Contents
Overview 1
Access Policy and Rules Overview 2
Configuring Access Policies and Rules 18
Using ISA Server Authentication 28
Lab A: Enabling Secure Internet Access 35
Review 52
Module 3: Enabling Secure Internet Access
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure access policies for enabling secure Internet access for client computers.
After completing this module, students will be able to:
Explain the use of access policies and rules to enable Internet access
Create policy elements
Configure access policies and rules
Configure bandwidth rules
Explain the use of authentication for outgoing Web requests
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the Microsoft® PowerPoint® file 2159A_03.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the lab.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and provide the answers.
Read “Configuring Policy Elements,” “Configuring Access Policy,” and “Configuring Bandwidth” in ISA Server Help.
Presentation:
50 Minutes
Lab:
60 Minutes
Module Strategy
Use the following strategy to present this module:
Access Policies and Rules Overview: Describe the components of access policies. Use the slide graphic to explain how Microsoft Internet Security and Acceleration (ISA) Server 2000 processes outgoing Web requests. Focus on protocol rules and site and content rules. Mention that Internet Protocol (IP) packet filters and routing rules are covered in later modules. Emphasize the importance of proper planning before creating the rules for access policies.
Creating Policy Elements: Explain that before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules. Describe each policy element.
Configuring Access Policies and Rules: Explain that proper planning helps to ensure that you configure rules that are appropriate for your organization. Emphasize that ISA Server processes Web requests only if a protocol rule permits the use of the protocol and a site and content rule allows access to the site. Demonstrate the procedure that you use to create a protocol rule to show students how protocol rules use policy elements. Demonstrate the procedure that you use to create a site and content rule to show students how site and content rules use policy elements.
Configuring Bandwidth Rules: Explain that ISA Server uses bandwidth rules to determine how to process client requests when your network is congested. Mention that ISA Server only applies bandwidth rules when there is insufficient bandwidth to process all of the user requests. Demonstrate the procedure that you use to create a bandwidth rule to show students how bandwidth rules use policy elements.
Using ISA Server Authentication: Explain that the way that you configure authentication for ISA Server depends on the type of client. Mention that requiring authentication for all Web Proxy clients enables you to configure access rules that are based on users and group membership. Mention that authentication also enables you to include information about user Web activity in ISA Server logs. Describe the types of authentication that are available for each type of client. Describe the types of authentication that ISA Server supports. Explain the use of listeners and the procedures that you use to configure authentication.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Install the Firewall Client manually.
Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured on all of the student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• A schedule that is called x High Network Utilization (where x is the student’s assigned student number)
• A destination set that is called x Contoso Sports Site (where x is the student’s assigned student number)
• A client address set that is called x Accounting Department (where x is the student’s assigned student number)
• A protocol definition that is called x LoB Application (where x is the student’s assigned student number)
• A content group that is called x New Graphics Format (where x is the student’s assigned student number)
• A bandwidth priority that is called x High Priority (where x is the student’s assigned student number)
The following protocol rules are created on the ISA Server computer for each student:
• A protocol rule that is called x Allow HTTP, HTTP-S, and FTP (where x is the student’s assigned student number)
• A protocol rule that is called x Allow Access to LoB Application (where x is the student’s assigned student number)
The following site and content rules are created on the ISA Server computer for each student:
• A site and content rule that is called x Deny Access to Sports Site (where x is the student’s assigned student number)
• A site and content rule that is called x Deny Access to Pictures (where x is the student’s assigned student number)
A bandwidth rule that is called x High Priority for Microsoft Windows Media™ (where x is the student’s assigned student number) is created on the ISA Server computer for each student.
ISA Server is configured for an effective bandwidth of 256 kilobits per second (Kbps).
Authentication for outgoing Web requests uses Basic and Integrated authentication. ISA Server asks unauthorized users for authentication.
Overview
Access Policies and Rules Overview
Creating Policy Elements
Configuring Access Policies and Rules
Configuring Bandwidth Rules
Using ISA Server Authentication
Microsoft® Internet Security and Acceleration (ISA) Server provides policy-based access control that enables organizations to securely control outbound access. Network administrators can configure access policies to specify which content and sites are accessible, whether a particular protocol is available for outgoing Internet requests, and during which times access is allowed. In addition, network administrators can configure authentication to restrict access on a per-user basis or on a per-group basis.
After completing this module, you will be able to:
Explain the use of access policies and rules to enable Internet access
Create policy elements
Configure access policies and rules
Configure bandwidth rules
Explain the use of authentication for outgoing Web requests
In this module, you will learn about configuring access policies to enable secure Internet access for client computers.
Access Policy and Rules Overview
Understanding Access Policy Components
Processing Outgoing Client Requests
Planning an Access Policy Strategy
One of the primary functions of ISA Server is connecting your internal network to the Internet while implementing your organization’s policies that define the type of Internet access that you allow. By creating an access policy and associated rules, you can allow or deny users access to specific protocols, Internet sites, and content. When ISA Server processes an outgoing request, it uses the access policy to determine if access should be allowed or denied. It is important to plan a strategy before creating an access policy to ensure that the rules that you create meet the needs of your organization.
Topic Objective: To list the topics related to access policies and rules.
Lead-in: One of the primary functions of ISA Server is connecting your internal network to the Internet while protecting your internal users from inappropriate or malicious content.
Understanding Access Policy Components
[Slide graphic: an access policy is made up of protocol rules and site and content rules; each rule is built from policy elements and results in Allow or Deny.]
An access policy consists of the following components:
communicate between the internal network and the Internet
Proxy clients are allowed or denied access
you can create policy elements that define a schedule or a specific type of content
Processing Outgoing Client Requests
[Slide flowchart for a request from a client, with the decisions: Is there a protocol rule that denies the request? Is there a site and content rule that denies the request? Is there a protocol rule that allows the request? Is there a site and content rule that allows the request? Does a routing rule specify routing to an upstream server? (Yes: route to upstream server.)]
When ISA Server processes an outgoing client request, it checks protocol rules and site and content rules to determine if access is allowed. A request is allowed only if both a protocol rule and a site and content rule each allow the request and if there is no rule that explicitly denies the request.
ISA Server also controls Internet traffic based on Internet Protocol (IP) packet filters and routing rules. For more information about IP packet filters and routing rules, see Module 6, “Configuring the Firewall,” and Module 9, “Configuring ISA Server for the Enterprise,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
When you install ISA Server as a stand-alone server, a site and content rule named "Allow Rule" allows access to all content on all sites by default.
However, because ISA Server contains no protocol rules by default, no traffic is allowed to pass until you define at least one protocol rule.
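The decision rule just described, as an added example written for this page (not ISA Server code): a small Python model in which an explicit deny by either kind of rule wins, and otherwise a protocol rule and a site and content rule must both allow the request. Rule matching is reduced to a protocol name and a destination host name; the host sports.contoso.msft is a constructed value, and standalone_default_policy() reproduces the stand-alone installation state described above (the built-in Allow Rule present, no protocol rules).

```python
# Added example (not ISA Server code): a model of the decision that the text
# describes for outgoing client requests. Rule matching is reduced to a
# protocol name and a destination host name; real rules use policy elements.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    protocol: str       # protocol the client is using, e.g. "HTTP"
    destination: str    # host name the client asked for


@dataclass
class ProtocolRule:
    name: str
    action: str                             # "allow" or "deny"
    protocols: Optional[List[str]] = None   # None = applies to all protocols

    def matches(self, req: Request) -> bool:
        return self.protocols is None or req.protocol in self.protocols


@dataclass
class SiteContentRule:
    name: str
    action: str                                 # "allow" or "deny"
    destinations: Optional[List[str]] = None    # None = all destinations

    def matches(self, req: Request) -> bool:
        return self.destinations is None or req.destination in self.destinations


@dataclass
class AccessPolicy:
    protocol_rules: List[ProtocolRule] = field(default_factory=list)
    site_content_rules: List[SiteContentRule] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request.

        Order follows the text: an explicit deny by either kind of rule wins;
        otherwise a protocol rule AND a site and content rule must both allow.
        """
        for rule in [*self.protocol_rules, *self.site_content_rules]:
            if rule.action == "deny" and rule.matches(req):
                return False, f"explicitly denied by rule '{rule.name}'"
        proto = next((r for r in self.protocol_rules
                      if r.action == "allow" and r.matches(req)), None)
        if proto is None:
            return False, f"no protocol rule allows {req.protocol}"
        site = next((r for r in self.site_content_rules
                     if r.action == "allow" and r.matches(req)), None)
        if site is None:
            return False, f"no site and content rule allows {req.destination}"
        return True, f"allowed by '{proto.name}' and '{site.name}'"


def standalone_default_policy() -> AccessPolicy:
    """Policy right after a stand-alone installation, as the text describes
    it: the built-in 'Allow Rule' site and content rule exists, but no
    protocol rule does, so nothing passes yet."""
    return AccessPolicy(site_content_rules=[SiteContentRule("Allow Rule", "allow")])


if __name__ == "__main__":
    policy = standalone_default_policy()
    req = Request("HTTP", "www.contoso.msft")
    print(policy.evaluate(req))   # denied: no protocol rule yet
    policy.protocol_rules.append(ProtocolRule("Allow HTTP", "allow", ["HTTP"]))
    print(policy.evaluate(req))   # allowed by both rules
    # Constructed host name standing in for the sports site denied in the lab.
    policy.site_content_rules.append(
        SiteContentRule("Deny Access to Sports Site", "deny", ["sports.contoso.msft"]))
    print(policy.evaluate(Request("HTTP", "sports.contoso.msft")))  # denied
```

The order of the checks is what matters for a reviewer: adding an allow rule never overrides a deny, and an allow on one axis (protocol or site) is never sufficient on its own.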
Topic Objective: To describe the process that ISA Server uses to process outgoing client requests.
Lead-in: When ISA Server processes an outgoing client request, it checks protocol rules and site and content rules to determine if access is allowed.
Delivery Tip: Use the slide graphic to explain how ISA Server processes outgoing client requests. Focus on protocol rules and site and content rules. Mention that IP packet filters and routing rules are covered in later modules.
Key Points: By default, a site and content rule named "Allow Rule" allows access to all content on all sites.
Planning an Access Policy Strategy
Determine Organizational Requirements
Define Rules
Create Policy Elements
Create Rules by Using Policy Elements
Test Rules
You should perform the following tasks when planning an access policy strategy:
Determine your organization’s requirements based on your business needs
Because an access policy should be consistent with business needs, it is important to identify your business needs before you create an access policy. For example, one of your business needs may include giving users access to a supplier’s Web site.
Define the rules that are needed
You define rules to implement your organization’s access policy. For example, you can create a rule to grant access for all employees to the www.contoso.msft Web site during business hours.
Create policy elements
Rules require policy elements, which are the building blocks that you use to create rules. For example, you can create a policy element that defines specific computers or directories at www.contoso.msft.
Create rules that use the policy elements
When you create rules, you use policy elements to define the rules.
Test rules
Ensure that the rules allow the required access for your users, without providing more access than necessary. Ensure that you test all of the rules before allowing users to gain access to the Internet.
Topic Objective: To identify the tasks that you must perform to plan an access policy strategy.
Lead-in: You should perform the following tasks when planning an access policy strategy.
Delivery Tip: Emphasize the importance of proper planning before creating the rules for an access policy.
Creating Policy Elements
Policy Element Overview
Creating Schedules
Creating Bandwidth Priorities
Creating Destination Sets
Creating Client Address Sets
Creating Protocol Definitions
Creating Content Groups
Policy elements are the components that you use to create ISA Server rules. Policy elements give you more control to define users, locations, bandwidth allocation, specific protocols, and types of content in policy rules. ISA Server includes several types of policy elements that you can use to create rules for your access policy.
Policy elements do not define any access policy by themselves. Rather, you use policy elements as components of rules that control access.
Topic Objective: To identify the topics related to creating policy elements.
Lead-in: Policy elements are the components that you use to create ISA Server rules.
Policy Element Overview
Policy Elements Can Include:
Before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules. ISA Server policy elements can include:
can allocate to different types of network traffic. You use bandwidth priorities in bandwidth rules that determine which connection gets priority over others to allocate available network bandwidth.
computers. For access policy rules, destination sets are computers that are not on the internal network.
using an IP address or range of IP addresses. For access policy rules, client address sets are computers on the internal network.
clients can use to communicate with other computers.
extensions.
Internet. The dial-up entry includes the name of the network dial-up connection that is configured for the remote access server and the user name and password for a user who has permissions to gain access to the dial-up connection.
Topic Objective: To describe the policy elements that are available in ISA Server.
Lead-in: Before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules.
Key Points: Before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules. Emphasize that policy elements are the building blocks of rules.
Creating Schedules
[Screen shot: New schedule dialog box. Set the activation times for rules that are based on this schedule; the grid covers each hour of Sunday through Saturday. Click Active to add portions of the week, or click Inactive to remove portions of the week.]
Use schedules to create rules that apply separate access policies during different times of the day or the week. For example, you can create a schedule to use in a rule for an access policy that allows access to the Internet during the lunch hour only.
3 In the Description box, type a description for the schedule.
4 In the schedule table, click a cell, day, or hour, or drag multiple cells, to select the specified times.
5 To modify the schedule, do the following tasks, and then click OK:
• Click Active to add portions of the week to the schedule.
• Click Inactive to remove portions of the week from the schedule.
When a blue cell appears, the rule is in effect during that period; when a white cell appears, the rule is not in effect during that period.
By default, ISA Server contains the Weekends schedule and the Work hours schedule, which you can modify for use in policy rules.
Topic Objective: To describe the procedure that you use to create schedules.
Lead-in: You can apply a schedule to a rule to determine when a rule is in effect.
Delivery Tip: Compare the New schedule dialog box to other Windows 2000 schedule dialog boxes, such as the one that you use to define logon hours for users.
Creating Bandwidth Priorities
[Screen shot: New Bandwidth Priority dialog box with Name, Description (optional), Outbound bandwidth (1-200) and Inbound bandwidth (1-200) boxes; example priorities named Basic Priority and High Priority, each described as assigning high priority to incoming traffic.]
Use bandwidth priorities to create bandwidth rules that assign a higher priority to specific traffic that is moving to or from the Internet. For example, you can create a bandwidth rule that assigns a high bandwidth priority to traffic for specific employees or departments. Before you can assign this type of bandwidth rule, you must create the associated bandwidth priorities.
How Bandwidth Priorities Work
Bandwidth priorities assign priorities to connections that pass through ISA Server. Bandwidth priorities are directional and can be controlled for both inbound connections and outbound connections.
When there is limited bandwidth, ISA Server allocates this bandwidth according to bandwidth priorities that you assign to traffic that is processed by ISA Server. You can use a number between 1 and 200 to specify a bandwidth priority. A higher number indicates a higher priority.
When you assign a bandwidth priority, you must assess the impact of that bandwidth priority in relationship to the other bandwidth priorities that you assign. For example, if you assign bandwidth priority A to 30 and you assign bandwidth priority B to 20, ISA Server will allocate 60 percent of the available bandwidth to traffic with bandwidth priority A and will allocate 40 percent of the available bandwidth to traffic with bandwidth priority B when processing bandwidth rules.
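The 30/20 example above, carried through in code as an added illustration (not ISA Server code): bandwidth_shares() turns a set of priorities into percentages, and allocate() applies the shares only when demand exceeds the effective bandwidth, which is when the text says ISA Server applies bandwidth rules. The re-division of a class's unused share among classes that are still short is an assumption of this model; the page states only the proportional split.

```python
# Added example (not ISA Server code): how relative bandwidth priorities
# translate into shares of a congested link, using the 30/20 example from
# the text. Re-splitting a class's unused share is an assumption of this
# model; the page only states the proportional split.
from fractions import Fraction
from typing import Dict

PRIORITY_MIN, PRIORITY_MAX = 1, 200   # range accepted by the New Bandwidth Priority dialog box


def validate_priority(value: int) -> int:
    """Reject priorities outside the 1-200 range the dialog box accepts."""
    if not isinstance(value, int) or not PRIORITY_MIN <= value <= PRIORITY_MAX:
        raise ValueError(f"bandwidth priority must be an integer from "
                         f"{PRIORITY_MIN} to {PRIORITY_MAX}, got {value!r}")
    return value


def bandwidth_shares(priorities: Dict[str, int]) -> Dict[str, float]:
    """Percentage of the available bandwidth each traffic class gets when all
    classes compete: priorities A=30 and B=20 give 60% and 40%."""
    total = sum(validate_priority(v) for v in priorities.values())
    return {name: round(100 * value / total, 2) for name, value in priorities.items()}


def allocate(effective_kbps: int, demand_kbps: Dict[str, int],
             priorities: Dict[str, int]) -> Dict[str, float]:
    """Kbps granted to each traffic class.

    Bandwidth rules only matter when demand exceeds the effective bandwidth
    (256 Kbps in the lab); below that, every class simply gets what it asks
    for. Above it, the link is split by priority, each class is capped at its
    own demand, and (model assumption) what a class cannot use is re-split
    among the classes that are still short.
    """
    for v in priorities.values():
        validate_priority(v)
    if sum(demand_kbps.values()) <= effective_kbps:
        return {name: float(d) for name, d in demand_kbps.items()}

    granted = {name: Fraction(0) for name in demand_kbps}
    short = set(demand_kbps)          # classes whose demand is not yet met
    while short:
        remaining = Fraction(effective_kbps) - sum(granted.values())
        if remaining <= 0:
            break
        weight = sum(priorities[n] for n in short)
        offers = {n: remaining * priorities[n] / weight for n in short}
        for n, offer in offers.items():
            granted[n] += min(offer, demand_kbps[n] - granted[n])
        short = {n for n in short if granted[n] < demand_kbps[n]}
    return {name: float(v) for name, v in granted.items()}


if __name__ == "__main__":
    print(bandwidth_shares({"A": 30, "B": 20}))                    # A 60%, B 40%
    print(allocate(256, {"A": 200, "B": 200}, {"A": 30, "B": 20}))  # 153.6 / 102.4 Kbps
    print(allocate(256, {"A": 100, "B": 100}, {"A": 30, "B": 20}))  # fits: 100 / 100
```

Exact fractions are used internally so that the 60/40 split of 256 Kbps comes out as 153.6 and 102.4 without rounding drift; the numbers are only converted to floats on the way out.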
Topic Objective: To describe the procedure that you use to create bandwidth priorities.
Lead-in: Bandwidth priorities define a priority level for connections that pass through ISA Server.
Delivery Tip: Explain that the numbering system that you use to specify bandwidth priorities is a relative numbering system. The effect of a given number that you use for a bandwidth priority is determined by how it compares to all of the other numbers that you use.
Creating a New Bandwidth Priority
To create a new bandwidth priority:
1 In ISA Management, in the console tree, right-click Bandwidth Priorities, point to New, and then click Bandwidth Priority.
2 In the New Bandwidth Priority dialog box, in the Name box, type the name of the bandwidth priority.
3 In the Description box, type a description of the bandwidth priority.
4 Do the following tasks, and then click OK:
• To define the bandwidth priority for outbound traffic, in the Outbound bandwidth box, type a number between 1 and 200.
• To define the bandwidth priority for inbound traffic, in the Inbound bandwidth box, type a number between 1 and 200.
Creating Destination Sets
[Screen shot: New Destination Set dialog box for a set named Partner Web, with a Description (optional) box and an "Include these computers" list of Name/IP Range and Path entries. To include all the files, use this format: /dir/*. To select a specific file, use this format: /dir/filename.]
Use destination sets to create rules that allow or deny access to one or more computers. For example, you can create a destination set that includes the Web sites of business partners and then allow access to this destination set. You can specify destination sets by using a domain name or by using a range of IP addresses. You can also allow or deny access to specific directories on a computer. Other rules, such as bandwidth rules, also use destination sets.
To create a new destination set:
1 In ISA Management, in the console tree, click Destination Sets, and then in the details pane, click Create a Destination Set.
2 In the New Destination Set dialog box, in the Name box, type a name for the destination set.
3 In the Description box, type a description for the destination set.
4 Click Add, and then in the Add/Edit Destination dialog box, do one of the following:
If specifying a computer or domain name: Click Destination, and then type the computer name or click Browse to select a computer on your network. To add all of the computers in a domain, type *.domain (where domain is the name of your domain). For example, to add all of the computers in the contoso.msft domain, you would type *.contoso.msft.
If specifying an IP address: Click IP addresses. In the From box, type the first IP address in the range, and then in the To box, type the last IP address in the range. To include a single computer, type the same IP address in the From box and in the To box.
Topic Objective: To describe the procedure that you use to create destination sets.
Lead-in: You can specify destination sets by using a domain name or by using a range of IP addresses.
5 To specify a particular path on a Web site, in the Path box, type the path of the specified computer by using the format listed in the following table, and then click OK twice:
All of the files in a directory: /dir/*
A specific file in a directory: /dir/filename
ISA Server processes path components of a rule for only client requests that use the Hypertext Transfer Protocol (HTTP) protocol and for only Web Proxy client requests that use the File Transfer Protocol (FTP) protocol. ISA Server ignores the path component of a destination set when processing any other client requests but still evaluates the computer and IP address components of any applicable destination set, independent of the protocol that the client uses. For more information, see “Site and content rules” in ISA Server Help.
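A matcher that follows the destination set rules described above, as an added example (not ISA Server code): *.domain for a whole domain, an IP address range, and a path in /dir/* or /dir/filename form that is evaluated only for HTTP requests and for Web Proxy client FTP requests, while the computer and IP address parts always apply. The sample set SPORTS_SITE and the client_type values "webproxy" and "firewall" are constructed; treating the bare domain name as outside *.domain, and treating /dir/* as covering subdirectories, are assumptions of this model.

```python
# Added example (not ISA Server code): a matcher for destination sets as the
# text describes them: a computer or domain name (*.domain for a whole
# domain), an IP address range, and an optional path that ISA Server only
# evaluates for HTTP requests and for Web Proxy client FTP requests.
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Destination:
    name: Optional[str] = None      # "www.contoso.msft" or "*.contoso.msft"
    ip_from: Optional[str] = None   # first address of a range
    ip_to: Optional[str] = None     # last address (same as ip_from for one host)
    path: Optional[str] = None      # "/dir/*" (all files) or "/dir/filename"


def path_is_evaluated(protocol: str, client_type: str) -> bool:
    """Per the text: the path counts only for HTTP requests from any client
    and for FTP requests from Web Proxy clients (client_type "webproxy" is a
    constructed label)."""
    protocol = protocol.upper()
    return protocol == "HTTP" or (protocol == "FTP" and client_type == "webproxy")


def name_matches(pattern: str, host: str) -> bool:
    """'*.contoso.msft' matches hosts under the domain; a plain name must be
    equal. Treating the bare domain name as NOT matching the wildcard is an
    assumption of this model, not something the text states."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # requires the ".contoso.msft" suffix
    return host == pattern


def ip_in_range(ip_from: str, ip_to: str, host: str) -> bool:
    """True when host is an IP literal inside the range (no DNS lookups here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # a host name, not an address
    lo, hi = ipaddress.ip_address(ip_from), ipaddress.ip_address(ip_to)
    if addr.version != lo.version or lo.version != hi.version:
        return False
    return lo <= addr <= hi


def destination_matches(dest: Destination, protocol: str, client_type: str,
                        host: str, path: str) -> bool:
    # The computer/IP part of a destination is always evaluated...
    if dest.name is not None:
        if not name_matches(dest.name, host):
            return False
    elif dest.ip_from is not None and dest.ip_to is not None:
        if not ip_in_range(dest.ip_from, dest.ip_to, host):
            return False
    else:
        return False            # a destination with neither part matches nothing
    # ...while the path part only counts for some request types.
    if dest.path is None or not path_is_evaluated(protocol, client_type):
        return True
    return fnmatchcase(path, dest.path)   # "/dir/*" covers subdirectories here (model assumption)


def destination_set_matches(dset: List[Destination], protocol: str,
                            client_type: str, host: str, path: str = "/") -> bool:
    """A set matches when any one of its destinations matches the request."""
    return any(destination_matches(d, protocol, client_type, host, path) for d in dset)


# Constructed sample set: everything under /sports/ on any contoso.msft host,
# plus one address range that matches regardless of path.
SPORTS_SITE = [
    Destination(name="*.contoso.msft", path="/sports/*"),
    Destination(ip_from="192.168.101.0", ip_to="192.168.101.255"),
]

if __name__ == "__main__":
    print(destination_set_matches(SPORTS_SITE, "HTTP", "webproxy", "www.contoso.msft", "/sports/scores.htm"))  # True
    print(destination_set_matches(SPORTS_SITE, "FTP", "firewall", "www.contoso.msft", "/news/index.htm"))    # True: path ignored
    print(destination_set_matches(SPORTS_SITE, "FTP", "webproxy", "www.contoso.msft", "/news/index.htm"))    # False
```

The FTP cases are the ones worth testing when you build a deny rule on a path: for a Firewall client FTP request the path is ignored, so the deny applies to the whole host, while for a Web Proxy client FTP request it is limited to the path.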
Delivery Tip: Emphasize that ISA Server processes the path component for only certain types of client requests, but it processes the remainder of a destination set for all client requests.
Creating Client Address Sets
[Screen shot: Add/Edit IP Addresses dialog box for client set IP addresses, From: 192.168.101.0 To: 192.168.101.255.]
Use client address sets to create rules that allow or deny access to outgoing Web requests from a single computer or from a set of computers. Other rules, such as bandwidth rules, also use client address sets.
To create a client address set:
1 In ISA Management, in the console tree, click Client Address Sets, and then in the details pane, click Create a Client Set.
2 In the Client Set dialog box, in the Name box, type a name for the client
6 Click OK twice.
Although you can use the Open Windows’ User Manager button on the Configure Client Address Sets taskpad to create or modify Microsoft Windows® 2000 security groups on the ISA Server computer, the security groups are separate policy elements from the client address sets.
Topic Objective: To describe the procedure that you use to create client address sets.
Lead-in: Use client address sets to apply a policy rule to outgoing Web requests from a single computer or from a set of computers.
Creating Protocol Definitions
Type a number between 1 and 65535 to specify the port number.
Protocol definitions define the communications parameters that a protocol uses. You use protocol definitions to create rules that allow or deny access based on specific protocols. ISA Server includes many predefined protocol definitions for the most popular protocols. If you use a protocol for which ISA Server does not contain a definition, you can create a new protocol definition for that protocol.
You can create protocol definitions for only the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) protocols. To control network traffic that uses any other protocol types, such as the Internet Control Message Protocol (ICMP), you must create packet filters. For more information about packet filters, see Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Protocol Definition Overview
Before you create a new protocol definition, you must know how the protocol works. This knowledge includes the port number that a protocol uses, the protocol type, and the direction of the connection. Generally, you obtain port information from an application vendor or from a protocol specification, such as a Request for Comments (RFC).
The Internet Assigned Numbers Authority (IANA) maintains a registry of assigned protocol and port numbers. For more information, see the IANA Web site at http://www.iana.org/numbers.htm.
Topic Objective: To describe the procedure that you use to create protocol definitions.
Lead-in: Use protocol definitions to create policy rules that control access based on specific protocols.
Delivery Tip: Emphasize that ISA Server contains more than 80 predefined policy definitions. Before creating a new policy definition, students should always check carefully for a
Emphasize that knowledge about the protocol is crucial when creating protocol definitions.
Primary Connections
Protocols use at least one port during a session. When you define a protocol definition, you must specify which port the protocol uses to establish the session. This port is the primary connection. For example, the Simple Mail Transfer Protocol (SMTP) uses TCP port 25 for a client connection to a mail server. To create a protocol definition for SMTP, you must specify a primary connection that uses TCP port 25 for outgoing connections.
Secondary Connections
Some protocols use multiple ports during the same session. When creating a protocol definition for this type of protocol, you must define one or more secondary connections in addition to the primary connection. For example, the FTP protocol uses TCP port 21 for a client to establish an initial connection with a server and then, by default, the FTP server uses TCP port 20 for a connection to the client to transfer data. To create a protocol definition for the FTP protocol, in addition to configuring a primary connection that uses TCP port 21 for an outgoing connection, you must configure a secondary connection that uses TCP port 20 for incoming connections.
Before deleting a protocol definition that you created, always ensure that no rules use that protocol definition. If a rule uses a protocol definition that you delete, ISA Server will not start. In addition, you cannot modify or delete built-in protocol definitions or the protocol definitions that are defined by application filters. For more information about protocol definitions and application filters and for a list of protocol definitions included with ISA Server, see “Configuring protocol definitions” in ISA Server Help.
Creating a New Protocol Definition
To create a new protocol definition:
1 In ISA Management, in the console tree, right-click Protocol Definitions, and then in the details pane, click Create a Protocol Definition.
2 In the New Protocol Definition Wizard, in the Name box, type the name of the protocol definition, and then click Next.
3 On the Primary Connection Information page, specify a port number between 1 and 65535 that the protocol uses for the initial connection. Specify the protocol type, which is TCP or UDP. Specify the direction:
• Outbound (TCP only): An internal computer establishes the connection.
• Inbound (TCP only): An external computer establishes the connection.
• Send (UDP only): An internal computer sends packets without expecting the external host to reply by using the same connection.
• Send/Receive (UDP only): An internal computer sends packets and expects the external host to reply by using the same connection.
• Receive (UDP only): An external computer sends packets without expecting the internal host to reply by using the same connection.
• Receive/Send (UDP only): An external computer sends packets and expects the internal host to reply by using the same connection.
Delivery Tip: Point out that the settings for direction are different for the TCP protocol and the UDP protocol. This difference is because UDP is a connectionless protocol and TCP is a connection-oriented protocol.
4. On the Secondary Connections page, specify whether to use secondary connection settings. If the protocol that you are defining uses secondary connections, for each secondary connection, click New, and then specify the port range, protocol type, and the direction of the secondary connection, click OK, and then click Next.
5. On the Completing the New Protocol Definition Wizard page, review your choices, and then click Finish.
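The following is an added example written for this module, not ISA Server code or Microsoft's own tooling. It models what the wizard collects (a primary connection, optional secondary connections, the TCP-only and UDP-only direction settings) using the SMTP and FTP definitions described above, and it implements the check the text calls for before a definition is deleted: refuse the deletion while any rule still refers to it, and never delete a built-in definition. The class and rule names (PolicyElements, "Allow FTP downloads") are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added example (not ISA Server code): a model of protocol definitions with a
# primary connection and optional secondary connections, plus the check that the
# text says to make before deleting a definition (no rule may still use it).

TCP_DIRECTIONS = ("outbound", "inbound")
UDP_DIRECTIONS = ("send", "send/receive", "receive", "receive/send")


@dataclass(frozen=True)
class Connection:
    """A port range, protocol type (TCP or UDP) and direction, as in the wizard."""
    low: int
    high: int
    proto: str
    direction: str

    def __post_init__(self):
        if not 1 <= self.low <= self.high <= 65535:
            raise ValueError("port range must lie within 1-65535")
        if self.proto not in ("TCP", "UDP"):
            raise ValueError("protocol type must be TCP or UDP")
        # TCP is connection-oriented, so it only has inbound/outbound; UDP is
        # connectionless, so its directions say whether a reply is expected.
        valid = TCP_DIRECTIONS if self.proto == "TCP" else UDP_DIRECTIONS
        if self.direction not in valid:
            raise ValueError(f"{self.direction!r} is not a valid {self.proto} direction")

    def covers(self, port, proto, direction):
        return (self.proto == proto and self.direction == direction
                and self.low <= port <= self.high)


@dataclass
class ProtocolDefinition:
    name: str
    primary: Connection                  # the port used to establish the session
    secondary: list = field(default_factory=list)
    built_in: bool = False               # built-in definitions cannot be changed or deleted

    def covers(self, port, proto, direction):
        """True if the flow belongs to this protocol's primary or a secondary connection."""
        return any(c.covers(port, proto, direction) for c in [self.primary, *self.secondary])


class ProtocolInUse(Exception):
    """A rule still refers to the definition; deleting it would break ISA Server startup."""


class PolicyElements:
    """Hypothetical store of protocol definitions and the protocol rules that refer to them."""

    def __init__(self):
        self.definitions = {}
        self.rules = {}          # rule name -> set of protocol definition names

    def add_definition(self, defn):
        self.definitions[defn.name] = defn

    def add_rule(self, rule_name, protocol_names):
        unknown = set(protocol_names) - set(self.definitions)
        if unknown:
            raise KeyError(f"unknown protocol definitions: {sorted(unknown)}")
        self.rules[rule_name] = set(protocol_names)

    def rules_using(self, defn_name):
        return sorted(r for r, protos in self.rules.items() if defn_name in protos)

    def delete_definition(self, defn_name):
        if self.definitions[defn_name].built_in:
            raise PermissionError(f"{defn_name} is a built-in definition")
        users = self.rules_using(defn_name)
        if users:
            raise ProtocolInUse(f"{defn_name} is still used by rules {users}")
        del self.definitions[defn_name]


# The two definitions described in the text: SMTP uses TCP 25 outbound only;
# FTP uses TCP 21 outbound and, by default, TCP 20 inbound for data transfer.
SMTP = ProtocolDefinition("SMTP", Connection(25, 25, "TCP", "outbound"))
FTP = ProtocolDefinition("FTP", Connection(21, 21, "TCP", "outbound"),
                         [Connection(20, 20, "TCP", "inbound")])


def build_store():
    """Constructed sample: both definitions plus one rule (hypothetical name) using FTP."""
    store = PolicyElements()
    store.add_definition(SMTP)
    store.add_definition(FTP)
    store.add_rule("Allow FTP downloads", ["FTP"])
    return store


if __name__ == "__main__":
    store = build_store()
    print("FTP data channel covered:", FTP.covers(20, "TCP", "inbound"))
    try:
        store.delete_definition("FTP")
    except ProtocolInUse as exc:
        print("refused:", exc)
```

Run as a script, the block shows the FTP data channel (TCP 20 inbound) being recognised as part of the FTP definition and the deletion of FTP being refused while the sample rule still references it; removing the rule first makes the deletion succeed.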
Creating Content Groups
ISA Server includes several preconfigured content groups.
[Slide: the ISA Management console with Content Groups selected under Policy Elements for the server LONDON, listing the preconfigured groups Application, Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro Documents, Text, Video, and VRML, each with a description and its MIME types and file extensions (for example, HTML Documents: text/webviewhtml, text/html, .htm, .html, .htt, .stm, .xsl).]
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Content groups define types of Web content. Use content groups to create rules that allow or deny access to Web requests based on the type of content. When you create content groups, you must specify the content's Multipurpose Internet Mail Extensions (MIME) type and file extension. ISA Server uses MIME types when applying rules to HTTP traffic and file extensions when applying rules to FTP traffic. ISA Server includes many predefined content groups. You can also define new content groups when you want to create a rule that is not predefined.
For a list of default MIME types and file extensions, see “Configuring content groups” in ISA Server Help.
To create a content group:
1. In ISA Management, in the console tree, right-click Content Groups, point to New, and then click Content Group.
2. In the New Content Group dialog box, in the Name box, type the name of the content group.
3. In the Description box, type a description for the content group.
4. In the Available Types box, do one of the following:
   • To select an existing content type, select a file extension or a MIME type.
   • To add a new content type, type a new file extension or a MIME type.
5. Click Add, repeat this step for additional content types, and then click OK.
ISA Server uses content groups only when applying rules to HTTP requests from all client types and to FTP requests from Web Proxy clients.
Topic Objective: To describe the procedure that you use to create content groups.
Lead-in: In addition to limiting access to particular destinations, you can apply rules to specific content groups.
Key Points: Explain that ISA Server only uses content groups when applying rules to HTTP requests from all client types and to FTP requests from Web Proxy clients.
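To make the matching rule above concrete, here is an added example (written for this module, not ISA Server code) of a small content-group matcher. It follows the two statements on this page: MIME types classify HTTP traffic and file extensions classify FTP traffic, and FTP traffic is only classified for Web Proxy clients. The group table is a constructed subset of the preconfigured groups shown on the slide, with the "type/*" wildcard form that appears there; the function names are assumptions for the example.

```python
import fnmatch
import posixpath

# Added example (not ISA Server code): a minimal content-group matcher that
# follows the rule stated in the text: MIME types classify HTTP traffic and file
# extensions classify FTP traffic, and FTP is only classified for Web Proxy clients.

# Constructed subset of the preconfigured groups; "type/*" wildcards appear as on the slide.
CONTENT_GROUPS = {
    "HTML Documents": ["text/webviewhtml", "text/html", ".htm", ".html", ".htt", ".stm", ".xsl"],
    "Images": ["image/*", ".gif", ".bmp", ".jpg", ".jpeg", ".ico"],
    "Audio": ["audio/*", ".wav", ".mid", ".mp3"],
    "Compressed Files": ["application/x-gzip", "application/x-tar", ".zip"],
}


def groups_for_mime(mime):
    """Groups whose MIME entries match, ignoring parameters such as '; charset=utf-8'."""
    media = mime.split(";", 1)[0].strip().lower()
    return {name for name, types in CONTENT_GROUPS.items()
            if any("/" in t and fnmatch.fnmatchcase(media, t.lower()) for t in types)}


def groups_for_extension(path):
    """Groups whose extension entries match the file name's extension (case-insensitive)."""
    ext = posixpath.splitext(path)[1].lower()
    if not ext:
        return set()
    return {name for name, types in CONTENT_GROUPS.items()
            if any(t.startswith(".") and t.lower() == ext for t in types)}


def classify(protocol, path, mime, client_type):
    """
    Return the set of content groups a request falls into, or None when ISA
    Server would not apply content groups at all (FTP from non-Web Proxy clients,
    or a protocol other than HTTP and FTP).
    """
    if protocol == "HTTP":
        return groups_for_mime(mime) if mime else set()
    if protocol == "FTP":
        return groups_for_extension(path) if client_type == "Web Proxy" else None
    return None


def rule_applies(rule_groups, request_groups):
    """rule_groups None means 'all content'; otherwise any overlap counts as a match."""
    if request_groups is None:
        # A content-restricted rule cannot match traffic that is never classified.
        return rule_groups is None
    return rule_groups is None or bool(rule_groups & request_groups)


if __name__ == "__main__":
    print(classify("HTTP", "/index.html", "text/html; charset=utf-8", "SecureNAT"))
    print(classify("FTP", "/pub/SONG.MP3", None, "Web Proxy"))
    print(classify("FTP", "/pub/song.mp3", None, "SecureNAT"))
```

Two details worth noticing: the MIME comparison strips parameters such as a charset before matching, and an FTP request from a SecureNAT or Firewall client yields None rather than an empty set, so a rule restricted to particular content groups never matches it while a rule for all content still does.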
Configuring Access Policies and Rules
Planning Access Policies
Creating Protocol Rules
Creating Site and Content Rules
ISA Server access policies and the rules that you use to implement these policies help your organization meet specific security and performance needs. Proper planning helps to ensure that you configure rules that are appropriate for your organization. Rules determine the type of access to grant users for specific sites on the Internet. An access policy can contain protocol rules and site and content rules. In addition, ISA Server uses bandwidth rules to determine which connections get priority.
Lead-in: ISA Server access policies and rules help an organization meet specific security and performance needs.
Planning Access Policies
Gather organizational support.
Before you configure Internet access for clients, you must carefully examine the Internet access requirements of your organization and then implement policies and authentication methods that are based on those requirements. Use the following steps to plan your access policies:
1. Determine the policy structure. The first step in designing an access policy is to determine how you want to structure your access policy:
   • Allow all access with the exception of specific rules that deny access. This policy is best suited for an organization that makes Internet access freely available and that has few reasons to restrict Internet access of any kind by employees.
   • Deny all access except the type of access that you specifically allow. This policy is best suited for an organization that uses the Internet for only a few specific uses.
   Many organizations employ a combination of both types of access policy. For example, an organization may allow access to all Web sites, except for a few selected Web sites, by using the HTTP protocol. The same organization may allow other outgoing Internet traffic by using only a few protocols that have been specifically approved.
2. Gather organizational support. When designing your organization’s access policy, it is recommended that you confer with all relevant decision makers in your organization, including management, human resources, and legal departments.
3. Implement policy. After your access policy is in place, you can configure ISA Server authentication and rules to implement your organization’s requirements. It is recommended that all required components of the policy are in place before you allow Internet access.
4. Evaluate policy. After you have configured your rules, it is important that you periodically review the policy. You must ensure that all rules work together and that they do not conflict with each other.
Topic Objective: To describe the process that is used to plan access policies.
Lead-in: There are four steps in the planning process.
Creating Protocol Rules
Wizard flow: Start, Name the Rule, Specify the Rule Action, Select the Protocol(s), Select a Schedule, Select a Client Type, Finish.
Protocol rules determine the protocols that clients can use to gain access to the Internet. For example, a protocol rule might allow clients to use the HTTP protocol.
ISA Server processes a request for a user to gain access to an Internet site only if a protocol rule permits the use of the protocol and a site and content rule allows access to the site.
To create a protocol rule:
1. In ISA Management, in the console tree, expand Access Policy, click Protocol Rules, and then in the details pane, click Create a Protocol Rule.
2. In the New Protocol Rule Wizard, in the Protocol rule name box, type a name for the protocol rule, and then click Next.
3. On the Rule Action page, click Allow or Deny to specify the rule action, and then click Next.
4. On the Protocols page, click one of the following options, and then click Next:
   • ISA Server allows or denies all IP traffic. For SecureNAT clients, ISA Server allows or denies all traffic that matches an existing protocol definition.
   • … the rule will apply
   • … the rule will not apply
Topic Objective: To describe the key steps that you perform to create protocol rules.
Lead-in: Protocol rules determine the protocols that clients can use to gain access to the Internet.
Key Points: ISA Server processes a request for a user to gain access to an Internet site only if a protocol rule permits the use of the protocol and a site and content rule allows access to the site.
Delivery Tip: Demonstrate the procedure that you use to create a protocol rule to show students how protocol rules use policy elements.
5. On the Schedule page, select a schedule, and then click Next.
6. On the Client Type page, click one of the following options, and then click Next:
   • Specific computers (client address sets). On the Client Sets page, click Add to add client sets. The rule applies to requests from only the computers that belong to the client set that you select.
   • … users and groups. The rule applies to requests from only the users or groups that you select.
7. On the Completing the New Protocol Rule Wizard page, review your choices, and then click Finish.
Disabling and Deleting Protocol Rules
You can disable protocol rules that you are not using. To disable a protocol rule, in the details pane, click the rule, and then on the Action menu, click Disable. To re-enable a rule, click the rule, and then on the Action menu, click Enable. To permanently remove a rule, click the rule, and then click Delete a Protocol Rule.
Creating Site and Content Rules
Wizard flow: Start, Name the Rule, Specify the Rule Action, Select a Destination Set, Select a Schedule, Select a Client Type, Finish.
Site and content rules determine if users or client address sets can gain access to specific content on specific destination sets. For example, a site and content rule might allow a group of users to gain access to any destination on the Internet from any computer in a specific department.
To create a site and content rule:
1. In ISA Management, in the console tree, expand Access Policy, click Site and Content Rules, and then in the details pane, click Create a Site and Content Rule.
2. In the New Site and Content Rule Wizard, in the Site and Content rule name box, type a name for the rule, and then click Next.
3. On the Rule Action page, click Allow or Deny to specify the rule action.
   You can also choose to redirect users to a specific Web page when users attempt to gain access to a prohibited Web site. For example, you can use a Web page to provide information about your organization’s access policies. To redirect users, on the Rule Action page, select the If HTTP request, redirect request to this site check box, and then type the complete URL of the Web page, such as http://www.nwtraders.msft/denied.htm.
Topic Objective: To describe the key steps that you perform to create site and content rules.
Lead-in: Site and content rules determine when users or client address sets can gain access to content on specific destination sets.
Delivery Tip: Demonstrate the procedure that you use to create a site and content rule to show students how site and content rules use policy elements.
4. On the Destination Sets page, select the destination to which the rule applies, perform the associated actions, and then click Next:
   • … then select the previously configured destination set
   • … then select the previously configured destination set
5. On the Completing the New Site and Content Rule Wizard page, review your choices, and then click Finish.
Disabling and Deleting Site and Content Rules
You can disable site and content rules that you are not using. To disable a site and content rule, in the details pane, click the rule, and then on the Action menu, click Disable. To re-enable a rule, click the rule, and then on the Action menu, click Enable. To permanently remove a rule, click the rule, and then click Delete a Site and Content Rule.
Using Content Groups in Site and Content Rules
You cannot add a content type to a site and content rule by using the New Site and Content Rule Wizard.
To add a content group to an existing rule:
1. In ISA Management, in the details pane, click the site and content rule that you want to configure, and then click Configure a Site and Content Rule.
2. In the Properties dialog box for the rule, on the HTTP Content tab, click Selected content groups, select one or more check boxes for the applicable content groups, and then click OK.
Delivery Tip: Explain that your choice on the Destination Sets page determines the other pages that the wizard will display.
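The following added example (written for this module, not ISA Server code) ties together the planning step, the protocol rule procedure and the site and content rule procedure above. It models both rule types with the elements the wizards collect (rule action, protocols, destination sets, content groups, client address sets, users and groups, schedule, and the HTTP redirect page) and applies the rule stated on the protocol rules page: a request is served only if a protocol rule permits the protocol and a site and content rule allows the destination. Two constructed policies illustrate the "allow all except" and "deny all except" structures from the planning step. One assumption is not stated on this page and is labelled in the code: when an Allow rule and a Deny rule both match, Deny wins, and a request that no rule allows is denied. All rule names, hosts and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not ISA Server code): a simplified model of how protocol rules
# and site and content rules combine. Per the text, a request is served only if
# a protocol rule permits the protocol AND a site and content rule allows the
# destination. Assumption not stated on this page: when an Allow rule and a
# Deny rule both match, the Deny rule wins, and traffic no rule allows is denied.


@dataclass(frozen=True)
class Request:
    client_ip: str
    user: str                   # "" when the client did not authenticate
    groups: frozenset
    protocol: str               # protocol definition name, e.g. "HTTP"
    host: str                   # destination
    hour: int                   # 0-23, checked against the rule's schedule
    content_group: str = None   # None when no content group applies


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Allow" or "Deny"
    protocols: frozenset = None       # protocol rules: None = all IP traffic
    destinations: frozenset = None    # site rules: None = any destination
    content_groups: frozenset = None  # site rules: None = all content
    client_sets: tuple = ()           # () = any request, else CIDR strings
    users: frozenset = None           # None = any user, else user or group names
    hours: range = range(0, 24)       # schedule
    redirect: str = None              # page shown instead of a denied HTTP request

    def matches(self, req):
        if self.protocols is not None and req.protocol not in self.protocols:
            return False
        if self.destinations is not None and req.host not in self.destinations:
            return False
        if self.content_groups is not None and req.content_group not in self.content_groups:
            return False
        if self.client_sets and not any(ip_address(req.client_ip) in ip_network(n)
                                        for n in self.client_sets):
            return False
        if self.users is not None and req.user not in self.users and not (req.groups & self.users):
            return False
        return req.hour in self.hours


def decide(rules, req):
    """Deny beats Allow (assumption); with no matching Allow rule the answer is Deny."""
    matched = [r for r in rules if r.matches(req)]
    for action in ("Deny", "Allow"):
        for r in matched:
            if r.action == action:
                return action, r
    return "Deny", None


def evaluate(policy, req):
    """Apply the protocol rules first, then the site and content rules."""
    verdict, rule = decide(policy["protocol_rules"], req)
    if verdict == "Deny":
        return {"allowed": False, "stage": "protocol",
                "rule": rule.name if rule else None, "redirect": None}
    verdict, rule = decide(policy["site_rules"], req)
    if verdict == "Deny":
        # The redirect page only makes sense for an HTTP request.
        redirect = rule.redirect if rule and req.protocol == "HTTP" else None
        return {"allowed": False, "stage": "site",
                "rule": rule.name if rule else None, "redirect": redirect}
    return {"allowed": True, "stage": "site", "rule": rule.name, "redirect": None}


# Constructed sample policies for the two structures named in the planning step.
# "Allow all access except specific rules that deny access":
PERMISSIVE = {
    "protocol_rules": [Rule("Allow all IP traffic", "Allow")],
    "site_rules": [
        Rule("Allow all sites", "Allow"),
        Rule("Deny listed sites", "Deny", destinations=frozenset({"blocked.example"}),
             redirect="http://www.nwtraders.msft/denied.htm"),
    ],
}
# "Deny all access except the type of access that you specifically allow":
RESTRICTIVE = {
    "protocol_rules": [Rule("Allow HTTP for staff in office hours", "Allow",
                            protocols=frozenset({"HTTP"}), users=frozenset({"Staff"}),
                            client_sets=("10.0.0.0/24",), hours=range(8, 18))],
    "site_rules": [Rule("Allow approved site", "Allow",
                        destinations=frozenset({"www.nwtraders.msft"}),
                        content_groups=frozenset({"HTML Documents", "Images"}))],
}

if __name__ == "__main__":
    staff = Request("10.0.0.7", "alice", frozenset({"Staff"}), "HTTP",
                    "www.nwtraders.msft", 10, "HTML Documents")
    print(evaluate(RESTRICTIVE, staff))
    print(evaluate(PERMISSIVE, Request("192.168.1.5", "", frozenset(), "HTTP", "blocked.example", 12)))
```

The result dictionary records which stage produced the verdict, which is useful when reviewing a policy as the fourth planning step asks: a request denied at the protocol stage never reaches the site and content rules, so a site rule that looks wrong may simply never be consulted for that traffic.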