1 does not support
authentication, access is blocked.
2. On DC1, open Internet Explorer and try to access www.microsoft.com. The connection should fail. Why can you not connect to the Web site?
In an earlier exercise, you configured the Internal network properties to require all users to
authenticate. When you try to access an Internet resource using HTTP, access will be blocked.
You need to remove this configuration before you can access the Internet using HTTP.
6 Implementing ISA Server Caching
Exam Objectives in this Chapter:
■ Configure forward and reverse caching
  ❑ Configure cache size and location
  ❑ Configure cache rules
  ❑ Configure content download jobs
■ Optimize performance of the ISA Server 2004 cache
  ❑ Configure active caching
  ❑ Configure cache settings
■ Diagnose and resolve caching issues
Why This Chapter Matters
So far, this book has focused primarily on the security features provided by
Microsoft Internet Security and Acceleration (ISA) Server 2004. ISA Server, however,
is not only a firewall but can also be configured to accelerate Internet access by
providing caching functionality. One benefit of using ISA Server 2004 as a Web
proxy server is that ISA Server can cache much of the Internet content that clients
request. ISA Server stores frequently accessed Web objects in memory and in a
cache file on the ISA Server computer’s hard disk. Much of the content on the Internet is dynamic content that cannot be efficiently cached. This has reduced the
importance of using caching, but there are still several scenarios in which ISA
Server caching can improve Internet access performance.
Lessons in this Chapter:
■ Lesson 1: Caching Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3
■ Lesson 2: Configuring Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-13
■ Lesson 3: Configuring Content Download Jobs . . . . . . . . . . . . . . . . . . . . . . .6-31
6-2
Chapter 6
Implementing ISA Server Caching
Before You Begin
This chapter presents the skills and concepts related to configuring ISA Server to
cache Web content. If you plan to complete the practices and lab in this chapter, you
should prepare the following:
■ A server with Microsoft Windows Server 2003 (either Standard Edition or Enterprise
Edition) installed as DC1 and configured as a domain controller in the domain
cohovineyard.com. DC1 must be able to resolve the Domain Names System (DNS)
names for resources located on the ISA Server External network.
■ A second server with Windows Server 2003 installed as ISA1 and configured as a
domain member in the domain cohovineyard.com. This server should have ISA
Server, Standard Edition as well as two network interfaces installed. The external
interface should be connected to a network that contains one or more Web
servers. If possible, the network interface should be attached to the Internet.
■ A Microsoft Windows XP computer installed as CLIENT1. This computer should be
a member of the cohovineyard.com domain.
Lesson 1
Caching Overview
6-3
Lesson 1: Caching Overview
ISA Server supports caching as a way to improve the speed of retrieving information
from the Internet. From the internal user’s point of view, caching improves Internet
access performance. From the network administrator’s point of view, caching provides
the added benefit of reducing the use of network bandwidth. ISA Server extends the
benefits of caching by enabling scheduled content download jobs in which ISA Server
downloads Internet content to the cache before any user requests the object. You can
also combine Web caching with Web proxy chaining to optimize performance further
if your organization has multiple locations. This lesson provides an overview of how
caching works and how ISA Server 2004 implements caching.
After this lesson, you will be able to
■ Describe what caching is
■ Describe how content download jobs work
■ Describe how caching is implemented with ISA Server 2004
■ Describe how Web chaining and caching work together
Estimated lesson time: 20 minutes
What Is Caching?
One of the primary deployment scenarios for ISA Server 2004 is as a Web proxy server
in which ISA Server retrieves information from the Internet for internal clients. ISA Server
supports Web caching as a way to improve the speed with which this information is
returned to Web clients.
Caching stores Web content on the ISA Server computer in memory or on the server’s hard
disk. When a user requests Web information that is in the cache, ISA Server provides the
information from the cache, enabling a quicker response to the client. ISA Server 2004 can
be configured to enable the caching of Hypertext Transfer Protocol (HTTP) and File
Transfer Protocol (FTP) objects.
ISA Server 2004 caching provides the following benefits:
■ Improved performance: Web caching speeds client response for Internet
access by bringing the Web content closer to the user. When a user behind the ISA
Server 2004 firewall requests Web content, ISA Server checks to see whether the
content is contained in its cache. If it is, the cached content is returned to the user.
Accessing Web content from a cache on the corporate network is faster than
requiring a connection to a remote Web server located on the Internet. Recently
accessed information is stored in the cache and remains in the cache as long as
that content continues to be accessed by users.
■ Reduced bandwidth usage: Web caching can help reduce the overall bandwidth usage on the organization’s Internet connection. When users request Web
content already contained in cache, that content is returned to the user immediately from the cache without requesting the content again from the Internet.
How Caching Works
When a user requests an HTTP or FTP object, the Web proxy client sends the request
to the Web proxy filter on ISA Server, as illustrated in Figure 6-1.
[Figure 6-1 Forward caching caches Internet content for internal clients (diagram: Web proxy client, ISA Server with RAM cache, Internet Web server; numbered steps 1 through 6 as listed below)]
In a forward caching scenario, the following actions occur to complete the client request:
1. The Web proxy client sends a request for content located on an Internet Web
server. The Web request is intercepted by ISA Server 2004 and forwarded to the
Web proxy filter.
Note By default, the Microsoft Firewall service forwards HTTP requests from Firewall clients
and secure network address translation (SecureNAT) clients to the Web proxy service. This
means that, when caching is enabled, Web content from all ISA Server clients can be cached.
2. ISA Server checks whether the requested content is contained in its cache. If the
content is not in the cache, or if the content has expired (that is, the header information in the content indicates that it should no longer be served from a cache),
ISA Server 2004 forwards the request to the Web server on the Internet.
3. The Web server on the Internet returns the information requested.
4. The ISA Server Web proxy filter places the Web content in its in-memory cache.
ISA Server 2004 uses an in-memory cache to store the most frequently requested
content.
5. After placing the Web content in the in-memory cache, the ISA Server 2004 Web caching server returns the content to the requesting user.
6. After a time, the ISA Server 2004 Web proxy filter will copy the contents of the in-memory cache to the disk-based cache. If the content is not frequently accessed,
the in-memory cache will flush the content and the only copy of the content on
ISA Server will reside in the disk-based cache.
Note The time for an object to remain in the cache is called Time-to-Live (TTL). When ISA
Server places an object into its cache, it sets a TTL for the object. ISA Server returns the HTTP
object that is stored in its cache to clients until the TTL has expired. ISA Server can set the TTL
based on the creation date and the modification date of the object or by using the settings
that you configure when you enable Web caching or configure caching rules. Many Web pages
use metatags to set expiration dates for content. When a Web page has an expiration date,
ISA Server sets the TTL of the object to match the Web page’s expiration date.
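The six-step flow and the TTL note above, as an added Python example (not code from the book or from ISA Server): a simplified forward cache that derives a TTL from the Expires or Last-Modified response header, keeps small objects in a RAM tier, copies them to a disk tier on flush, and refetches from the origin once the TTL has elapsed. The 20 percent heuristic for Last-Modified, the 600-second default TTL, the 1024-byte RAM limit and the example.invalid URLs are constructed assumptions for this example only.

```python
from dataclasses import dataclass
from email.utils import formatdate, parsedate_to_datetime


@dataclass
class CachedObject:
    body: bytes
    stored_at: float  # constructed clock value (seconds) at which the object was cached
    ttl: int          # seconds the object may be served from the cache


def compute_ttl(headers, now, default_ttl=600, heuristic_pct=20):
    """Derive a TTL in seconds from HTTP response headers.

    Preference order (an assumption for this example, not ISA Server's exact
    algorithm): an explicit Expires header; otherwise a percentage of the
    object's age since Last-Modified; otherwise a fixed default.
    """
    expires = headers.get("Expires")
    if expires:
        try:
            return max(0, int(parsedate_to_datetime(expires).timestamp() - now))
        except (TypeError, ValueError):
            pass
    last_modified = headers.get("Last-Modified")
    if last_modified:
        try:
            age = now - parsedate_to_datetime(last_modified).timestamp()
            return max(0, int(age * heuristic_pct / 100))
        except (TypeError, ValueError):
            pass
    return default_ttl


class ForwardCache:
    """Steps 1-6 of the forward caching flow with a RAM tier and a disk tier."""

    def __init__(self, max_memory_object=1024):
        self.memory = {}   # frequently requested objects (step 4)
        self.disk = {}     # stands in for the disk-based cache file (step 6)
        self.max_memory_object = max_memory_object  # assumed byte limit for RAM entries
        self.origin_fetches = 0

    def get(self, url, origin, now):
        """Return (body, 'HIT' or 'MISS'); origin(url) -> (body, response headers)."""
        obj = self.memory.get(url) or self.disk.get(url)
        if obj is not None and now < obj.stored_at + obj.ttl:
            return obj.body, "HIT"          # step 2: fresh copy found in cache
        # Steps 2/3: not cached or TTL elapsed, so forward the request upstream.
        self.origin_fetches += 1
        body, headers = origin(url)
        self.memory.pop(url, None)
        self.disk.pop(url, None)
        fresh = CachedObject(body, now, compute_ttl(headers, now))
        if len(body) <= self.max_memory_object:
            self.memory[url] = fresh        # step 4: small objects go to RAM first
        else:
            self.disk[url] = fresh          # oversized objects go straight to disk
        return body, "MISS"                 # step 5: content returned to the client

    def flush_memory_to_disk(self):
        """Step 6: copy RAM-cached objects to the disk tier and drop them from RAM."""
        self.disk.update(self.memory)
        self.memory.clear()


def demo():
    """Constructed origin and clock; returns (hit/miss trace, origin fetches, big object on disk)."""
    now = 1_000_000.0
    page = "http://example.invalid/page"
    big = "http://example.invalid/big.iso"

    def origin(url):
        if url == big:
            return b"x" * 4096, {}          # no caching headers: default TTL applies
        return b"<html>page</html>", {"Expires": formatdate(now + 300, usegmt=True)}

    cache = ForwardCache(max_memory_object=1024)
    trace = [
        cache.get(page, origin, now)[1],        # MISS: first request
        cache.get(page, origin, now + 60)[1],   # HIT: served from RAM
        cache.get(big, origin, now)[1],         # MISS: too large for RAM, stored on disk
    ]
    cache.flush_memory_to_disk()
    trace.append(cache.get(page, origin, now + 120)[1])  # HIT: served from the disk tier
    trace.append(cache.get(page, origin, now + 400)[1])  # MISS: the 300 s TTL has elapsed
    return trace, cache.origin_fetches, big in cache.disk


if __name__ == "__main__":
    print(demo())
```

Running the block prints the trace `['MISS', 'HIT', 'MISS', 'HIT', 'MISS']` together with three origin fetches; the second miss for the page is the TTL expiry from the note above, and the large object never enters the RAM tier.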
Caching Scenarios
ISA Server supports both forward and reverse caching.
■ Forward caching occurs when a user on the corporate network makes a request
for Web content located on an Internet Web server. The user initiates an HTTP,
Hypertext Transfer Protocol Secure (HTTPS), or FTP request to an Internet Web
server and the request is intercepted by ISA Server. ISA Server retrieves the content
from the Internet Web server, stores that content in its cache, and returns the content to the user.
■ Reverse caching occurs when users on the Internet request Web content located
on a server on the corporate network that is accessible through a Web publishing
rule. When an Internet user requests content from the internal server, ISA Server
forwards the request to the Web server. The Web server sends the requested content to ISA Server, which then returns the content to the Internet user who made
the request. In this scenario, ISA Server will cache a copy of the requested information so that the next request for the same information can be provided from the
ISA Server cache rather than again accessing the internal Web server.
Note When caching is enabled, both forward and reverse caching are enabled. There is no
way to disable either forward or reverse caching specifically. If you want to disable the caching
of content from a particular Web site, then you must create a caching rule that prohibits it.
What Are Content Download Jobs?
ISA Server extends caching performance by enabling content download jobs. By monitoring and analyzing Internet access, you can determine which Web content is most
likely to be requested by internal clients. You can then create a content download job
to download the Web content to the ISA Server cache before any client requests the
object. Content download jobs allow you to schedule content for download at a specific
time or at recurring times.
Benefits of Using Content Download Jobs
The main reasons for using content download jobs are to improve Internet access performance and decrease the use of bandwidth to the Internet. There are several possible
scenarios in which content download jobs can provide this functionality. For example,
you can create a content download job at a branch office ISA Server so that the entire
main-office intranet site is downloaded from the main office Web server. The content
download job can be configured to take place during non-working hours so that the
branch-office link to the main office is not used for the download during working
hours. When branch-office users arrive at the office, the main-office Web site’s content
is stored in the branch-office cache. Branch office users can quickly download even
large files from cache, while freeing the branch-office link to the main office during
work hours for other business-related network activity.
You can also use content download jobs to update information from Internet Web sites.
For example, users may frequently request a price list from the Web site of a business
partner. You can configure a scheduled content download so that ISA Server retrieves
the price list each night. By using a scheduled content download, the most recent
version of the price list will be in the cache each morning.
You can also use scheduled content downloads to ensure that Web content is always
available to users, even when they cannot connect to the Internet. For example, users
may need constant access to a particular Web site, and any disruption in that access
may disrupt business processes. In this case, you can configure ISA Server to download
the content and provide that content for users even when the Internet connection is
not available.
Scheduled download jobs can also be useful in reverse proxy scenarios. For example,
if you are publishing an internal Web site that is modified every night, you can schedule
a content download job every morning so that the new Web content is stored in the ISA
Server cache. The ISA Server computer then does not need to access the internal Web
site to provide the content to clients.
How Content Download Jobs Work
When you enable content download jobs, the actions listed in Figure 6-2 occur:
1. You create a content download job that specifies Web content to be retrieved from
the Internet and when content retrieval occurs.
2. At the scheduled time, ISA Server uses a background process to retrieve the content from the Web server. The content is stored in the ISA Server cache based on
the settings specified by the content download job.
3. A user on the internal network sends a request for the Web content to the ISA
Server computer. The Firewall service passes the request to the Web proxy filter.
4. The ISA Server Web proxy filter determines that the content is in the Web cache,
so ISA Server retrieves the content from the cache.
5. Content retrieved from cache is returned to the requesting user.
[Figure 6-2 Content download job (diagram: Internet Web server, ISA Server with a cache file holding Cached Web Objects 1 through 3, and the internal client; numbered steps 1 through 5 as listed above)]
How Caching Is Implemented in ISA Server 2004
When you enable Web caching, you configure ISA Server to store Web objects in its
cache. ISA Server includes the following features that optimize cache performance:
■ RAM and disk caching: ISA Server allocates RAM for caching popular objects
and caches other objects on disk. When caching an object, ISA Server first places
an object into the RAM cache and then writes objects to disk. RAM and disk caching help to improve users’ access speed to popular Web sites. By default, ISA
Server 2004 uses 10 percent of the RAM on the server to cache Web content.
■ Maintaining the RAM cache in physical memory: ISA Server never writes the
cached information stored in RAM to the operating system paging file. This optimizes access to the cache stored in RAM.
■ Directory of cached objects: ISA Server maintains a directory of cached objects
in RAM to optimize the process of determining whether the server has an object in
its cache.
■ Single cache file: ISA Server maintains a single cache file per disk partition to
retain cached objects so that gaining access to objects does not use additional system resources that are needed for opening and closing multiple files. The cache
file size can be configured for each disk partition. The maximum size of a single
cache file is 64 gigabytes (GB). If you require a larger cache store, you can distribute it over different drives.
■ Quick recovery: ISA Server quickly rebuilds the directory of cached objects at
startup, even after an abnormal termination.
■ Efficient cache updates: ISA Server automatically determines which objects to
retain in the RAM cache. This decision is based on the likelihood of a user’s again
requesting the same object, which is determined by how recently and how frequently an object is accessed.
■ Automatic cleanup: ISA Server removes objects that have not been accessed
recently or frequently when the disk space that is allocated to the cache
approaches capacity.
See Also
ISA Server Enterprise Edition uses Cache Array Routing Protocol (CARP) to distribute the cache efficiently across multiple ISA Server computers. ISA Server Enterprise Edition
is discussed in detail in Chapter 12, “Implementing ISA Server 2004, Enterprise Edition.”
How ISA Server Restricts Content
ISA Server does not cache all content that is requested by Web clients. Table 6-1
describes how ISA Server restricts the content that it caches.
Exam Tip As you write the exam, remember that ISA Server does not cache all content. If
you see an exam question in which some content is not being cached, one possible reason is
that the content is not cacheable. You can modify which types of content are cached.
Table 6-1 ISA Server Caching Restrictions

Restriction: ISA Server does not cache responses that contain the following HTTP response headers.
Description:
Cache-control: no-cache
Cache-control: private
Pragma: no-cache
www-authenticate
Set-cookie

Restriction: ISA Server does not cache responses to requests that contain the following HTTP request headers.
Description:
Authorization, unless the origin server explicitly allows this by including the “cache-control: public” header in the response
Cache-control: no-store
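The restrictions in Table 6-1, as an added Python example (not code from the book or from ISA Server): a cacheability check that inspects one request/response pair for the listed response and request headers, plus a handful of constructed sample exchanges to run it over. Header names, sample values and the triage labels are this example's own assumptions.

```python
def _directives(value):
    """Split a Cache-control or Pragma value into lower-case directive names."""
    return {part.split("=")[0].strip().lower() for part in value.split(",") if part.strip()}


def is_cacheable(request_headers, response_headers):
    """Return (cacheable, reason) for one exchange.

    Header names are compared case-insensitively; the rules follow Table 6-1.
    Dictionaries hold one value per header name, which is enough for this check.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    resp_cc = _directives(resp.get("cache-control", ""))
    req_cc = _directives(req.get("cache-control", ""))

    # Response-side restrictions (first half of the table).
    if "no-cache" in resp_cc:
        return False, "response Cache-control: no-cache"
    if "private" in resp_cc:
        return False, "response Cache-control: private"
    if "no-cache" in _directives(resp.get("pragma", "")):
        return False, "response Pragma: no-cache"
    for name in ("www-authenticate", "set-cookie"):
        if name in resp:
            return False, f"response {name} header present"

    # Request-side restrictions (second half of the table).
    if "no-store" in req_cc:
        return False, "request Cache-control: no-store"
    if "authorization" in req and "public" not in resp_cc:
        return False, "request Authorization without response Cache-control: public"
    return True, "cacheable"


# Constructed sample exchanges: (label, request headers, response headers).
SAMPLE_EXCHANGES = [
    ("static-image", {}, {"Content-Type": "image/png", "Cache-Control": "max-age=3600"}),
    ("login-page", {}, {"Set-Cookie": "session=abc"}),
    ("intranet-private", {"Authorization": "Basic dXNlcjpwYXNz"}, {"Cache-Control": "private"}),
    ("intranet-public", {"Authorization": "Basic dXNlcjpwYXNz"}, {"Cache-Control": "public, max-age=60"}),
    ("forced-reload", {"Cache-Control": "no-store"}, {}),
    ("old-style", {}, {"Pragma": "no-cache"}),
]


def triage(exchanges=SAMPLE_EXCHANGES):
    """Map each sample label to its (cacheable, reason) decision."""
    return {label: is_cacheable(req, resp) for label, req, resp in exchanges}


if __name__ == "__main__":
    for label, decision in triage().items():
        print(f"{label:18} {decision}")
```

Of the six constructed exchanges only the static image and the explicitly public authenticated response are cacheable; the others each trip one row of the table, and the reason string names which one, which is the check to run when an exam-style "content is not being cached" symptom appears.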
Note For more information about Web pages and caching, see the article “HOW TO: Prevent
Caching in Internet Explorer,” in the Microsoft Knowledge Base at http://support.microsoft.com/
support/kb/articles/Q234/0/67.asp.
What Is Web Chaining and Caching?
Some organizations include multiple locations with computers running ISA Server
deployed in each location. In this scenario, you can combine caching with Web proxy
chaining to optimize caching performance. Web proxy chaining is useful when your
organization has multiple branch-office locations, but all Internet requests are routed
through one location at the head office. In this scenario, you can install ISA Server in
each office and then configure ISA Server at the branch offices to route all Internet
requests to the ISA Server computer at the head office.
One of the benefits of using Web chaining is the accumulated caching on ISA Server.
If all the servers running ISA Server in the branch offices are configured to forward
their requests to the head-office ISA Server, the head-office ISA Server will develop a
large cache that contains many requested items. Moreover, the local ISA Server will
build up a cache of the most requested items from the branch office. The combination
of caching at the local branch office and at the head office increases the chances that
the Internet content can be delivered to the client without downloading it again from
the Internet.
The following steps and Figure 6-3 describe how Web proxy chaining works in this
branch-office/main-office scenario:
1. The client sends a request for Web content to the Web caching server at the branch
office. If the Web caching server at the branch office contains a valid version of the
Web content in its cache, it will return the content to the requesting user.
2. If the content requested by the branch-office user is not contained in the branch-office server’s cache, the request is forwarded to an upstream Web caching
server in the Web proxy chain.
3. If the upstream Web caching server has a valid copy of the requested content in
cache, the content is returned to the branch-office Web caching server. The
branch-office Web caching server places the content in its own Web cache and
then returns the content to the branch-office user who requested the content.
4. If the upstream Web caching server at the main office does not contain the
requested content in its cache, it will forward the request to the Web server on the
Internet. The Internet Web server returns the requested content to the main-office
Web caching server. The Web caching server at the main office places the content
in cache.
5. The main office returns the content to the branch-office Web caching server. The
branch-office Web caching server places the content in its cache.
6. The branch-office Web caching server returns the content from its cache to the
requesting user.
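The chaining steps 1 through 6 above, together with the content download job flow described earlier in this lesson, as one added Python example (not code from the book or from ISA Server): two branch-office caches chained to a head-office cache, a scheduled prefetch that fills a branch cache before any user asks, and a trace of where each request is served. The caches are plain dictionaries without TTLs, and the office names and example.invalid URLs are constructed assumptions.

```python
class ChainedCache:
    """One Web caching server in a chain; upstream is another ChainedCache or the origin."""

    def __init__(self, name, upstream):
        self.name = name
        self.upstream = upstream   # ChainedCache, or a callable origin(url) -> bytes
        self.store = {}            # stands in for this server's cache file

    def get(self, url, trace):
        """Serve from cache or forward upstream, recording each hop in trace."""
        if url in self.store:
            trace.append(f"{self.name}:hit")        # step 1 or 3: valid copy in cache
            return self.store[url]
        trace.append(f"{self.name}:miss")
        if isinstance(self.upstream, ChainedCache):
            body = self.upstream.get(url, trace)    # step 2: forward to upstream server
        else:
            trace.append("origin:fetch")            # step 4: head office goes to the Internet
            body = self.upstream(url)
        self.store[url] = body                      # steps 3/5: keep a local copy on the way back
        return body

    def prefetch(self, urls, trace):
        """Content download job: pull objects into the cache before any client requests them."""
        for url in urls:
            self.get(url, trace)


def demo():
    """Constructed scenario; returns (prefetch trace, per-request traces, origin fetch count)."""
    origin_fetches = []

    def origin(url):
        origin_fetches.append(url)
        return f"content of {url}".encode()

    head = ChainedCache("head-office", origin)
    branch_a = ChainedCache("branch-a", head)
    branch_b = ChainedCache("branch-b", head)
    price_list = "http://example.invalid/price-list"
    intranet = "http://example.invalid/intranet/home"

    job_trace = []
    branch_b.prefetch([intranet], job_trace)        # overnight job at branch B

    traces = {}
    requests = (
        ("a1", branch_a, price_list),               # first user anywhere: full chain to origin
        ("b1", branch_b, price_list),               # branch B misses, head office already has it
        ("a2", branch_a, price_list),               # branch A now serves locally
        ("b-intranet", branch_b, intranet),         # prefetched content: local hit on first request
    )
    for label, cache, url in requests:
        hops = []
        cache.get(url, hops)
        traces[label] = hops
    return job_trace, traces, len(origin_fetches)


if __name__ == "__main__":
    print(demo())
```

Four user requests plus one download job produce only two origin fetches: the head-office cache absorbs the second branch's request, and the prefetched intranet page is served locally the first time a branch user asks for it.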
[Figure 6-3 Web chaining and caching for branch offices (diagram: Branch Office Network with an ISA Server and cache file, Corporate Head Office with an ISA Server and cache file, and the Internet; numbered steps 1 through 6 as listed above)]
Planning
One of the common deployment scenarios for ISA Server in organizations with
multiple locations is the Web chaining and caching scenario. Often the branch offices are connected to central offices using fairly slow wide area network (WAN) connections. By deploying
an ISA Server in each branch office and enabling caching on the server, these organizations
can reduce the use of the WAN bandwidth. You have several options when deploying this configuration. One option is to deploy the ISA Server computer with a single network interface. If
you already have a router at the branch office, and you don’t require ISA Server to filter network traffic, you can configure the ISA Server computer with a single network interface and
then configure all the clients in the branch offices to use the ISA Server computer as a proxy
server. You can also take advantage of content download jobs in this scenario. If you have an
Intranet Web site to which all users need access, you can download the content to the local
ISA Server overnight. If you are deploying ISA Server Enterprise Edition, you can also
configure an array of multiple ISA Server computers at the head office and use CARP to
ensure that as much content as possible is cached.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed ISA Server 2004 in a large office with a relatively slow Internet connection. The ISA Server computer is to be used only for caching content.
What can you do to maximize cache response time?
2. You have deployed ISA Server 2004 and configured the server as a Web proxy
server. All internal client computers are configured as Web proxy clients. You have
limited bandwidth to the Internet, so you enable caching on ISA Server, using the
default caching configuration. Many users in your organization, you notice, access
a partner organization’s Web site several times a day. The Web site contains many
large files that are changed every few days; when users download the files, much
of the available bandwidth to the Internet is used. You need to make sure that
users have access to the partner Web site, yet you must limit the amount of bandwidth used to access the Web site as much as possible during working hours.
What should you do?
a. Install the Firewall client on each client computer.
b. Configure caching to cache only small files from the partner Web site.
c. Configure a content download job to download the partner Web site every
night.
d. Configure the ISA Server to cache content with a TTL of one day.
3. Users in your organization must download files from an FTP site on the Internet
twice a day. Your users report that they frequently download outdated versions of
the file. What is happening and how will you fix it?
Lesson Summary
■ ISA Server 2004 uses caching to retrieve and store cacheable Web content so that the
next time a client requests the same content it can be retrieved from the cache file
to provide faster response and reduce bandwidth consumption. Forward caching
stores Web content from the Internet for internal clients. Reverse caching stores Web
content from an internal published Web site for Internet clients.
■ Content download jobs allow you to retrieve in advance Web content based on
your analysis of usage. Jobs can be scheduled to run at off-peak hours to populate
the ISA Server cache content prior to a user’s requesting the data.
■ When caching is enabled on ISA Server, it stores the cache both in the server
memory and on the server hard disk. ISA Server optimizes the use of the cache.
■ Web proxy chaining can allow branch offices to take advantage of a larger cache
maintained at head office and use it to build up cached content at the branch office.
Lesson 2
Configuring Caching
6-13
Lesson 2: Configuring Caching
By default, caching is disabled on ISA Server 2004. To enable caching, you must
configure a cache drive. You can also optimize caching by creating and modifying
cache rules. This lesson explains how to enable and optimize caching and provides
guidelines for how to troubleshoot caching.
After this lesson, you will be able to
■ Enable caching and configure cache drives
■ Configure cache rule settings
■ Create and manage cache rules
■ Troubleshoot caching
Estimated lesson time: 20 minutes
How to Enable Caching and Configure Cache Drives
By default, a new installation of ISA Server is configured with a maximum cache size of
0 megabytes (MB), which means that ISA Server will not cache any content. To enable
caching, you must define a cache drive. To define a cache drive, complete the following
procedure:
1. Open ISA Server Management, expand Configuration, and then click Cache.
2. In the details pane, click the Cache Rules tab.
3. On the Tasks tab, click Define Cache Drives, as shown in Figure 6-4.
[Figure 6-4 Configuring a cache drive (screen shot of the Define Cache Drives task)]
4. In the Define Cache Drives dialog box, select one of the drives listed in the list box.
5. In Maximum cache size, type the amount of space on the selected drive to allocate
for caching.
6. Click Set to configure the cache drive.
Note The drive you use for caching must be a local drive that is formatted using NTFS. To
optimize performance, use a drive different from the one on which the main ISA Server system, the operating system, and the page file are installed.
When you configure a drive to be used for caching, ISA Server creates a file with a .cdat
extension in the \Urlcache folder on that drive. The .cdat file is as large as the amount
of space you dedicated for caching on that drive. As ISA Server caches the objects, it
places the objects into the .cdat file. If the .cdat file is too full to hold a new object, ISA
Server removes older objects from the cache by using a formula that evaluates age,
popularity, and size. The .cdat file can be accessed only by the Web proxy service.
How to Configure Cache Settings
After you define the cache drives, ISA Server will begin caching Web content based on
the default caching configuration. This default configuration can be modified to meet
your organization’s requirements. You can modify how ISA Server caches specific types
of HTTP objects. By limiting certain types of content, you can improve the efficiency of
the caching process. For example, you can configure ISA Server to limit the size of
cached objects to reserve cache space for additional smaller objects.
Important The ISA Server Management Console interface provides the option to configure
active caching, but the functionality has been disabled in ISA Server 2004. Active caching,
which was available in ISA Server 2000, was used by ISA Server to download popular content
from the Internet before the TTL expired. This feature is not available in ISA Server 2004,
even though the feature still appears in the interface.
To configure content settings for caching:
1. In ISA Server Management Console, in the console tree, click Cache, and then, in
the details pane, click Configure Cache Settings.
2. In the Cache Settings dialog box, on the Advanced tab, shown in Figure 6-5,
configure the settings listed in Table 6-2.
[Figure 6-5 Configuring advanced cache settings (screen shot of the Advanced tab of the Cache Settings dialog box)]
Table 6-2 Advanced Caching Configuration Options

Configuration Option: Cache Objects That Have An Unspecified Last Modification Time
Use This Option To: Configure ISA Server to cache objects that do not have a TTL
defined in the page header. If you select this option, ISA Server
will cache these objects and clean them up based on the parameters defined by the cache rule that applies to content retrieved
from the specific Web site.

Configuration Option: Cache Objects Even If They Do Not Have An HTTP Status Code Of 200
Use This Option To: Configure responses by ISA Server to requests that failed to
return an object. This type of caching is referred to as negative
caching. When you configure negative caching, ISA Server
returns error messages to clients and caches the negative results,
even if the Web site is only temporarily unavailable. Until the TTL
for the negative response expires, clients may receive an error
message from ISA Server even if the object is actually available
again. When you configure negative caching, HTTP objects with
the following status codes are cached:
203 Partial information
300 Redirection
301 Object has moved permanently
410 Object is gone

Configuration Option: Maximum Size Of URL Cached In Memory (Bytes)
Use This Option To: Configure the Uniform Resource Locators (URLs) that ISA Server
will store in memory. When you increase the amount of memory
that a single object may occupy, ISA Server will store fewer Web
objects. ISA Server will cache objects larger than this limit on
disk.

Configuration Option: If Web Site Of Expired Object Cannot Be Reached: Do Not Return The Expired Object (Return An Error Page)
Use This Option To: Configure ISA Server to never return an expired item to a user. For
example, ISA Server may have a cached copy of a Web page that
has expired. If the Web server is available when a user requests
the same page, ISA Server would retrieve a fresh page from the
Internet Web server. However, if the Internet Web server is not
available and this option is selected, ISA Server will return an error
message to the user. If this option is not selected, then ISA Server
will return the expired content to the user.

Configuration Option: At Less Than This Percentage Of Original Time-To-Live
Use This Option To: Configure the time period for when ISA Server will return an
expired object based on the original TTL. For example, if a Web
page has a TTL of 100 minutes and this option is set at 50 percent, ISA Server will return the page for 50 minutes after it
expires.

Configuration Option: But No More Than (Minutes)
Use This Option To: Configure the maximum time period for when ISA Server will
return an expired object. For example, if a page has a TTL of 24
hours, and the percentage value is set at 50 percent, but this
value is set at 60 minutes, ISA Server will respond with an error
message to all requests for objects that have been expired for
more than 60 minutes.

Configuration Option: Percentage Of Free Memory To Use For Caching
Use This Option To: Configure the amount of RAM the computer running ISA Server
will use for caching. If this server is used primarily as a caching
server, you should increase this number. If you are using ISA
Server for reverse caching, you should configure the RAM cache
to be equal to your internal Web site size so that all client
requests can be provided from the RAM cache.
Exam Tip If you get an exam question in which users cannot access a Web site, even
though the Web site is available from a client that is not using the ISA Server computer as a
Web proxy server, the reason may be negative caching. If negative caching is enabled, ISA
Server caches the fact that the Web site is not available until the TTL expires. To avoid this,
you must disable negative caching.
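The expired-object and negative-caching settings in Table 6-2 can be modelled as a small policy check. The following Python is an added example, not ISA Server code or anything from the training kit; the class names, the whole-minute clock and the NegativeCache structure are assumptions, while the percentages, minute caps and status codes come from the table.

```python
"""Model of the expired-object and negative-caching settings in Table 6-2.
Added illustration only: the class and function names are assumptions,
not ISA Server code, and times are tracked as whole minutes."""
from dataclasses import dataclass
from typing import Optional

# Status codes stored when negative caching is enabled (Table 6-2).
NEGATIVE_CACHED_STATUSES = {203, 300, 301, 410}


@dataclass
class ExpiredObjectPolicy:
    """'If Web Site Of Expired Object Cannot Be Reached' settings."""
    return_expired: bool = True   # False: return an error page instead
    percent_of_ttl: int = 50      # At Less Than This Percentage Of Original TTL
    max_minutes: int = 60         # But No More Than (Minutes)


@dataclass
class CachedObject:
    ttl_minutes: int              # TTL the object was cached with
    age_minutes: int              # minutes since it entered the cache

    @property
    def minutes_expired(self) -> int:
        return max(0, self.age_minutes - self.ttl_minutes)


def grace_window_minutes(policy: ExpiredObjectPolicy, obj: CachedObject) -> int:
    """Minutes past expiry during which a stale copy may still be served:
    the percentage of the original TTL, capped by the absolute maximum."""
    by_percent = obj.ttl_minutes * policy.percent_of_ttl // 100
    return min(by_percent, policy.max_minutes)


def serve_decision(policy, obj, origin_reachable):
    """What ISA Server returns for a request, as (outcome, reason)."""
    if obj.minutes_expired == 0:
        return "fresh", "unexpired object served from the cache"
    if origin_reachable:
        return "origin", "object expired; request routed to the Web server"
    if not policy.return_expired:
        return "error", "expired, origin unreachable, error page returned"
    window = grace_window_minutes(policy, obj)
    if obj.minutes_expired <= window:
        return "stale", f"expired {obj.minutes_expired} min ago, within the {window}-min window"
    return "error", f"expired {obj.minutes_expired} min ago, beyond the {window}-min window"


class NegativeCache:
    """Negative caching: a failed response is cached for its own TTL, so
    clients keep getting the error until that TTL runs out (Exam Tip)."""

    def __init__(self, enabled: bool):
        self.enabled = enabled
        self._entries = {}        # url -> (status, minute the entry expires)

    def record(self, url, status, ttl_minutes, now):
        if self.enabled and status in NEGATIVE_CACHED_STATUSES:
            self._entries[url] = (status, now + ttl_minutes)
            return True
        return False

    def cached_error(self, url, now) -> Optional[int]:
        entry = self._entries.get(url)
        if entry and now < entry[1]:
            return entry[0]       # error served even if the site is back
        return None
```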
What Are Cache Rules?
In some cases, you may have different caching requirements for specific Web content.
You can use cache rules to define the types of Web content that is stored in the cache
and how Web content is stored and returned to users from the cache.
Why Use Cache Rules?
The default caching configuration, including the cache settings and the default cache
rule, is sufficient for many organizations. If these settings are not modified, the default
settings apply to all Web content cached in the ISA Server cache for both forward and
reverse caching scenarios.
However, in some cases, you may need to configure a more specific caching configuration. For example, users in your organization may frequently access a Web site, so you
may want to configure the cache so that all content from that Web site is cached on the
computer running ISA Server. If the Web site contains critical information that changes
frequently, you may need to implement the opposite solution, that is, configure the Web
site to never be cached.
6-18
Chapter 6
Implementing ISA Server Caching
Cache Rule Settings
When you enable caching on ISA Server, a default cache rule is enabled. You can also
configure a wide variety of settings that enable you to fine-tune caching performance
on ISA Server. Table 6-3 describes how you can change options to fine-tune caching
performance and how the default cache rule is configured.
Table 6-3 Cache Rule Options and the Default Cache Rule
Cache Rule Options / The Default Cache Rule
■ Apply to content retrieved from all Internet locations, or limit the rule to apply to specific destination sets. You can also configure the rule to apply to all Internet content except specific destination sets.
Default cache rule: Applies to content requested from all network locations.
■ Define how Web content is returned to the user. For example, you can define a cache rule that will always return the content from the cache, whether the information has expired or not.
Default cache rule: Will return unexpired content to a Web user who requests the content. If the content has expired, ISA Server will route the request to the Web server.
■ Define whether Web content is stored in the cache. You can configure the cache rule so that the Web content is never cached, or so that specific parameters are applied defining what type of content is cached.
Default cache rule: Will cache the default cacheable objects.
■ Define whether HTTP content, FTP content, or both types of content are cached and configure the caching configuration for each protocol.
Default cache rule: Enables both HTTP and FTP caching with a default TTL setting. You can enable or disable HTTP or FTP caching on the default rule, or modify the default TTL settings. These settings are the only settings that you can modify on the default cache rule.
■ Define the maximum size for cached objects.
Default cache rule: Does not set limits on the maximum size of cached objects.
■ Define whether Secure Sockets Layer (SSL) content will be cached.
Default cache rule: Caches SSL responses.
Exam Tip Remember that the default cache rule applies to all cached content on the ISA
Server computer. The only way that you can change this default behavior for a specific Web
site is by configuring a cache rule for that site. So if you see an exam question that defines
different caching requirements for a particular Web site, you must create a caching rule. If you
want to enable caching, yet need to ensure that users always get the most recent data from a
particular Web site, configure a cache rule that prevents caching for that Web site.
Lesson 2
Configuring Caching
6-19
How to Create and Manage Cache Rules
To create a caching rule, complete the following procedure:
1. In ISA Server Management Console, click Cache, and then choose the option to
Create a Cache Rule.
2. The New Cache Rule Wizard starts. All the cache rule settings can be configured
using the wizard.
3. The first option is to define the Cache Rule Destination, as shown in Figure 6-6.
The cache rule destination uses destination sets defining to which Web content
this rule applies. You can use any destination set that is available on ISA Server, or
create a new destination set. For example, if you want to apply this rule to a
specific Web site, you can use or create a URL set or a domain name set and apply
the rule only to that destination set.
Figure 6-6 Configuring cache rule destinations
4. The second option you must define is the content retrieval settings, as shown in
Figure 6-7. The settings are described in Table 6-4.
Figure 6-7 Configuring cache rule content retrieval settings
Table 6-4 Configuring Content Retrieval Settings
Content Retrieval Options / Choose This Option To
■ Only If A Valid Version Of The Object Exists In The Cache. If No Valid Version Exists, Route The Request To The Server
Configure ISA Server to retrieve the requested object from the cache if it has not expired. If the object has expired, ISA Server will retrieve the content from the Internet.
■ If Any Version Of The Object Exists In The Cache. If None Exists, Route The Request To The Server
Configure ISA Server to retrieve the requested object from its cache if any version exists, even if the version is expired. If no version exists, ISA Server will retrieve the content from the Internet.
■ If Any Version Of The Object Exists In The Cache. If None Exists, Drop The Request (Never Route The Request To The Server)
Configure ISA Server to retrieve the requested object from its cache if any version exists, even if the version is expired. If no version exists, ISA Server will return an error to the client.
5. You can also configure what content will be stored in the cache on the Cache Content page, as shown in Figure 6-8. The options are listed in Table 6-5.
Figure 6-8 Configuring cache rule content caching settings
Table 6-5 Configuring Content Caching
Cache Content Options / Choose This Option To
■ Never, No Content Will Ever Be Cached
Configure ISA Server to not cache any of the requested content but to always retrieve it from the Internet.
■ If Source And Request Headers Indicate To Cache
Configure ISA Server to cache all content that is marked as cacheable.
■ In Addition, Also Cache: Dynamic Content
Configure ISA Server to also cache dynamic content that would normally not be cached.
■ In Addition, Also Cache: Content For Offline Browsing (302, 307 Responses)
Configure ISA Server to cache content with 302 and 307 response codes. These response codes indicate that the content has been temporarily relocated or the client has been temporarily redirected.
■ In Addition, Also Cache: Content Requiring User Authentication For Retrieval
Configure ISA Server to cache content that may require authentication to be accessed.
6. On the Cache Advanced Configuration page shown in Figure 6-9, you can configure the settings listed in Table 6-6.
Figure 6-9 Configuring cache rule advanced configuration
Table 6-6 Configuring the Advanced Caching Settings
Advanced Caching Options / Choose This Option To
■ Do Not Cache Objects Larger Than:
Limit the size of objects that ISA Server will cache.
■ Cache SSL Responses
Configure ISA Server to cache SSL content. ISA Server can only cache SSL content in an SSL bridging configuration.
7. On the HTTP Caching page, as shown in Figure 6-10, you can configure the settings listed in Table 6-7.
Figure 6-10 Configuring cache rule HTTP caching
Table 6-7 Configuring HTTP Caching
HTTP Caching Options / Choose This Option To
■ Enable HTTP Caching
Enable or disable the caching of HTTP content.
■ Set TTL Of Objects (Percent Of The Content Age)
Configure the TTL for HTTP content. The time is expressed as a percentage of the TTL provided by the content.
■ TTL Time Boundaries
Configure the minimum and maximum amount of time that the content should be cached.
■ Also Apply These TTL Boundaries To Sources That Specify Expiration
Configure the ISA Server TTL settings to override the expiration data included with the content.
8. On the FTP Caching page, as shown in Figure 6-11, you can configure the settings
listed in Table 6-8.
Figure 6-11 Configuring cache rule FTP caching
Table 6-8 Configuring FTP Caching
FTP Caching Options / Choose This Option To
■ Enable FTP Caching
Enable or disable the caching of FTP content.
■ TTL For FTP Objects
Configure how long the TTL is for FTP content.
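The HTTP Caching settings in Table 6-7 combine into one TTL computation. This Python is an added example rather than ISA Server code; the function and class names are assumptions, and it takes the content age to be the span between a response's Last-Modified and Date headers, which the table does not spell out.

```python
"""Model of the HTTP Caching settings in Table 6-7. Added illustration,
not ISA Server code: names are assumptions, and 'content age' is taken to
be the time between the response's Last-Modified and Date headers."""
from dataclasses import dataclass
from email.utils import parsedate_to_datetime


@dataclass
class HttpCachingSettings:
    enabled: bool = True
    percent_of_age: int = 20       # Set TTL Of Objects (Percent Of The Content Age)
    min_minutes: int = 15          # TTL Time Boundaries: lower bound
    max_minutes: int = 1440        # TTL Time Boundaries: upper bound
    bound_explicit_expiry: bool = False  # Also Apply These TTL Boundaries To Sources That Specify Expiration


def _clamp(value, low, high):
    return max(low, min(value, high))


def http_ttl_minutes(settings, age_minutes, explicit_ttl=None):
    """TTL in minutes, or None when HTTP caching is disabled for the rule."""
    if not settings.enabled:
        return None
    if explicit_ttl is not None:
        # The source's own expiration wins unless the boundaries are forced on it.
        if settings.bound_explicit_expiry:
            return _clamp(explicit_ttl, settings.min_minutes, settings.max_minutes)
        return explicit_ttl
    derived = age_minutes * settings.percent_of_age // 100
    return _clamp(derived, settings.min_minutes, settings.max_minutes)


def _minutes_between(later, earlier):
    delta = parsedate_to_datetime(later) - parsedate_to_datetime(earlier)
    return int(delta.total_seconds() // 60)


def ttl_from_headers(settings, headers):
    """Derive the TTL from a response's Date, Last-Modified and Expires headers."""
    explicit = None
    if "Expires" in headers:
        explicit = max(0, _minutes_between(headers["Expires"], headers["Date"]))
    age = 0
    if "Last-Modified" in headers:
        age = max(0, _minutes_between(headers["Date"], headers["Last-Modified"]))
    return http_ttl_minutes(settings, age, explicit)
```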
Managing Cache Rules
After you configure caching rules, you may need to modify the cache rule settings or
manage the cache rules. There are several actions that you may need to perform to
manage cache rules. These include the following:
■ Modifying settings  You may need to modify a cache rule after creating it. To
modify the cache rule settings, open ISA Server Management, expand the Cache
container, and click the cache rule on the Cache Rules tab. Then click Edit Selected
Rule, as shown in Figure 6-12. The configuration options when modifying the rule
are the same as the options when creating the rule, with one additional option.
When you modify the cache rule properties, you can use destination sets to configure exceptions to the network entities that the rule applies to. For example, if you
need to configure a rule that applies to all Web sites except one, you can configure
a destination set for the Web site’s URL and add it to the Exceptions list.
Figure 6-12 Adding exceptions to a cache rule
■ Managing rule order  Just like firewall access rules, you may need to modify
the cache rule order to achieve a desired result. When ISA Server receives a Web
request, it evaluates the cache rules in order. The first cache rule that matches the
client request is applied. For example, you may have a cache rule that specifies
the caching criteria for all Internet Web sites and another rule that specifies different caching requirements for a specific Web site. If the caching rule controlling
caching for all Web sites is listed before the more specific rule, the more specific
rule will never be applied. In general, you should configure the more specific
rules so that they are evaluated first. The default caching rule will always be the
last rule to be applied. To modify the rule order, click the rule you want to reorder
and click either Move Selected Rules Up or Move Selected Rules Down.
■ Disabling or deleting cache rules  If a cache rule is no longer required, you
can disable or delete the rule. To do this, click the rule you want to modify and
then click Disable Selected Rules or Delete Selected Rules.
■ Export and import cache rules  Just as with any other ISA Server configuration
setting, you can export the cache rule configuration to an .xml file and import
cache rule settings. Use this option to create a backup copy of your cache rules
before modifying the configuration.
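Rule order, destination sets and exceptions determine which cache rule a request gets, as the list above explains; this added Python example (not ISA Server code) walks an ordered rule list the same way, with the default rule last. The DomainNameSet, UrlSet and CacheRule classes and the hostnames used are assumptions, and the content retrieval outcomes follow Table 6-4.

```python
"""Model of ISA Server 2004 cache rule evaluation: rules are checked in
order, the first rule whose destination matches is applied, and the
default rule always comes last. Added illustration; the classes and names
are assumptions, not ISA Server's API."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class DomainNameSet:
    """Domain name set: matches a host, or with a leading '*.' its subdomains too."""
    names: tuple

    def matches(self, url: str) -> bool:
        host = urlparse(url).hostname or ""
        for name in self.names:
            if name.startswith("*."):
                if host == name[2:] or host.endswith(name[1:]):
                    return True
            elif host == name:
                return True
        return False


@dataclass
class UrlSet:
    """URL set: exact URLs, or prefixes when the pattern ends in '*'."""
    patterns: tuple

    def matches(self, url: str) -> bool:
        return any(url.startswith(p[:-1]) if p.endswith("*") else url == p
                   for p in self.patterns)


class AllInternet:
    """Destination used by the default rule: every request matches."""

    def matches(self, url: str) -> bool:
        return True


# Content retrieval settings from Table 6-4.
VALID_ONLY = "valid_only"    # Only If A Valid Version ... Route The Request To The Server
ANY_VERSION = "any_version"  # If Any Version ... If None Exists, Route The Request To The Server
ANY_OR_DROP = "any_or_drop"  # If Any Version ... If None Exists, Drop The Request


@dataclass
class CacheRule:
    name: str
    destinations: tuple          # destination sets the rule applies to
    exceptions: tuple = ()       # destination sets excluded (Figure 6-12)
    retrieval: str = VALID_ONLY
    cache_content: bool = True   # False: "Never, No Content Will Ever Be Cached"
    enabled: bool = True

    def applies_to(self, url: str) -> bool:
        if not self.enabled or any(e.matches(url) for e in self.exceptions):
            return False
        return any(d.matches(url) for d in self.destinations)


DEFAULT_RULE = CacheRule("Default rule", (AllInternet(),))


def match_rule(rules, url):
    """First matching rule wins; a general rule listed before a specific one
    shadows it, which is the ordering problem described in the text."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.applies_to(url):
            return rule
    return DEFAULT_RULE


def resolve(rules, url, cache_state):
    """Where the response comes from for cache_state None, 'valid' or 'expired'."""
    rule = match_rule(rules, url)
    if cache_state == "valid":
        return rule.name, "cache"
    if cache_state == "expired" and rule.retrieval in (ANY_VERSION, ANY_OR_DROP):
        return rule.name, "cache (expired)"
    if rule.retrieval == ANY_OR_DROP:
        return rule.name, "error"          # never routed to the Web server
    return rule.name, "web server"
```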
Guidelines for Troubleshooting Caching
Caching is an important feature of ISA Server 2004 and, if configured correctly, caching
can provide benefits in speed of response and in reduction of bandwidth usage. At the
same time, there are situations in which you may need to troubleshoot caching on ISA Server. Use the following guidelines when troubleshooting
ISA Server caching:
■ If users are accessing the Internet to retrieve objects rather than retrieving the
objects from the ISA Server cache, check to see if caching is enabled. To do this,
check the cache configuration to ensure that a cache drive has been created. And
confirm that the client computers are configured to use the ISA Server computer as
a Web proxy server.
■ If only some objects are cached and the cache contents are deleted frequently,
ensure that the cache drive is large enough. Cached content may be being discarded
due to lack of space. You can use Performance Monitor to check the Total URLs
Cached and Total Memory URLs Retrieved. A low number could indicate a cache
drive that is too small.
■ If some Web sites are not being cached at all and you have caching rules configured,
ensure that the caching rule order is correct. Check to see that one rule is not
blocking another rule from being evaluated. Rules are evaluated in the order that
they are listed in the ISA Server Management interface.
■ If users cannot retrieve content from specific Web sites, check to see if negative
caching is enabled. Intermittent network problems may have caused one negative
response to be cached, thereby affecting all subsequent users.
■ If users are receiving outdated content from a particular Web site that is included
in a cache rule, decrease the TTL for the caching rule.
■ If objects are being cached but not returned to clients from the cache, check to see
if the cache has become corrupted. Use Performance Monitor to check caching
statistics. If Performance Monitor indicates that Web content is being cached, but
no content is being retrieved from the cache, you may need to clear the ISA Server
cache. You can clear the cache by disabling caching and enabling it again.
See Also
You can also download a script from Microsoft TechNet that you can use to clear the contents of the cache file. The file is available as part of the Deleting Cache Contents article located at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/deletecachecontents.mspx.
Practice: Configuring Caching and Cache Rules
In this practice, you will configure ISA Server caching and then configure a cache rule.
You will use Microsoft Internet Explorer, ISA Server logging, and the Performance
Microsoft Management Console (MMC) to monitor caching.
Exercise 1: Enabling and Configuring Caching
1. Log on to ISA1 as an ISA Server Administrator. Open ISA Server Management.
Expand ISA1, expand Configuration, and then click Cache.
2. In the details pane, click the Cache Rules tab.
3. On the Tasks tab, click Define Cache Drives.
4. In the Define Cache Drives dialog box, ensure that the C drive is selected.
5. In Maximum cache size, type 50. Click Set to configure the cache drive.
6. Click OK, and then click Apply. In the ISA Server Warning dialog box, click Save
The Changes And Restart The Services, and then click OK.
7. After the changes are applied, click OK.
8. Click Configure Cache Settings.
9. In the Cache Settings dialog box, on the Advanced tab, clear the check box for
Cache Objects even if they do not have an HTTP status code of 200. Click OK.
10. Click Apply to apply the changes.
Exercise 2: Configuring Cache Rules on ISA Server
1. In the ISA Server Management Console, click the Cache Rules tab.
2. On the Tasks tab, click Create a Cache Rule.
3. On the Welcome To The New Cache Rule Wizard page, type Microsoft Site
Cache Rule as the name for the rule, and then click Next.
4. On the Cache Rule Destination page, click Add to open the Add Network Entities
dialog box. Expand URL Sets, and then click Microsoft URL. Click Add, and then
click Close.
5. On the Cache Rule Destination page, click Next.
6. On the Content Retrieval page, click Next.
7. On the Cache Content page, click Next.
8. On the Cache Advanced Configuration page, click Next.
9. On the HTTP Caching page, ensure that HTTP caching is enabled, and then click
Next.
10. On the FTP Caching page, disable FTP caching, and then click Next.
11. On the Completing The New Cache Rule Wizard page, review the settings, and
then click Finish.
12. Click Apply to apply the changes.
Exercise 3: Monitoring ISA Server Caching
1. On CLIENT1, log on as a domain user.
2. Click Start and then right-click Internet. Click Internet Properties.
3. On the Advanced tab, under Security, select the check box for Empty Temporary
Internet Files When Browser Is Closed. Click OK.
4. On ISA1, in ISA Server Management, click Monitoring.
5. Click the Logging tab. On the Tasks tab, click Configure Web Proxy Logging.
6. In the Web Proxy Logging Properties dialog box, on the Fields tab, select the
check box for Cache Information. Click OK.
7. Click Apply to apply the changes.
8. On the Logging tab, click Start Query.
9. Right-click Log Time and click Add/Remove Columns.
10. In the Add/Remove Columns dialog box, click Cache Information, and then click
Add to add the column to the Displayed Columns list.
11. Click Cache Information in the Displayed Columns list and move it up so that it is
second in the list.
12. Click URL in the Displayed Columns list and move it up so that it is third in the list.
13. Click OK.
14. On ISA1, open the Performance Console from the Administrative Tools folder.
15. Ensure that the Pages/Sec counter is selected and press DELETE. Press DELETE
two more times, deleting all the performance counters.
16. Click Add (+) on the Performance Console toolbar.
17. In the Add Counters dialog box, in the Performance Object list, click ISA Server
Cache.
18. Click All counters, and then click Add.
19. Click Close to close the Add Counters dialog box.
20. Press CTRL-R to switch the performance view to a report view.
21. On CLIENT1, open Internet Explorer and access http://www.microsoft.com.
22. Close Internet Explorer.
23. On ISA1, in ISA Server Management, click Stop Query.
24. Review information in the Cache Information and Destination IP columns. A cache
information value of 800000 means that the content was retrieved from the Internet,
but that the content is cacheable and that the response included the Last-Modified
header. A destination Internet Protocol (IP) that is the actual IP address of the server
on the Internet also indicates that the page was retrieved from the Internet. A value
of 40840000 indicates that this content should not be cached because it contains the
Cache-Control: No-Cache header or the Pragma: No-Cache header. A value of
a00000 indicates that this content should be cached but it has a time limit defined.
25. Switch to the Performance Console. Notice that ISA Server has cached several URLs.
26. In ISA Server Management, click Start Query.
27. On CLIENT1, open Internet Explorer and access http://www.microsoft.com.
28. Close Internet Explorer.
29. On ISA1, click Stop Query.
30. Review information in the Cache Information and Destination IP columns for each
of the Tailspin Toys URLs. A cache information value of 0 means that the content
was retrieved from the ISA Server cache. A destination IP of 0.0.0.0 also indicates
that the page was retrieved from the ISA Server cache.
31. Switch to the Performance Console. Notice that the Total URLs Retrieved from
Memory Cache and the Total Bytes Retrieved from Memory Cache (KB) counters
show that ISA Server retrieved the cached content from the memory cache.
32. Close the Performance Console.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed ISA Server 2004 and configured the server as a Web proxy
server. All internal client computers are configured as Firewall clients. You enable
caching on ISA Server, using the default caching configuration. After you enable
caching, users report that they are getting more error messages when they try to
access some Web sites. You investigate and determine that the error messages
appear when a Web site is temporarily unavailable. Users continue to get the error
messages for some time after the Web site is available. You need to ensure that the
users can access the Web sites as soon as they are available on the Internet. How
can you do this?
2. You have deployed ISA Server and configured the server as a Web proxy server.
After you enable caching, some users report that they get out-of-date information
from a partner Web site. The Web site contains information that changes frequently,
sometimes several times a day. The users say that the information from the Web site
that they see is sometimes more than a day old. You must ensure that users always
get the most recent information from the partner Web site, but you do not want to
affect the caching configuration for other Web sites. What should you do?
a. Modify the cache settings so that data that has expired for more than 30 minutes
will not be returned to the client.
b. Create a cache rule for this Web site. Configure the cache rule to never cache
content from the Web site.
c. Create a cache rule for this Web site. Configure the cache rule to cache
dynamic content.
d. Create a cache rule that will apply to all Web sites except this Web site. Configure the cache rule to not cache dynamic content.
3. You have configured ISA Server to cache content from a Web site that is updated
regularly. You want to ensure that your users never receive an outdated page from
cache if the Web site is unavailable. You also want them to be informed if the Web
site is unavailable. What settings should you configure?
Lesson Summary
■ Caching is not enabled by default on ISA Server 2004. To enable caching, you
must configure a cache drive. You can then configure additional cache settings for
Web content.
■ The default caching rule is in effect as soon as caching is enabled. If you need different caching configurations for specific Web sites, you can configure cache rules
to define the types of Web content that will be cached and how it is stored and
returned to users.
■ Cache rules can be modified, disabled, or deleted as requirements and conditions
change.
■ When troubleshooting ISA Server caching, determine the extent of the problem
and then check the caching and cache rule configurations.
Lesson 3: Configuring Content Download Jobs
In addition to managing caching and configuring cache rules, you may also need to configure and manage content download jobs. As described earlier, content download jobs
are used to populate the ISA Server cache with content before any user requests the
information. This lesson describes how to configure and manage content download jobs.
After this lesson, you will be able to
■ Configure content download jobs
■ Manage content download jobs
Estimated lesson time: 15 minutes
How to Configure Content Download Jobs
By default, no content download jobs are configured on ISA Server when you enable
caching. You can configure a content download job to download all content or some
of the content from a specific Web site. To configure a content download job, complete
the following procedure:
1. In ISA Server Management, expand Configuration, click Cache and then select the
Content Download Jobs tab.
2. Click Schedule A Content Download Job. If this is the first time you are
enabling a content download job, you will receive a message stating the
requirements for enabling schedule download jobs. The following two requirements must be met to enable content download jobs:
❑ The Local Host network must be configured to listen for Web proxy client
requests. This option is enabled by default.
❑ The Scheduled Download Job configuration group must be enabled. This
option is not enabled by default but can be enabled from the warning screen
or by editing system policy.
3. After applying the change, click Schedule A Content Download Job again. The
New Scheduled Content Download Job Wizard starts.
4. The first configuration option is to configure the download frequency, as shown in
Figure 6-13. The options are described in Table 6-9.
Figure 6-13 Configuring download frequency for a content download job
Table 6-9 Configuring Download Frequency
Download Frequency Options / Choose This Option To
■ One Time Only, On The Completion Of This Wizard
Configure ISA Server to download the content once, immediately after you apply the changes made by the wizard.
■ One Time Only, Scheduled
Configure ISA Server to download the content once, based on a schedule that you configure.
■ Daily
Configure ISA Server to download the content every day at a configured time.
■ Weekly
Configure ISA Server to download the content on a weekly schedule. You can configure the schedule to download on specific days during the week and at particular times.
5. The next page in the wizard depends on the choice you made in the previous
step. If you chose any option other than the first option, you will be asked to
configure the download schedule, as shown in Figure 6-14.
Figure 6-14 Configuring a content download schedule
6. Next, on the Content Download page, as shown in Figure 6-15, you configure the
content download job details. You can configure the options listed in Table 6-10.
Figure 6-15 Configuring Content Download Job details
Table 6-10 Configuring Content Download Job Details
Content Download Options / Choose This Option To
■ Download Content From This URL
Specify the URL that will be downloaded to the ISA Server cache.
■ Do Not Follow Link Outside The Specified URL Domain Name
Specify that only content from the domain name in the URL will be downloaded. If this option is not selected, ISA Server will download content from all links up to the maximum depth-of-links setting.
■ Maximum Depth Of Links Per Page
Specify the number of links ISA Server will follow to download content.
■ Limit Number Of Objects Retrieved To Maximum Of
Specify the maximum number of Web objects that will be downloaded by this job.
■ Maximum Number Of Concurrent TCP Connections To Create For This Job
Specify the maximum number of connections that will be used to download content at the same time.
7. On the Content Caching page, you can choose how the content is cached on ISA
Server, as shown in Figure 6-16. You can configure the options listed in Table 6-11.
Figure 6-16 Configuring Content Download Job caching
Table 6-11 Configure Content Download Job Caching
Content Caching Options / Choose This Option To
■ Cache All Content
Specify that all content will be cached even if the source and request headers indicate that the content is not cacheable.
■ If Source And Request Headers Indicate To Cache, Or If Content Is Dynamic, Then The Content Will Be Cached
Specify that all content will be cached if the source and request headers indicate that the content is cacheable, or if the content is dynamic.
■ If Source And Request Headers Indicate To Cache, Then The Content Will Be Cached
Specify that all content will be cached if the source and request headers indicate that the content is cacheable.
■ Expire Content According To The Cache Rule
Specify that the content will expire based on the cache rule that applies to this content.
■ Set TTL If Not Defined In Response
Specify that the content will expire based on the TTL defined in the response header and the associated cache rule. If there is no TTL defined in the response header, configure the TTL based on the value configured in the Mark downloaded objects with a new TTL (minutes) text box.
■ Override Object’s TTL
Specify that the content will expire based on the TTL value configured in the Mark downloaded objects with a new TTL (minutes) text box.
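The download-job limits from Table 6-10 and the TTL options from Table 6-11 can be illustrated with a breadth-first prefetch over an in-memory site graph. This is an added example, not ISA Server code; the SITE graph, hostnames and function names are constructed assumptions, "outside the specified URL domain name" is taken to mean a different hostname, and the concurrent-connection limit is not modelled.

```python
"""Model of a content download job's limits (Table 6-10) and TTL options
(Table 6-11). Added illustration, not ISA Server code: SITE is a
constructed stand-in for the Web, names are assumptions, 'outside the
specified URL domain name' is taken as a different hostname, and the
concurrent-connection limit is not modelled."""
from collections import deque
from urllib.parse import urlparse

# Constructed site graph: URL -> (links on the page, TTL minutes from the
# response headers, or None when the response defines no TTL).
SITE = {
    "http://www.msn.test/": (["http://www.msn.test/news",
                              "http://www.msn.test/sports",
                              "http://ads.other.test/banner"], 30),
    "http://www.msn.test/news": (["http://www.msn.test/news/story1"], None),
    "http://www.msn.test/sports": (["http://www.msn.test/sports/scores"], 10),
    "http://www.msn.test/news/story1": ([], None),
    "http://www.msn.test/sports/scores": ([], None),
    "http://ads.other.test/banner": ([], None),
}

EXPIRE_BY_RULE = "rule"         # Expire Content According To The Cache Rule
SET_IF_MISSING = "if_missing"   # Set TTL If Not Defined In Response
OVERRIDE = "override"           # Override Object's TTL


def assign_ttl(response_ttl, mode, new_ttl, rule_ttl):
    """TTL given to a downloaded object under the Table 6-11 option."""
    if mode == OVERRIDE:
        return new_ttl
    if mode == SET_IF_MISSING:
        return response_ttl if response_ttl is not None else new_ttl
    return response_ttl if response_ttl is not None else rule_ttl


def run_download_job(start_url, max_depth, same_domain_only, max_objects,
                     ttl_mode=EXPIRE_BY_RULE, new_ttl=60, rule_ttl=1440,
                     site=SITE):
    """Breadth-first prefetch that honours the job limits; returns {url: ttl}."""
    start_host = urlparse(start_url).hostname
    cached = {}
    queue = deque([(start_url, 0)])
    seen = {start_url}
    while queue and len(cached) < max_objects:
        url, depth = queue.popleft()
        if url not in site:
            continue                      # object unreachable: skipped
        links, response_ttl = site[url]
        cached[url] = assign_ttl(response_ttl, ttl_mode, new_ttl, rule_ttl)
        if depth >= max_depth:
            continue                      # Maximum Depth Of Links Per Page
        for link in links:
            if link in seen:
                continue
            if same_domain_only and urlparse(link).hostname != start_host:
                continue                  # Do Not Follow Link Outside ...
            seen.add(link)
            queue.append((link, depth + 1))
    return cached
```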
Exam Tip
If an exam question deals with a content download job that does not work as
expected, look for details that will help you to locate the problem. If none of the expected
content is cached, then check the job schedule or the URL specified in the job configuration.
If some of, but not all, the content is cached, then check the job configuration to ensure that
it is downloading the expected content.
How to Manage Content Download Jobs
After you configure content download jobs, you may need to modify the job setting or
configure other content download job settings. There are several actions that you may
need to perform to manage content download jobs. These include the following:
■ Modifying settings  You may need to modify a content download job after creating it. To modify the job settings, open ISA Server Management, expand
the Cache container, and click the content download job on the Content Download Jobs tab. Then click Edit The Selected Job. The configuration options when
modifying the job are the same as the options when creating the job.
■ Starting and stopping content download jobs  Regardless of the schedule
configured for the content download job, you can force the job to start immediately or stop a job that’s running. To start a content download job, click the job
you want to start and click Start the Selected Job. To stop a currently running job,
click the job you want to stop and click Stop the Selected Job.
■ Disabling or deleting content download jobs  If a content download job is no
longer required, you can disable or delete the job. To do this, click the job you
want to modify, and then click Disable the Selected Jobs or Delete the Selected
Jobs.
Practice: Configuring Content Download Jobs
In this practice, you will configure a content download job and then you will use
Internet Explorer and ISA Server logging to confirm that the content download job was
successful.
Exercise 1: Creating a Content Download Job
1. On ISA1, in the ISA Server Management Console, click Cache, and then click the
Content Download Jobs tab.
2. On the Tasks tab, click Schedule A Content Download Job.
3. On the Enable Schedule Content Download Jobs dialog box, click Yes.
4. Click Apply to apply the changes.
5. On the Content Download Jobs tab, click the Tasks tab, and then click Schedule
A Content Download Job.
6. On the Welcome To The New Scheduled Content Download Job Wizard page,
type Download MSN.com as the name of the rule, and then click Next.
7. On the Download Frequency page, click One Time Only, Scheduled, and then
click Next.
8. On the Daily Frequency page, configure a Job Start Date with today’s date, and a
Job Start Time of five minutes from now. Click Next.
9. On the Content Download page, in the Download content from this URL text box,
type http://www.msn.com. Click Do Not Follow Link Outside The Specified
URL Domain Name, and click Maximum Depth Of Links Per Page. Type 1 as the
maximum depth of links per page. Click Next.
10. On the Content Caching page, click Next.
11. On the Completing The New Scheduled Content Download Job Wizard page,
review the configuration and click Finish.
Exercise 2: Testing the Content Download Job
1. On ISA1, in the ISA Server Management Console, click Cache Monitoring and, on the
Logging tab, click Start Query.
2. On CLIENT1, open Internet Explorer and access www.msn.com.
3. Click several links listed on the page.
4. Close Internet Explorer.
5. On ISA1, click Stop Query.
6. Review information in the Cache Information and Destination IP columns for each
of the MSN.com URLs. Notice that most of the pages for www.msn.com were
retrieved from the ISA Server cache while pages from URLs outside of
www.msn.com were retrieved from the Internet.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Users need to access a price list that is published at a public Web site. Bandwidth
usage from your office is tightly restricted during business hours. The page is
dynamic content and not normally cacheable material. The site is updated once
every 24 hours. How can you force ISA Server to download and cache dynamic
content and minimize the use of network bandwidth during business hours?
2. You have many branch offices with slow connections to the Internet and no direct
connection to head office. You have implemented ISA Server 2004 as a firewall
solution at all branch offices. You also want to take advantage of the caching
ability of ISA Server to allow branch office ISA Server computers to update content
from the corporate Web site twice a day during business hours. Due to hardware
restrictions, you want the branches to cache only content from your corporate
Web site. How would you configure that?
6-38
Chapter 6
Implementing ISA Server Caching
3. Many users in your organization need access to a partner organization’s Web site,
so you create a content download job for that Web site. Because the content on
the Web site changes daily, you configure the content download job to run every
night. After the first time the content download job runs, you notice that the job
included much more content than you expected. You notice that many Web sites
that are not part of the partner Web site were included in the content download
job. You need to ensure that only content from the partner Web site is included in
the content download job. How can you do this?
a. Configure the content download job to use a maximum depth of links per
page of 1.
b. Configure the content download job to limit the number of objects retrieved
to a low number.
c. Configure the content download job to not follow links outside the partner
organization’s Web site URL.
d. Configure the content download job to cache only the content that is configured as cacheable.
Lesson Summary
■ Content download jobs are used to populate the ISA Server cache with content
before any user requests the information. Content download jobs are configured on
a site-by-site basis and include several configuration options such as scheduling the
download, and configuring what types of data are cached and how long the data is
kept stored in the cache.
■ After you configure content download jobs, you can modify the job settings or configure other content download job settings.
Real World
What Is the Future of Caching?
Caching is a valuable function of ISA Server 2004. However, as the Internet
becomes more dynamic and interactive, the amount of cacheable content will
decrease and with it, the value of caching Web content. The use of Active Server
Pages, .NET programming technologies, and more user-friendly programming
languages means that there is less static content on public Web sites. Software
packages such as Microsoft FrontPage 2003 have made sophisticated Web site
development available to almost everyone. No longer do you need to be a
programming wizard to include dynamic content on your site. Often, the only
cacheable content on a public Web site is a home page that merely provides
links to dynamic content.
Perhaps the most useful feature of caching today, and the long-term future of
caching, may be between business partners or for internal use. The branch-office
scenarios, in which branch offices with slow links make use of content download
jobs to download head-office Web content to their local ISA Server computer, will
always have value. Reports and other types of information can be generated at
the head office and published to an internal site to be downloaded to branch
offices on a regular schedule to give employees access to up-to-date information
without many individuals using bandwidth during the day to access the same
content. Similar situations can exist between clients and vendors in which
updated price lists or other information can be downloaded to clients on a regular
basis.
Case Scenario Exercises
In this exercise, you will read two scenarios about configuring caching on ISA Server
2004, and then answer the questions that follow. If you have difficulty completing this
work, review the material in this chapter before beginning the next chapter. You can
find answers to these questions in the “Questions and Answers” section at the end of
this chapter.
Scenario 1
You work for an organization with branch offices located across the country. Some of
those offices are in remote areas and are connected to the Internet by a dial-up connection with expensive daytime rates. Users in all branch offices need to access a number of
public and partner Web sites to do their jobs. These users report that they must wait for
extended periods to access those sites. Some of those sites contain dynamic content.
Scenario 1 Question
1. You want to increase response times for users at the branch offices and reduce the
costs for the Internet connections. What steps should you take?
Scenario 2
You publish a Web site in your perimeter network using a Web publishing rule. The content on the Web site is updated frequently throughout the day as you perform random
updates of your page as new data becomes available. The content is accessed and used
by your business partners.
Scenario 2 Question
1. Because you perform unscheduled updates of the data, you must ensure that the
content cannot be cached by your business partners so that they always get the
most up-to-date information. What steps must you take?
Chapter Summary
■ Caching is the ability of the ISA Server 2004 to retrieve and store cacheable Web
content so that, the next time a client requests the same content, it can be retrieved
from the cache file to provide faster response and reduce bandwidth consumption.
Content download jobs allow you to prepopulate the ISA Server cache content. ISA
Server also enables Web proxy chaining that can allow branch offices to take advantage of a larger cache maintained at head office and use it to build up cached content at the branch office.
■ Caching is not enabled by default on ISA Server 2004. To enable caching, you need
to configure a cache drive. You can also configure cache rules to specify custom
rules for how content is downloaded from a specific Web site.
■ Content download jobs are configured on a site-by-site basis. When you configure
content download jobs, you can specify what Web sites are downloaded as well as
configure settings for how the content is cached.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ By default, caching is disabled on ISA Server 2004.
■ The only way to configure caching for one Web site so that it is different from
other Web sites is to create a cache rule for the Web site. The default cache rule is
applied to all Web sites that are not specified in another cache rule.
■ ISA Server does not cache all content. For example, dynamic content, SSL
encrypted content or content that requires authentication may not be cached. You
can modify how ISA Server caches all of these types of content.
■ You can use ISA Server logging or the Performance MMC to monitor ISA Server
caching. Use these tools to optimize and troubleshoot caching.
■ Content download jobs are used to retrieve Web content in advance. If content
download jobs do not work as expected, check when the job is scheduled to run,
and check the job configuration to ensure that it is downloading and caching the
expected content.
Key Terms
cache rule Defines the types of Web content that are stored in the cache and how Web
content is stored and returned to users from the cache. Rules can be configured to
allow or deny caching from particular sites.
content download jobs Used to retrieve Web content from selected Web sites in
advance to provide faster response for internal clients. Jobs can be configured to
download any content on a flexible schedule.
forward caching Forward caching occurs when a user on the corporate network
makes a request for Web content located on an Internet Web server and the
request is intercepted by ISA Server. ISA Server retrieves the content from the
Internet Web server, stores it in its cache, and returns the content to the user.
reverse caching Reverse caching occurs when users on the Internet request Web
content located on the corporate network. When an Internet user requests content
from the internal server, ISA Server forwards the request to the Web server. ISA
Server will cache a copy of the requested information so that the next request for
the same information can be provided from the ISA Server cache rather than
accessing the internal Web server again.
Questions and Answers
Page
6-11
Lesson 1 Review
1. You have deployed ISA Server 2004 in a large office with a relatively slow Internet
connection. The ISA Server computer is to be used only for caching content. What
can you do to maximize cache response time?
You can allocate as much disk space as possible on the ISA Server computer for caching. You
can also assign a higher percentage of RAM on the server to cache Web contents.
2. You have deployed ISA Server 2004 and configured the server as a Web proxy
server. All internal client computers are configured as Web proxy clients. You have
limited bandwidth to the Internet, so you enable caching on ISA Server, using the
default caching configuration. Many users in your organization, you notice, access
a partner organization’s Web site several times a day. The Web site contains many
large files that are changed every few days; when users download the files, much
of the available bandwidth to the Internet is used. You need to make sure that
users have access to the partner Web site, yet you must limit the amount of bandwidth used to access the Web site as much as possible during working hours.
What should you do?
a. Install the Firewall client on each client computer.
b. Configure caching to cache only small files from the partner Web site.
c. Configure a content download job to download the partner Web site every
night.
d. Configure the ISA Server to cache content with a TTL of one day.
C is correct. To minimize the effect of accessing the partner Web site during working hours, you
must configure a content download job that will download the Web site at night. A is incorrect
because Web proxy client requests are also cached, so installing the Firewall client will not
improve performance. B is incorrect; in fact, this option would decrease Internet performance
because none of the large files would be cached. D is incorrect. It will not improve performance
because the clients still need to access the Web site to download the files every time the files
change.
3. Users in your organization must download files from an FTP site on the Internet
twice a day. Your users report that they frequently download outdated versions of
the file. What is happening and how will you fix it?
By default, when you enable caching on ISA Server, it will cache FTP content for one day. This
means that the users are retrieving the content from the ISA Server cache. You can solve the
problem by reducing the TTL for FTP objects so that content is updated more often or by disabling
FTP caching.
Page
6-29
Lesson 2 Review
1. You have deployed ISA Server 2004 and configured the server as a Web proxy
server. All internal client computers are configured as Firewall clients. You enable
caching on ISA Server, using the default caching configuration. After you enable
caching, users report that they are getting more error messages when they try to
access some Web sites. You investigate and determine that the error messages
appear when a Web site is temporarily unavailable. Users continue to get the error
messages for some time after the Web site is available. You need to ensure that the
users can access the Web sites as soon as they are available on the Internet. How
can you do this?
By default, ISA Server enables negative caching, which means that it will cache error messages
from the Internet and return these responses to clients even after the Web site is available. To
disable this, you must configure ISA Server to not cache objects that do not have a status code
of 200.
2. You have deployed ISA Server and configured the server as a Web proxy server.
After you enable caching, some users report that they get out-of-date information
from a partner Web site. The Web site contains information that changes
frequently, sometimes several times a day. The users say that the information from
the Web site that they see is sometimes more than a day old. You must ensure that
users always get the most recent information from the partner Web site, but you
do not want to affect the caching configuration for other Web sites. What should
you do?
a. Modify the cache settings so that data that has expired for more than 30 minutes
will not be returned to the client.
b. Create a cache rule for this Web site. Configure the cache rule to never cache
content from the Web site.
c. Create a cache rule for this Web site. Configure the cache rule to cache
dynamic content.
d. Create a cache rule that will apply to all Web sites except this Web site. Configure the cache rule to not cache dynamic content.
B is correct. In this case, there is likely a problem with the partner Web site, in that it contains
information that changes frequently yet the data is still being cached. This can happen if the
Web pages do not contain TTL information. To ensure that this data is not cached, configure a
cache rule for this Web site. A is incorrect; this option only configures ISA Server’s response to
expired content when the Internet Web server is not available. C and D will not change the
caching behavior in this scenario.
3. You have configured ISA Server to cache content from a Web site that is updated
regularly. You want to ensure that your users never receive an outdated page from
cache if the Web site is unavailable. You also want them to be informed if the Web
site is unavailable. What settings should you configure?
On the Cache Settings, Advanced tab, under the heading If Website Of Expired Object Cannot Be
Reached, select Do Not Return The Expired Object (Return An Error Page).
Page
6-37
Lesson 3 Review
1. Users need to access a price list that is published at a public Web site. Bandwidth
usage from your office is tightly restricted during business hours. The page is
dynamic content and not normally cacheable material. The site is updated once
every 24 hours. How can you force ISA Server to download and cache dynamic
content and minimize the use of network bandwidth during business hours?
Schedule a Content Download job to retrieve the material from the partner’s site in advance
during non-business hours after it has been updated. It will be available for your users by
configuring the download job to Cache if Content is Dynamic in the properties of the job.
2. You have many branch offices with slow connections to the Internet and no direct
connection to head office. You have implemented ISA Server 2004 as a firewall
solution at all branch offices. You also want to take advantage of the caching ability
of ISA Server to allow branch office ISA Server computers to update content from
the corporate Web site twice a day during business hours. Due to hardware restrictions, you want the branches to cache only content from your corporate Web site.
How would you configure that?
Create a Content Download Job for your corporate Web site. Then create a Cache Rule to cache
content from your corporate Web site. Create another cache rule to block content caching for all
other Web sites. Ensure that the corporate cache rule is listed first.
3. Many users in your organization need access to a partner organization’s Web site,
so you create a content download job for that Web site. Because the content on
the Web site changes daily, you configure the content download job to run every
night. After the first time the content download job runs, you notice that the job
included much more content than you expected. You notice that many Web sites
that are not part of the partner Web site were included in the content download
job. You need to ensure that only content from the partner Web site is included in
the content download job. How can you do this?
a. Configure the content download job to use a maximum depth of links per
page of 1.
b. Configure the content download job to limit the number of objects retrieved
to a low number.
c. Configure the content download job to not follow links outside the partner
organization’s Web site URL.
d. Configure the content download job to cache only the content that is
configured as cacheable.
C is correct. To ensure that only pages from the partner Web site are downloaded, you must configure the job to not download any links outside the Web site URL. A is incorrect because this
option would limit the amount of content downloaded from the partner site, and if a link on the
first page pointed to an outside Web site, that link would still be downloaded. B is incorrect
because this option would limit the amount of content downloaded from the partner site, and
would not prevent pages from an outside Web site from being downloaded. D is incorrect because
most content is configured as downloadable.
Case Scenario Exercises
Page
6-39
Scenario 1 Question
1. You want to increase response times for users at the branch offices and reduce the
costs for the Internet connections. What steps should you take?
Install ISA Server 2004 at each branch office and enable caching. Create caching rules as
required to cache dynamic content from particular sites. Analyze the ISA Server usage reports
to determine which sites are most frequently used and then create Content Download jobs for
those sites to download content overnight to take advantage of lower telephone rates.
Page
6-40
Scenario 2 Question
1. Because you perform unscheduled updates of the data, you must ensure that the
content cannot be cached by your business partners so that they always get the
most up-to-date information. What steps must you take?
Create a cache rule to ensure that nothing is cached for requests for the published Web site
from outside your enterprise.
7 Configuring ISA Server
as a Firewall
Exam Objectives in this Chapter:
■ Configure firewall settings
  ❑ Configure intrusion detection
  ❑ Configure IP options filtering
  ❑ Configure IP fragmentation settings
■ Configure ISA Server 2004 to support a network topology
  ❑ Select appropriate templates
  ❑ Define networks
  ❑ Configure route relationships between networks
■ Create policy rules for Web publishing
  ❑ Configure HTTP filtering for Web publishing
Why This Chapter Matters
For much of its development cycle, Microsoft Internet Security and Acceleration
(ISA) Server 2004 was called Microsoft Firewall Server 2004. This name reflects
one of the primary deployment scenarios for ISA Server 2004. Many organizations
are taking a look at ISA Server as an Internet-edge firewall. Another common scenario is to use another firewall as the Internet-edge firewall and use ISA Server as
a second firewall, chiefly for application filtering.
ISA Server 2004 is a full-featured firewall. ISA Server provides advanced filtering
functionality and intrusion detection. ISA Server supports an unlimited number of
networks, and a user-friendly interface for configuring the access rules that define
what types of network traffic will be allowed between networks. ISA Server also
provides network templates as a means for simplifying the deployment of networks and firewall access rules. But the most powerful feature of using ISA Server
as a firewall is its application-layer filtering. Many of the recent security breaches
and attacks occur at the application layer, so an application-layer firewall is crucial to protecting your network.
7-1
7-2
Chapter 7
Configuring ISA Server as a Firewall
Lessons in this Chapter:
■ Lesson 1: Introduction to ISA Server as a Firewall . . . 7-3
■ Lesson 2: Configuring Multiple Networking on ISA Server . . . 7-12
■ Lesson 3: Implementing Perimeter Networks and Network Templates . . . 7-24
■ Lesson 4: Configuring Intrusion Detection and IP Preferences . . . 7-37
■ Lesson 5: Implementing Application and Web Filtering . . . 7-46
Before You Begin
This chapter presents the skills and concepts related to deploying ISA Server 2004 as a
firewall. If you plan to complete the practices and lab in this chapter, prepare the
following:
■ A Microsoft Windows Server 2003 (Standard Edition or Enterprise Edition) computer
installed as DC1 and configured as a domain controller in the cohovineyard.com
domain.
■ A second Windows Server 2003 computer installed as ISA1 and configured as a
domain member in the cohovineyard.com domain. Three network interfaces
should be installed on this server. The external interface should be connected to
a network that contains one or more Web servers. If possible, the network interface should be attached to the Internet.
■ A Microsoft Windows XP computer installed as CLIENT1. This computer must be
a member of the cohovineyard.com domain. The Windows Server 2003 Resource
Kit tools must be installed on the client computer.
■ To complete the troubleshooting lab at the end of the chapter, MSN Messenger or
Windows Messenger must be installed on CLIENT1 and a user account configured
to use MSN Messenger. The external interface on ISA1 must have access to the
Internet.
Lesson 1
Introduction to ISA Server as a Firewall
7-3
Lesson 1: Introduction to ISA Server as a Firewall
Firewalls are deployed to limit network traffic from one network to another. To distinguish between network traffic that should be allowed and network traffic that should
be blocked, firewalls use packet filters, stateful filters, application filters, and intrusion
detection. This lesson describes this core functionality provided by firewalls and how
this functionality is implemented in ISA Server 2004.
After this lesson, you will be able to
■ Describe packet filtering and the benefits of using packet filtering
■ Describe stateful filtering and the benefits of using stateful filtering
■ Describe application filtering and the benefits of using application filtering
■ Describe intrusion detection and the benefits of using intrusion detection
Estimated lesson time: 30 minutes
What Is Packet Filtering?
A firewall’s primary role is to prevent network traffic from entering an internal network
unless the traffic is explicitly permitted. One way that a firewall ensures this is through
packet filtering. Packet filters control access to the network at the network layer by
inspecting and allowing or denying the Internet Protocol (IP) packets. When the firewall inspects an IP packet, it examines only information in the network and transport
layer headers.
A packet-filtering firewall can evaluate IP packets using the following criteria:
■ Destination address The destination address may be the actual IP address of
the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external
interface of ISA Server in the case of a network address translation (NAT) network
relationship.
■ Source address This is the IP address of the computer that originally transmitted
the packet.
■ IP protocol and protocol number You can configure packet filters for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control
Message Protocol (ICMP), and any other protocol. Each protocol is assigned a
number. For example, TCP is protocol 6, and the Generic Routing Encapsulation
(GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is
protocol 47.
■ Direction This is the direction of the packet through the firewall. In most cases,
the direction can be defined by inbound, outbound, or both. For some protocols,
such as File Transfer Protocol (FTP) or UDP, the directional choices may be Receive
Only, Send Only, or Both.
■ Port numbers A TCP or UDP packet filter defines a local and remote port. The
local and remote ports can be defined by a fixed port number or a dynamic port
number.
Advantages and Disadvantages of Packet Filtering
Packet filtering has advantages and disadvantages. Among its advantages are the
following:
■ Packet filtering must inspect only the network and transport layer headers, so
packet filtering is very fast.
■ Packet filtering can be used to block a particular IP address or to allow a particular
IP address. If you detect an application-level attack from an IP address, you can
block that IP address at the packet-filter level. Or, if you need to enable access to
your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
■ Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks
all access on the external interface of the firewall to packets that have a source IP
address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress
filter prevents packets from leaving your network that have a source IP address
that is not on the internal network.
Disadvantages of packet filtering are the following:
■ Packet filters cannot prevent IP address spoofing or source-routing attacks. An
attacker can substitute the IP address of a trusted host as the source IP address and
the packet filter will not block the packet. Or the attacker can include routing
information in the packet that includes incorrect routing information for return
packets so that the packets are not returned to the actual host, but to the attacker’s
computer.
■ Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a
single IP packet into multiple fragments. Most packet-filtering firewalls check only
the first fragment and assume that the other fragments of the same packet are
acceptable. The additional fragments may contain malicious content.
■ Packet filters are not application-aware. You may be blocking the default Telnet
port (Port 23) on your firewall, but allowing access to the Hypertext Transfer Protocol (HTTP) port (Port 80). If an attacker can configure a Telnet server to run on
Port 80 on your network, the packets would be passed to the server.
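The packet-filter criteria and the ingress/egress checks described above, as an added example that is not part of the training kit and not ISA Server code: a small stateless filter that inspects only header fields, applies the ingress and egress checks first, then walks first-match rules with a default deny. The internal network 192.168.20.0/24, the addresses, the rule names and the rule format are all constructed for the example, and the filter deliberately cannot tell a Telnet server on port 80 from a Web server, which is the limitation the lesson points out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP protocol numbers named in the lesson: TCP is 6, GRE (used by PPTP) is 47.
ICMP, TCP, UDP, GRE = 1, 6, 17, 47


@dataclass(frozen=True)
class Packet:
    """Only the network- and transport-layer header fields a packet filter inspects."""
    src: str
    dst: str
    protocol: int
    direction: str                  # "inbound" arrives on the external interface, "outbound" leaves it
    src_port: Optional[int] = None  # TCP/UDP only
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class PacketFilterRule:
    """One filter entry (hypothetical format); a field left as None matches any value."""
    name: str
    action: str                     # "allow" or "deny"
    direction: Optional[str] = None
    protocol: Optional[int] = None
    src: Optional[str] = None       # CIDR network
    dst: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in (None, pkt.direction)
            and self.protocol in (None, pkt.protocol)
            and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
            and self.dst_port in (None, pkt.dst_port)
        )


class PacketFilter:
    """Stateless filter: ingress/egress checks first, then first-match rules, then default deny."""

    def __init__(self, internal_networks: List[str], rules: List[PacketFilterRule]):
        self.internal = [ip_network(n) for n in internal_networks]
        self.rules = list(rules)

    def _is_internal(self, addr: str) -> bool:
        return any(ip_address(addr) in net for net in self.internal)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet; the reason names the check that decided."""
        # Ingress filter: a packet on the external interface must not claim an internal source.
        if pkt.direction == "inbound" and self._is_internal(pkt.src):
            return "deny", "ingress filter"
        # Egress filter: a packet leaving the network must carry an internal source address.
        if pkt.direction == "outbound" and not self._is_internal(pkt.src):
            return "deny", "egress filter"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        # Traffic that is not explicitly permitted is blocked.
        return "deny", "default deny"


def build_example_filter() -> PacketFilter:
    """Constructed policy: internal network 192.168.20.0/24, a Web server at 192.168.20.5,
    and one external host (203.0.113.7) allowed to send GRE (protocol 47) for PPTP."""
    return PacketFilter(
        internal_networks=["192.168.20.0/24"],
        rules=[
            PacketFilterRule("telnet-deny", "deny", protocol=TCP, dst_port=23),
            PacketFilterRule("web-in", "allow", direction="inbound", protocol=TCP,
                             dst="192.168.20.5/32", dst_port=80),
            PacketFilterRule("pptp-gre", "allow", direction="inbound", protocol=GRE,
                             src="203.0.113.7/32"),
            PacketFilterRule("out-any", "allow", direction="outbound"),
        ],
    )
```

Note that the inbound packet to port 80 is allowed whether the process listening there is a Web server or a Telnet server; only application filtering (later in this chapter) can tell them apart.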
ISA Server 2004 and Packet Filtering
ISA Server 2004 does not have an option for directly configuring packet filtering. However, ISA Server does operate as a packet-filtering firewall, inspecting traffic at the network
and transport layers. For example, if you define a firewall access rule that enables all
protocol traffic from an IP address on one network to an IP address on another network, ISA Server uses a packet filter to allow that traffic. Or, if you configure a firewall
access rule that denies the use of the default Telnet port (TCP Port 23), ISA Server will
use a packet filter to block that port. ISA Server also enables ingress and egress filtering
by default. ISA Server 2000 supports direct configuration of packet filters. If you
upgrade to ISA Server 2004 from ISA Server 2000, the packet filter definitions are
replaced by access rules.
Exam Tip
You may get an exam question that states a company requirement to block all
connection attempts from a specific host, or to allow a specific protocol from a particular
host. Remember that, with ISA Server 2004, you can only configure this type of access using
an access rule.
What Is Stateful Filtering?
When a firewall uses stateful filtering, the firewall examines not only the packet header
information, but the status of the packet as well. For example, the firewall can inspect
a packet at its external interface and determine whether the packet is a response to a
request from the internal network. This check can be performed at both the transport
and the application layers.
Stateful filtering uses information about the TCP session to determine whether a packet
should be blocked or allowed through the firewall. TCP sessions are established using
the TCP three-way handshake, the purpose of which is to synchronize the sequence
number and acknowledgment numbers and to exchange other information defining
how the two hosts will exchange packets. The following steps outline the process:
1. The initiator of the TCP session, typically a client, sends a TCP segment to the
server. The client sends its sequence number and requests that the server provide its sequence number (by setting the SYN bit to 1).
2. The responder of the TCP session, typically a server, sends back a TCP segment
containing its initial sequence number and an acknowledgment (ACK) of the client’s sequence number. The server sets both the SYN bit and ACK bit to 1. The
ACK bit indicates that the server has received the client’s sequence number.
3. The initiator sends the server a TCP segment containing an acknowledgment of
the server’s sequence number. Once the client and server have agreed on the
sequence numbers, they will use the sequence numbers to track all packets. TCP
uses the information to recover from errors, such as packets arriving out of order
or packets not arriving.
TCP uses a similar handshake process to end a connection. This guarantees that both
hosts have finished transmitting and that all data was received.
A firewall uses this TCP information to perform stateful filtering. When a client on the
internal network sends the first packet in the three-way handshake, the firewall forwards
the packet and records that the packet has been sent. When the response comes back
from the server, the firewall accepts the packet because it is in response to an internal
request. If a packet arrives with only the SYN bit set, or with the SYN and ACK bits set,
and the firewall does not have a record of a client request, the firewall blocks the
packet.
The firewall can also use other characteristics of the TCP session to control traffic. For
example, when the client initiates the session, the firewall can set a timer and keep the
session open only as long as specified by the timer. The firewall can also analyze application-level data to perform stateful filtering. For example, when a client sends a GET
command for a specific Uniform Resource Locator (URL) on a Web server, the firewall
can track the request and allow a response. An HTTP packet that arrives without a corresponding client request is dropped.
Advantages and Disadvantages of Stateful Filtering
Using stateful filtering has several advantages. For example, stateful filtering ensures
that all network traffic forwarded by the firewall is part of an existing session, or
matches the rules for creating a new session. In addition, stateful filtering implements
dynamic packet filtering, which ensures that specific ports are available only when a
valid session exists. For example, if the Web Proxy filter requests that a Web server
respond on Port 1159, ISA Server will listen on Port 1159 for only as long as the connection exists.
However, stateful filtering still does not provide enough protection against the threats
to network security. Many of the newest attacks occur at the application level. For
example, a client computer may download malicious code in an HTTP packet that is
part of a legitimate session. Only application-layer stateful inspection can block these
types of attacks.
Lesson 1
Introduction to ISA Server as a Firewall
ISA Server Connection Rules
ISA Server uses connection rules to keep track of sessions. Whenever a packet arrives
at the server, ISA Server attempts to associate the packet with a connection rule, based
on the protocol, source, and destination. A connection rule has the following attributes:
■
Protocol number
■
Source (IP address and port/endpoint)
■
Destination (IP address and port/endpoint)
■
Source address translation (used for NAT connections)
■
Destination address translation (used for NAT connections)
■
Statistics (number of bytes transferred, last access time)
■
Misc. (checksum delta, used when doing address translation)
If the packet matches a connection rule, the packet is forwarded. If the packet does not
match a connection rule, ISA Server checks the firewall access rules to determine whether a
new connection rule can be created. If no access rule blocks the creation of the
connection rule, ISA Server creates the connection and forwards the packet. If an access rule blocks the creation of the connection rule, the packet is dropped.
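The handshake tracking described under stateful filtering and the connection-rule lookup just described fit together in one small model. The following Python is an added example, not ISA Server code: a connection table keyed by the two endpoints records an outbound SYN only after a toy access policy allows it, accepts a SYN/ACK only as the answer to a recorded request, forwards later segments that belong to an existing entry, tears the entry down on RST or after both FINs, and expires idle entries on a timer. The allowed-port policy, the 60-second idle timeout and the packet trace are all constructed for this example.

```python
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    flags: int      # TCP flag bits (SYN, ACK, FIN, RST)
    inbound: bool   # True when the packet arrives on the external interface
    time: float     # arrival time in seconds


class StatefulFilter:
    """Connection table keyed by (initiator endpoint, responder endpoint)."""

    def __init__(self, allowed_outbound_ports, idle_timeout=60.0):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.idle_timeout = idle_timeout
        self.table = {}  # (initiator, responder) -> {"state", "last", "fins"}

    def _expire(self, now):
        stale = [k for k, v in self.table.items() if now - v["last"] > self.idle_timeout]
        for key in stale:
            del self.table[key]

    def _access_rule_allows(self, pkt):
        # Toy access policy (an assumption of this example): internal hosts may open
        # connections to the listed destination ports; nothing may be opened from outside.
        dport = int(pkt.dst.rsplit(":", 1)[1])
        return not pkt.inbound and dport in self.allowed_outbound_ports

    def process(self, pkt):
        """Return 'forward' or 'drop' and update the connection table."""
        self._expire(pkt.time)
        as_initiator = (pkt.src, pkt.dst)   # packet flows initiator -> responder
        as_responder = (pkt.dst, pkt.src)   # packet flows responder -> initiator

        if pkt.flags & SYN and not pkt.flags & ACK:
            entry = self.table.get(as_initiator)
            if entry is not None:                      # retransmitted SYN of a pending request
                return "forward" if entry["state"] == "SYN_SENT" else "drop"
            if not self._access_rule_allows(pkt):      # new request: consult the access rules
                return "drop"
            self.table[as_initiator] = {"state": "SYN_SENT", "last": pkt.time, "fins": 0}
            return "forward"

        if pkt.flags & SYN and pkt.flags & ACK:
            entry = self.table.get(as_responder)       # valid only as the answer to a recorded SYN
            if entry is None or entry["state"] != "SYN_SENT":
                return "drop"
            entry.update(state="SYN_RECEIVED", last=pkt.time)
            return "forward"

        key = as_initiator if as_initiator in self.table else as_responder
        entry = self.table.get(key)
        if entry is None:
            return "drop"                              # no connection this packet belongs to
        if pkt.flags & RST:
            del self.table[key]                        # abortive close tears the entry down
            return "forward"
        if entry["state"] == "SYN_RECEIVED" and key == as_initiator and pkt.flags & ACK:
            entry["state"] = "ESTABLISHED"             # third segment of the handshake
        if pkt.flags & FIN:
            entry["fins"] += 1
        if entry["fins"] >= 2 and pkt.flags & ACK and not pkt.flags & FIN:
            del self.table[key]                        # both sides finished; final ACK closes it
            return "forward"
        entry["last"] = pkt.time
        return "forward"


def run_scenario():
    """Constructed packet trace (sample input) that exercises each decision above."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443}, idle_timeout=60.0)
    client, web = "10.0.0.5:1025", "203.0.113.10:80"
    trace = [
        Packet(client, web, SYN, False, 0.0),                         # client opens HTTP
        Packet(web, client, SYN | ACK, True, 0.1),                    # legitimate SYN/ACK
        Packet(client, web, ACK, False, 0.2),                         # handshake completes
        Packet("198.51.100.7:80", client, SYN | ACK, True, 0.3),      # unsolicited SYN/ACK
        Packet("198.51.100.7:4444", "10.0.0.5:445", SYN, True, 0.4),  # inbound SYN, no rule
        Packet(client, "203.0.113.10:23", SYN, False, 0.5),           # telnet not permitted
        Packet(web, client, ACK, True, 1.0),                          # data on the open session
        Packet(web, client, ACK, True, 100.0),                        # arrives after the idle timeout
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_scenario())
```

The unsolicited SYN/ACK and the inbound SYN are both dropped, but for different reasons: the first has no recorded request to answer, the second is a new request that no access rule permits. The last packet is dropped because the entry it would have matched was removed by the idle timer.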
See Also
You can use the Firewall Kernel Mode Tool to monitor the current connections on the ISA Server computer, and to view the connection creation objects that define what new connections can be created. You can download the Firewall Kernel Mode Tool from http://www.microsoft.com/isaserver/downloads/2004.asp.
What Is Application-Layer Filtering?
Application-layer filtering enables the firewall to inspect the application data in a TCP/
IP packet for unacceptable commands and data. For example, a Simple Mail Transfer
Protocol (SMTP) filter intercepts network traffic on Port 25 and inspects it to make sure
the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls
that are capable of application-layer filtering can stop dangerous code at the edge of
the network before it can do any damage.
Note
Application filters are described in more detail in the last section of this chapter.
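As an added example of the SMTP command checking just described (Python written for this page, not ISA Server's filter), the following class inspects each client-to-server line on port 25 before it reaches the mail server. The permitted command list, the per-command length limits and the denied commands are an assumed policy for the demo, not ISA Server's shipped defaults. The one subtlety worth showing is state: between DATA and the terminating "." line, lines are message content and must not be judged as commands, otherwise a word like VRFY in a message body would be blocked.

```python
import re

# Example policy (an assumption for this demo, not ISA Server's shipped list):
# permitted SMTP commands and the maximum length of a line carrying each.
ALLOWED_COMMANDS = {
    "HELO": 80, "EHLO": 80, "MAIL": 266, "RCPT": 266, "DATA": 6,
    "RSET": 6, "NOOP": 6, "QUIT": 6, "AUTH": 1024, "STARTTLS": 10,
}
# Commands that enumerate accounts or trigger relaying: refused even when well-formed.
DENIED_COMMANDS = {"VRFY", "EXPN", "TURN", "ETRN"}
COMMAND_RE = re.compile(r"^([A-Za-z]{4,8})(?:\s|$)")


class SmtpCommandFilter:
    """Inspects client-to-server lines on port 25 before they reach the mail server."""

    def __init__(self):
        self.in_data = False   # between DATA and the terminating "." lines are message content

    def inspect(self, line: str):
        """Return ('forward' | 'block', reason) for one line, without its CRLF."""
        if self.in_data:
            if line == ".":
                self.in_data = False
            return "forward", "message content"
        m = COMMAND_RE.match(line)
        if m is None:
            return "block", "malformed command line"
        verb = m.group(1).upper()
        if verb in DENIED_COMMANDS:
            return "block", f"{verb} is not permitted"
        limit = ALLOWED_COMMANDS.get(verb)
        if limit is None:
            return "block", f"unknown command {verb}"
        if len(line) > limit:
            return "block", f"{verb} line exceeds {limit} bytes"
        if verb == "DATA":
            self.in_data = True
        return "forward", "ok"


def run_session():
    """Constructed client lines (sample input); the server's replies are not inspected."""
    fw = SmtpCommandFilter()
    lines = [
        "EHLO mail.example.com",
        "MAIL FROM:<[email protected]>",
        "RCPT TO:<[email protected]>",
        "VRFY postmaster",                                  # account enumeration: blocked
        "MAIL FROM:<" + "a" * 300 + "@example.com>",        # oversized argument: blocked
        "XEXCH50 2 2",                                      # not on the permitted list: blocked
        "DATA",
        "Subject: status",
        "VRFY appears in the body and is just text",        # content, not a command
        ".",
        "QUIT",
    ]
    return [fw.inspect(line)[0] for line in lines]


if __name__ == "__main__":
    print(run_session())
```

A production filter would drop the connection on the first blocked command rather than continue; the demo returns every decision so the whole session can be inspected at once.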
Advantages and Disadvantages of Application-Layer Filtering
Application-layer filtering can be used to stop attacks from sources such as viruses and
worms. To the packet-filtering firewall, most worms look like legitimate network traffic. The headers of the packets are identical in format to those of legitimate traffic. It is
the payload that is malicious; only when all the packets are put together can the worm
be identified as malicious code, so these exploits often travel straight through to the
private network because the firewall allowed what appeared to be legitimate application data.
Real World Why Use an Application Filtering Firewall?
An application-layer firewall has become critical in securing a network from
attack. For years, companies deployed firewalls that provide packet filtering and
stateful filtering. Many excellent firewalls that provide this level of filtering are
available. The problem is that these firewalls are so good that attackers no longer
bother to attack the firewall at the network layer, but at the application layer,
where many of the most serious security breaches have occurred.
Attacks at the application layer use legitimate application-level protocols and
ports. To a firewall that performs only packet and stateful filtering, the network
packets appear to be normal application data. For example, an SMTP message
that contains a virus is just an SMTP message with an attachment. Or the Web
page that downloads a worm to your computer is just a series of HTTP packets.
The problem is not evident until the application client or server removes the network layer information and starts processing the application data.
Most organizations that I work with realize the need for an application-layer filter
for e-mail and have deployed advanced SMTP filtering servers that can examine
the contents of every e-mail message and block messages based on message contents or attachments. These organizations have become increasingly aware of the
need for the same level of filtering for HTTP packets. HTTP has become the protocol of choice for many applications. HTTP traffic is allowed through virtually
every firewall and every user’s computer already has the HTTP client software
installed. This makes using HTTP very attractive to an attacker. An important step
in securing your network from these types of attacks is to ensure that the Web
browsers installed on your client computers are fully patched and configured for
optimal security. The second way to secure your network against this type of
attack is to implement a firewall that can examine each HTTP packet and block
the packet based on the application data. ISA Server 2004 is one of the best application-layer firewalls available today.
But the advantages of application-layer filtering transcend the prevention of attacks. It
can also be used to protect your network and systems from the harmful actions often
taken by unaware employees. For example, you can configure filters that prevent
potentially harmful programs from being downloaded through the Internet, or ensure
that critical customer data does not leave the network in an e-mail.
Application-layer filtering can also be used to more broadly limit employee actions on
the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer file-exchange services. These types of services can consume substantial network resources
and raise legal liability concerns for your organization.
The most significant disadvantage of application-filtering firewalls is performance.
Because an application-layer filtering firewall examines the actual payload of each
packet, application-layer filtering is usually slower than packet or stateful filtering.
What Is Intrusion Detection?
Intrusion detection is a means of detecting when an attack against a network is
attempted or in progress. If you detect an intrusion attempt early enough, you may be
able to prevent a successful intrusion. If an intrusion does occur, you must be alerted
as soon as possible to reduce the potential impact of the intrusion and to eliminate the
vulnerability in your network security.
An intrusion-detection system (IDS) that is located at the edge of a network inspects all
traffic in and out of the network and identifies patterns that may indicate a network or
system attack. An IDS is usually configured with information about a wide variety of
known attacks, then monitors the network traffic for signatures indicating that a known
attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic.
A complete IDS includes several layers. One device may be located at the network
perimeter and monitor all traffic entering and leaving the network. Additional devices
may be deployed on the internal networks, or on routers connecting networks. A final
layer of protection is provided by host-based systems in which an IDS is configured on
individual computers. The most sophisticated IDS can collect information from all the
layers and correlate data to make the most accurate intrusion-detection decisions.
Intrusion-detection systems also provide options for configuring alerts or responses to
intrusion attempts. At the very least, an IDS should alert an administrator when an
attack is detected. More sophisticated IDSs provide additional responses to attacks,
including shutting down or limiting the functionality of the systems under attack.
Although both an IDS and a firewall relate to network security, they play different roles.
A firewall enforces a policy that limits access between networks in order to prevent
intrusions, but by itself it does not signal that an attack is under way, and it does not see
attacks that originate inside the network. An IDS evaluates a suspected intrusion as it occurs and raises an alarm.
ISA Server and Intrusion Detection
ISA Server includes intrusion-detection functionality that monitors for several well-known attacks. ISA Server detects intrusions at two different network layers.
First, ISA Server detects intrusions at the network layer. This enables ISA Server to
detect attacks that exploit weaknesses inherent in the IP layer. Second, ISA Server uses application filters to detect intrusions at the application layer. You can use third-party application filters to add more intrusion detection, or create your own application filters using
the filter application programming interfaces (APIs) defined in the ISA Server software
development kit (SDK).
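The two detection styles described above, a signature for a known attack and a threshold that flags deviation from normal traffic, are easiest to see side by side in code. The following Python is an added example, not ISA Server's intrusion-detection code, and the two checks it implements are illustrative network-layer checks chosen for the demo, not ISA Server's own list: a SYN whose source address and port equal its destination (the classic "LAND" signature) and a port-scan heuristic that fires when one source probes at least ten distinct ports on one host within a five-second sliding window. The threshold, window and packet trace are constructed for this example.

```python
from collections import defaultdict, deque

SYN = 0x02


class NetworkLayerIds:
    """Per-packet signature check plus a sliding-window port-scan heuristic."""

    def __init__(self, scan_threshold=10, window_seconds=5.0):
        self.scan_threshold = scan_threshold   # distinct ports that count as a scan (assumed)
        self.window = window_seconds           # sliding window in seconds (assumed)
        self.recent = defaultdict(deque)       # (src_ip, dst_ip) -> deque of (time, dst_port)
        self.reported = set()                  # pairs already alerted on, to avoid a flood

    def observe(self, t, src_ip, dst_ip, src_port, dst_port, flags):
        """Return the list of alert strings this packet raises (usually empty)."""
        alerts = []
        # Signature: a SYN addressed from a host to itself, which some older TCP
        # stacks answered by looping or crashing.
        if flags & SYN and src_ip == dst_ip and src_port == dst_port:
            alerts.append(f"LAND attack: SYN from {src_ip}:{src_port} to itself")
        # Anomaly: count distinct destination ports per (source, target) in the window.
        if flags & SYN:
            key = (src_ip, dst_ip)
            window = self.recent[key]
            window.append((t, dst_port))
            while window and t - window[0][0] > self.window:
                window.popleft()
            ports = {port for _, port in window}
            if len(ports) >= self.scan_threshold and key not in self.reported:
                self.reported.add(key)
                alerts.append(f"port scan: {src_ip} probed {len(ports)} ports on {dst_ip} "
                              f"within {self.window:g}s")
        return alerts


def run_trace():
    """Constructed SYN trace (sample input): normal browsing, a fast sweep, LAND, a slow probe."""
    ids = NetworkLayerIds(scan_threshold=10, window_seconds=5.0)
    trace = []
    # One client alternating between two Web ports, one connection per second.
    trace += [(float(i), "10.10.0.5", "203.0.113.10", 1025 + i, 80 if i % 2 else 443, SYN)
              for i in range(6)]
    # A scanner sweeping ports 20..35 on the external interface within two seconds.
    trace += [(10.0 + i * 0.1, "198.51.100.7", "203.0.113.1", 40000 + i, 20 + i, SYN)
              for i in range(16)]
    # A LAND packet aimed at the external interface.
    trace.append((20.0, "203.0.113.1", "203.0.113.1", 139, 139, SYN))
    # A slow probe: twelve ports, but ten seconds apart, so it never fills the window.
    trace += [(30.0 + i * 10, "192.0.2.9", "203.0.113.1", 50000 + i, 100 + i, SYN)
              for i in range(12)]
    alerts = []
    for pkt in trace:
        alerts.extend(ids.observe(*pkt))
    return alerts


if __name__ == "__main__":
    for alert in run_trace():
        print(alert)
```

The slow probe is the instructive case: a pure threshold misses it, which is why the text recommends correlating data from several layers and sensors rather than relying on one edge device.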
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You are the ISA Server administrator of your organization. You have deployed ISA
Server 2004 as the firewall and configured it so that the users have unrestricted
access to the Internet. You suspect that some of your users have installed a peer-to-peer file sharing application, which is not an approved application. The application uses a custom protocol and port number to communicate with other computers. You need to ensure that traffic from that application is not allowed into
your network from the Internet. What is the easiest way for you to accomplish
this?
a. Create a packet filter to block the port used by the application.
b. Do nothing. The traffic is blocked by default.
c. Configure an application filter to block the traffic.
d. Create an access rule to block the port used by the application.
2. How does application filtering protect the internal network?
a. By blocking IP fragments
b. By inspecting the data in a packet for unacceptable commands and data
c. By blocking connections to particular ports
d. By allowing or disallowing traffic based on connection rules
3. What feature of ISA Server prevents IP addresses that logically appear on the
Internal network from entering your network through the external interface?
a. Egress filtering
b. Ingress filtering
c. Application-layer filtering
d. Stateful filtering
Lesson Summary
■
Firewalls are used to limit network traffic from one network to another. Firewalls
use packet filters, stateful filters, application filters, and intrusion detection to distinguish network traffic that should be allowed from network traffic that should be
blocked.
■
Packet filters control access to the network by inspecting the packet network and
transport layer information and allowing or denying the IP packets based on that
inspection.
■
Stateful filtering examines not only the packet header information but also the
state of the session to which the packet belongs. This check can be performed at both the transport
and application layers.
■
Application filtering enables the firewall to inspect the application data in a TCP/
IP packet for unacceptable commands and data. Application-layer filtering can be
used to stop attacks from sources such as viruses and worms.
■
An intrusion-detection system is located at the edge of a network or at different
points in the network. It inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack.
Lesson 2: Configuring Multiple Networking on ISA Server
The role of a firewall is to block all traffic from flowing from one network to another
unless that traffic is explicitly permitted. To understand how ISA Server works as a firewall, you first need to know how ISA Server implements networks.
After this lesson, you will be able to
■ Describe multinetworking
■ Describe the default networks configured in ISA Server 2004
■ Create and modify network objects
■ Configure network rules
Estimated lesson time: 25 minutes
ISA Server Support for Multiple Networks
ISA Server 2004 uses networks to define blocks of IP addresses that may be directly
attached to the ISA Server computer or IP addresses that may be remote networks. ISA
Server uses these networks as components when you create access rules. ISA Server
supports an unlimited number of networks.
Note ISA Server 2000 supports only three networks: the Internal network, the External network, and a perimeter network (also known as a demilitarized zone, or DMZ, or a screened
subnet). One of the significant enhancements in ISA Server 2004 is that it supports an unlimited number of networks.
What Is Multinetworking?
Multinetworking means that you can configure multiple networks on ISA Server, and
then configure network and access rules that inspect and filter all network traffic
between all networks. Multinetworking enables flexible options for network configuration. One common network configuration is a three-legged firewall, as shown in
Figure 7-1.
Figure 7-1 A three-legged firewall configuration. The ISA Server computer sits between three networks: the Internet, a Perimeter Network, and an Internal Network. Servers shown in the figure: a Web server, a file server, and an e-mail server.
In this configuration, you create three networks:
■
The servers that are accessible from the Internet are usually isolated on their own
network, such as a perimeter network.
■
The internal client computers and servers that are not accessible from the Internet
are located on an internal network.
■
The third network is the Internet.
ISA Server multinetworking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how
external clients access the perimeter network. You can also define access rules for all
network traffic flowing from the Internal network to the Internet. You can also configure the relationships between the various networks, defining different network rules
between each network.
Note
The client’s membership in a network is automatically assigned. In the case of local
area network (LAN)–connected clients, a computer becomes a network member based on the
computer’s IP address; in the case of virtual private network (VPN) clients, a computer
becomes a network member based on its connection method.
You might also need to configure a more complicated network environment such as
the one shown in Figure 7-2. In this scenario, you could have the following:
■
Two perimeter networks: Perhaps you are deploying some servers that are
domain members and other servers that are stand-alone servers. The domain
members need to be able to communicate with domain controllers that are located
on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain.
■
Two internal networks: You might have a group of client computers that needs
to access the Internet using a different application or with security rules different
from the other client computers. You can create an additional internal network
and configure specific Internet access rules for each network.
■
VPN client and VPN remote-site networks: ISA Server defines a network for
VPN clients, and you can define a network for each remote site connected with a
site-to-site VPN connection.
Figure 7-2 ISA Server 2004 supports an unlimited number of networks. Networks shown in the figure: Perimeter Network, Authenticated Perimeter Network, Internal Network, Custom Clients Network, VPN Clients Network, and Branch Office Network (site-to-site VPN). Servers shown: a Web server, an e-mail front-end server, a file server, and an e-mail server.
Because ISA Server supports per-network policies, you can configure unique access
rules for each of these networks.
Planning
ISA Server does not support separate networks, and therefore separate access rules, for IP subnets that are not attached to their own network adapter on the ISA Server computer. Organizations often have multiple IP subnets on the internal corporate network; for example, you may have one internal subnet such as 10.10.0.0/16 and another such as 192.168.1.0/24. If both subnets are reached through the same network interface on the ISA Server computer (for example, an internal interface with the IP address 192.168.1.1), both address ranges must be defined in the Internal network properties.
Default Networks Enabled in ISA Server
When you install ISA Server 2004 on a server with at least two network cards, it is configured in advance with a default set of networks. Table 7-1 lists the default networks.
Table 7-1 ISA Server Default Networks

Local Host: This network represents the ISA Server computer. Use this network to control all traffic to and from ISA Server rather than traffic that flows through ISA Server. The Local Host network cannot be modified. In most cases, you will use the system policy to define what network traffic will flow to and from the ISA Server computer, but you can also create access rules that use the Local Host network.

External: This network includes all computers (IP addresses) that are not explicitly associated with any other network. The External network is generally considered an untrusted network and represents all hosts on the Internet. The default External network cannot be modified.

Internal: This network includes all computers (IP addresses) that were specified as internal during the installation process.

VPN Clients: This network contains the addresses of currently connected VPN clients. The range of possible addresses is configured when you configure the VPN properties.

Quarantined VPN Clients: This network contains the addresses of VPN clients that have not cleared quarantine.
Note A network set rule element represents a grouping of one or more networks. You can
use this rule element to apply rules to more than one network. By default, ISA Server includes
two network sets: All Networks, which includes all the networks attached to ISA Server, and
All Protected Networks, which includes all networks except the External network. You can also
create network sets that include any combination of networks on the server.
How to Create and Modify Network Objects
For a small organization with a fairly simple network, the default network objects may
provide all the configuration options required. However, in a larger organization with
a more complex network environment and more complicated requirements, you may
need to create and modify the network objects.
To create a new network object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and click Networks.
2. In the Details pane, click the Networks tab.
3. On the Tasks tab, click Create a New Network.
4. On the Welcome to the New Network Wizard page, in the Network Name: box,
type the name for the network. Click Next.
5. On the Network Type page, as shown in Figure 7-3, select the type of network
you are creating. Select one of the following options:
❑
External Network
❑
Internal Network
❑
Perimeter Network
❑
VPN Site-To-Site Network
Figure 7-3 Choosing a network type for a new network
See Also
Configuring VPN site-to-site networks will be discussed in detail in Chapter 10,
“Configuring Virtual Private Networks for Remote Clients and Networks.”
6. After selecting the network type, click Next.
7. If you selected an internal, perimeter, or external network type, on the Network
Addresses page, click Add.
8. In the IP Address Range Properties page, type the starting and ending addresses,
and then click OK.
9. On the Completing The New Network Wizard page, review the settings and then
click Finish.
To modify a network, click the network in ISA Server Management Console and then
click Edit Selected Network.
How to Configure Network Rules
After you define networks and other network objects on ISA Server, you configure network rules that define how network packets will be passed between networks or
between computers. Network rules determine whether there is a relationship between
two network entities and what type of relationship is defined. Network relationships
can be configured as follows:
■
Route: When you specify this type of connection, client requests from the source
network are routed directly to the destination network. The source client address
is included in the request. A route relationship is bidirectional. That is, if a route
relationship is defined from network A to network B, a route relationship also
exists from network B to network A.
■
Network Address Translation (NAT): When you specify this type of connection, ISA Server replaces the IP address of the client on the source network with
its own IP address. A NAT relationship is unidirectional. It indicates that the addresses
from the source network are always translated when passing through ISA Server.
For example, by default a NAT relationship is defined from the Internal network to the External network (the Internet). When a client makes a request on the Internet, the
IP address of the internal client computer is replaced by the address of the external interface on the ISA
Server computer before the request is passed to the server on the Internet. When the reply from the Internet is returned to the client computer, the
address of the Internet server is not translated. Client computers on the internal network
see the actual addresses of computers on the Internet, but computers on
the Internet cannot see the internal IP addresses.
Planning If you are using private IP addresses on any network that is protected by ISA
Server, you must define a NAT relationship between that network and the Internet, because
private IP addresses are not routable on the Internet. In this configuration, only
the IP address assigned to the external network adapter on the ISA Server computer is reachable from the Internet, so all other addresses must be translated.
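The NAT relationship described above, together with the checksum delta that Lesson 1 lists among the attributes of a connection rule, can be shown concretely. The following Python is an added example, not ISA Server code: it builds a 40-byte IPv4/TCP SYN as constructed sample input, rewrites the source address and port to the firewall's external address the way a source NAT does, and fixes the IP and TCP checksums incrementally from the delta between old and new bytes (RFC 1624) instead of re-summing the packet, then verifies the result by full recomputation. The reverse path shows the unidirectional property: a reply is translated back only when an outbound mapping exists, and an inbound packet with no mapping is dropped. The external address 203.0.113.1 and the translated-port range starting at 1025 are assumptions of the demo.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data, with carries folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return ~ones_complement_sum(data) & 0xFFFF

def checksum_delta(old: bytes, new: bytes) -> int:
    """Value to add to a sum when `old` bytes become `new`: in one's complement,
    subtracting old is adding its complement (RFC 1624, equation 3)."""
    return ones_complement_sum(new) + (~ones_complement_sum(old) & 0xFFFF)

def apply_delta(old_checksum: int, delta: int) -> int:
    """HC' = ~(~HC + ~m + m'), folding carries, without re-summing the packet."""
    total = (~old_checksum & 0xFFFF) + delta
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed 40-byte IPv4 + TCP SYN with valid checksums (sample input)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def checksums_valid(pkt: bytes) -> bool:
    """Full recomputation, used only to verify the incremental update."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

def rewrite_endpoint(pkt: bytes, which: str, new_ip: str, new_port: int) -> bytes:
    """Rewrite the source ("src") or destination ("dst") ip:port and patch both checksums."""
    ip_off, port_off = (12, 20) if which == "src" else (16, 22)
    old_ip, old_port = pkt[ip_off:ip_off + 4], pkt[port_off:port_off + 2]
    new_ip_b, new_port_b = socket.inet_aton(new_ip), struct.pack("!H", new_port)
    ip_csum = apply_delta(struct.unpack("!H", pkt[10:12])[0], checksum_delta(old_ip, new_ip_b))
    # The TCP checksum covers the pseudo-header addresses and the port, so both deltas apply.
    tcp_csum = apply_delta(struct.unpack("!H", pkt[36:38])[0],
                           checksum_delta(old_ip + old_port, new_ip_b + new_port_b))
    out = bytearray(pkt)
    out[ip_off:ip_off + 4], out[port_off:port_off + 2] = new_ip_b, new_port_b
    out[10:12], out[36:38] = struct.pack("!H", ip_csum), struct.pack("!H", tcp_csum)
    return bytes(out)

class NatRelationship:
    """Unidirectional NAT, like the default Internal -> External network rule:
    outbound sources are translated; inbound packets need an existing mapping."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.next_port = 1025    # assumed starting port for translated connections
        self.outbound_map = {}   # (src_ip, sport, dst_ip, dport) -> external port
        self.inbound_map = {}    # (remote_ip, remote_port, external port) -> (src_ip, sport)

    def outbound(self, pkt: bytes) -> bytes:
        src_ip, dst_ip = pkt[12:16], pkt[16:20]
        sport, dport = struct.unpack("!HH", pkt[20:24])
        key = (src_ip, sport, dst_ip, dport)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[(dst_ip, dport, self.next_port)] = (src_ip, sport)
            self.next_port += 1
        return rewrite_endpoint(pkt, "src", self.external_ip, self.outbound_map[key])

    def inbound(self, pkt: bytes):
        remote_ip = pkt[12:16]
        remote_port, ext_port = struct.unpack("!HH", pkt[20:24])
        target = self.inbound_map.get((remote_ip, remote_port, ext_port))
        if target is None:
            return None   # no inside host asked for this, so the Internet cannot reach in
        return rewrite_endpoint(pkt, "dst", socket.inet_ntoa(target[0]), target[1])

def demo():
    """One outbound request, the matching reply, and a stray inbound packet (constructed)."""
    nat = NatRelationship("203.0.113.1")
    translated = nat.outbound(build_packet("10.10.0.25", "198.51.100.80", 3200, 80))
    delivered = nat.inbound(build_packet("198.51.100.80", "203.0.113.1", 80, 1025))
    stray = nat.inbound(build_packet("198.51.100.99", "203.0.113.1", 80, 1025))
    return translated, delivered, stray
```

The stray packet carries the right external port but comes from a host no internal client contacted, so the lookup fails and it is dropped; that is the "directional" property in practice. Storing the delta per connection, as the connection-rule attribute list suggests, avoids re-summing 20 to 1500 bytes on every packet of an established flow.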
When no relationship is configured between networks, ISA Server drops all traffic
between the two networks.
Default Network Rules
When you install ISA Server 2004, the default network rules listed in Table 7-2 are
created.
Table 7-2 ISA Server Default Network Rules

Local Host Access: This rule defines a route relationship between the Local Host network and all other networks.

VPN Clients to Internal Network: This rule defines a route relationship between the Internal network and the VPN Clients and Quarantined VPN Clients networks.

Internet Access: This rule defines a NAT relationship from the Internal, VPN Clients, and Quarantined VPN Clients networks to the External network.
How Network Rules and Access Rules Are Applied
ISA Server uses both network rules and access rules to determine whether a client
request is passed from one network to another. Together, the network rules and access
rules comprise the firewall policy. The firewall policy is applied in the following way:
1. A user using a client computer sends a request for a resource located on another
network. For example, a client on the Internal network sends a request to a server
located on the Internet.
2. ISA Server checks the network rules to verify that the two networks are connected.
If no network relationship is defined between the two networks, the request is
refused.
3. If a network rule defines a connection between the source and destination networks, ISA Server next processes the access rules. The rules are evaluated in the order
of priority listed in the ISA Server Management Console interface, and the first rule
that matches the request determines the outcome: if it is an allow rule, the request is
forwarded without checking any further access rules; if it is a deny rule, the request is
refused. If no access rule matches the request, the final default access rule
is applied, which denies all access.
4. If the request is allowed by an access rule, ISA Server checks the network rules
again to determine how the networks are connected. ISA Server checks the Web
chaining rules (if a Web Proxy client requested the object) or the firewall chaining
configuration (if a SecureNAT client or a Firewall client requested the object) to
determine how the request will be serviced.
5. The request is forwarded to the Internet Web server.
Exam Tip
Remember that both access rules and network rules can block access to a network resource. If an exam question presents you with a scenario in which a user cannot access a resource on another network, look for information on both the access rule configuration and the network rule configuration.
Creating a New Network Rule
To create a new network rule, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and click Networks.
2. In the Details pane, click the Network Rules tab.
3. On the Tasks tab, click Create a New Network Rule.
4. On the Welcome to the New Network Rule Wizard page, in the Network Rule
Name: box, type the name for the network rule. Click Next.
5. On the Network Traffic Sources page, click Add, as shown in Figure 7-4.
Figure 7-4 Configuring the network traffic source for a network rule
6. On the Add Network Entities page, select the Network Entity to which this rule
will apply. Click Add, and then click Close.
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click Add.
9. On the Add Network Entities page, select the Network Entity to which this rule
will apply. Click Add, and then click Close.
10. On the Network Traffic Destinations page, click Next.
11. On the Network Relationship page, as shown in Figure 7-5, click Network Address
Translation or Route. Click Next.
Figure 7-5 Configuring the network relationship for a network rule
12. On the Completing The New Network Rule Wizard page, review the settings and
then click Finish.
Planning
To determine the address relationship between two computers on different networks, ISA Server processes network rules in the order that the rules are listed in
the ISA Server Management Console interface, looking for a rule that matches the computer
addresses. The first rule that matches defines the network relationship. This means that you may have a route relationship configured between two networks
but a NAT relationship configured between a specific computer on one network and the other
network. In this case, the network rule defining the NAT relationship must be listed first to
ensure that the more specific rule is applied.
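The evaluation order described under "How Network Rules and Access Rules Are Applied", together with the first-match ordering of network rules in the Planning note just above, can be modelled end to end. The following Python is an added example, not ISA Server code: network membership is decided by IP address with everything unassigned falling into External, network rules are scanned in listed order with Route matching in both directions and NAT in one, and access rules are scanned in listed order with the first match (allow or deny) deciding and a default deny at the end. The networks, addresses, rule names and the protocol names are a constructed configuration; it deliberately places a host-specific NAT rule ahead of the general Internal-to-Perimeter Route rule, as the Planning note recommends. Inbound access to a translated network through publishing rules is outside this model.

```python
import ipaddress


class Network:
    """A named block of addresses, like the objects under Configuration > Networks."""

    def __init__(self, name, ranges):
        self.name = name
        self.ranges = [ipaddress.ip_network(r) for r in ranges]

    def contains(self, ip):
        return any(ip in r for r in self.ranges)


class FirewallPolicy:
    ALL = "All Networks"   # the built-in network set

    def __init__(self, networks):
        self.networks = networks    # checked in order, so list Local Host before wider ranges
        self.network_rules = []     # (name, sources, destinations, "Route" | "NAT"), listed order
        self.access_rules = []      # (name, "allow" | "deny", protocols, sources, destinations)

    def network_of(self, ip):
        """Membership follows the IP address; anything unassigned is External."""
        ip = ipaddress.ip_address(ip)
        for net in self.networks:
            if net.contains(ip):
                return net.name
        return "External"

    def _matches(self, entities, ip):
        # A network entity here is a network name, the All Networks set, or a single host.
        name = self.network_of(ip)
        return any(e in (self.ALL, name, str(ip)) for e in entities)

    def relationship(self, src, dst):
        """First matching network rule wins. Route is bidirectional, NAT is not."""
        for name, sources, dests, rel in self.network_rules:
            forward = self._matches(sources, src) and self._matches(dests, dst)
            reverse = rel == "Route" and self._matches(sources, dst) and self._matches(dests, src)
            if forward or reverse:
                return name, rel
        return None, None

    def evaluate(self, src_ip, dst_ip, protocol):
        """Return (decision, relationship, rule) for one client request."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        rule, rel = self.relationship(src, dst)
        if rel is None:
            return "refused", None, "no network relationship"
        for name, action, protocols, sources, dests in self.access_rules:
            if protocol in protocols and self._matches(sources, src) and self._matches(dests, dst):
                return action, rel, name      # first match wins, allow or deny
        return "deny", rel, "Default rule"    # nothing matched: the final deny-all rule


def sample_policy():
    """Constructed configuration (an assumption of this example) with a host-specific
    NAT rule listed ahead of the general Route rule, as the Planning note advises."""
    nets = [
        Network("Local Host", ["203.0.113.1/32", "10.10.0.1/32", "172.16.1.1/32"]),
        Network("Internal", ["10.10.0.0/16"]),
        Network("Perimeter Network", ["172.16.1.0/24"]),
        Network("VPN Clients", ["10.99.0.0/24"]),
    ]
    policy = FirewallPolicy(nets)
    everything = FirewallPolicy.ALL
    policy.network_rules = [
        ("Local Host Access", ["Local Host"], [everything], "Route"),
        ("Kiosk to Perimeter", ["10.10.0.99"], ["Perimeter Network"], "NAT"),
        ("Internal to Perimeter", ["Internal"], ["Perimeter Network"], "Route"),
        ("VPN Clients to Internal", ["VPN Clients"], ["Internal"], "Route"),
        ("Internet Access", ["Internal", "VPN Clients"], ["External"], "NAT"),
        ("Perimeter to External", ["Perimeter Network"], ["External"], "NAT"),
    ]
    policy.access_rules = [
        ("Deny peer-to-peer", "deny", {"P2P-Custom"}, ["Internal"], ["External"]),
        ("Allow Web", "allow", {"HTTP", "HTTPS"}, ["Internal", "VPN Clients"],
         ["External", "Perimeter Network"]),
    ]
    return policy


if __name__ == "__main__":
    p = sample_policy()
    for req in [("10.10.0.5", "172.16.1.10", "HTTP"), ("10.10.0.99", "172.16.1.10", "HTTP"),
                ("10.10.0.5", "198.51.100.7", "P2P-Custom"), ("10.99.0.5", "172.16.1.10", "HTTP")]:
        print(req, "->", p.evaluate(*req))
```

Two results are worth checking against the text: the kiosk at 10.10.0.99 gets a NAT relationship to the perimeter only because its rule is listed before the general Route rule, and a VPN client reaching for the perimeter is refused before any access rule is consulted, because no network rule relates those two networks.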
Practice: Configuring Multiple Networking on ISA Server
In this practice, you will configure a new network on the ISA Server computer. You will
then configure a new network rule that defines a NAT relationship between the Internet and the perimeter network, and another network rule that defines a route relationship between the Internal network and the perimeter network.
Note
To complete this practice, you need three network adapters installed on the computer
running ISA Server. This practice assumes that the third network adapter is assigned the IP
address 172.16.1.1, within the 172.16.1.0 to 172.16.1.255 range used in Exercise 1. All other practices require only two network adapters. Later practices do
not depend on this practice.
Exercise 1: Configuring a New Network on ISA Server
1. Log on to ISA1 as an Administrator. Open ISA Server Management Console.
2. In the Microsoft ISA Server Management Console tree, expand the Configuration
node and click Networks.
3. In the details pane, click the Networks tab.
4. On the Tasks tab, click Create a New Network.
5. On the Welcome To The New Network Wizard page, in the Network Name: box,
type Perimeter Network. Click Next.
6. On the Network Type page, click Perimeter Network, and then click Next.
7. On the Network Addresses page, click Add.
8. In the IP Address Range Properties page, type 172.16.1.0 as the Starting Address
and 172.16.1.255 as the Ending Address. Click OK.
9. On the Network Addresses page, click Next.
10. On the Completing The New Network Wizard page, review the settings and then
click Finish.
11. Click Apply to apply the changes.
Exercise 2: Configuring New Network Rules on ISA Server
1. In the Details pane, click the Network Rules tab.
2. On the Tasks tab, click Create a New Network Rule.
3. On the Welcome To The New Network Rule Wizard page, in the Network Rule
Name: box, type Perimeter to External Network Rule. Click Next.
4. On the Network Traffic Sources page, click Add.
5. On the Add Network Entities page, expand Networks, click Perimeter Network,
and click Add. Click Close.
6. On the Network Traffic Sources page, click Next.
7. On the Network Traffic Destinations page, click Add.
8. On the Add Network Entities page, expand Networks, click External and then
click Add. Click Close.
9. On the Network Traffic Destinations page, click Next.
10. On the Network Relationship page, click Network Address Translation. Click Next.
11. On the Completing The New Network Rule Wizard page, review the settings and
click Finish.
12. Configure another network rule named Internal To Perimeter Network, which
defines a route relationship between the Internal network and the Perimeter Network that you created in Exercise 1.
13. Click Apply to apply the changes.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. The research department in your organization has unique network access requirements. All the computers used by the department users are on a separate subnet
that must be isolated from the production environment. The users need unrestricted Internet access. What should you do to facilitate that?
2. You have configured four different internal networks on your ISA Server. Each network represents a different department in your organization. The different departments have some unique Internet access rule requirements, but you also want
some of the access rules to be the same for all departments. What is the easiest
way to accomplish this?
3. All users in your organization require access to the Internet from their desktop
computers. From their desktop computers, the users should be able to use any
protocol to access the Internet. However, when the users are using one of the
publicly accessible computers located in the office lobby, they should be able to
use only HTTP to access the Internet. What are two possible ways to configure
this?
a. Configure a network that includes the internal network and the publicly
accessible computers. Enable only HTTP access to the Internet from that
network.
b. Configure a computer set that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that computer set.
c. Configure a domain name set that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that computer set.
d. Configure a new network that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that network.
Lesson Summary
■ ISA Server 2004 supports multinetworking, which means that you can configure
multiple networks on ISA Server, and then configure network and access rules that
inspect and filter all network traffic between all networks.
■ ISA Server is configured in advance with the following networks: Local Host,
External, Internal, VPN Clients, and Quarantined VPN Clients.
■ Network rules determine whether there is a relationship between two network
entities and whether the relationship is a route or a NAT relationship.
Lesson 3: Implementing Perimeter Networks and
Network Templates
Many organizations use perimeter networks to isolate servers and resources from both
the Internet and the internal network. In this configuration, servers that need to be
accessible from the Internet are placed in a separate network behind a firewall. These
servers might also be separated from the internal network by another firewall or by
connecting the perimeter network and the internal networks to different interfaces on
the firewall. ISA Server supports almost any perimeter network configuration. To simplify the task of implementing ISA Server as a firewall, ISA Server
2004 provides several network templates. This lesson describes how to implement a
perimeter network with ISA Server 2004.
After this lesson, you will be able to
■ Describe what a perimeter network is
■ Describe the network templates included with ISA Server 2004
■ Implement network templates
Estimated lesson time: 30 minutes
What Are Perimeter Networks?
A perimeter network is a network that is separated from an internal network and the
Internet. Perimeter networks allow external users to gain access to specific servers that
are located on the perimeter network while preventing direct access to the internal network. Perimeter networks have the following characteristics:
■ Protected by one or more firewalls  Perimeter networks are separated from
the Internet by one or more firewalls or routers. The perimeter network is usually
also separated from the internal network by a firewall. The firewall protects the
servers in the perimeter network from the Internet and filters traffic between the
perimeter network and the internal network.
■ Contain publicly accessible servers and services  The servers in the perimeter network are usually accessible to users from the Internet. The types of servers
or services that are often located in the perimeter network include VPN servers
and clients, remote access servers (RASs) and clients, Web servers, application
front-end servers, SMTP gateway servers, and proxy servers.
■ Must be accessible from the Internet  Because the servers on the perimeter
network must be accessible from the Internet, the firewall protecting the perimeter
network must allow network traffic from the Internet. This traffic must be filtered
to ensure that only legitimate traffic enters the perimeter network. Because almost
all network traffic will flow from the Internet to the perimeter network, most firewall rules can be configured to allow only inbound traffic.
■ Require network connectivity to the internal network  Frequently, the computers on the perimeter network must be able to connect to resources on the internal network. For example, VPN or RAS clients connect to the VPN or RAS server,
but then must gain access from that server to the internal network. An SMTP gateway server must be able to forward messages to internal e-mail servers. An application front-end server may need to connect to a database server on the internal
network. Often, users on the internal network must also be able to connect to
servers in the perimeter network. This means that you must configure firewall
access rules on the firewall between the perimeter network and the internal network to enable the required network traffic.
■ Require some level of network protection  The servers on the perimeter network must be partially isolated both from the Internet and the internal network.
The firewalls on both sides of a perimeter network should not forward all traffic,
but should filter traffic flowing in both directions. Only required network traffic
should be allowed to pass between networks.
Benefits of Using a Perimeter Network
The main reason for using a perimeter network is to provide an additional layer of
security. A perimeter network is commonly used for deploying publicly accessible
servers while servers that should never be accessed from the Internet are located on
the internal network. In this way, even if an attacker penetrates the perimeter network
security, only the perimeter network servers are compromised.
The servers in the perimeter network usually do not contain confidential or private
organization data. This data and critical applications are located on the internal network. By implementing a perimeter network, you ensure that there is an additional
layer of security between the Internet and the internal servers.
The perimeter network can also be used to secure other connections to the internal
network. For example, many organizations are using mobile clients such as wireless
devices or cell phones to access information such as e-mail on the internal network.
These devices greatly increase the security risks; one way to reduce that risk is to install
the wireless access servers for these devices in the perimeter network and then use the
internal firewall to filter traffic from these servers to the internal network. VPN servers
and clients can be secured using the same method.
Important Although a well-designed perimeter network can greatly enhance your network’s
security, you must ensure that it is not your only level of defense. Because of the importance of
the Internet both for providing services to customers and for providing access to business partners, many organizations deploy multiple servers in the perimeter network. Often the configuration of the access rules on both the external and internal networks can be quite complicated.
This can lead to configuration errors or reduced security due to the number of ports that must
be open. To reduce the risk, you must implement all other defense-in-depth components
Network Perimeter Configuration Options
Perimeter networks provide an additional layer of network security by protecting publicly accessible servers from unauthorized access while also partially isolating these
servers from the internal network. The design of a secure network perimeter includes
protection for the internal network as well as for servers that must be accessible from
the Internet. There are three broad types of network perimeter configurations:
■ Bastion host  In this configuration, there is only a single firewall between the
Internet and the internal network, as shown in Figure 7-6. The bastion host acts as
the main connection for computers on the internal network that are accessing the
Internet. As a firewall, the bastion host is designed to defend against attacks that
are aimed at the internal network. A bastion host uses two network adapters, one
connected to the internal network and one connected to the Internet. This configuration physically isolates the internal network from potential intruders on the
Internet. However, the bastion host is only a single line of defense between an
internal network and the Internet.
[Figure 7-6: diagram showing the Internet connected through a single firewall to an internal network containing an e-mail server, an application server, and a Web server]
Figure 7-6 A bastion host perimeter configuration uses a single firewall with two
network interfaces
■ Three-legged configuration  A three-legged configuration creates a perimeter
network that gives users on the Internet limited access to network resources on
the perimeter network while preventing unwanted traffic to computers that are
located on the internal network (Figure 7-1 shows ISA Server deployed in a three-legged perimeter configuration). A three-legged configuration uses a firewall with
three network adapters—one connected to the internal network, one connected to
a perimeter network, and one connected to the Internet. Frequently, each server
in the perimeter network has IP addresses that are routable on the Internet, so the
firewall routes traffic to the perimeter network. The firewall screens and routes
packets to the perimeter as defined by the firewall configuration. However, the
firewall computer does not allow direct access to resources that are located on the
internal network. One advantage of a three-legged firewall is that it gives you a
single point of administration to configure access to both your perimeter network
and your internal network. A disadvantage of a three-legged firewall is that it presents a single point of access to all parts of your network. If the firewall is compromised, both the perimeter network and the internal network might be
compromised.
■ Back-to-back configuration  This perimeter network configuration places the
perimeter network between two firewalls, as shown in Figure 7-7. The two firewalls are connected to the perimeter network with one firewall connected to the
Internet and the other firewall connected to the internal network. In this configuration, there is no single point of access from the Internet to the internal network.
To reach the internal network, an attacker would need to get past both firewalls.
It is common to use two different firewall vendors in this configuration for maximum security. This dual-vendor configuration prevents an exploit on one firewall
from being easily exploited on both firewalls. A back-to-back configuration allows
the creation of very granular rules for internal and external access to the network.
For example, you can create rules that allow only HTTP and SMTP traffic access to
the screened subnet from the Internet and rules that allow only Internet Protocol
security (IPSec)–encrypted traffic access to the back-end servers on the internal
network from the screened subnet.
[Figure 7-7: diagram showing a perimeter network containing a Web server, an application server, and an e-mail front-end server, placed between the Internet and an internal network that contains the e-mail server]
Figure 7-7 A back-to-back perimeter configuration uses multiple firewalls
Caution One of the more common reasons for firewall security breaches is incorrect configuration of the firewall. Regardless of how good your firewall is, it is only as secure as your configuration. One of the problems with deploying a back-to-back perimeter network is that the
firewall configurations can be quite complex. The problem can be compounded if you deploy
two firewalls and you are not thoroughly familiar with both firewalls. If you do not have the
training or experience to configure two firewalls, then consider becoming an expert in only one
firewall and using just that firewall. A single firewall with a secure configuration is more secure
than two incorrectly configured firewalls.
What Are Network Templates?
ISA Server 2004 can be deployed in any of the perimeter network configurations. To
simplify the deployment, ISA Server 2004 includes several network templates that you
can use to configure ISA Server based on one of the perimeter network scenarios. A
network template is stored in an Extensible Markup Language (XML) file that includes
the following:
■ Networks and network sets
■ Network rules that describe the relationships between networks and network sets
■ Access rule elements
■ Access rules
To apply a network template, run the Network Template Wizard. When you run the
wizard, you can choose the level of access that will be enabled between networks. For
example, you may want internal users to be able to access resources on the Internet
using all protocols, but only use HTTP or HTTPS to access the perimeter network. The
access rules created by the wizard are based on the level of access you grant.
Important When you apply a network template, the Network Template Wizard overwrites
your current ISA Server configuration with the settings provided in the template. If you have
configured access rules that you want to retain, export the access rules before applying the
network template, and then import the access rules after applying the template.
ISA Server Template Types
ISA Server 2004 provides the following templates:
■ Edge Firewall  This template assumes a network topology with ISA Server configured as a bastion host. One network interface is connected to the internal network, the other is connected to an external network (Internet). When you select
this template, you can allow all outgoing traffic, or limit outgoing traffic to allow
only Web access.
■ 3-Leg Perimeter  This template assumes a network topology with ISA Server
configured as the firewall for a three-leg perimeter configuration. In this configuration, ISA Server has three network interfaces, one connected to the internal network, one connected to the external network, and one connected to a perimeter
network.
■ Front End  This template assumes a network topology with ISA Server at the
edge of a network, with another firewall configured at the back end, protecting
the internal network.
■ Back End  This template assumes a network topology with ISA Server deployed
between a perimeter network and the internal network, with another firewall
located between the perimeter network and the Internet.
■ Single Network Adapter  This template assumes a single network adapter configuration within a perimeter or corporate network. In this configuration,
ISA Server is used as a Web proxy and caching server.
Exam Tip Be familiar with each of these network templates and the default settings
applied by the templates. When you see an exam question that mentions a network template,
you should have a clear idea what the template does so that you can troubleshoot any problems with the template.
How to Implement Network Templates
To implement a network template, run the Network Template Wizard. When you apply
the template, you can select a firewall access policy that best matches your corporate
security guidelines. For example, Table 7-3 lists the firewall policies available when
you select the Edge Firewall network template and also details the rules that are created when you select the policy.
Table 7-3 Firewall Policies Applied by the Internet-Edge Template

Policy name: Block all
Description: This policy blocks all network access through ISA Server. This option does not create any access rules other than the default rule that blocks all access. Use this option when you want to define firewall policy on your own.
Rules created: None

Policy name: Block Internet access, allow access to Internet service provider (ISP) network services
Description: This policy blocks all network access through ISA Server except for access to external network services such as DNS. This option is useful when services are provided by your ISP. Use this option when you want to define firewall policy on your own.
Rules created: Allow DNS from Internal network and VPN Clients network to External network (Internet).

Policy name: Allow limited Web access
Description: This policy allows limited Web access using HTTP, Hypertext Transfer Protocol Secure (HTTPS), and FTP only. All other network access is blocked.
Rules created: Allow HTTP, HTTPS, and FTP from Internal network to External network.

Policy name: Allow limited Web access and access to ISP network services
Description: This policy allows limited Web access using HTTP, HTTPS, and FTP, and allows access to ISP network services. All other network access is blocked.
Rules created: Allow HTTP, HTTPS, and FTP from Internal network and VPN Clients network to External network. Allow DNS from Internal network and VPN Clients network to External network (Internet). Allow all protocols from VPN Clients network to Internal network.

Policy name: Allow unrestricted access
Description: This policy allows unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet to protected networks.
Rules created: Allow all protocols from Internal network and VPN Clients network to External network (Internet). Allow all protocols from VPN Clients network to Internal network.
To apply the Edge Firewall template, use the following procedure:
1. In the ISA Server Management Console tree, select Networks.
2. In the Task pane, on the Templates tab, shown in Figure 7-8, click Edge Firewall.
Figure 7-8 Configuring the Edge Firewall template
3. On the Welcome To The Network Template Wizard page, click Next.
4. On the Export The ISA Server Configuration page, click Export to export the network configuration before modifying it.
Tip Before implementing a significant change to the ISA Server configuration, you should
export the firewall settings. The export performed during the Network Template Wizard
exports the entire ISA Server configuration, including networks and network rules.
5. In the Export Configuration dialog box, choose a location and name for the .xml
file and click Export. When the export finishes, click OK.
6. On the Export The ISA Server Configuration page, click Next.
7. On the Internal Network IP Address page, shown in Figure 7-9, confirm that all
internal network addresses are listed. Modify the address ranges if required. Click
Next.
Figure 7-9 Configuring the Internal network IP addresses using a network template
8. On the Select A Firewall Policy page, select the appropriate firewall policy (see
Figure 7-10). Click Next.
Figure 7-10 Configuring the firewall policy using a network template
9. On the Completing The Network Template Wizard page, review the configuration
and click Finish.
10. In the Details pane, click Apply to apply the new access rule.
Modifying Access Rules Applied by Network Templates
Network templates simplify the configuration of ISA Server 2004 network and access
rules. However, in most cases, the access rules applied by the template may not meet
your requirements exactly. In these cases, you must modify the access rules implemented by the template. There are many scenarios in which you may need to define
Internet access more precisely by modifying the access rules, such as the following:
■ Modifying Internet access based on user or computer sets  The default network template defines the same access rules for all users and all computers on the
internal network. If all client computers are Firewall clients or Web Proxy clients
and you want to ensure that all users authenticate before gaining access to the
Internet, you may want to change the rule created by the wizard to apply to All
Authenticated Users. If you want to apply more or less restrictive policies based on
user or computer groups, you can create a user set or computer set, and then create an access rule that applies the settings you need.
■ Modifying Internet access for different protocols  The network template
either allows all protocols, or a selected group of the most common Internet protocols. If you want to allow all users to use a different set of protocols, you can
modify the default rule created by the network template. If you want a selected
user group to be able to use other protocols, create the user set, then create a new
access rule granting the required access.
■ Modifying network rules to change network relationships  In some cases,
you may also need to change the default network rules that are created by the network templates. For example, the 3-Leg Perimeter network template creates a
route relationship between the perimeter network and the external network and a
NAT relationship between the perimeter network and the internal network. If you
use private IP addresses in the perimeter network, you must change the perimeter
network to external network rule to a NAT relationship.
■ Configuring publishing rules or access rules for inbound access  The network template only enables Internet and perimeter network access from the internal networks. To enable access to internal resources from the Internet, you must
configure publishing rules.
To simplify the configuration of the additional access rules, choose the network template that most closely meets your requirements when you run the wizard. For example, if you are implementing a three-legged perimeter network configuration in which
almost all users must be able to access the Internet using all protocols, then choose the
3-Leg Perimeter network template and enable unrestricted access when you run the
wizard. Then create additional access rules that apply the exceptions. For example,
you may need to create a more restrictive policy for some users.
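The following Python model is added here as an illustration and is not ISA Server code or its API. It evaluates the ordered rule list just described: the access rules that the Edge Firewall template creates for the Allow limited Web access and access to ISP network services policy, with a hypothetical Lobby Computers computer set restricted to HTTP placed above them. The Internal range is the one used in this chapter's practices; the VPN Clients range, the lobby addresses, the VPN-to-Internal network rule, and the route/NAT direction semantics are assumptions.

```python
"""Toy model of how ISA Server 2004 evaluates traffic between its networks.

Added example, not ISA Server code or its API. It models the access rules
created by the Edge Firewall template's "Allow limited Web access and access
to ISP network services" policy, adds a hypothetical exception for a lobby
computer set, and evaluates constructed flows against the ordered rule list.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

ALL = "*"  # wildcard for "all protocols"
NetworkRule = namedtuple("NetworkRule", "name sources destinations relationship")
AccessRule = namedtuple("AccessRule", "name action protocols sources destinations")

# Address ranges per network; anything else is External. The Internal range is
# the one used in this chapter's practices; the VPN Clients range is constructed.
NETWORKS = {
    "Internal": [ip_network("10.10.0.0/24")],
    "VPN Clients": [ip_network("10.10.5.0/24")],
}
# Hypothetical computer set for the lobby machines (constructed addresses).
COMPUTER_SETS = {"Lobby Computers": [ip_network("10.10.0.200/29")]}

NETWORK_RULES = [
    NetworkRule("Internet Access Network Rule", {"Internal", "VPN Clients"},
                {"External"}, "nat"),
    # Assumed default network rule: route relationship VPN Clients <-> Internal.
    NetworkRule("VPN Clients to Internal Network", {"VPN Clients"}, {"Internal"},
                "route"),
]

ACCESS_RULES = [
    # Hypothetical exception rules, ordered above the template rules.
    AccessRule("Lobby Web Only", "allow", {"http"}, {"Lobby Computers"}, {"External"}),
    AccessRule("Lobby Block Other", "deny", {ALL}, {"Lobby Computers"}, {"External"}),
    # Rules created by the template policy (names as in Exercise 2 below).
    AccessRule("Web Access Only", "allow", {"http", "https", "ftp"},
               {"Internal", "VPN Clients"}, {"External"}),
    AccessRule("Allow DNS To The Internet", "allow", {"dns"},
               {"Internal", "VPN Clients"}, {"External"}),
    AccessRule("VPN Clients To Internal Network", "allow", {ALL},
               {"VPN Clients"}, {"Internal"}),
]


def classify(ip):
    """Name of the network an address belongs to (External if none matches)."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def find_network_rule(src_net, dst_net):
    """Assumed semantics: a NAT rule applies from source to destination only,
    while a route rule applies in both directions."""
    for rule in NETWORK_RULES:
        if src_net in rule.sources and dst_net in rule.destinations:
            return rule
        if (rule.relationship == "route" and src_net in rule.destinations
                and dst_net in rule.sources):
            return rule
    return None


def entity_matches(ip, net_name, entities):
    """True if the address lies in one of the named networks or computer sets."""
    if net_name in entities:
        return True
    addr = ip_address(ip)
    return any(addr in r for name in entities for r in COMPUTER_SETS.get(name, []))


def evaluate(src_ip, dst_ip, protocol):
    """Return (verdict, rule name, relationship) for one flow."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    net_rule = find_network_rule(src_net, dst_net)
    if net_rule is None:
        # No relationship between the two networks: dropped before access rules.
        return ("deny", "no network rule", None)
    for rule in ACCESS_RULES:  # first matching rule wins; the default rule denies
        if ((protocol in rule.protocols or ALL in rule.protocols)
                and entity_matches(src_ip, src_net, rule.sources)
                and entity_matches(dst_ip, dst_net, rule.destinations)):
            return (rule.action, rule.name, net_rule.relationship)
    return ("deny", "Default rule", net_rule.relationship)


if __name__ == "__main__":
    for flow in [("10.10.0.25", "203.0.113.10", "http"),
                 ("10.10.0.205", "203.0.113.10", "https"),
                 ("10.10.5.7", "10.10.0.50", "rdp"),
                 ("203.0.113.10", "10.10.0.50", "http")]:
        print(flow, "->", evaluate(*flow))
```

The last flow shows why inbound access needs a publishing rule: with no network rule from External to Internal, the access rules are never consulted.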
Practice: Implementing Network Templates
In this practice, you will apply the Edge Firewall template. Then you will review the
access and network rules created by the template. Finally, you will test the template
settings to ensure that you have Internet access.
Exercise 1: Applying the Edge Firewall Template
1. In the ISA Server Management Console tree, expand ISA1, then expand Configuration, and then click Networks.
2. In the Task pane, on the Templates tab, click Edge Firewall.
3. In the Welcome to the Network Template Wizard, click Next.
4. On the Export the ISA Server Configuration page, click Export to export the network configuration before modifying it.
5. In the Export Configuration dialog box, type Network Configuration PreTemplate in the File Name box. Click the check boxes for Export user permission
settings and Export confidential information (encryption will be used) and then
click Export.
6. Type a password in the Password and Confirm Password boxes. Click OK. When
the export finishes, click OK.
7. On the Export the ISA Server Configuration page, click Next.
8. On the Internal Network IP Address page, confirm that the start address is
10.10.0.0 and the end address is 10.10.0.255. Also ensure that the network broadcast address (10.255.255.255) is listed. Click Next.
9. On the Select a Firewall Policy page, click Allow limited Web access and access to
ISP network services. Click Next.
10. On the Completing the Network Template Wizard page, review the configuration
and click Finish.
11. Click Apply to apply the changes.
Exercise 2: Reviewing the Access and Network Rules Created by the
Edge Firewall Template
1. In the ISA Server Management Console tree, click Firewall Policy.
Note Notice that all the access rules you previously configured were overwritten by the
template. Moreover, the perimeter network and network rule that you created in the previous
practice were overwritten by the template.
2. In the Task pane, double-click Web Access Only and examine the properties of
the access rule. Click OK.
The Web Access Only access rule allows HTTP, HTTPS, and FTP traffic from the
Internal and VPN Clients network to the External network.
3. In the Task pane, double-click Allow DNS To The Internet and examine the properties of the access rule. Click OK.
The Allow DNS To The Internet access rule allows DNS traffic from the Internal
and VPN Clients network to the External network.
4. In the Task pane, double-click VPN Clients To Internal Network and examine the
properties of the access rule. Click OK.
The VPN Clients To Internal Network access rule allows all protocols from the
VPN Clients network to the Internal network.
5. Click Networks. In the details pane, click Network Rules.
6. Double-click the Internet Access Network Rule and examine the properties of the
access rule. Click OK.
The Internet Access Network Rule defines a NAT relationship between the Internal, Quarantined VPN Clients and VPN Clients networks, and the External
network.
Exercise 3: Testing Internet Access
1. Switch to the CLIENT1 virtual machine and log on to the cohovineyard.com
domain.
2. Open Microsoft Internet Explorer and attempt to connect to www.microsoft.com.
3. Attempt to connect to www.msn.com.
4. Attempt to connect to ftp://ftp.microsoft.com. You may need to clear the Enable
Folder View for FTP Sites on the Advanced tab in Internet Options to view the FTP
directory listing. All connections should be successful.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You are the network administrator of a small company. Your company does not
publish any servers to the Internet and your ISP handles all Internet services for
your organization. You need to enable Internet access for your internal users
using only HTTP and HTTPS. What network template and policy would work
best for you?
2. You use a third-party firewall solution as your Internet-edge firewall. You have
installed ISA Server 2004 and you are using it just to take advantage of the caching
capabilities. What network template will you choose?
a. Front Firewall
b. Bastion Host
c. Edge Firewall
d. Single Network Adapter
3. Your organization is designing a new perimeter network configuration. The organization is planning on deploying several Web servers and other application servers that need to be accessible from the Internet. At the same time, the organization
requires that these servers be isolated from the internal network so that only
selected traffic can pass from the publicly accessible servers to the internal
network. The company must implement the most secure solution possible. What
perimeter network configuration should the organization implement?
a. Configure a bastion host firewall.
b. Configure a three-leg perimeter network.
c. Configure a back-to-back perimeter network with two firewalls from the same
vendor.
d. Configure a back-to-back perimeter network with two firewalls from different
vendors.
Lesson Summary
■ A perimeter network is a network that you set up separately from an internal network and the Internet. Perimeter networks are used to isolate servers and
resources from both the Internet and the internal network.
■ There are three general types of network perimeter configurations: bastion host,
three-legged configuration, and back-to-back configuration.
■ The network templates included with ISA Server 2004 include preconfigured networks and network sets, network rules, access rules, and access rule elements.
The templates are designed to simplify the process of configuring ISA Server. After
applying the network template, you may need to modify the access rules or add
additional access rules to meet your company requirements.
Lesson 4: Configuring Intrusion Detection and IP
Preferences
ISA Server 2004 provides two additional options for increasing security; these options
are intrusion detection and IP preferences. These options are used to configure how
ISA Server will respond to various attacks or malformed IP packets. This lesson
describes how to configure these options.
After this lesson, you will be able to
■ Describe the intrusion-detection configuration options
■ Configure intrusion detection
■ Describe the IP preferences configuration options
■ Configure IP preferences
Estimated lesson time: 20 minutes
Intrusion-Detection Configuration Options
To protect your network, you will also need to know how to configure your ISA Server
for intrusion detection. Intrusion detection identifies when an attack is attempted
against your network and performs a set of configured actions, or alerts, in case of an
attack. To detect potential attacks, ISA Server compares network traffic and log entries
to well-known attacks. When ISA Server detects suspicious activities, it triggers an alert.
You can configure the actions that ISA Server will perform in the event of an alert.
These actions include connection termination, service termination, e-mail alerts, logging, and others.
Intrusion Detection at the IP Level
ISA Server provides intrusion detection for well-known IP attacks listed in Table 7-4.
Table 7-4 ISA Server Intrusion-Detection Options

IP attack: Windows out-of-band attack
Description: This alert notifies you that there was an out-of-band, denial-of-service (DoS) attack attempted against a computer protected by ISA Server. An out-of-band attack occurs when a Windows system receives a packet with the “URGENT” flag set. The system expects data will follow that flag. The exploit consists of setting the URGENT flag, but not following it with data. The port most susceptible is TCP Port 139, the NetBIOS Session Service port. If mounted successfully, this attack causes the computer to fail or causes a loss of network connectivity on vulnerable computers.

IP attack: Land attack
Description: This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that match those of the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that causes the computer to fail.

IP attack: Ping-of-death attack
Description: This alert notifies you that an IP fragment was received with more data than the maximum IP packet size. If the attack is successfully mounted, a kernel buffer overflows, which causes the computer to fail.

IP attack: Port scan
Description: This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed.

IP attack: IP half scan
Description: This alert notifies you that repeated attempts to send TCP packets with invalid flags were made. During an IP half-scan attack, the attacking computer does not send the final ACK packet during the TCP three-way handshake. Instead, it sends other types of packets that can elicit useful responses from the target host without causing a connection to be logged. This is also known as a stealth scan, because it does not generate a log entry on the scanned host. If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server rules to block traffic from the source of the scans.

IP attack: UDP bomb
Description: This alert notifies you that there is an attempt to send an illegal UDP packet. These UDP packets will cause some older operating systems to fail when the packet is received. If the target machine does fail, it is often difficult to determine the cause.
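As an added example that is not ISA Server code, the following Python checks apply the conditions in Table 7-4 to a constructed packet list and return the alerts they would raise. The thresholds, the packet record format, and the set of TCP flag combinations treated as invalid are assumptions.

```python
"""Detection checks modeled on the IP-level alerts in Table 7-4.

Added example, not ISA Server code. It applies the land, ping-of-death,
UDP bomb, port-scan and IP half-scan conditions to a constructed list of
packet records and returns the alerts they raise. Thresholds, the record
format and the flag combinations treated as invalid are assumptions.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10   # distinct destination ports per source before alerting
HALF_SCAN_THRESHOLD = 3    # invalid-flag TCP packets per source before alerting
MAX_IP_DATAGRAM = 65535    # largest legal IP datagram, header included, in bytes
IP_HEADER_LEN = 20
# TCP flag combinations that a legitimate three-way handshake never produces.
INVALID_FLAG_SETS = [frozenset(), frozenset({"FIN"}), frozenset({"SYN", "FIN"}),
                     frozenset({"FIN", "PSH", "URG"})]


def pkt(proto, src, dst, sport=0, dport=0, flags=(), frag_offset=0,
        payload_len=0, udp_len=None):
    """Constructed packet record; payload_len is the IP payload length in bytes."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": frozenset(flags), "frag_offset": frag_offset,
            "payload_len": payload_len,
            "udp_len": payload_len if udp_len is None else udp_len}


def is_land(p):
    """Land attack: a SYN whose source address and port equal the destination's."""
    return (p["proto"] == "tcp" and "SYN" in p["flags"]
            and p["src"] == p["dst"] and p["sport"] == p["dport"])


def is_ping_of_death(p):
    """Ping of death: an ICMP fragment that would reassemble past the IP maximum."""
    if p["proto"] != "icmp":
        return False
    # The fragment offset field counts 8-byte units.
    return IP_HEADER_LEN + p["frag_offset"] * 8 + p["payload_len"] > MAX_IP_DATAGRAM


def is_udp_bomb(p):
    """UDP bomb: a UDP length field shorter than the UDP header or longer than the payload."""
    return p["proto"] == "udp" and (p["udp_len"] < 8 or p["udp_len"] > p["payload_len"])


def detect(packets):
    """Return a sorted list of (alert name, source address) pairs for a packet list."""
    alerts = set()
    ports_by_src = defaultdict(set)    # (destination, port) pairs touched per source
    invalid_by_src = defaultdict(int)  # invalid-flag TCP packets per source
    for p in packets:
        if is_land(p):
            alerts.add(("Land attack", p["src"]))
        if is_ping_of_death(p):
            alerts.add(("Ping-of-death attack", p["src"]))
        if is_udp_bomb(p):
            alerts.add(("UDP bomb", p["src"]))
        if p["proto"] in ("tcp", "udp"):
            ports_by_src[p["src"]].add((p["dst"], p["dport"]))
        if p["proto"] == "tcp" and p["flags"] in INVALID_FLAG_SETS:
            invalid_by_src[p["src"]] += 1
    for src, ports in ports_by_src.items():
        if len(ports) > PORT_SCAN_THRESHOLD:
            alerts.add(("Port scan", src))
    for src, count in invalid_by_src.items():
        if count >= HALF_SCAN_THRESHOLD:
            alerts.add(("IP half scan", src))
    return sorted(alerts)


# Constructed sample traffic: four benign packets followed by one set per alert.
SAMPLE = [
    pkt("tcp", "10.10.0.25", "203.0.113.10", 40001, 80, {"SYN"}),
    pkt("tcp", "10.10.0.25", "203.0.113.10", 40001, 80, {"ACK"}),
    pkt("udp", "10.10.0.25", "203.0.113.53", 40002, 53, payload_len=40),
    pkt("icmp", "203.0.113.4", "10.10.0.5", payload_len=64),
    # Land: spoofed source equal to the protected host, on port 139.
    pkt("tcp", "10.10.0.5", "10.10.0.5", 139, 139, {"SYN"}),
    # Ping of death: 20 + 8100 * 8 + 1480 = 66300 bytes, past the maximum.
    pkt("icmp", "203.0.113.5", "10.10.0.5", frag_offset=8100, payload_len=1480),
    # UDP bomb: length field of 4 is shorter than the 8-byte UDP header.
    pkt("udp", "203.0.113.11", "10.10.0.5", 5000, 7, payload_len=20, udp_len=4),
    # Port scan: twelve distinct ports from one source.
    *[pkt("tcp", "203.0.113.7", "10.10.0.5", 50000, port, {"SYN"}) for port in range(1, 13)],
    # IP half scan: repeated FIN-only packets that never complete a handshake.
    *[pkt("tcp", "203.0.113.9", "10.10.0.5", 50001, port, {"FIN"}) for port in (25, 80, 443)],
]
```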
Intrusion Detection at the Application Layer
ISA Server also provides built-in application filters that detect DNS networking protocol
and Post Office Protocol (POP) intrusions. The DNS intrusion-detection filter detects
the following known DNS exploits:
■ DNS host name overflow. A DNS host name overflow occurs when a DNS response for a host name exceeds a certain fixed length (255 bytes). Applications that do not check the length of the host names may overflow internal buffers on the server when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer. This filter inspects the response that an internal client receives from an external DNS server.
■ DNS length overflow. DNS responses for IP addresses contain a length field, which should be 4 bytes. By formatting a DNS response with a larger value, some applications executing DNS lookups will overflow internal buffers, potentially allowing a remote attacker to execute arbitrary commands on a targeted computer. This filter inspects the response that an internal client receives from an external DNS server.
■ DNS zone transfer. A malicious user executes a zone transfer to gather a list of all the host names in a domain. This filter detects when an Internet user attempts to execute a zone transfer from an internal DNS server through ISA Server.
The POP filter intercepts and analyzes POP traffic destined for the published servers.
The application filter checks for POP buffer overflow attacks. A POP buffer overflow
attack occurs when a remote attacker attempts to gain root access to a POP server by
overflowing an internal buffer on the server.
How to Configure Intrusion Detection
By default, ISA Server is configured with most of the intrusion-detection options
already enabled. To review and configure intrusion detection of common attacks, use
the following procedure:
1. In the ISA Server Management Console tree, click General.
2. In the Details pane, click Enable Intrusion Detection and DNS Attack Detection.
3. On the Common Attacks tab, shown in Figure 7-11, ensure that Enable Intrusion
Detection is selected.
Figure 7-11 Configuring intrusion detection
4. Select one or more of the attack options. The only option that is not configured by
default is the Port Scan. If you select this option, you can also specify when the
alert will be raised. You can choose to raise the alert after a specified number of
attacks on well-known ports or after a specified number of attacks on all ports.
5. To enable intrusion detection of DNS attacks, click the DNS Attacks tab, and then
click Enable Detection And Filtering Of DNS Attacks.
6. Select one or more of the attack options. The only option that is not enabled by
default is DNS Zone Transfer.
7. When you finish configuring intrusion detection, click OK.
Note After configuring intrusion detection, you can also configure the alert settings. For
more information about configuring alerts and responses to alerts, see Chapter 11, “Implementing Monitoring and Reporting.”
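The port-scan option in step 4 raises an alert only after a configured number of attempts on well-known ports or on all ports. The following Python example is added here to show that thresholding logic run over a constructed set of denied-connection records; it is not part of the book or of ISA Server, and the event format, the 60-second window and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict

WELL_KNOWN_MAX = 1023  # TCP/UDP ports 0-1023 are the well-known range

# Constructed sample of denied connection attempts seen by a firewall:
# (seconds since start, source address, destination port). Not real traffic.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", 21), (1, "203.0.113.5", 22), (2, "203.0.113.5", 23),
    (3, "203.0.113.5", 25), (4, "203.0.113.5", 80), (5, "203.0.113.5", 443),
    (0, "198.51.100.7", 3389), (2, "198.51.100.7", 8080), (3, "198.51.100.7", 1433),
    (0, "192.0.2.9", 80), (30, "192.0.2.9", 80), (60, "192.0.2.9", 80),
]


def detect_port_scans(events, well_known_threshold=5, all_ports_threshold=10,
                      window=60):
    """Return one alert per source that touched at least well_known_threshold
    distinct well-known ports, or all_ports_threshold distinct ports of any
    kind, within `window` seconds. Repeated hits on one port never count as
    a scan. Each alert is (source, reason, distinct_port_count)."""
    attempts_by_source = defaultdict(list)
    for timestamp, source, port in sorted(events):
        attempts_by_source[source].append((timestamp, port))

    alerts = []
    for source, attempts in attempts_by_source.items():
        for index, (now, _) in enumerate(attempts):
            # Distinct ports touched in the window that ends at this attempt.
            recent_ports = {p for t, p in attempts[: index + 1] if t > now - window}
            well_known = {p for p in recent_ports if p <= WELL_KNOWN_MAX}
            if len(well_known) >= well_known_threshold:
                alerts.append((source, "well-known ports", len(well_known)))
                break
            if len(recent_ports) >= all_ports_threshold:
                alerts.append((source, "all ports", len(recent_ports)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS):
        print("Intrusion detected: port scan from %s (%s, %d ports)" % alert)
```

With the default thresholds only 203.0.113.5 is reported: it touched five distinct well-known ports inside one window, whereas 192.0.2.9 hit the same port three times and never counts as a scan. Lowering the all-ports threshold to 3 also flags 198.51.100.7, which is the trade-off the Port Scan dialog asks you to make.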
IP Preferences Configuration Options
Another option on ISA Server 2004 that you can use to improve security is to configure
the IP preferences. IP preferences are used to configure how ISA Server will handle
specific types of IP packets. Configuring IP preferences is more complicated than configuring intrusion detection because, in most cases, IP preferences can be used to
block normal packets that may or may not be used by attackers. You can configure the
following IP preferences on ISA Server:
■ IP option. You can configure ISA Server to refuse all packets that have the IP options flag set in the header, or you can configure ISA Server to drop packets with only specific IP options enabled. The IP options flags that are most commonly used by attackers are the source routing options. The source route option in the IP header allows the sender to override routing decisions that are normally made by the routers between the source and destination machines. An attacker can use source routing to reach addresses on the internal network that normally are not reachable from other networks, by routing the traffic through another computer that is reachable from both the other network and the internal network. Because source routing can be used in this way, you should disable source routing on your ISA Server computer.
■ IP fragments. You can also configure ISA Server to drop all IP fragments. A single IP datagram can be separated into multiple datagrams of smaller sizes known as IP fragments. If you enable this option, then all fragmented packets are dropped when ISA Server filters packet fragments. A common attack that uses IP fragments is the teardrop. In the teardrop attack, multiple IP fragments are sent to a server. However, the IP fragments are modified so that the offset fields within the packet overlap. When the destination computer tries to reassemble these packets, it is unable to do so. It may fail, stop responding, or restart. Enabling IP fragment filtering can interfere with streaming audio and video. In addition, Layer Two Tunneling Protocol (L2TP) over IPSec connections may not be established successfully because packet fragmentation may take place during certificate exchange.
Exam Tip Blocking IP fragments is an example of a configuration option that may provide some additional security but at the cost of some functionality. If you get an exam question in which users cannot use streaming media, yet need this functionality, one of the possible explanations is that IP fragments are being blocked. By default, IP fragment blocking is not enabled on ISA Server.
■ IP routing. When IP routing is enabled, ISA Server sends the original network packet from one network to another. ISA Server can filter the network packet. When IP routing is disabled, ISA Server sends only the data (and not the original network packet) to the destination. Also, when IP routing is disabled, ISA Server sends each packet through the firewall in user mode. Disabling IP routing is more secure, but can also decrease router performance.
How to Configure IP Preferences
By default, ISA Server is configured with the most important IP preferences set. You can
modify the default settings. To configure IP preferences, use the following procedure:
1. In the ISA Server Management Console tree, click General.
2. In the Details pane, click Define IP Preferences.
3. On the IP Options tab, ensure that Enable IP Options Filtering is selected, as
shown in Figure 7-12. You can then configure the level of IP options filtering by
denying all packets with the IP option flag configured or by denying packets with
specific IP options set. By default, packets with IP options Record Route, Time
Stamp, Loose Source Route, and Strict Source Route are denied.
Figure 7-12 Configuring IP Options
4. On the IP Fragments tab, shown in Figure 7-13, click Block IP Fragments to block
all IP fragments. By default, this option is not enabled.
Figure 7-13 Configuring IP Fragments
5. On the IP Routing tab, as shown in Figure 7-14, clear the check box for Enable IP
Routing to disable IP routing. By default, IP routing is enabled.
Figure 7-14 Configuring IP Routing
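To make the IP Options and IP Fragments preferences concrete, the following Python example (added here; it is not from the book or from ISA Server) parses a raw IPv4 header, lists the options it carries and reports whether the packet is a fragment, then applies the default deny list named in step 3 (Record Route, Timestamp, Loose Source Route, Strict Source Route). The option type codes are the RFC 791 values; the packet builder, the addresses and the zero checksum are constructed for the example.

```python
import struct

# IPv4 option type codes (RFC 791) for the four options that ISA Server
# denies by default when IP options filtering is enabled.
IP_OPTION_NAMES = {
    7: "Record Route",
    68: "Timestamp",
    131: "Loose Source Route",
    137: "Strict Source Route",
}
DENIED_OPTIONS = frozenset(IP_OPTION_NAMES)


def parse_ipv4_header(packet):
    """Return (option_types, is_fragment) for a raw IPv4 packet.

    option_types lists the type byte of each option in the header;
    is_fragment is True when the More Fragments flag is set or the
    fragment offset is non-zero (both mark a piece of a split datagram).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("invalid header length")
    flags_and_offset = struct.unpack("!H", packet[6:8])[0]
    more_fragments = bool(flags_and_offset & 0x2000)
    fragment_offset = flags_and_offset & 0x1FFF
    is_fragment = more_fragments or fragment_offset != 0

    option_types = []
    i = 20  # options start right after the fixed 20-byte header
    while i < header_len:
        opt_type = packet[i]
        if opt_type == 0:        # End of Option List
            break
        if opt_type == 1:        # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("malformed option: missing length byte")
        opt_len = packet[i + 1]
        if opt_len < 2 or i + opt_len > header_len:
            raise ValueError("malformed option length")
        option_types.append(opt_type)
        i += opt_len
    return option_types, is_fragment


def ip_preferences_verdict(packet, block_fragments=False,
                           denied_options=DENIED_OPTIONS):
    """Apply the IP Options and IP Fragments preferences to one packet.
    Returns the reason the packet is dropped, or None if it passes."""
    option_types, is_fragment = parse_ipv4_header(packet)
    for opt in option_types:
        if opt in denied_options:
            return "IP option %d (%s)" % (opt, IP_OPTION_NAMES.get(opt, "other"))
    if block_fragments and is_fragment:
        return "IP fragment"
    return None


def build_ipv4_packet(options=b"", flags_and_offset=0):
    """Build a constructed test packet (checksum left zero, no payload)."""
    padded = options + b"\x00" * (-len(options) % 4)   # options pad to 32 bits
    ihl = 5 + len(padded) // 4
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1])   # constructed
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(padded),
                        0x1234, flags_and_offset, 64, 6, 0, src, dst)
    return fixed + padded


if __name__ == "__main__":
    # Loose Source Route option: type 131, length 7, pointer 4, one hop address.
    lsrr = build_ipv4_packet(options=bytes([131, 7, 4, 10, 0, 0, 9]))
    print(ip_preferences_verdict(lsrr))        # IP option 131 (Loose Source Route)
    print(ip_preferences_verdict(build_ipv4_packet(flags_and_offset=0x2000),
                                 block_fragments=True))   # IP fragment
```

The fragment check is deliberately separate from the options check because, as the Exam Tip notes, it is off by default: a packet with the More Fragments flag passes unless block_fragments is set, while a packet carrying a source-route option is dropped regardless.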
Practice: Configuring Intrusion Detection and IP Preferences
In this practice, you will modify the intrusion-detection configuration on ISA Server
2004. You will then test the intrusion-detection configuration.
Exercise 1: Modifying the Default Intrusion Detection
1. In the ISA Server Management Console tree, expand ISA1, then expand Configuration, and then click General.
2. In the Details pane, click Enable Intrusion Detection And DNS Attack Detection.
3. On the Common Attacks tab, ensure that Enable Intrusion Detection is selected.
4. Select Port Scan and configure ISA Server to detect after five attacks on well-known ports.
5. On the DNS Attacks tab, select DNS Zone Transfer. Click OK.
6. Click Apply to apply the changes.
Exercise 2: Testing Intrusion Detection
In this exercise, you will use the Portqry.exe utility that is included with the Windows
Server 2003 Resource Kit to perform a port scan on the internal network interface of
the ISA Server computer.
1. On CLIENT1, open a command prompt and change to the C:\Program Files\Windows Resource Kits\Tools folder (or to the folder where the resource kit is installed).
2. Type portqry.exe -n 192.168.1.1 -r 1:20.
3. On the ISA1 virtual machine, in the Microsoft ISA Server Management Console
tree, click Monitoring.
4. On the Alerts tab, locate the Intrusion Detected alert. You may need to wait a few
minutes for the alert to appear. Expand the alert and read the Alert Information at
the bottom of the Details pane.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. Your organization has just deployed an ISA Server computer as a firewall. The
security policy for your organization requires that all settings on the ISA Server
computer be configured as securely as possible. After you implement a secure
configuration, users report that they can no longer access a streaming media site.
Access to this site is critical for the company, so you must enable access to the site.
What security setting should you change to enable access to the site?
a. Enable IP routing
b. Disable all filtering based on IP options
c. Disable filtering of IP fragments
d. Disable filtering based on the source-routing IP options
2. You have configured intrusion detection to detect when the ISA Server interfaces
are being exposed to a port scan. You configure the alert to send an e-mail to your
account when the alert is triggered. You are now receiving a high number of
e-mails from the ISA Server computer. You want to reduce the number of e-mails
sent to your account, but still want to know when there are frequent port scans of
your ISA Server. What should you do?
3. You have configured ISA Server 2004 as a bastion host. You are concerned about
the security of your DNS database. One of the internal DNS servers must be accessible from the Internet but you want to ensure that zone transfers will never be
allowed to clients that are not on your internal network. How will you accomplish
this?
Lesson Summary
■ The purpose of intrusion detection is to detect network attacks as early as possible to ensure that appropriate corrective actions can be taken. ISA Server provides intrusion detection for well-known IP attacks and also provides built-in application filters that detect DNS networking protocol and POP intrusions.
■ By default, the most important intrusion detection options are enabled in ISA Server 2004. You can configure additional options.
■ IP preferences are used to configure how ISA Server will handle specific IP packets. You can configure the following IP preferences on ISA Server: IP Option, IP Fragments, and IP Routing.
■ Configuring IP preferences can be difficult because for some of the options you will block some functionality when you enable the IP preference. You need to balance the need for security versus functionality when configuring IP preferences.
Lesson 5: Implementing Application and Web Filtering
An important advantage of ISA Server over traditional firewalls is its ability to filter the
application data in the network packets as they enter or leave the network. This feature
is especially important because of the near-universal use of HTTP. Almost all organizations allow users on the internal network to use HTTP to access Web resources. Most
organizations also allow HTTP traffic into the network as Internet users access internal
Web resources. The fact that HTTP is so widely used means HTTP-based attacks have
become increasingly popular and sophisticated. Moreover, many applications which
have traditionally used another protocol are now using HTTP to carry the application
data. Because of this, it is critical to examine all HTTP traffic entering or leaving the
organization’s network. This lesson provides an overview of how application and Web
filters work in ISA Server 2004 and then focuses on how to implement and manage
HTTP filtering in ISA Server 2004.
After this lesson, you will be able to
■ Define an application filter
■ Define a Web filter
■ Describe how the HTTP Web filter works
■ Configure an HTTP Web filter
Estimated lesson time: 30 minutes
What Are Application Filters?
Application filters work with the firewall service in ISA Server to intercept and process
network packets as they pass through ISA Server. Application filters examine the application-level data within those packets and then filter the packets based on firewall
rules. ISA Server application filters are implemented as Component Object Model
(COM)–server dynamic link libraries (DLLs) that run in the same process space as the
firewall service. When the firewall service starts, all application filters that are registered with the firewall service are also loaded.
Application filters are add-ons to the firewall service. When a packet arrives, the firewall service uses firewall rules defined in the rules engine to check the packet. One
check is to see if an application filter is associated with the protocol used by the
packet. If there is, the firewall service passes the packet to the application filter for further inspection. An application filter can perform protocol- or system-specific tasks
such as authentication and checking for viruses.
See Also To view all the application filters included with ISA Server 2004, open the ISA Server Management Console, expand Configuration, and then click Add-ins. The application filters are listed on the Application Filters tab. You can enable or disable filters from this interface, but most application filters cannot be modified.
Application filters can be used in several different ways on ISA Server, including:
■ Enabling firewall traversal for complex protocols. Application filters can extend the ability of ISA Server to handle complicated protocols that require more than a single TCP connection. Some applications, such as FTP or media streaming applications, initiate a connection with a server using a specified port number. However, once the initial connection has been established, the server and client negotiate one or more dynamic ports that will be used for further communications. An application filter can enable the firewall traversal of these protocols. ISA Server uses the application filter to track the negotiation between the client and server as they determine the secondary connections, and then ISA Server can dynamically configure the ports required for the secondary connections. An example of such a filter is the built-in FTP application filter that handles all aspects of configuring a firewall to automatically allow a secondary FTP data channel. The FTP filter can also be modified to control whether users can download and upload files using FTP. By default, the FTP filter only allows users to download files.
■ Enabling protocol-level intrusion detection. Application filters can examine the contents of application packets to check for protocol-level intrusion detection. A common example of this type of filtering is based on filtering commands to protect against buffer overflow attempts. ISA Server provides POP3, SMTP, and DNS application filters that provide this type of functionality.
■ Enabling protocol-level content filtering. Application filters can parse high-level application protocols, look for actual data (the payload), and apply rules and processing based on the content. For example, you can use the feature to provide protocol-level syntax validation, antivirus scanning on file transfers, or scans of the content based on defined strings. The SMTP filter provided with ISA Server is an example of these types of application filters.
■ Generating alerts and log events. Application filters can also be used to create alerts and log events based on the activity discovered by the application filter. For example, if a DNS application filter detects repeated attack attempts, the filter can create an alert or log the information.
Note Many third-party vendors use application filters to implement features such as content filtering, access control, specialized authentication methods, and intrusion detection. For a listing of many of the third-party products that are compatible with ISA Server, see http://www.isaserver.org and the Partners Web site at http://www.microsoft.com/isaserver/partners.
What Are Web Filters?
Web filters also extend the functionality of the firewall service in ISA Server by providing advanced filtering capability for HTTP packets as they pass through ISA Server.
Web filters are DLLs that are based on the Microsoft Internet Information Services (IIS)
Internet Server Application Programming Interface (ISAPI) model. The Web filters are
loaded by the Web proxy filter, which is an application filter. When a Web filter is
loaded, it passes information to the Web proxy filter that specifies the types of events
that the filter is configured to monitor. Each time one of those events occurs, the Web
filter is notified.
Web filters can be used to perform a number of different tasks, including the following:
■ Request scanning and modification. A Web filter can scan HTTP client requests and modify or add a header to a request. For example, you could use a Web filter to add a cookie header to the request, or remove a header sent by the client.
■ Response scanning and modification. Web filters can scan and modify the server responses. For example, during link translation, ISA Server substitutes the externally accessible server names for the internal names. The link translation filter included with ISA Server is a Web filter.
■ Block specific responses. Web filters can be used to block access to particular sites based on the content of the server response. These features can also be used to scan HTTP packets for viruses.
■ Traffic logging and analysis. Web filters can be used to log specific information about HTTP traffic and to create reports based on the logged information.
■ Data encryption or compression. Web filters can be used to apply custom data encryption or compression schemes to HTTP packets.
■ Custom authentication schemes. Outlook Web Access (OWA) forms-based authentication, RSA SecurID authentication, and Remote Authentication Dial-In User Service (RADIUS) authentication are all implemented as Web filters in ISA Server. Third-party vendors can use Web filters to implement additional authentication schemes.
See Also To view all the Web filters included with ISA Server 2004, open the ISA Server
Management Console, expand Configuration, and then click Add-ins. The Web filters are listed
on the Web Filters tab. You can enable or disable the Web filters from this interface but most
Web filters cannot be modified.
How the HTTP Web Filter Works
One of the more important Web filters included with ISA Server 2004 is the HTTP filter.
Many Internet applications now use HTTP to tunnel the application traffic. For example, Microsoft MSN Messenger uses HTTP as the application-layer protocol. The only
way to block these types of applications without blocking all HTTP traffic is to use
HTTP filtering.
HTTP filtering can be applied in two general scenarios:
■
Clients on an internal network accessing HTTP objects on another network
through ISA Server. This access is controlled by ISA Server access rules, to which
an HTTP policy can be applied using the HTTP filter.
■
Clients on the Internet accessing HTTP objects on a Web server that is published
through ISA Server. This access is controlled by ISA Server Web publishing rules,
to which an HTTP policy can be applied using the HTTP filter.
HTTP filtering is rule-specific, so that you can apply different levels and types of filtering depending on the specific requirements of your firewall policy. For example, you
can use HTTP filtering to block the use of a particular peer-to-peer file-sharing service
for one set of users, but allow it for another set, or you can allow Internet users to use
specific HTTP methods such as POST for one Web publishing rule, but deny the
method on another Web publishing rule. (Table 7-6, later in this chapter, lists HTTP 1.1
methods.)
Note HTTP filters can also filter HTTPS traffic in a Web publishing Secure Sockets Layer (SSL) bridging scenario. In this case, ISA Server decrypts the packet and inspects it before re-encrypting the packet. HTTP filters cannot filter HTTPS traffic in an SSL tunneling scenario. For more details about configuring SSL bridging and tunneling, see Chapter 8, “Implementing ISA Server Publishing.”
HTTP Filter Options
The HTTP filter can block HTTP requests based on the following options:
■ Length of request headers and payload. Limits the maximum HTTP header size and request body size for a client request.
■ Length of Uniform Resource Locator (URL). Limits the maximum URL size for client requests.
■ HTTP request method. Specifies the HTTP method, such as POST, GET, or HEAD, that will be blocked.
■ HTTP request file-name extension. Prevents the downloading of any content using HTTP based on file extensions such as .exe, .asp, or .dll.
■ HTTP request or response header. Specifies how server headers will be returned or forwarded when the server responds to the client. For example, the request or response header may be Location, Server, or Via.
■ Signature or pattern in the request or response headers or body. Controls HTTP access based on specific strings in the request or response header or body.
The HTTP filter is initially configured with defaults that help ensure secure HTTP
access. However, depending on the specific deployment scenario, these options
should be customized.
See Also To fully understand how the HTTP filter works, you must understand how HTTP works. For more information about HTTP, see Request for Comments (RFC) 2616: Hypertext Transfer Protocol HTTP/1.1, located at http://www.ietf.org/rfc/rfc2616.txt.
How to Configure an HTTP Web Filter
HTTP filters are applied on a per-rule basis. To configure the HTTP filters on a particular access rule or Web publishing rule, modify the HTTP policy for that rule.
Important The one exception to the per-rule application of the HTTP filter is the Maximum
headers length setting on the General tab of the Configure HTTP Policy For Rule dialog box.
This setting is applied to all rules globally, which means that if you change it in one rule, it is
changed in all rules.
Configuring HTTP Policy General Properties
To access the HTTP policy associated with a specific rule, right-click the rule in
ISA Server Management Console and select Configure HTTP, as shown in Figure 7-15.
Figure 7-15 Configuring the HTTP policy general properties
Table 7-5 describes the configuration options available on the General tab of an HTTP
policy.
Table 7-5 Configuring HTTP Policy General Properties

Setting: Request Headers, Maximum headers length (bytes)
Configuration options: Specify the maximum number of bytes that a request can have in its headers (URL and headers) before it is blocked.
Explanation: Reducing the allowed header size mitigates the risk of attacks that require complex and long headers, such as buffer overflow attacks and some denial-of-service attacks. If you set the maximum header length too low, it could break some legitimate applications that use long headers.

Setting: Request Payload, Allow any payload length
Configuration options: To block requests exceeding a specified maximum payload length, clear the Allow Any Payload Length (Bytes) check box. Then, in Maximum Payload Length (Bytes), specify the maximum number of bytes.
Explanation: By limiting the request payload you can restrict the amount of data a user can POST to your Web site in a Web publishing scenario. To determine what limit to set, estimate the maximum size of a file that would constitute a legitimate POST based on your site usage and use that as the allowed payload length.

Setting: URL Protection, Maximum URL length (bytes)
Configuration options: Specify the maximum URL length allowed.
Explanation: Use this option to limit the length of URLs used in a request. You may want to limit the URL length if you learn of an attack based on a long URL string. By default the maximum query length is set to 10240.

Setting: URL Protection, Maximum query length (bytes)
Configuration options: Specify the maximum query length allowed in a request.
Explanation: The query is the part of a URL that follows “?”. You may want to limit the query length if you learn of an attack based on a long query string. By default the maximum query length is set to 10240.

Setting: URL Protection, Verify normalization
Configuration options: Use this to block requests with URLs containing escaped characters after normalization.
Explanation: Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent symbol (%) followed by a particular number. For example, %20 corresponds to a space. Normalization is the process of decoding URL-encoded requests. Because the percent symbol (%) itself can be URL-encoded, an attacker can submit a URL request to a server that is double-encoded. When you select Verify Normalization, the HTTP filter normalizes the URL twice. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request.

Setting: URL Protection, Block high-bit characters
Configuration options: Specify that URLs with high-bit characters will be blocked.
Explanation: When you select Block high-bit characters, URLs that contain double-byte character sets (DBCS) or Latin 1 characters will be blocked. These are typically characters from languages that require more than 8 bits to represent the characters of the language, and therefore use 16 bits.

Setting: Executables, Block responses containing Windows executable content
Configuration options: Specify that responses containing Windows executable content are to be blocked.
Explanation: This option blocks all Windows executable content (responses that begin with MZ). In most cases, it is recommended to use file extensions to block specific types of files.
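The URL Protection and Executables rows above describe checks that are easy to reason about in code. The following Python example is added here (it is not the book's or ISA Server's code) and applies those checks to a request URL: the length limits with the 10240-byte defaults from the table, the double-normalization test, the high-bit character test, and the MZ check on a response body. Treating any character above 0x7F as high-bit, and measuring lengths in UTF-8 bytes, are assumptions of the example.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_MAX_URL_LENGTH = 10240     # defaults quoted in Table 7-5
DEFAULT_MAX_QUERY_LENGTH = 10240


def verify_normalization(url):
    """Normalize (percent-decode) twice. If the second pass changes the URL,
    the client sent a double-encoded URL and the request is rejected."""
    first_pass = unquote(url)
    second_pass = unquote(first_pass)
    return first_pass == second_pass


def has_high_bit_characters(url):
    # Assumption: any character outside 7-bit ASCII counts as high-bit.
    return any(ord(ch) > 0x7F for ch in url)


def check_url_protection(url, max_url_length=DEFAULT_MAX_URL_LENGTH,
                         max_query_length=DEFAULT_MAX_QUERY_LENGTH,
                         verify_norm=True, block_high_bit=True):
    """Return the list of URL Protection settings the request violates;
    an empty list means the request passes this part of the HTTP policy."""
    violations = []
    if len(url.encode("utf-8")) > max_url_length:
        violations.append("URL length")
    query = urlsplit(url).query           # the part of the URL after '?'
    if len(query.encode("utf-8")) > max_query_length:
        violations.append("query length")
    if verify_norm and not verify_normalization(url):
        violations.append("normalization")
    if block_high_bit and has_high_bit_characters(url):
        violations.append("high-bit characters")
    return violations


def is_windows_executable(response_body):
    """The Executables option blocks responses that begin with 'MZ',
    the two bytes at the start of every Windows executable image."""
    return response_body[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    for sample in ("http://server/path/hello%20world?id=7",
                   "http://server/cgi/%2541",      # %25 decodes to %, then %41 to A
                   "http://server/caf\u00e9"):
        print(sample, "->", check_url_protection(sample) or "pass")
```

Note that the normalization check also rejects a legitimate URL that carries an encoded percent sign followed by two hex digits (for example a literal "%20" that a client encoded as "%2520"), because the second decode changes it; that is the functionality cost to weigh before enabling Verify Normalization on a rule.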
How to Configure HTTP Web Filter Methods
HTTP methods (also known as HTTP verbs) are instructions sent in a request message
that notify an HTTP server of the action to perform on the specified resource. For
example, “GET” specifies that a resource is being retrieved from the server. Table 7-6
lists the HTTP 1.1 methods defined in RFC 2616.
Table 7-6 HTTP 1.1 Methods
Method | Description
GET | Retrieves the specified Uniform Resource Identifier (URI).
HEAD | Retrieves only the header of the specified URI.
POST | Asks the server to accept the enclosed information, such as a bulletin board message or form data.
PUT | Asks the server to accept the enclosed information as the specified URI.
DELETE | Asks the server to delete the specified URI.
TRACE | Asks the server to return the request message (used for diagnostics).
CONNECT | Reserved for requesting a proxy tunnel.
To configure HTTP methods, follow this procedure.
1. To access the HTTP policy associated with a specific rule, right-click the rule in
ISA Server Management Console and select Configure HTTP.
2. To modify the HTTP methods settings on the HTTP policy, click the Methods tab,
as shown in Figure 7-16.
Figure 7-16 Configuring the HTTP methods
3. In Specify The Action Taken For HTTP Methods, select one of the following options:
❑ Allow All Methods—No blocking according to method will be applied.
❑ Allow Selected Methods—All requests will be blocked except those with the specified methods.
❑ Block Specified Methods (Allow All Others)—All requests will be allowed except those with methods specified in the list.
4. If you have selected either of the last two options, click Add to add a method to
the list.
5. When you click Add, the Method dialog box opens, as shown in Figure 7-17. Provide the method (case-sensitive) and a description, and then click OK.
Figure 7-17 Configuring a specific HTTP method
An example of blocking by method would be to block POST so that internal clients
cannot post data to an external Web page. This is useful in a secure network scenario
where you want to prevent sensitive information from being posted on a Web site. This
can also be useful in Web publishing, to prevent attackers from posting malicious
material to your Web site.
How to Configure HTTP Web Filter Extensions
You can configure ISA Server to allow or deny HTTP downloads based on file extensions. When the HTTP filter is configured in this way, it analyzes each HTTP request to
see if the request includes a configured extension. ISA Server considers an extension to
be any character or characters that fall after the last period (.) of a URL and that end
with a slash (/) or question mark (?) or the end of the URL if there is no slash or question mark.
In addition, if ISA Server identifies characters following a period that seem to be an
extension (for example, .exe, .dll, or .com), the HTTP filter uses those as the extension.
If there are multiple entries that appear to be extensions, ISA Server evaluates only the
first extension.
Table 7-7 lists some examples of client requests and how ISA Server evaluates the
extensions.
Table 7-7 How ISA Server Evaluates Extensions
Client Request | Extension
http://server/path/file.ext | .ext
http://server/path/file.htm/additional/path/info.asp | .asp
http://server/Path.exe/file.ext | .exe
In the last example listed in the table, if the HTTP filter allows .exe extensions, the
request will be allowed (even if the filter does not allow .ext extensions). To work
around this issue, configure a signature setting that denies the .ext signature in the URL.
To specify file extensions, follow this procedure:
1. To access the HTTP policy associated with a specific rule, right-click the rule in
ISA Server Management Console and select Configure HTTP.
2. To modify the HTTP extensions settings on the HTTP policy, click the Extensions
tab, as shown in Figure 7-18.
Figure 7-18 Configuring the HTTP extensions
3. In Specify The Action Taken For File Extensions, select one of the following
options:
❑ Allow All Extensions—No blocking according to requested file extensions will be applied.
❑ Allow Selected Extensions—All requests will be blocked except those with specified requested file extensions.
❑ Block Specified Extensions (Allow All Others)—All requests will be allowed except those with requested file extensions specified in the list.
4. Click Add to add an extension to the list.
5. When you click Add, the Extension dialog box opens, as shown in Figure 7-19. Provide the extension (which is case-sensitive) and a description, and then click OK.
Figure 7-19 Configuring a specific HTTP extension
6. Select Block Requests Containing Ambiguous Extensions if you want to block content when ISA Server cannot determine the extension.
A typical use of extension blocking is to block executable files such as .exe, .bat, or .cmd files. Another example is to use extension blocking to prevent worm attacks. For example, the Code Red worm sent requests that began with “GET http://<ipaddress>/default.ida?”, so you could stop the worm from entering the network by blocking the .ida extension. You can also use file extensions to enforce organizational policies that restrict the types of data that can be downloaded.
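As an added example (not code from the book or from ISA Server), the following Python reproduces the evaluation rule behind Table 7-7 and the three Extensions tab actions, and shows why the lesson recommends a Request URL signature to catch .ext in the table's last row. The set of "known" extensions is assumed from the lesson's own list (.exe, .dll, .com), and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Options on the Extensions tab, named as ISA Server Management Console shows them.
ALLOW_ALL = "Allow All Extensions"
ALLOW_SELECTED = "Allow Selected Extensions"
BLOCK_SPECIFIED = "Block Specified Extensions (Allow All Others)"

# "Known" extensions honoured even when a slash follows them (assumed from the lesson's examples).
KNOWN_EXTENSIONS = {".exe", ".dll", ".com"}


def _extension_of(segment):
    """Trailing '.xyz' of one path segment, or None ('.' and '..' do not count)."""
    m = re.search(r"\.[^./]+$", segment)
    return m.group(0) if m else None


def requested_extension(url):
    """Extension ISA Server evaluates for a request, reproducing Table 7-7.

    A known extension followed by a slash wins, and only the first one found is used;
    otherwise the extension of the final path segment is used. None means the request
    carries no extension, which the filter treats as ambiguous.
    """
    segments = urlsplit(url).path.split("/")
    for segment in segments[:-1]:          # every segment here is followed by "/"
        ext = _extension_of(segment)
        if ext and ext.lower() in KNOWN_EXTENSIONS:
            return ext
    return _extension_of(segments[-1])


def extension_allowed(url, action, extensions=frozenset(), block_ambiguous=False):
    """Apply the selected Extensions tab action. Comparison is case-sensitive, as the lesson notes."""
    ext = requested_extension(url)
    if ext is None:
        return not block_ambiguous       # "Block Requests Containing Ambiguous Extensions"
    if action == ALLOW_ALL:
        return True
    if action == ALLOW_SELECTED:
        return ext in extensions
    if action == BLOCK_SPECIFIED:
        return ext not in extensions
    raise ValueError(f"unknown action: {action!r}")


def url_signature_blocks(url, signatures):
    """The lesson's workaround: a Request URL signature matches anywhere in the URL,
    so '.ext' is caught even when the evaluated extension is '.exe'."""
    return any(sig in url for sig in signatures)


def decide(url, action, extensions=frozenset(), url_signatures=(), block_ambiguous=False):
    """Combine both checks; returns "allow" or a "deny: ..." reason."""
    if url_signature_blocks(url, url_signatures):
        return "deny: URL signature"
    if not extension_allowed(url, action, extensions, block_ambiguous):
        ext = requested_extension(url)
        return "deny: ambiguous extension" if ext is None else f"deny: extension {ext}"
    return "allow"
```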
How to Configure HTTP Web Filter Headers
When a client sends a request to a Web server, or when the server responds, the first part of the message is always the HTTP request line or status line.
■ The HTTP request from the client includes the client’s HTTP method (such as GET) as well as the URI that the client is requesting and the protocol version.
■ The server HTTP response contains the protocol version followed by a numeric status code and its associated textual phrase. For example, if the server responds with a 2xx code, the server is indicating that the request was successfully received, understood, and accepted. A 4xx code is a client error that indicates that the request contains bad syntax or cannot be fulfilled.
After the request line or status line, the client or server sends the HTTP headers. The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. Headers contain information about the client, including browser and operating system data, authorization information, and the format types that the client supports for the server response. The client can also use the User-Agent header to indicate the specific application that is making the request. You can use this header information to block HTTP packets.
To configure how the HTTP filter will manage headers, follow this procedure:
1. To access the HTTP policy associated with a specific rule, right-click the rule in
ISA Server Management Console and select Configure HTTP.
2. To modify the HTTP headers settings on the HTTP policy, click the Headers tab,
as shown in Figure 7-20.
Figure 7-20 Configuring the HTTP headers
3. In Headers, list the headers that will be blocked. Click Add to add a header to the
list. When you click Add, the Header dialog box opens. Specify whether the
response or request header will be checked, provide the header, and then click
OK.
4. In Server Header, specify how the server header will be returned in the response. The server header is a response header that contains information such as the name of the server application and software version information, for example, Server: Microsoft-IIS/6.0. The possible settings are the following:
❑ Send Original Header—The original header will be returned in the response.
❑ Strip Header From Response—No header will be returned in the response.
❑ Modify—A modified header will be returned in the response. If you select this option, in Change To, type the value that will appear in the response.
5. In Via Header, specify how the Via header will be forwarded in the request or returned in the response. Via headers provide a way for proxy servers in the path of a request to ensure that they are also included in the path of the response. Each server along the request’s path can add its own Via header. Each sender along the response path removes its own Via header and forwards the response to the server specified in the next Via header on the stack. For example, you can use this feature to avoid disclosing the name of your computer running ISA Server in a response. The possible settings are:
❑ Send Default—The default header will be used.
❑ Modify Header In Request And Response—The Via header will be replaced with a modified header. If you select this option, in the Change To box, type the header that will appear instead of the Via header.
How to Configure HTTP Web Filter Signatures
An HTTP signature can be any string of characters in the HTTP header or body. To
block an application based on signatures, you must identify the specific patterns the
application uses in request headers, response headers, and body, and then modify the
HTTP policy to block packets based on that string.
One of the difficulties in configuring the HTTP policy to block packets based on the
signature is ensuring that the signature contains the specific information you need to
block the chosen HTTP packet while not blocking other packets. For example, if you
create an HTTP policy to block the word “Mozilla,” you would block most Web
browsers as well as other applications. This is because most Web browsers are
Mozilla-compatible and include this term in HTTP headers. In most cases, you should
use a more application-specific string. For example, to block MSN Messenger, configure the rule to block User-Agent: MSN Messenger in the request header.
To configure how the HTTP filter will manage signatures, follow this procedure:
1. To access the HTTP policy associated with a specific rule, right-click the rule in
ISA Server Management Console and select Configure HTTP.
2. To modify the HTTP signatures settings on the HTTP policy, click the Signatures
tab as shown in Figure 7-21. The Signatures tab shows the signatures that will be
blocked.
Figure 7-21 Configuring the HTTP policy signatures
3. Click Add to add a signature to the list as shown in Figure 7-22. In the Signature
dialog box, in the Name text box, type a name for the signature search.
Figure 7-22 Configuring a specific HTTP signature
4. Under Signature search criteria, in the Search In drop-down list, select the part of
the client request or server response you want the Web filter to search. Then, in
the Signature text box, type the string that you want to filter.
5. When you have added signatures to the list on the Signatures tab, you can enable
or disable specific signatures using the check boxes next to the signature names.
Note When you configure the HTTP policy to search the HTTP request body or response
body, you can also specify how much of the body will be scanned for the signature and what
format to use when scanning. By default, the filter will scan only the first 100 bytes of the
request or response body. Increasing this number can negatively affect the server performance. You can also specify whether to search using text or binary format.
You can use HTTP signatures to block access to specific applications or to specific content. For example, if you configure the policy to block User-Agent: MSN Messenger in
the request header, users will not be able to use MSN Messenger through the firewall.
You can also block access to sites that might contain malicious code if you are aware
of common malicious code. For example, a Web page containing <iframe src="?"/>
will cause Internet Explorer to use up central processing unit (CPU) resources in an
infinitely nested iframe element. To prevent access to Web pages containing this code,
use a signature that searches in the response body for the text <iframe src="?"/>.
HTTP signature filtering assumes that all HTTP requests and responses are encoded in UTF-8 (8-bit Unicode Transformation Format, a transformation of the Unicode character encoding). If a different encoding scheme is used, signature blocking cannot be performed.
Table 7-8 shows some of the signatures used by common HTTP-based applications.
Tip
If you do not know the application signature for an application that you want to block,
you can use a network sniffer, such as Network Monitor, to capture the traffic between the
application client and a server. Then you can analyze the traffic to determine which signature
you should block.
Table 7-8 Application Signatures for Common Applications

Application                                      Search In           HTTP Header        Signature
MSN Messenger                                    Request headers     User-Agent:        MSN Messenger
Windows Messenger                                Request headers     User-Agent:        MSMSGS
Netscape 7                                       Request headers     User-Agent:        Netscape/7
Netscape 6                                       Request headers     User-Agent:        Netscape/6
AOL Messenger (and all Gecko browsers)           Request headers     User-Agent:        Gecko/
Yahoo Messenger                                  Request headers     Host:              msg.yahoo.com
Kazaa                                            Request headers     P2P-Agent:         Kazaa
                                                                     Kazaaclient:       Kazaa
Kazaa                                            Request headers     User-Agent:        KazaaClient
Kazaa                                            Request headers     X-Kazaa-Network:   KaZaA
Gnutella                                         Request headers     User-Agent:        Gnutella
                                                                                        Gnucleus
Edonkey                                          Request headers     User-Agent:        e2dk
Internet Explorer 6.0                            Request headers     User-Agent:        MSIE 6.0
Morpheus                                         Response header     Server:            Morpheus
Bearshare                                        Response header     Server:            Bearshare
BitTorrent                                       Request headers     User-Agent:        BitTorrent
Simple Object Access Protocol (SOAP) over HTTP   Request headers,    User-Agent:        SOAPAction
                                                 Response headers
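The signature matching described in this section and the header handling described under How to Configure HTTP Web Filter Headers, as an added example that is not the book's or the product's code: a small Python model of the HTTP policy that runs Table 7-8 style signatures over constructed sample messages, honours the 100-byte body scan default from the Note, and applies the Headers tab block list and the Server and Via header settings. The messages, host names and function names are constructed for illustration, and matching is modelled as a case-sensitive substring search.

```python
from dataclasses import dataclass

# Constructed sample messages (not captured traffic), CRLF-delimited like the wire format.
MSN_REQUEST = (
    "GET http://messenger.example.test/gateway HTTP/1.1\r\n"
    "Host: messenger.example.test\r\n"
    "User-Agent: MSN Messenger\r\n\r\n"
)
IE_REQUEST = (
    "GET http://www.example.test/ HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
)
KAZAA_REQUEST = (
    "GET http://peer.example.test/ HTTP/1.1\r\n"
    "Host: peer.example.test\r\n"
    "X-Kazaa-Network: KaZaA\r\n\r\n"
)
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Via: 1.1 ISA1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>" + "<p>constructed filler text</p>" * 5   # pushes the iframe past byte 100
    + '<iframe src="?"/></body></html>'
)


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_value(headers, name):
    """Header names are case-insensitive; the first match wins."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


@dataclass
class Signature:
    name: str
    search_in: str             # Request headers | Response headers | Request URL | Request body | Response body
    text: str                  # the string typed into the Signature box
    header: str = ""           # HTTP header to inspect (only for the "... headers" search types)
    max_body_bytes: int = 100  # scan depth; 100 bytes is the default the lesson's Note gives


def signature_matches(sig, raw, is_request):
    """Case-sensitive substring search in the part of the message that Search In names."""
    kind, _, where = sig.search_in.partition(" ")
    if kind != ("Request" if is_request else "Response"):
        return False           # a response signature never applies to a request, and vice versa
    start, headers, body = parse_message(raw)
    if where == "headers":
        value = header_value(headers, sig.header)
        return value is not None and sig.text in value
    if where == "URL":
        parts = start.split(" ")
        return len(parts) > 1 and sig.text in parts[1]
    if where == "body":
        # Only the first max_body_bytes are inspected, and the body is assumed to be UTF-8.
        window = body.encode("utf-8")[: sig.max_body_bytes].decode("utf-8", "ignore")
        return sig.text in window
    raise ValueError(f"unknown Search In value: {sig.search_in!r}")


def blocked_header(raw, blocked_names):
    """Headers tab: return the first listed header the message carries, or None."""
    wanted = {b.lower() for b in blocked_names}
    _, headers, _ = parse_message(raw)
    for n, _ in headers:
        if n.lower() in wanted:
            return n
    return None


def rewrite_response_headers(raw, server_action="send", server_change_to="",
                             via_change_to=None):
    """Server Header setting: "send" (original), "strip", or "modify" (use server_change_to).
    Via Header setting: None keeps the default; a string replaces the Via value."""
    start, headers, body = parse_message(raw)
    kept = []
    for n, v in headers:
        if n.lower() == "server":
            if server_action == "strip":
                continue
            if server_action == "modify":
                v = server_change_to
        elif n.lower() == "via" and via_change_to is not None:
            v = via_change_to
        kept.append(f"{n}: {v}")
    return "\r\n".join([start] + kept) + "\r\n\r\n" + body
```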
See Also For more information about configuring HTTP filtering in ISA Server 2004, see the HTTP Filtering in ISA Server 2004 article at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx. This article includes excellent information on best practices for configuring HTTP filtering and includes an XML file that can be imported into ISA Server to configure the HTTP filter based on the best practices.
Practice: Configuring an HTTP Web Filter
In this practice, you will test the default HTTP filtering policy on the computer running
ISA Server. Then you will modify the HTTP filter configuration in several ways and
then test the results.
Note
In this practice, you are working with the HTTP Web Filter for an outbound Internet
access rule. You can apply the same HTTP policies to inbound Web access after you configure
a Web publishing rule.
Exercise 1: Testing HTTP Connections with the Default HTTP Filter
1. On CLIENT1, open Internet Explorer and, in the Address box, type http://www.microsoft.com/abc and then press ENTER. The Microsoft Web server response indicates that there is no Microsoft.com Web page matching your request. HTTP Filtering allowed the request, and the error message was returned from the Microsoft Web server because the requested object does not exist.
2. In Internet Explorer, in the Address box, type http://www.microsoft.com/%252e and then press ENTER. The HTTP request that you typed contains a double-encoded hexadecimal representation, which is often used in Unicode canonicalization attacks. Again, the HTTP filter did not block the request.
Tip
The HTTP policy that is assigned by default to a Web publishing rule blocks this type of
request, but it is not blocked on Internet access rules.
3. In Internet Explorer, in the Address box, type http://www.microsoft.com/scripts/root.exe?/dir+c and then press ENTER. The Microsoft Web server response indicates that there is no Microsoft.com Web page matching your request.
Exercise 2: Configuring the HTTP Filter Settings
1. On ISA1, open ISA Server Management Console. Click Firewall Policy.
2. Right-click Web Access Only and click Configure HTTP.
3. On the General tab, click Verify Normalization. This option will block the double-encoded request (http://www.microsoft.com/%252e).
4. On the Extensions tab, click Block Specified Extensions (Allow All Others) in the
Specify The Action Taken For File Extension drop-down list.
5. Click Add. In the Extension dialog box, in the Extension text box, type .exe. Click
OK.
6. On the Signatures tab, click Add. In the Signature dialog box, fill in the following information and then click OK.
❑ Name: Block ABC
❑ Search In: Request URL
❑ Signature: abc
7. Click OK and then click Apply to apply the changes.
Exercise 3: Testing HTTP Connections with the Modified HTTP Filter
1. On CLIENT1, open Internet Explorer and, in the Address box, type http://
www.microsoft.com/abc and then press ENTER. Internet Explorer displays an
error message from ISA Server. HTTP filtering blocked the request and returned an
error that indicates that the attempt was blocked by the HTTP filter.
2. In Internet Explorer, in the Address box, type http://www.microsoft.com/%252e
and then press ENTER. The HTTP filter blocked the request and returned an internal
server error that indicates that the attempt was blocked by the HTTP Security filter.
3. In Internet Explorer, in the Address box, type http://www.microsoft.com/
scripts/root.exe?/dir+c and then press ENTER. Again, the HTTP filter blocked
the request because of the .exe file extension in the request header.
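An added example, not part of the book's practice, that models the three settings made in Exercise 2 in Python and applies them to the three requests typed in Exercise 3, so you can see which setting blocks which request. The exact semantics of Verify Normalization are an assumption here (decode the URL once and reject it if an escape sequence remains), as is the order in which the three checks run; the function names are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# The three requests typed in Exercises 1 and 3 of the practice.
PRACTICE_URLS = [
    "http://www.microsoft.com/abc",
    "http://www.microsoft.com/%252e",
    "http://www.microsoft.com/scripts/root.exe?/dir+c",
]

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_chain(url):
    """Successive single decodings until the URL stops changing, for example
    .../%252e -> .../%2e -> .../.  A chain longer than two entries means the
    original was encoded more than once. Each step shortens the string, so it terminates."""
    chain = [url]
    while True:
        nxt = unquote(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def fails_normalization(url):
    """Verify Normalization, modelled (assumption about the exact ISA semantics) as:
    decode once, then reject if an escape sequence is still present. A literal
    percent sign encoded as %25 and followed by two hex digits would also trip this."""
    return ESCAPE.search(unquote(url)) is not None


def evaluate_exercise2_policy(url, blocked_extensions=frozenset({".exe"}),
                              url_signatures=("abc",)):
    """Apply the three Exercise 2 settings (assumed order: normalization, extension,
    URL signature) and return a 'blocked: ...' reason, or None when the request passes."""
    if fails_normalization(url):
        return "blocked: URL fails normalization (double-encoded)"
    path = urlsplit(url).path
    ext = re.search(r"\.[^./]+$", path)     # extension of the last path segment only
    if ext and ext.group(0) in blocked_extensions:
        return f"blocked: extension {ext.group(0)}"
    for sig in url_signatures:
        if sig in url:
            return f"blocked: URL signature {sig!r}"
    return None
```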
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
these questions in the “Questions and Answers” section at the end of this chapter.
1. You are the ISA Server 2004 administrator for your organization. You create a Web
publishing rule to allow access to your Web site. You want to ensure that no one
from the external network can post any content or create any unauthorized links
to other pages. You want to configure this on the ISA Server that you used to publish the Web site. What must you do?
2. You have deployed ISA Server and are using it as a proxy server for all client connections to the Internet. All users are allowed to use HTTP, HTTPS, and FTP to
access the Internet. You review the firewall logs on the computer running ISA
Server and notice that some users are accessing Web sites that contain information
that is not acceptable under the organization’s security policy. You need to block
the user access to these Web sites based on the URL that the users type into Internet Explorer. How can you do this?
a. Configure the HTTP policy to block access based on signatures.
b. Configure the HTTP policy to block access based on methods.
c. Configure the HTTP policy to block access based on headers.
d. Configure the HTTP policy to block access based on extensions.
3. You use the Edge Firewall network template to configure Internet Access for your
internal users. You used the template to enable HTTP, HTTPS, and FTP access to
the Internet. Your users need to place files on an FTP server at a partner FTP site.
Now your users report that they are unable to put files on the FTP server. What
must you do to correct the problem?
Lesson Summary
■ Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server. ISA Server application filters can be used to implement various types of functionality on ISA Server.
■ Web filters extend the functionality of the firewall service in ISA Server by providing advanced filtering capability for HTTP packets as they pass through ISA Server.
■ One of the most important Web filters included with ISA Server 2004 is the HTTP filter. Many Internet applications now use HTTP to tunnel the application traffic. The only way to block these types of applications without blocking all HTTP traffic is to use HTTP filtering.
■ HTTP filters are applied on a per-rule basis. To configure the HTTP filters on a particular access rule or Web publishing rule, you must modify the HTTP policy for that rule.
Case Scenario Exercise
In this exercise, you will plan an ISA Server configuration for a fictitious organization.
Read the scenario and then answer the question that follows. If you have difficulty
completing this work, review the material in this chapter before beginning the next
chapter. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
Scenario 1
You are the ISA Server administrator for your organization. You need to set up ISA
Server 2004 to protect your network from unwanted traffic and you want to deal with
any attacks from the Internet in a proactive manner. You also need to publish a public
Web site. You have only one IP address that you can use that is routable on the Internet. Your ISP hosts the Internet DNS records for your domain. Your internal clients use
your corporate DNS server on the internal network to resolve all queries. Your organization’s security policy states the following:
■ Authenticated Users are allowed access to the Internet using HTTP and HTTPS and FTP only.
■ No peer-to-peer file-sharing applications are allowed to run on your network.
■ Only members of the Administrators group should be able to download executable files from the Internet.
■ The Web server that is accessible from the Internet must be isolated from the internal network.
■ No one must be able to post objects to your Web server from the Internet.
Scenario 1 Question
1. How will you configure ISA Server 2004 to meet the security requirements?
Troubleshooting Lab
In this lab, you will troubleshoot an HTTP Web filter problem. The new security policy
in your organization prohibits the use of MSN Messenger and Windows Messenger
from your internal network to the Internet. You need to block the use of these applications on your firewall.
Exercise 1: Testing Internet Access Using MSN Messenger
1. On CLIENT1, start MSN Messenger or Windows Messenger from the Start menu.
2. Log on using your account. Ensure that you can access the Internet using MSN
Messenger or Windows Messenger.
Exercise 2: Configuring the HTTP Web Filter to Block an Application
1. On ISA1, start ISA Server Management Console. Click Firewall Policy.
2. Right-click the Web Access Only access rule and click Configure HTTP.
3. In the Configure HTTP Policy For Rule dialog box, click the Signature tab. Click
Add.
4. In the Name text box, type Block MSN Messenger.
5. From the Search In list, click Request Headers.
6. In the HTTP header box, type User-Agent.
7. In the Signature box, type MSN Messenger.
8. Click Add again.
9. In the Name text box, type Block Windows Messenger.
10. From the Search In list, click Request Headers.
11. In the HTTP header box, type User-Agent.
12. In the Signature box, type MSMSGS.
13. Click OK to close the Signature box and then click OK to close the Configure
HTTP Policy For Rule dialog box.
14. Click Apply to apply the changes.
Exercise 3: Testing the HTTP Web Filter Signature Block
1. On CLIENT1, try to access the Internet using MSN Messenger or Windows Messenger.
2. Confirm that you cannot access the Internet using these applications.
Chapter Summary
■ Firewalls are used to limit network traffic from one network to another. Firewalls use packet filters, stateful filters, application filters, and intrusion detection to distinguish between network traffic that should be allowed and network traffic that should be blocked.
■ ISA Server 2004 supports multi-networking, which means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. ISA Server comes preconfigured with the following networks: Local Host, External, Internal, VPN Clients, and Quarantined VPN Clients. Network rules determine whether there is a relationship between two network entities and whether the relationship is a route or a network address translation (NAT) relationship.
■ A perimeter network is a network that you set up separately from an internal network and the Internet. There are three general types of network perimeter configurations: bastion host, three-legged configuration, and back-to-back configuration. The network templates included with ISA Server 2004 include preconfigured networks and network sets, network rules, access rule elements, and access rules. The templates are designed to simplify the process of configuring ISA Server.
■ The purpose of intrusion detection is to detect network attacks as early as possible to ensure that appropriate corrective actions can be taken. ISA Server provides intrusion detection for well-known IP attacks and also provides built-in application filters that detect DNS protocol and Post Office Protocol (POP) intrusions. IP preferences are used to configure how ISA Server will handle specific IP packets. You can configure the following IP preferences on ISA Server: IP Options, IP fragments, and IP Routing.
■ Application filters work with the firewall service in ISA Server to intercept and process network packets as they pass through ISA Server. ISA Server application filters can be used to implement various types of functionality on ISA Server. Web filters extend the functionality of the firewall service in ISA Server by providing advanced filtering capability for HTTP packets as they pass through ISA Server. One of the most important Web filters included with ISA Server 2004 is the HTTP filter. HTTP filters are applied on a per-rule basis. To configure the HTTP filters on a particular access rule or Web publishing rule, you must modify the HTTP policy for that rule.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ ISA Server does not support the direct configuration of a packet filter. To block all connection attempts from a specific host, or to allow a specific protocol from a particular host, you must configure an access rule.
■ Both access rules and network rules are processed by ISA Server before network traffic is passed through the firewall. Check the configuration of both types of rules when troubleshooting network access.
■ ISA Server network templates simplify the configuration of the ISA Server settings. However, the templates also enable only outbound access and have a limited set of configuration options. You should have a clear idea what each template does so that you can troubleshoot any problems with the template.
■ Blocking IP fragments is an example of a configuration option that may provide some additional security but at the cost of some functionality. If users cannot use a streaming media application, one of the possible explanations is that IP fragments are being blocked. By default, IP fragment blocking is not enabled on ISA Server.
■ HTTP Web filter rules are applied on a per-rule basis. Just because you have configured filtering on one rule does not mean that filtering is applied to all rules. If you have multiple rules that grant access to the Internet, you need to configure the filter for all the rules.
Key Terms
intrusion detection: A means to detect when an attack is attempted or in progress against a network. If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion.
network rule: Defines how network packets will be passed between networks. Network rules determine whether there is a relationship between two network entities and what type of relationship is defined.
network template: A set of ISA Server configuration options that define networks and network sets, network rules, access rule elements, and access rules.
packet filtering: Filters network packets by inspecting and allowing or denying the IP packets based on information in the IP packet network layer header.
perimeter network: A network that is separated from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network while preventing direct access to the internal network.
stateful filtering: Filters network packets by using information about the TCP session to determine if a packet should be blocked or allowed through the firewall.
Web filters: Extend the functionality of the firewall service in ISA Server by providing advanced filtering capability for HTTP packets as they pass through ISA Server.
Questions and Answers
Lesson 1 Review (page 7-10)
1. You are the ISA Server administrator of your organization. You have deployed ISA
Server 2004 as the firewall and configured it so that the users have unrestricted
access to the Internet. You suspect that some of your users have installed a peer-to-peer file sharing application, which is not an approved application. The application uses a custom protocol and port number to communicate with other computers. You need to ensure that traffic from that application is not allowed into
your network from the Internet. What is the easiest way for you to accomplish
this?
a. Create a packet filter to block the port used by the application.
b. Do nothing. The traffic is blocked by default.
c. Configure an application filter to block the traffic.
d. Create an access rule to block the port used by the application.
D is correct. You can block the application by creating an access rule to block the port used by
the application. A is incorrect because you cannot specifically create packet filters in ISA
Server 2004. B is incorrect because, if the application is already installed, the request is coming from an internal user and stateful filtering will allow the connection. C may be possible if you
have an application filter that blocks the protocol used by the application, but just blocking the
port is easier in this scenario.
2. How does application filtering protect the internal network?
a. By blocking IP fragments
b. By inspecting the data in a packet for unacceptable commands and data
c. By blocking connections to particular ports
d. By allowing or disallowing traffic based on connection rules
B is correct. The advantage of using an application filter is that it can inspect the data in an IP
packet. A and C are incorrect because application filters do not block IP fragments or ports.
D is incorrect because connection rules track session status.
3. What feature of ISA Server prevents IP addresses that logically appear on the Internal network from entering your network through the external interface?
a. Egress filtering
b. Ingress filtering
c. Application-layer filtering
d. Stateful filtering
B is correct. Ingress filtering blocks all packets on the external interface that have a source
address that is logically on the Internal network. Egress filtering is the opposite of ingress
filtering—it blocks packets on the Internal interface that have a source address which is logically on the external network. Application-layer filtering filters traffic based on application data,
while stateful filtering filters traffic based on its state in the context of previous network packets.
Lesson 2 Review (page 7-22)
1. The research department in your organization has unique network access requirements. All the computers used by the department users are on a separate subnet
that must be isolated from the production environment. The users need unrestricted Internet access. What should you do to facilitate that?
Create a new internal network that is defined by the range of IP addresses for the research
department subnet. Then define a network rule between the research department network and
the Internet and define an access rule that allows full access to the Internet from the research
department network.
2. You have configured four different internal networks on your ISA Server. Each network represents a different department in your organization. The different departments have some unique Internet access rule requirements, but you also want
some of the access rules to be the same for all departments. What is the easiest
way to accomplish this?
Create a network set that includes the four network objects. Then configure the common
access rules and assign them to the network set. Configure the unique access rules for each
department and assign them to the department network. Ensure that the access rules for the
department networks are listed before the access rules that apply to the network set.
3. All users in your organization require access to the Internet from their desktop
computers. From their desktop computers, the users should be able to use any protocol to access the Internet. However, when the users are using one of the publicly
accessible computers located in the office lobby, they should be able to use only
HTTP to access the Internet. What are two possible ways to configure this?
a. Configure a network that includes the internal network and the publicly accessible computers. Enable only HTTP access to the Internet from that network.
b. Configure a computer set that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that computer set.
c. Configure a domain name set that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that computer set.
d. Configure a new network that includes the publicly accessible computers.
Enable only HTTP access to the Internet from that network.
B and D are correct. You can group all the publicly accessible computers by creating a computer
set or network that includes all the computers. After you have grouped the computers, you can
apply an access rule to those computers. A network object that includes both internal and the
publicly accessible computers would apply the rule to both groups of computers. A domain
name set can only be used to define what Web sites can be accessed.
Lesson 3 Review (page 7-35)
1. You are the network administrator of a small company. Your company does not
publish any servers to the Internet and your ISP handles all Internet services for
your organization. You need to enable Internet access for your internal users using
only HTTP and HTTPS. What network template and policy would work best for
you?
Because your company does not publish servers, there is no need for a perimeter network. The
Edge Firewall template, with the Block Internet Access, Allow Access To Internet Service Provider Network Services policy, would be the best choice because it allows DNS traffic through
to your ISP. Then create an access rule to allow HTTP and HTTPS traffic from the Internal network. Any other policies also allow FTP access or unrestricted access.
2. You use a third-party firewall solution as your Internet-edge firewall. You have
installed ISA Server 2004 and you are using it just to take advantage of the caching
capabilities. What network template will you choose?
a. Front Firewall
b. Bastion Host
c. Edge Firewall
d. Single Network Adapter
D is correct. If you only want caching functionality then the Single Network Adapter template will
apply the Allow Web Proxy and Caching policy. Then you must configure your clients to be Web
Proxy clients. All the other deployment scenarios listed as possible answers are used to provide firewall functionality, not just caching.
3. Your organization is designing a new perimeter network configuration. The organization is planning on deploying several Web servers and other application servers
that need to be accessible from the Internet. At the same time, the organization
requires that these servers be isolated from the internal network so that only
selected traffic can pass from the publicly accessible servers to the internal network.
The company must implement the most secure solution possible. What perimeter
network configuration should the organization implement?
a. Configure a bastion host firewall.
b. Configure a three-leg perimeter network.
c. Configure a back-to-back perimeter network with two firewalls from the same
vendor.
d. Configure a back-to-back perimeter network with two firewalls from different
vendors.
D is correct. A back-to-back firewall configuration with firewalls from two different vendors is the
most secure configuration. Even if attackers get past one firewall, they will need to use a different attack to bypass the second firewall. Both the bastion host and a three-leg perimeter use
a single firewall, which is less secure than multiple firewalls. In addition, the bastion host configuration does not provide any isolation between the publicly accessible servers and the internal network.
Page 7-44
Lesson 4 Review
1. Your organization has just deployed an ISA Server computer as a firewall. The
security policy for your organization requires that all settings on the ISA Server
computer be configured as securely as possible. After you implement a secure
configuration, users report that they can no longer access a streaming media site.
Access to this site is critical for the company, so you must enable access to the site.
What security setting should you change to enable access to the site?
a. Enable IP routing
b. Disable all filtering based on IP options
c. Disable filtering of IP fragments
d. Disable filtering based on the source-routing IP options
C is correct. Streaming media frequently requires the use of IP fragments, so filtering all IP fragments may block access to streaming media content. Enabling or disabling IP routing will not
affect access to streaming media. Streaming media also does not require any IP options,
including the source-routing options.
2. You have configured intrusion detection to detect when the ISA Server interfaces
are being exposed to a port scan. You configure the alert to send an e-mail to your
account when the alert is triggered. You are now receiving a high number of
e-mails from the ISA Server computer. You want to reduce the number of e-mails
sent to your account, but still want to know when there are frequent port scans of
your ISA Server. What should you do?
On the Intrusion Detection–Common Attacks Property page, you can increase the number of
attacks before an alert is triggered. In this way, you will not receive as many e-mails, but will still
receive an e-mail after multiple attacks have been detected.
3. You have configured ISA Server 2004 as a bastion host. You are concerned about
the security of your DNS database. One of the internal DNS servers must be accessible from the Internet but you want to ensure that zone transfers will never be
allowed to clients that are not on your internal network. How will you accomplish
this?
In the General Configuration settings on the Intrusion Detection–DNS Attacks properties page,
select Enable Detection And Filtering Of DNS Attacks and ensure that DNS Zone Transfers is
enabled.
Page 7-63
Lesson 5 Review
1. You are the ISA Server 2004 administrator for your organization. You create a Web
publishing rule to allow access to your Web site. You want to ensure that no one
from the external network can post any content or create any unauthorized links
to other pages. You want to configure this on the ISA Server that you used to publish the Web site. What must you do?
Configure your Web publishing rule’s HTTP Policy to block the POST and LINK Methods.
2. You have deployed ISA Server and are using it as a proxy server for all client connections to the Internet. All users are allowed to use HTTP, HTTPS, and FTP to
access the Internet. You review the firewall logs on the computer running ISA
Server and notice that some users are accessing Web sites that contain information
that is not acceptable under the organization’s security policy. You need to block
the user access to these Web sites based on the URL that the users type into Internet Explorer. How can you do this?
a. Configure the HTTP policy to block access based on signatures.
b. Configure the HTTP policy to block access based on methods.
c. Configure the HTTP policy to block access based on headers.
d. Configure the HTTP policy to block access based on extensions.
A is correct. To block access to Web sites based on the URL typed by the user, configure the
HTTP policy to block access based on the signatures that you want to block.
3. You use the Edge Firewall network template to configure Internet Access for your
internal users. You used the template to enable HTTP, HTTPS, and FTP access to
the Internet. Your users need to place files on an FTP server at a partner FTP site.
Now your users report that they are unable to put files on the FTP server. What
must you do to correct the problem?
You must modify the configuration of the FTP Web filter to enable the users to upload FTP content. By default, the FTP policy only allows downloads. To modify the FTP policy, right-click the
access rule and click Configure FTP. You must clear the Read Only option.
Case Scenario Exercise
Page 7-65
Scenario 1 Question
1. How will you configure ISA Server 2004 to meet the security requirements?
You should start by applying the 3-Leg Perimeter network template on the ISA Server computer.
Since you have only one IP address that you can use on the Internet, you must use a private IP
subnet in the perimeter network. You must modify the network rule created by the network template to define a NAT relationship between the perimeter network and the Internet. When you
apply the wizard, choose the Allow Limited Web Access option. Modify the Web Access Only rule
created by the wizard to apply to Authenticated Users instead of All Users and configure HTTP
Filtering for the rule to block the signatures for all peer-to-peer file-sharing applications and to
block all executable content. Create an access rule to allow DNS traffic from your internal DNS
server to the Internet and then configure your internal DNS server to forward all queries to your
ISP’s DNS server. Finally, configure a Web publishing rule for the public Web site and set the
HTTP Policy to block the POST method on the rule.
8 Implementing ISA Server Publishing
Exam Objectives in this Chapter:
■ Create policy elements, access rules, and connection limits. Policy elements include schedule, protocols, user groups, and network objects.
■ Create policy rules for Web publishing.
  ❑ Install certificates for Web publishing.
  ❑ Configure authentication for Web access.
  ❑ Configure bridging.
  ❑ Configure link translator.
■ Create policy rules for server publishing.
  ❑ Publish a Web server by using server publishing rules.
  ❑ Publish an RPC server.
  ❑ Publish an FTP server.
  ❑ Publish a Terminal Services server.
  ❑ Publish a VPN server or device.
Why This Chapter Matters
Now that you have configured Microsoft Internet Security and Acceleration (ISA)
Server 2004 to allow internal clients to access the Internet, and understand how to
configure ISA Server as a firewall, you are ready for the next step in your ISA
Server deployment. That step is configuring ISA Server to publish internal servers
to the Internet, so that users on the Internet can access those internal resources.
Many organizations now host corporate Web sites or make messaging servers
accessible from the Internet. Other organizations have much more complex
requirements. Perhaps they are hosting multiple Web sites, or they may need to
enable access to a wide variety of servers on the internal or perimeter network.
Making internal resources accessible to the Internet increases the security risks for
the organization. By default, firewalls such as ISA Server block all traffic from the
Internet to the protected networks. When you make external resources available,
you deliberately allow network traffic from the Internet onto your internal or
perimeter network. To reduce this risk, the firewall at the perimeter of the network must be able to block all malicious network traffic from entering the organization’s network from the Internet and ensure that users from the Internet can
access only the required servers.
ISA Server 2004 uses Web and server publishing rules to publish internal network
resources to the Internet. Web publishing rules determine how ISA Server deals
with Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure
(HTTPS) requests from the Internet intended for internal Web servers. Server publishing rules define how ISA Server responds to requests from the Internet for
other network resources on the internal network. You must know how to use
these rules to securely publish internal network resources to the Internet.
Lessons in this Chapter:
■ Lesson 1: Introduction to Publishing 8-4
■ Lesson 2: Configuring Web Publishing Rules 8-13
■ Lesson 3: Configuring Secure Web Publishing Rules 8-33
■ Lesson 4: Configuring Server Publishing Rules 8-47
■ Lesson 5: Configuring ISA Server Authentication 8-63
Before You Begin
This chapter presents the skills and concepts related to publishing internal Web sites
and other internal services to the Internet. If you plan to complete the practices and lab
in this chapter, you should prepare the following:
■ A Microsoft Windows Server 2003 (Standard Edition or Enterprise Edition) computer installed as DC1 and configured as a domain controller in the cohovineyard.com domain. This server must have the following configuration:
  ❑ Microsoft Internet Information Services (IIS) installed, with a default Web and file transfer protocol (FTP) site configured.
  ❑ Remote Desktop connections must be enabled.
  ❑ Routing And Remote Access must be enabled and configured for virtual private network (VPN) connectivity.
■ A second Windows Server 2003 computer installed as ISA1 and configured as a domain member in the cohovineyard.com domain. This server should have two network interfaces installed.
■ A Microsoft Windows XP computer installed as CLIENT1. This computer must be a member of the cohovineyard.com domain.
■ A Microsoft Windows Server 2003 (Standard Edition or Enterprise Edition) computer installed as SERVER1. This computer should not be a member of the cohovineyard.com domain. This server should be located on the same network as the external interface of the ISA Server computer. This server should run the Domain Name System (DNS) Service, and the DNS client setting should be configured to use the server's Internet Protocol (IP) address as the DNS server.
Lesson 1: Introduction to Publishing
Most organizations want users from the Internet to be able to access some resources
that are located on the organization’s internal or perimeter network. You can use ISA
Server 2004 to provide secure access to internal resources for Internet users. ISA Server
2004 uses publishing to provide this secure access. This lesson introduces the concepts
of Web publishing and server publishing. It also provides an overview of how to configure DNS to enable Web and server publishing.
After this lesson, you will be able to
■ Describe a Web publishing rule
■ Describe a server publishing rule
■ Describe how to integrate DNS with the Web publishing scenarios
Estimated lesson time: 25 minutes
What Are Web Publishing Rules?
ISA Server uses Web publishing rules to make Web sites on protected networks available to users on other networks, such as the Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web
servers.
Web publishing rules provide the following functionality:
■ Access to Web servers running HTTP protocol When you configure a Web publishing rule, you configure ISA Server to listen for HTTP or HTTPS requests from the Internet and to forward or proxy that request to a Web server on a protected network. To publish servers using any other protocols, you need to use a server publishing rule.
■ HTTP application-layer filtering HTTP application-layer filtering enables ISA Server to inspect the application data in each packet passing through ISA Server. This includes filtering of Secure Sockets Layer (SSL) packets if you enable SSL bridging. This provides an additional layer of security not provided by most server publishing rules.
■ Path mapping Path mapping enables you to hide the details of your internal Web site configuration by redirecting external requests for parts of the Web site to alternate locations within the internal Web site. This means that you can limit access to only specific areas within a Web site.
■ User authentication You can configure ISA Server to require that all external users authenticate before their requests are forwarded to the Web server hosting the published content. This protects the internal Web server from authentication attacks. Web publishing rules support several methods of authentication, including Remote Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital certificates, and RSA SecurID.
■ Content caching The content from the internal Web server can be cached on ISA Server, which improves the response time to the Internet client while decreasing the load on the internal Web server.
■ Support for publishing multiple Web sites using a single IP address Many organizations use a single external IP address that is routable on the Internet. You can configure multiple Web publishing rules that can make multiple internal Web sites available to Internet clients using that single IP address.
■ Link translation With link translation, you can provide access to complex Web pages that include references to other internal Web servers that are not directly accessible from the Internet. Without link translation, any link to a server that is not accessible from the Internet would appear as a broken link. Link translation can be used to publish complex Web sites providing content from many servers while hiding the complexity from the Internet users.
Note ISA Server 2004 also provides secure Web publishing rules. These rules are Web
publishing rules that use SSL to encrypt network traffic. ISA Server provides multiple options
for using SSL. For example, you can configure ISA Server to encrypt all the traffic from ISA
Server to the Internet client but not to encrypt the traffic on the internal network. Or you can
encrypt just the traffic on the internal network. You can also configure ISA Server to encrypt
the traffic on both the internal network and the Internet. You can also configure ISA Server to
apply application filtering on the encrypted packets. With this configuration, the ISA Server
computer will decrypt the packet, filter it, and then encrypt the packet again.
What Are Server Publishing Rules?
Web publishing and secure Web publishing rules can grant access only to Web servers
using HTTP or HTTPS. To grant access to internal resources using any other protocol,
you must configure server publishing rules. When you create a server publishing rule,
you are configuring ISA Server to listen for client requests using a particular port number. When ISA Server receives a request on the external interface for that port, it checks
the server publishing rule to determine which internal server is providing the service.
ISA Server then passes the request to the internal server. The internal server responds
to the client request, forwarding the response to ISA Server, which forwards the
response to the client.
Server publishing rules provide the following functionality:
■ Access to multiple protocols Server publishing rules provide access to protocols that Web publishing rules cannot. Web publishing rules can only publish servers using HTTP or HTTPS; for all other protocols, you must use a server publishing rule. ISA Server is configured in advance with a variety of protocol definitions for commonly used protocols that can be incorporated within server publishing rules. You can also create custom protocol definitions. Any protocol definition in which the primary connection is defined as inbound can be used for a server publishing rule.
■ Application-layer filtering for specified protocols Application-layer filtering enables ISA Server to inspect the application data in each packet passing through ISA Server. ISA Server can apply application-layer inspection for server publishing when an application filter is registered for a specific protocol. For all other network traffic, ISA Server can apply packet and stateful filtering. ISA Server cannot inspect incoming SSL packets for servers published by server publishing rules.
■ Support for encryption Some of the protocol definitions provided with ISA Server are secure protocols. For example, ISA Server includes definitions for secure Internet Message Access Protocol (IMAPS) and secure Post Office Protocol (POPS). When a server publishing rule is configured to use these protocols, ISA Server can forward encrypted data between the client computer and the internal published server.
■ IP address logging for the client computer By default, when you publish a server using a server publishing rule, the source IP address that is received by the internal server is the IP address of the client computer on the Internet.
Considerations for Configuring DNS for Web and Server Publishing
One of the complicating considerations when publishing internal Web servers as well
as other servers to the Internet is DNS name resolution. Often, clients from the internal
network, as well as clients from the Internet, must connect to the same internal server
using the same DNS name. However, the internal clients usually need to connect to a
different IP address than the external clients.
Exam Tip One of the more common reasons for Web publishing rule failures is DNS resolution errors. If you see an exam question in which users on one network can access a
resource using the fully qualified domain name (FQDN) but users on another network cannot,
check the DNS resolution configuration. Because some users can access the server, you
know that the server is functional; therefore, the problem may be name resolution. If name
resolution seems to be set up correctly, check the publishing rule configuration.
For example, you may have a corporate Web server located on a perimeter network
that needs to be accessible to both internal users and Internet users. A possible configuration is shown in Figure 8-1. In this configuration, a route relationship is configured
between the internal network and the perimeter network, so when the internal clients
try to access www.cohovineyard.com, they must connect to the IP address of
172.16.10.1. However, users from the Internet must access www.cohovineyard.com by
connecting to the external network interface on the ISA Server computer (131.107.1.1).
ISA Server then uses a Web publishing rule to provide access to the corporate Web
server. The solution to providing access to the same server using two different IP
addresses is to deploy a split DNS.
Figure 8-1 Enabling access to a Web site for internal and Internet clients (diagram: the Web server at IP address 172.16.10.1 on the perimeter network; ISA Server, with external IP address 131.107.1.1, between the internal network and the Internet; an internal client and an Internet client both requesting http://www.cohovineyard.com)
A split DNS uses two different DNS servers with the same DNS domain name to provide
name resolution for internally and externally accessible resources. Both DNS servers are
authoritative for the same domain name. For example, in the Web publishing scenario
shown in Figure 8-1, one DNS server, used by all the internal clients, has a host record
for the Web server that points to the actual IP address of the Web server. The second
DNS server, accessible to Internet clients, has a host record for the Web server that
points to the IP address of the external interface of the server running ISA Server.
Security Alert To implement a split DNS, you need two DNS servers, both of which are
authoritative for the same domain. However, these two servers should not have the same
resource records. For example, your internal DNS server will have the IP addresses for all the
internal servers (including the domain controllers if you have deployed Active Directory directory service). This information should never be made available on the Internet DNS server.
The Internet DNS server should only have resource records for the hosts that must be accessible from the Internet. If you are exposing a single Web site and a single messaging server to
the Internet, then the Internet DNS server should have only the resource records required to
resolve the IP addresses for those two servers.
With a split DNS, users from both the Internet and the internal network can access the
corporate Web site, as illustrated in Figure 8-2.
Figure 8-2 Implementing a split DNS (diagram: the layout of Figure 8-1 with two DNS servers added; the Internet DNS server holds SOA cohovineyard.com and www.cohovineyard.com A 131.107.1.1, and the internal DNS server holds SOA cohovineyard.com and www.cohovineyard.com A 172.16.10.1)
When the Internet client wants to access the Web server, it must resolve the name
www.cohovineyard.com. The client sends a query to the DNS server on the Internet.
Because the DNS server has a Start of Authority (SOA) record for the cohovineyard.com
domain, the DNS server checks its zone files for the requested information. The server
responds with the IP address of the external interface of the server running ISA Server.
The client will then send the Web request to the IP address provided by the DNS server,
and ISA Server will forward the request to the Web server.
Note The scenario described here assumes a Network Address Translation (NAT) relationship between the external network and the perimeter network and a route relationship
between the internal network and the perimeter network. If the network relationships were
reversed, then the host record on the external DNS would point to the actual IP address for
the Web server, while the host record on the internal DNS would point to the IP address of the
internal network interface on ISA Server.
When the internal client wants to access the Web server, it will query the internal DNS
server for the IP address of www.cohovineyard.com. The internal DNS server will
check its zone files, and provide the client with the actual IP address of the Web server.
The internal client will then directly connect to the internal Web server. If the Web
server is located on a perimeter network, the request will be passed through
ISA Server.
Important Firewall clients and Web proxy clients do not require a split DNS configuration to
access the internal Web sites as they can use the Internet IP address to access the internal
server. In this configuration, the Web requests are passed through ISA Server. However,
Secure Network Address Translation (SecureNAT) clients cannot connect to the internal Web
servers using an Internet IP address as SecureNAT client requests cannot be routed back
through the ISA Server computer. Even if you do not need to implement a split DNS, it is still
a best practice to implement a split DNS, especially if you publish Web servers on the internal network. In this way, Web Proxy and Firewall clients can access the internal Web servers
directly rather than through the ISA Server computer.
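The two zones of Figure 8-2, and the Security Alert's rule that the Internet DNS server carries only the hosts you publish, modeled in Python as an added illustration for this lesson (not ISA Server or Windows DNS code). The addresses come from the figures; the dc1 record, the client address ranges and the two check functions are constructed for the example.

```python
"""Split-DNS model for the cohovineyard.com scenario of Figures 8-1 and 8-2.

Added illustration, not ISA Server or Windows DNS code. Two DNS servers are
authoritative for the same domain name: the internal server answers internal
clients with the Web server's actual address, the Internet server answers
Internet clients with the external interface of the ISA Server computer.
Addresses come from the chapter's figures; the dc1 record, the client address
ranges and the check functions are constructed for this example."""
import ipaddress

DOMAIN = "cohovineyard.com"
ISA_EXTERNAL_IP = "131.107.1.1"   # external interface of ISA Server (Figure 8-1)
WEB_SERVER_IP = "172.16.10.1"     # actual address of the Web server on the perimeter network

# Internal DNS server: actual addresses of every host, including internal-only ones.
INTERNAL_ZONE = {
    "www": WEB_SERVER_IP,
    "dc1": "172.16.1.10",         # constructed: a domain controller that is never published
}

# Internet DNS server: only hosts reachable through ISA Server, every one pointing at
# its external interface (NAT relationship between the External and perimeter networks).
INTERNET_ZONE = {
    "www": ISA_EXTERNAL_IP,
}

# Constructed: address ranges whose clients use the internal DNS server.
INTERNAL_NETWORKS = [ipaddress.ip_network("172.16.0.0/12"),
                     ipaddress.ip_network("10.0.0.0/8")]


def is_internal_client(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def resolve(fqdn, client_ip):
    """Return the A record the client's DNS server hands back, or None (name not found).

    An internal client gets the Web server's actual address and connects to it directly
    (ISA Server only routes the packets, since the internal and perimeter networks have a
    route relationship); an Internet client gets the ISA Server external address, and the
    Web publishing rule forwards the request."""
    host, _, domain = fqdn.lower().rstrip(".").partition(".")
    if domain != DOMAIN:
        return None
    zone = INTERNAL_ZONE if is_internal_client(client_ip) else INTERNET_ZONE
    return zone.get(host)


def leaked_records(internet_zone):
    """Security Alert check: the Internet DNS server must not carry internal addresses.
    Returns (name, address) pairs that resolve to a private (RFC 1918) address."""
    return [(name, ip) for name, ip in sorted(internet_zone.items())
            if ipaddress.ip_address(ip).is_private]


def unpublished_hosts_exposed(internet_zone, published_hosts):
    """Second check: every name in the Internet zone must be one you intend to publish."""
    return sorted(set(internet_zone) - set(published_hosts))
```

Running both checks against a copy of the internal zone that was mistakenly loaded on the Internet DNS server flags the dc1 record on both counts, which is exactly the leak the Security Alert warns about.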
Practice: Configuring DNS for Web and Server Publishing
In this practice, you will configure the DNS servers on the internal and external network (representing the Internet in your practice configuration) to correctly resolve the
addresses for the Web site and FTP site located on DC1. SERVER1 is configured as the
external DNS server in this scenario. You will use these DNS records in later exercises
when testing the publishing rules.
Exercise 1: Creating the Internet DNS Records for Cohovineyard.com
1. Log on to SERVER1 using an administrator account.
2. Open the DNS Management Console from the Administrative Tools folder.
3. Right-click Forward Lookup Zones, and then click New Zone.
4. On the Welcome To The New Zone Wizard page, click Next.
5. On the Zone Type page, accept the default of Primary Zone and click Next.
6. On the Zone Name page, type cohovineyard.com as the zone name. Click Next.
7. On the Zone File page, accept the default zone file name and click Next.
8. On the Dynamic Update page, accept the default and click Next.
9. On the Completing The New Zone Wizard page, review the configuration and
then click Finish.
10. Expand cohovineyard.com, then right-click cohovineyard.com and click New
Host (A).
11. In the New Host dialog box, type www in the Name box. Type the IP address
assigned to the external interface of the ISA Server computer in the IP address
box. Click Add Host.
12. In the New Host dialog box, type ftp in the Name box. Type the IP address
assigned to the external interface of the ISA Server computer in the IP address
box. Click Add Host.
13. In the New Host dialog box, type secure in the Name box. Type the IP address
assigned to the external interface of the ISA Server computer in the IP address
box. Click Add Host.
14. In the DNS dialog box, click OK.
15. Click Done. Close the DNS Management Console.
Exercise 2: Creating the Internal DNS Records for Cohovineyard.com
1. Log on to DC1 using an administrator account.
2. Open the DNS Management Console from the Administrative Tools folder.
3. Expand Forward Lookup Zones and then expand cohovineyard.com.
4. Right-click cohovineyard.com and click New Host (A).
5. In the New Host dialog box, type www in the Name box. Type 10.10.0.10 in the
IP address box. Click Add Host.
6. In the New Host dialog box, type ftp in the Name box. Type 10.10.0.10 in the IP
address box. Click Add Host.
7. In the New Host dialog box, type secure in the Name box. Type 10.10.0.10 in the
IP address box. Click Add Host.
8. In the DNS dialog box, click OK.
9. Click Done, then close the DNS Management Console.
Exercise 3: Testing Internal Access to Cohovineyard.com Web Sites
1. Log on to CLIENT1 using a domain user account.
2. Open Internet Explorer and type www.cohovineyard.com into the Address box.
The connection should be successful.
3. Connect to secure.cohovineyard.com and ftp://ftp.cohovineyard.com. All connections
should be successful.
Note You cannot access the internal Web sites from the Internet (SERVER1) at this point
because you have not configured any publishing rules that allow this access.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed ISA Server 2004 as a Bastion Host. You need to provide a
secure method of publishing your Web site. You also need to be able to configure
ISA Server to inspect the contents of the packets to and from the Web server using
application filters. What feature of ISA Server 2004 makes this possible?
a. SSL Tunneling
b. Link Translation
c. SSL Bridging
d. Path Mapping
2. You implement a split DNS configuration to support a Web site in your perimeter
network. ISA Server 2004 is your external firewall. There is a NAT relationship
between the external network and the perimeter network. What IP address should
the Internet DNS record return for external clients to access the Web site?
a. The internal IP address of the ISA Server computer
b. The actual IP address of the Web server
c. The IP address of your internal DNS server for name resolution
d. The external IP address of the ISA Server computer
3. You have a Web server in a perimeter network that hosts multiple Web sites that
have links to each other. How can you enable access to these sites to users on the
Internet using ISA Server 2004?
Lesson Summary
■ A Web publishing rule is a firewall rule that specifies how ISA Server routes incoming requests to internal Web servers. Web publishing is used to provide access to Web servers running HTTP and HTTPS. Web publishing rules also enable application-layer filtering, path mapping, user authentication, content caching, support for publishing multiple Web sites using a single IP address, and link translation.
■ Server publishing rules are firewall rules that specify how ISA Server routes incoming requests to internal servers using any available protocol. Server publishing rules are used to provide access for multiple protocols, application-layer filtering for specified protocols, support for encryption, and IP address logging for the client computer.
■ A split DNS configuration uses two different DNS servers to provide name resolution for internally and externally accessible resources. Implementing a split DNS requires two DNS servers that both host the zone files for the same DNS domain name but have host records with different IP addresses for the required servers.
Lesson 2: Configuring Web Publishing Rules
ISA Server uses Web publishing rules to provide a secure and flexible way to publish
the content on internal Web servers to the Internet. When you enable Web publishing
rules, you can configure a variety of options, including Web listeners, path mapping,
and link translation. This lesson describes how to configure Web publishing.
After this lesson, you will be able to
■ Identify Web publishing rules configuration components
■ Configure Web listeners
■ Configure path mapping
■ Configure link translation
■ Configure Web publishing rules
Estimated lesson time: 30 minutes
Components of a Web Publishing Rule Configuration
Web publishing rules map incoming HTTP or HTTPS requests to the appropriate Web
servers located on a network protected by ISA Server. Web publishing rules determine
what incoming requests for HTTP objects will be accepted by ISA Server and how
ISA Server will respond to those requests. If the HTTP request matches a Web publishing rule, the request is forwarded to the Web server located on the internal or perimeter network.
Web Publishing Configuration Options
When you configure Web publishing rules, you must configure the components listed
in Table 8-1.
Table 8-1 Web Publishing Rule Configuration Options

Configuration Option   Explanation
Action                 Defines whether the Web publishing rule will allow or deny access.
Name (or IP address)   Defines the name or IP address of the Web server that is published by this rule.
Users                  Defines which users can access the Web site.
Traffic source         Defines the network objects that can access the published Web server. The network objects that you specify must also be included in the Web listener specified for this Web publishing rule.
Public name            Defines the Uniform Resource Locator (URL) or IP address that is made accessible by this rule. You can configure ISA Server to allow access based on a specific URL or allow access to all URLs. If you specify a URL, ISA Server will respond only to requests using that URL. If you allow access to all URLs, ISA Server will respond to all requests using the appropriate protocol.
Web listener           Defines the IP address on the computer running ISA Server that listens for requests from clients.
Path mappings          Defines how ISA Server will modify the external path specified in the request and map it to a corresponding internal path.
Bridging               Defines how HTTP requests are forwarded to the published server. You can configure the requests so that they are redirected using HTTP, SSL, or FTP.
Link translation       Defines how ISA Server updates Web pages that include references to internal server names.
Note The following sections describe these configuration options. In the last section of this
lesson, you will see how to put all the options together to create a Web publishing rule.
How to Configure Web Listeners
Web listeners are used by Web and secure Web publishing rules. A Web listener is an
ISA Server configuration object that defines how the ISA Server computer listens for
HTTP requests and SSL requests. The Web listener defines the network, IP address, and
the port number on which ISA Server listens for client connections.
Web listeners are required for Web publishing rules to function. If the ISA Server computer receives an HTTP or HTTPS request on a network adapter and no Web listener is configured for the IP address associated with that network adapter, ISA Server discards the request before applying any Web publishing rules. If the computer running ISA Server has multiple network adapters or IP addresses, you can configure the same listener configuration for all IP addresses, or you can configure separate listener configurations for different IP addresses.
A Web listener can be used in multiple Web publishing rules so long as the publishing
rules share a common configuration. For example, if you have two Web publishing rules
that both use HTTP and require basic authentication, then both Web publishing rules can
use the same Web listener. However, if one publishing rule requires all users to
authenticate, and the other rule requires anonymous access, then you must configure
two different Web listeners.
Lesson 2
Configuring Web Publishing Rules
8-15
To configure a Web listener, you must configure the following options:
■ Network: This option specifies the network on which ISA Server will listen for incoming Web requests. The network that you select depends on the origin of the Web requests. For example, if the published Web site allows client requests from the external network (Internet), then the external network should be selected for the Web listener. After selecting a network, you can also specify whether the Web listener will listen for requests on all IP addresses on ISA Server that are part of that network, or on specified IP addresses.
■ Port numbers: This option specifies the port number on which the Web listener will listen for incoming Web requests. By default, ISA Server listens on Port 80 for HTTP requests, but this setting can be modified. You can also enable the Web listener to listen for SSL requests (the default is Port 443). If you choose SSL, an appropriate certificate must be installed on the computer running ISA Server so that the computer running ISA Server can authenticate itself to the client.
■ Client authentication methods: This option specifies the supported authentication methods if you are going to require authentication on the Web listener. If you select the option to require authentication, all users must authenticate using one of the authentication methods specified for the incoming Web requests. The authentication that you configure for the computer running ISA Server is in addition to any authentication that the published Web server requires. ISA Server authentication determines whether a request is passed to the Web server. The authentication method that you configure for the Web server determines whether a user is allowed to gain access to content on the Web server.
■ Client Connection Settings: This option specifies the number of concurrent client connections and connection timeout values for the Web listener.
How to Configure a Web Listener
Note You can create a Web listener before creating a Web publishing rule, or you can create the Web listener while you create the Web publishing rule. The following procedure describes how to configure the Web listener first.
To create a Web listener, complete the following procedure:
1. In the ISA Server Management Console tree, click Firewall Policy.
2. On the Toolbox tab, expand Network Objects and then right-click Web Listeners
and click New Web Listener.
3. On the Welcome To The New Web Listener Wizard page, in the Web Listener
Name text box, type the name for the Web Listener.
4. On the IP Addresses page, shown in Figure 8-3, select the network on which the
listener will listen for requests. If you are publishing a Web site for Internet access,
select External.
Figure 8-3 Configuring the network on which the Web listener will listen
5. If you have multiple network adapters or multiple IP addresses associated with the
network you selected, you can configure the specific IP address on which this
Web listener will listen by clicking the Address tab to display the External Network
Listener IP Selection dialog box, shown in Figure 8-4. In this dialog box, you can
configure the ISA Server computer to listen on all IP addresses or only some IP
addresses associated with the selected network.
Figure 8-4 Configuring the network on which the Web listener will listen
Exam Tip If an exam scenario describes the ISA Server computer as having multiple network adapters or multiple IP addresses associated with a specific network, remember this
configuration option. If a client tries to access a Web site using a particular IP address, but
the Web listener is listening on a different IP address on the same network, the client will not
be able to connect to the Web site.
6. On the Port Specification page, shown in Figure 8-5, select the protocol and port number used by the Web listener. By default, the Web listener listens for HTTP requests on Port 80. If this listener is used for a secure Web publishing rule, you must also enable SSL and configure a certificate.
Figure 8-5 Configuring the protocols and port numbers for a Web listener
Caution Be careful about changing the default port numbers for the protocols. All Web
browsers use the standard port numbers, and if you change the port numbers, you must
instruct each user to use the new port number. For example, if you change the port number to
8888 and you are using the Web publishing rule to publish the www.cohovineyard.com site,
you would have to instruct the users to use http://www.cohovineyard.com:8888 to connect to
the site.
7. On the Completing The New Web Listener Wizard page, review the configuration
and then click Finish.
After you create the Web listener, you can modify the Web listener settings by double-clicking the Web Listener object in the Toolbox. In addition to the settings that you can
configure during the Web listener creation, you can also configure the authentication
methods supported on the Web listener and the connection settings. The settings are
accessible on the Preferences tab, as shown in Figure 8-6.
Figure 8-6 Configuring the Web listener preferences
Note Figure 8-6 should look familiar to you because it is almost identical to the Web Proxy
tab on the Internal Network Properties dialog box. Although you may not have known it at the
time, when you configured the Web proxy settings, you were actually configuring a Web listener for the Internal network.
To configure the client connection options, click Advanced on the Preferences tab to
get to the Advanced Settings dialog box, as shown in Figure 8-7. In this dialog box, you
can configure the maximum number of concurrent client connections that will be
accepted by the Web listener and the connection time-out for idle connections.
Figure 8-7 Configuring the Web listener advanced settings
See Also The authentication options will be discussed in Lesson 5, “Configuring ISA
Server Authentication,” later in this chapter.
How to Configure Path Mapping
Path mapping is an ISA Server feature that enables ISA Server to redirect user requests
to an alternate path on internal Web servers. When a user connects to a Web site published on ISA Server, the user types a specific URL. Before forwarding a request to the
published Web server, ISA Server checks the URL specified in the request. If a path
mapping is configured for that URL, ISA Server will replace the path specified in the
request with an internal path name and forward it to the appropriate Web server.
Note Path mapping is used for both Web publishing and secure Web publishing rules but
not for server publishing rules.
How Path Mapping Works
Path mapping can be used in several different scenarios. For example, an organization
may have a Web site that is accessible on the Internet using the URL http://
www.cohovineyard.com. If the entire Web site is located on a single Web server, you
can use path mapping to redirect client requests to different virtual directories on that
server. The URL http://www.cohovineyard.com/catalog can be redirected to a virtual
directory named CurrentCatalog on the Web server while the URL http://
www.cohovineyard.com/sales is redirected to the SalesData virtual directory. If you
rename the virtual directory on the Web server, you can just reconfigure the path mapping on ISA Server without interfering with client connectivity.
You can also use path mapping to redirect client requests to multiple internal Web
servers. For example, when users request the URL http://www.cohovineyard.com/sales,
they can be directed to the Sales virtual directory on one Web server. When users
request the URL http://www.cohovineyard.com/catalog, they are redirected to a Catalog
virtual directory on another Web server.
Important To redirect client requests to multiple back-end servers, you must configure
multiple Web publishing rules. Each Web publishing rule can only redirect client requests to a
single Web server. To redirect the client requests described above, you would configure a Web
publishing rule that publishes the Sales virtual directory on one Web server, and another Web
publishing rule that publishes the Catalog virtual directory on another server.
ISA Server 2004 performs this redirection transparently. Internet users see only that
they are connecting to the Web sites and paths they entered into the browsers or
accessed by clicking links to those URLs. ISA Server tracks these requests and forwards
them to the appropriate Web server.
How to Configure Path Mapping
Note The procedure described here assumes that you have already created a Web publishing rule and are modifying its configuration. You can also configure path mappings while creating the Web publishing rule.
To configure path mapping, complete the following procedure:
1. In the ISA Server Management Console tree, click Firewall Policy.
2. In the details pane, click the applicable Web publishing rule.
3. On the Tasks tab, click Edit Selected Rule.
4. Path mapping is configured on the Paths tab, shown in Figure 8-8. By default, the
/* internal path is published, which means that the entire Web site is available. To
modify path mapping, click the listed path mapping and click Remove. Then
click Add.
Figure 8-8 Configuring path mapping on a Web publishing rule
5. In the Path Mapping dialog box, shown in Figure 8-9, type the path on the Web
server. This path is the actual internal path to which the ISA Server computer will
send the request.
Figure 8-9 Configuring an additional path mapping
6. Under External Path, select one of the following:
❑ Same As Published Folder: Select this option if the path specified in the user request is identical to the path on the published Web server.
❑ The Following Folder: Select this option if the path specified in the user request needs to be mapped to a virtual directory with a different name on a Web server. Type the path to which requests on the published Web server will be mapped. When specifying the internal path to which the request will be mapped, use this format: /path/*.
Important The paths used for path mapping on a Web publishing rule cannot overlap. For
example, you cannot use an internal path of /* and an internal path of /salesdata/* on the
same Web publishing rule because the salesdata path overlaps with the root directory. You
can use an internal path of /salesdata/* and an internal path of /catalog/* on the same
Web publishing rule. The same rules apply to the external path.
7. Click OK to close the Web Publishing Rule Properties dialog box.
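The following Python is an added illustration of what the path mapping just described does to a request; it is example code written for this lesson, not ISA Server's own code or its administration API. It uses the lesson's Coho Vineyard mappings (/catalog/* to CurrentCatalog, /sales/* to SalesData) and treats the published server name DC1.cohovineyard.com as a constructed value. It also enforces the overlap restriction from the Important note and normalizes the request path before matching, so that a request such as /catalog/../private/x cannot be mapped as if it lived under /catalog/.

```python
"""Path mapping modelled as a reverse proxy applies it (illustrative Python;
not ISA Server code).  A rule holds (external_path, internal_path) pairs in
the /folder/* form the lesson uses; an external path of None stands for
"Same As Published Folder".  Server and site names are constructed."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PathMapping = Tuple[Optional[str], str]   # (external path or None, internal path)


def _prefix(pattern: str) -> str:
    """'/catalog/*' -> '/catalog/' and '/*' -> '/'; anything else is rejected."""
    if not pattern.startswith("/") or not pattern.endswith("/*"):
        raise ValueError(f"path must use the /path/* form: {pattern!r}")
    return pattern[:-1]   # drop the '*', keep the trailing '/'


def overlapping_paths(patterns: List[str]) -> List[Tuple[str, str]]:
    """Pairs of patterns where one lies inside the other.  The lesson's rule:
    /* and /salesdata/* may not share a publishing rule, while /salesdata/*
    and /catalog/* may."""
    prefixes = [(p, _prefix(p)) for p in patterns]
    clashes = []
    for i, (pat_a, pre_a) in enumerate(prefixes):
        for pat_b, pre_b in prefixes[i + 1:]:
            if pre_a.startswith(pre_b) or pre_b.startswith(pre_a):
                clashes.append((pat_a, pat_b))
    return clashes


def validate_rule_paths(mappings: List[PathMapping]) -> None:
    """Raise ValueError if the internal or the external paths of one rule overlap."""
    internal = [m[1] for m in mappings]
    external = [m[0] if m[0] is not None else m[1] for m in mappings]
    for side, pats in (("internal", internal), ("external", external)):
        clashes = overlapping_paths(pats)
        if clashes:
            raise ValueError(f"{side} paths overlap: {clashes}")


def normalize_request_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes before matching, so a request
    such as /catalog/../private/x is not treated as living under /catalog/.
    (Percent-decoding is left out; the lesson does not discuss it.)"""
    if not path:
        path = "/"
    norm = posixpath.normpath(path)
    if norm.startswith("//"):                  # normpath keeps a leading '//'
        norm = "/" + norm.lstrip("/")
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                            # keep directory requests as such
    return norm


def map_path(mappings: List[PathMapping], request_path: str) -> Optional[str]:
    """Internal path for an already normalized external path, or None when no
    mapping covers it (the rule then does not publish that path at all)."""
    for external, internal in mappings:
        ext_prefix = _prefix(external if external is not None else internal)
        if request_path.startswith(ext_prefix):
            return _prefix(internal) + request_path[len(ext_prefix):]
    return None


def forward_url(internal_server: str, mappings: List[PathMapping],
                request_url: str) -> Optional[str]:
    """Build the URL the proxy would request from the published server."""
    parts = urlsplit(request_url)
    internal_path = map_path(mappings, normalize_request_path(parts.path))
    if internal_path is None:
        return None
    return urlunsplit(("http", internal_server, internal_path, parts.query, ""))


# Constructed configuration for the lesson's single-server example.
COHO_MAPPINGS: List[PathMapping] = [
    ("/catalog/*", "/CurrentCatalog/*"),   # external /catalog/ -> CurrentCatalog
    ("/sales/*", "/SalesData/*"),          # external /sales/   -> SalesData
]

if __name__ == "__main__":
    validate_rule_paths(COHO_MAPPINGS)
    print(forward_url("DC1.cohovineyard.com", COHO_MAPPINGS,
                      "http://www.cohovineyard.com/catalog/wine.html?year=2004"))
```

Because the paths on one rule may not overlap, at most one mapping can match a given request, so first match is the same as best match. A request whose normalized path falls outside every mapping is not forwarded, which is the behaviour you want when the default /* mapping has been removed and only selected virtual directories are published.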
How to Configure Link Translation
Path mapping allows you to redirect client requests from the ISA Server computer to
different locations on one or more Web servers. By using path mapping you can mask
a complex internal Web server configuration and present a simple Web site view to the
Internet. Link translation can provide the same end result, but is used in different situations. Link translation is used when the Web pages published on ISA Server contain
links to other Web servers on the protected network, and those Web servers are not
accessible from the Internet.
Link translation is an ISA Server configuration object that enables ISA Server to replace
internal server names on Web pages with server names that are accessible from the
Internet. Some published Web sites may include references to internal names of computers other than the server listed in the Web publishing rule. If these internal computer names are not accessible to clients outside the network, these references will
appear as broken links. ISA Server includes a link translation feature to ensure that the
information on these servers is accessible to Internet clients without requiring that the
internal server names be revealed or accessible.
Link Translation Levels
ISA Server provides several levels of link translation functionality so that you can provide the appropriate level of link connectivity:
■ Header link translation: Header link translation ensures that any URL returned in a header to the client is translated to an externally recognizable URL. When the user accesses the link, it is recognized by the Web publishing rule and forwarded to the correct internal server. This link translation is always enabled by default in any Web publishing rule.
■ Translation of links in the body of a returned Web page: This functions in the same manner as the header link translation, but includes links returned in the body of Web pages, not just in the header. For example, a Web page on a server named Web1 that is accessed through the URL www.cohovineyard.com may include a reference to an image using http://Web1.cohovineyard.com/images/image1.jpg. This link needs to be translated to http://www.cohovineyard.com/images/image1.jpg in order to be accessible from the Internet. To enable this link translation, you need to enable the replacement of absolute links in Web pages on a Web publishing rule.
■ Translation of links to other internal Web pages: Link translation works only for links to the Web server specified in the Web publishing rule. If you want links to other internal Web servers to also be translated, you have to provide information about how to translate each link. This information is stored by ISA Server in a link dictionary.
For example, Coho Vineyard may have two internal Web servers named WEB1 and WEB2. The Web site on WEB1 may include cross-references to pages on the other server. For example, WEB1 may have a reference to http://Web2/images/image1.jpg. This link will not work on the Internet. You can create a link translation dictionary entry for the www.cohovineyard.com Web publishing rule substituting any reference to WEB2 with www.cohovineyard.com.
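The three levels above, modelled in Python as an added example (this is not ISA Server's implementation; it is written here to make the levels concrete). It uses the lesson's names Web1.cohovineyard.com, WEB2 and www.cohovineyard.com; the restriction of dictionary replacement to the host part of absolute URLs is a design choice of this model, stated in the comments.

```python
"""Link translation modelled in Python (illustrative; not ISA Server code).
Three levels as in the lesson: header translation (always on), translation
of absolute links in HTML bodies (opt-in on the rule), and dictionary
entries for other internal servers.  Host names are the lesson's examples."""
import re
from typing import Dict, List, Optional, Tuple

URL_HEADERS = ("location", "content-location")   # response headers that carry URLs


class LinkTranslator:
    def __init__(self, internal_name: str, public_name: str,
                 translate_body: bool = False,
                 dictionary: Optional[Dict[str, str]] = None) -> None:
        # The published server first, then dictionary entries such as WEB2.
        pairs: List[Tuple[str, str]] = [(internal_name, public_name)]
        pairs += list((dictionary or {}).items())
        self._map = {internal.lower(): public for internal, public in pairs}
        self._body_enabled = translate_body
        # Model choice: only the host of an absolute URL is rewritten, and the
        # host must be followed by a path, port, quote, whitespace, '>' or the
        # end of the text, so "WEB2" does not also hit "web2.cohovineyard.com".
        # Matching is case-insensitive, as DNS names are.
        hosts = "|".join(re.escape(h) for h, _ in pairs)
        self._url_re = re.compile(r"(https?://)(" + hosts + r""")(?=[/:"'\s>]|$)""",
                                  re.IGNORECASE)

    def _translate(self, text: str) -> str:
        return self._url_re.sub(
            lambda m: m.group(1) + self._map[m.group(2).lower()], text)

    def translate_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Header link translation: rewrite redirect targets such as Location.
        This level is always on, whatever the rule's body setting."""
        return {name: (self._translate(value) if name.lower() in URL_HEADERS else value)
                for name, value in headers.items()}

    def translate_body(self, body: str, content_type: str) -> str:
        """Body link translation: only when enabled on the rule, and only for HTML."""
        if not self._body_enabled or not content_type.lower().startswith("text/html"):
            return body
        return self._translate(body)


# Constructed response fragments for the lesson's WEB1/WEB2 scenario.
SAMPLE_HEADERS = {"Location": "http://Web1.cohovineyard.com/sales/",
                  "Content-Type": "text/html"}
SAMPLE_BODY = ('<img src="http://Web1.cohovineyard.com/images/image1.jpg">'
               '<a href="http://Web2/images/image1.jpg">catalog</a>')

if __name__ == "__main__":
    rule = LinkTranslator("Web1.cohovineyard.com", "www.cohovineyard.com",
                          translate_body=True,
                          dictionary={"WEB2": "www.cohovineyard.com"})
    print(rule.translate_headers(SAMPLE_HEADERS))
    print(rule.translate_body(SAMPLE_BODY, SAMPLE_HEADERS["Content-Type"]))
```

Note what the model does not do: a reference to an internal host that appears in no dictionary entry is passed through unchanged, so it still reaches the client as a broken link that discloses the internal name. That is exactly the gap the link dictionary exists to close, and a review of published pages for such leftover names is a sensible check after enabling link translation.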
How to Configure Link Translation
To configure link translation on an existing Web publishing rule, complete the following procedure:
1. In the ISA Server Management Console tree, click Firewall Policy.
2. In the details pane, click the applicable Web publishing rule.
3. On the Link Translation tab, shown in Figure 8-10, click Replace Links In Web
Pages To Enable Link Translation. Clicking this option enables link translation for
Web page bodies.
Figure 8-10 Configuring link translation on a Web publishing rule
4. To enable link translation to other internal Web pages, click Add to open the
Add/Edit Dictionary Item dialog box, shown in Figure 8-11.
Figure 8-11 Configuring link dictionary entries on a Web publishing rule
5. In Replace This Text, provide the internal name of the server to be translated,
such as WEB2. In With this text, provide the replacement value, such as
www.cohowinery.com. Click OK.
Note You can configure link translation only after you have created the Web publishing rule.
How to Configure Web Publishing Rules
Now that you understand most of the complicated pieces that comprise a Web publishing rule, you are ready to create the rule. To create a Web publishing rule, complete the
following procedure:
1. In the ISA Server Management Console, click Firewall Policy. On the Tasks tab,
click Publish A Web Server.
2. On the Welcome To The New Web Publishing Rule Wizard page, type the name
for the Web publishing rule, and then click Next.
3. On the Select A Rule Action page, click Allow and click Next.
4. On the Define Web Site To Publish page, as shown in Figure 8-12, configure the
options listed in Table 8-2.
Figure 8-12 Configuring the published Web site on a Web publishing rule
Table 8-2 Web Site Configuration Options

Computer Name Or IP Address: Specifies the Web server computer name or IP address for the server that hosts the Web site that you want to publish.

Forward The Original Host Header Instead Of The Actual One: Specifies that ISA Server forward the host header that it received from the client. By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA Server received. This means that a client request that includes the host header of Host: www.cohovineyard.com is replaced with Host: DC1.cohovineyard.com as specified in the Web publishing rule. All requests are then routed to the same Web site on the published server.
To publish more than one Web site on a Web server, configure the Web publishing rule to forward the original host header to the published server. For example, if client requests for www.cohovineyard.com and www.cohowinery.com need to be forwarded to two different Web sites on the same internal server, configure the Web publishing rule to forward the original host header.

Path: Specifies the Web site folder that you want to publish, such as Sales. If you leave this field blank, you will be publishing the entire site.
Exam Tip If you use a server name as the published server when you configure a Web publishing rule, the ISA Server computer must be able to resolve the DNS name for the internal
Web server. If ISA Server is configured to use an internal DNS server, ensure that the name
you use on the Web publishing rule is available in DNS. If you do not want to configure ISA
Server to use an internal DNS server, you can use a hosts file on the DNS server to provide
name resolution. If you get an exam question where users cannot access the Web site that is
being published, check for information that would indicate that the ISA Server computer cannot resolve the server name.
5. On the Public Name Details page, shown in Figure 8-13, configure a public name,
which defines what requests will be received by the ISA Server computer and forwarded to the Web server. You have two options:
❑ Any Domain Name: This option means that any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Web site.
❑ This Domain Name (Type Below): This option means that the ISA Server computer will forward only requests for a specific URL. To configure this, type the specific domain name in Public Name. You can also specify a specific folder in Folder that would also be required in the request. For example, if you configure www.cohovineyard.com as the public name and Sales as
the folder, then only requests for www.cohovineyard.com/sales will be forwarded by this rule.
Figure 8-13 Configuring the public name for a Web publishing rule
Security Alert In almost every case, you should use a specific public name rather than
use any domain name when publishing a Web site. Choosing a specific public name means
that ISA Server will only accept requests that use that name in the request header, and that
all other requests will be dropped.
6. On the Select Web Listener page, select a preconfigured Web listener or click New
to create a Web listener.
7. On the User Sets page, configure the user sets that will be allowed to access the
published Web site. By default, the All Users user set, which includes anonymous
users, is granted access.
8. On the Completing the New Web Publishing Rule Wizard page, review the configuration and then click Finish.
You can also modify the configuration for the Web publishing rule after you configure
the rule. To modify the configuration of the Web publishing rule, select Firewall Policy
in the ISA Server Management Console and double-click the rule. Most of the configuration options are identical to the options available when you created the rule, with
some additional options. For example, you can configure a schedule for when the publishing rule will be available. Moreover, you can configure how ISA Server will forward
requests to the published Web server. To configure this option, open the Web publishing rule properties and select the To tab, as shown in Figure 8-14.
Figure 8-14 Configuring ISA Server proxy requests to a Web server
Note For an explanation of when to use the option to forward the original host header, see
Table 8-2.
ISA Server provides two options for proxying requests to the published server:
■ Requests Appear To Come From The ISA Server Computer: This is the default option. When this is configured, the ISA Server computer substitutes its own IP address for the original client IP address when forwarding the request to the Web server. This means that if you enable logging on the Web server, all client connections will appear to come from the ISA Server computer.
■ Requests Appear To Come From The Original Client: When you select this option, ISA Server sends the original client IP address to the published Web server. Some applications require that the actual client IP address be sent to the Web server. In addition, if you want to log the client IP addresses for all connections to the Web server, you need to enable this option.
Exam Tip Remember that, by default, client IP addresses are not sent to the published
Web server. If you see an exam question that requires the logging of the client IP address in a
Web publishing scenario, you must change the default configuration.
Real World
Implementing Complex Web Publishing Scenarios
ISA Server 2004 provides a great deal of flexibility when configuring Web publishing rules. In fact, you can enable almost any Web publishing scenario with a single
ISA Server computer. This includes some of the complicated scenarios that I have
encountered when working with large corporations. Some requirements that can
complicate Web publishing include the following:
■ The need to publish multiple Web sites that have different domain names. These Web sites may be hosted on a single Web server, or on multiple Web servers.
■ The need to use a single IP address to publish multiple Web sites.
■ The need to publish a Web site with a single domain name that is distributed across multiple internal Web servers.
For most of these scenarios, there is more than one way to solve them. You can
use path mapping and link translation to deal with some complex situations. Here
are some other suggestions:
■ If you need to publish multiple Web sites that have different domain names or different host names, you have to configure multiple Web publishing rules. For example, if you are publishing www.cohovineyard.com and www.cohowinery.com on the ISA Server computer, you will need two different Web publishing rules, each with a different public name. The same is true if you are publishing the www.cohovineyard.com site and the store.cohovineyard.com site. The configuration is easy when the Web sites are on different Web servers; you just create two Web publishing rules pointing to the two Web servers, and correctly configure the public name for each publishing rule. If the Web server has multiple IP addresses assigned to it, you can configure the Web server to listen for HTTP requests on a different IP address for each Web site, and then configure ISA Server to forward the Web requests to the appropriate IP address.
■ If the two Web sites are on the same server and the Web server only has one IP address, the configuration is a bit more complex. You will still need two Web publishing rules, each configured with the appropriate public name. However, when you configure the Web publishing rule, you need to configure it to forward the original host header to the published server. Then on the Web server, ensure that the Web sites are distinguished by the host headers.
■ Another alternative when publishing multiple Web sites on the same Web server is to change the ports on which ISA Server will forward HTTP requests to the Web server. By default, all HTTP requests are forwarded using Port 80. However, you can configure the Web server to listen on an alternate port for one of the Web sites and then configure ISA Server to forward requests to that alternate port for the appropriate Web publishing rule.
■ In some cases, you may also need to publish a Web site with multiple virtual directories, with the virtual directories distributed across multiple Web servers. For example, www.cohovineyard.com/sales may be configured on one Web server, while www.cohovineyard.com/updates is configured on another server. Just www.cohovineyard.com may be hosted on a third Web server. To configure this, you need to configure three Web publishing rules and then use path mapping on each rule to distribute client requests to the appropriate Web server. So you need to create one Web publishing rule that will respond to requests sent to the sales virtual directory and configure the rule to forward the request to the correct Web server. You need to configure another Web publishing rule for the updates virtual directory and another for the www.cohovineyard.com site. In this case, you must ensure that the publishing rule for the www.cohovineyard.com domain is listed after the first two rules to ensure that this rule is processed last.
All these scenarios have assumed that you have a single IP address on the ISA
Server computer that is connected to the Internet. If you have multiple IP addresses
available on the ISA Server computer, you can configure multiple Web listeners and
use each of these Web listeners to configure multiple rules. As I mentioned, just
about any Web site configuration can be published using ISA Server.
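The following Python is an added example, not ISA Server's code or its administration API, that models the selection logic this lesson has built up: the listener check from the Exam Tip under Figure 8-4 (no listener on the address and port means the request is dropped before any rule is evaluated), first-match rule ordering as in the sales/updates/site scenario above, the host header substitution described in Table 8-2, and the two "Requests Appear To Come From" options. The server names, the ISA Server external address and the client address are constructed values.

```python
"""Listener-then-rule selection for published Web sites (illustrative Python;
not ISA Server code).  A request is dropped unless a Web listener owns the
destination address and port; rules are then evaluated in order and the first
match wins; the matching rule decides which Host header and which source
address the back-end server sees.  Names and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ISA_EXTERNAL_IP = "203.0.113.10"   # constructed address of the ISA Server external adapter


@dataclass(frozen=True)
class WebListener:
    name: str
    network: str                              # e.g. "External"
    ip_addresses: Optional[frozenset] = None  # None = all addresses of that network
    port: int = 80

    def accepts(self, network: str, dst_ip: str, dst_port: int) -> bool:
        if network != self.network or dst_port != self.port:
            return False
        return self.ip_addresses is None or dst_ip in self.ip_addresses


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    listener: WebListener
    internal_server: str
    public_name: Optional[str] = None     # None = "Any Domain Name"
    folder: Optional[str] = None          # e.g. "sales": only /sales and /sales/... match
    forward_original_host: bool = False   # False = substitute the internal server name
    from_original_client: bool = False    # False = requests appear to come from ISA Server

    def matches(self, host: str, path: str) -> bool:
        if self.public_name is not None and host.lower() != self.public_name.lower():
            return False
        if self.folder is None:
            return True
        folder = "/" + self.folder.strip("/").lower()
        return path.lower() == folder or path.lower().startswith(folder + "/")


@dataclass(frozen=True)
class Forwarded:
    rule: str
    server: str
    host_header: str
    source_ip: str


def route(listeners: List[WebListener], rules: List[WebPublishingRule],
          network: str, dst_ip: str, dst_port: int,
          host: str, path: str, client_ip: str) -> Optional[Forwarded]:
    # Without a listener on this address/port the request never reaches the rule base.
    if not any(l.accepts(network, dst_ip, dst_port) for l in listeners):
        return None
    for rule in rules:                      # rule order is significant: first match wins
        if rule.listener.accepts(network, dst_ip, dst_port) and rule.matches(host, path):
            return Forwarded(
                rule=rule.name,
                server=rule.internal_server,
                host_header=host if rule.forward_original_host else rule.internal_server,
                source_ip=client_ip if rule.from_original_client else ISA_EXTERNAL_IP,
            )
    return None                             # no matching rule: the request is dropped


def shadowed_rules(rules: List[WebPublishingRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule on the same
    listener already covers every request they could receive, e.g. a site-wide
    www.cohovineyard.com rule placed before its /sales and /updates rules."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            name_covers = earlier.public_name is None or (
                later.public_name is not None
                and earlier.public_name.lower() == later.public_name.lower())
            if earlier.listener == later.listener and name_covers and earlier.folder is None:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed configuration for the scenarios in this lesson.
HTTP_LISTENER = WebListener("HTTP Listener", "External")
RULES = [
    WebPublishingRule("Sales", HTTP_LISTENER, "websales.cohovineyard.internal",
                      "www.cohovineyard.com", folder="sales"),
    WebPublishingRule("Updates", HTTP_LISTENER, "webupdates.cohovineyard.internal",
                      "www.cohovineyard.com", folder="updates"),
    WebPublishingRule("Coho Vineyard Web Site", HTTP_LISTENER, "DC1.cohovineyard.com",
                      "www.cohovineyard.com", forward_original_host=True),
    WebPublishingRule("Coho Winery Web Site", HTTP_LISTENER, "DC1.cohovineyard.com",
                      "www.cohowinery.com", forward_original_host=True),
]

if __name__ == "__main__":
    print(route([HTTP_LISTENER], RULES, "External", ISA_EXTERNAL_IP, 80,
                "www.cohovineyard.com", "/sales/q1.htm", "198.51.100.7"))
    print(shadowed_rules([RULES[2], RULES[0], RULES[1]]))
```

Running `shadowed_rules` over a rule set is the check to make before applying a policy that mixes a site-wide rule with folder-specific rules: if it reports the Sales and Updates rules, the site-wide rule has been placed ahead of them and will capture their traffic, which is the misordering the Real World sidebar warns about.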
Exam Tip Any of these complicated scenarios could show up on the exam. If you see an exam question that requires access to multiple URLs, remember that you need to create multiple Web publishing rules, one for each URL, with the correct public name information. Then just
ensure that the requests from the ISA Server computer are forwarded to the appropriate Web
server, or to the appropriate Web site on the Web server.
Practice: Configuring Web Publishing Rules
In this practice, you will configure a new Web listener and then configure and test a
Web publishing rule.
Exercise 1: Configuring a New Web Listener
1. On ISA1, in the ISA Server Management Console, click Firewall Policy.
2. On the Toolbox tab, expand Network Objects, click New, and then click Web
Listener.
3. On the Welcome To The New Web Listener Wizard page, in the Web listener name
field, type HTTP Listener and then click Next.
4. On the IP Addresses page, select External and then click Next.
5. On the Port Specification page, ensure that Enable HTTP is selected and that
HTTP port is 80. Click Next.
6. On the Completing The New Web Listener Wizard page, review the configuration
and click Finish.
7. Click Apply to apply the changes.
Exercise 2: Configuring a New Web Publishing Rule
1. On the Tasks tab, click Publish a Web Server.
2. On the Welcome To The New Web Publishing Rule Wizard page, in the Web Publishing Rule Name field, type Coho Vineyard Web Site and click Next.
3. On the Select Rule Action page, ensure that the default Allow is selected. Click Next.
4. On the Select Web Site To Publish page, in the Computer Name Or IP Address
box, type DC1.cohovineyard.com. Accept the default settings for the other
options and click Next.
5. On the Public Name Details page, in the Accept Requests For drop-down list,
click This Domain Name (Type Below). In the Public Name box, type
www.cohovineyard.com and then click Next.
6. On the Select Web Listener page, click HTTP Listener from the Web listener list.
Click Next.
7. On the User Sets page, accept the default. Click Next.
8. On the Completing The New Web Publishing Rule Wizard page, review the configuration settings and click Finish.
9. Click Apply to apply the changes.
Exercise 3: Testing Internet Access to the Cohovineyard.com Web Site
1. On SERVER1, open Microsoft Internet Explorer and type www.cohovineyard.com
into the Address box.
2. The connection should be successful. Close Internet Explorer.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You are the network administrator for your organization and you use Active Directory in a single-domain environment. Your organization includes five branch
offices that need access to the Web site that is hosted on a server in the perimeter
network at your head office. These branch offices connect to the head office
through the Internet. You need to ensure that only Authenticated Users can access
the site. How will you configure ISA Server?
2. You have published your company’s Web site under the public name of
www.cohovineyard.com. The internal name of the Web server hosting the site is
WebSrv01. The site does not contain any references to other servers. What must you
configure in your Web Publishing rule to allow Internet clients to access the site
properly?
a. Configure a link translation dictionary entry to replace www.cohovineyard.com
with WebSrv01 in the HTTP request header.
b. Create a path mapping entry to map www.cohovineyard.com to WebSrv01.
c. Configure a link translation dictionary entry to replace WebSrv01 with
www.cohovineyard.com in the response header.
d. Do nothing; the required level of link translation is enabled by default.
3. You have just published two separate Web sites on one Web server by implementing Host Headers. The server is located on your perimeter network. You use ISA
Server 2004 as your external firewall. Internet clients report that they always get
the default Web site on the server, regardless of which of the two URLs they enter into
their Web browser. What is the problem and how will you fix it?
8-32
Chapter 8
Implementing ISA Server Publishing
Lesson Summary
■ Web publishing rules map incoming requests to the appropriate Web servers
located on the internal or perimeter network. Web publishing rules determine
how ISA Server will intercept incoming requests for HTTP objects on a Web server,
and how ISA Server will respond on behalf of the Web server.
■ A Web listener is an ISA Server configuration object that defines how the
ISA Server computer listens for HTTP requests and SSL requests. The Web listener
defines the IP address and the port number on which ISA Server listens for client
connections.
■ Path mapping is an ISA Server feature that enables ISA Server to redirect user
requests to multiple internal Web servers or to multiple locations on the same Web
server.
■ Link translation is an ISA Server configuration object that enables ISA Server to
replace internal server names on Web pages with server names that are accessible
from the Internet. ISA Server provides several levels of link translation functionality so that you can provide the appropriate level of link connectivity.
■ To configure a new Web publishing rule, use the New Web Publishing Rule Wizard.
Lesson 3: Configuring Secure Web Publishing Rules
Secure Web publishing provides an additional layer of security when publishing an
internal Web site by enabling the option to use SSL to encrypt all network traffic to and
from the Web site. Secure Web publishing is critical when securing Web sites that contain confidential information, or when the Web site asks clients to submit confidential
information such as credit-card numbers. This lesson describes how to configure
secure Web publishing.
After this lesson, you will be able to
■ List the components of a secure Web publishing rule configuration
■ Install digital certificates on ISA Server
■ Describe SSL bridging
■ Describe SSL tunneling
■ Configure secure Web publishing rules
Estimated lesson time: 45 minutes
Components of a Secure Web Publishing Rule Configuration
Secure Web publishing rules are a special type of Web publishing rule. Because of this,
many of the same configuration options apply to both types of rules. The most important additional configuration you must address is how to configure SSL for the secure
Web publishing rule.
What Is Secure Sockets Layer?
Secure Sockets Layer (SSL) is used to validate the identities of two computers involved
in a connection across a public network, and to ensure that the data sent between the
two computers is encrypted. To do this, SSL uses digital certificates and public and private keys. SSL enables the following features:
■ Server authentication Server authentication allows a client to confirm a server’s
identity. SSL-enabled client software can use standard techniques of public-key
cryptography to check that a server’s certificate and public ID are valid and have
been issued by a certificate authority (CA) that the client is configured to trust.
■ Client authentication Client authentication allows a server to confirm a user’s
identity. Using the same techniques as those used for server authentication,
SSL-enabled server software can check that a client’s certificate and public ID are
valid and have been issued by a CA listed in the server’s list of trusted CAs. Client
authentication is optional for most secure Web sites.
■ Encrypted SSL connections All network traffic, including the confidential parts
of the authentication process, is sent using an encrypted SSL connection that is
created between the client and server. In addition, the client and server will automatically detect if the data sent over an encrypted SSL connection has been altered
in transit.
See Also
SSL requires the use of digital certificates and public and private keys that are
issued by a CA. To understand how these components work together, you need to understand Public Key Infrastructure (PKI) concepts. For detailed information about PKI, see the
technical reference named PKI Technologies located at http://www.microsoft.com/resources/
documentation/WindowsServ/2003/all/techref/en-us/W2K3TR_sec_pki_over.asp.
SSL Configuration Options
As you prepare to implement secure Web publishing rules, you need to decide how
you want to configure SSL on ISA Server. ISA Server supports two SSL configurations:
■ SSL tunneling With SSL tunneling, the SSL connection is set up directly between
the client computer and the Web server. In this scenario, the ISA Server computer
does not encrypt or decrypt the network packets but merely forwards encrypted
packets between the client and the Web server. ISA Server cannot inspect the content of the packets because the contents are encrypted as they pass through the
ISA Server computer.
■ SSL bridging With SSL bridging, the ISA Server computer acts as the end point
for one or more SSL connections. The network packets can still be encrypted from
the Web client to the Web server; however, in an SSL bridging scenario, the
ISA Server computer will decrypt network traffic from the client computer and
then re-encrypt it before sending it to the Web server. The ISA Server computer
will accept the encrypted reply packets from the Web server, decrypt them, and
then encrypt the packets again before sending them back to the client. ISA Server
can be configured to require SSL connections from clients, or SSL connections
when connecting to the Web server, or both. In an SSL bridging scenario, ISA Server
can inspect the HTTP packets while they are not encrypted.
Enabling SSL on ISA Server
Before you can enable SSL in a secure Web publishing scenario, you must obtain one
or more digital server certificates issued by a CA. The number and placement of the
digital certificates depends on what SSL configuration option you choose. Follow these
guidelines:
■ If you plan to use SSL in an SSL tunneling configuration, you must install a digital
certificate only on the Web server. The Web server and the client will use this certificate and the associated keys to create the SSL connection.
■ If you plan to use SSL in an SSL bridging configuration, you must install a digital
certificate on the ISA Server computer, and possibly on the Web server. To create an SSL connection with the client, the ISA Server computer must have a certificate installed. If you are also configuring an SSL connection between the ISA
Server computer and the published Web server, then the Web server must have
a certificate installed.
■ If you require client certificates, you also need to install digital certificates on each
client computer. In this configuration, the ISA Server computer or the Web server
will use the client certificate to authenticate the client.
Planning
If you plan to implement client certificates, ensure that you have an efficient process in place for issuing and managing client certificates. Each client certificate must be
stored on the client computer or on a device like a smart card. In large organizations with
thousands of client computers, distributing and managing the client certificates can be a
great deal of work. However, client certificates do provide an extra level of security if you have
a Web site that requires a very high level of security.
The most important decision that you need to make when obtaining the server certificates is deciding from where you will get the certificates. You have essentially two
choices: you can obtain server certificates from a commercial CA, or you can deploy a
CA inside your organization and use it to issue the server certificates. Both Microsoft
Windows 2000 Server and Microsoft Windows Server 2003 include a Certificate Services
component that you can use to create a CA.
Creating your own CA and using it to issue the server certificates has a couple of
advantages. First, if you use the Certificate Services included with Windows Server, you
do not have to pay for the Certificate Server software or any of the certificates. Second,
if you install your own CA, you have complete control of issuing and managing the
certificates.
Security Alert If you do decide to deploy your own CA infrastructure, you need to ensure
that your CA infrastructure is very secure. If an attacker can ever compromise your root CA, or
obtain a subordinate CA certificate from the root CA, every certificate issued by the CA
becomes suspect. If this happens, you will need to rebuild your entire CA infrastructure and
reissue all client certificates.
Despite these advantages, however, you probably should not use your own CA to issue
certificates for your ISA Server or public Web server. This is especially true if users from
outside your organization will be accessing the Web site. The reason for this is that the
client software will not be configured to trust your internal CA and the users will get an
error message every time they access your Web site. PKI is built on the concept of trust;
when a client computer connects to a Web server, the client checks to see if it trusts the
CA that issued the server certificate. If the client is configured to trust the CA, then the
SSL negotiation begins. If the client is not configured to trust the CA, the user will
receive an error message, or the connection will fail. Most Web browsers are preconfigured with certificates for the most popular commercial CAs.
Planning
Using an Enterprise CA installed on Windows Server 2003 or Windows 2000
Server can greatly simplify the process of managing certificates. The Enterprise CA requires,
and is tightly integrated with, Active Directory. You can configure policies in Active Directory
that automate the process of issuing and renewing certificates. Moreover, certificates issued
to domain users are stored in Active Directory so the public keys can easily be retrieved by
other clients. If you are running Active Directory, and only internal clients will connect to your
ISA Server or Web servers, an Enterprise CA can greatly simplify your certificate management
processes.
How to Install Digital Certificates on ISA Server
Once you have decided where you will get the certificate from, the next step is obtaining and installing the server certificate on ISA Server. Depending on the required configuration, you may also need to install a certificate on the internal Web server.
The procedure for installing a server certificate on the computer running ISA Server
varies depending on the CA you are using and on the ISA Server computer configuration, as follows:
■ If you use an internal CA that provides a Web site for clients to obtain certificates,
you can connect to the Web site from the ISA Server computer and apply for and
install the certificate. You will complete this procedure in the practice that follows
this lesson.
■ If you use an external CA, you need to create a certificate request and forward it
to the external CA. You can create the certificate request on the server running
ISA Server. However, this requires that IIS be installed on the computer running
ISA Server. This is not recommended, so you should prepare the request on the
Web server computer, install the certificate on the Web server computer, and then
export it and import it to the ISA Server computer.
See Also
For more information about how to request and install a certificate from a commercial CA, see the Knowledge Base article, Generating a Certificate Request File Using the
Certificate Wizard in IIS 5.0, located at http://support.microsoft.com/kb/228821/EN-US and
the Knowledge Base article named Installing a New Certificate with Certificate Wizard for Use
in SSL/TLS, located at http://support.microsoft.com/kb/228836/EN-US.
When you request the certificate, the name on the certificate must be the FQDN that
users use to access the Web site. For example, if you are deploying the certificate on an
ISA Server computer named ISA1.cohovineyard.com, but users will be using an FQDN
of secure.cohovineyard.com to connect to the server, the certificate name must be
secure.cohovineyard.com. If the common name on the certificate does not match the
FQDN used by client computers to access the Web site, clients will receive an error
message when they send HTTPS requests.
If you plan to use SSL tunneling or if you plan to configure a secure connection
between the ISA Server computer and the Web server, you will need to request and
install a server certificate on the Web servers. The name on the certificate must be the
FQDN that ISA Server uses to access the Web site. For example, if the Web publishing
rule specifies Web1.cohovineyard.com as the internal server name, then this must be
the FQDN on the certificate. This must also be the FQDN used by clients to connect to
the server in an SSL tunneling scenario. You must install this certificate before the Web
servers can accept SSL tunneling connections and before the Web servers can accept
secure connections from ISA Server.
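The name check that an SSL client performs on the certificate it receives, as an added example that is not code from the training kit or from ISA Server. It uses the certificate layout that Python's ssl.SSLSocket.getpeercert() returns; every certificate in it is constructed sample data, and the address 10.0.0.5 is a placeholder.

```python
"""Server-certificate name check as an SSL client performs it.

Added example; not code from the training kit or from ISA Server. It models the
rule in the lesson: the name on the certificate must be the FQDN the connecting
side uses (users for the ISA Server certificate, ISA Server for the Web server
certificate on a bridged hop). Certificates use the dictionary layout that
Python's ssl.SSLSocket.getpeercert() returns; all of them are constructed sample
data with no key material.
"""


def certificate_dns_names(cert):
    """Return the DNS names a certificate claims.

    subjectAltName DNS entries take precedence; the subject commonName is used
    only when the certificate has no DNS SAN, as with the CN-only certificate
    requested in this lesson's practice.
    """
    san_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if san_names:
        return san_names
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a leading '*' label matching exactly
    one label: *.cohovineyard.com covers secure.cohovineyard.com but neither
    cohovineyard.com nor a.b.cohovineyard.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels == h_labels:
        return True
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def check_certificate_name(cert, requested_fqdn):
    """Return (ok, claimed_names); ok is False exactly when a client would show
    the certificate-name error the lesson describes."""
    names = certificate_dns_names(cert)
    return any(name_matches(name, requested_fqdn) for name in names), names


# Constructed sample certificates: subject and SAN only, no keys.
ISA_MACHINE_CERT = {  # issued to the ISA Server computer's own name
    "subject": ((("commonName", "ISA1.cohovineyard.com"),),),
}
PUBLIC_NAME_CERT = {  # issued to the name users type into the browser
    "subject": ((("commonName", "secure.cohovineyard.com"),),),
}
WILDCARD_CERT = {  # a SAN wildcard, as a commercial CA might issue
    "subject": ((("commonName", "cohovineyard.com"),),),
    "subjectAltName": (("DNS", "*.cohovineyard.com"),),
}
WEB1_CERT = {  # for the ISA Server-to-Web server hop in SSL bridging
    "subject": ((("commonName", "Web1.cohovineyard.com"),),),
}


if __name__ == "__main__":
    cases = [
        ("client to ISA Server", ISA_MACHINE_CERT, "secure.cohovineyard.com"),
        ("client to ISA Server", PUBLIC_NAME_CERT, "secure.cohovineyard.com"),
        ("client to ISA Server", WILDCARD_CERT, "secure.cohovineyard.com"),
        ("ISA Server to Web server", WEB1_CERT, "Web1.cohovineyard.com"),
        # placeholder address: a rule that names the server by IP, not FQDN
        ("ISA Server to Web server", WEB1_CERT, "10.0.0.5"),
    ]
    for hop, cert, fqdn in cases:
        ok, names = check_certificate_name(cert, fqdn)
        verdict = "ok" if ok else "name mismatch, client shows a warning"
        print(f"{hop:25} {fqdn:25} certificate names {names}: {verdict}")
```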
How to Configure SSL Bridging
One of the options that ISA Server provides for securing network traffic is SSL bridging.
SSL bridging means that the ISA Server computer operates as the end point for an SSL
connection. The SSL connection could be between ISA Server and the client or
between ISA Server and the internal Web server. The primary benefit of using SSL
bridging is that it enables application filtering of SSL traffic.
How SSL Bridging Works
SSL bridging is used when ISA Server ends or initiates an SSL connection. This connection can be with the client computer, with the internal Web server, or both.
A common scenario in which SSL bridging is used is in a Web publishing scenario. The
scenario works as follows:
1. An external client uses HTTPS to request an object from a Web server located on
the internal network. By default, the client connects to ISA Server on the standard
SSL port, Port 443. ISA Server responds with a server-side SSL certificate to the client and the client authenticates the server. After authentication, the client and
server create a secure encryption channel.
2. ISA Server accepts the client’s request and decrypts it, terminating the SSL connection. ISA Server inspects the client request to ensure that the request is not blocked
by a firewall access rule. If the request is not blocked, ISA Server continues processing the request. If ISA Server is configured to enable caching, and the object
is in the cache, ISA Server returns the object to the client.
3. If the object is not in the cache, ISA Server forwards the request to the internal
Web server specified in the Web publishing rule. The Web publishing rule also
defines how ISA Server communicates the request to the published Web server
(FTP, HTTP, or SSL). If the secure Web publishing rule is configured to forward the
request using HTTPS, ISA Server initiates a new SSL connection with the Web
server, sending a request to Port 443. Because the ISA Server computer is now an
SSL client, the Web server responds with a server-side certificate.
4. After the SSL connection has been created, the Web server responds by sending
the requested object back to ISA Server.
5. ISA Server receives the object and decrypts it. At this point, ISA Server inspects
the information based on the firewall access rules and the HTTP policy. If the
reply is acceptable, ISA Server then encrypts the object again and passes it to the
requesting client.
One of the important benefits of using SSL bridging is that it allows stateful inspection
of SSL connections and application-layer filtering of the contents of HTTPS packets.
Because ISA Server decrypts each packet, it can inspect the application-layer data
before re-encrypting the packet. This prevents attackers from hiding malicious code
inside SSL packets. The most significant disadvantage with using SSL bridging is that
encrypting and decrypting network traffic is CPU-intensive, so the ISA Server computer
performance may be affected.
SSL Bridging Options
You can configure the SSL bridging options when you configure a secure Web publishing rule or you can change the Web publishing rule after the initial configuration.
ISA Server supports three SSL bridging options:
■ SSL bridging from ISA Server to the client A client requests an SSL object.
ISA Server decrypts the request and forwards it to the Web server. The Web server
returns the HTTP object to ISA Server. ISA Server encrypts the object and sends it
to the client. In this scenario, SSL is used to secure only the connection between
ISA Server and the client.
■ SSL bridging from ISA Server to the Web server A client requests an HTTP
object from an internal Web server. ISA Server accepts the request, encrypts it, and
forwards it to the Web server. The Web server returns an encrypted object to
ISA Server. Then, ISA Server decrypts the object and sends it to the client. In this
scenario, SSL is used to secure only the connection between ISA Server and the
Web server.
■ SSL bridging from client to Web Server The client requests an SSL object.
ISA Server decrypts the request, and then encrypts it again and forwards it to the
Web server. The Web server returns the encrypted object to ISA Server. ISA Server
decrypts the object and then encrypts it again and sends it to the client. In this scenario, SSL is used to encrypt all connections.
How to Configure SSL Tunneling
In an SSL tunneling scenario, ISA Server does not encrypt or decrypt packets, but simply forwards SSL packets from the client to the Web server. SSL tunneling means that
ISA Server does not need to decrypt SSL packets, but it also means that the encrypted
packets cannot be inspected by ISA Server.
How SSL Tunneling Works
In SSL tunneling mode, a client can establish a tunnel through the computer running
ISA Server directly to the internal Web server. In tunneling mode, the connection
between the client and the Web server is encrypted. Because ISA Server does not
decrypt the packet, it cannot inspect the application-layer contents of the packet. SSL
tunneling can also be used in a Web publishing scenario as follows:
1. An external client uses HTTPS to request an object from a Web server located on
the internal network. The request is sent to an external IP address on the
ISA Server computer.
2. ISA Server checks the Web publishing rule for the request. If the rule specifies SSL
tunneling mode, ISA Server forwards the request to the internal Web server without decrypting the packet.
3. The Web server responds with a server-side SSL certificate to the client and the
client authenticates the server. After authentication, the client and server create a
secure encryption channel.
4. The Web server then encrypts the requested object and sends it to ISA Server,
which forwards it to the client.
Note
You can configure SSL tunneling only when you initially create the secure Web publishing rule. When you configure SSL tunneling for a secure Web publishing rule using the ISA
Server Wizard, you are actually configuring a server publishing rule that uses HTTPS. For more
details on this, see the section “How to Publish a Web Server,” later in this chapter.
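The three SSL bridging options and SSL tunneling described above, worked as a planning check that returns which certificates a rule needs (and with which name) and whether ISA Server has plaintext to apply HTTP policy to. This is an added example, not code from the training kit or from ISA Server; the mode identifiers and the CertificateNeed record are its own, and the host names are the lesson's.

```python
"""Certificate placement and inspection capability per SSL publishing mode.

Added example, not code from the training kit or from ISA Server. It encodes
the lesson's guidelines for the three SSL bridging modes and for SSL tunneling:
which hop carries SSL, whether ISA Server has plaintext to apply HTTP policy to,
and which certificate, carrying which name, must be installed on which computer.
The mode identifiers and the CertificateNeed record are this example's own; the
host names are the lesson's.
"""
from dataclasses import dataclass

# mode -> (client-to-ISA hop uses SSL, ISA-to-Web-server hop uses SSL,
#          ISA Server is an SSL end point rather than a pass-through)
MODES = {
    "bridge-to-clients": (True, False, True),
    "bridge-to-web-server": (False, True, True),
    "bridge-to-both": (True, True, True),
    "tunnel": (True, True, False),
}


@dataclass(frozen=True)
class CertificateNeed:
    installed_on: str  # computer that holds the certificate and private key
    subject_name: str  # name the certificate must carry
    reason: str


def plan_secure_publishing(mode, public_fqdn, internal_server_name,
                           require_client_certs=False):
    """Return (isa_can_inspect_http, [CertificateNeed, ...]) for one rule."""
    client_ssl, web_ssl, isa_is_endpoint = MODES[mode]
    needs = []
    if client_ssl and isa_is_endpoint:
        # ISA Server answers the client's HTTPS request itself, so the name
        # must be the one users type, not the ISA Server computer's own name.
        needs.append(CertificateNeed("ISA Server", public_fqdn,
                                     "terminates the client SSL connection"))
    if web_ssl:
        # Bridging: ISA Server is the SSL client and checks the name given in
        # the rule. Tunneling: the real client reaches the Web server end to
        # end, so the Web server certificate must carry the public FQDN.
        if isa_is_endpoint:
            needs.append(CertificateNeed("Web server", internal_server_name,
                                         "accepts SSL from ISA Server"))
        else:
            needs.append(CertificateNeed("Web server", public_fqdn,
                                         "accepts tunneled SSL from clients"))
    if require_client_certs:
        if not client_ssl:
            raise ValueError("client certificates need an SSL connection "
                             "from the client; this mode uses plain HTTP")
        verifier = "ISA Server" if isa_is_endpoint else "Web server"
        needs.append(CertificateNeed("each client", "<user or computer>",
                                     f"client authentication by {verifier}"))
    # HTTP policy and application filtering need plaintext, which ISA Server
    # has only when it is an SSL end point (bridging), never when tunneling.
    return isa_is_endpoint, needs


if __name__ == "__main__":
    # The lesson's practice: SSL to clients only, Web server DC1 over HTTP.
    can_inspect, needs = plan_secure_publishing(
        "bridge-to-clients", "secure.cohovineyard.com", "DC1.cohovineyard.com")
    print("ISA Server can apply HTTP policy:", can_inspect)
    for need in needs:
        print(f"  {need.installed_on}: certificate for {need.subject_name} "
              f"({need.reason})")
```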
How to Configure a New Secure Web Publishing Rule
To configure a new secure Web publishing rule, complete the following procedure:
1. To configure a secure Web publishing rule that will require the ISA Server to terminate the client SSL connection, you must first install a server certificate on the
ISA Server computer.
2. After installing the server certificate, create or configure a Web listener that will listen for SSL connections. When you configure the Web listener to listen for SSL
connections, you need to configure the server certificate that ISA Server will use
when responding to client SSL requests.
3. In the ISA Server Management Console, click Firewall Policy. On the Tasks tab,
click Publish A Secure Web Server.
4. On the Welcome To The SSL Web Publishing Rule Wizard page, in the SSL Web
Publishing Rule name field, type a rule name and click Next.
5. On the Publishing Mode page, shown in Figure 8-15, configure the publishing
mode to use either SSL bridging or SSL tunneling.
Figure 8-15 Choosing an SSL publishing mode
6. On the Select Rule Action page, ensure that the default Allow is selected. Click
Next.
7. On the Bridging Mode page, shown in Figure 8-16, choose one of the following
options:
❑ Secure Connection To Clients—When you select this mode, ISA Server establishes a secure HTTPS connection with the client, but forwards the request as
standard HTTP to the published Web server.
❑ Secure Connection To Web Server—When you select this mode, ISA Server
establishes a standard HTTP connection with the client, but forwards the
request as secure HTTPS to the published Web server.
❑ Secure Connection To Client And Web Server—When you select this mode,
ISA Server establishes a secure HTTPS connection with the client, and also
forwards the request as secure HTTPS to the published Web server.
Figure 8-16 Choosing an SSL bridging mode
8. The remaining steps in the wizard are almost identical to the steps for configuring
a Web publishing rule. The only difference is that you need to choose or create a
Web listener that listens for SSL requests.
You can modify the SSL bridging configuration for the secure Web publishing rule after
you create the Web publishing rule. If you decide that you no longer need SSL connections between the ISA Server computer and the client computers, change the Web listener to support HTTP rather than HTTPS connections. If you decide to change the SSL
configuration for the ISA Server to Web server connection, access the Bridging tab on
the Web Publishing Rule Properties dialog box, shown in Figure 8-17. On this tab, if
you choose the option Redirect Requests To SSL Port, the connection between the ISA
Server computer and the Web server will be secured. If the Web server is configured to
require client certificates, you must also select Use a Certificate to Authenticate to the
SSL Web Server, and select a certificate that ISA Server will use to authenticate to the
Web server.
Figure 8-17 The Bridging tab of the Web Publishing Rule Properties dialog box
Tip
Notice that the SSL settings are configured on each publishing rule. This means that
you have a great deal of flexibility about how you will deploy SSL. You can have one Web publishing rule that requires SSL connections to both client and server, and have another rule
that requires only SSL connections between the ISA Server and the client computers. If you
have multiple Web listeners (which requires multiple IP addresses on the relevant network),
you can even use different certificates to authenticate the ISA Server computer.
Practice: Configuring Secure Web Publishing Rules
In this practice, you will configure a secure Web Publishing rule. This publishing rule
will require SSL connections from the client computer to the ISA Server, but not SSL
connections from the ISA Server to the Web server (DC1.cohovineyard.com). To begin,
install an Enterprise CA on DC1.cohovineyard.com. Then use the Certification Authority to issue a certificate for the ISA Server computer. Once the certificate is in place, you
will configure and test the secure Web publishing rule.
Exercise 1: Installing an Enterprise CA
1. On DC1, log on as an Administrator.
2. Open Control Panel and open Add Or Remove Programs.
3. Click Add/Remove Windows Components. On the Components list, click Certificate Services.
4. In the Microsoft Certificate Services warning box, click Yes and then click Next.
5. On the CA Type page, click Enterprise Root CA and then click Next.
6. On the CA Identifying Information Page, type Coho Vineyards CA as the common name for the CA and click Next.
7. On the Certificate Database Settings page, click Next.
8. Click OK to clear the warning message, and then wait for the installation to finish.
You may need to provide the Windows Server 2004 installation CD to complete
the installation.
9. When the installation completes, click Finish.
Exercise 2: Enabling Access to the Certification Authority Web Site
By default, the system policy on ISA Server prevents you from accessing the certificate
services Web site on DC1. Therefore, you have to change the system policy before you
can access the Web server to obtain the certificate.
1. On ISA1, open the ISA Server Management Console if necessary, and click Firewall Policy.
2. On the Tasks tab, click Edit System Policy.
3. In the System Policy Editor dialog box, in Configuration Groups, click Allowed Sites.
4. On the To tab, click System Policy Allowed Sites and then click Edit.
5. Click New, and type *.cohovineyard.com.
6. Click OK and then click OK again to close the System Policy Editor.
7. Click Apply to apply the changes.
Exercise 3: Installing a Certificate on ISA Server
1. On ISA1, open Internet Explorer.
2. In the Address bar, type http://DC1.cohovineyard.com/certsrv.
3. Log on as cohovineyard\administrator with the appropriate password.
4. On the Welcome page, under Select A Task, click Request A Certificate.
5. On the Request A Certificate page, click Advanced Certificate Request.
6. On the Advanced Certificate Request page, click Create And Submit A Request To
This CA.
7. On the Advanced Certificate Request page, in the Certificate Template drop-down
list, click Web Server. Complete the form using the following information:
❑ Name: Secure.cohovineyard.com
❑ E-Mail: [email protected]
❑ Company: Coho Vineyard
❑ Country/Region: US
8. Under Key Options, select Store Certificate In The Local Computer Certificate
Store.
9. Submit the request by clicking Submit. Review the two warning dialog boxes that
appear, and click Yes for both.
10. Click Install This Certificate. Review the warning dialog box that appears, and then
click Yes. When you receive the message that the certificate is successfully
installed, close Internet Explorer.
Exercise 4: Configuring a New Secure Web Publishing Rule
1. In the ISA Server Management Console, ensure that Firewall Policy is selected
under the ISA1 node.
2. On the Tasks tab, click Publish A Secure Web Server.
3. On the Welcome To The SSL Web Publishing Rule Wizard page, in the SSL Web
Publishing Rule name field, type Coho Vineyard Secure Site and click Next.
4. On the Publishing Mode page, accept the default configuration of SSL Bridging
and click Next.
5. On the Select Rule Action page, ensure that the default Allow is selected. Click Next.
6. On the Bridging Mode page, click Secure Connection To Clients. Click Next.
7. On the Select Web Site To Publish page, in the Computer Name or IP Address box,
type DC1.cohovineyard.com. Accept the default settings for the other options
and click Next.
8. On the Public Name Details page, ensure This Domain Name (Type Below) is
selected in the Accept Requests From box. Then, in the Public Name box, type
Secure.cohovineyard.com. Click Next.
9. On the Select Web Listener page, click New to create a Web listener.
10. On the Welcome To The New Web Listener Wizard page, in the Web Listener
Name field, type HTTPS Listener and click Next.
11. On the IP Addresses page, click External and then click Next.
12. On the Port Specification page, clear the check box for Enable HTTP and select
the check box for Enable SSL. Ensure that the SSL port is 443. Click Select.
13. In the Select Certificate dialog box, select the certificate issued by the Coho
Vineyards CA and then click OK.
14. Click Next.
15. On the Completing The New Web Listener Wizard page, review the configuration
and click Finish.
16. On the Select Web Listener page, click Next.
17. On the User Sets page, accept the default, All Users. Click Next.
18. On the Completing The New SSL Web Publishing Rule Wizard page, review the
configuration settings, and click Finish.
19. Click Apply to apply the changes.
Exercise 5: Testing the Secure Web Publishing Rule
1. On SERVER1, open Internet Explorer and type https://secure.cohovineyard.com
into the Address box.
Exam Tip
You should get a Security Alert message stating that the certificate used by the
Web server was issued by a Certification Authority that you have not chosen to trust. This is
the warning message other clients would receive if they connect to your Web site and you
have used an internal CA. Click Yes to continue. Remember this warning message for the
exam.
2. The connection should be successful.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. True or False? ISA Server 2004 always requires a digital server certificate to be
installed in order for Internet clients to connect to a Web site using SSL.
2. You publish two Web sites in your perimeter network. You need to configure
secure access to both of them. There are many domain laptop users in your organization who work from the office and from home. You must ensure that only
users who can authenticate to your domain from the Internet can get to one site,
but allow public access to the other. You have installed Microsoft Certificate Server
as an Enterprise Root Authority. What else must you do?
3. You are publishing a secure Web site that hosts a Web application that requires the
actual IP address of the requesting client. You have installed a commercial CA certificate on the ISA Server computers. Users report that although they are able to
establish a session to the Web site, they cannot use the application. How will you
address this problem?
Lesson Summary
■ Secure Web publishing rules are a special type of Web publishing rules that use
SSL to encrypt traffic between the server and client. When you configure a Secure
Web publishing rule, you need to decide how you are going to configure SSL.
Before you can use SSL, you must install a server certificate on ISA Server.
Depending on the required configuration, you may also need to install a certificate
on the internal Web server.
■ SSL bridging means that the ISA Server computer operates as the end point for an
SSL connection. The SSL connection could be between ISA Server and the client or
between ISA Server and the internal Web server. ISA Server supports three SSL
bridging options: SSL bridging from ISA Server to the client, SSL bridging from
ISA Server to the Web server, and SSL bridging from client to Web Server.
■ In SSL tunneling mode, a client establishes a tunnel through the computer running
ISA Server directly to the internal Web server. Because ISA Server does not decrypt the
packet, it cannot inspect the application-layer contents of the packet.
■ Configuring a secure Web publishing rule is similar to configuring a Web publishing
rule. The primary differences are that you need to use a Web listener that is
enabled for SSL, and you need to choose an SSL tunneling or bridging mode.
Lesson 4: Configuring Server Publishing Rules
Web publishing rules are used on ISA Server to enable access to HTTP and HTTPS content on internal Web servers. Server publishing rules are used to enable access to internal applications that use other protocols. Server publishing is a secure and flexible way
to publish the content or services provided by internal servers to the Internet. This lesson describes how to configure server publishing.
After this lesson, you will be able to
■ List the server publishing rule configuration options
■ Configure a new server publishing rule
■ Implement server publishing rules to publish various services
■ Troubleshoot Web and server publishing
Estimated lesson time: 45 minutes
Components of a Server Publishing Rule Configuration
Server publishing rules are used on ISA Server to map a port number on an external
interface of the ISA Server computer to the IP address of an internal server providing
a specific service. When ISA Server receives a request on the external IP address for a
specific port, it passes the request to the internal server defined on the server
publishing rule.
ISA Server performs the following steps when a client accesses a server that is published using a server publishing rule:
1. A client computer on the Internet needs to access an application server on a network protected by the ISA Server computer. In most cases, the client computer
will perform a DNS lookup to locate the IP address for the server that is providing
the service. The IP address provided to the clients is the IP address of the external
network interface of the ISA Server computer. The client request is sent to the IP
address.
2. ISA Server checks the destination port number and then uses the server publishing
rule to map the request to an IP address of an internal server. The request is forwarded to the internal server.
3. The internal server returns the object to the ISA Server computer, which passes it
on to the requesting client.
8-48
Chapter 8
Implementing ISA Server Publishing
When you configure server publishing rules, you need to configure the components
listed in Table 8-3.
Table 8-3 Server Publishing Rule Configuration Options
(Configuration Option: Explanation)

Action: Enables a server publishing rule to be configured to allow or deny network traffic that matches the publishing rule.
Traffic: Defines the protocol that is allowed by this server publishing rule. Each server publishing rule can enable only one protocol.
Traffic source: Defines the network objects that can access the published server. You can limit access to the published server based on networks, network sets, computers, computer sets, address ranges, or subnets.
Traffic destination: Defines the IP address of the published server. You can also configure whether the client requests will appear to come from the client computer or from ISA Server. On a server publishing rule, the default is that the client requests appear to come from the original client.
Networks: Defines the network on which ISA Server will listen for connections on the protocol port. You can also configure ISA Server to listen on all IP addresses on the specified network, or only on specific IP addresses.
Schedule: Defines when the server publishing rule will be active.
Port Override Options
When you create a server publishing rule, ISA Server listens for client requests on the
default port for that protocol. However, you can modify the ports used by ISA Server.
For example, you can configure the server publishing rule for FTP services to listen for
client connections on Port 2121 rather than on Port 21. You can also specify that ISA
Server redirect the client request to an alternate port number on the internal server.
You could configure ISA Server to send all FTP requests to Port 2111 on the internal
server (assuming that the internal FTP server has been modified to provide FTP services on that port). In either case, ISA Server receives client requests for the published
service on the firewall port specified, and then forwards requests to the designated port
on the published server.
Tip
The port override option can be useful when multiple services are using the same
default port number on one ISA Server. For example, you can publish one FTP server on the
default port for one set of users, and publish another FTP server on another, nonstandard
port for a different set of users.
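As an added illustration (not code from the training kit), the following Python model shows how the components in Table 8-3 and the port override options combine to decide where a request arriving on the external interface is sent. The addresses, rule names, and the ordered first-match evaluation ending in a deny are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default ports of the protocol definitions used in this model (well-known values).
DEFAULT_PORTS = {
    "FTP Server": 21,
    "HTTPS Server": 443,
    "IMAP4 Server": 143,
    "IMAPS Server": 993,
    "RDP (Terminal Services) Server": 3389,
}


@dataclass
class ServerPublishingRule:
    """The components of Table 8-3 plus the port overrides of the Ports dialog box."""
    name: str
    protocol: str                      # Traffic: exactly one protocol per rule
    published_server: str              # Traffic destination: internal server IP
    listen_ips: frozenset              # Networks: external IPs ISA Server listens on
    action: str = "allow"              # Action: allow or deny
    sources: tuple = ("0.0.0.0/0",)    # Traffic source: address ranges allowed in
    firewall_port: Optional[int] = None   # Publish On This Port Instead Of On The Default Port
    server_port: Optional[int] = None     # Send Requests To This Port On The Published Server
    source_ports: tuple = (1, 65535)      # Limit Access To Traffic From This Range Of Source Ports
    preserve_client_ip: bool = True       # default: requests appear to come from the client

    def listen_port(self) -> int:
        return self.firewall_port or DEFAULT_PORTS[self.protocol]

    def target_port(self) -> int:
        return self.server_port or DEFAULT_PORTS[self.protocol]

    def matches(self, dst_ip, dst_port, src_ip, src_port) -> bool:
        if dst_ip not in self.listen_ips or dst_port != self.listen_port():
            return False
        if not any(ip_address(src_ip) in ip_network(n) for n in self.sources):
            return False
        low, high = self.source_ports
        return low <= src_port <= high


def publish(rules, dst_ip, dst_port, src_ip, src_port, isa_internal_ip):
    """Decide what ISA Server does with a request that arrived on its external interface.

    Rules are evaluated in order and the first match wins; with no match the
    firewall's default rule denies the traffic (modelling assumption).
    """
    for rule in rules:
        if not rule.matches(dst_ip, dst_port, src_ip, src_port):
            continue
        if rule.action == "deny":
            return {"action": "deny", "rule": rule.name}
        return {
            "action": "allow",
            "rule": rule.name,
            "forward_to": (rule.published_server, rule.target_port()),
            # what the published server sees as the source of the request
            "seen_from": src_ip if rule.preserve_client_ip else isa_internal_ip,
        }
    return {"action": "deny", "rule": None}


# Constructed sample: one external IP (documentation range) and two FTP rules.
# The second rule listens on a nonstandard firewall port, forwards to a
# nonstandard server port and is limited to one address range, as in the Tip above.
EXTERNAL_IP = "198.51.100.5"
ISA_INTERNAL_IP = "10.10.0.1"
SAMPLE_RULES = [
    ServerPublishingRule("Public FTP", "FTP Server", "10.10.0.10",
                         frozenset({EXTERNAL_IP})),
    ServerPublishingRule("Developer FTP", "FTP Server", "10.10.0.20",
                         frozenset({EXTERNAL_IP}), sources=("203.0.113.0/24",),
                         firewall_port=2121, server_port=2111,
                         preserve_client_ip=False),
]

if __name__ == "__main__":
    for src, port in (("192.0.2.7", 21), ("192.0.2.7", 2121), ("203.0.113.9", 2121)):
        print(src, port, publish(SAMPLE_RULES, EXTERNAL_IP, port, src, 50000, ISA_INTERNAL_IP))
```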
SSL for Server Publishing
Server publishing rules use SSL in the same way that Web publishing rules use SSL tunneling. When a client connects to ISA Server using SSL with a protocol other than
HTTP, ISA Server simply redirects the SSL connection to the internal server. The client
computer will establish the SSL connection directly with the internal server, not with
ISA Server.
Note
ISA Server does not support SSL bridging when configuring a server publishing rule.
SSL bridging is available only when publishing Web servers using a secure Web publishing
rule.
There is little configuration required on ISA Server to enable SSL for server publishing.
To enable secure server publishing, you need only configure the server publishing rule
to use a secure protocol. For example, to enable SSL access to an IMAP server, you just
configure the server publishing rule to allow the secure IMAP (IMAPS) Server protocol
rather than the IMAP4 Server protocol. This means that ISA Server will listen for client
connections on Port 993 rather than on Port 143. You do not need to configure a server
certificate on ISA Server, but you do need to configure a server certificate on the internal server providing this service.
How to Configure a Server Publishing Rule
To configure a new server publishing rule, complete the following procedure:
1. Ensure that the internal server that you are publishing is correctly configured. The
server must be configured as a SecureNAT client and have the required service
installed and configured.
Exam Tip
If a server publishing rule looks like it is configured properly, but users still cannot access the server, check the server IP address configuration. The published server must
be a SecureNAT client.
2. Open the ISA Server Management Console, and click Firewall Policy.
3. On the Tasks tab, click Create New Server Publishing Rule to start the New Server
Publishing Rule Wizard.
4. On the Welcome To The New Server Publishing Rule Wizard page, in the Server
Publishing Rule Name box, type a name for the publishing rule and click Next.
5. On the Select Server page, in the Server IP Address box, type the IP address of the
internal server. Click Next.
6. On the Select Protocol page, shown in Figure 8-18, in the Selected Protocol list,
select the appropriate protocol and click Next.
Figure 8-18 Selecting a protocol for a server publishing rule
7. After you select a protocol, you can also override the port mappings for the protocol. To do this, click Ports. In the Ports dialog box that opens (shown in Figure 8-19),
you can modify the settings listed in Table 8-4.
Figure 8-19 Configuring port override on a server publishing rule
Table 8-4 Port Override Configuration Options
(Category / Configuration Option: Use This Option To)

Firewall Ports
  Publish Using The Default Port Defined In The Protocol Definition: Configure ISA Server to listen for connections on the default protocol port.
  Publish On This Port Instead Of On The Default Port: Configure ISA Server to listen for connections on an alternative port.
Published Server Ports
  Send Requests To The Default Port On The Published Server: Configure ISA Server to forward requests to the default protocol port on the published server.
  Send Requests To This Port On The Published Server: Configure ISA Server to forward requests to an alternative port on the published server.
Source Ports
  Allow Traffic From Any Allowed Source Port: Configure ISA Server to accept connection attempts on any port.
  Limit Access To Traffic From This Range Of Source Ports: Configure ISA Server to accept connection attempts on a limited range of ports.
8. On the IP Addresses page, select the network on which the ISA Server computer
will listen for client requests. Click Next.
Note
If you have multiple IP addresses connected to the appropriate network on the ISA
Server computer, you can also configure the server publishing rule to listen on all IP
addresses for the network, or only a specific address.
9. On the Completing The New Server Publishing Rule Wizard page, review the settings and click Finish.
You can also modify the configuration for the server publishing rule after you configure
the rule. To modify the configuration of the server publishing rule, select Firewall Policy
in the ISA Server Management Console and double-click the rule. Most of the configuration options are identical to the options you used when creating the rule. However, like
a Web publishing rule, you can also configure a schedule for the server publishing rule,
and configure how the server will forward client requests. Server publishing rules differ from Web publishing rules in that, by default, the original client IP address is sent
to the published server rather than the ISA Server computer IP address.
Important
Server publishing rules do not provide the option of authenticating users. This
is because server publishing is implemented using NAT, and the internal servers must be configured as SecureNAT clients. If you need to limit which users can access the published
server, you must configure authentication on the published application or server. The only
option you have for restricting access to the application on the server publishing rule is to
limit which IP addresses are allowed to connect to the application.
Server Publishing Scenarios
Server publishing rules are fairly straightforward to configure in most scenarios. The
configuration options for all server publishing rules are very much the same — you
need to configure a port number, enter the published server IP address, and select
on which network or networks the ISA Server computer will listen for the protocol
connections.
Exam Tip
The following server publishing rules are explicitly mentioned in the objectives
for the ISA Server exam. Make sure you understand when to use each type of rule and how to
configure the rule.
How to Publish a Web Server
You cannot use a server publishing rule to publish an HTTP server. However, you can
use either the SSL Web Publishing Rule Wizard or the Server Publishing Rule Wizard to
publish a Web server using HTTPS. In fact, if you choose to use SSL tunneling when
you use the SSL Web Publishing Wizard, you are actually configuring a server
publishing rule.
To use the Server Publishing Rule Wizard to publish an HTTPS server, you must ensure
that the appropriate certificate is configured on the Web server. Then start the wizard
and enter the IP address of the Web server as the published server, and HTTPS server
as the protocol. Because the rule will use SSL tunneling, you cannot configure the
HTTP Web filter to filter any of the network traffic.
How to Publish a Remote Procedure Call Server
One of the more complicated server publishing scenarios is publishing a Remote Procedure Call (RPC) server. Many client applications use RPCs to connect to a server-based application. The most common of these applications is an Outlook client communicating with Microsoft Exchange Server.
Publishing an RPC server is difficult because RPCs use multiple ports to create the connection between the client and server. A single server may be hosting multiple
RPC-based applications so the client and server must have some means of determining
which application the client wants to connect to. To do this, the RPC client initiates
communication with the server using Port 135, which is the endpoint mapping service
port. The RPC client then sends the server a universally unique identifier (UUID) that
identifies the specific application or service that the client wants to gain access to, and
requests that the endpoint mapper send it a port number that the server will use for
that application. The endpoint mapper returns an available port number to the RPC client. This port is randomly chosen and could be any port over 1024. The client then
uses that port number to connect to the server application.
To provide secure access to an RPC server, ISA Server must be able to manage the
UUIDs and the dynamic assignment of ports. To do this, ISA Server provides an RPC filter. The RPC application filter works as follows:
1. The RPC client issues a request over TCP Port 135 through ISA Server to the RPC
server. As part of the request the client sends the UUID for the service with which
it wants to communicate.
2. The application server sends a response back with a port number on which the
client can communicate with the specified application.
3. ISA Server uses the RPC application filter to capture this information, and maintains it in a table. ISA Server allocates a new port on the external interface of the ISA
Server computer, and changes the response that it sends to the RPC client to reflect
this change. This information is also maintained in the table.
4. The RPC client establishes a connection to the port that ISA Server instructed it to
use. ISA Server screens the RPC commands to ensure that no exploits are contained within the channel. The RPC filter matches the client response and port
number to the information it maintains in its table.
5. The RPC client response is forwarded by ISA Server to the application server.
6. The application server responds to the RPC client. ISA Server intercepts the
response and changes the source port number to match the information contained
in its table.
7. ISA Server forwards the responses to the RPC client.
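The seven-step flow above, as an added Python model that is not part of the training kit. The UUID, addresses, port pool and table layout are constructed, and the command screening of step 4 is not modelled.

```python
class RpcFilterModel:
    """Model of the RPC application filter: UUID check, port rewriting, mapping table."""

    def __init__(self, allowed_uuids, external_ip, external_ports):
        # Interfaces selected in the RPC protocol definition (Figure 8-21)
        self.allowed = {u.lower() for u in allowed_uuids}
        self.external_ip = external_ip
        self.free_ports = list(external_ports)
        # external port -> (server_ip, server_port, client_ip)
        self.table = {}

    def endpoint_map_request(self, client_ip, server_ip, uuid):
        """Step 1: the client asks the endpoint mapper (TCP 135) for the UUID's port.
        Returns the request that is passed on, or None if the UUID is not published."""
        if uuid.lower() not in self.allowed:
            return None
        return {"client": client_ip, "server": server_ip, "uuid": uuid.lower()}

    def endpoint_map_response(self, request, server_port):
        """Steps 2-3: the server answers with a dynamic port; the filter records it,
        allocates a port on the external interface and rewrites the answer."""
        if not self.free_ports:
            raise RuntimeError("no free external port for RPC mapping")
        ext_port = self.free_ports.pop(0)
        self.table[ext_port] = (request["server"], server_port, request["client"])
        return (self.external_ip, ext_port)   # what the client actually receives

    def client_connect(self, client_ip, ext_port):
        """Steps 4-5: the client connects to the allocated port; forward only when
        the port and the client match a table entry."""
        entry = self.table.get(ext_port)
        if entry is None or entry[2] != client_ip:
            return None
        server_ip, server_port, _ = entry
        return (server_ip, server_port)

    def server_response(self, server_ip, server_port):
        """Steps 6-7: translate the server's source port back to the external port
        the client was told about, and deliver to that client."""
        for ext_port, (s_ip, s_port, client_ip) in self.table.items():
            if (s_ip, s_port) == (server_ip, server_port):
                return (self.external_ip, ext_port, client_ip)
        return None

    def release(self, ext_port):
        """Free the mapping when the RPC connection closes."""
        if ext_port in self.table:
            del self.table[ext_port]
            self.free_ports.append(ext_port)


# Constructed values: one published interface UUID and the external IP of ISA Server.
PUBLISHED_UUID = "11111111-2222-3333-4444-555555555555"
EXTERNAL_IP = "198.51.100.5"


def demo():
    """Walk one client through the seven steps; returns the intermediate results."""
    f = RpcFilterModel([PUBLISHED_UUID], EXTERNAL_IP, range(40000, 40004))
    req = f.endpoint_map_request("192.0.2.7", "10.10.0.30", PUBLISHED_UUID)
    told = f.endpoint_map_response(req, 1425)        # server chose 1425 (constructed)
    fwd = f.client_connect("192.0.2.7", told[1])     # client connects to ISA's port
    back = f.server_response("10.10.0.30", 1425)     # reply is mapped back to the client
    return req, told, fwd, back


if __name__ == "__main__":
    for step in demo():
        print(step)
```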
To publish an RPC server, you need to configure an RPC protocol and then configure
a server publishing rule that uses the RPC protocol. You need to define the RPC protocol to define which UUIDs the ISA Server will accept. To configure an RPC protocol,
complete the following procedure:
1. In the ISA Server Management Console, click Firewall Policy, and then select the
Toolbox tab.
2. Click Protocols, click New, then click RPC Protocol.
3. On the Welcome To The New RPC Protocol Definition Wizard page, type a name
for the new protocol, and then click Next.
4. On the Select Server page, shown in Figure 8-20, you can configure the UUID
interfaces that will be included with this protocol definition. To get a list of supported UUID server names from a server on the network, type the server name in
the Server Name text box and click Next.
Figure 8-20 Configuring the server for an RPC protocol
5. On the Server Interfaces page, shown in Figure 8-21, select some or all of the interfaces available on the server. If you are publishing a specific application, choose
only the UUID interface associated with that application, and then click Next.
Figure 8-21 Configuring the UUID interfaces for an RPC protocol
6. On the Completing The New RPC Protocol Definition Wizard page, review the
configuration and then click Finish.
After configuring the RPC protocol, use the protocol in a server publishing rule to publish the application server.
See Also The most common scenario for publishing an RPC server is to publish Exchange
Server for Outlook e-mail clients. To simplify the configuration of the Exchange Server publishing rules, ISA Server 2004 is preconfigured with a protocol object named Exchange RPC protocol, which already includes all the UUIDs used by Exchange Server clients. ISA Server also
includes a mail publishing wizard that can be used to publish the Exchange Server computer
for Outlook clients. For more information, see Chapter 9, “Integrating ISA Server 2004 and
Exchange Server.”
How to Publish an FTP Server
You can also use a server publishing rule to publish an FTP server. Configuring an FTP
publishing rule is the same as configuring any other server publishing rule. However,
when you configure a server publishing rule to publish the FTP protocol, the FTP application filter
is automatically applied to the rule. Enabling FTP at the firewall can be complex because
FTP uses multiple ports and connections to transfer data. The FTP filter is specially
designed to handle this complexity and securely manage all needed connections.
The following steps describe how an FTP connection is set up:
1. The FTP client creates a connection to an FTP server using Port 21. As part of the
request, the FTP client also indicates on which port it will listen for a response.
This port will be a random port over 1023.
2. The server responds on the port indicated by the client, and the client and server
complete the three-way handshake.
3. Once the three-way handshake is complete, the server initiates a connection with
the client on Port 20. This port will be used as the data channel to actually transmit
the data. The server also indicates a port greater than 1023 to which the client
should respond.
4. The client and server complete a three-way handshake on the new ports and then
begin to transmit data.
The first two steps in the process are similar to most protocol connections. However,
when the FTP server initiates a connection back to the client on Port 20, the connection
is not part of any existing TCP session. The FTP filter enables the FTP connections by
monitoring the initial FTP connection between the FTP client and server and then
enables the server connection attempt to set up the data channel.
There are several different configuration options available with the FTP filter:
■ You can disable the FTP filter on any access rule or server publishing rule. By
default, the FTP filter is enabled on all rules that enable FTP. If you want to disable
the FTP filter on a particular rule, access the protocol properties on the rule and
disable the FTP filter.
■ You can disable the FTP filter for all rules. To disable the FTP filter, access the
Add-ins container in ISA Server Management. Right-click FTP Access Filter and
select Disable.
■ You can configure the FTP filter to allow read-only access or read-write access for
each rule using FTP. By default, the FTP filter allows only read access to FTP servers. If you want to enable write access, locate the access rule in the Firewall Policy
container. Right-click the rule and click Configure FTP and then clear the Read
Only check box.
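An added Python model (not the training kit's or the product's code) of what the FTP filter has to track: in active mode the client announces its data port with the FTP PORT command on the control channel, and the filter then admits exactly one server-initiated connection from port 20 to that port. The read-only behaviour refuses a constructed list of write commands, which is an assumption for the model rather than the filter's documented command set.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel
# and the server then connects from port 20 to h1.h2.h3.h4:(p1*256+p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

# Commands that change content on the server; refused while the filter is read-only.
# This set is an assumption of the model, not the filter's actual command list.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}


@dataclass
class FtpFilterModel:
    read_only: bool = True                        # the "Read Only" check box default
    expected: set = field(default_factory=set)    # (client_ip, port) awaiting a data connection
    log: list = field(default_factory=list)

    def control_command(self, client_ip: str, line: str) -> bool:
        """Inspect one client command on the control channel (TCP 21).
        Returns False when the filter refuses to pass it on to the server."""
        verb = line.split(" ", 1)[0].upper()
        if self.read_only and verb in WRITE_COMMANDS:
            self.log.append(f"refused {verb} from {client_ip}: filter is read-only")
            return False
        m = PORT_RE.match(line)
        if m:
            h = m.groups()
            ip = ".".join(h[:4])
            port = int(h[4]) * 256 + int(h[5])
            # Only accept a data port on the client itself, and only an unprivileged one,
            # so the announcement cannot open a connection to some other host.
            if ip != client_ip or not 1023 < port < 65536:
                self.log.append(f"refused PORT {ip}:{port} from {client_ip}")
                return False
            self.expected.add((ip, port))
        return True

    def data_connection(self, server_port: int, client_ip: str, client_port: int) -> bool:
        """Decide whether a server-initiated data connection may pass. It is allowed
        only from port 20 and only to a port a PORT command announced; each
        announcement permits one connection."""
        key = (client_ip, client_port)
        if server_port == 20 and key in self.expected:
            self.expected.discard(key)
            return True
        self.log.append(f"blocked data connection {server_port} -> {client_ip}:{client_port}")
        return False


def demo():
    """Constructed session through a read-only filter: a directory listing, then an upload."""
    f = FtpFilterModel(read_only=True)
    results = [
        f.control_command("192.0.2.7", "USER anonymous"),
        f.control_command("192.0.2.7", "PORT 192,0,2,7,195,80"),   # 195*256+80 = 50000
        f.data_connection(20, "192.0.2.7", 50000),                 # allowed once
        f.data_connection(20, "192.0.2.7", 50000),                 # second attempt blocked
        f.control_command("192.0.2.7", "STOR upload.bin"),         # refused: read-only
        f.control_command("192.0.2.7", "PORT 10,10,0,5,195,81"),   # refused: not the client
    ]
    return results, f.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("\n".join(log))
```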
How to Publish a Terminal Services Server
Another possible server publishing scenario is to publish a Terminal Services server to
the Internet. Terminal Services is a Windows 2000 Server and Windows Server 2003
feature that allows multiple users to run applications on a Windows Server computer.
The application runs on the Windows Server computer with only keystrokes and
pointer actions sent from the client to the server, and screen display information sent
to the client from the server. Remote Desktop, which is included with Windows Server
2003 and Windows XP, is a limited version of Terminal Services.
Microsoft Terminal Services uses the Remote Desktop Protocol (RDP), which uses Port
3389 to communicate between the client and server. To publish a Terminal Services
computer, you need to create a server publishing rule that allows access using the RDP
protocol to the Terminal Services server IP address.
Security Alert
By default, a Windows Server 2003 Terminal Server will try to negotiate
encryption of all network traffic between the server and client, but will accept nonencrypted connections. If you are accessing the Terminal Server across the Internet, you should configure the
Terminal Server to require encryption.
One interesting Terminal Services scenario is one where you want to use Terminal Services to manage ISA Server from the Internet. You can enable this configuration by
enabling a server publishing rule that enables RDP access to the ISA Server computer.
If you want to publish both the ISA Server computer and an internal computer using
RDP, you need to configure two IP addresses on the ISA Server computer that are
accessible from the Internet. Then configure two different server publishing rules, one
to allow RDP access to the ISA Server computer, and one to allow RDP access to the
internal Terminal Services computer. If you do not have multiple IP addresses available
on the external interface, then you can publish each terminal server on a different port.
How to Publish a VPN Server
You can also use ISA Server 2004 to publish VPN servers on the internal network to the
Internet. ISA Server can operate as a VPN remote-access server, but you can also use it
to publish other VPN servers. When you choose to publish a VPN server, you need to
choose which tunneling protocol you will use. You have two options: Point-to-Point
Tunneling Protocol (PPTP) or Layer-Two Tunneling Protocol over IP Security (L2TP
over IPSec).
See Also
For more information about these tunneling protocols, see Chapter 10, “Configuring Virtual Private Networks for Remote Clients and Networks.” Chapter 10 provides details
about how to configure the ISA Server computer as a VPN server.
To publish a VPN server, you need to configure the following:
■ Configure a computer to serve as the VPN endpoint. If you are using a Windows
Server computer, enable and configure Routing and Remote Access to allow VPN
connections. On the VPN server, set the default gateway to the internal interface of
the ISA Server computer.
■ To publish a VPN server running PPTP, you just need to configure a server publishing rule that allows PPTP connections from the Internet to the VPN server.
■ Deploying an L2TP over IPSec VPN server is more complicated. First of all, L2TP
requires either a pre-shared key or digital certificate for authentication. Because
the pre-shared key has to be identical for all clients, the use of digital certificates
is strongly recommended. This means that a digital certificate must be installed on
the VPN server and on each VPN client. Secondly, L2TP over IPSec does not support NAT connections without the NAT traversal (NAT-T) update. This means that
all L2TP over IPSec clients must have the NAT-T update installed and you need to
configure ISA Server to enable NAT-T connections.
See Also
For more information about the NAT-T update, see the article, “L2TP/IPSec NAT-T
Update for Windows XP and Windows 2000,” located at http://go.microsoft.com/fwlink/?LinkId=28084.
L2TP over IPSec requires two publishing rules. One rule is used to publish Internet Key
Exchange (IKE) negotiation and a second rule to publish NAT-T. The first rule uses the
IKE Server protocol, while the second rule uses the IPSec NAT-T Server protocol.
Guidelines for Troubleshooting Web and Server Publishing
By using the ISA Server publishing wizards, you can easily publish internal resources
to the Internet. However, there are also many situations in which you may need to
troubleshoot connectivity to those published resources. Use the following guidelines to
troubleshoot ISA Server Web and server publishing issues:
■ Check the resource availability. Can you access the published resource
directly? For example, if you are publishing a Web site, try connecting to the Web
site from a computer that is located on the same network as the Web server. If the
Web site is not available from the same network, then the primary issue is related
to the Web server and not to the ISA Server configuration.
■ Check the DNS records. Does the resource named on the Internet resolve to an
IP address on the external network adapter of the computer running ISA Server? If
not, then check the zone information on the Internet DNS server that is authoritative for your domain name.
■ Check the error message. When you fail to connect to the published resource,
check the error message that you receive. This is particularly useful when troubleshooting Web publishing rules because HTTP defines a standard set of error messages. For example, if you fail to connect to the Web site and receive an Error 403
page, you know that the connection to the external IP of the computer running
ISA Server has succeeded. The issue will therefore be an ISA Server Web publishing issue or an IIS issue. If you receive a 500 Internal Server Error page, there is
likely a problem with the SSL certificate on the Web server.
■ Check on which ports the ISA Server is listening for connections. You can
check this by using the Netstat utility. To use Netstat, type netstat -an at a command prompt on the ISA Server computer. If ISA Server is not listening on Port
80 or Port 443, check the Web listener configuration. For other ports, check the
server publishing rule configurations.
■ Check the publishing rule configuration. When configuring a Web publishing rule, ensure that the public name matches the name that an external user specifies to access the Web site. Also confirm that the internal destination server name
or IP address is correct. If you are using a server name for the internal Web server,
ensure that ISA Server can resolve the IP address for the server name. You can
accomplish this by configuring ISA Server to use an internal DNS server that can
provide name resolution, or configuring the server name in the HOSTS file on the
computer running ISA Server.
■ Check SSL configuration and certificates. If a connection to a secure resource
is failing, check the SSL configuration and the installed server certificates. In a
secure Web publishing scenario, check the SSL bridging configuration and ensure
that ISA Server and the Web server both have certificates if required. Also, check
that the name on the certificate matches the FQDN that is used to connect to the
Web site. In a server publishing scenario, check the certificate on the published
server, and check the server publishing rule to ensure that it is configured to use
a secure protocol rather than the nonsecure protocol. Any one of the following
problems will result in the Web client receiving a 500 Internal Server Error page:
❑ The certificate on the internal Web server is not valid on the date of the request.
❑ The Certification Authority that issued the Web site certificate for the internal Web server is not trusted by the ISA Server 2004 firewall.
❑ The server name provided on the Web publishing rule To tab does not match the name on the certificate installed on the published Web site.
Exam Tip
In most cases, when you see a 500 Internal Server error in a secure Web publishing scenario, the problem is with the certificate configuration.
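Two of the checks above as an added Python helper (not from the training kit): one parses netstat -an output for the TCP ports ISA Server is listening on, the other tests a certificate summary against the three conditions that produce a 500 Internal Server Error. The netstat excerpt, the certificate fields and the CA and host names are constructed.

```python
from datetime import date


def listening_tcp_ports(netstat_output: str) -> set:
    """Return the TCP ports in LISTENING state from `netstat -an` output (Windows layout)."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def missing_listeners(netstat_output: str, expected_ports) -> list:
    """Expected ports (80/443 for Web listeners, the protocol ports of server
    publishing rules) that the computer is not listening on."""
    return sorted(set(expected_ports) - listening_tcp_ports(netstat_output))


def certificate_problems(cert: dict, connect_name: str, trusted_cas, today: date) -> list:
    """Check the three certificate conditions listed above that produce a
    500 Internal Server Error. `cert` is a constructed summary of the certificate
    on the published server, not a parsed X.509 object."""
    problems = []
    if not cert["not_before"] <= today <= cert["not_after"]:
        problems.append("certificate is not valid on the date of the request")
    if cert["issuer"] not in trusted_cas:
        problems.append("issuing CA is not trusted by the ISA Server firewall")
    names = {n.lower() for n in (cert["subject_cn"], *cert.get("sans", ()))}
    if connect_name.lower() not in names:
        problems.append("name on the publishing rule To tab does not match the certificate")
    return problems


# Constructed `netstat -an` excerpt from an ISA Server computer that has a
# listener on 443 but no Web listener on 80.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    198.51.100.5:443       192.0.2.7:51022        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed certificate summary and trust store (names are assumptions).
SAMPLE_CERT = {
    "subject_cn": "www.cohovineyard.com",
    "sans": (),
    "issuer": "Coho Vineyard Enterprise Root CA",
    "not_before": date(2004, 1, 1),
    "not_after": date(2005, 12, 31),
}
TRUSTED_CAS = {"Coho Vineyard Enterprise Root CA"}

if __name__ == "__main__":
    print("not listening on:", missing_listeners(SAMPLE_NETSTAT, [80, 443, 21]))
    print(certificate_problems(SAMPLE_CERT, "web1.cohovineyard.local", set(), date(2006, 3, 1)))
```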
Practice: Configuring Server Publishing Rules
In the following practice, you will configure several server publishing rules and then
test the rules to ensure that they are correctly configured. You will publish an FTP
server, a VPN server that is using PPTP, and a Remote Desktop server.
Note This practice assumes that DC1 is configured as an FTP server and as a VPN server
using Routing And Remote Access. Remote Desktop also should be enabled on DC1.
Exercise 1: Configuring a New Server Publishing Rule
1. If necessary, open ISA Server Management Console, expand the ISA Server computer node, and click Firewall Policy.
2. On the Tasks tab, click Create New Server Publishing Rule to start the New Server
Publishing Rule Wizard.
3. On the Welcome To The New Server Publishing Rule Wizard page, in the Server
Publishing Rule Name box, type Coho Vineyard FTP Site and click Next.
4. On the Select Server page, in the Server IP Address box, type 10.10.0.10.
Click Next.
5. On the Select Protocol page, in the Selected Protocol list, click FTP Server and
click Next.
6. On the IP Addresses page, select the check box for External. Click Next.
7. On the Completing The New Server Publishing Rule Wizard page, review the settings and click Finish.
8. Configure another server publishing rule named Coho Vineyard VPN Server that
uses the PPTP Server protocol to enable connections to 10.10.0.10.
9. Configure another server publishing rule named Coho Vineyard Remote Desktop
Server that uses the RDP (Terminal Services) Server protocol to enable connections to
10.10.0.10.
10. Click Apply to apply the changes.
Exercise 2: Testing the Server Publishing Rules
1. Switch to the SERVER1 virtual machine.
2. Open Internet Explorer. On the Tools menu, click Internet Options. On the
Advanced tab, ensure Enable Folder View For FTP Sites is not selected and click OK.
3. In the Address box, type ftp://ftp.cohovineyard.com and press Enter. The
connection should be successful. Close Internet Explorer.
4. Click Start, point to Control Panel, then point to Network Connections and click
New Connection Wizard.
5. On the Welcome To The New Connection Wizard page, click Next.
6. On the Network Connection Type page, click Connect To The Network At My
Workplace, and then click Next.
7. On the Network Connection page, click Virtual Private Network Connection and
click Next.
8. On the Connection Name page, type Coho Vineyard VPN and click Next.
9. On the VPN Server Selection page, type the IP address for the external interface of
the ISA Server computer and click Next.
10. On the Connection Availability page, click Next.
11. On the Completing The New Connection Wizard page, click Finish.
12. In the Connect Coho Vineyard VPN dialog box, type the password for the administrator account and then click Connect. The connection should be successful.
13. Right-click the connection icon and click Disconnect.
14. Click Start, point to Accessories, point to Communications and click Remote Desktop Connection.
15. In the Remote Desktop Connection dialog box, type the IP address for the external interface of the ISA Server computer and click Connect. The connection should
be successful.
16. In the Remote Desktop window, click Cancel.
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You have installed ISA Server 2004 as a front-end firewall protecting a perimeter
network. You need to publish two separate FTP servers in the perimeter network.
One of the FTP servers is for public users to download evaluation versions of your
product. The other needs to be restricted to the Web Developers group in your
domain so they can post code revisions from the Internet. You have only one IP
address that you can use on the Internet. How will you configure ISA Server to
meet these requirements?
2. You have just published a secure Web site on your perimeter network using a
server publishing rule. Internal users are able to access the site without receiving
any error messages, but Internet users receive a warning whenever they access
the site. You confirm that the ISA Server certificate is valid and that it was issued
by a well-known commercial CA. What is the most likely cause for the warning
message?
3. You need to enable SSL access to an IMAP Server computer. What steps must you
take to do this? (Choose two answers.)
a. Install a server certificate on the ISA Server computer.
b. Create a server publishing rule for IMAPS Server protocol.
c. Install a server certificate on the IMAP Server computer.
d. Create a server publishing rule for IMAP Server protocol.
e. Install a server certificate on both the IMAP Server computer and the ISA
Server computer.
8-62
Chapter 8
Implementing ISA Server Publishing
Lesson Summary
■ Server publishing rules are used on ISA Server to map a port number on an external interface of the ISA Server computer to the IP address of an internal server providing a specific service.
■ Server publishing rules are fairly easy to configure. For most rules, all you need to
do is choose the protocol that you want to publish and enter the IP address for the
server that you are publishing.
■ There are many possible scenarios where you can use a server publishing rule.
Some examples include publishing a secure Web site, an FTP server, an RPC
server, a VPN server, and a Terminal Services server.
■ There are many situations in which you may need to troubleshoot Web and server
publishing. To troubleshoot ISA Server Web and server publishing issues, check
whether the resource is available on the local network, check name resolution,
and then check the publishing rule configuration.
Lesson 5: Configuring ISA Server Authentication
In many cases, the network resources that are published by Web or server publishing
rules are confidential and should be available only to authorized users. To enforce this,
you can configure ISA Server 2004 to require authentication for all users accessing a
published resource. This lesson describes the types of authentication supported by
ISA Server 2004 and how to configure authentication.
After this lesson, you will be able to
■ Describe how access rules and authentication work together to provide secure Internet
access
■ Identify the Web publishing authentication options on ISA Server 2004
■ Describe how RADIUS authentication works and how to implement it
■ Implement SecurID for ISA authentication
Estimated lesson time: 30 minutes
How Authentication and Web Publishing Rules Work Together
Authentication is an integral part of any firewall policy. You can limit access to internal
resources by limiting access based on the IP address of a computer. However, in most
cases, it is much more effective to provide access only to specific users who have
authenticated themselves.
Important
Authentication applies only to Web publishing rules. You cannot configure
authentication on server publishing rules.
Authentication and Web publishing rules work together in the following ways:
■ Users can gain access to an internal resource protected by ISA Server only if an
access rule or publishing rule grants access to that resource. When you create a
publishing rule, you can limit which users can gain access to the resource using
the rule. Whenever a rule is configured to grant access to a specific set of users
other than the All Users user set, authentication becomes an important part of how
the rule is evaluated.
■ For Web publishing and secure Web publishing rules, you must configure a Web listener as part of the rule definition. The Web listener defines which authentication
methods are enabled. You can configure a Web listener to use more than one
authentication mechanism. These authentication mechanisms can be used simultaneously on a Web listener: Basic, Digest, Integrated, and Client Certificate Authentication. RADIUS, SecurID, or forms-based authentication methods must be the only
authentication mechanism configured on a Web listener. Once you have configured
the Web listener for a Web publishing or secure Web publishing rule, you can then
specify which users can gain access to resources based on the rule.
■ When ISA Server receives a request for an internal resource, it processes the firewall policy rules in order. When a firewall rule matches the client request, but
ISA Server requires client authentication to validate the match, ISA Server will
request that the client authenticate. In other words, if the firewall rule limits access
to users other than the All Users user set, then the user must provide credentials
to prove his or her identity.
Important
By default, Web publishing rules and secure Web publishing rules grant access
to the All Users user set, which includes anonymous, or unauthenticated, users. To limit
access to a Web publishing rule, remove the All Users user set and add the All Authenticated
Users or a specific user set.
ISA Server Web Publishing Authentication Scenarios
When designing an authentication strategy for ISA Server Web publishing rules, you
have several options. You can configure ISA Server to perform the authentication, or
you can configure the published server to perform the authentication. In some cases,
you may want to require authentication on both ISA Server and the published server.
Configure Authentication on ISA Server
In some cases, you may want users to authenticate before they reach the internal network. To enable this, you can configure the Web listener associated with the publishing rule to require authentication. Once the users authenticate with ISA Server, they
can then access the Web server on the internal network. This is a secure configuration
because if users cannot successfully authenticate with ISA Server, they cannot access
anything on the internal network.
Use ISA Server authentication if you have fairly simple authentication requirements.
For example, if you want to ensure that only authenticated users can access all your
published Web servers, then configure the Web listener to allow access to the All
Authenticated Users user set. This option also has the added benefit of offloading
authentication activity to the ISA Server computer.
See Also For information about how to configure authentication, see Chapter 5, “Enabling
Secure Internet Access with ISA Server 2004.” Although Chapter 5 deals specifically with how
to configure authentication for outbound Internet access, the options and procedures for configuring authentication are the same when configuring authentication for inbound access. The
only differences are that you need to configure the authentication protocols on the Web listener rather than on the Internal network properties, and you can configure OWA Forms-Based
authentication and SecurID authentication on the Web listener. OWA Forms-Based authentication will be discussed in detail in Chapter 9.
Configure Authentication on the Internal Web Server
Another option for configuring authentication is to configure the internal Web server to
require authentication. In this scenario, ISA Server allows anonymous access to the published server, but the server requests authentication. In this configuration, ISA Server uses
pass-through authentication to complete the authentication. Pass-through authentication
refers to the ability of ISA Server to pass a client’s authentication information to the destination server. The following steps describe how pass-through authentication works in a
Web publishing scenario:
1. The client sends a request for an object on a Web server protected by ISA Server.
Because the publishing rule allows anonymous access, ISA Server does not
prompt for authentication but passes the request to the Web server.
2. The Web server receives the request and responds that authentication is required.
3. ISA Server passes the authentication-required response to the client.
4. The client returns authentication information to ISA Server.
5. ISA Server passes the client authentication information to the Web server.
6. After successful authentication, the client communicates with the Web server.
This option transfers all authentication activity to the internal server. This is a recommended solution when you have complex authentication requirements. For example,
you may be publishing multiple Web sites with some allowing anonymous access,
while others require authentication. In this scenario, it is easier to configure authentication on the internal Web server.
Important If you are publishing resources using a server publishing rule, you can only configure authentication on the server hosting the internal resource. You cannot configure
authentication on a server publishing rule.
Configure Authentication on ISA Server and on the Internal Web Server
You can also design an authentication strategy that requires that users authenticate on
ISA Server as well as on the internal Web server. You may choose to implement this
solution if you have a Web site with varying types of confidential information. For
example, you may want to limit access to a private Web site in your organization to
only users who have valid domain user accounts. However, the Web site may also contain a confidential area that should be accessible only to executives. In this case, you
could enable ISA Server authentication to limit access to the Web site to the Domain
Users group, and then use authentication on the Web server to limit access to confidential information.
When you configure authentication using an authentication option other than basic
authentication on both servers, the users have to provide their credentials more than
once. If you are using basic authentication on both ISA Server and the internal Web
server, you can use basic authentication delegation to enable single sign-on for the
users. When you enable basic authentication delegation, ISA Server authenticates the
users, and then forwards the user credentials to the Web server, allowing the Web
server to authenticate users without requesting credentials a second time.
To enable basic authentication delegation, select the check box for Forward Basic
Authentication Credentials (Basic Delegation) on the Users tab of the Web publishing
or secure Web publishing rule, as shown in Figure 8-22.
Figure 8-22 Configuring basic authentication delegation
How to Implement RADIUS Server for Authentication
ISA Server enables the use of RADIUS to authenticate users. RADIUS is an industry-standard protocol used to provide authentication in heterogeneous environments. To
implement RADIUS authentication, you need to implement the following components:
■ RADIUS server A RADIUS server has access to all the user accounts within a
defined namespace. The RADIUS server passes authentication requests to an
authentication server (such as an Active Directory domain controller) and can also
be used to apply policies to user connections. Microsoft includes Internet Authentication Server (IAS), which is a RADIUS server, with Windows 2000 Server and
Windows Server 2003.
■ RADIUS client A RADIUS client is typically a dial-up server, VPN server, or wireless access point. The RADIUS client is the server that users connect to when they
want to access a network. The RADIUS client collects the user credentials and
sends them in the form of a RADIUS message to a RADIUS server. The RADIUS
server authenticates the RADIUS client request, and sends back a RADIUS message
response. If the RADIUS message response indicates that the user has been successfully authenticated, the user is granted access.
ISA Server can be configured as a RADIUS client. This means that when users connect
to ISA Server, ISA Server will send the user logon information to a RADIUS server
rather than to an Active Directory domain controller.
The most important benefit of using RADIUS for ISA Server authentication is that you can
authenticate users based on their Active Directory user names without requiring that
ISA Server be a member of the Active Directory domain. In organizations that have
deployed Active Directory, most user accounts are stored in Active Directory. One of the
benefits of using ISA Server as a firewall is that you can use those Active Directory
accounts to authenticate user access, for both inbound and outbound access. However,
for ISA Server to authenticate Active Directory users, the computer running ISA Server
must be a member of the Active Directory domain. Security best practices specify that the
firewall should not be located on a server that is a member of a Windows domain. The
problem with using a firewall that is a member of a domain is that if an attacker were able
to compromise the firewall, the attacker could potentially leverage the firewall’s domain
member status to launch a successful attack against other internal network servers.
You can use RADIUS to gain the benefit of using the Active Directory domains for
authentication without joining the server running ISA Server to the domain. When
ISA Server is configured to use RADIUS authentication for incoming Web requests, the
firewall forwards the request to a RADIUS server located on a protected network. The
RADIUS server can forward the authentication requests to an Active Directory domain
controller, another RADIUS server, or a directory server created by a third party that
accepts RADIUS authentication messages.
How to Implement RADIUS Authentication
Configuring ISA Server to use RADIUS for authentication requires several steps. The
high-level steps are described here (you will complete the detailed steps in the following practice):
1. Install IAS on a computer running Windows Server 2003 or Windows 2000 Server.
IAS is one of the Networking Services installed by using Add Or Remove Programs
from Control Panel.
2. Configure IAS to accept ISA Server as a RADIUS client. To configure this option,
open the Internet Authentication Service console from the Administrative Tools
menu. Right-click RADIUS clients and click New RADIUS client. To complete the
configuration, you need to provide the ISA Server name and IP address and configure a shared secret that will be used to authenticate the connection between the
ISA Server and the RADIUS server.
3. Configure IAS to use Active Directory for its user account database. To do this, you
must register the IAS server in the Active Directory domain.
4. Configure the Active Directory user accounts and remote access policies. When
the user attempts to authenticate on a RADIUS server, the RADIUS server checks
the user account properties and the remote access policies to determine if the user
can authenticate. The user account must be configured to allow dial-in access or
configured so that dial-in access is controlled by a remote access policy. Then a
remote access policy must be created that will allow the user dial-in access.
5. Configure ISA Server to use a RADIUS server for authentication. To do this, expand
the Configuration container in ISA Server management, click General and then click
Define RADIUS Servers. To add a RADIUS server, click Add and then specify the
RADIUS server name, shared secret, and port number, as shown in Figure 8-23.
Figure 8-23 Configuring ISA Server to use a RADIUS server for authentication
6. Configure a Web listener to use RADIUS authentication. To do this, perform the
following steps:
a. Access the Web Listener properties on the Firewall Policy Toolbox tab.
b. On the Web Listener Properties dialog box, select the Preferences tab and
click Authentication, as shown in Figure 8-24.
Figure 8-24 Configuring a Web listener to use a RADIUS server for authentication
c. Select RADIUS authentication and then click RADIUS Servers to select the
RADIUS server that will be used by the Web listener.
Off the Record
Although RADIUS authentication does enable you to configure authentication based on domain groups without joining the ISA Server computer to the Active Directory
domain, the current implementation of RADIUS authentication on ISA Server is too limited to be
feasible in a complex environment. When you configure the RADIUS remote access policy, you
can choose to which group the policy will apply. You can also configure whether the group has
permission to connect or not. However, you can apply only one remote access policy for ISA
Server authentication. For example, if you create a remote access policy that allows members
of the Managers group to access the server, and then configure the Web Listener to use
RADIUS, only members of the Managers group will be able to access the Web
site. That may be what you want, but once you configure this rule, you cannot enable RADIUS
authentication for another Web publishing rule and provide access to another group of users.
You can configure a user set on the ISA Server computer, but there is no way for ISA Server to
pass the user set information to the RADIUS server. Because of this limitation, RADIUS cannot
be used to configure complex authentication requirements on ISA Server. About the best you
can do is configure RADIUS to grant access to the Domain Users group, and then use more
granular permissions on the Web site.
How to Implement SecurID for Authentication
The RSA SecurID authentication system is a two-factor user authentication system.
Two-factor authentication means that users need to identify themselves with two
unique factors: something they know (a password or PIN) and something they have (in
this case, an RSA SecurID token that generates a unique six-digit passcode every
minute). ISA Server 2004 enables the option to authenticate users based on authentication credentials from the RSA SecurID product from RSA Security, Inc.
To implement RSA SecurID authentication, you need the following components:
■ RSA ACE/Server This computer retains information about users, groups, hosts,
and tokens. For each user, the RSA ACE/Server maintains a list of hosts to which
the user can log on, and a logon name, which can differ from one host to the other.
■ RSA ACE/Agent This computer provides Web content, and requires the user to
provide credentials for RSA SecurID. When using SecurID authentication with ISA
Server, ISA Server is the RSA ACE/Client.
■ Client Usually, this is a Web browser that receives Web content.
When a user attempts to access Web pages that are protected by RSA SecurID, the ISA
Server computer requests a Web browser cookie. This cookie will only be present if the
user has authenticated recently. If the user’s cookie is missing, the user is prompted for
a username and passcode for SecurID. The passcode consists of a combination of the
user’s PIN and tokencode. The tokencode is displayed on the user’s token and changes
once every minute. The RSA ACE/Agent on the ISA Server computer passes these credentials to the RSA ACE/Server computer for validation. If the credentials are successfully validated, a cookie is delivered to the user’s browser for subsequent activity
during the session, and the user is granted access to the content.
Configuring ISA Server to use RSA SecurID is similar to configuring ISA Server to use a
RADIUS server for authentication. The high-level steps are described here (to complete
the detailed steps, you need access to an RSA ACE/Server):
1. On the RSA ACE/Server, set up ISA Server as an RSA ACE/Agent. To do this, you
need to add the ISA Server computer name and IP address as an Agent Host. Then
copy the Sdconf.rec file, located in the ACE\Data folder on the RSA ACE/Server
computer, to the %Windir%\System32 folder on the ISA Server computer. ISA
Server uses this file when connecting to the RSA ACE/Server.
2. Add users to the ISA Server Host record on the ACE Server computer. Users with
valid authentication credentials must be specified on the ACE Server computer.
3. Configure a Web listener to use SecurID for authentication.
Practice: Configuring ISA Server Authentication
In this practice, you will install and configure Internet Authentication Service on DC1.
Then you will configure ISA Server to use RADIUS for authentication and to use the IAS
server as the RADIUS server. Then you will configure a Web publishing rule to use
RADIUS authentication. Finally, you will test RADIUS authentication.
Exercise 1: Installing and Configuring IAS Server
1. On DC1, log on as an administrator.
2. Open Control Panel and open Add Or Remove Programs.
3. Click Add/Remove Windows Components. On the Components list, click Networking Services and then click Details.
4. Click the check box for Internet Authentication Service and then click OK.
5. Click Next, and then wait for the installation to finish. You may need to provide
the Windows Server 2004 installation CD to complete the installation.
6. When the installation finishes, click Finish.
7. Open Internet Authentication Services from the Administrative Tools folder.
8. Right-click Internet Authentication Service (Local) and click Register Server in
Active Directory.
9. Read the notice explaining that IAS will be able to read users’ dial-in settings, and
click OK.
10. When you receive the Server registered message, click OK.
11. Right-click RADIUS Clients and click New RADIUS Client.
12. In the New RADIUS Client dialog box, in the Friendly Name text box, type ISA1.
In the Client Address (IP or DNS) text box, type 10.10.0.1. Click Next.
13. In the Additional Information dialog box, in the Client-Vendor list, ensure that
RADIUS Standard is selected. Type a password for the Shared Secret and the Confirm Shared Secret. Click Finish.
14. Close Internet Authentication Service.
Exercise 2: Configure ISA Server to Use the RADIUS Server for Authentication
1. On ISA1, in the ISA Server Management Console, expand Configuration and then
click General.
2. Under Additional Security Policy, click Define RADIUS Servers.
3. In the RADIUS Servers dialog box, click Add.
4. In the Add RADIUS Server dialog box, in the Server Name box, type
DC1.cohovineyard.com.
5. Click Change to change the Shared Secret.
6. In the Shared Secret dialog box, type the same password you used earlier as the
New Secret and Confirm New Secret and then click OK.
7. In the Add RADIUS Servers dialog box, click OK.
8. In the RADIUS Servers dialog box, click OK.
9. Click Firewall Policy, double-click the Coho Vineyard Secure Site to open the Web
publishing rule’s properties.
10. On the Listener tab, click Properties to access HTTPS Web listener properties.
11. On the Preferences tab, click Authentication.
12. Configure the Authentication settings to allow only RADIUS authentication and to
require all users to authenticate.
13. Click Select Domain and type Cohovineyard.com. Click OK.
14. Click RADIUS Servers and ensure that DC1.cohovineyard.com is configured as the
RADIUS server. Click OK until the HTTPS dialog box is closed.
15. In the Coho Vineyard Store Site Properties dialog box, on the Users tab, remove
All Users. Add the All Authenticated Users user set. Click OK.
16. Click Apply to apply the changes.
Exercise 3: Configure the Remote Access Policy on IAS
1. On DC1, open Internet Authentication Services from the Administrative Tools
folder.
2. Right-click Remote Access Policies and click New Remote Access Policy.
3. On the Welcome To The New Remote Access Policy Wizard page, click Next.
4. On the Policy Configuration Method page, click Set Up a Custom Policy, and type
Secure Site Access Policy in the Policy Name: text box and click Next.
5. On the Policy Conditions page, click Add.
6. In the Select Attributes dialog box, click Windows-Groups and click Add.
7. In the Groups dialog box, click Add.
8. In the Enter the Object Names To Select text box, type Domain Users. Click OK.
9. In the Group dialog box, click OK.
10. On the Policy Conditions page, click Next.
11. On the Permissions page, click Grant Remote Access Permission, and then click Next.
12. On the Profile page, click Edit Profile.
13. In the Edit Dial-in Profile Dialog box, click the Authentication tab.
14. Select Unencrypted Authentication (PAP,SPAP). Click OK.
15. In the Dial-in Settings box, click No and then click Next.
Security Alert The option you just selected shows another limitation with the RADIUS
server implementation. You must enable nonsecure authentication in order to pass credentials from the ISA Server to the RADIUS server.
16. On the Completing The New Remote Access Policy Wizard page, click Finish.
17. Ensure that the Secure Site Remote Access Policy is listed first in the Remote
Access Policy list. If it is not, right-click the policy and click Move Up.
Exercise 4: Test the RADIUS Authentication
1. On SERVER1, open Internet Explorer.
2. Connect to https://secure.cohovineyard.com. When prompted to log on, enter the
user name and password of a domain user that has access.
3. After you connect to the Web site, change the HTTPS Web listener to use Basic
and Integrated authentication.
Tip If you cannot access the Web site, ensure that the user account you are using has
Allow Dial-in permissions set on the user account in Active Directory.
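As an added example that is not ISA Server or IAS code, the following Python models the RADIUS exchange this lesson describes: ISA Server, acting as the RADIUS client, sends a PAP Access-Request to IAS, which checks that the sender is a registered RADIUS client, recovers the password with the shared secret, checks the account's dial-in permission, and answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies (RFC 2865 message formats). The shared secret, the client list, the user accounts and their passwords are constructed values; the decode function also shows why the Security Alert's PAP setting matters: the password hiding is reversible by anyone holding the shared secret, so the secret must be strong and the ISA-to-IAS path must stay on a protected network.

```python
"""Constructed model of ISA Server (RADIUS client) talking to IAS (RADIUS server)
with PAP, following RFC 2865. Not ISA Server or IAS code; all values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed IAS configuration: registered RADIUS clients keyed by address (the
# practice registers ISA1 at 10.10.0.1) and the domain accounts IAS consults.
CONSTRUCTED_CLIENTS = {"10.10.0.1": b"constructed-shared-secret"}
CONSTRUCTED_ACCOUNTS = {
    "alice": {"password": b"Pa55w.rd", "dial_in": True},   # Allow Dial-in set
    "bob": {"password": b"Pa55w.rd", "dial_in": False},    # dial-in denied
}


def _attr(atype, value):
    # RADIUS attribute: Type(1) Length(1, includes header) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_pap_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with an MD5
    keystream seeded from the shared secret and the previous ciphertext block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decode_pap_password(hidden, secret, request_authenticator):
    """Inverse of encode_pap_password: the server side, and also anyone who captured
    the request and knows the shared secret (the weakness the Security Alert notes)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip):
    """Client side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    ra = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, ra))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def ias_handle_request(packet, clients, accounts):
    """Server side. In this model the NAS-IP-Address attribute stands in for the UDP
    source address a real server would check; unknown clients are silently dropped."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attrs(packet[20:length])
    secret = clients.get(".".join(str(b) for b in attrs[ATTR_NAS_IP_ADDRESS]))
    if code != ACCESS_REQUEST or secret is None:
        return None
    acct = accounts.get(attrs[ATTR_USER_NAME].decode())
    password = decode_pap_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    ok = acct is not None and acct["password"] == password and acct["dial_in"]
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, ra, secret)


def isa_verify_response(response, request, secret):
    """Client side: only trust a verdict whose Response Authenticator matches our
    secret and our request; a mis-keyed or forged reply yields None."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if identifier != request[1] or response[4:20] != expected:
        return None
    return code


def radius_authenticate(username, password, client_secret, nas_ip="10.10.0.1",
                        clients=CONSTRUCTED_CLIENTS, accounts=CONSTRUCTED_ACCOUNTS):
    """Whole exchange from ISA Server's point of view: 'accept', 'reject', or None
    when no trustworthy reply came back (unregistered client or secret mismatch)."""
    request = build_access_request(7, username, password, client_secret, nas_ip)
    response = ias_handle_request(request, clients, accounts)
    if response is None:
        return None
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(
        isa_verify_response(response, request, client_secret))


if __name__ == "__main__":
    print(radius_authenticate("alice", "Pa55w.rd", b"constructed-shared-secret"))  # accept
    print(radius_authenticate("bob", "Pa55w.rd", b"constructed-shared-secret"))    # reject
    print(radius_authenticate("alice", "Pa55w.rd", b"not-the-secret"))             # None
```

A wrong shared secret on ISA1 does not produce a Reject the client can act on; the server decodes a garbage password and its reply fails verification, which is the symptom to look for when the shared secrets entered in Exercises 1 and 2 differ.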
Lesson Review
Use the following questions to help determine whether you have learned enough to
move on to the next lesson. If you have difficulty answering these questions, review
the material in this lesson before beginning the next lesson. You can find answers to
the questions in the “Questions and Answers” section at the end of this chapter.
1. You have deployed Active Directory in a single-domain environment. You want to
use RADIUS authentication for your internal Web site. What steps do you take to
configure this? (Choose two answers.)
a. Configure the ISA Server 2004 computer as a RADIUS Server computer.
b. Register the RADIUS Server computer in Active Directory.
c. Register the ISA Server 2004 computer in Active Directory.
d. Configure the ISA Server 2004 computer as a RADIUS Client computer.
2. You are configuring a Web site that contains some confidential information. Most
of the information on the Web site should be available to all users with user
accounts in your domain, while some folders should be accessible only to managers. You are configuring a Web listener and a Web publishing rule to enable this
access. How can you configure authentication on ISA Server and the Web server?
a. Configure ISA Server to require authentication for all users. Allow the managers access to the Web site. Use Internet Information Server (IIS) authentication
to allow access to all authenticated users.
b. Configure ISA Server to allow all users access to the Web site. Use IIS authentication to restrict access to the manager’s folders.
c. Configure ISA Server to require authentication for all users. Allow all authenticated users access to the Web site. Use IIS authentication to restrict access to
the managers’ folders.
d. Configure ISA Server to allow all users access to the Web site. Use IIS authentication to restrict access to authenticated users.
3. You have deployed ISA Server 2004 in a 3-Leg perimeter firewall configuration.
The ISA Server computer is not a member of your Active Directory domain. You
need to provide access to a Web site in your perimeter network. Only Domain
Users should be able to access the site. What authentication method should you
implement?
a. RADIUS
b. Digest
c. Basic
d. Integrated
Lesson Summary
■ Authentication and Web publishing rules work together to ensure that users can
gain access to an internal resource protected by ISA Server only if an access rule
or publishing rule grants access to that resource. If the access rule requires authentication, then the user must provide authentication credentials before they will be
granted access.
■ In some cases, you may want users to authenticate before they reach the internal
network. To enable this, you can configure the Web listener associated with the
publishing rule to require authentication. Another option for authentication is to
configure the internal Web server to require authentication. In this scenario,
ISA Server allows anonymous access to the published server, but the server
requests authentication. The third option is an authentication strategy that requires
that users authenticate on ISA Server as well as on the internal Web server.
■ ISA Server enables the use of RADIUS to authenticate users connecting to Web
servers. To implement RADIUS authentication, you need to implement a RADIUS
Server, configure ISA Server as a RADIUS client and then configure a Web listener
to use RADIUS authentication.
■ ISA Server 2004 enables the option to authenticate users based on authentication
credentials from the RSA SecurID product from RSA Security, Inc. The RSA SecurID
authentication system is a two-factor user authentication system. To implement RSA
SecurID authentication, you need to configure an RSA ACE/Server, configure ISA
Server as an RSA ACE/Client, and then configure a Web listener to use SecurID
authentication.
Case Scenario Exercises
In these exercises, you will plan an ISA Server 2004 publishing configuration for a fictitious organization. Read the scenario and then answer the question that follows. If
you have difficulty completing this work, review the material in this chapter before
beginning the next chapter. You can find answers to these questions in the “Questions
and Answers” section at the end of this chapter.
Scenario 1
You are the network administrator for your organization. You publish a public Web site
and a secure Web site on two separate servers in your perimeter network. Your organization has a head office and two branch offices. You have deployed a single Active
Directory domain. Users at the branch offices use the Internet to access your Web sites.
You need to ensure that only Domain Users have access to the secure site and only
members of the Managers group have access to the Sales folder of the secure site. You
need to ensure that all network traffic is encrypted from the client to the Web server
that is hosting the secure Web site. However, you also need to ensure that ISA Server
can inspect all traffic coming to the secure site from the Internet. You have deployed
ISA Server 2004 as an Internet-edge firewall at the branch offices and as a front-end
firewall at the head office. You want to provide access to the secure site in the most
cost-effective manner.
Scenario 1 Question
1. How will you configure the head office ISA Server computer and how will you
configure DNS to enable the required access?
Scenario 2
You are the network administrator for your organization. Your organization has just
opened a branch office. You have deployed ISA Server 2004 in a 3-Leg perimeter configuration at the head office and now deploy ISA Server as a Bastion Host at the branch
office. Users at the branch office need secure access to the IMAP and SMTP servers at
the head office. No other users or servers require secure access to the IMAP and SMTP
server from the Internet. You also host a Streaming Media server. You also need to publish a Web site for public access. The Web site includes links that reference content on
the Streaming Media server by its Universal Naming Convention (UNC) path.
Scenario 2 Question
1. How will you configure the head office ISA Server computer to publish these Web
services?
Troubleshooting Lab
In this lab, you will troubleshoot an ISA Server Web publishing issue. You have configured the Coho Vineyard Secure Site Web publishing rule to require SSL connections
from the Internet clients to the ISA Server computer. You have also configured the Web
publishing rule to require authentication. However, because the Web site contains confidential information, you also need to configure SSL connections from the ISA Server
computer to the back-end Web server.
Exercise 1: Configuring SSL Connections
1. On ISA1, in the ISA Server Management Console, click Firewall Policy.
2. Double-click Coho Vineyard Secure Site.
3. On the Bridging tab, clear the check box for Redirect Requests To HTTP Port.
Select the check box for Redirect Requests To SSL Port. Click OK.
4. Click Apply to apply the changes.
Exercise 2: Testing the Configuration
1. On SERVER1, open Internet Explorer.
2. Connect to https://secure.cohovineyard.com. When prompted to log on, enter the
user name and password of a domain user.
3. You will not be able to access the Web site.
Exercise 3: Enabling the SSL Connection
The SSL connection to the Web server failed because there is no certificate installed on DC1, so when ISA Server tried to bridge the SSL connection and
establish a new SSL connection with DC1, the connection failed.
1. On DC1, open Internet Information Services (IIS) Manager.
2. Expand DC1 and then expand Web Sites.
3. Right-click Default Web Site and click Properties.
4. On the Directory Security tab, click Server Certificate.
5. On the Welcome To The Web Server Certificate Wizard page, click Next.
6. On the Server Certificate page, click Create A New Certificate and then click Next.
7. On the Delayed or Immediate Request page, click Send The Request Immediately
To An Online Certification Authority. Click Next.
8. On the Name And Security Settings page, accept the default and click Next.
9. On the Organization Information page, type Coho Vineyards as the Organization
Name and Security as the Organizational Unit Name. Click Next.
10. On the Your Site’s Common Name page, type DC1.Cohovineyard.com. This
name must match the name that ISA Server is using to connect to the Web server.
11. On the Geographical Information page, enter your country and region information. Click Next.
12. On the SSL Port page, click Next.
13. On the Choose A Certification Authority page, click Next.
14. On the Certificate Request Submission page, click Next.
15. On the Completing The Web Server Certificate Wizard page, click Finish.
16. Under Secure Communications, click Edit. Click Require Secure Channel and then
click OK twice.
17. Close all open windows.
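The failure diagnosed in this exercise has two preconditions that you can check without the GUI: the back-end server must present a certificate, and the certificate's name must match the name ISA Server uses to connect to it. The following Python is an added example, not part of the training kit; the certificate dictionaries are constructed in the shape that Python's ssl module returns, and the function names are hypothetical.

```python
"""Check the SSL bridging precondition from the lab: the back-end Web server
needs a certificate whose name matches the name ISA Server connects to.
Added example; the sample certificate below is constructed, not captured."""
from typing import List, Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; '*' is accepted only as the whole leftmost
    label and only when at least two labels follow it (no '*.com')."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def names_in_cert(cert: dict) -> List[str]:
    """Names the certificate is valid for: SAN DNS entries if present,
    otherwise the subject commonName (the value typed in step 10)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def diagnose_bridge(cert: Optional[dict], server_name: str) -> str:
    """Return 'ok' or a short reason why the ISA-to-Web-server leg would fail."""
    if cert is None:
        return "no certificate on the back-end Web server; install one (Exercise 3)"
    names = names_in_cert(cert)
    if not names:
        return "certificate carries no DNS name"
    if any(_dns_name_matches(n, server_name) for n in names):
        return "ok"
    return f"name mismatch: ISA connects to {server_name!r} but certificate is for {names}"


# Constructed sample: the certificate requested in Exercise 3 (CN from step 10).
DC1_CERT = {
    "subject": ((("organizationName", "Coho Vineyards"),),
                (("organizationalUnitName", "Security"),),
                (("commonName", "DC1.Cohovineyard.com"),)),
}

if __name__ == "__main__":
    print(diagnose_bridge(None, "dc1.cohovineyard.com"))      # Exercise 2 state
    print(diagnose_bridge(DC1_CERT, "dc1.cohovineyard.com"))  # Exercise 4 state
    print(diagnose_bridge(DC1_CERT, "dc1"))                   # rule uses short name
```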
Exercise 4: Testing the Configuration
1. On SERVER1, open Internet Explorer.
2. Connect to https://secure.cohovineyard.com. When prompted to log on, enter the
user name and password of a domain user. The connection should be successful.
Chapter Summary
■ A Web publishing rule is a firewall rule that specifies how ISA Server will route
incoming requests to internal Web servers. Server publishing rules are firewall
rules that specify how ISA Server will route incoming requests to internal servers
using any available protocol. To provide name resolution for internally and externally accessible resources, you may need to implement a split DNS configuration.
■ Web publishing rules map incoming requests to the appropriate Web servers
located on the internal or perimeter network. A Web listener is an ISA Server configuration object that defines how the ISA Server computer listens for HTTP
requests and SSL requests. Path mapping is an ISA Server feature that enables
ISA Server to redirect user requests to multiple internal Web servers or to multiple
locations on the same Web server. Link translation is an ISA Server configuration
object that enables ISA Server to replace internal server names on Web pages with
server names that are accessible from the Internet.
■ Secure Web publishing rules are a special type of Web publishing rules that use
SSL to encrypt traffic between the server and client. SSL bridging means that the
ISA Server operates as the end point for an SSL connection. The SSL connection
could be between ISA Server and the client or between ISA Server and the internal
Web server. In SSL tunneling mode, a client establishes a tunnel through the computer running ISA Server directly to the internal Web server.
■ Server publishing rules are used on ISA Server to map a port number on an external interface of the ISA Server computer to the IP address of an internal server providing a specific service. Server publishing rules are fairly easy to configure. For
most rules, all you need to do is choose the protocol that you want to publish and
enter the IP address for the server that you are publishing. To troubleshoot
ISA Server Web and server publishing issues, check whether the resource is available on the local network, check name resolution, and then check the publishing
rule configuration.
■ Authentication and Web publishing rules work together to ensure that users can
gain access to an internal resource protected by ISA Server only if an access rule
or publishing rule grants access to that resource. If the access rule requires authentication, then the user must provide authentication credentials before they will be
granted access. You can configure authentication on ISA Server, on the internal
Web server, or on both. ISA Server enables the use of RADIUS as well as the use
of the RSA SecurID product from RSA Security, Inc. to authenticate users connecting to Web servers.
Exam Highlights
Before taking the exam, review the key points and terms that are presented in this
chapter. You need to know this information.
Key Points
■ One of the most common reasons why Web and server publishing rules fail is
because of DNS resolution errors. If you see an exam question where users on
one network can access a resource using the FQDN but users on another network
cannot, then check the DNS resolution configuration.
■ Firewall clients and Web proxy clients do not require a split DNS configuration to
access the internal Web sites, because they can use the Internet IP address to access the
internal server. However, SecureNAT clients cannot connect to the internal Web
servers using an Internet IP address, so you must deploy a split DNS configuration
for SecureNAT clients to access internal Web sites.
■ If the ISA Server computer has multiple network adapters or multiple IP
addresses associated with a specific network, remember that you can configure
Web listeners or server publishing rules to listen on one or all of the IP addresses
on that network.
■ If you use a server name as the published server when you configure a Web publishing rule, the ISA Server computer must be able to resolve the DNS name for the
internal Web server.
■ SSL settings are configured on each publishing rule. This means that you can have
one Web publishing rule that requires SSL connections to both client and server,
and have another rule that requires only SSL connections between the ISA Server
and the client computers. If you have multiple Web listeners (which requires multiple IP addresses on the relevant network), you can even use different certificates
to authenticate the ISA Server computer.
■ In order to redirect client requests to multiple back-end servers, you must configure multiple Web publishing rules. Each Web publishing rule can only redirect client
requests to a single Web server.
■ By default, Web publishing rules and secure Web publishing rules grant access to
the All Users user set, which includes anonymous, or unauthenticated, users. To
limit access to a Web publishing rule, remove the All Users user set and add the All
Authenticated Users or a specific user set.
■ If you are publishing resources using a server publishing rule, you can only configure authentication on the server hosting the internal resource. You cannot configure authentication on a server publishing rule.
Key Terms
link translation An ISA Server configuration object that enables ISA Server to
replace internal server names on Web pages with server names that are accessible
from the Internet.
pass-through authentication Refers to the ability of ISA Server to pass a client’s
authentication information to the destination server.
path mapping An ISA Server feature that enables ISA Server to redirect user
requests to multiple internal Web servers or to multiple locations on the same Web
server.
Remote Authentication Dial-In User Service (RADIUS) An industry-standard protocol used to provide authentication in heterogeneous environments.
server publishing rules Firewall rules that specify how ISA Server will route incoming requests to internal servers using any available protocol.
split DNS Uses two different DNS servers with the same DNS domain name to provide name resolution for internally and externally accessible resources. Both DNS
servers are authoritative for the same domain name.
SSL bridging Occurs when the ISA Server computer operates as the endpoint for an
SSL connection. The SSL connection could be between ISA Server and the client or
between ISA Server and the internal Web server.
SSL tunneling Occurs when a client establishes an SSL tunnel through the ISA Server
computer directly to the Web server using HTTPS.
Web listener An ISA Server configuration object that defines how the ISA Server
computer listens for HTTP requests and SSL requests. The Web listener defines the
network, IP address, and the port number on which ISA Server listens for client
connections.
Web publishing rule A firewall rule that specifies how ISA Server will route incoming requests to internal Web servers.
Questions and Answers
Page 8-11
Lesson 1 Review
1. You have deployed ISA Server 2004 as a Bastion Host. You need to provide a
secure method of publishing your Web site. You also need to be able to configure
ISA Server to inspect the contents of the packets to and from the Web server using
application filters. What feature of ISA Server 2004 makes this possible?
a. SSL Tunneling
b. Link Translation
c. SSL Bridging
d. Path Ma