Tài liệu MCSE ISA Server 2000- P1 pdf

No part of this book may be reproduced or trans-mitted in any form or by any means, electronic or mechanical, includ-ing photocopying, recording, or by any information storage andretriev

ii M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

MCSE TRAINING GUIDE (70-227):

First Printing: July 2002All rights reserved No part of this book may be reproduced or trans-mitted in any form or by any means, electronic or mechanical, includ-ing photocopying, recording, or by any information storage andretrieval system, without written permission from the publisher, exceptfor the inclusion of brief quotations in a review

International Standard Book Number: 0-7357-1092-9Library of Congress Catalog Card Number: 00110877

05 04 03 02 01 7 6 5 4 3 2 1Interpretation of the printing code: The rightmost double-digit num-ber is the year of the book’s printing; the rightmost single-digit num-ber is the number of the book’s printing For example, the printingcode 01-1 shows that the first printing of the book occurred in 2001

Composed in Garamond and MCPdigital by New Riders Publishing

Printed in the United States of America

Trademarks

All terms mentioned in this book that are known to be trademarks orservice marks have been appropriately capitalized New RidersPublishing cannot attest to the accuracy of this information Use of aterm in this book should not be regarded as affecting the validity ofany trademark or service mark

Warning and Disclaimer

This book is designed to provide information about the ISA Serverexam Every effort has been made to make this book as complete and

as accurate as possible, but no warranty or fitness is implied

The information is provided on an as-is basis The authors and NewRiders Publishing shall have neither liability nor responsibility to anyperson or entity with respect to any loss or damages arising from theinformation contained in this book or from the use of the discs or pro-grams that may accompany it

P U B L I S H E R David Dwyer

A S S O C I AT E P U B L I S H E R

Al Valvano

E X E C U T I V E E D I T O R Stephanie Wall

M A N AG I N G E D I T O R Gina Brown

P R O D U C T M A R K E T I N G M A N AG E R Stephanie Layton

P U B L I C I T Y M A N AG E R Susan Nixon

AC Q U I S I T I O N S E D I T O R S Jeff Riley

Deborah Hittel-Shoaf

D E V E L O P M E N T E D I T O R Christopher Morris

M E D I A D E V E L O P E R Jay Payne

T E C H N I C A L R E V I E W E R S Emmett Dulaney

Richard D Coile

P R O J E C T E D I T O R Linda Seifert

I N D E X E R Brad Herriman

M A N U FAC T U R I N G C O O R D I N AT O R Jim Conway

B O O K D E S I G N E R Louisa Klucznik

C OV E R D E S I G N E R Aren Howell

P R O O F R E A D E R Sheri Replin

C O M P O S I T I O N Gina Rexrode

Contents at a Glance

1 Introduction: What Is ISA Server? 9

Part I Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities 45

3 Installing ISA Server 71

4 Upgrading Microsoft Proxy 2.0 109

Part II Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access 133

6 ISA Server Hosting Roles 181

7 H.323 Gatekeeper 205

8 Dial-Up Connections and RRAS 235

9 ISA Virtual Private Networks 265

Part III Configuring, Managing, and Troubleshooting Policies and Rules 10 Firewall Configuration 309

11 Manage ISA Server in the Enterprise 337

12 Access Control in the Enterprise 361

Part IV Deploying, Configuring, and Troubleshooting the Client Computer 13 Planning and Deploying Clients 383

14 Installing and Configuring Client Options 399

iv M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Part V Monitoring, Analyzing, and Optimizing ISA Server

15 Monitoring Network Security and Usage 421

16 Performance Analysis and Optimization 449

Part VI Final Review Fast Facts 477

Study and Exam Prep Tips 497

Practice Exam 503

Part VII Appendixes A Microsoft Proxy Server 2.0 Configuration Backup 531

B ISA Setup Log 539

C ISA Upgrade Log 599

D Glossary 611

E Overview of the Certification Process 619

F What’s on the CD-ROM 625

G Using the ExamGear, Training Guide Edition Software 627

Index 653

Table of Contents

Introduction 1

Notes on This Book’s Organization .1

How This Book Helps You .2

What the Installing, Configuring, and Administrating Microsoft Internet Security and Acceleration (ISA) Server Exam (70-227) Covers .4

Installing ISA Server .4

Configuring and Troubleshooting ISA Server Services .4

Configuring, Managing, and Troubleshooting Policies and Rules .5

Deploying, Configuring, and Troubleshooting the Client Computer .5

Monitoring, Managing, and Analyzing ISA Server Use .5

Hardware and Software You’ll Need .6

Advice on Taking the Exam 7

New Riders Publishing .7

1 Introduction: What Is ISA Server? 9 Introduction 11

Architecture Overview 12

ISA Server Clients .15

Web Proxy Clients .15

Firewall Clients 15

SecureNAT Clients .15

ISA Server Is a Multilayered Enterprise Firewall .16

Packet Filtering 17

Circuit-Level Filtering .17

Application-Level Filtering .17

Stateful Inspection .18

Built-In Intrusion Detection 18

System Hardening Templates .19

Virtual Private Networking 19

ISA Server Is a High-Performance Web Caching Server .19

Reverse Caching .20

Forward Caching .21

Scheduled Caching .22

vi M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Distributed Caching .23

Hierarchical Caching or Chaining .24

ISA Server Hosting Services 27

ISA Server Provides Integrated, Centralized Management and Control .28

Enterprise or Standard Editions .29

Firewall, Caching, or Integrated Modes .30

Policy-Based Rules .31

Tiered Policies: Both Enterprise and Array Level .35

Bandwidth Control 36

Logging and Reporting 37

Review Questions .39

Exam Questions .39

Answers to Review Questions .40

Answers to Exam Questions .40

Part I: Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities 45 Introduction 47

Network Design and Planning .47

Network Size .48

User Needs .48

Installation Options .48

ISA Server Mode and Array Considerations .49

Active Directory Integration Needs .50

Interoperation with and Requirements for Other Services .51

Making Hardware Choices .53

Client Considerations .56

Windows 2000 Installation and Configuration .57

Preinstallation Network Configuration .58

Server Placement .58

Verify Network Connectivity .58

Verify Internet Connectivity .62

Verify Name Resolution .63

Exercises 65

Review Questions .65

Exam Questions .65

Answers to Review Questions .67

Answers to Exam Questions .68

Introduction 74

Installation Processes Common to Several Configurations 74

Constructing and Modifying the Local Address Table (LAT) .75

Configuring the Cache .77

ISA Server Installation .79

Installation Defaults .80

Standard Edition Generic Instructions .81

Enterprise Edition .83

Installing the ISA Server Schema in the Active Directory .83

Install ISA Server Enterprise Edition .85

Unattended Setup 91

Installing Additional ISA Servers in an Array .93

Troubleshooting the Installation .95

Failed Installation .95

Was Installation Successful? .97

Uninstalling ISA Server .99

Exercises 101

Review Questions .103

Exam Questions .104

Answers to Review Questions .107

Answers to Exam Questions .108

4 Upgrading Microsoft Proxy 2.0 109 Introduction 111

Reasons for Upgrading .111

The Migration Process 112

Back Up the Proxy Server Configuration .114

Stop and Disable Proxy Server Services 115

Upgrade to Windows 2000 and Install ISA Server .116

Review the Setup Logs .117

Array Migration .118

Proxy Configuration Migration Results .120

Predetermined Migration Effects .120

Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration .121

Post Migration Necessities .122

Migrating the Mindset .123

viii M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Exercises 126

Review Questions .126

Exam Questions .126

Answers to Review Questions .128

Answers to Exam Questions .129

Part II: Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access 133 Introduction 136

Post Installation Default Settings 136

ISA Server Object Permissions .137

Service Permissions .141

Local Access Table (LAT) .142

Policy Settings .142

Packet Filtering 143

Routing 144

Caching 145

Publishing 145

Alerts 146

Configuring Access Rules and Tools .146

Understanding and Configuring Outgoing Web Request Properties 147

How Are Rules Evaluated? .149

Creating Policy Elements .149

Configuring Site and Content Rules 153

Configuring Protocol Rules .154

Authentication and Rules .158

Custom HTML Error Messages .158

Configuring a Single System Versus an Array .160

Configuring Caching 161

Standalone Cache .161

Configuring Hierarchical Access .161

Configuring CARP 163

Configuring Network Settings 163

Bandwidth Rules .164

LAT and Local Domain Tables .166

Configuring Routing Rules 167

Configuring ISA Server Chains 168

Troubleshooting Client Access Problems .169

A Protocol Rule Exists for a Protocol Definition, but Clients Cannot Use It 169 Clients Can’t Use a Specific Protocol .170

Clients Cannot Browse External Web Sites 170

Clients Receive a 502 Error Every Time They Attempt to Browse the Web 171

Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled .171

All Other Errors Including Intermittent Issues .172

Exercises 174

Answers to Exercises .175

Review Questions .175

Exam Questions .177

Answers to Review Questions .179

Answers to Exam Questions .179

6 ISA Server Hosting Roles 181 Introduction 183

Configuring ISA Server for Web Publishing .184

Configuring Destination Sets .186

Configuring Listeners .186

Creating Web Publishing Rules .187

Enabling CARP .188

Configuring Server Certificates and Authentication Methods .189

Redirecting HTTP and SSL Requests 190

Configuring ISA Server for Server Proxy .193

DNS and Mail Proxy .194

The Mail Server Security Wizard .194

Content Filtering .195

Configuring ISA Server for Server Publishing .197

Creating Server Publishing Rules .197

Publishing Servers on a Perimeter Network .199

Exercises 201

Review Questions .201

Exam Questions .201

Answers to Review Questions .203

Answers to Exam Questions .203

x M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Introduction 208

What Is an H.323 Gatekeeper? .208

What Is the H.323 Protocol? .209

Where Does T-120 Fit In? .210

What’s the Difference Between a Gatekeeper and a Gateway? .211

How Does the Gatekeeper Work? 211

H.323 Gatekeeper Limitations and Other Considerations .216

How to Add an H.323 Gatekeeper to ISA .217

Enabling and Configuring H.323 Protocol Access .218

Configuring DNS 220

Adding the H.323 Gatekeepers .221

Enabling Fast Kernel Mode and Data Pumping .222

Gatekeeper Administration .222

Configuring Gatekeeper Call Routing Rules .223

Configuring Destinations .224

Configuring Phone Number Rules .224

Configuring Email Address Rules .225

Configure IP Address Rules .226

H.323 Gatekeeper Scenarios .227

Exercises 231

Review Questions .231

Exam Questions .232

Answers to Review Questions .233

Answers to Exam Questions .233

8 Dial-Up Connections and RRAS 235 Introduction 238

Dial-on-Demand Connections .238

Configure Network and Dial-Up Connections .239

Create a Dial-Up Entry .240

Create a Dial-Up Routing Rule .240

Enable Dial-Up Entry in Firewall Chaining Configuration .242

Managing and Limiting ISA Dial-Up Connections .243

Troubleshooting ISA Server Dial-Up Connections .243

Routing and Remote Access Service Versus ISA Server .245

Routing 246

Connecting Remote Clients .246

Static Routes 247

Using RRAS for Dial-on-Demand Connections .249

Troubleshooting Common RRAS Problems .250

Remote Administration .253

Using ISA Management Console from a Remote Computer .253

Using Terminal Services to Manage ISA Server 254

Exercises 256

Review Questions .256

Exam Questions .258

Answers to Review Questions .261

Answers to Exam Questions .262

9 ISA Virtual Private Networks 265 Introduction 269

Configuring VPN Endpoint for VPN clients .269

Using the VPN Allow Wizard 270

Examining Wizard Results .270

Making Additional Configurations .272

Creating Client Connections and Testing the VPN .272

Configuring VPN Pass-Through .274

Configuring ISA Server as a VPN Endpoint .275

Using the Wizard .275

Without the VPN Wizard .284

Configuring Microsoft Certificate Services .289

Install and Configure Root CA 290

Configure Enterprise Root CA .291

Configuring the L2TP over IPSec Tunnel .292

Requesting Certificates from a Standalone CA .292

Verifying Server Certificates .296

The L2TP/IPSec VPN .297

Exercises 299

Review Questions .300

Exam Questions .301

Answers to Review Questions .303

Answers to Exam Questions .304

xii M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Part III: Configuring, Managing, and Troubleshooting Policies and Rules

Introduction 311

Understanding Packet Filters .312

Configuring Packet Filter Rules .312

Examining Default Packet Filters .313

Configuring New Packet Filters .314

Configuring/Enabling IP Packet Filter Properties .316

Configuring and Using Application Filters/Extensions .318

FTP Access Filter .318

HTTP Redirector Filter .319

RPC Filter .320

SOCKS V4 Filter .321

Configuring for System Hardening .321

Pre-Installation Considerations, Lifetime Chores .321

Authentication Rules .322

The ISA Server Security Configuration Wizard .325

Special Considerations for Perimeter Networks .328

Configuring the LAT .329

Publishing Perimeter Network Servers .330

Troubleshooting Access .330

Exercises 332

Review Questions .332

Exam Questions .332

Answers to Review Questions .334

Answers to Exam Questions .334

11 Manage ISA Server in the Enterprise 337 Introduction 339

Managing and Configuring Arrays .339

Understanding Hierarchical and Distributed Arrays .340

Understanding Enterprise Policy Scope .340

Managing ISA Server Arrays .342

Configuring for Scalability .350

Configuring Cache Array Routing Protocol (CARP) .350

Configuring Network Load Balancing (NLB) 352

Exercises 356

Review Questions .356

Exam Questions .357

Answers to Review Questions .359

Answers to Exam Questions .359

12 Access Control in the Enterprise 361 Introduction 364

Determining Where to Do It: An Access Policy Functional Framework .364

Determining Who Can Do It: An Access Policy Permissions Framework .368

Applying Access Policy: An Access Policy Strategy for the Enterprise .369

Creating Policy Elements .369

Creating Rules .370

Putting Together an Implementation Plan .371

Troubleshooting Access Problems .372

Investigation Via Rule Processing Order .372

Identifying the Problem as Being User- or Packet-Based 373

Exercises 377

Answers to Exercise Questions .377

Review Questions .377

Exam Questions .378

Answers to Review Questions .379

Answers to Exam Questions .379

Part IV: Deploying, Configuring, and Troubleshooting the Client Computer 13 Planning and Deploying Clients 383 Introduction 385

Considering Current Infrastructure Issues .385

Introducing ISA Server Client Types .386

Using Multiple Clients on a Single Computer .389

Migrating Proxy 2.0 Clients .389

xiv M C S E TR A I N I N G GU I D E ( 7 0 - 2 2 7 ) I S A SE R V E R 2 0 0 0

Considering Cost and Complexity .390

Considering Authentication Issues .390

Assessing General Client Needs .392

Evaluating Network Infrastructure Changes .393

Exercises 395

Review Questions .395

Exam Questions .395

Answers to Review Questions .396

Answers to Exam Questions .397

14 Installing and Configuring Client Options 399 Introduction 401

Configuring ISA Server and the Network to Support Clients .401

Modifying Routing 401

Adding DHCP and/or DNS Settings .402

Configuring ISA Server Properties .403

Configuring ISA Server Client Settings .404

Installing and Configuring Clients .407

Configuring the SecureNAT Client .407

Configuring Web Proxy Clients .408

Installing and Configuring Firewall Clients .409

Using Multiple Clients on Single Computers .411

Troubleshooting Client Trouble Spots .411

Troubleshooting Client Installation .412

Troubleshooting Autodetection 412

Troubleshooting Authentication .413

Exercises 415

Review Questions .415

Exam Questions .416

Answers to Review Questions .417

Answers to Exam Questions .417

Part V: Monitoring, Analyzing, and Optimizing ISA Server 15 Monitoring Network Security and Usage 421 Introduction 423

Monitoring Security and Network Usage with Logging and Alerting .423

Configuring Logs .424

Configuring Intrusion Detection .429

Configuring Alerts .433

Automating Alert Configuration .435

Monitoring Alert Status 435

Troubleshooting Problems with Security and Network Usage .436

Confirming Configuration with Security Configuration and Analysis .436

Detecting Connections with Netstat 438

Testing External Port Status with Telnet and Network Monitor .440

Exercises 444

Review Questions .444

Exam Questions .444

Answers to Review Questions .446

Answers to Exam Questions .446

16 Performance Analysis and Optimization 449 Introduction 451

Analyzing ISA Server Performance Using Reports .451

Summary Reports .455

Web Usage .455

Application Usage 456

Traffic and Utilization 457

Security 458

Optimizing Performance .459

Using the Registry to Optimize Performance .459

Analyzing Performance Using Performance Monitor .460

Analyzing Performance Using Reporting and Logging .468

Controlling RAM Used by Caching .469

Exercises 471

Review Questions .471

Exam Questions .471

Answers to Review Questions .472

Answers to Exam Questions .473

Part VI: Final Review Fast Facts 477 Install .477

PreInstallation Process .478