Title: Installing and Maintaining ISA Server
Category: Course material
Pages: 45
Size: 2,28 MB


Page 1

Module 2: Installing and Maintaining ISA Server

Page 2

Installing ISA Server 2004

Choosing ISA Server Clients

Installing and Configuring Firewall Clients

Advanced Firewall Client Configuration

Securing ISA Server 2004

Maintaining ISA Server 2004

Page 3

Lesson: Installing ISA Server 2004

System and Hardware Requirements for ISA Server 2004

Installation Types and Components

Configuration Choices During Installation

How to Perform an Unattended Installation of ISA Server 2004

How to Verify an Installation of ISA Server 2004

Default Configuration for ISA Server 2004

How to Modify the ISA Server Installation

Upgrade Options from ISA Server 2000 to ISA Server 2004

Page 4

System and Hardware Requirements for ISA Server 2004

Windows Server 2000 or Windows Server 2003

CPU

RAM

Page 5

Installation Types and Components

Page 6

Configuration Choices During Installation

Page 7

Practice: Installing ISA Server 2004

Installing ISA Server 2004

Internet

Den-ISA-01

Den-DC-01

Page 8

How to Perform an Unattended Installation of ISA Server 2004

Why Use an Unattended Installation of ISA Server?

Modifying the Msisaund.ini File

[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
COMPANYNAME=Coho Vineyards
DONOTDELLOGS=1
DONOTDELCACHE=1
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
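An added example, not part of the course material: a Python check of the INTERNALNETRANGES property in an answer file like the one on this slide, run before the file is used for an unattended install. INTERNALNETRANGES defines the Internal network, so a mistyped range changes which addresses the firewall treats as internal. The comma-separated multi-range form and the policy of flagging anything outside RFC 1918 space are assumptions of this example, and the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample mirroring the slide's answer file (product key redacted).
SAMPLE_INI = r"""
[Setup Property Assignment]
PIDKEY=xxxxxxxxxxxxxxxxxxxxxxxxx
INTERNALNETRANGES=1 192.168.1.0-192.168.1.255
INSTALLDIR=C:\Program Files\Microsoft ISA Server
ADDLOCAL=MSFirewall_Management,MSFirewall_Services,Message_Screener,MSDE
"""

# Assumed policy for this example: the Internal network must be RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_internal_ranges(value):
    """Parse 'N from-to[,from-to...]' into a list of (start, end) addresses."""
    count_text, _, ranges_text = value.strip().partition(" ")
    ranges = []
    for item in filter(None, (r.strip() for r in ranges_text.split(","))):
        start_text, sep, end_text = item.partition("-")
        if not sep:
            raise ValueError(f"range without '-': {item!r}")
        start = ipaddress.IPv4Address(start_text.strip())
        end = ipaddress.IPv4Address(end_text.strip())
        if start > end:
            raise ValueError(f"range start after end: {item!r}")
        ranges.append((start, end))
    if int(count_text) != len(ranges):
        raise ValueError(f"declared {count_text} ranges, found {len(ranges)}")
    return ranges

def audit_answer_file(text):
    """Return findings about the Internal network ranges in an answer file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    value = cp["Setup Property Assignment"]["INTERNALNETRANGES"]
    for start, end in parse_internal_ranges(value):
        # Split the range into CIDR blocks; each must sit inside RFC 1918 space.
        for net in ipaddress.summarize_address_range(start, end):
            if not any(net.subnet_of(p) for p in RFC1918):
                findings.append(f"{start}-{end} has non-RFC 1918 block {net}")
                break
    return findings

if __name__ == "__main__":
    print(audit_answer_file(SAMPLE_INI) or "INTERNALNETRANGES is RFC 1918 only")
```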

Page 9

How to Verify an Installation of ISA Server 2004

Verify that the ISA Server services are installed and started

Verify that the MSDE services are installed and started

Review the setup log files

Check the Application Log in the Event Viewer

Check for ISA Server Alerts

Page 10

Default Configuration for ISA Server 2004

Only Administrators can modify firewall policies

Traffic is routed between the ISA Server and all other networks

Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation

Traffic is routed between the VPN network and the Internal network

System policy permits access to the ISA Server but access rules deny all network traffic through the ISA Server

No servers are published

Web Proxy requests will be retrieved directly from the Internet

Caching is disabled

A rule enabling access to the Firewall Client installation share is configured if you install the Firewall Client installation files

Page 11

Practice: Verifying the Installation and Default Configuration of ISA Server 2004

Verifying the successful installation of ISA Server 2004

Examining the default installation of ISA Server 2004

Internet

Den-ISA-01

Den-DC-01

Page 12

How to Modify the ISA Server Installation Options

Page 13

Upgrade Options from ISA Server 2000 to ISA Server 2004

In-Place Upgrade: ISA Server 2000; Install ISA Server 2004

Migration: ISA Server 2000; Extract the ISA Server 2000 configuration; Install ISA Server 2004; Import the ISA Server Configuration

Page 14

Lesson: Choosing ISA Server Clients

Types of ISA Server Clients

How to Configure a SecureNAT Client

How to Configure Web Proxy Clients

Guidelines for Choosing an ISA Server Client

Page 15

Types of ISA Server Clients

Web Proxy Client: Improves the performance of Web requests for internal clients

Firewall Client: Allows Internet access only for authenticated users

SecureNAT Client: Does not require you to deploy client software

ISA Server

Internet

Page 16

How to Configure a SecureNAT Client

SecureNAT clients do not require client installation or client configuration

On a single subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway

On a multiple subnet network, configure the IP address of the router as the SecureNAT client default gateway

Page 17

How to Configure Web Proxy Clients

Page 18

Guidelines for Choosing an ISA Server Client

Avoid deploying client software: SecureNAT clients

Use ISA Server only for forward caching: SecureNAT or Web Proxy clients

Allow access only for authenticated clients: Firewall clients or Web Proxy clients

Publish servers on your internal network: SecureNAT clients

Improve Web performance for non-Windows operating systems: SecureNAT or Web Proxy clients

Page 19

Practice: Configuring SecureNAT and Web Proxy Clients

Configuring ISA Server to log client connections

Configuring and testing a SecureNAT client

Configuring and testing a Web Proxy client

Den-ISA-01

Den-DC-01

Den-Clt-01

Page 20

Lesson: Installing and Configuring Firewall Clients

How to Configure Firewall Client Settings

The Firewall Client Installation and Configuration Process

Options for Automating the Firewall Client Installation

Page 21

How to Configure Firewall Client Settings

Page 22

The Firewall Client Installation and Configuration Process

The Firewall Client:

Uses a common Winsock service provider that other Winsock applications use to connect to application servers

Intercepts Winsock client application calls for remote application servers and redirects the request to ISA Server

Install the Firewall Client:

From the Firewall Client share on the computer running ISA Server or another network share

Page 23

Practice: Installing the Firewall Client

Configuring the Firewall Client settings on ISA Server

Installing the Firewall Client

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01

Page 24

Options for Automating the Firewall Client Installation

SMS package distributed to specific clients using SMS

Page 25

Lesson: Advanced Firewall Client Configuration

Advanced Firewall Client Configuration Options

Firewall Client Configuration Files

What Is the Automatic Discovery Feature?

Page 26

Advanced Firewall Client Configuration Options

Locallat.txt:

A client computer-specific file that defines local addresses for that client

The client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the local IP addresses

Advanced Firewall Client settings:

Can be configured locally for each user and for each computer

Configure changes to Firewall Client ini files

Page 27

Firewall Client Configuration Files

Persistent=1

ForceCredentials=1

NameResolutionForLocalHost=L

Page 28

What Is the Automatic Discovery Feature?

Where is Lon-ISA-02?

DNS or DHCP Server

Den-ISA-01

Query DHCP or DNS for a WPAD entry

WPAD: Den-ISA-01

Request Configuration File

Firewall Client Configuration

Page 29

Practice: Configuring Automatic Discovery

Configure the ISA Server for Automatic Discovery

Configure DHCP for Automatic Discovery

Configure DNS for Automatic Discovery

Internet

Den-ISA-01

Den-DC-01

DNS Server

DHCP Server

Den-Clt-01

Page 30

Lesson: Securing ISA Server 2004

ISA Server and Defense in Depth

About Using Security Templates to Secure the Server

Methods for Implementing Security Updates

Guidelines for Enabling Only Required Services

How to Secure the Network Interfaces

Configuring Administrative Roles

Best Practices for Securing the Server

Page 31

ISA Server and Defense in Depth

Security at all levels:

- Increases an attacker’s risk of detection

- Reduces an attacker’s chance of success

Data: ACLs, encryption, EFS

Application: Application hardening, antivirus

Operating Systems: OS hardening, authentication, patch management, HIDS

Internal Network: Network segments, IPSec, NIDS

Perimeter: Firewalls, Network Access Quarantine Control

Physical Security: Guards, locks, tracking devices

Policies, Procedures, & Awareness: User education

Page 32

About Using Security Templates to Secure the Server

Configure one security template and then apply it to multiple computers, or reapply the template occasionally to the same computers to ensure that the security settings are not changed

Use the Security Templates MMC snap-in to apply the security templates to ISA Servers

Apply the security template through Group Policies at a domain or organizational unit level

Page 33

Methods for Implementing Security Updates

Monitor security updates to know what security updates are available and the security issues each update is designed to fix

Use tools like Microsoft Baseline Security Analyzer, Windows Update Service, Microsoft Windows Update Services, and Systems Management Server to implement security updates

Implement security updates on ISA Server only after thorough evaluation and testing

Page 34

Guidelines for Enabling Only Required Services

Enable only required services

Minimize the number of Windows 2000 and Windows Server 2003 built-in services

Page 35

How to Secure the Network Interfaces

Secure the External Network Interface

- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks

- Disable NetBIOS over TCP/IP

- Disable LMHOSTS lookup

- Disable automatic DNS name registration

Configure the Internal Network Interface

- Disable components if not required

Page 36

Configuring Administrative Roles

ISA Server Administrative Roles

ISA Server Full Administrator: Can perform all administrative tasks

Page 37

Best Practices for Securing the Server

Securing ISA Server

Do Not Install ISA Server on a Domain Controller

Avoid Installing an Internet Edge Server on a Domain Member

Rename the Administrator Account

Disable Unused Functionality

Apply Windows Server Security Best Practices

Page 38

Practice: Securing the ISA Server

Configuring Active Directory for Securing ISA Server

Configuring Security on Den-ISA-01

Internet

Den-ISA-01

Den-DC-01

Den-Clt-01

Page 39

Lesson: Maintaining ISA Server 2004

About Monitoring the Server Running ISA Server

About Exporting and Importing the ISA

Page 40

About Monitoring the Server Running ISA Server

ISA Server monitoring tasks include:

Monitor Event Viewer: Includes information about service failures, application errors, and warnings

Use the ISA Server Dashboard: Single interface for ISA alerts and performance

Review the ISA Server Alerts: Includes information about service conditions and error conditions

Monitor Server Performance: Use the pre-configured ISA Server Performance Monitor console

Page 41

About Exporting and Importing the ISA Server Configuration

Use export and import to clone an ISA Server, to save a configuration for troubleshooting, or to roll back a configuration change

You can export the entire ISA Server configuration, or any individual or group of configuration settings

Importing a configuration overwrites all settings from the exported file

Page 42

About Backing Up and Restoring the ISA Server Configuration

Use backup to create a configuration file that can be used for disaster recovery

Backup creates a file with the entire ISA Server

Page 43

Remote Administration Options for ISA Server

Use remote administration to manage physically secured servers or servers in other offices

Use Remote Desktop or Terminal Services to manage all settings on the server running ISA Server

Configure the server running ISA Server to enable Remote Desktop and configure System Policy to enable remote MMC management

Use the ISA Server Management MMC to manage ISA Server settings remotely

Posted: 27/02/2014, 05:20