
Module 9: Configuring ISA Server for an Enterprise


DOCUMENT INFORMATION

Basic information

Title: Configuring ISA Server for an Enterprise
Institution: Microsoft Corporation
Subject: Internet Security and Acceleration
Type: Module
Year of publication: 2001
City: Redmond
Pages: 67
File size: 1.38 MB


Contents

Overview

Introducing ISA Server Enterprise Edition

Installing ISA Server in the Enterprise

Using Enterprise Policies and Array Policies

Managing Network Connections

Extending and Automating ISA Server

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

This module provides students with the knowledge and skills to install and configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 in an enterprise environment.

After completing this module, students will be able to:

• Describe the use of ISA Server in an enterprise environment.
• Install ISA Server in an enterprise environment.
• Use enterprise and array policies.
• Scale ISA Server.
• Manage network connections.
• Extend and automate ISA Server functionality.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_09.ppt.

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Firewall client application settings,” “Using Network Load Balancing,” “Configuring Automatic Discovery,” “The Enterprise, Arrays, and Stand-Alone Servers,” and “Cache Array and Routing Protocol” in ISA Server Help.
• Read the section “Network Load Balancing” in the Microsoft Windows® 2000 Server Resource Kit.
• Read the white papers entitled “Network Load Balancing Technical Overview” and “Cache Array Routing Protocol and Microsoft Proxy Server 2.0” under Additional Reading on the Trainer Materials compact disc.
• Read Module 2, “Installing and Maintaining ISA Server,” and Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Read Module 4, "Designing a Schema Policy," in Course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.
• Read Module 12, "Managing Operations Masters," in Course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.

Presentation: 75 Minutes

Lab: 30 Minutes

Module Strategy

Use the following strategy to present this module:

• Introducing ISA Server Enterprise Edition
  Explain that you can install ISA Server Enterprise Edition as a stand-alone server or as an array member. Emphasize that if you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access.

• Installing ISA Server in the Enterprise
  Ensure that students understand the impact that modifying the schema has on the entire Active Directory™ directory service forest and that changes to the schema are irreversible. Explain that when you promote a stand-alone server, ISA Server may delete policy rules and publishing rules to ensure that array policies are not more permissive than an applicable enterprise policy.

• Using Enterprise Policies and Array Policies
  Emphasize that when you apply an enterprise policy to an array, ISA Server deletes all of the previously defined array-level site and content rules and protocol rules that allow access.

• Managing Network Connections
  Use the slide example to explain the use of routing rules for conditionally routing requests. Explain that firewall chaining enables requests from Firewall clients and SecureNAT clients to be routed to upstream servers. Use the animated slide to explain automatic discovery. Explain that using automatic discovery helps you to minimize the time spent troubleshooting connection problems on the client computers. Emphasize that to use the Dynamic Host Configuration Protocol (DHCP) protocol for automatic discovery, you must ensure that there is a DHCP server with a valid scope for each network segment that has ISA Server clients. Emphasize that to use Domain Name System (DNS) for automatic discovery, you must ensure that there is a Web Proxy AutoDiscovery Protocol (WPAD) entry for each DNS domain that has ISA Server clients.

• Scaling ISA Server
  Explain that to use Cache Array Routing Protocol (CARP) and to use Network Load Balancing efficiently, you must use ISA Server Enterprise Edition. Explain that by using hash-based routing instead of queries to determine the location of cached information, CARP becomes faster and more efficient as more member servers are added to the array. For more information about CARP, tell students to see the white paper “Cache Array Routing Protocol and Microsoft Proxy Server 2.0” under Additional Reading on the Student Materials compact disc. Mention that Network Load Balancing is available with Microsoft Windows 2000 Advanced Server only.

• Extending and Automating ISA Server Functionality
  Mention that you can gain benefits from using the extensibility and automation features of ISA Server whether you use the Standard Edition or the Enterprise Edition.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.

Setup Requirement 2

The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.

Setup Requirement 3

The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

Setup Requirement 4

The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s Internet Protocol (IP) address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.

Setup Requirement 5

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure Internet Explorer manually.

Setup Requirement 6

The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure IIS manually.

• Create the rule manually.

Setup Requirement 8

The lab in this module requires that packet filtering be enabled on the ISA Server computer. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Enable packet filtering manually.

• DNS for the student computer zones has a WPAD entry added.
• The Active Directory schema update for ISA Server is installed.
• The stand-alone ISA Server computer is promoted to an array.
• An enterprise policy is created.

Overview

• Introducing ISA Server Enterprise Edition
• Installing ISA Server in the Enterprise
• Using Enterprise Policies and Array Policies
• Managing Network Connections
• Scaling ISA Server
• Extending and Automating ISA Server Functionality

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides many features to support an enterprise-wide deployment. Some of these features are available in only the Enterprise Edition of ISA Server. The security, caching, management, performance, and extensibility capabilities of ISA Server are the same in both the Standard Edition and the Enterprise Edition. The Standard Edition, however, is limited to a stand-alone server, a local policy only, and computers with up to four processors. For large-scale deployments, server array support, multi-level policy, and computers with more than four processors, you must use the ISA Server Enterprise Edition.

After completing this module, you will be able to:

• Describe the use of ISA Server in an enterprise environment.
• Install ISA Server in an enterprise environment.
• Use enterprise and array policies.
• Scale ISA Server.
• Manage network connections.
• Extend and automate ISA Server functionality.

Introducing ISA Server Enterprise Edition

• Benefits of ISA Server Enterprise Edition
• Using ISA Server Enterprise Edition

There are many benefits for an organization to deploy ISA Server Enterprise Edition in an enterprise environment. When you deploy ISA Server Enterprise Edition, you must select an installation configuration and a policy.

Benefits of ISA Server Enterprise Edition

Scalability
Scales ISA Server functionality by using arrays, symmetric multiprocessing, Network Load Balancing, and CARP.

Distributed and Hierarchical Caching
Enhances caching performance and fault tolerance.

ISA Server Enterprise Edition offers several benefits to organizations that want fast, secure, and manageable Internet connectivity in an enterprise environment.

Scalability

ISA Server Enterprise Edition provides scalability by using arrays, enhanced symmetric multiprocessing support, the Network Load Balancing feature of Microsoft Windows® 2000 Advanced Server, and the Cache Array Routing Protocol (CARP) protocol.

Arrays

ISA Server Enterprise Edition uses arrays to manage a group of ISA Server computers as a single, logical entity. Array installations increase performance and bandwidth savings by distributing client requests between multiple ISA Server computers. In addition, because the load is distributed across all of the servers in the array, you can achieve good performance even with moderate hardware. Arrays also provide fault tolerance. Moreover, because the array members share the same configuration, management and administration is simplified.

Symmetric Multiprocessing

ISA Server uses Windows 2000 symmetrical multiprocessing (SMP) to improve performance on computers with multiple processors. ISA Server Enterprise Edition uses the SMP capabilities of Windows 2000 Advanced Server, which supports up to 8 processors, and Microsoft Windows 2000 Datacenter Server, which supports up to 32 processors.

Topic Objective: To describe the benefits of ISA Server Enterprise Edition

Lead-in: ISA Server Enterprise Edition offers several

Network Load Balancing

ISA Server Enterprise Edition efficiently uses Network Load Balancing, which is available in Windows 2000 Advanced Server and Windows 2000 Datacenter Server, to provide fault tolerance, high availability, efficiency, and performance through the clustering of multiple ISA Server computers. You can use Network Load Balancing to make multiple ISA Server computers respond to a single Internet Protocol (IP) address, which provides load balancing and fault tolerance for publishing internal resources to the Internet.

CARP

ISA Server Enterprise Edition uses CARP to provide scaling and efficiency when deploying an array of ISA Server computers as forward and reverse caching servers. CARP eliminates the duplication of content among array members and automatically adjusts to additions or deletions of servers in the array.
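The hash-based routing behind the CARP properties described above can be illustrated with a short added example (it is not part of the courseware and does not reproduce ISA Server's actual hash functions). Each member is scored against the request URL and the highest score owns the object, so every URL has exactly one owner and a membership change moves only the affected URLs. The member names, the URLs, and the use of SHA-256 as the hash are assumptions made for the illustration.

```python
import hashlib


def score(member: str, url: str) -> int:
    """Combined hash of one member name and one URL.

    Assumption: SHA-256 stands in for CARP's own hash functions, which this
    example does not reproduce.
    """
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def owner(members, url):
    """Pick the array member that caches `url`: the one with the highest score.

    Anyone who knows the membership list computes the same answer locally,
    so no query to the other members is needed.
    """
    if not members:
        raise ValueError("the array has no members")
    # The member name breaks the (practically impossible) tie deterministically.
    return max(members, key=lambda m: (score(m, url), m))


def assign(members, urls):
    """Map every URL to its single owning member (no duplicated content)."""
    return {url: owner(members, url) for url in urls}


def moved(before, after):
    """URLs whose owner differs between two assignments."""
    return sorted(u for u in before if before[u] != after[u])


def simulate():
    # Constructed sample data: hypothetical member names and URLs.
    members = ["isa1", "isa2", "isa3"]
    urls = [f"http://www.example.com/page{i}.htm" for i in range(300)]

    base = assign(members, urls)
    load = {m: sum(1 for o in base.values() if o == m) for m in members}

    # A member leaves the array (for example, it becomes unavailable).
    after_removal = assign(["isa1", "isa3"], urls)
    lost = moved(base, after_removal)

    # A member joins the array.
    after_addition = assign(members + ["isa4"], urls)
    gained = moved(base, after_addition)

    return {
        "load": load,
        "remapped_on_removal": len(lost),
        "only_removed_members_urls_moved": all(base[u] == "isa2" for u in lost),
        "remapped_on_addition": len(gained),
        "all_moves_go_to_new_member": all(
            after_addition[u] == "isa4" for u in gained
        ),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Only the URLs owned by the removed member are reassigned, and a new member takes over a share of URLs without any other URL changing owner.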

Distributed and Hierarchical Caching

ISA Server Enterprise Edition uses CARP to perform distributed caching among an array of ISA Server computers to enhance the caching performance and the fault tolerance if an ISA Server computer becomes unavailable.

In addition, ISA Server supports hierarchical, or chained, caching. Chained caching is a hierarchical connection between individual ISA Server computers or arrays of ISA Server computers. Chained caching enables caching to take place closer to the users. Client requests are sent upstream through the chain of cache servers until the requested object is found. When the object is located on an upstream server, it is cached in both the upstream server’s cache and the downstream server's cache. Both the Standard Edition and the Enterprise Edition support hierarchical caching.

Active Directory

ISA Server stores configuration and policy information of arrays in the Active Directory™ directory service. Active Directory provides a central point for storing and gaining access to ISA Server policies and configuration settings.

In addition, both the Standard Edition and the Enterprise Edition can apply access controls by using user accounts and groups that are defined in Active Directory.

Tiered Policy

ISA Server Enterprise Edition supports a tiered policy, which enables you to create access policies at both the enterprise level and the array level. You can set a centralized enterprise policy that unconditionally applies to all of the arrays in the enterprise, or you can set an enterprise policy that administrators can augment at the array level.

Using ISA Server Enterprise Edition

[Screenshot: ISA Management Servers and Arrays taskpad with the options Configure Enterprise Policies, Configure Enterprise Policy Default Settings, and Set Enterprise Policy for the Selected Array. Callout: Use this taskpad to configure how the enterprise policy affects the array policy.]

You can install ISA Server Enterprise Edition as a stand-alone server or as an array member. When you install ISA Server as an array member, you can select a policy configuration that meets the needs of your organization.

Selecting an Installation Configuration

When you install ISA Server Enterprise Edition as a stand-alone server, the computer does not have to belong to a Windows 2000 domain. ISA Server stores the configuration information for the stand-alone server in the registry. Stand-alone servers do not use array policies or enterprise policies.

When you install ISA Server as an array member, the computer must be a member of a Windows 2000 domain. ISA Server Enterprise Edition stores configuration information for arrays in Active Directory. You can apply an enterprise policy to an array, which allows you to centralize management for multiple arrays in your enterprise.

Topic Objective: To describe the topics related to using ISA Server Enterprise Edition

Lead-in: ISA Server Enterprise Edition can be installed as a array member. When you install ISA Server as an array member, you can select a policy configuration that meets the needs of your organization.

Selecting a Policy Configuration

When you set up ISA Server in an enterprise configuration, you must select a policy configuration to apply to the arrays in the domain. You can use enterprise policies, which apply a centralized policy to arrays, or you can use array policies, which apply a policy to only the ISA Server computer in one array. Each type of policy includes the following:

• Enterprise Policy. Includes site and content rules and protocol rules. You can create one or more enterprise policies. In addition, you can configure an enterprise policy to permit an array policy to augment the enterprise policy. This configuration enables administrators at branch offices and specific departments in an organization to use enterprise policies and be able to configure rules at the array level that further restrict an access policy.

• Array Policy. Includes site and content rules, protocol rules, IP packet filters, Web publishing rules, routing rules, and server publishing rules. You select an array policy to apply a unique array policy to each array in the enterprise. For example, you can allow unlimited access to the Internet for the clients that use one array and then place restrictions on the clients that use another array.

If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you apply enterprise policies, array policies can create additional restrictions over the enterprise policies. However, an array policy can never allow any type of access that an enterprise policy does not first allow.
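The tiering rule stated above can be checked with a small model, added here as an illustration (it is not code from the courseware or from ISA Server). It collapses site and content rules and protocol rules into one rule type and assumes that a matching deny rule overrides any allow rule; the rule names, protocols, and destination sets are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    protocol: str     # protocol name, or "*" for any protocol
    destination: str  # destination set name, or "*" for any destination

    def matches(self, protocol: str, destination: str) -> bool:
        return (self.protocol in ("*", protocol)
                and self.destination in ("*", destination))


def decide(rules: List[Rule], protocol: str, destination: str) -> bool:
    """One policy level: a matching deny wins (model assumption),
    otherwise at least one matching allow rule is required."""
    hits = [r for r in rules if r.matches(protocol, destination)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)


def apply_enterprise_policy(array_rules: List[Rule]):
    """Split array rules into (kept, deleted) when an enterprise policy is
    applied: array-level rules that allow access are deleted, and only
    restrictions remain."""
    kept = [r for r in array_rules if r.action == "deny"]
    deleted = [r for r in array_rules if r.action == "allow"]
    return kept, deleted


def effective_access(enterprise_rules: Optional[List[Rule]],
                     array_rules: List[Rule],
                     array_may_restrict: bool,
                     protocol: str, destination: str) -> bool:
    """Decision for one request under the tiered policy.

    enterprise_rules=None models "Use array policy only".
    array_may_restrict models the option that lets array-level rules
    further restrict the enterprise policy.
    """
    if enterprise_rules is None:
        return decide(array_rules, protocol, destination)
    if not decide(enterprise_rules, protocol, destination):
        return False  # the enterprise policy must allow the access first
    if array_may_restrict:
        kept, _ = apply_enterprise_policy(array_rules)
        if any(r.matches(protocol, destination) for r in kept):
            return False  # the array policy narrows the enterprise policy
    return True


# Constructed sample policies (hypothetical rule names and sets).
ENTERPRISE = [
    Rule("Allow web browsing", "allow", "HTTP", "*"),
    Rule("Block restricted sites", "deny", "*", "Restricted"),
]
ARRAY = [
    Rule("Allow FTP for branch", "allow", "FTP", "*"),
    Rule("Block news at branch", "deny", "HTTP", "News"),
]


def never_more_permissive(enterprise: List[Rule], array: List[Rule]) -> bool:
    """True if no request is allowed that the enterprise policy alone denies."""
    protocols = ["HTTP", "FTP", "SMTP"]
    destinations = ["News", "Restricted", "Partner"]
    for proto, dest, restrict in product(protocols, destinations, (True, False)):
        allowed = effective_access(enterprise, array, restrict, proto, dest)
        if allowed and not decide(enterprise, proto, dest):
            return False
    return True


if __name__ == "__main__":
    kept, deleted = apply_enterprise_policy(ARRAY)
    print("deleted:", [r.name for r in deleted])
    print("kept:", [r.name for r in kept])
    print("invariant holds:", never_more_permissive(ENTERPRISE, ARRAY))
```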

Key Points: If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you enforce enterprise policies, an array policy can never allow any type of access that an enterprise policy does not first allow.

Installing ISA Server in the Enterprise

• Installing ISA Server Schema in Active Directory
• Using Arrays
• Installing ISA Server in an Array
• Creating and Deleting Arrays in ISA Management
• Promoting a Stand-Alone Server
• Maintaining Enterprise Configurations

Before you can set up ISA Server Enterprise Edition as an array member, the ISA Server schema must be installed in Active Directory. ISA Server includes an Enterprise Initialization utility that you can use to install the ISA Server schema in Active Directory. You can also promote stand-alone servers to array members. When you modify an array, it is recommended that you back up the configuration information.

Topic Objective: To present the topics related to installing ISA Server in the enterprise

Lead-in: Before you can set up ISA Server as an array member, the ISA Server schema must be installed in Active Directory.

Installing ISA Server Schema in Active Directory

[Screenshot: ISA Enterprise Initialization dialog box. Text: Specify how to apply the enterprise policy at the array level. After installation, you can modify these settings for any array in the enterprise. Options under "When applying enterprise policy": Use array policy only; Use this enterprise policy (Enterprise Policy 1); Also allow array-level access policy rules that restrict enterprise policy; Allow publishing rules; Force packet filtering on the array. Callout: Select an option to configure enterprise policy.]

Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory. Installing the ISA Server schema adds new object classes and attributes to Active Directory.

Applying a schema change to Active Directory is a major operation that normally requires planning. Because Active Directory does not support deletion of schema objects, the enterprise initialization process is irreversible. For more information about schema changes to Active Directory, see Module 4, "Designing a Schema Policy," in Course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.

Using the Enterprise Initialization Utility

ISA Server includes an Enterprise Initialization utility that you can use to install the ISA Server schema in Active Directory. After you install the ISA Server schema, all subsequent ISA Server installations to computers in the Active Directory forest can use the ISA Server schema. You do not have to install the schema again.

To install the ISA Server schema in Active Directory, you must be an administrator on the local computer. In addition, you must be a member of the Enterprise Admins group and the Schema Admins group. In addition, the domain controller that holds the schema master role for your Active Directory forest must be available. For more information about operation master roles, see Module 12, "Managing Operations Masters," in Course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.

Topic Objective: To describe the procedure that you use to install ISA Server schema in Active Directory

Lead-in: Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory.

Key Points: Applying a schema change to Active Directory is a major operation that normally requires planning. Because Active Directory does not support deletion of schema objects, the enterprise initialization process is irreversible.

Delivery Tip: Ensure that students understand the impact that modifying the schema has on the entire Active Directory forest and that changes to the schema

Initializing the Enterprise

To initialize the enterprise by installing the ISA Server schema:

1. At a command prompt, type path\isa\i386\msisaent.exe (where path is the location of the ISA Server installation files). The location can be the root folder of the ISA Server CD-ROM or a shared folder on your network that contains the ISA Server files.

2. In the ISA Enterprise Initialization Tool dialog box, click Yes to acknowledge that the schema installation is not reversible.

3. In the ISA Enterprise Initialization dialog box, select one of the following policy options:

   • Use array policy only. Allows the array administrator to create rules for allowing or denying access at the array level. ISA Server does not apply enterprise policy to the array.

   • Use this enterprise policy. Creates an enterprise policy with the name that you type. You can modify the policy and add additional enterprise policies after you have installed ISA Server.

4. If you select to use an enterprise policy, in the ISA Enterprise Initialization dialog box, select one or more of the following options, and then click OK twice.

Allow array administrators to create array policies that further restrict an enterprise policy

Select the Allow array-level access rules that restrict enterprise policies

on the array check box is selected

Note: Because of Active Directory replication latency, there may be a delay until the schema changes are applied to all domain controllers in your organization.

Using Arrays

• Guidelines for Setting Up Arrays
• Configuration Settings for Arrays
• Permissions Required for Adding Arrays

Before you set up an array, consider the following guidelines, configuration settings, and permissions required for adding arrays.

Guidelines for Setting Up Arrays

The guidelines for setting up arrays are as follows:

• All of the array members must be in the same Windows 2000 domain and on the same site.
• All of the array members should use the same installation mode: Cache mode, Firewall mode, or Integrated mode.
• All of the array members should have the same set of extensions installed.

Configuration Settings for Arrays

Array members have the following configuration settings:

• Policy configuration. Policy configuration for arrays includes all access policy rules, publishing rules, and bandwidth rules. Similarly, the cache policies are centrally configured at the array level, and the cache policy and scheduled content download jobs apply to all computers in an array.

• Alert configuration. Alerts can be configured for each server in the array or for all of the servers in the array.

• Reports. Reports display information about the activity on all of the ISA Server computers in the array. The report data is stored in a database on a computer and in a directory that you specify. By default, the report data is stored on the ISA Server computer on which you configure the report jobs.

• Cache. Disk space for caching is allocated separately on each ISA Server computer according to the amount that you specify when you install or reconfigure the cache. However, all of the cache configuration properties are common for all of the servers in an array. These properties include the Hypertext Transfer Protocol (HTTP) protocol caching properties, the File Transfer Protocol (FTP) protocol caching properties, and the CARP protocol properties.

Topic Objective: To identify the topics related to using arrays

Lead-in: Before you set up an array, consider the following guidelines, configuration settings, and required permissions.

Permissions Required for Adding Arrays

By default, the members of the Domain Admins group for the domain and the members of the Enterprise Admins group for the Active Directory forest can create new arrays. Only the members of the Enterprise Admins group are prompted to configure how the enterprise policies apply to the array because only the members of this group have the required permissions to administer enterprise policies. When a user who is not a member of the Enterprise Admins group creates an array, the default enterprise policy automatically applies to the array.

Installing ISA Server in an Array

Run Setup

Install ISA Server as an Array

Create and Name Array

Select an Enterprise Policy Setting

Start


When you install the first ISA Server computer after importing the ISA Server schema into Active Directory, the setup program provides you with additional choices that are not available before you modify the schema. After you set up the first ISA Server computer in an array, when you install additional array members, these array members automatically retrieve most of the configuration information from Active Directory.

Installing the First ISA Server Computer

To install ISA Server on the first computer in an array:

1. Start the Microsoft Internet Security and Acceleration Server Enterprise Edition Setup program, and choose whether to perform a typical, custom, or full installation.

2. In the Microsoft ISA Server Setup dialog box, click Yes to install ISA Server as an array member.

3. If the domain already contains arrays, in the Microsoft ISA Server Setup dialog box, click New.

4. In the New Array dialog box, type a name for the array that you are creating, and then click OK.

5. In the Configure enterprise policy setting dialog box, select one of the following options:

   • Use default enterprise policy settings. The array will use the default enterprise policy settings. These settings are normally the policy settings that you configured when you imported the ISA Server schema.

   • Use custom enterprise policy settings. The array will not use the default enterprise policy settings.

6. If you chose to use a custom enterprise policy, select the appropriate policy option and settings, and then click Continue.

7. In the Microsoft ISA Server Setup dialog box, select the installation mode, and then configure the cache settings and the Local Address Table (LAT) as you would for a stand-alone server.

Topic Objective: To describe the key steps to perform when you install the first ISA Server computer in an array

Lead-in: When you install the first ISA Server computer after importing the ISA Server schema into Active Directory, the setup program provides you with additional choices that are not available before you modify the schema.

Installing Additional Array Members

When you install additional members of an array, the new members retrieve the existing array configuration from Active Directory.

To install additional array members:

1. Start the Microsoft Internet Security and Acceleration Server Enterprise Edition Setup program, and choose whether to perform a typical, custom, or full installation.

2. In the Internet Security and Acceleration Server Setup dialog box, click Yes to install ISA Server on an array member.

3. In the Microsoft ISA Server Setup dialog box, click the array that you want to add the computer to, click OK, and then configure the cache settings as you would for a stand-alone server.

Creating and Deleting Arrays in ISA Management

• Creating New Arrays

• Deleting Arrays

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

You can create a new array before installing ISA Server on the first computer in the array, which allows you to configure the array before you install ISA Server on the first computer in the array. When you create a new array, you can create a new configuration or you can copy a configuration from another array. After you have created an array, computers can join the array when you install ISA Server or when you promote a stand-alone server to an array member.

Important: You must be a member of the Domain Admins group or the Enterprise Admins group to create an array. You must be a member of the Enterprise Admins group to configure how the enterprise policies apply.

Creating New Arrays

To create a new array:

1. In ISA Management, in the console tree, right-click Servers and Arrays, point to New, and then click Array.

2. In the New Array Wizard, type a name for the array, and then click Next.

3. On the Domain Name page, select the site and domain in which to create the new array, and then click Next.

4. On the Create or Copy an Array page, select one of the following options:

from the list, click Next, and then click Finish

Topic Objective: To describe the procedures that you use to create and delete new arrays in ISA Management.

Lead-in: You can create a new array before installing ISA Server on the first computer in the array, which allows you to configure the array before you install ISA Server on the first computer in the array.


Note: You perform the following steps only when you are creating an array with a new configuration.

5. On the Enterprise policy settings page, select one of the following options, and then click Next:

• Do not use enterprise policy

• Use default enterprise policy settings

• Use custom enterprise policy settings. Use this option to specify an enterprise policy. You can also select the Allow array policy check box.

6. On the Array type page, select one of the following options, and then click

Allow publishing rules to be created on the array

Force packet filtering on the array

8. On the Completing the New Array Wizard page, review your choices, and then click Finish.

Deleting Arrays

You can delete an array in ISA Management after you uninstall ISA Server from all array members.

To delete an array:

• In ISA Management, in the console tree, right-click the appropriate array, and then click Delete.

Caution: If you accidentally delete an array that has members, you must re-create the array, uninstall ISA Server on each of the members, re-create each array member, and then reinstall ISA Server on all array members.


Promoting a Stand-Alone Server

• Migrating Policy Settings

• Promoting a Stand-Alone Server


After you initialize the enterprise, you can promote stand-alone servers to array members. After promoting a stand-alone server to an array, by default, the name of the array is the same as the name of the server. You can rename the array in ISA Management.

Note: You can promote stand-alone servers that belong to a Windows 2000 domain only. You cannot reverse the promotion without uninstalling ISA Server.

Migrating Policy Settings

When you promote a stand-alone server to an array, the new array adopts the default enterprise policy settings or another enterprise policy that you select. Because array policies cannot be more permissive than enterprise policies, depending on the default enterprise policy settings, ISA Server may delete some of the existing array policy rules as follows:

If default enterprises settings Then ISA Server

access

for the array

Lead-in: After you initialize the enterprise, you can promote stand-alone servers to array members.

Delivery Tip: Explain that ISA Server may delete policy rules and publishing rules to ensure that array policies are not more permissive than an applicable enterprise policy.


Promoting a Stand-Alone Server

To promote a stand-alone server:

1. In ISA Management, in the console tree, right-click the server, and then click Promote.

2. Click Yes to verify that you want the ISA Server to become an array member.

3. If you are not a member of the Enterprise Admins group, click Yes to confirm that the default enterprise policy will be applied to the array.

–or–

If you are a member of the Enterprise Admins group, in the Set Global Policy dialog box, select the appropriate policy options and settings, and then click OK.


Maintaining Enterprise Configurations

[Slide: the ISA Management taskpad for Servers and Arrays, which you use to configure how the enterprise policy affects the array policy, shown with the Backup Enterprise Configuration and Restore Enterprise Configuration dialog boxes.]


You can back up the enterprise configuration information and then store it locally in a file. The backup process saves all of the enterprise-specific information, including the enterprise policies and the enterprise policy elements. The backup process also saves information about the enterprise policies that the arrays are using.

Because restoring an enterprise configuration may affect arrays that use enterprise policies, it is recommended that you back up an array configuration after you back up the enterprise configuration. When you restore the enterprise configuration, you can also restore all of the array configurations. For information about backing up and restoring arrays, see Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Backing Up an Enterprise Configuration

To back up an enterprise configuration:

1. In ISA Management, in the console tree, right-click Enterprise, and then click Back Up.

2. In the Store backup configuration in this location box, type the name of the folder in which to store the backup data, and then click OK.

Restoring an Enterprise Configuration

To restore an enterprise configuration:

1. In ISA Management, in the console tree, right-click Enterprise, click Restore, and then click Yes to overwrite the existing enterprise configuration with the backup configuration.

2. In the Restore configuration from the following backup (.bef) file box, type the path of the backup folder and the name of the backup file.

Topic Objective: To describe the procedures that you use to back up and


Using Enterprise Policies and Array Policies

• Configuring an Enterprise Policy

• Configuring an Array Policy

• Combining Enterprise Policies and Array Policies


You use enterprise and array policies to specify rules for controlling how an internal network communicates with the Internet. You use enterprise policies to apply a centralized set of rules to all of the arrays in the enterprise. You use array policies to apply a unique set of rules to each array in the enterprise. You can also combine enterprise policies and array policies.

Topic Objective: To identify the topics for using enterprise policies and array policies.

Lead-in: You use enterprise policies or array policies to specify rules for controlling how an internal network communicates with the Internet.


Configuring an Enterprise Policy

• Using Enterprise Policy Elements

• Setting a Default Enterprise Policy

• Changing Default Settings for the Enterprise Policy

• Applying an Enterprise Policy to Selected Arrays


An enterprise policy consists of site and content rules, protocol rules, and policy elements. When you set a default enterprise policy, ISA Server applies the rules of the default enterprise policy to all of the new arrays that you create, unless you specify a different policy. If required, you can configure the default enterprise policy to apply to only selected arrays.

Note: For more information about site and content rules, protocol rules, and policy elements, see Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

By default, only members of the Enterprise Admins group can create, configure, and apply enterprise policies and can create and configure enterprise-wide policy elements.

Using Enterprise Policy Elements

When you create policy elements for an enterprise, these policy elements are available to all of the arrays in the enterprise. You can use these policy elements in enterprise policies and in array policies.

Setting a Default Enterprise Policy

To set a default enterprise policy:

In ISA Management, in the console tree, expand Enterprise, expand Policies, right-click the specified enterprise policy, and then click Set as Default Policy.

Lead-in: An enterprise policy consists of site and content rules, protocol rules, and the associated policy elements.


Changing Default Settings for the Enterprise Policy

After initializing ISA Server for the enterprise, you can change the default policies that ISA Server applies when you create a new array.

To change the default policies:

1. In ISA Management, in the console tree, right-click Enterprise, and then click Set Defaults.

2. In the Set Default Policy dialog box, select the applicable policy and settings, and then click OK.

Applying an Enterprise Policy to Selected Arrays

To apply an enterprise policy to selected arrays:

1. In ISA Management, in the console tree, expand Enterprise, expand Policies, right-click the default enterprise policy, and then click Properties.

2. In the Enterprise Policy Properties dialog box, click the Arrays tab, select the names of the arrays to which you want to apply the enterprise policy, and then click OK.

Caution: When you apply an enterprise policy to an array, ISA Server deletes all of the previously defined array-level site and content rules and protocol rules that allow access.


Configuring an Array Policy

• Configuring the Cache for an Array

• Forcing Packet Filtering for an Array

• Allowing Publishing Rules in an Array

• Configuring Server-Specific Settings in ISA Server


Configuring an array policy is similar to configuring a policy for a stand-alone server. However, there are some important differences that you must keep in mind when configuring and using an array policy.

An array policy includes site and content rules, protocol rules, IP packet filters, and the associated policy elements. When you configure an array policy, ISA Server applies the rules of the array policy to all of the ISA Server computers in the array. You can also set an enterprise policy to require packet filtering at the array level.

Note: For more information about site and content rules, protocol rules, and policy elements, see Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Configuring the Cache for an Array

All of the cache configuration properties are the same for all of the servers in an array. These properties include the HTTP caching properties, the FTP caching properties, and most of the CARP properties. However, ISA Server separately allocates disk space for the cache on each server according to the amount that you specify when you install or reconfigure the cache on each server.

Forcing Packet Filtering for an Array

You cannot enable packet filtering at the enterprise level. However, an enterprise administrator can specify that packet filtering can be forced at the array level. If you are a member of the Enterprise Admins group, ISA Server prompts you about whether you want to force the array to use packet filtering when you create a new array. You can also change this setting after you create an array. Enforce packet filtering to prevent an array administrator from configuring ISA Server in an insecure manner.

Topic Objective: To identify the topics related to configuring array policies.

Lead-in: An array policy includes site and content rules, protocol rules, IP packet filters, Web publishing rules, server publishing rules, and the associated policy elements.


To force packet filtering for an array:

1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties.

2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Force packet filtering on the array check box, and then click OK.

Allowing Publishing Rules in an Array

You cannot create publishing rules at the enterprise level. However, an enterprise administrator can specify whether an array is allowed to publish servers by creating Web publishing rules or server publishing rules. If you are a member of the Enterprise Admins group, ISA Server prompts you about whether you want to allow publishing rules in the array when you create a new array. You can also change this setting after you have created an array.

To allow publishing rules for an array:

1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties.

2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Allow publishing rules check box, and then click OK.

Configuring Server-Specific Settings in ISA Server

Most of the settings in ISA Server apply to the entire array. However, some settings are specific to each array member. These settings include:

• Listeners for outgoing and incoming Web requests. You can set up listeners to be active on only a single network interface. You can also configure a separate listener for each network interface on each ISA Server computer.

• Packet filters. You can configure a packet filter to apply to only a single array member.

• Server publishing rules. You can configure different server publishing rules for each array member.

• Alerts. You can configure an alert that applies to only a single array member.

• Caching. You can configure disk space used for caching, the load factor, and intra-array IP address.


Combining Enterprise Policies and Array Policies

[Slide callout: Select this option to allow array-level settings.]


You can configure enterprise policy settings so that an administrator can configure rules for an array policy to refine the enterprise policy. For example, you can create an access policy for an array to deny access to additional users, sites, content, or protocols.

When you apply an enterprise policy to an array, you can no longer create site and content rules and protocol rules for the array that allow access. For the array, you can create only site and content rules and protocol rules that deny access. Because ISA Server combines enterprise policies and array policies, you should define all of the rules that allow access in an enterprise policy and then create an array policy to further restrict the access granted by the enterprise policy.

Note: Only enterprise administrators can specify whether enterprise policies will allow array-level rules.

To configure an enterprise policy to allow array-level settings:

1. In ISA Management, in the console tree, right-click the applicable array, and then click Properties.

2. On the Policies tab, select the Use custom enterprise policy settings check box, select the Allow array-level access rules that restrict enterprise policy check box, and then click OK.
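
The combination rule described in this topic can be expressed as a small model. This is an added example, not code from the course or from ISA Server: the Rule fields, function names, and sample policies are assumptions, and the model assumes that a matching deny rule overrides any allow rule and that a request matching no allow rule is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    protocol: str     # protocol name, or "*" for any protocol
    destination: str  # destination set name, or "*" for any destination

    def matches(self, protocol, destination):
        return (self.protocol in ("*", protocol)
                and self.destination in ("*", destination))

def apply_enterprise_policy(array_rules):
    """Model applying an enterprise policy to an array: array-level rules
    that allow access are deleted, rules that deny access are kept."""
    kept = [r for r in array_rules if r.action == "deny"]
    deleted = [r for r in array_rules if r.action == "allow"]
    return kept, deleted

def add_array_rule(array_rules, rule, allow_array_level_rules):
    """Add an array-level rule. It is accepted only if the enterprise
    administrator allowed array-level rules and the rule denies access."""
    if not allow_array_level_rules:
        raise PermissionError("enterprise policy does not allow array-level rules")
    if rule.action != "deny":
        raise ValueError("array-level rules may only restrict the enterprise policy")
    return array_rules + [rule]

def is_allowed(enterprise_rules, array_rules, protocol, destination):
    """Assumed evaluation order: any matching deny rule (either level) wins,
    then an enterprise allow rule must match, otherwise the request is denied."""
    for rule in list(enterprise_rules) + list(array_rules):
        if rule.action == "deny" and rule.matches(protocol, destination):
            return False
    return any(r.action == "allow" and r.matches(protocol, destination)
               for r in enterprise_rules)

# Constructed sample policies (illustrative, not from the course material).
ENTERPRISE = [Rule("Web access", "allow", "HTTP", "*"),
              Rule("Secure web access", "allow", "HTTPS", "*")]
STANDALONE = [Rule("Allow FTP", "allow", "FTP", "*"),
              Rule("Block game sites", "deny", "*", "GameSites")]

if __name__ == "__main__":
    kept, deleted = apply_enterprise_policy(STANDALONE)
    print("deleted on promotion:", [r.name for r in deleted])
    kept = add_array_rule(kept, Rule("Block HTTPS to webmail", "deny", "HTTPS", "Webmail"), True)
    for proto, dest in [("HTTP", "News"), ("HTTP", "GameSites"),
                        ("HTTPS", "Webmail"), ("FTP", "News")]:
        print(proto, dest, "->", is_allowed(ENTERPRISE, kept, proto, dest))
```

In this model the stand-alone server's FTP allow rule disappears when the enterprise policy is applied, so FTP stops working unless the enterprise policy itself allows it. That is why an inventory of existing allow rules is worth taking before a promotion.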

Topic Objective: To describe the procedure that you use to combine enterprise policies and array policies.

Lead-in: You can configure enterprise policy settings so that an array policy can be created to further define the enterprise policy.


Managing Network Connections

• Routing Overview

• Configuring Routing for Web Proxy Client Requests

• Configuring Routing for Firewall Client and SecureNAT Client Requests

• Automatic Discovery Overview

• Configuring Automatic Discovery

• Configuring Clients for Automatic Discovery

• Customizing Client Discovery Information


You can manage network connections by configuring routing rules to direct Web requests. You can also use the automatic discovery feature to make the configuration of clients easier. When you enable automatic discovery, Web Proxy clients and Firewall clients automatically discover the appropriate ISA Server computer.

You can use ISA Server Standard Edition or ISA Server Enterprise Edition to manage network connections for ISA Server. However, customizing network connections yields the most benefits in an enterprise-wide installation.

Date posted: 10/12/2013, 22:15
