
Document: Module 6: Configuring the Firewall (docx)


DOCUMENT INFORMATION

Basic information

Title: Configuring The Firewall
Instructors: Victoria Fodale, Joern Wettern, Robert Deupree Jr., Greg Bulette, Paul Howard, Lynette Skinner, Stephanie Edmundson, Kristin Elko, Miracle Davis, Jenny Boe, Julie Challenger, Lori Walker, Peter Hendry, Greg Stemp, David Mahlmann, Julie Challenger, Laura King, Kathy Hershey, John Williams, Bo Galford, David Bramble, Teresa Canady, Dean Murray, Robert Stewart
School: Microsoft Corporation
Field: Firewall Configuration
Type: Module
Year published: 2001
City: Redmond
Pages: 52
Size: 1.02 MB


Page 1

Contents

Overview 1
Examining Perimeter Networks 6
Examining Packet Filtering and IP Routing
Configuring Packet Filtering and IP Routing
Configuring Application Filters 24
Lab A: Configuring the Firewall 35
Review 45

Module 6: Configuring the Firewall

Page 2

with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)

Technical Lead: Joern Wettern (Independent Contractor)

Program Manager: Robert Deupree Jr.

Product Manager: Greg Bulette

Lead Product Manager, Web Infrastructure Training Team: Paul Howard

Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner

Graphic Artist: Andrea Heuston (Artitudes Layout & Design)

Editing Manager: Lynette Skinner

Editor: Stephanie Edmundson

Copy Editor: Kristin Elko (S&T Consulting)

Production Manager: Miracle Davis

Production Coordinator: Jenny Boe

Production Tools Specialist: Julie Challenger

Production Support: Lori Walker (S&T Consulting)

Test Manager: Peter Hendry

Courseware Testing: Greg Stemp (S&T OnSite)

Creative Director, Media/Sim Services: David Mahlmann

CD Build Specialist: Julie Challenger

Manufacturing Support: Laura King; Kathy Hershey

Operations Coordinator: John Williams

Lead Product Manager, Release Management: Bo Galford

Group Manager, Business Operations: David Bramble

Group Manager, Technical Services: Teresa Canady

Group Product Manager, Content Development: Dean Murray

General Manager: Robert Stewart

Page 3

Instructor Notes

This module provides students with the knowledge and skills to configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a firewall.

After completing this module, students will be able to:

• Secure the ISA Server computer.
• Explain the use of perimeter networks.
• Explain the use of packet filtering and Internet Protocol (IP) routing.
• Configure packet filtering and IP routing.
• Configure application filters.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_06.ppt.

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Using Packet Filtering,” “Using extensions,” “Internet Security,” “Perimeter Network Scenarios,” and “ISA Server system Security” in ISA Server Help.
• Read Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server.
• Read Module 3, “Enabling Secure Internet Access,” Module 7, “Configuring Access to Internal Resources,” and Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Review RFC 792, “Internet Control Message Protocol,” under Additional Readings on the Trainer Materials compact disc.

Presentation: 75 Minutes

Lab: 30 Minutes

Page 4

Module Strategy

Use the following strategy to present this module:

• Securing the Server. Discuss the best practices for securing computers, explaining that the list in the module is not comprehensive but is meant to be a guideline. Explain that the ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values, and emphasize that ISA Server includes no automatic method of reverting to the original values.

• Examining Perimeter Networks. Briefly describe the use of perimeter networks, which were introduced in Module 1. Ensure that students understand that ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.

• Examining Packet Filtering and IP Routing. Explain that the packet filtering and routing functions of ISA Server provide more enhanced security than the packet filtering and routing functions of the Microsoft Windows® 2000 Routing and Remote Access service. Emphasize that you should use ISA Server, and not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer. Explain that ISA Server treats IP addresses that are in the Local Address Table (LAT) as internal and does not apply packet filters to those addresses. Explain that the decision to use IP routing to support a perimeter network depends on the type of perimeter network.

• Configuring Packet Filtering and IP Routing. Tell students to always confirm that ISA Server does not include a predefined filter before creating a custom IP packet filter.

• Configuring Application Filters. Explain that unlike IP packet filters, which make forwarding decisions based on the header of each IP packet, application filters can examine entire transactions between a client application and a server application. Explain that some functionality of the Simple Mail Transfer Protocol (SMTP) filter depends on the Message Screener component. Mention that the Message Screener is an optional ISA Server component that you usually install on a separate computer on your network. Explain that redirecting Hypertext Transfer Protocol (HTTP) requests improves client performance and allows you to apply site and content rules to Firewall clients and SecureNAT clients. Explain that the H.323 filter enables users who use conferencing applications, such as Microsoft NetMeeting®, to communicate with others over the Internet.

Page 5

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

…of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

…requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

Page 6

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.

Setup Requirement 5

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.

Page 7

Overview

• Securing the Server
• Examining Perimeter Networks
• Examining Packet Filtering and IP Routing
• Configuring Packet Filtering and IP Routing
• Configuring Application Filters

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Microsoft® Internet Security and Acceleration (ISA) Server 2000 includes several security features to help you enforce your security policies. The ISA Server Security Configuration Wizard enables you to set the appropriate level of system security for the operating system. Packet filtering helps prevent unauthorized access to your internal network by inspecting incoming traffic and blocking packets that do not meet your specified security criteria. Internet Protocol (IP) routing allows you to forward network packets according to rules that you define. Application filters control application-specific traffic to determine if network traffic should be accepted, rejected, redirected, or modified.

Important: The packet filtering and routing functions of ISA Server provide more enhanced security than the packet filtering and routing functions of the Microsoft Windows® 2000 Routing and Remote Access service. To provide the most comprehensive security for your internal network, use ISA Server, not the Routing and Remote Access service, to configure packet filtering and routing on an ISA Server computer.

After completing this module, you will be able to:

• Secure the ISA Server computer.
• Explain the use of perimeter networks.
• Explain the use of packet filtering and IP routing.
• Configure packet filtering and IP routing.
• Configure application filters.

In this module, you will learn how to configure ISA Server as a firewall.

Page 8

Securing the Server

• Best Practices
• Setting System Security

ISA Server is an important component of an overall security strategy, but network security consists of many elements. Using security best practices will also help you to secure your network effectively.

ISA Server includes the ISA Server Security Configuration Wizard, which you can use to apply system security settings to a single ISA Server computer or to all of the servers in an array. The ISA Server Security Configuration Wizard uses security templates that are included with Microsoft Windows 2000 Server to configure the operating system for different levels of security. You can set the appropriate level of system security, depending on how ISA Server functions in your network.

Topic Objective: To identify the topics related to securing the ISA Server computer.

Lead-in: ISA Server is an important component of an overall security strategy, but network security consists of many elements.

Page 9

Best Practices

[Slide, partially preserved: Understand the Network Protocols that You Use With ISA Server; Maintain Physical Security]

Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer. The following list presents security best practices to use as guidelines when securing computers in your network, and particularly the ISA Server computer:

• Stay informed about security issues pertaining to Windows 2000 and ISA Server. For security bulletins and other security-related information, see the Microsoft Security Web site at http://www.microsoft.com/security. You may also want to subscribe to security-related mailing lists.

• Install the latest service pack and security updates. Before installing any service packs or updates, test them thoroughly in a lab environment.

• Do not run unnecessary services on the ISA Server computer, and configure ISA Server with rules that allow only required network traffic to pass through the ISA Server computer.

• Audit security-related events and frequently review the associated log files. For more information about Windows 2000 auditing, see Module 9, “Implementing Security in Windows 2000,” in Course 2152, Implementing Microsoft Windows 2000 Professional and Server. For more information about monitoring ISA Server security, see Module 8, “Monitoring and Reporting,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

• Document all aspects of your network configuration. Maintaining documentation helps you to detect intrusion and recover from intrusion incidents.

• Understand the network protocols that you use with ISA Server. A thorough understanding of these protocols will help to ensure that you configure ISA Server properly.

• Maintain physical security. Anyone with physical access to the ISA Server computer can gain complete control of the computer.

Topic Objective: To describe security best practices.

Lead-in: Because the ISA Server computer is often directly connected to the Internet, it is important that you adequately secure that computer.

Delivery Tip: Explain that this list is not comprehensive, but is meant to present guidelines for securing the ISA Server computer.

Page 10

Setting System Security

Security Level      Server Templates    Domain Controller Templates
Dedicated           Hisecws.inf         Hisecdc.inf
Limited Services    Securews.inf        Securedc.inf
Secure              Basicsv.inf         Basicdc.inf

When configuring the security settings of the ISA Server computer, you can use the ISA Server Security Configuration Wizard to increase the security of several components of Windows 2000. Securing the ISA Server computer is especially important when that computer is directly connected to the Internet. You can select from one of the following security levels in the ISA Server Security Configuration Wizard:

• Dedicated. Use this setting when an ISA Server computer is functioning as a dedicated firewall with no other applications.

• Limited Services. Use this setting when the ISA Server computer is functioning as a combined firewall and cache server. An ISA Server computer can also be protected by an additional firewall.

• Secure. Use this setting when the ISA Server computer performs other functions, such as running a Web server, a database server, or a mail server.

Caution: The ISA Server Security Configuration Wizard changes several operating system settings to pre-configured values. To change all of these settings back to the original values, you must document or export the settings before running the wizard and then reconfigure all of the values. ISA Server includes no automatic method of reverting to the original values.

Topic Objective: To describe the security levels that you can set for the ISA Server computer.

Lead-in: There are three security levels that you can apply to an ISA Server computer.

Page 11

Applying Security Templates

The security template that the ISA Server Security Configuration Wizard applies depends on the security setting that you select and the type of computer that you are using.

Note: To run the ISA Server Security Configuration Wizard, the systemroot\security\templates folder must contain the required template. If the required template is missing, the ISA Server Security Configuration Wizard fails to run. To add a missing template, you must copy it from the Microsoft Windows 2000 Server compact disc to the Templates folder on your computer. ISA Server uses the templates listed in the following table.

Security level      For a server    For a domain controller
Dedicated           Hisecws.inf     Hisecdc.inf
Limited Services    Securews.inf    Securedc.inf
Secure              Basicsv.inf     Basicdc.inf

For more information about security templates, see Module 9, "Implementing Security in Windows 2000," in Course 2152, Implementing Microsoft Windows 2000 Professional and Server.

Use the ISA Server Security Configuration Wizard to apply system security settings to an ISA Server computer.

To run the Wizard:

1. In ISA Management, in the console tree, expand your server or array, and then click Computer or Computers.
2. In the details pane, right-click the applicable server, click Secure, and then follow the on-screen instructions to complete the wizard.

Viewing Configuration Changes

When you run the ISA Server Security Configuration Wizard, ISA Server creates a log file of all of the changes. ISA Server names this file securwiz.log and places it in the ISA Server installation directory. You can review this file to see the actions that the wizard performed.

Page 12

Examining Perimeter Networks

• Perimeter Networks
• Three-Homed Perimeter Network

You can deploy ISA Server as a firewall that acts as a secure gateway to the Internet for internal clients. ISA Server protects all of the communication between the internal computers and the Internet. In a simple firewall design, the ISA Server computer has two network interface cards, one connected to the local network and one connected to the Internet. In more complex designs, such as a design that includes a perimeter network with one or more published servers, you may also need to configure the ISA Server computer for IP routing.

You can deploy ISA Server as a dedicated firewall that acts as the secure gateway to the Internet for internal clients.

Page 13

Perimeter Networks

A perimeter network, also known as a DMZ, demilitarized zone, or screened subnet, is a small network that you set up separately from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network, while preventing direct access to the internal network.

Perimeter Network Uses

A perimeter network is commonly used for deploying an organization’s publicly accessible servers, such as e-mail servers and Web servers. Permitting access to the perimeter network does not allow access to other company data that may be available on computers in the internal network. Even if an external user penetrates the perimeter network security, only the perimeter network servers are compromised.

Perimeter Network Configurations

Typically, a perimeter network uses one of the following configurations:

• Back-to-back perimeter network. …computers on either side of the perimeter network to protect the network.

  For more information on how to make server resources in a back-to-back perimeter network available, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

• Three-homed perimeter network. …computer with the perimeter network to protect the internal network. The ISA Server computer is three-homed, which means that it is connected to three networks: the Internet, the perimeter network, and the internal network.

Page 14

Three-Homed Perimeter Network

[Slide figure: ISA Server Computer connected to three networks, with the connections numbered 1, 2, and 3]

In a three-homed perimeter network configuration, a stand-alone ISA Server computer or an array of ISA Server computers connects the Internet, the perimeter network, and the internal network. ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.

Setting Up the ISA Server Computer

To set up an ISA Server computer in a three-homed perimeter network configuration, install and configure each network adapter as follows:

1. Connect one network adapter to the internal network. Include all of the internal IP addresses in the local address table (LAT).
2. Connect the second network adapter to the perimeter network. Do not add the IP addresses of the perimeter network to the LAT.
3. Connect the third network adapter to the Internet. Do not add any IP addresses from the Internet to the LAT.

Note: Placing certain types of servers, especially File Transfer Protocol (FTP) servers, into three-homed perimeter network configurations may create security risks. For more information about these risks, see “Three-homed perimeter network configuration” in ISA Server Help.

…stand-alone ISA Server computer or an array of ISA Server computers connects the Internet, the perimeter network, and the internal network.

Key Point: ISA Server treats both the Internet and the perimeter network as external networks, which requires that you enable IP routing to move network packets between the networks.

Page 15

Configuring the Perimeter Network

The Microsoft Web Proxy service and the network address translation component of the Microsoft Firewall service move network packets only between an internal network and an external network, or vice versa. Because ISA Server treats both the Internet and your perimeter network in a three-homed perimeter network configuration as external networks, you must use IP routing to move network packets between the Internet and the perimeter network.

To set up a three-homed ISA Server computer in a perimeter network, perform the following actions:

• Enable IP routing.
• Enable packet filtering.
• Create the appropriate IP packet filters to allow routing of the correct IP packets to each of the servers in the perimeter network.

For example, to make a Simple Mail Transfer Protocol (SMTP) server on the perimeter network available to users on the Internet, you must enable IP routing and packet filtering. You then need to create an IP packet filter that configures the ISA Server computer to route all of the required packets from the Internet to the mail server.

Delivery Tip: Tell students that IP routing, packet filtering, and IP packet filters will be covered later in this module.

Page 16

Examining Packet Filtering and IP Routing

• Controlling Network Traffic
• Understanding Packet Filtering
• Using IP Routing and Packet Filtering
• Guidelines for Using Packet Filtering and IP Routing

You can control the flow of IP packets to and from the external network interface of an ISA Server computer by using packet filtering and IP routing.

By using packet filtering, you can allow or block IP packets that are destined for the ISA Server computer or for specific computers on your perimeter network or internal network. You can also use packet filtering to block packets that originate from your internal network.

When you enable routing on a Windows 2000 computer, that computer routes all traffic between the Internet and your internal network. In this case, the computer acts as a router, which is a device that connects separate networks by forwarding packets between them.

By enabling both packet filtering and IP routing in ISA Server, you gain the benefits of strict policy enforcement by using packet filters and establish the correct routing behavior for protocols that use secondary network connections after establishing a primary connection.

Important: You can enable packet filtering only if you install ISA Server in Firewall mode or in Integrated mode.

Topic Objective: To identify the topics related to packet filtering and IP routing.

Lead-in: You can control the flow of IP packets to and from an external network interface of an ISA Server computer by using IP routing and packet filtering.

Page 17

Controlling Network Traffic

• Web Proxy Service
• Firewall Service Proxy
• Firewall Service Routing

You can use ISA Server to control the flow of IP packets between different networks, typically your internal network and the Internet. ISA Server controls IP packets by using the following services and methods:

• Web Proxy service. …from internal Web Proxy clients and then forwards these requests to Web servers on the Internet. The packets are never directly exchanged between the internal Web Proxy client and the Web server on the Internet.

  Note: The Web Proxy service can also process incoming Web requests for internal Web servers, which is called Web publishing. For more information about Web publishing, see Module 7, “Configuring Access to Internal Resources,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

• Firewall service proxy. …internal Firewall clients and SecureNAT clients that use the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP) to gain access to external network resources. The Firewall service intercepts IP packets, changes the IP header information, and then sends the packets to the external server. The IP packets appear to the external server as if they originated from the ISA Server computer.

• Firewall service routing. …between networks. Routing forwards network packets between different networks without changing the IP addresses and ports in the IP packet header. The Firewall service also uses rules to determine whether to route a packet. You define these rules by creating IP packet filters.

Slide Objective: To describe the services and processes that ISA Server uses to control network traffic.

Lead-in: You can use ISA Server to control the flow of IP packets between different networks, typically your internal network and the Internet.

Page 18

Understanding Packet Filtering

[Slide figure: Internal Network, ISA Server, Perimeter Network; addresses shown 192.168.1.1, 131.107.1.1, 131.107.2.1 and 131.107.2.200. Packet Filter: Protocol UDP, Direction Incoming, Destination/Port 131.107.2.200/53, Source/Port Any/Any, Type Allow]

Packet filtering allows you to control which packets an ISA Server computer accepts on an external network interface.

Important: ISA Server treats all network interfaces that are not configured with an IP address that is in the LAT as external. If one or more of the IP addresses that are associated with a network interface are in the LAT, ISA Server treats the network interface as internal and does not apply packet filters.

IP Packet Headers

You control IP packets by using the following IP packet header information:

• Source IP address and port
• Destination IP address and port
• IP protocol information

When you create a packet filter that allows bi-directional traffic, ISA Server also dynamically opens the appropriate ports that allow packets to return to the IP address and port of the original packet.

For example, you create a packet filter that allows incoming packets to UDP port 53 on a server on your perimeter network, and a computer on the Internet sends a packet to the server. ISA Server automatically allows outgoing network packets to pass from UDP port 53 on your perimeter network to the IP address and port number that initiated the connection.

Important: Dynamic packet filters that allow packets to return to the IP address and port of the original packet are in effect for only the duration of the session. Also, you cannot modify a dynamic rule.

Topic Objective: To describe the process of packet filtering.

Lead-in: Packet filtering allows you to control the network packets that an ISA Server computer accepts on an external network interface.

Page 19

Types of Packet Filters

You control which packets are allowed to traverse an external network interface of the ISA Server computer by using the following types of packet filters:

• Allow filters. …accepts. ISA Server accepts packets that meet the conditions of an Allow filter only.

• Block filters. …packets that meet the conditions of a Block filter, even though they may also meet the conditions of an Allow filter. For example, you can create an Allow filter to permit incoming SMTP traffic to a mail server. You can then create a Block filter to deny access to the mail server for an IP address that was the origin of a previous intrusion attempt. You can also use packet filters to override protocol rules that allow client connections.
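The filter behaviour described here and on the previous page (the LAT decides which interfaces get packet filters, a bi-directional Allow opens a dynamic return path for one session, and a Block filter overrides an Allow), together with the three-homed routing requirement from the Configuring the Perimeter Network page, as an added Python simulation; this is not Microsoft's code or part of the module. The interface addresses come from the Understanding Packet Filtering slide, but which ISA Server address faces which network, the mail-server address 131.107.2.25 and the 198.51.100.x / 203.0.113.x hosts are constructed assumptions.

```python
"""ISA Server 2000 packet-filter decisions as this module describes them.
Added example, not Microsoft's code. Modelled: an interface with a LAT address is
internal (no filters); Block overrides Allow and no matching Allow means drop; a
bi-directional Allow opens a dynamic return path for one session only; traffic
between two external networks (Internet <-> perimeter) needs IP routing enabled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = None  # wildcard for an address or port in a filter


@dataclass(frozen=True)
class Packet:
    proto: str           # "TCP", "UDP", "ICMP", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: str           # ISA Server interface the packet crosses
    direction: str       # "in" (arriving on the interface) or "out" (leaving it)


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str           # "ANY" or a protocol name
    direction: str       # "in" or "out"
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    action: str          # "allow" or "block"
    bidirectional: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ANY", p.proto) and self.direction == p.direction
                and self.src in (ANY, p.src) and self.sport in (ANY, p.sport)
                and self.dst in (ANY, p.dst) and self.dport in (ANY, p.dport))


@dataclass
class IsaServer:
    lat: List[str]                     # local address table, as networks
    interfaces: Dict[str, List[str]]   # interface name -> its IP addresses
    ip_routing: bool = False
    filters: List[Filter] = field(default_factory=list)
    dynamic: Set[Tuple] = field(default_factory=set)  # open return 5-tuples

    def is_internal(self, iface: str) -> bool:
        """Internal if one or more of the interface's addresses is in the LAT."""
        nets = [ip_network(n) for n in self.lat]
        return any(ip_address(a) in n for a in self.interfaces[iface] for n in nets)

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Decide one packet on one interface; returns (decision, reason)."""
        if self.is_internal(p.iface):
            return "pass", "internal interface: packet filters are not applied"
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.dynamic:
            return "allow", "dynamic return opening for an active session"
        blocks = [f for f in self.filters if f.action == "block" and f.matches(p)]
        if blocks:  # Block wins even when an Allow filter also matches
            return "block", f"Block filter '{blocks[0].name}'"
        for f in self.filters:
            if f.action == "allow" and f.matches(p):
                if f.bidirectional:  # open only the reverse 5-tuple of this session
                    self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return "allow", f"Allow filter '{f.name}'"
        return "block", "no Allow filter matches"

    def end_session(self, p: Packet) -> None:
        """Dynamic openings last only for the session that created them."""
        self.dynamic.discard((p.proto, p.dst, p.dport, p.src, p.sport))

    def forwarding(self, from_iface: str, to_iface: str, proto: str) -> str:
        """Which ISA Server mechanism can move traffic between two interfaces."""
        crosses_lat = self.is_internal(from_iface) != self.is_internal(to_iface)
        if crosses_lat and proto in ("TCP", "UDP"):
            return "Firewall service / Web Proxy service"
        # external <-> external (Internet <-> perimeter) or a non-TCP/UDP protocol
        return "IP routing" if self.ip_routing else "dropped: IP routing required"


def page_scenario() -> IsaServer:
    """Three-homed ISA Server from the module's slides (interface mapping assumed)."""
    isa = IsaServer(lat=["192.168.1.0/24"], ip_routing=True,
                    interfaces={"internal": ["192.168.1.1"],   # in the LAT
                                "perimeter": ["131.107.2.1"],  # assumed
                                "internet": ["131.107.1.1"]})  # assumed
    # slide filter: UDP, Incoming, Destination/Port 131.107.2.200/53, Source Any/Any, Allow
    isa.filters.append(Filter("dns-in", "UDP", "in", ANY, ANY, "131.107.2.200", 53,
                              "allow", bidirectional=True))
    # text example: Allow SMTP to a mail server, then Block one address that was the
    # origin of an earlier intrusion attempt (both addresses constructed)
    isa.filters.append(Filter("smtp-in", "TCP", "in", ANY, ANY, "131.107.2.25", 25,
                              "allow", bidirectional=True))
    isa.filters.append(Filter("intruder", "ANY", "in", "203.0.113.7", ANY, ANY, ANY, "block"))
    return isa
```

Evaluating the DNS query, its reply, the same reply after `end_session`, and an SMTP connection from the blocked address against `page_scenario()` reproduces each rule the text states.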

Page 20

Using IP Routing and Packet Filtering

 Situations That Require IP Routing

 Servers in a three-homed perimeter network

 Protocols other than UDP and TCP

 Situations That Require Packet Filtering

 Services running on the ISA Server computer

 Applications running on the ISA Server computer

 Servers in a three-homed perimeter network

 Protocols other than UDP and TCP

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In some situations, you must use IP routing, packet filtering, or both IP routing and packet filtering

Situations That Require IP Routing

Use IP routing for the following situations:

three-homed perimeter networks and the Internet as external networks and routes packets between them When you allow users on the Internet to connect to a server on a three-homed perimeter network, you must configure ISA Server

to perform IP routing between these networks

Allowing external users to gain access to resources on servers on a back-to-back perimeter network requires different configuration steps For more information about making servers in a back-to-back perimeter network available to the Internet, see Module 7, “Configuring Access to Internal

Resources,” in Course 2159A, Deploying and Managing Microsoft Internet

Security and Acceleration Server 2000

outgoing requests that are using the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol-Secure (HTTP-S), or FTP protocols The Firewall service handles requests from any application that uses the UDP and TCP protocols For all other protocols, ISA Server must route the packets

Topic Objective: To describe situations in which you must use IP routing and packet filtering.

Lead-in: In some situations, you must use IP routing, packet filtering, or both IP routing and packet filtering.

Delivery Tip: Ensure that students understand that the decision to use IP routing to support a perimeter network depends on the type of perimeter network.


Situations That Require Packet Filtering

Use packet filtering for the following situations:

Services running on the ISA Server computer. If you run a service on an ISA Server computer, you must create an IP packet filter that allows incoming packets for the port associated with that service.

For example, if the ISA Server computer is also functioning as an external Domain Name System (DNS) server, you must allow incoming DNS query packets. To allow the DNS query packets, create an IP packet filter that allows incoming packets to the ISA Server computer on TCP and UDP port 53.

Applications running on the ISA Server computer. If you run an application on the ISA Server computer that needs to connect to the Internet, you must create one or more IP packet filters that allow the appropriate outgoing packets. An application running on the ISA Server computer cannot use the Firewall service to connect to the Internet because configuring the ISA Server computer as a Firewall client is not supported. Instead, the application must establish a direct connection to the Internet, which requires you to create packet filters that allow the appropriate network traffic.

For example, to allow an e-mail client application that is running on the ISA Server computer to connect to an SMTP server, create an IP packet filter that allows packets to pass from the ISA Server computer to TCP port 25 on a remote SMTP server.

Important: Do not create packet filters for outgoing traffic from internal clients that pass through the Firewall service or the Web Proxy service. Because ISA Server automatically and dynamically opens the ports that are required to handle such communications based on the protocol rules that you configured, no packet filters are required, provided that all client requests use the TCP or UDP protocol.

Servers in a three-homed perimeter network. To allow users on the Internet to connect to a server on a three-homed perimeter network, you must create IP packet filters to open the ports that are required for ISA Server to accept and route packets to services that are running on the server in the perimeter network.

For example, to allow external clients to connect to an SMTP server in a perimeter network, create an IP packet filter that allows incoming packets for TCP port 25 on the SMTP server.

Protocols other than UDP and TCP. To allow traffic from SecureNAT clients that use protocols other than TCP or UDP, you must configure the appropriate packet filters to allow this traffic to pass through the ISA Server computer.

For example, to allow clients to use the Ping utility, which uses the Internet Control Message Protocol (ICMP), create an IP packet filter by using the predefined filter “ICMP all outbound” for internal clients.


Guidelines for Using Packet Filtering and IP Routing

• Packet Filtering and IP Routing Not Enabled
• Packet Filtering Enabled and IP Routing Not Enabled
• Packet Filtering and IP Routing Enabled
• Packet Filtering Not Enabled and IP Routing Enabled


Use the following guidelines when using packet filtering, IP routing, or both.

Packet Filtering and IP Routing Not Enabled

When you do not enable packet filtering or IP routing, ISA Server does not apply packet filters to incoming network traffic, which lowers the protection of the ISA Server computer. Use this combination of settings only to optimize performance and when the external interface of the ISA Server computer is connected to a network that you have control over, for example, when using ISA Server to forward traffic from a branch office by using a leased line.

Packet Filtering Enabled and IP Routing Not Enabled

When you enable packet filtering, ISA Server drops all of the IP packets on external network interfaces unless they are explicitly allowed by static or dynamic rules. The ISA Server computer also does not forward packets directly. Use this setting when:

• All client connections use the UDP or TCP protocol.
• You do not need to forward packets between the Internet and a three-homed perimeter network configuration.

Packet Filtering and IP Routing Enabled

When combining packet filtering and IP routing, you gain the security benefits of packet filtering, the ability to route protocols other than TCP or UDP, and the ability to route between the Internet and a three-homed perimeter network. Use this configuration in situations that require both security and routing.

Packet Filtering Not Enabled and IP Routing Enabled

You cannot configure ISA Server to route packets without enabling packet filtering because of the low level of security that such a configuration would provide. If your network configuration requires a router, evaluate the Routing and Remote Access service in Windows 2000.

Topic Objective: To describe guidelines for using packet filtering and IP routing.

Lead-in: Use the following guidelines when using packet filtering, IP routing, or both.


Configuring Packet Filtering and IP Routing

• Enabling Packet Filtering and IP Routing
• Creating IP Packet Filters
• Configuring Packet Filter Options


You must enable packet filtering and IP routing to forward IP packets from one external network to another external network. You can then create IP packet filters to allow incoming packets for specific ports and services. To increase the security of your ISA Server computer, you can configure packet-filtering settings.

Lead-in: You must enable packet filtering and IP routing to forward IP packets from one external network to another external network.


Enabling Packet Filtering and IP Routing

Slide: the IP Packet Filters Properties dialog box, General tab (the other tabs are Packet Filters, Intrusion Detection, and PPTP). Use this page to control packet routing and packet filtering properties. Callouts: select the Enable packet filtering check box to enable packet filtering; select the Enable IP routing check box to enable IP routing.


When you enable packet filtering, ISA Server monitors the IP packets that pass through the external network adapter on the ISA Server computer. In addition to packet filtering, you must enable IP routing to forward IP packets from one external network to another external network, such as the Internet and a three-homed perimeter network. You must also enable IP routing when client computers use network protocols other than the TCP and UDP protocols.

To enable packet filtering and IP routing:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, right-click IP Packet Filters, and then click Properties.

2. On the General tab, ensure that the Enable packet filtering check box is selected.

3. Click the Enable IP routing check box, and then click OK.

Topic Objective: To describe the procedure that you use to enable packet filtering and IP routing.

Lead-in: Before you can use IP packet filters, you must enable IP packet filtering on the ISA Server computer.


Creating IP Packet Filters

Slide: the New IP Packet Filter Wizard flow: Start > Name the Filter > Select the Filter Mode > Select the Filter Type > Configure Filter Settings > Select Local IP Address > Select Remote Computer(s) > Finish.


Before you create an IP packet filter, you must identify the associated protocols and ports for the specified packets. You must also identify the IP addresses or IP address ranges of the computers for the source and destination.

To create a new IP packet filter:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, click IP Packet Filters, and then in the details pane, click Create a Packet Filter.

2. In the New IP Packet Filter Wizard, type a name that describes the filter, and then click Next.

3. On the Filter Mode page, select Allow packet transmission or Block packet transmission, and then click Next.

4. On the Filter Type page, select Custom or Predefined to specify the type of filter to create, and then click Next.

Important: Before creating a custom filter, always confirm that ISA Server does not include a predefined filter that meets your requirements.

5. If you select a custom filter, on the Filter settings page, enter the following information, and then click Next.

Topic Objective: To describe the key steps that you perform to create IP packet filters.

Lead-in: Before you create an IP packet filter, you must identify the associated protocols and ports for the specified packets.


For this setting: Do the following

IP protocol: Select Custom protocol, Any, ICMP, TCP, or UDP. If you select Custom Protocol, provide the protocol number.

Number: Type the number of the IP protocol.

Direction: Specify the direction for the communication. The settings available in the wizard will vary depending on the IP protocol that you select. For most protocols, you can specify Inbound, Outbound, or Both. Because the UDP protocol is connectionless and requires no session establishment, the options differ for this protocol. If you select the UDP protocol, select Send only (the ISA Server computer or computer on a perimeter network only sends packets), Send/Receive (the ISA Server computer or computer on a perimeter network sends packets and can receive responses), Receive only (the ISA Server computer or computer on a perimeter network only receives packets), Receive/Send (the ISA Server computer or computer on a perimeter network receives packets and can send responses), or Both (full, bi-directional communications).

Local port: Click All ports to apply the rule to all ports, click Dynamic (1025-5000) to apply the rule to the ports that client applications typically use to establish connections with servers, or click Fixed port to select a specific port, such as the port on which a server listens. If you select Fixed port, type the port number in the Port number box. Note: A local port is a port on the ISA Server computer or the computer on the perimeter network. This option is available with only the TCP and UDP protocols.

Remote port: Click All ports to apply the rule to all remote ports. Click Fixed port to select a specific port, such as the port on which a remote server listens. If you select Fixed port, type the port number in the Port number box. Note: A remote port is a port on the computer that communicates with the ISA Server computer or the computer on the perimeter network. This option is available with only the TCP and UDP protocols.

Type: Click All types to apply the rule to all ICMP types. Click Fixed Type to apply the rule to only a specific ICMP type, and then type a type number. Note: This option is available with only the ICMP protocol. The ICMP protocol identifies types by a type field in an ICMP packet, such as Destination Unreachable (Type 3).

Code: Click All Codes to apply the rule to all ICMP codes. Click Fixed Code to apply the rule to only a specific ICMP code, and then type a code number. Note: This option is available with only the ICMP protocol. The ICMP protocol identifies message codes by a code field in the ICMP packet that depends on the ICMP type. For example, an ICMP packet with Type 3 can include Code 4, which indicates Fragmentation Needed. The code numbers that are used depend on the ICMP type.
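The Block-overrides-Allow rule described earlier in this module and the filter settings listed in the table above, as an added example that is not part of the course or of ISA Server's own code: a Python model of how a static packet filter set is evaluated. The PacketFilter class, its field names, the evaluate function and the sample addresses are assumptions made here for illustration.

```python
# Added example, not code from Course 2159A or from ISA Server itself: a model of
# how static IP packet filters are evaluated as the text describes. Class and
# field names are assumptions; only the evaluation rules come from the module.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class PacketFilter:
    name: str
    mode: str                          # "allow" or "block"
    protocol: str                      # "tcp", "udp", "icmp" or "any"
    direction: str                     # "inbound", "outbound" or "both"
    local_port: Optional[int] = None   # None means all ports
    remote_port: Optional[int] = None
    remote: str = "0.0.0.0/0"          # remote computer(s) in CIDR form
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # An unset field is a wildcard; a set field must equal the packet's value.
        return all([
            self.protocol in ("any", pkt["protocol"]),
            self.direction in ("both", pkt["direction"]),
            ip_address(pkt["remote_ip"]) in ip_network(self.remote),
            self.local_port in (None, pkt.get("local_port")),
            self.remote_port in (None, pkt.get("remote_port")),
            self.icmp_type in (None, pkt.get("icmp_type")),
            self.icmp_code in (None, pkt.get("icmp_code")),
        ])

def evaluate(filters, pkt: dict) -> str:
    """Block overrides Allow; with filtering enabled, an unmatched packet is dropped."""
    matched = [f for f in filters if f.matches(pkt)]
    if any(f.mode == "block" for f in matched):
        return "block"
    if any(f.mode == "allow" for f in matched):
        return "allow"
    return "drop"

# Constructed policy mirroring the examples in the text: inbound SMTP and DNS,
# outbound ping, and a Block filter for the source of a previous intrusion attempt.
FILTERS = [
    PacketFilter("SMTP inbound", "allow", "tcp", "inbound", local_port=25),
    PacketFilter("DNS inbound UDP", "allow", "udp", "inbound", local_port=53),
    PacketFilter("DNS inbound TCP", "allow", "tcp", "inbound", local_port=53),
    PacketFilter("Ping outbound", "allow", "icmp", "outbound", icmp_type=8),
    PacketFilter("Block intruder", "block", "any", "both", remote="203.0.113.7/32"),
]
```

Because the Block filter carries no port or protocol, it matches every packet from the listed address, so SMTP from that source is blocked even though the SMTP Allow filter also matches it.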

Posted: 10/12/2013, 16:16
