MCSE Training Guide (70-227): ISA Server

INTRODUCTION

  - Key terms A list of key terms appears at the end of most chapters.
  - Notes These appear in the margin and contain various kinds of useful information, such as tips on technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
  - Warnings When using sophisticated information technology, there is always the potential for mistakes or even catastrophes that can occur because of improper application of the technology. Warnings appear in the margin to alert you to these potential problems.
  - In the field These more extensive discussions cover material that might not be directly relevant to the exam but that is useful as reference material or in everyday practice. These tips might also provide useful background or contextual information necessary for understanding the larger topic under consideration.
  - Exercises Found at the end of the chapters in the "Apply Your Knowledge" section, exercises are performance-based opportunities for you to learn and assess your knowledge. Solutions to the exercises, when applicable, are provided later in a separate section titled "Answers to Exercises."
• Extensive practice test options This book provides numerous opportunities for you to assess your knowledge and to practice for the exam. The practice options include the following:
  - Review Questions These open-ended questions appear in the "Apply Your Knowledge" section at the end of each chapter. They allow you to quickly assess your comprehension of what you just read in each chapter. Answers to the questions are provided later in a separate section titled "Answers to Review Questions."
  - Exam Questions These questions also appear in the "Apply Your Knowledge" section. Use them to help you determine what you know and what you need to review or study further. Answers and explanations for exam questions are provided in a separate section titled "Answers to Exam Questions."
  - Practice Exam A practice exam is included in the "Final Review" section. The "Final Review" section and the practice exam are discussed later in this list.
  - ExamGear The special Training Guide version of the ExamGear software included on the CD-ROM provides further opportunities for you to assess how well you understand the material in this book.
• Final Review This part provides you with three valuable tools for preparing for the exam:
  - Fast Facts This condensed version of the information contained in this book will prove extremely useful for a last-minute review.
  - Study and Exam Prep Tips Read this section early on to help you develop study strategies. This section also provides you with valuable exam-day tips and information on exam/question formats, such as adaptive tests and case study-based questions.
  - Practice Exam A practice exam is included in this section. Questions are written in styles similar to those used on the actual exam. Use this to assess your understanding of the material in this book.
This book contains several other features, including a section titled "Suggested Readings and Resources" at the end of each chapter that directs you toward further information that could aid you in your exam preparation or your actual work. Valuable appendixes are also included, as well as a glossary (Appendix D), an overview of the Microsoft certification process (Appendix E), and a description of what is on the CD-ROM (Appendix F).

For more information about the exam or the certification process, contact Microsoft:
Microsoft Education: 1-800-636-7544
Internet: ftp://ftp.microsoft.com/Services/MSEdCert
World Wide Web: http://www.microsoft.com/train_cert
CompuServe Forum: GO MSEDCERT

Before taking the exam, you should be proficient in the job skills represented by the following units, objectives, and subobjectives.
• Installing ISA Server
• Configuring and Troubleshooting ISA Server Services
• Configuring, Managing, and Troubleshooting Policies and Rules
• Deploying, Configuring, and Troubleshooting the Client Computer
• Monitoring, Managing, and Analyzing ISA Server Use

Installing ISA Server
Preconfigure network interfaces.
• Verify Internet connectivity before installing ISA Server
• Verify DNS name resolution
Install ISA Server.
• Construct and modify the local address table (LAT)
• Calculate the size of and configure the cache
• Install an ISA Server computer as a member of

Configuring and Troubleshooting ISA Server Services
Configure and troubleshoot outbound Internet access.
Configure ISA Server hosting roles.
• Configure ISA Server for Web publishing
• Configure ISA Server for server proxy
• Configure ISA Server for server publishing
Configure H.323 Gatekeeper for audio and video conferencing.
• Configure gatekeeper rules. Rules include telephone, email, and Internet Protocol
• Configure gatekeeper destinations by using the Add Destination Wizard
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
• Set up and verify routing rules for static IP routes in Routing and Remote Access
Configure Virtual Private Network (VPN) access.
• Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard
• Configure the ISA Server computer for VPN pass-through
• Configure multiple ISA Servers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP)

Configuring, Managing, and Troubleshooting Policies and Rules
Configure and secure the firewall in accordance with corporate policies.
• Configure the packet filter rules for different levels of security, including system hardening
• Create and configure access control and bandwidth policies
• Create and configure site and content rules to restrict Internet access
• Create and configure protocol rules to restrict Internet access
• Create and configure routing rules to restrict Internet access
• Create and configure bandwidth rules to control bandwidth usage
Troubleshoot access problems.
• Troubleshoot user-based access problems
• Troubleshoot packet-based access problems
Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.
Manage ISA Server arrays in an enterprise.
• Create an array of proxy servers
• Assign an enterprise policy to an array

Deploying, Configuring, and Troubleshooting the Client Computer
Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.
Configure and troubleshoot the client computer for secure network address translation (SecureNAT).
Install the Firewall client software. Considerations include the cost and complexity of deployment.

Monitoring, Managing, and Analyzing ISA Server Use
• Configure intrusion detection
• Configure an alert to send an email message to an
• Automate alert configuration
• Monitor alert status
• Troubleshoot problems with security and network usage
• Detect connections by using Netstat
• Test the status of external ports by using Telnet or Network Monitor
Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.
Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
• Analyze the performance of the ISA Server computer by using Performance Monitor
• Analyze the performance of the ISA Server computer by using reporting and logging
• Control the total RAM used by ISA Server for caching
As a self-paced study guide, MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server is meant to help you understand concepts that must be refined through hands-on experience. To make the most of your studies, you must have as much background on and experience with all versions of Windows 2000 (Professional, Server, and Advanced Server) as possible, and with running ISA Server in standalone and array-based scenarios. The best way to do this is to combine studying with work on ISA Server installations. This section gives you a description of the minimum computer requirements that you need to enjoy a solid practice environment.
• At least two Windows 2000 Servers and at least two client machines. More server computers and more clients allow you a richer set of study systems with which to deploy typical scenarios.
• All computers running Windows 2000 should be, or their components should be, on the Microsoft Hardware Compatibility List.
• Pentium II (or better) processor
• 128MB of RAM on each server (256MB recommended)
• 2GB (or larger) hard disk
• VGA (or Super VGA) video adapter and monitor
• Mouse or equivalent pointing device
• Both servers should have two networking interfaces. Alternatively, the modem on one server can serve as the second interface.
• Presence on a test network. This can be created using multiple small hubs. Exercises for VPN are best experienced with the creation of three physical subnets within the test network. It is not advisable to perform ISA Server exercises on a production network.
• Internet access is not required, but can be advantageous in many exercises. Otherwise you can simulate access to Web sites by placing a test Web server on the external side of the ISA Server in the test network.
• Windows 2000 SP 1 or latest service pack
• Hotfix rollup for ISA Server (required prior to the release of SP 2)
It is fairly easy to obtain access to the necessary computer hardware and software in a corporate business environment. It can be difficult, however, to allocate computers to a test network and to allocate enough time within the busy work day to complete a self-study program. Most of your study time will occur after normal working hours, away from the everyday interruptions and pressures of your regular job.

More extensive tips are found in the "Final Review" section titled "Study and Exam Prep Tips," but keep this advice in mind as you study:
• Read all the material. Microsoft has been known to include material not expressly specified in the objectives. This book has included additional information not reflected in the objectives in an effort to give you the best possible preparation for the examination, and for the real-world experiences to come.
• Do the Step by Step tutorials and complete the Exercises in each chapter. They help you gain experience using the specified methodology or approach. All Microsoft exams are task- and experience-based and require you to have experience actually performing the tasks on which you will be tested.
• Use the questions to assess your knowledge. Don't just read the chapter content; use the questions to find out what you know and what you don't. You also need the experience of analyzing case studies. If you are struggling at all, study some more, review, and then assess your knowledge again.
• Review the exam objectives. Develop your own questions and examples for each topic listed. If you can develop and answer several questions for each topic, you should not find it difficult to pass the exam.

Remember, the primary object is not to pass the exam; it is to understand the material. After you understand the material, passing the exam should be simple. Knowledge is a pyramid; to build upward, you need a solid foundation. This book and the Microsoft Certified Professional programs are designed to ensure that you have that solid foundation.

Good luck!
The staff of New Riders Publishing is committed to bringing you the very best in computer reference material. Each New Riders book is the result of months of work by authors and staff who research and refine the information contained within its covers.

As part of this commitment to you, the NRP reader, New Riders invites your input. Please let us know if you enjoy this book, if you have trouble with the information or examples presented, or if you have a suggestion for the next edition.

Please note, however, that New Riders staff cannot serve as a technical resource during your preparation for the Microsoft certification exams or for questions about software- or hardware-related problems. Please refer instead to the documentation that accompanies the Microsoft products or to the applications' Help systems.

If you have a question or comment about any New Riders book, there are several ways to contact New Riders Publishing. We respond to as many readers as we can. Your name, address, or phone number will never become part of a mailing list or be used for any purpose other than to help us continue to bring you the best books possible. You can write to us at the following address:

New Riders Publishing
Attn: Al Valvano
201 W. 103rd Street
Indianapolis, IN 46290

If you prefer, you can fax New Riders Publishing at 317-581-4663.

You also can send email to New Riders at the following Internet address: nrfeedback@newriders.com

NRP is an imprint of Pearson Education. To obtain a catalog or information, contact us at nrmedia@newriders.com. To purchase a New Riders book, call 1-800-428-5331.

Thank you for selecting MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server.
Part I: Installation and Upgrade

Chapter 1
INTRODUCTION: WHAT IS ISA SERVER?

OUTLINE
Introduction
ISA Server Is a High-Performance Web-Caching Server
Hierarchical Caching or Chaining
ISA Server Provides Integrated, Centralized Management and Control
Enterprise or Standard Editions
Firewall, Caching, or Integrated Modes

STUDY STRATEGIES
Use this section as an introduction to ISA Server concepts, vocabulary, and features. As you review the material, focus on where you might use an ISA Server.

If you have knowledge of how Proxy Server 2.0 works, see if you can identify key differences in the two products. You should realize that ISA Server is not Proxy 3.0.

If you have knowledge of competing firewalls and caching servers, identify advantages and disadvantages of these systems versus ISA Server.
This chapter, while it does not speak directly to a particular exam objective, helps you identify exactly what ISA Server is by presenting a broad overview of its features and capabilities.

Microsoft Internet Security and Acceleration Server is an engaging combination of a firewall and a caching server. It can be used to protect the enterprise from external access while allowing internal users access to the Internet. It can be used to improve Web access performance by caching downloaded Web information.

These modes, firewall and caching, can be implemented separately or integrated. Either way, a rich collection of features awaits the curious administrator or engineer. But even more exciting, the Enterprise edition can provide centralized administration and enterprise policy implementation. No longer must a panoply of firewalls be uniquely configured one at a time and laboriously checked for the maintenance of correct settings. Enterprisewide imperatives can be configured once, and their implementation and maintenance ensured on all servers.

It is important, before you delve into the study of this product, to briefly explore the range and extent of features available, and to explore the concepts that will form the basis of your understanding. This chapter will fulfill these goals. In short, it covers:
• Architecture overview
• ISA Server clients
• ISA Server as a multilayered enterprise firewall
• ISA Server as a high-performance Web-caching server
• ISA hosting services
• ISA Server's integrated, centralized management and control
• ISA Server versions

Architecture Overview
Despite being multifaceted, all ISA Server services have a common goal: protecting an internal, private network from an external network while allowing efficient access to the external network from the internal one. In English: Web surfing allowed and network penetration prevented. The architecture that enables this is composed of four parts:
• Core services: the Web Proxy service for outbound access, and the Firewall service for inbound protection and the management of protocol-specific filters
• Clients and servers on the private network that desire access to the public network, such as
  - Web proxy clients

Internally, as pictured in Figure 1.3, the two services act in concert with each other and with protocol-specific filters to provide connections between the private and public networks. Think of the two services and the filters as the "meat and cheese" of a sandwich, with packet filtering as the wrapper or bread. External to this, like a loose wrapping of waxed paper, is an Intrusion Detection (ID) and alerting mechanism. If every path into and out of the network passes through the ISA Server, then all traffic must pass through the packet filter. If attacks are defined in the ID engine, alerts are generated when those attacks are used against the system. (Like the loosely wrapped sandwich, the ID-protected network cannot prevent all intrusions and leakages from occurring: intrusion detection raises alerts for the attacks it recognizes, while blocking is the job of the filters and rules.)

[Figure: the ISA Server between the internal network and the "Big Bad Internet"; diagram labels include Internal Network, War Dialers, and Telecommuters.]
Outbound HTTP requests may be satisfied by the Web Proxy cache, or passed through a Web filter and then to the public network. The Web Proxy service manages this traffic. Protocol-specific filters manage other types of outbound requests. The Firewall service in turn manages these filters.

Inbound requests for hosted services (Web servers, mail servers, and other types of hosted servers) are regulated by the Firewall service. All other inbound requests can be blocked by protection mechanisms (packet filters, stateful inspection, and so on) and can potentially trigger alerts or other intrusion detection responses.

ISA Server can be installed to handle all these functions, or can be dedicated to being either a firewall or a caching server. These choices are defined during installation by selecting one of three installation modes:
• Firewall Control inbound access and outbound access via filters, rules, and settings
• Caching Manage outbound access via rules and by caching downloaded data for repeated access
• Integrated A combination of firewall and caching modes

Figure 1.3 Architectural viewpoint. (Diagram labels: Web proxy client, Firewall client, and SecureNAT client on the private network; NAT driver; Web proxy service with HTTP redirector; Firewall service with filters; packet filters facing the public network.)
Three types of clients on the private network can use the ISA Server services:
• Web proxy clients
• Firewall clients
• SecureNAT clients
Only one of these clients, the firewall client, requires the installation of a specific, ISA-provided client application.

Web Proxy Clients
Clients whose Web browsers can be pointed at a proxy server can use the Web Proxy service to access the Internet. No additional software is required. In addition, requests for Web pages are cached for efficient servicing of subsequent requests.

Firewall Clients
Firewall clients have the ISA Server Firewall Client application installed. The Firewall Client software intercepts Winsock calls, so Winsock applications on the client can use the ISA Firewall service. A local address table (LAT) on the client specifies which address ranges exist on the local network. If a requested destination lies on the external network, the firewall client forwards the request to the ISA Server; destinations inside the LAT are reached directly. The Firewall Client runs only on Windows ME, Windows 9x, Windows NT 4.0, and Windows 2000.
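The LAT decision described above, written out as an added example (this is not code from the book or from ISA Server; the sample ranges, the hypothetical helper names, and the audit check are assumptions for illustration). It also makes the practical caveat concrete: a LAT entry outside the private address space means the client reaches that range directly, so the ISA Server never sees the traffic and cannot apply policy to it.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample LAT (an assumption for this example): the internal
# address ranges an ISA Server would hand to its Firewall clients.
SAMPLE_LAT = ["10.0.0.0/8", "192.168.1.0/24"]

# RFC 1918 private ranges, used by the audit check below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_lat(ranges: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse LAT entries (CIDR strings) into network objects."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_local(addr: str, lat: List[ipaddress.IPv4Network]) -> bool:
    """True if the destination falls inside any LAT range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lat)


def route_request(dest: str, lat: List[ipaddress.IPv4Network]) -> str:
    """Mimic the Firewall client's decision: LAT destinations are reached
    directly ('direct'); everything else is handed to the ISA Server ('isa')."""
    return "direct" if is_local(dest, lat) else "isa"


def non_rfc1918_entries(lat: List[ipaddress.IPv4Network]) -> List[str]:
    """Audit check (hypothetical helper): LAT entries outside RFC 1918 space.
    Traffic to such ranges bypasses the ISA Server entirely."""
    return [str(net) for net in lat
            if net.version != 4 or not any(net.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    lat = build_lat(SAMPLE_LAT)
    for dest in ("10.1.2.3", "192.168.1.10", "192.168.2.10", "203.0.113.5"):
        print(dest, "->", route_request(dest, lat))
    # An over-broad LAT: a public (documentation) range added by mistake.
    overbroad = build_lat(SAMPLE_LAT + ["203.0.113.0/24"])
    print("suspicious LAT entries:", non_rfc1918_entries(overbroad))
```

Note that 192.168.2.10 is private but not in the sample LAT, so the client still forwards it to the ISA Server; the LAT is an explicit list, not a synonym for "RFC 1918".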
SecureNAT Clients
• Other requests may use application filters managed by the Firewall service
• Servers may be published as SecureNAT clients
• SecureNAT enforces ISA Server policies as an extension of Windows 2000 NAT
ISA Server as a Multilayered Enterprise Firewall

Every network that allows access to the Internet should have a firewall protecting the avenue of access. In the simplest of scenarios, an ISA Server is outfitted with two network interfaces: one to connect it to the public network and one to the private network. While in most cases these two networks are the Internet (the public network) and the internal company network (the private network), this might not always be the case. Either way, the ISA Server is in a position to screen all communication between the two networks.

A business's security policy can be implemented by putting ISA Server enterprise and/or array policies into place. These policies consist of rules and filters that limit inbound and outbound access. Several technologies are used to prevent unauthorized access to the network and to prevent the delivery of malicious content to it, while allowing granular outbound access controls that specify schedules, destinations, type of traffic, and application.

The best defense is defense in depth. Rather than rely on one technology, ISA Server's firewall strategy combines the best of modern firewall techniques. These include:
• Packet filtering
• Circuit-level filtering
• Application-level filtering
• System hardening templates
• Virtual Private Networking
Packet Filtering
The header of each packet is inspected by ISA Server. Because the protocol, port, destination, and source address can be determined from the header, packets can be passed to their destination or dropped before they enter the network. Header inspection says nothing about the payload; that is the job of the application-level filters described below.
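The header-only decision described above, as an added example (not the book's or ISA Server's code; the addresses, rule set, and the simplified state table are assumptions for illustration). The filter walks an ordered rule list with first match wins and a default deny, and it also keeps a minimal table of permitted outbound flows so that replies are accepted without an explicit inbound rule, which is the point of the "stateful inspection" mentioned earlier in this chapter: without it, accepting replies would require a hole for inbound traffic on every high port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses for this example (assumptions, not from the book):
# the ISA Server's external interface and the internal network range.
EXTERNAL_IF = "203.0.113.1"
INTERNAL_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" arrives on the external interface, "out" leaves through it
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in", "out" or "any"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR
    dst: str                 # CIDR
    dports: Tuple[int, ...]  # empty tuple matches any destination port
    note: str = ""


def _match(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison: direction, protocol, addresses, destination port."""
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.dports or pkt.dport in rule.dports


class PacketFilter:
    """First-match rule list with a default deny, plus a minimal flow table so
    replies to permitted outbound flows are accepted (simplified stateful inspection)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # (proto, internal ip, internal port, external ip, external port)
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        if pkt.direction == "in":
            # A reply matches a recorded outbound flow with the endpoints swapped.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "allow", "established flow"
        for rule in self.rules:
            if _match(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, rule.note
        return "deny", "default deny"


def sample_policy() -> PacketFilter:
    """Constructed policy: internal hosts may reach Web and DNS; only the
    published Web service on the external interface is reachable inbound."""
    return PacketFilter([
        Rule("allow", "out", "tcp", INTERNAL_NET, "0.0.0.0/0", (80, 443), "outbound web"),
        Rule("allow", "out", "udp", INTERNAL_NET, "0.0.0.0/0", (53,), "outbound dns"),
        Rule("allow", "in", "tcp", "0.0.0.0/0", EXTERNAL_IF + "/32", (80,), "published web server"),
        Rule("deny", "in", "any", "0.0.0.0/0", "0.0.0.0/0", (), "block everything else inbound"),
    ])


if __name__ == "__main__":
    pf = sample_policy()
    request = Packet("out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 80)
    reply = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 40000)
    print("request:", pf.decide(request))
    print("reply:  ", pf.decide(reply))
    print("unsolicited:", sample_policy().decide(reply))
```

The same inbound packet is accepted only when the filter has seen the outbound half first; on a fresh filter it falls through to the inbound deny rule. A real implementation would also expire flow entries and track TCP state, which this sketch omits.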
Circuit-Level Filtering
Each application request is redirected to the Firewall service on the ISA Server; no application-specific gateway is necessary. Applications that do not support a proxy can be accessed this way.

Access to Windows applications (using Winsock for communications over the Internet) is supported for client machines that have the Firewall Client software installed. These requests can be inspected per session, rather than only at the time of connection or by mere packet-level filtering. Circuit-level filtering supplies built-in support for protocols with secondary connections.

SOCKS connections can be filtered at the circuit level via a SOCKS filter, which forwards requests to the ISA Firewall service. SOCKS supports client platforms such as Unix and Macintosh.
Application-Level Filtering
Application-level filtering analyzes the data stream for an application and can inspect, screen, block, redirect, or modify data as it passes through the firewall. ISA Server uses application-level filtering to protect against unsafe SMTP commands and DNS server attacks. In addition, third-party tools for content screening, virus detection, lexical analysis, and site categorization can be plugged in as application and Web filters.
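An added example of the technique, using SMTP as the application: it is not ISA Server's own SMTP filter and the policy table, verb list, length limits, and sample session are constructed assumptions. The screen only passes verbs it knows, enforces a per-verb maximum argument length (the classic defense against oversized-command overflows in mail servers), refuses non-printable bytes in commands, and, once DATA has been accepted, treats lines as message body rather than commands until the lone "." terminator. This is what distinguishes an application filter from packet or circuit filtering: it has to understand the protocol's state to decide what a line even is.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy (an assumption for this example): permitted verbs and the
# maximum argument length accepted for each. Verbs absent from the table, such
# as VRFY, EXPN and TURN, are refused outright.
DEFAULT_POLICY: Dict[str, int] = {
    "HELO": 255, "EHLO": 255, "MAIL": 266, "RCPT": 266,
    "DATA": 0, "RSET": 0, "NOOP": 0, "QUIT": 0,
}

_CMD = re.compile(r"^([A-Za-z]{4})(?:[ \t]+(.*))?$")


def screen_command(line: str, policy: Dict[str, int] = DEFAULT_POLICY) -> Tuple[str, str]:
    """Return ("pass", VERB) or ("block", reason) for one client command line."""
    raw = line.rstrip("\r\n")
    if any(not 0x20 <= ord(c) <= 0x7E for c in raw):
        return "block", "non-printable bytes in command"
    m = _CMD.match(raw)
    if not m:
        return "block", "malformed command"
    verb, arg = m.group(1).upper(), (m.group(2) or "")
    limit = policy.get(verb)
    if limit is None:
        return "block", f"{verb} not permitted"
    if len(arg) > limit:
        return "block", f"{verb} argument of {len(arg)} bytes exceeds {limit}"
    return "pass", verb


def screen_session(lines: List[str], policy: Dict[str, int] = DEFAULT_POLICY) -> List[Tuple[str, str]]:
    """Screen a client-to-server stream. After a DATA command passes, lines are
    message body (not commands) until the lone '.' terminator and are relayed."""
    verdicts: List[Tuple[str, str]] = []
    in_body = False
    for line in lines:
        if in_body:
            verdicts.append(("pass", "body"))
            if line.rstrip("\r\n") == ".":
                in_body = False
            continue
        verdict = screen_command(line, policy)
        verdicts.append(verdict)
        if verdict == ("pass", "DATA"):
            in_body = True
    return verdicts


# Constructed client lines for a demonstration session.
SAMPLE_SESSION = [
    "EHLO mail.example.net\r\n",
    "VRFY root\r\n",                                  # verb not in policy
    "MAIL FROM:<" + "a" * 300 + "@example.net>\r\n",  # oversized argument
    "MAIL FROM:<alice@example.net>\r\n",
    "RCPT TO:<bob@example.com>\x00\r\n",              # embedded NUL
    "RCPT TO:<bob@example.com>\r\n",
    "DATA\r\n",
    "Subject: VRFY is not a command here\r\n",         # body, relayed unscreened
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, screen_session(SAMPLE_SESSION)):
        print(f"{verdict[0]:5} {verdict[1]:45} {line.rstrip()[:40]!r}")
```

A production filter would close the connection or return a 5xx reply on a block rather than just record a verdict, and would screen the body separately (for content and attachments) instead of relaying it; the session-state handling is the part worth keeping.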