
ISA server 2006 ronald beekelaar Lab Manual



Document information

Pages: 171
Size: 1.18 MB



ISA Server 2006

Lab Manual


Lab version 3.0f (6-Aug-2006)


Lab Summary

Contents

There are nine modules in this lab. You can complete each of these lab modules independent of the other modules.

- The monitor icons indicate which virtual machines are needed.
- The 06 code indicates exercises that are specific to ISA Server 2006.
- The EE code indicates exercises that are specific to ISA Server Enterprise Edition.
- The up arrow indicates exercises that depend on the previous exercise.

Lab Summary 2

Module A: Introduction to ISA Server 6

Exercise 1 Exploring the User Interface 6

Exercise 2 Ease of Use: Multiple Networks 10

Exercise 3 Ease of Use: Single Rule Base 14

Exercise 4 Ease of Use: Monitoring 17

Module B: Configuring Outbound Internet Access 19

Exercise 1 Allowing Outbound Web Access from Client Computers 19

Exercise 2 Enabling the Use of the Ping command from Client Computers 23

Exercise 3 Allowing Outbound Access from the ISA Server 25

Exercise 4 Configuring ISA Server 2006 for Flood Resiliency 27

Module C: Publishing Web Servers and Other Servers 32

Exercise 1 Publishing a Web Server in the Internal Network 32

Exercise 2 Publishing the Web Server on the ISA Server Computer 36

Exercise 3 Performing Link Translation on a Published Web Server 40

Exercise 4 Using Cross-Site Link Translation to Publish SharePoint Server 42

Exercise 5 Publishing a Web Farm for Load Balancing 46

Exercise 6 Publishing Multiple Terminal Servers 54

Module D: Publishing an Exchange Server 60

Exercise 1 Publishing Exchange Web Access - Certificate Management 60

Exercise 2 Publishing an Exchange Server for SMTP and POP3 67

Exercise 3 Publishing an Exchange Server for Outlook (RPC) 69

Exercise 4 Publishing an Exchange Server for RPC over HTTP 72

Module E: Enabling VPN Connections 82

Exercise 1 Configuring ISA Server to Accept Incoming VPN Connections 82

Exercise 2 Configuring a Client Computer to Establish a VPN Connection 85

Exercise 3 Allowing Internal Network Access for VPN Clients 88

Exercise 4 Configuring VPN Quarantine on ISA Server 90

Exercise 5 Creating and Distributing a Connection Manager Profile 95

Exercise 6 Using VPN Quarantine on the Client Computer 101

Module F: ISA Server 2006 as Branch Office Gateway 105

Exercise 1 Configuring HTTP Compression to Reduce Bandwidth Usage 105

Exercise 2 Configuring ISA Server to Cache BITS Content 112

[Table of required virtual machines per exercise: columns Den (Denver), Par (Paris), Flo (Florence), Fir (Firenze) and Ist (Istanbul). The monitor icon marks did not survive extraction.]


Exercise 3 Configuring DiffServ Settings to Prioritize Network Traffic 116

Module G: Enterprise Management of ISA Servers 119

Exercise 1 Enterprise Policies and Array Policies 119

Exercise 2 Remote Management and Role-based Administration 126

Exercise 3 Working with Configuration Storage Servers (Optional) 132

Module H: Configuring Load Balancing 138

Exercise 1 Configuring Network Load Balancing (NLB) 138

Exercise 2 Examining Details on NLB 146

Exercise 3 Using CARP to Distribute Cache Content 156

Exercise 4 Using CARP and Scheduled Content Download Jobs 164

Module I: Using Monitoring, Alerting and Logging 170

Exercise 1 Monitoring the ISA Server 170

Exercise 2 Checking Connectivity from the ISA Server 173

Exercise 3 Logging Client Computer Access 176


Lab Setup

To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, which is an application that allows you to run multiple virtual computers on the same physical hardware. During the lab you will switch between different windows, each of which contains a separate virtual machine running Windows Server 2003.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

- To issue the Ctrl-Alt-Del keyboard combination inside a virtual machine, use <right>Alt-Del instead.
- To enlarge the size of the virtual machine window, drag the right bottom corner of the window.
- To switch to full-screen mode, and to return from full-screen mode, press <right>Alt-Enter.

Lab Computers

The lab uses five computers in virtual machines.

Denver.contoso.com (green) is the domain controller for the contoso.com domain on the Internal network. Denver runs DNS, RADIUS, Exchange 2003 SP1, SharePoint Services 2.0 and is also the Certification Authority (CA).

Istanbul.fabrikam.com (purple) is a Web server and client computer on the External network (Internet). Istanbul runs Outlook 2003. Istanbul is not a member of a domain.

Paris (red) runs ISA Server 2006 Standard Edition. Paris has three network adapters, which connect to the Internal network, the Perimeter network and the External network (Internet). The Perimeter network is not used in this lab.

Florence (red) and Firenze (red) run ISA Server 2006 Enterprise Edition. Both computers have three network adapters. Florence and Firenze are in an array named Italy. Only Florence runs the Configuration Storage server (CSS).


The computers cannot communicate with the host computer.

To allow you to examine and understand the traffic on the network, Microsoft Network Monitor 5.2, which is part of Windows Server 2003, is installed in each virtual machine.

To start the lab

Before you can do any of the lab modules, you need to start the virtual machines, and then you need to log on to the computers. In each exercise you only have to start the virtual machines that are needed.

To start any virtual machine:

1. On the desktop, double-click the shortcut Open ISA 2006 Lab Folder.
2. In the lab folder, double-click any of the Start computer scripts. (For example: double-click Start Paris to start the Paris computer.)
3. When the logon dialog box has appeared, log on to the computer.

To log on to a computer in a virtual machine:

1. Press <right>Alt-Del (instead of Ctrl-Alt-Del) to open the logon dialog box.
2. Type the following information:
   User name: Administrator
   and then click OK.
3. You can now start with the exercises in this lab manual.

Enjoy the lab!

Comments and feedback

Please send any comments, feedback or corrections regarding the virtual machines or the lab manual to:

Ronald Beekelaar
v-ronb@microsoft.com



Module A: Introduction to ISA Server

Exercise 1

Exploring the User Interface

In this exercise, you will explore the user interface of ISA Server.

Note that the steps in this exercise and the other exercises in this module do not enable, configure or test the functionality of ISA Server. In later modules, the functionality is configured and used in scenarios.

Note: This lab exercise uses the following computer: Paris

Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the task pane.

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

configuration of the ISA server is done.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Add-ins.

Note: The Add-ins node is only used here as an example to start the exploration of the new user interface.

parts:

- The tree pane (or left pane) - This pane contains a short list of nodes. The nodes logically group related management or configuration settings.
- The details pane (or right pane) - For each node in the left pane, the details pane contains detailed information related to the node. The details pane may contain several tabs, such as Application Filters and Web Filters for the Add-ins node.
- The task pane - The task pane contains a Tasks tab with relevant commands for the selected node in the tree pane, or for the configuration element in the details pane. The task pane also contains a Help tab with context-sensitive help for the selected node or configuration element.

c. Drag the vertical divider between the tree pane (left) and the details pane, to make the details pane area larger or smaller.

d. On the vertical divider between the details pane and the task pane, click the arrow button.

for the details pane.

e. Click the arrow button again.

task pane.

f. Ensure that in the left pane, the Add-ins node is selected, and then in the right pane, on the Web Filters tab, select (for example) RADIUS Authentication Filter.

a configuration element (a web filter in this example) is selected in the right pane.

g. In the right pane, right-click RADIUS Authentication Filter.

filter. (Do not click a command on the menu.)

or select from a more extensive list of commands by right-clicking the configuration element.

h. In the task pane, select the Help tab.

information related to the selected configuration element.

i. In the task pane, select the Tasks tab.

The following task is related to the use of Virtual PC.

2. Explore how you can make the Virtual PC window larger, or switch to full-screen mode.

a. Drag the bottom right corner of the Paris window, to make the window larger or smaller.

system, which allows you to select any arbitrary resolution, by dragging the bottom right corner of the Virtual PC window.

b. Press the Ctrl key, and then drag the bottom right corner of the Virtual PC window, to snap the window size to standard resolutions, such as 800x600.

c. Press <right>Alt-Enter.

d. If a warning message box appears, click Continue to confirm that you can press <right>Alt-Enter again to return from full-screen mode.

<right>Alt-Enter. The resolution of the guest operating system is automatically adjusted to fill the entire screen of the host computer. You may need to maximize the ISA Server console window, in order to use the entire screen.

Virtual PC calls the <right>Alt key the "host key".

e. Press <right>Alt-Enter again to return from full-screen mode.

3. Explore the main nodes in the ISA Server console:

- Configuration
- Networks
- Firewall Policy
- Monitoring

a. In the ISA Server console, in the left pane, select Configuration.

main areas of configuration:

- Configuration node - This node contains all configuration settings that are relatively static. This includes Networks configuration, Cache configuration, Add-ins (application filters and Web filters) and General. You would typically not change the configuration of those elements very often. ISA Server 2006 Enterprise Edition also has a Servers node.
- Firewall Policy node - This node contains a single list of all the access rules (outgoing) and the publishing rules (incoming). These rules will change more often, since they reflect the business rules and firewall access policy of a company.

b. In the left pane, select Networks.

connected to the ISA Server. Network rules are defined between each network. This includes networks directly connected by network adapters such as External, Internal and Perimeter, virtual networks such as all the VPN Clients and Quarantined VPN Clients, and special networks such as Local Host.

policy rules is done by selecting a network template from the Templates tab in the task pane.

(Do not change the network template now.)

c. In the left pane, select Firewall Policy.

publishing rules.

configuration.

d. If the task pane is closed, click the arrow button to open the task pane.

tab named Toolbox. This tab has 5 sliding sections (Protocols, Users, Content Types, Schedules and Network Objects) that list all the rule elements that you can use in the access rules and publishing rules.

e. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols.

new access rules or publishing rules are created.

f. In the task pane, on the Toolbox tab, click the Users heading, and then click New.

users (from Windows, RADIUS or SecurID) and groups, defined together in a single set. You can apply an access rule or publishing rule to one or more user sets.

g. Click Cancel to close the New User Set Wizard.

h. In the left pane, select Monitoring.

Sessions, Services, Reports, Connectivity Verifiers and Logging) that allow you to monitor, control, investigate, troubleshoot and plan firewall operations. ISA Server 2006 Enterprise Edition also has a Configuration tab.

a running System Performance monitor that displays a real-time graph of the current rate of allowed and dropped packets.

i. On the Dashboard tab, click the Sessions summary box header.

displays the client sessions that are currently active on the ISA Server. If you only want to see specific sessions, you can filter the session list.

lab module.

4. Explore the Export and Import configuration commands.

a. In the ISA Server console, in the left pane, right-click Paris.

The context menu of the Paris node contains Export and Import commands. You can use these commands to export configuration settings to an XML file, and import the settings later at this computer or at another computer.

of almost all the nodes in the left pane. This includes the Networks node, the Firewall Policy node and even individual rules and rule elements.


Exercise 2

Ease of Use: Multiple Networks

In this exercise, you will explore how ISA Server uses multiple networks.

Note: This lab exercise uses the following computer: Paris

Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore how ISA Server uses multiple networks with IP address ranges, instead of the concept of a Local Address Table (LAT).

a. On the Paris computer, in the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select Networks.

ISA Server 2006, in comparison with ISA Server 2000, is the concept of multiple networks connected to the ISA Server, which are all treated similarly for configuration purposes.

and Destination network.

b. In the right pane, on the (lower) Networks tab, right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Addresses tab.

- ISA Server 2004 and ISA Server 2006 - The IP addresses of the Internal network only define what network interfaces are included in the network named Internal. Other networks, such as Perimeter, are defined in a similar fashion. There is no equivalent to ISA Server 2000's Local Address Table (LAT). The application of packet filters, rules and Network Address Translation (NAT) or routing of IP packets is configured separately.
- ISA Server 2000 - The LAT is a very significant part of the configuration of ISA Server. It automatically determines on which network interface packet filters are applied and where NAT or routing of IP packets is performed.

d. Click Cancel to close the Internal Properties dialog box.

range 23.1.1.0 - 23.1.1.255. The Local Host network is defined as the ISA Server computer itself. All other IP addresses belong to the External network.

The VPN Clients and Quarantined VPN Clients networks have dynamic membership and contain connecting VPN client computers.

e. On the Network Sets tab, right-click All Protected Networks, and then click Properties.

f. In the All Protected Networks Properties dialog box, select the Networks tab.

in firewall policy rules as well. This makes it easy to refer to all networks, or all related networks. You can define additional network sets.

existing networks, EXCEPT the External network.

Networks and Network Sets at the enterprise level, so that they can be used in all ISA Server arrays. With enterprise networks, individual array administrators don't need to be aware of changes in the larger corporate networks. Changes to an enterprise network take effect without requiring an array administrator to make changes to an individual array.

g. Click Cancel to close the All Protected Networks Properties dialog box.

h. On the Start menu, click Control Panel, and then click Network Connections.

has three network adapters. To avoid confusion in the lab exercises, the network adapters on Paris were renamed as part of the lab setup from Local Area Connection (#2 and #3) to External Connection, Internal Connection and Perimeter Connection.

i. Click the Start button again to close the Start menu.

2. Explore how Network Rules define Network Address Translation (NAT) or routing of IP packets between networks. For demonstration purposes, create and discard a new network rule.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the right pane, select the Network Rules tab.

client source address with ISA Server address) or Route (use client source address in request) for traffic between each pair of networks or network sets, if the firewall policy allows network traffic between these networks.

computer and all networks (rule 1), between the VPN networks and the Internal network (rule 2) and between the Perimeter network and the External network (rule 4).

It uses NAT for all traffic from the Internal and VPN networks to the Perimeter network (rule 3) and from the Internal and VPN networks to the External network (rule 5).

Route network rules automatically work in both directions. NAT network rules are defined in one direction. If there is no network rule defined between two networks, ISA Server does not allow traffic between those networks.

c. In the task pane, on the Tasks tab, click Create a Network Rule.

d. In the New Network Rule Wizard dialog box, in the Network rule name text box, type VPN Perimeter Access, and then click Next.

e. On the Network Traffic Sources page, click Add.

f. In the Add Network Entities dialog box, click Networks, click VPN Clients, and click Add, and then click Close to close the Add Network Entities dialog box.

g. On the Network Traffic Sources page, click Next.

h. On the Network Traffic Destinations page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Perimeter, and click Add, and then click Close to close the Add Network Entities dialog box.

j. On the Network Traffic Destinations page, click Next.

k. On the Network Relationship page, select Route, and then click Next.

l. On the Completing the New Network Rule Wizard page, click Finish.

from computers on the VPN Clients network to the Perimeter network.

Note: The new network rule is not applied yet.

demonstration purposes. Do not apply the new rule to ISA Server.

m. On the top of the right pane, click Discard to remove the unsaved changes, such as the new VPN Perimeter Access rule.

n. Click Yes to confirm that you want to discard the changes.
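The network-rule behaviour described in this task (Route rules apply in both directions, NAT rules in one direction, and no rule means no traffic) is easy to get wrong when editing rules by hand. The following added example, which is not code from the lab manual or from ISA Server, models the five rules the manual describes on Paris and answers "what relationship does ISA Server use from network X to network Y?". The rule names, the position of the discarded VPN Perimeter Access rule (placed before rule 3) and the treatment of publishing rules are assumptions.

```python
"""Added example: a model of how ISA Server network rules decide between NAT and
Route for a pair of networks, following the behaviour described in Exercise 2.
Illustrative code only; this is not ISA Server's own logic or API."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Networks that exist on Paris in the lab (Exercise 2, step 1).
NETWORKS = frozenset({"Local Host", "Internal", "Perimeter", "External",
                      "VPN Clients", "Quarantined VPN Clients"})
# Built-in network sets: All Protected Networks is every network EXCEPT External.
NETWORK_SETS = {
    "All Networks": NETWORKS,
    "All Protected Networks": NETWORKS - {"External"},
}
VPN_NETWORKS = ("VPN Clients", "Quarantined VPN Clients")


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    relation: str  # "Route" or "NAT"


def expand(entities: Iterable[str]) -> FrozenSet[str]:
    """Expand network-set names into member networks; plain networks pass through."""
    members = set()
    for entity in entities:
        members |= NETWORK_SETS.get(entity, frozenset({entity}))
    return frozenset(members)


def make_rule(name: str, sources, destinations, relation: str) -> NetworkRule:
    return NetworkRule(name, expand(sources), expand(destinations), relation)


# The five rules the manual describes on Paris, in rule order. The rule names are
# constructed for readability; the manual refers to the rules only by number.
DEFAULT_RULES: List[NetworkRule] = [
    make_rule("rule 1: Local Host access", ["Local Host"], ["All Networks"], "Route"),
    make_rule("rule 2: VPN to Internal", VPN_NETWORKS, ["Internal"], "Route"),
    make_rule("rule 3: Internal/VPN to Perimeter", ["Internal", *VPN_NETWORKS], ["Perimeter"], "NAT"),
    make_rule("rule 4: Perimeter to External", ["Perimeter"], ["External"], "Route"),
    make_rule("rule 5: Internal/VPN to External", ["Internal", *VPN_NETWORKS], ["External"], "NAT"),
]

# The rule created and then discarded in step 2 (assumption: it is placed in front
# of rule 3, so that it takes precedence for VPN Clients -> Perimeter).
VPN_PERIMETER_ACCESS = make_rule("VPN Perimeter Access", ["VPN Clients"], ["Perimeter"], "Route")
RULES_WITH_VPN_PERIMETER = [VPN_PERIMETER_ACCESS] + DEFAULT_RULES


def relationship(src: str, dst: str, rules: List[NetworkRule] = DEFAULT_RULES) -> Optional[str]:
    """Return "Route", "NAT", or None when no network rule covers src -> dst.

    None means ISA Server passes no traffic between the two networks, even if an
    access rule allows it. A NAT relation only matches in the direction the rule is
    defined; the reverse direction is the domain of publishing rules (Module C) and
    is deliberately not modelled here. The first matching rule wins, as in the
    ordered Network Rules list.
    """
    for rule in rules:
        forward = src in rule.sources and dst in rule.destinations
        reverse = src in rule.destinations and dst in rule.sources
        if forward or (rule.relation == "Route" and reverse):
            return rule.relation
    return None


def unreachable_pairs(rules: List[NetworkRule] = DEFAULT_RULES) -> List[tuple]:
    """Ordered network pairs with no relationship at all: a quick sanity check after
    editing network rules, to see which paths the rule set silently cuts off."""
    return sorted((s, d) for s in NETWORKS for d in NETWORKS
                  if s != d and relationship(s, d, rules) is None)
```

Run `unreachable_pairs()` before and after a change to see exactly which network pairs a new or deleted rule opens or closes.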


3. Explore how network templates are used to configure network rules and firewall policy rules.

a. In the ISA Server console, in the left pane, ensure that Networks is selected.

b. In the task pane, select the Templates tab.

network topologies. They can be used to configure the network rules between networks and the firewall policy rules. The graphic associated with each network template helps you understand the selected network topology.

3-Leg Perimeter, Front Firewall, Back Firewall and Single Network Adapter).

1. Install network adapters and assign IP addresses.
2. Install the ISA Server software. The installation wizard asks you to specify the IP addresses of the Internal network.
3. Open the ISA Server console and select the Network Template that most closely matches your network topology.
4. Modify the created firewall policy rules to meet specific security requirements. For example, limit access to specific users.

Note: Installing ISA Server 2006 Enterprise Edition also includes a step to install the Configuration Storage Server, which stores the configuration information of all ISA Server arrays.

c. On the Templates tab, click 3-Leg Perimeter.

Note: 3-Leg Perimeter is already the current active network template on Paris. It matches most closely the network topology of the lab environment. For demonstration purposes, this task explores the Network Template Wizard without changing any settings.

d. In the Network Template Wizard dialog box, click Next.

backup (XML) file, which can be restored later.

e. On the Export the ISA Server Configuration page, click Next.

f. On the Internal Network IP Addresses page, click Next.

g. On the Perimeter Network IP Addresses page, click Next.

sets. These firewall policies allow you to start with a set of firewall policy rules that best matches your network and security policy.

h. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Allow limited Web access, allow access to network services on Perimeter network.

i. In the Description list box, scroll to the end of the text to see a description of the firewall policy rules that are created, if this firewall policy is selected.

j. On the Select a Firewall Policy page, click Next.

k. On the Completing the Network Template Wizard page, click CANCEL (do NOT click Finish).

not changed.

4. Explore the client support configuration settings per network.

a. In the ISA Server console, in the left pane, ensure that Networks is selected, and then in the right pane, select the (lower) Networks tab.

b. Right-click Internal, and then click Properties.

c. In the Internal Properties dialog box, select the Firewall Client tab.

selected network (Internal) can access other networks such as the Internet, through ISA Server, by using the Firewall Client software (port 1745).

d. Select the Web Proxy tab.

selected network (Internal) can access other networks through ISA Server, by using a Web Proxy client such as a Web browser (port 8080).

e. Click Cancel to close the Internal Properties dialog box.

Exercise 3

Ease of Use: Single Rule Base

In this exercise, you will explore how ISA Server uses a single list of firewall rules.

Note: This lab exercise uses the following computer: Paris

Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer, explore the single firewall policy rule list.

Create an access rule:
Name: Allow Web traffic to

b. In the right pane, on the Firewall Policy tab, select Default rule.

Note: New rules are added to the rule list before the currently selected rule. Although it does not make a difference when only the default rule exists, it is a good practice to always explicitly select an existing rule before creating a new rule.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box, click Web, click HTTP, and click Add, and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box, click Networks, click Internal, and click Add, and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box, click Networks, click External, and click Add, and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

from the Internal network to the External network for all users. The External network represents the Internet.

q. Do NOT click Apply to apply the new rule.

2. Add the HTTPS and FTP protocols to the Allow Web traffic to Internet access rule.

a. In the task pane, on the Toolbox tab, in the Protocols section, click Web.

b. Drag HTTPS from the Toolbox to HTTP in the Protocols column of the Allow Web traffic to Internet access rule.

c. Drag FTP from the Toolbox to HTTP/HTTPS in the Protocols column of the Allow Web traffic to Internet access rule.

d. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.

firewall policy rule, you can also right-click on the rule, and select Properties, as is shown in the next task.

3. Explore the properties of the Allow Web traffic to Internet access rule.

a. Right-click the Allow Web traffic to Internet access rule, and then click Properties.

b. In the Allow Web traffic to Internet Properties dialog box, on the Protocols tab, click Add.

c. In the Add Protocols dialog box, click Common Protocols.

also add non-TCP/UDP protocols, such as Ping (ICMP), to the access rule.

d. Click Close to close the Add Protocols dialog box.

e. On the To tab, click Add.

the External network, you can limit access to specific destinations by using any of the other network entities (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets and Computer Sets).

f. Click Close to close the Add Network Entities dialog box.

g. On the From tab, click Add.

h. In the Add Network Entities dialog box, click Networks.

can be used as the source network in an access rule.

i. Click Close to close the Add Network Entities dialog box.

j. Click Cancel to close the Allow Web traffic to Internet Properties dialog box.

4. Explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule. For demonstration purposes, configure the rule to block HTTP traffic from MSN Messenger.

application level filtering, or content filtering. HTTP packets that do not meet the specifications on the General tab are blocked.

tunnel protocol, because the HTTP port 80 is configured to be allowed through most firewalls. Application level filtering can block HTTP traffic that does not conform to the protocol specification, or unwanted HTTP applications or content.

These settings, such as limiting the maximum URL length, would have blocked the exploitation of vulnerabilities described in more than 40 different Microsoft Security Bulletins, between MS98-003 and now.

c. On the Signatures tab, click Add.

d. In the Signature dialog box, complete the following information:
   Name: MSN Messenger traffic
   Search in: Request headers
   HTTP Header: User-Agent
   Signature: MSMSGS
   and then click OK.

e. Click OK to close the Configure HTTP policy for rule dialog box.

traffic from a Web browser, but it will block HTTP traffic from MSN Messenger.
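To make concrete what the HTTP filter settings in this task do, here is an added example (not code from the lab manual or from ISA Server) that models two of the checks: the General-tab maximum URL length and a signature that searches one request header, applied to constructed sample requests. The default URL limit of 10240 bytes, plain substring matching for signatures, and the Messenger gateway host name are assumptions.

```python
"""Added example: a simplified model of the per-rule HTTP policy checks used in
Exercise 3, step 4 (maximum URL length and a request-header signature).
Illustrative code only; this is not ISA Server's HTTP filter."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    search_in: str         # "Request headers", "Request URL" or "Request body"
    http_header: str = ""  # header to inspect when search_in is "Request headers"
    signature: str = ""    # pattern to look for (substring match, an assumption)


@dataclass
class HttpPolicy:
    # 10240 bytes is assumed as the General-tab default; the lab does not state it.
    max_url_length: int = 10240
    signatures: List[Signature] = field(default_factory=list)


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes = b""


REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> HttpRequest:
    """Parse a raw HTTP/1.x request; malformed framing raises ValueError."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(match.group(1), match.group(2), headers, body)


def evaluate(policy: HttpPolicy, req: HttpRequest) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("block", reason) for one parsed request."""
    if len(req.url) > policy.max_url_length:
        return "block", "URL longer than %d bytes" % policy.max_url_length
    for sig in policy.signatures:
        if sig.search_in == "Request headers":
            hit = sig.signature in req.headers.get(sig.http_header.lower(), "")
        elif sig.search_in == "Request URL":
            hit = sig.signature in req.url
        elif sig.search_in == "Request body":
            hit = sig.signature.encode("iso-8859-1") in req.body
        else:
            hit = False
        if hit:
            return "block", "signature '%s' matched in %s" % (sig.name, sig.search_in)
    return "allow", None


def check(policy: HttpPolicy, raw: bytes) -> Tuple[str, Optional[str]]:
    """Parse and evaluate; requests that do not parse are blocked, not passed."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return "block", str(exc)
    return evaluate(policy, req)


# The signature configured in step 4d of the exercise.
MSN_POLICY = HttpPolicy(signatures=[
    Signature("MSN Messenger traffic", "Request headers", "User-Agent", "MSMSGS"),
])

# Constructed sample requests. istanbul.fabrikam.com is the lab's Web server;
# the Messenger gateway host name is made up for the example.
BROWSER_REQUEST = (b"GET http://istanbul.fabrikam.com/ HTTP/1.1\r\n"
                   b"Host: istanbul.fabrikam.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n\r\n")
MESSENGER_REQUEST = (b"POST http://gateway.messenger.example.com/gateway.dll HTTP/1.1\r\n"
                     b"Host: gateway.messenger.example.com\r\n"
                     b"User-Agent: MSMSGS\r\n"
                     b"Content-Length: 5\r\n\r\n"
                     b"hello")
LONG_URL_REQUEST = (b"GET http://istanbul.fabrikam.com/" + b"A" * 20000 + b" HTTP/1.1\r\n"
                    b"Host: istanbul.fabrikam.com\r\n\r\n")
MALFORMED_REQUEST = b"GET / HTTP/1.1\r\nNoColonHeader\r\n\r\n"
```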

5. Explore the System Policy Rules in the Firewall Policy.

a. In the left pane, ensure that Firewall Policy is selected.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

Local Host network (ISA Server computer) are shown. These are called System Policy Rules.

Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.

c. In the task pane, on the Tasks tab, click Edit System Policy.

minimal changes to the system policy rules, but you can enable or disable most system policy rules.

d. Click Cancel to close the System Policy Editor dialog box.

e. In the task pane, on the Tasks tab, click Hide System Policy Rules.

Note: The following task is needed to avoid conflicts with other lab exercises.

6. Discard the Allow Web traffic to Internet access rule.

a. In the right pane, click Discard to remove the unsaved Allow Web traffic to Internet access rule.

b. Click Yes to confirm that you want to discard the changes.

Right-click the access rule, click Delete, and then click Apply and OK to delete the access rule again.

Exercise 4

Ease of Use: Monitoring

In this exercise, you will explore how ISA Server uses monitoring.

Note: This lab exercise uses the following computer: Paris

Refer to the beginning of the manual for instructions on how to start this computer. Log on to the computer.

Perform the following steps on the Paris computer.

1. On the Paris computer,

explore the new Monitoring

features in ISA Server

a. On the Paris computer, in the ISA Server console, in the left pane,

expand Paris, and then select Monitoring.

control, investigate, troubleshoot and plan firewall operations.

by summary boxes By clicking the header of a summary box, you can go to the corresponding tab to see more details.

b Select the Alerts tab.

can configure for which types of events ISA Server creates an alert.

c Select the Sessions tab.

Web Proxy client and VPN client sessions You can also disconnect client sessions on this tab.

d Select the Services tab.

service and other related services.

If you enable the ISA Server for VPN connections, then the

Routing and Remote Access service status is also displayed.

For ISA Server 2006 Enterprise Edition, if you enable NLB integration, then

the Network Load Balancing driver status is also displayed.

e Select the Reports tab.

ISA Server activity over time, such as performance and security information You can also create new reports on this tab.

f Select the Connectivity Verifiers tab.

Connectivity Verifiers A connectivity verifier periodically connects from the

ISA Server to a computer that you specify, to test current connectivity by using either an HTTP GET request, a Ping request, or by attempting to establish a TCP connection to a port that you specify ISA Server can use connectivity verifiers to alert you if a network connection fails.

g Select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to

see the Logging tab.

and to view the contents of the log files online.

h In the task pane, on the Tasks tab, click Configure Firewall Logging.

MSDE Database (*.mdf), SQL Database (ODBC) or File (*.w3c, text).

Trang 17

i Click Cancel to close the Firewall Logging Properties dialog box.

Note: The Logging tab also has an Live display mode that allows

you to see the log entries from the ISA Server log files on the screen,

immediately after they are written to the log files If you want to limit the log entries that are displayed to simplify finding specific information in the log files, you can create a filter.

j. Close the ISA Server console


Module B: Configuring Outbound Internet Access

Exercise 1

Allowing Outbound Web Access from Client Computers

In this exercise, you will configure ISA Server to allow outbound Web access for client computers on the internal network.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, test your connectivity by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

b. Look at the bottom of the Web page and view the reason why the Web page cannot be displayed.

denied the specified URL). This is because you have not created any access rules yet.

Default rule. This rule denies all network traffic. This means that ISA Server denies any network traffic that you did not specifically allow in another rule.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule

Name: Allow outbound Web traffic

Applies to: HTTP, HTTPS, FTP

From network: Internal

To network: External

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the right pane, on the Firewall Policy tab, select Default rule.

creating a new rule, to indicate where the new rule is added in the list.

d. In the task pane, on the Tasks tab, click Create Access Rule.

Firewall Policy, click New, and then click Access Rule.

e. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Web traffic, and then click Next.

f. On the Rule Action page, select Allow, and then click Next.

g. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.


The Add Protocols dialog box appears.

h. In the Add Protocols dialog box,

- click Common Protocols, click HTTP, and click Add,

- click HTTPS, and click Add,

- click Web, click FTP, and click Add,

and then click Close to close the Add Protocols dialog box.

headings in the Add Protocols dialog box.

i. On the Protocols page, click Next.

j. On the Access Rule Sources page, click Add.

k. In the Add Network Entities dialog box,

- click Networks, click Internal, and click Add,

and then click Close to close the Add Network Entities dialog box.

l. On the Access Rule Sources page, click Next.

m. On the Access Rule Destinations page, click Add.

n. In the Add Network Entities dialog box,

- click Networks, click External, and click Add,

and then click Close to close the Add Network Entities dialog box.

o. On the Access Rule Destinations page, click Next.

p. On the User Sets page, click Next.

q. On the Completing the New Access Rule Wizard page, click Finish.

and HTTPS protocols from the Internal network to the External network for all users.

3. Apply the changes

a. Click Apply to apply the new rule, and then click OK.

4. Examine the network rule for connectivity between the Internal network and the External network

a. In the left pane, expand Configuration, and then select Networks.

b. In the right pane, on the Network Rules tab, select the rule that defines the connectivity between the Internal network and the External network.

template, the network rule named Internet Access (rule 5) indicates that network traffic between the Internal network and the External network will use NAT.

5. Examine the Web Proxy settings of the Internal network

a. On the Networks tab, right-click Internal, and then click Properties.

b. In the Internal Properties dialog box, select the Web Proxy tab.

listens (on port 8080) for requests from Web Proxy clients on the Internal network.

c. Click Cancel to close the Internal Properties dialog box.

Perform the following steps on the Denver computer.

6. On the Denver computer, test your connectivity again by opening Internet Explorer and

that you created grants access to network traffic to the Istanbul Web server.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. Click Cancel to close the Local Area Network (LAN) Settings dialog box.

e. Click Cancel to close the Internet Options dialog box.

f. Close Internet Explorer.

g. Open a Command Prompt window.

h. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

confirms that you can connect using the FTP protocol.

i. Type Ctrl-C to close the FTP session.

j. If the ftp> prompt appears, type quit, and then press Enter.

k. Close the Command Prompt window.

Perform the following steps on the Paris computer.

7. On the Paris computer, create a new Computer Set rule

d. Click Add, and then click Address Range.

e. In the New Address Range Rule Element dialog box, complete the following information:

- Name: Domain Controllers

- Start Address: 10.1.1.5

- End Address: 10.1.1.8

- Description: DCs on the internal network

and then click OK.

Internal network. The lab only has a single domain controller named Denver (10.1.1.5).

f. Click OK to close the New Computer Set Rule Element dialog box.

8. Create a new access rule

Name: Deny restricted computers

Action: Deny

Applies to: All outbound traffic

From: Restricted Internal Computers

To network: External

a. In the Firewall Policy list, select the Allow outbound Web traffic rule.

b. In the task pane, on the Tasks tab, click Create Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Deny restricted computers, and then click Next.

d. On the Rule Action page, select Deny, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select All outbound traffic, and then click Next.

f. On the Access Rule Sources page, click Add.

g. In the Add Network Entities dialog box,

- click Computer Sets, click Restricted Internal Computers, and click Add,

and then click Close to close the Add Network Entities dialog box.

h. On the Access Rule Sources page, click Next.

i. On the Access Rule Destinations page, click Add.

j. In the Add Network Entities dialog box,

- click Networks, click External, and click Add,

and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Destinations page, click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Access Rule Wizard page, click Finish.


A new firewall policy rule is created that denies all network traffic from the computers in the Restricted Internal Computers set to the External network.

The new rule is listed first in the firewall policy rule list.

n. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Denver computer.

9. On the Denver computer, test your connectivity again by opening Internet Explorer and attempting to connect to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Error). ISA Server denies access to the Istanbul Web site, because Denver (10.1.1.5) is in the Restricted Internal Computers set and is denied access by the new access rule.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

10. On the Paris computer, move the Allow outbound Web traffic rule before the Deny restricted computers rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Allow outbound Web traffic rule (order 2), and then click Move Up.

the Deny restricted computers rule (order 2).

c. Click Apply to save the changes, and then click OK.

Perform the following steps on the Denver computer.

11. On the Denver computer, test your connectivity again by opening Internet Explorer and connecting to http://istanbul.fabrikam.com.

a. On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Firewall Policy list contains a rule that denies access from the Denver (10.1.1.5) computer.

Note: To evaluate access, ISA Server follows the Firewall Policy rule order very strictly. Currently the Allow rule for Web traffic from Denver is listed before the Deny rule for all protocols from Denver.

b. Close Internet Explorer.

Perform the following steps on the Paris computer.

12. On the Paris computer, delete the Deny restricted computers access rule.

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, right-click the Deny restricted computers rule, and then click Delete.

c. Click Yes to confirm that you want to delete the rule.

d. Click Apply to save the changes, and then click OK.
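The rule-order behaviour observed in steps 9 through 11, as an added example that is not part of the lab manual: a small Python evaluator that applies the first-match semantics of the Firewall Policy to the Allow outbound Web traffic and Deny restricted computers rules, with the Default rule denying whatever no rule matched. The Internal address range and the address standing in for istanbul.fabrikam.com are assumptions; the lab only gives Denver as 10.1.1.5 and the ISA Server's addresses as 10.1.1.1 and 39.1.1.1.

```python
"""Added example (not code from the lab manual): a minimal first-match
evaluator that mimics how ISA Server 2006 walks the Firewall Policy rule
list, using the rules and network objects built in this exercise."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, Optional, Tuple

ALL_OUTBOUND = None  # "All outbound traffic" on the Protocols page

# Address ranges behind the lab's network objects. The Internal range is an
# assumption; 10.1.1.1 and 39.1.1.1 are the ISA Server's own addresses as
# used in the manual; the computer set is the one created in step 7.
ADDRESS_RANGES = {
    "Internal": [("10.1.1.0", "10.1.1.255")],
    "Local Host": [("10.1.1.1", "10.1.1.1"), ("39.1.1.1", "39.1.1.1")],
    "Restricted Internal Computers": [("10.1.1.5", "10.1.1.8")],
}


def in_entity(ip, name):
    """True if ip belongs to the named network or computer set. As in ISA
    Server, External is every address not in another defined network."""
    if name == "External":
        return not (in_entity(ip, "Internal") or in_entity(ip, "Local Host"))
    return any(ip_address(lo) <= ip <= ip_address(hi)
               for lo, hi in ADDRESS_RANGES[name])


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                          # "Allow" or "Deny"
    protocols: Optional[FrozenSet[str]]  # None means all outbound traffic
    sources: Tuple[str, ...]             # networks or computer sets
    destinations: Tuple[str, ...]

    def matches(self, src, dst, protocol):
        return ((self.protocols is None or protocol in self.protocols)
                and any(in_entity(src, s) for s in self.sources)
                and any(in_entity(dst, d) for d in self.destinations))


def evaluate(policy, src, dst, protocol):
    """Walk the ordered rule list; the first matching rule decides.
    No match means the implicit Default rule applies: Deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(src, dst, protocol):
            return rule.action, rule.name
    return "Deny", "Default rule"


# The two access rules from steps 2 and 8 of the exercise.
ALLOW_WEB = AccessRule("Allow outbound Web traffic", "Allow",
                       frozenset({"HTTP", "HTTPS", "FTP"}),
                       ("Internal",), ("External",))
DENY_RESTRICTED = AccessRule("Deny restricted computers", "Deny",
                             ALL_OUTBOUND,
                             ("Restricted Internal Computers",), ("External",))

DENVER = "10.1.1.5"
ISTANBUL = "39.1.1.20"  # placeholder for istanbul.fabrikam.com (not given in the lab)


def walk_through_exercise():
    """Reproduce the outcomes the lab observes at steps 1, 6, 9 and 11,
    plus two cases the lab does not test."""
    return {
        # step 1: no rules yet, so only the Default rule applies
        "step1_no_rules": evaluate([], DENVER, ISTANBUL, "HTTP"),
        # step 6: the Allow rule covers HTTP, but no other protocol
        "step6_http": evaluate([ALLOW_WEB], DENVER, ISTANBUL, "HTTP"),
        "step6_ping": evaluate([ALLOW_WEB], DENVER, ISTANBUL, "PING"),
        # step 9: the Deny rule is listed first, so Denver is blocked
        "step9_deny_first": evaluate([DENY_RESTRICTED, ALLOW_WEB],
                                     DENVER, ISTANBUL, "HTTP"),
        # step 11: after Move Up the Allow rule matches before the Deny rule
        "step11_allow_first": evaluate([ALLOW_WEB, DENY_RESTRICTED],
                                       DENVER, ISTANBUL, "HTTP"),
        # a host outside the computer set never matches the Deny rule
        "other_host_deny_first": evaluate([DENY_RESTRICTED, ALLOW_WEB],
                                          "10.1.1.20", ISTANBUL, "HTTP"),
        # the Allow rule does not cover PING, so the Deny rule still catches it
        "step11_ping": evaluate([ALLOW_WEB, DENY_RESTRICTED],
                                DENVER, ISTANBUL, "PING"),
    }


if __name__ == "__main__":
    for case, (action, rule) in walk_through_exercise().items():
        print(f"{case:24s} {action:5s} by {rule}")
```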


Exercise 2

Enabling the Use of the Ping command from Client Computers

In this exercise, you will configure ISA Server to allow ICMP network traffic, used by the Ping command, from client computers on the internal network.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

not allow outgoing ping requests (ICMP type 8 packets) from computers on the internal network to the Internet.

c. Close the Command Prompt window.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new access rule

Name: Allow outbound Ping traffic

Applies to: PING

From network: Internal

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow outbound Ping traffic, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box,

- click Common Protocols, click PING, and click Add,

and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box,

- click Networks, click Internal, and click Add,

and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box,

- click Networks, click External, and click Add,

and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

ICMP type 8, from the Internal network to the External network for all users.


q. Click Apply to apply the new rule, and then click OK.

3. Examine the PING protocol definition

a. In the task pane, on the Toolbox tab, in the Protocols section, expand Common Protocols, right-click PING, and then click Properties.

b. In the PING Properties dialog box, select the Parameters tab.

Note: A protocol definition for a firewall policy rule can use protocols other than TCP (IP protocol 6) or UDP (IP protocol 17).

c. Click Cancel to close the PING Properties dialog box.

Perform the following steps on the Denver computer.

4. On the Denver computer, use the Ping command to test connectivity with istanbul.fabrikam.com again.

a. On the Denver computer, open a Command Prompt window.

b. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

ISA Server allows outgoing echo requests from the computers on the internal network to the Internet.

Note: All firewall policy rules are stateful. This means that a single rule allows the request and the corresponding reply to the sender.

c. Close the Command Prompt window.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, use the Ping command to test connectivity with the ISA Server

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping 39.1.1.1, and then press Enter.

incoming ping requests from computers on the Internet. The Allow outbound Ping traffic access rule only allows replies to earlier outgoing ping requests to come from the Internet.

c. Close the Command Prompt window.


Exercise 3

Allowing Outbound Access from the ISA Server

In this exercise, you will configure ISA Server to allow outbound access from the ISA Server computer.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, test your connectivity by attempting to establish an FTP session with istanbul.fabrikam.com.

a. On the Paris computer, open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

("Host is unreachable"). By default, ISA Server does not allow an FTP connection from the ISA Server to the Internet.

c. At the ftp> prompt, type quit, and then press Enter.

d. Close the Command Prompt window.

2. Create a new access rule

Name: Allow FTP from firewall

Applies to: FTP

From network: Local Host

To network: External

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow FTP from firewall, and then click Next.

e. On the Rule Action page, click Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box,

- click Web, click FTP, and click Add,

and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box,

- click Networks, click Local Host, and click Add,

and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box,

- click Networks, click External, and click Add,

and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

from the ISA Server to the External network for all users.

q. Click Apply to apply the new rule, and then click OK.


3. Test your connectivity again by establishing an FTP session with istanbul.fabrikam.com.

a. Open a Command Prompt window.

b. At the command prompt, type ftp istanbul.fabrikam.com, and then press Enter.

confirms that you can connect using the FTP protocol.

c. Type Ctrl-C to close the FTP session.

d. If the ftp> prompt appears, type quit, and then press Enter.

Note: ISA Server uses firewall policy rules to define access between any defined network, including traffic that starts or ends at the ISA Server computer itself (Local Host network).

e. Close the Command Prompt window.

4. Show the System Policy Rules in the Firewall Policy

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Show System Policy Rules.

Local Host network are shown. These are called System Policy Rules.

Note: ISA Server 2006 Enterprise Edition has four more system policy rules (31 to 34), which specifically apply to traffic to and from ISA Server arrays.

5. Test your connectivity by opening Internet Explorer and

a. Open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com, and then press Enter.

Forbidden - ISA Server denied the specified URL).

b. Close Internet Explorer.

access (HTTP) from the ISA Server (Local Host). However, rules 23, 26 and 30 only apply to specific destinations (watson.microsoft.com, microsoft.com, windows.com, windowsupdate.com and remote management computers), and rules 18, 19 and 29 are disabled, unless updated certificate revocation lists (CRLs) are downloaded (18), HTTP connectivity verifiers for monitoring are created (19), or scheduled download jobs are defined (29).

the Istanbul Web server, then you have to create a new access rule.

c. Open a Command Prompt window.

d. At the command prompt, type ping istanbul.fabrikam.com, and then press Enter.

f. Close the Command Prompt window.

all networks.

6. Hide the System Policy Rules in the Firewall Policy

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the task pane, on the Tasks tab, click Hide System Policy Rules.

c. Close the ISA Server console.


Exercise 4

Configuring ISA Server 2006 for Flood Resiliency

In this exercise, you will configure ISA Server to block a large number of TCP connections from the same IP address.

Note: This exercise applies to new functionality in ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, examine the flood mitigation settings

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, in the left pane, expand Paris, expand Configuration, and then select General.

c. In the right pane, under Additional Security Policy, click Configure Flood Mitigation Settings.

three different kinds of attacks:

- Worm propagation - A computer on the internal network starts sending out network packets to different IP addresses on the Internet.

- TCP denial-of-service attack - An attacker sends out TCP packets in order to use up all the resources at the firewall, or at a server behind the firewall.

- HTTP denial-of-service attack - A computer on the internal network sends a very large number of HTTP requests over the same connection.

limits the number of connections, connection requests, and half-open connections per minute, or per rule, from a particular IP address.

d. In the Flood Mitigation dialog box, on the Flood Mitigation tab, click the second Edit button.

160 concurrent TCP connections from the same IP address. There is also a custom limit (400) that applies to a set of exception IP addresses.

e. Click Cancel to close the Flood Mitigation Settings dialog box.

f. In the Flood Mitigation dialog box, select the IP Exceptions tab.

limit applies.

2. Disable the logging of network traffic blocked by flood mitigation settings

a. In the Flood Mitigation dialog box, select the Flood Mitigation tab.

b. Clear the Log traffic blocked by flood mitigation settings check box.

after the flood mitigation settings have blocked an attack, you can disable the logging of those blocked network connections.

c. Click OK to close the Flood Mitigation dialog box.

3. Create a new access rule

Name: Allow Web access (Flood)

Applies to: HTTP

From network: Internal

To network: External

a. In the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Create Access Rule.

d. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow Web access (Flood), and then click Next.

e. On the Rule Action page, select Allow, and then click Next.

f. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

g. In the Add Protocols dialog box,

- click Common Protocols, click HTTP, click Add,

and then click Close to close the Add Protocols dialog box.

h. On the Protocols page, click Next.

i. On the Access Rule Sources page, click Add.

j. In the Add Network Entities dialog box,

- click Networks, click Internal, click Add,

and then click Close to close the Add Network Entities dialog box.

k. On the Access Rule Sources page, click Next.

l. On the Access Rule Destinations page, click Add.

m. In the Add Network Entities dialog box,

- click Networks, click External, click Add,

and then click Close to close the Add Network Entities dialog box.

n. On the Access Rule Destinations page, click Next.

o. On the User Sets page, click Next.

p. On the Completing the New Access Rule Wizard page, click Finish.

from the Internal network to the External network.

4. Apply the changes

a. Click Apply to apply the changes, and then click OK.

Perform the following steps on the Denver computer.

5. On the Denver computer, configure Internet Explorer not to use a proxy server

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

d. In the Local Area Network (LAN) Settings dialog box, clear the Use a proxy server for your LAN check box, and then click OK.

HTTP connections to the ISA Server use the same connection to the Web Proxy TCP port 8080. In this exercise, you use two Internet Explorer windows, which should count as two separate connections.

e. Click OK to close the Internet Options dialog box.

6. Use Internet Explorer to connect to http://istanbul.fabrikam.com/web.asp

a. In Internet Explorer, in the Address bar, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

Istanbul. This is a single TCP connection from the Denver computer.

b. Do not close Internet Explorer.

7. Use the C:\Tools\tcpflooder.vbs tool to create 200 concurrent TCP connections

a. Use Windows Explorer (or My Computer) to open the C:\Tools folder.

attempts to set up 200 connections to IP addresses 42.1.0.0 through 42.1.19.9.

Note: By default, ISA Server allows a maximum of 160 concurrent TCP connections from the same IP address.

b. Right-click tcpflooder.vbs, and then click Open.

c. Click Yes to confirm that you want to start TCP Flooder.

200 TCP connections.


Note: The IP addresses on the 42.1.0.0 network do not exist in the lab environment, but Denver will set up a maximum of 160 TCP connections with ISA Server. ISA Server blocks the remaining 40 TCP connections.

d. Press OK to acknowledge that 200 TCP connections are created.

e. Close the Tools folder.

8. In Internet Explorer, refresh the existing Web page, and attempt to create a second connection to

Server time on the Web page is changed. That is an indication that the page refreshed successfully.

(10.1.1.5), existing connections, such as the one in the Internet Explorer window, can still be used.

b. On the Start menu, click All Programs, and then click Internet Explorer.

c. In Internet Explorer, in the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter.

moments, Internet Explorer displays an error page to indicate that it cannot display the page.

d. Close the Internet Explorer windows.

Note: ISA Server blocks traffic based on the flood mitigation settings for 60 seconds. To avoid the situation where an attacker uses a large number of network packets with a spoofed sender IP address to intentionally block another computer, ISA Server will first complete a TCP three-way handshake to verify that the sender IP address is not spoofed.

Perform the following steps on the Paris computer.

9. On the Paris computer, examine the flooding alert

a. On the Paris computer, in the ISA Server console, in the left pane, select Monitoring.

b. In the right pane, select the Alerts tab.

c. In the task pane, on the Tasks tab, click Refresh Now.

d. In the alert list, expand the Concurrent TCP Connections from One IP Address Limit Exceeded alert, and then select the alert line below that.

identifies which IP address (10.1.1.5) exceeded the configured limit of concurrent TCP connections. This information allows you to further investigate the cause of the high number of connection attempts.

10. Configure the log viewer

a. In the right pane, select the Logging tab.

Note: You may (temporarily) need to close the task pane in order to see the Logging tab.

b. In the task pane, on the Tasks tab, click Edit Filter.

c. In the Edit Filter dialog box, in the conditions list, select the Log Time - Live condition.

d. In the Condition drop-down list box, select Last Hour, and then click Update.

e. Complete the following information:

- Filter by: Client IP

- Condition: Equals

- Value: 10.1.1.5

and then click Add To List.

f. Complete the following information:

- Filter by: Destination IP


- Condition: Greater or Equal

- Value: 42.1.0.0

and then click Add To List.

g. Click Start Query to close the Edit Filter dialog box.

10.1.1.5 to the 42.1.0.0 network from the last hour. The most recent log entry is listed first.

h. Scroll to the top of the list of log entries.

address that is close to 42.1.15.9. That is exactly 160 concurrent TCP connections. The last IP address may be a little lower if ISA Server had existing connections, or a little higher if ISA Server had already closed a few TCP connections.

configured Flood Mitigation to not log traffic that is blocked by the flood mitigation settings (all connections to IP addresses close to 42.1.16.0 through 42.1.19.9).
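The filter built in step 10 and the 160-connection limit examined in step 1, as an added example that is not code from the lab manual: Python that applies the same Log Time, Client IP and Destination IP conditions to firewall log lines and checks each client against the flood mitigation limit (160 by default, 400 for IP exceptions). The tab-separated field layout is an assumption, a simplification rather than the real W3C firewall log format, and the log lines are constructed to match the 200 connections from step 7.

```python
"""Added example (not code from the lab manual): apply the step 10 log viewer
filter to constructed ISA-style firewall log lines and compare each client's
connection count with the flood mitigation limit."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed, simplified field layout (not the real W3C firewall log format).
FIELDS = ("date", "time", "client_ip", "dest_ip", "dest_port", "protocol", "action")
DEFAULT_LIMIT = 160     # default concurrent TCP connections from one IP address
EXCEPTION_LIMIT = 400   # custom limit for addresses on the IP Exceptions tab
NOW = datetime(2006, 10, 1, 12, 0, 0)  # constructed "current time" for Last Hour


def _line(ts, client, dst, action):
    return "\t".join((ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
                      client, dst, "80", "TCP", action))


def build_sample_log():
    """Constructed log: Denver (10.1.1.5) opens 200 connections to 42.1.0.0
    through 42.1.19.9 as in step 7. The first 160 are allowed and the last 40
    denied; the denied ones appear here as they would if 'Log traffic blocked
    by flood mitigation settings' had stayed enabled."""
    start = NOW - timedelta(minutes=5)
    targets = [f"42.1.{x}.{y}" for x in range(20) for y in range(10)]
    lines = []
    for i, dst in enumerate(targets):
        action = "Initiated Connection" if i < DEFAULT_LIMIT else "Denied Connection"
        lines.append(_line(start + timedelta(seconds=i), "10.1.1.5", dst, action))
    # Noise: three connections from another client within the hour, and one
    # entry from Denver that is two hours old and must fail the Log Time filter.
    for i in range(3):
        lines.append(_line(NOW - timedelta(minutes=2 - i), "10.1.1.20",
                           f"39.1.1.{10 + i}", "Initiated Connection"))
    lines.append(_line(NOW - timedelta(hours=2), "10.1.1.5", "42.1.0.0",
                       "Initiated Connection"))
    return "\n".join(lines)


def parse_log(text):
    """Parse the tab-separated lines into dicts with a datetime under 'when'."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        entries.append(rec)
    return entries


def apply_filter(entries, now=NOW, client_ip="10.1.1.5", dest_min="42.1.0.0"):
    """The step 10 filter: Log Time Last Hour, Client IP Equals, Destination IP
    Greater or Equal. client_ip=None matches any client."""
    since = now - timedelta(hours=1)
    lo = ip_address(dest_min)
    hits = [e for e in entries
            if since <= e["when"] <= now
            and (client_ip is None or e["client_ip"] == client_ip)
            and ip_address(e["dest_ip"]) >= lo]
    hits.sort(key=lambda e: e["when"], reverse=True)  # newest first, like the viewer
    return hits


def allowed_and_blocked(hits):
    """Highest destination that was allowed, and the range that was denied."""
    allowed = [e["dest_ip"] for e in hits if e["action"] == "Initiated Connection"]
    denied = [e["dest_ip"] for e in hits if e["action"] == "Denied Connection"]
    last_allowed = max(allowed, key=ip_address) if allowed else None
    denied_range = ((min(denied, key=ip_address), max(denied, key=ip_address))
                    if denied else None)
    return last_allowed, denied_range


def check_limits(entries, exceptions=frozenset()):
    """Count the connections ISA Server let through per client IP and flag every
    client that reached its limit, which is where flood mitigation engages."""
    counts = defaultdict(int)
    for e in entries:
        if e["action"] == "Initiated Connection":
            counts[e["client_ip"]] += 1
    return {ip: (n, n >= (EXCEPTION_LIMIT if ip in exceptions else DEFAULT_LIMIT))
            for ip, n in counts.items()}


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    hits = apply_filter(log)
    print(len(hits), "entries match the step 10 filter")
    print("last allowed / denied range:", allowed_and_blocked(hits))
    for ip, (n, over) in check_limits(apply_filter(log, client_ip=None,
                                                   dest_min="0.0.0.0")).items():
        print(f"{ip}: {n} connections{' (limit reached)' if over else ''}")
```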

Note: The following tasks are needed to avoid conflicts with other lab exercises.

11. Restore the log viewer filter conditions:

Log Time: Live

Client IP: (remove)

Destination IP: (remove)

a. In the task pane, on the Tasks tab, click Edit Filter.

b. In the Edit Filter dialog box, in the conditions list, select Log Time - Last Hour.

c. In the Condition drop-down list box, select Live, and then click Update.

d. In the conditions list, select the Destination IP condition, and then click Remove.

e. In the conditions list, select the Client IP condition, and then click Remove.

f. Click Start Query to close the dialog box.

g. In the task pane, on the Tasks tab, click Stop Query.

Perform the following steps on the Denver computer.

12. On the Denver computer, configure Internet Explorer to use a proxy server

a. On the Denver computer, open Internet Explorer.

b. In Internet Explorer, on the Tools menu, click Internet Options.

c. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

- Bypass proxy server for local address: enable

and then click OK to close the Local Area Network (LAN) Settings dialog box.

e. Click OK to close the Internet Options dialog box.

f. Close Internet Explorer.


Module C: Publishing Web Servers and Other Servers

Exercise 1

Publishing a Web Server in the Internal Network

In this exercise, you will configure ISA Server to publish a Web server on the internal network to client computers on the Internet.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul

Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, create a new Web listener

Name: External Web 80

SSL: disable

Network: External

Compression: disable

Authentication: none

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

d. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type External Web 80, and then click Next.

e. On the Client Connection Security page, select Do not require SSL secured connections with clients, and then click Next.

f. On the Web Listener IP Addresses page, complete the following information:

- Listen on network: External

- ISA Server will compress content: disable

and then click Next.

g. On the Authentication Settings page, in the drop-down list box, select No Authentication, and then click Next.

h. On the Single Sign On Settings page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish.

the External network) with the name External Web 80 is created.

j. Click Apply to save the changes, and then click OK.

2. Examine the effect of the Web listener definition on the listening ports

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.

":80". Currently the ISA Server does NOT listen on port 80. The creation of the Web listener definition did not change the listener configuration of the firewall yet.


Note: The displayed line with port 8080 on the internal IP address

10.1.1.1, is the opened Web Proxy port for client computers on the Internal network.

The last column lists the process ID of the process that listens on the port.

c. Close the Command Prompt window

3. Create a Web publishing rule
Name: Web Home Page (on Denver)
Publishing type: single Web site
Internal site name: denver.contoso.com

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule, or select Default rule if no other rule exists, to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.
(Alternatively, right-click Firewall Policy, click New, and then click Web Site Publishing Rule.)

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Web Home Page (on Denver), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
• Internal site name: denver.contoso.com
• Use a computer name or IP address: disable (is default)
and then click Next.

i. On the next Internal Publishing Details page, complete the following information:
• Path: (leave empty)
• Forward the original host header: disable (is default)
and then click Next.

j. On the Public Name Details page, complete the following information:
• Accept requests for: This domain name (type below):
• Public name: www.contoso.com
• Path: (leave empty)
and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.
Note: If no suitable Web listener exists yet when you run the New Web Publishing Rule Wizard, you can click the New button and create a new Web listener definition from the Select Web Listener page.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created that publishes the Web site at denver.contoso.com (10.1.1.5) as www.contoso.com on the External network.

o. Click Apply to apply the new rule, and then click OK.

4. Examine the effect of the Web publishing rule on the listening ports

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":80", and then press Enter.
Now the process with process ID nnnn (last column) listens on the external IP address 39.1.1.1 on port 80.

c. At the command prompt, type tasklist /svc | find "nnnn", and then press Enter. (Replace nnnn with the actual process ID displayed in the output of the previous step.)
The process with process ID nnnn has image name wspsrv.exe and hosts the Microsoft Firewall service (fwsrv).

d. Close the Command Prompt window.

Note: For performance reasons, all Web publishing rules, server publishing rules, and all outgoing Web access, Firewall client and SecureNAT client traffic is handled by the Microsoft Firewall service (wspsrv.exe). In earlier versions of ISA Server, multiple different services were responsible for this traffic.
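The netstat and tasklist correlation that steps 2 and 4 above (and step 2 of Exercise 2) perform by hand, written up as an added Python example; it is not part of the lab manual or of ISA Server. The two command outputs are constructed samples shaped like `netstat -ano` and `tasklist /svc` on Paris after the Web publishing rule is applied, and the process IDs are made up. The point of automating the check is the same as in the lab: confirm that the only process listening on the external address on port 80 is the Microsoft Firewall service, and that IIS on the ISA Server computer is on a different port.

```python
"""Correlate `netstat -ano` listening sockets with `tasklist /svc` process owners.

Added example for this lab (not ISA Server code). The sample outputs below are
constructed; the PIDs 1724, 2260 and 1212 are made up for the example.
"""
import re
from typing import Dict, List

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.1.1:8080          0.0.0.0:0              LISTENING       1724
  TCP    39.1.1.1:80            0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       2260
  TCP    39.1.1.1:80            200.1.1.7:1055         ESTABLISHED     1724
  UDP    10.1.1.1:53            *:*                                    1212
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
wspsrv.exe                    1724 fwsrv
svchost.exe                   2260 W3SVC
dns.exe                       1212 DNS
"""

# One tasklist row: image name (may contain spaces), PID, comma-separated services
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.+)$")


def parse_listening_sockets(netstat_text: str) -> List[Dict]:
    """Return TCP sockets in LISTENING state as {local_ip, port, pid} dicts."""
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns: Proto, Local, Foreign, State, PID; UDP rows have 4
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local_ip, port = fields[1].rsplit(":", 1)
        sockets.append({"local_ip": local_ip, "port": int(port), "pid": int(fields[4])})
    return sockets


def parse_tasklist(tasklist_text: str) -> Dict[int, Dict]:
    """Map PID -> {image, services}; header and separator rows carry no PID and are skipped."""
    processes = {}
    for line in tasklist_text.splitlines():
        match = TASKLIST_ROW.match(line.strip())
        if not match:
            continue
        services = [s.strip() for s in match.group("services").split(",")]
        processes[int(match.group("pid"))] = {
            "image": match.group("image").strip(),
            "services": [] if services == ["N/A"] else services,
        }
    return processes


def listeners_on_port(netstat_text: str, tasklist_text: str, port: int) -> List[Dict]:
    """Join both outputs: who listens on `port`, on which address, hosting which service."""
    processes = parse_tasklist(tasklist_text)
    rows = []
    for sock in parse_listening_sockets(netstat_text):
        if sock["port"] != port:
            continue
        owner = processes.get(sock["pid"], {"image": "?", "services": []})
        rows.append({"local_ip": sock["local_ip"], "pid": sock["pid"],
                     "image": owner["image"], "services": owner["services"]})
    return rows


def port_owned_only_by(netstat_text: str, tasklist_text: str, port: int, service: str) -> bool:
    """True when every listener on `port` belongs to `service` (e.g. fwsrv on port 80)."""
    rows = listeners_on_port(netstat_text, tasklist_text, port)
    return bool(rows) and all(service in r["services"] for r in rows)


if __name__ == "__main__":
    for row in listeners_on_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 80):
        print(row)
    print("port 80 owned by fwsrv only:", port_owned_only_by(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 80, "fwsrv"))
```

On a real Paris computer the two texts would come from running the commands and capturing their output; the parser only looks at LISTENING rows, so the ESTABLISHED client connection in the sample is ignored, as it should be for a listener check.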

5. Examine the network rule for connectivity between the External network and the Internal network
As defined by the network template, the network rule named Internet Access (rule 5) indicates that ISA Server will use NAT for network traffic from the Internal network to the External network.
Because the published Web traffic (from Istanbul on the External network to Denver on the Internal network) goes against the NAT direction, you need to create a publishing rule to allow this network traffic.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, verify that www.contoso.com resolves to 39.1.1.1.

a. On the Istanbul computer, open a Command Prompt window.

b. At the command prompt, type ping www.contoso.com, and then press Enter.
The name www.contoso.com resolves to the external IP address of Paris, 39.1.1.1 (ISA Server does not reply to the ping request).

c. Close the Command Prompt window.

7. Connect to the published Web server on www.contoso.com, and attempt to connect to 39.1.1.1.

a. Open Internet Explorer. In the Address box, type http://www.contoso.com, and then press Enter.
ISA Server successfully published the Denver home page as www.contoso.com on the External network (Internet).

b. In the Address box, type http://39.1.1.1, and then press Enter.
The request fails with error code 403 (Forbidden - The server denied the specified URL).
The Web publishing rule only applies when the request uses the public name www.contoso.com, not when using the IP address 39.1.1.1 directly.

Perform the following steps on the Paris computer.

8. On the Paris computer, add the 39.1.1.1 public name to the Web Home Page (on Denver) Web publishing rule

a. On the Paris computer, in the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the Web Home Page (on Denver) Web publishing rule.

c. In the task pane, on the Tasks tab, click Edit Selected Rule.

d. In the Web Home Page (on Denver) Properties dialog box, on the Public Name tab, click Add.

e. In the Public Name dialog box, type 39.1.1.1, and then click OK.
The Public Name tab now lists both www.contoso.com and 39.1.1.1.

f. Click OK to close the Web Home Page (on Denver) Properties dialog box.

g. Click Apply to apply the changed rule, and then click OK.

Perform the following steps on the Istanbul computer.

9. On the Istanbul computer, connect to the published Web server on 39.1.1.1.

a. On the Istanbul computer, in Internet Explorer, ensure that http://39.1.1.1 is in the Address box, and then click the Refresh button.
ISA Server successfully published the Denver home page as www.contoso.com and 39.1.1.1 on the External network (Internet).

b. Close Internet Explorer.

Exercise 2
Publishing the Web Server on the ISA Server Computer

In this exercise, you will configure ISA Server to publish a Web server on the ISA Server to client computers on the Internet.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Paris computer.

1. On the Paris computer, configure the default Web site to use port 81, and then start the Web site

a. On the Paris computer, on the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. In the IIS Manager console, expand PARIS (local computer), expand Web Sites, right-click Default Web Site (Stopped), and then click Properties.

c. In the Default Web Site (Stopped) Properties dialog box, on the Web Site tab, in the TCP port text box, type 81, and then click OK.
Because ISA Server itself uses port 80 for publishing Web sites (and publishing automatic discovery information for Web clients), the Web site on the ISA Server computer must be changed to another port.

d. Right-click Default Web Site (Stopped), and then click Start.

e. Close the IIS Manager console.

2. Examine the effect of starting the default Web site on the listening ports

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find ":81", and then press Enter.
The process with process ID mmmm (last column) listens on all IP addresses (0.0.0.0) on port 81.

c. At the command prompt, type tasklist /svc | find "mmmm", and then press Enter. (Replace mmmm with the actual process ID displayed in the output of the previous step.)
The process with process ID mmmm hosts the World Wide Web Publishing Service (W3SVC), which is part of IIS, and now listens on port 81.

d. Close the Command Prompt window.

3. Create a Web publishing rule
Name: Products Web Site (on Paris)
Publishing type: single Web site
Internal site name: Paris
IP address: 10.1.1.1

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Products Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
• Internal site name: Paris
• Use a computer name or IP address: enable
• Computer name or IP address: 10.1.1.1
and then click Next.
Note: After completing the wizard, the destination TCP port of the rule can be set to 81.

i. On the next Internal Publishing Details page, complete the following information:
• Path: (leave empty)
• Forward the original host header: disable (is default)
and then click Next.

j. On the Public Name Details page, complete the following information:
• Accept requests for: This domain name (type below):
• Public name: www.contoso.com
• Path: products
and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created that publishes the Web site at 10.1.1.1 (Paris) as www.contoso.com/products on the External network.

o. In the right pane, select the Products Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Products Web Site (on Paris) Properties dialog box, select the Paths tab.
The Paths tab shows that the rule translates the path in the public name (/products) to the root of a Web site (/).

q. Select the Listener tab.

r. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
ISA Server now redirects requests for www.contoso.com/products (port 80) to 10.1.1.1 (port 81).

s. Click OK to close the Products Web Site (on Paris) Properties dialog box.
The Products Web Site (on Paris) and Web Home Page (on Denver) Web publishing rules share the same Web listener named External Web 80. The public name that is used in the incoming Web requests determines which Web publishing rule applies.
Because the public name of the Web Home Page (on Denver) rule (www.contoso.com) is a superset of the public name of the Products Web Site (on Paris) rule (www.contoso.com/products), it is important that the Products Web Site (on Paris) rule (currently order 1) is listed before the Web Home Page (on Denver) rule (currently order 2).

t. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

4. On the Istanbul computer, connect to the published Web servers on www.contoso.com/products and www.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/products, and then press Enter.
ISA Server successfully published the Paris home page as www.contoso.com/products on the External network.

b. In the Address box, type http://www.contoso.com, and then press Enter.
This result confirms that ISA Server publishes two Web sites now.

c. Close Internet Explorer.

Perform the following steps on the Paris computer.

5. On the Paris computer, create a Web publishing rule
Name: Public Web Site (on Paris)
Publishing type: single Web site
Internal site name: Paris

c. In the task pane, on the Tasks tab, click Publish Web Sites.

d. In the New Web Publishing Rule Wizard dialog box, in the Web publishing rule name text box, type Public Web Site (on Paris), and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Publishing Type page, select Publish a single Web site, and then click Next.

g. On the Server Connection Security page, select Use non-secured connections to connect to the published Web server, and then click Next.

h. On the Internal Publishing Details page, complete the following information:
• Internal site name: Paris
• Use a computer name or IP address: enable
• Computer name or IP address: 10.1.1.1
and then click Next.

i. On the next Internal Publishing Details page, complete the following information:
• Path: publicweb/*
• Forward the original host header: disable (is default)
and then click Next.

j. On the Public Name Details page, complete the following information:
• Accept requests for: This domain name (type below):
• Public name: public.contoso.com
• Path: (remove /publicweb/*, and leave empty)
and then click Next.

k. On the Select Web Listener page, in the Web listener drop-down list box, select External Web 80, and then click Next.

l. On the Authentication Delegation page, select No delegation, and client cannot authenticate directly, and then click Next.

m. On the User Sets page, click Next.

n. On the Completing the New Web Publishing Rule Wizard page, click Finish.
A new Web publishing rule is created that publishes the Web site at 10.1.1.1/publicweb (Paris) as public.contoso.com on the External network.

o. In the right pane, select the Public Web Site (on Paris) Web publishing rule, and then in the task pane, on the Tasks tab, click Edit Selected Rule.

p. In the Public Web Site (on Paris) Properties dialog box, select the Paths tab.
The Paths tab shows that the rule translates the root of the public Web site (/) to a path (/publicweb) on a Web server. You can also translate a path in the public name to another path on the published Web server.

q. On the Bridging tab, in the Redirect requests to HTTP port text box, type 81.
ISA Server now redirects requests for public.contoso.com (port 80) to 10.1.1.1/publicweb (port 81).

r. Click OK to close the Public Web Site (on Paris) Properties dialog box.

s. Click Apply to apply the new rule, and then click OK.

Perform the following steps on the Istanbul computer.

6. On the Istanbul computer, connect to the published Web servers on public.contoso.com.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://public.contoso.com, and then press Enter.
The page that is displayed is the home page in the /publicweb folder. ISA Server successfully published the Paris home page in the /publicweb folder as public.contoso.com on the External network.

b. Close Internet Explorer.
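How the three Web publishing rules from Exercises 1 and 2 are selected for an incoming request, as an added Python example; it is not ISA Server code and not part of the lab manual. The model keeps only what the lab describes: all three rules share the External Web 80 listener, the public name (host) and path prefix of the request decide which rule applies, the first matching rule in list order wins, and a request that matches no rule is refused with 403, which is what Exercise 1, step 7 shows for http://39.1.1.1 before the public name is added in step 8. The rule order and the ordering problem from step 3 (the www.contoso.com rule being a superset of www.contoso.com/products) are reproduced; the exact matching internals of ISA Server are an assumption of this model.

```python
"""First-match evaluation of Web publishing rules that share one Web listener.

Added example for this lab (not ISA Server code). Hosts, addresses, ports and
rule names are the ones used in Exercises 1 and 2; the matching logic is a
simplified model of what the lab describes.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebPublishingRule:
    name: str
    public_names: List[str]       # Public Name tab: host names or IP addresses accepted
    public_path: str              # Paths tab, external side ("" = whole site)
    internal_host: str            # Internal site name or IP address
    internal_port: int = 80       # Bridging tab: Redirect requests to HTTP port
    internal_path: str = ""       # Paths tab, internal side ("" = site root)
    listener: str = "External Web 80"


@dataclass
class Decision:
    status: int                   # 200 when a rule matched, 403 when none did
    rule: Optional[str] = None
    forwarded_to: Optional[str] = None


def lab_rules() -> List[WebPublishingRule]:
    """Rule list at the end of Exercise 2: the /products rule must precede the www rule."""
    return [
        WebPublishingRule("Products Web Site (on Paris)", ["www.contoso.com"], "products", "10.1.1.1", 81),
        WebPublishingRule("Web Home Page (on Denver)", ["www.contoso.com"], "", "denver.contoso.com", 80),
        # Different public name, so its position relative to the other two does not matter
        WebPublishingRule("Public Web Site (on Paris)", ["public.contoso.com"], "", "10.1.1.1", 81, "publicweb"),
    ]


def rules_after_step_8() -> List[WebPublishingRule]:
    """Same list after Exercise 1, step 8 added 39.1.1.1 as a second public name."""
    rules = lab_rules()
    rules[1].public_names.append("39.1.1.1")
    return rules


def _prefix(path_setting: str) -> str:
    """Normalise a Paths-tab value to "/segment" or "" for the site root."""
    stripped = path_setting.strip("/")
    return "/" + stripped if stripped else ""


def evaluate(rules: List[WebPublishingRule], listener: str, host: str, path: str) -> Decision:
    """Return the first rule accepting (listener, host, path); 403 Forbidden when none does."""
    for rule in rules:
        if rule.listener != listener:
            continue
        if host.lower() not in (n.lower() for n in rule.public_names):
            continue
        public = _prefix(rule.public_path)
        # Prefix must match on a segment boundary: /products matches /products/x, not /productsx
        if public and not (path == public or path.startswith(public + "/")):
            continue
        remainder = path[len(public):] or "/"
        target = f"http://{rule.internal_host}:{rule.internal_port}{_prefix(rule.internal_path)}{remainder}"
        return Decision(200, rule.name, target)
    return Decision(403)


if __name__ == "__main__":
    for host, path in [("www.contoso.com", "/products/"), ("www.contoso.com", "/"),
                       ("public.contoso.com", "/"), ("39.1.1.1", "/")]:
        print(host, path, "->", evaluate(lab_rules(), "External Web 80", host, path))
```

Swapping the first two rules makes every request for www.contoso.com/products land on the Denver rule, which is the ordering mistake the note in step 3 warns about; the evaluation walks the list in order, so the more specific public path has to come first.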


Exercise 3
Performing Link Translation on a Published Web Server

In this exercise, you will configure ISA Server to enable link translation for a published Web site.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Istanbul computer.

1. On the Istanbul computer, connect to the Web page www.contoso.com/links.htm.

a. On the Istanbul computer, open Internet Explorer. In the Address box, type http://www.contoso.com/links.htm, and then press Enter.
This page shows the effect of the Link Translation Filter. The Web Home Page (on Denver) Web publishing rule from an earlier exercise makes the links.htm page available on the External network (Istanbul).
• The first image uses a relative address (pic1.jpg). Internet Explorer automatically adds the current host name (www.contoso.com) to the relative address.
• The second image uses the full name of the Web server computer itself (denver.contoso.com), which ISA Server automatically replaces (translates) with www.contoso.com, so that it can be resolved when the Web server is published on the Internet.
• The link to the third image still uses the internal name (ronsbox) of the Web server computer, and does not resolve correctly on the Internet.

b. Hold the mouse pointer over the Translated link for pic1.jpg URL.
The link shows that the <a href="pic1.jpg"> HTML code was translated to include the entire address that is used in the Address box.

c. Right-click on the displayed image (pic1.jpg), and then click Properties.
ISA Server also translates the <img src="pic1.jpg"> HTML code to include the entire address.

d. Click Cancel to close the Properties dialog box.

e. Do not close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, examine the Link Translation Filter Web filter

a. On the Paris computer, in the ISA Server console, in the left pane, expand Configuration, and then select Add-ins.

b. In the right pane, select the Web Filters tab.
Responses from published Web servers pass through the list of Web filters, including the Link Translation Filter, before they are sent to the client computers.

3. Examine the current link translation mappings for the Web Home Page (on Denver) Web publishing rule

a. In the left pane, select Firewall Policy, and then in the right pane, select the Web Home Page (on Denver) Web publishing rule.
This rule publishes www.contoso.com (and 39.1.1.1) to the Web server on denver.contoso.com.

b. In the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Web Home Page (on Denver) Properties dialog box, select the Link Translation tab.
ISA Server automatically uses the internal site name and the public names of the rule to create link translation mappings (such as "http://denver.contoso.com" to "http://www.contoso.com") to perform link translation for this Web publishing rule. This ensures that the second graphical image (using http://denver.contoso.com) is displayed correctly.

d. On the Link Translation tab, click Mappings.
The dialog box lists the defined link translation mappings for this rule, including the mapping from URL http://denver.contoso.com to URL http://www.contoso.com.

e. Close Internet Explorer.

f. Click Cancel to close the Web Home Page (on Denver) Properties dialog box.

4. Create a global link translation mapping

a. In the left pane, select General.

b. In the right pane, under Global HTTP Policy Settings, click Configure Global Link Translation.

c. In the Link Translation dialog box, select the Global Mappings tab.
The Global Mappings tab lists link translation mappings that apply to all Web publishing rules.

d. On the Global Mappings tab, click Add.

e. In the Add Mapping dialog box, complete the following information:
• Internal URL: http://ronsbox
• Translated URL: http://www.contoso.com
and then click OK.
You can also add a mapping for https://ronsbox, but that is not needed for this exercise.

f. Click OK to close the Link Translation dialog box.

g. Click Apply to save the changes, and then click OK.

Perform the following steps on the Istanbul computer.

5. On the Istanbul computer, refresh the content of the Web page at www.contoso.com/links.htm again, by pressing Ctrl-F5 or Ctrl-Refresh.

a. On the Istanbul computer, in Internet Explorer, ensure that the http://www.contoso.com/links.htm Web page is opened.

b. Hold the Ctrl key, and then click the Refresh button on the toolbar, to refresh the content of the Web page.
The Link Translation Filter on ISA Server has translated the http://ronsbox link that was returned by the Denver Web server for the URL of pic3.jpg, to http://www.contoso.com.

c. Close Internet Explorer.
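The link translation this exercise demonstrates, written up as an added Python example; it is not the ISA Server Link Translation Filter and not part of the lab manual. The HTML body is a constructed stand-in for the lab's links.htm, with the three images arranged exactly as step 1 describes them: a relative pic1.jpg, an absolute http://denver.contoso.com link, and an absolute http://ronsbox link. The rule mapping (internal site name to public name) and the global mapping for http://ronsbox are the two mappings from steps 3 and 4; the function that lists internal names still present after translation is the check an administrator would want before exposing a published site, since any untranslated internal host name is both a broken link for Internet clients and a disclosure of internal naming. How the real filter tokenises the response is an assumption of this model; the example rewrites href and src attributes only.

```python
"""Link translation on an HTML response, modelled on the Link Translation Filter.

Added example for this lab (not ISA Server's filter code). LINKS_HTM is a
constructed stand-in for the lab's links.htm page.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the three images as Exercise 3, step 1 describes them
LINKS_HTM = (
    '<html><body>\n'
    '<a href="pic1.jpg">Translated link for pic1.jpg</a> <img src="pic1.jpg">\n'
    '<img src="http://denver.contoso.com/pic2.jpg">\n'
    '<img src="http://ronsbox/pic3.jpg">\n'
    '</body></html>\n'
)

# Exercise 3, step 4: global mapping that applies to all Web publishing rules
GLOBAL_MAPPINGS = {"http://ronsbox": "http://www.contoso.com"}

# href="..." / src='...' attribute values; the closing quote must match the opening one
_URL_ATTR = re.compile(r"(?P<attr>\b(?:href|src))=(?P<q>[\"'])(?P<url>[^\"']*)(?P=q)", re.IGNORECASE)


def rule_mappings(internal_site_name: str, public_names: List[str]) -> Dict[str, str]:
    """Mapping ISA derives for a rule: internal site name -> the rule's first public name."""
    return {f"http://{internal_site_name}": f"http://{public_names[0]}"}


def translate_links(body: str, mappings: Dict[str, str]) -> str:
    """Rewrite href/src URLs whose origin matches a mapping; the longest internal URL wins."""
    ordered = sorted(mappings.items(), key=lambda kv: len(kv[0]), reverse=True)

    def rewrite(match):
        url = match.group("url")
        for internal, public in ordered:
            # Whole-origin match only: http://ronsbox must not rewrite http://ronsbox2/...
            if url.lower() == internal.lower() or url.lower().startswith(internal.lower() + "/"):
                url = public + url[len(internal):]
                break
        return f'{match.group("attr")}={match.group("q")}{url}{match.group("q")}'

    return _URL_ATTR.sub(rewrite, body)


def leaked_internal_links(body: str, internal_hosts: List[str]) -> List[str]:
    """URLs in a (translated) body that still name an internal host; empty when translation is complete."""
    hosts = {h.lower() for h in internal_hosts}
    leaks = []
    for match in _URL_ATTR.finditer(body):
        host = urlsplit(match.group("url")).hostname   # None for relative links such as pic1.jpg
        if host and host.lower() in hosts:
            leaks.append(match.group("url"))
    return leaks


if __name__ == "__main__":
    per_rule = rule_mappings("denver.contoso.com", ["www.contoso.com", "39.1.1.1"])
    print(translate_links(LINKS_HTM, per_rule))                        # pic3 still points to ronsbox
    print(translate_links(LINKS_HTM, {**per_rule, **GLOBAL_MAPPINGS}))  # all three resolve publicly
```

With only the per-rule mapping, the output still carries http://ronsbox for pic3.jpg, which is the state seen in step 1; adding the global mapping from step 4 clears the last leak, which is what the Ctrl-F5 refresh in step 5 shows.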


Exercise 4
Using Cross-Site Link Translation to Publish SharePoint Server

In this exercise, you will configure ISA Server to publish a SharePoint Server. The portal Web site contains links to other Web servers. By using cross-site link translation, you can access the links from the published portal Web site.

Note: This exercise applies to new functionality in ISA Server 2006.

Note: This lab exercise uses the following computers: Denver - Paris - Istanbul. Refer to the beginning of the manual for instructions on how to start the computers. Log on to the computers.

Perform the following steps on the Denver computer.

1. On the Denver computer, connect to http://portal, and examine the links on the Project-D Portal Web site

a. On the Denver computer, open Internet Explorer. In the Address box, type http://portal, and then press Enter.
The Project-D Portal Web site opens, which runs on Denver on IP address 10.1.1.10.

b. In the portal Web site, under Shared Documents, move the mouse pointer over Agenda (do not click).
The link points to a document on http://portal.

c. Click Agenda.

d. In the File Download dialog box, click Open to confirm that you want to open the Agenda.doc file.

e. Close WordPad.

f. In the portal Web site, under Links, move the mouse pointer over Research Web Site (do not click).
The link points to http://server1. The portal Web site links to other Web servers on the internal network.

g. Click Research Web Site.
The Research Web Site is displayed, a Web site running on Denver on IP address 10.1.1.21.

h. On the toolbar, click the Back button.

i. Close Internet Explorer.

Perform the following steps on the Paris computer.

2. On the Paris computer, create a new Web listener
Name: External Web 80
SSL: disable
Network: External

a. On the Paris computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

b. In the ISA Server console, expand Paris, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners (if possible).

Posted: 25/05/2020, 10:16