Chapter 1 INTRODUCTION: WHAT IS ISA SERVER? 33
Bandwidth Rules
Bandwidth rules can set priorities for requests according to protocol definitions, destination sets, schedule, client address set, content group, and required priority.

Protocol Rules
Protocol rules identify which protocols clients can use to access the Internet. These rules are processed at the application level. Protocol definitions are preconfigured, but can also be added. Additional protocols are made available by installing application filters.

Site and Content Rules
Site and content rules define which sites, and what types of content, can be accessed. They are further distinguished by definitions of destination sets, schedules, and users.

Application Filters
Application filters extend the firewall client access capabilities and restrictions. They can perform additional tasks such as authentication or virus checking. Third-party application filters can be added.
The following application filters (extensions) are installed with ISA Server:
• File Transfer Protocol (FTP) access filter. Dynamically opens ports, and performs address translation for SecureNAT clients.
• H.323 protocol filter. Uses H.323 protocol definitions (added when the H.323 gatekeeper is installed) to allow incoming and outgoing H.323 calls, audio, video, and application sharing.
• HyperText Transfer Protocol (HTTP) redirector filter. Forwards HTTP requests from SecureNAT and firewall clients to the Web Proxy service.
• Intrusion detection filters. DNS and POP intrusion detection filters.
• Remote Procedure Call (RPC) filter. Enables publishing of
Part I INSTALLATION AND UPGRADE 34
• SOCKS filter. Forwards requests from SOCKS applications to the firewall service.
• Simple Mail Transfer Protocol (SMTP) filter. Accepts and inspects SMTP traffic arriving on port 25.
• Streaming media filter. Allows client access and server publishing of Microsoft Windows Media (MMS), Progressive Networks protocol (PNM or RealPlayer), and Real Time Streaming Protocol (RTSP or RealPlayer G2 and QuickTime 4).
How Rules and Filters Combine to Implement Policy
Protocol rules, site and content rules, and application filters determine whether a given request is allowed or denied. The following list describes the interaction of Protocol Rules and Site and Content Rules. Figure 1.14 presents the information in a flowchart.
1. A client requests an object using a specific protocol.
2. If a protocol rule specifically denies the use of the protocol, the request is denied.
3. If a protocol rule and a site and content rule allow access to the object, the request is allowed.
4. If no protocol rule exists for the protocol, the request is denied.
5. If a site and content rule exists that specifically denies the request, the request is denied.
6. If a site and content rule denies an HTTP request, the request can be redirected to another location.
7. If no site and content rule exists matching the request, the request is denied.
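The seven steps above, worked through as a small policy evaluator. This is an added illustration, not code from the book or from ISA Server; the rule fields, the `evaluate`/`decide` functions and the sample policy are constructed for the example, and the order in which the steps are checked follows the list (an explicit protocol deny wins before anything else, a site and content deny wins before an allow).

```python
# Added illustration, not from the book: a model of the seven-step
# interaction of protocol rules with site and content rules described
# above. Rule fields and the sample policy are constructed for the example.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProtocolRule:
    protocol: str   # e.g. "HTTP", "FTP"
    allow: bool     # True = allow rule, False = deny rule

@dataclass
class SiteRule:
    destination: str                  # destination set (here one host name)
    protocol: str                     # protocol covered, "*" for any
    allow: bool
    redirect_to: Optional[str] = None  # only meaningful for HTTP deny rules

def evaluate(protocol, destination, protocol_rules, site_rules):
    """Return (decision, detail); decision is allow, deny or redirect."""
    proto = [r for r in protocol_rules if r.protocol == protocol]
    if any(not r.allow for r in proto):             # step 2: explicit deny wins
        return ("deny", "protocol rule denies protocol")
    if not proto:                                   # step 4: closed by default
        return ("deny", "no protocol rule for protocol")
    sites = [s for s in site_rules
             if s.destination == destination and s.protocol in ("*", protocol)]
    denies = [s for s in sites if not s.allow]
    if denies:                                      # steps 5 and 6
        if protocol == "HTTP" and denies[0].redirect_to:
            # Client is sent to the new location; that request starts at step 1.
            return ("redirect", denies[0].redirect_to)
        return ("deny", "site and content rule denies request")
    if sites:                                       # step 3: both sides allow
        return ("allow", "protocol rule and site and content rule allow")
    return ("deny", "no matching site and content rule")   # step 7

# Constructed sample policy: HTTP and FTP allowed by protocol rule, Telnet
# explicitly denied, and no protocol rule at all for SMTP.
PROTOCOL_RULES = [ProtocolRule("HTTP", True), ProtocolRule("FTP", True),
                  ProtocolRule("TELNET", False)]
SITE_RULES = [SiteRule("intranet.example", "*", True),
              SiteRule("games.example", "HTTP", False,
                       redirect_to="http://policy.example/blocked"),
              SiteRule("games.example", "FTP", False)]

def decide(protocol, destination):
    """Evaluate one request against the sample policy."""
    return evaluate(protocol, destination, PROTOCOL_RULES, SITE_RULES)
```

Note that a destination with no site and content rule at all is denied (step 7) even when the protocol itself is allowed, which is the behaviour to keep in mind when a new destination set is forgotten.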
[Figure 1.14 flowchart, decision nodes as extracted: "Does protocol rule deny protocol A?"; "Does site and content rule deny protocol A?"; "Is this a request for HTTP?"; "Can be redirected to another location, process begins again."; "Does protocol rule allow protocol A?"; "Does site and content rule allow protocol A?" (YES/NO branches). Caption as printed: Figure 1.14 Finding the backup and restore utilities.]
integrated with the Active Directory, Enterprise policy configuration determines the effectiveness of Array policy. Where allowed, array-level policies can further restrict Enterprise policies. Thus, a tiered policy can be implemented. Figure 1.15 presents a logical view of just such a tiered policy. In the Middle Earth Enterprise Policy, access to all Web sites is allowed. In the Baggins array, site access is restricted by site and content rules. In the Wizards array, rules are used heavily to determine who can use which protocol to access what content at what time of day.
Watch What You Delete! An application filter may add protocol definitions. If it is later disabled, these definitions are disabled, thus any requests that use these definitions will be denied. For example, if the streaming media application filter is disabled, Windows Media and Real Networks protocols are blocked.
Bandwidth Control
Bandwidth rules set priorities for all communications that pass through the ISA Server. Bandwidth priorities (see Figure 1.16) define the priority for outbound/inbound communications by setting a number from 1 to 200 (where 200 allows the maximum bandwidth). Bandwidth rules are applied depending on matches between a combination of users, groups, destinations, protocols, schedules, and content groups. If a communication fits the rule,
the bandwidth priority assigned to the rule is assigned to the communication. All requests are evaluated and bandwidth apportioned accordingly. (If no bandwidth rule fits, the default bandwidth rule applies.)

Logging and Reporting
Logging can be configured to store data in a file (W3C extended log file format, or ISA Server file format), Access, or SQL Server database. New logs are created daily, weekly, monthly, or yearly as configured. Logging can be configured separately for
Besides the logs, ISA Server can be configured to produce a number of predefined reports. Reports include:
• Summary report. Illustrates traffic usage.
• Web usage reports. Top users, common responses, and browsers.
• Application usage reports. Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
• Traffic and utilization reports. Total Internet usage by application, protocol, and direction.
• Security reports. Attempts to breach network security.
Figure 1.16 A bandwidth rule can be applied to specific users, groups, destinations, protocols, bandwidth priorities, schedules, and content groups.
Figure 1.17 Default log fields for packet filters.
By now you should have a fair picture of the services and features offered by ISA Server. At this point, it is easy to be overwhelmed with the dizzying array of features and configuration options. However, it is not necessary to have every potential usage and arrangement figured out. If you complete the exercises and questions throughout this book you will have ample time and exposure to solidify your understanding. What is appropriate now is that you are aware of ISA's many facets and can therefore consider them as you approach the next chapters on preinstallation configuration, installation, and migration.
• All ports scan attack
• IP half scan attack
• Land attack
• UDP bomb attack
• Enumerated port scan attack
• Windows out-of-band attack
• Ping of death attack
• Web caching server
APPLY YOUR KNOWLEDGE
2. In your large company, users are arranged in convenient workgroups. The company mandate requires that resources be as close to user communities as is possible. What type of caching will be best for you?
A. A public Web server
B. An intranet server only used by employees at the office
C. An intranet server available to all employees
D. Exchange Server
4. In a highly distributed environment where departments manage their own IT resources, some departments require stricter control of inbound and outbound access to network resources. The best solution in this case is
A. An Enterprise policy that does not allow Array policies to further restrict it
B. An Enterprise policy that does allow Array policies to further restrict it
C. An Array policy that does not allow Enterprise policies to further restrict it
D. An Array policy that does allow Enterprise policies to further restrict it
Review Questions
1. The firewall service, firewall client and application filters work together to handle requests for connections with non-HTTP applications over the Internet. There is no firewall client software for Unix and Macintosh systems, yet they need to use SOCKS applications. How can SOCKS connections be handled through ISA Server?
2. The XYZ company does not want to add additional client software to their systems, yet they would like the benefits of Web caching on their network. Can ISA Server perform this function?
3. Chalmers Expediation Corp would like to increase availability, efficiency, and protection for their Web site. How can this be accomplished with ISA Server?
4. How can ISA Server be tuned to assure that updated information from commonly used Web pages is readily available from the cache?
Exam Questions
1. Access to the Internet is provided to a large number of people in your company. IT is centralized and all caching servers are required to be located in the same location at your single geographical site. Which type of caching is best for you?
Answers to Review Questions
1. SOCKS connections are filtered via a SOCKS filter. The filter forwards requests to the ISA firewall service. No additional client software is needed. See the sections "ISA Server Clients" and "ISA Server Is a Multilayered Enterprise Firewall."
2. Client software does not have to be installed to support the caching of HTTP, FTP, and HTTPS resources. Clients must "point" their browser to the ISA Server. These clients are called Web Proxy Clients. See the section, "ISA Server Clients."
3. Installing ISA Server in integrated mode and configuring it for reverse caching, Web server publishing, and firewall protection. See the sections "ISA Server Is a Multilayered Enterprise Firewall," and "Reverse Caching."
4. Use scheduled caching. See the section, "Scheduled Caching."
Answers to Exam Questions
1. D, E, A. Distributed caching places a number of ISA Servers in an array and Web requests are cached in a distributed fashion amongst the servers. Forward caching caches Web requests. B is for caching Web pages from a published internal Web server. C allows caching of resources at multiple geographical or workgroup locations. See the section, "ISA Server as a High-Performance Web Caching Server."
2. C, D, A. Chaining allows the location of multiple arrays of ISA Servers in a workgroup setting. Each array can forward its request to another in the hierarchy and eventually requests reach the perimeter array. Each ISA Server in the chain will store the content in its cache. See the section, "ISA Server as a High-Performance Web Caching Server."
3. A, C, D. Public Web sites are perfect candidates. They can be protected and yet external guests can access their resource. Mail servers and intranet servers that need to be available to traveling employees or those that telecommute will also work well as hosted services. B is incorrect; you should not unnecessarily expose any server to the Internet. See the section, "ISA Server Hosting Services."
4. B. Array policies can restrict Enterprise policies if the Enterprise policy is written to allow this. C and D are incorrect. Enterprise policies restrict array policies, but this is not done with the array policies' special consent. A is also incorrect.
6. A, B, D, E. Protocol, user group, IP address, and time of day (schedule) can all be used to restrict access. C is incorrect. Users cannot "request" an amount of bandwidth. See the section, "Policy-Based Access Rules."
See the section, "ISA Server Provides Integrated, Centralized Management and Control."
5. B, C. Firewall mode provides server publishing capabilities. Integrated mode would also provide this. (Web publishing is available in either firewall or caching mode.) A is incorrect. Caching mode alone will not provide server publishing. D is incorrect; there is no such thing. See the section, "Firewall, Caching or Integrated Modes."
Suggested Readings and Resources
1. "Features Overview," a white paper at
PART
INSTALLATION AND UPGRADE
2 Plan Before Acting: Preinstallation Activities
3 Installing ISA Server
4 Upgrading Microsoft Proxy 2.0
Preconfigure network interfaces.
Verify Internet connectivity before installing ISA Server
Verify DNS Name resolution
If the ISA Server installation is to succeed, preinstallation issues must be resolved. If this server is to control access between the Internet and the private network, it makes sense to configure Internet connectivity prior to installing ISA Server. Not only will this allow easier post-installation configuration, but also it will eliminate the potential problem of non-Internet connectivity from consuming your post-installation troubleshooting time. If you cannot access the Internet through the ISA Server after installation, you do not want to be concerned that the related issues of network connectivity and name resolution are the problem. By verifying these items prior to installation, much time and trouble can be saved.

STUDY STRATEGIES
Introduction 47
Network Design and Planning 47
ISA Server Mode and Array Considerations 49
Interoperation with and Requirements
Estimating Publishing Requirements 54
Additional Hardware Requirements for VPNs 56
Windows 2000 Installation and Configuration 57
Preinstallation Network Configuration 58
TCP/IP Network Card Configuration 61
If you are not comfortable with Windows 2000 DNS dependencies, this is a good time to assure your understanding. If the Windows 2000 system selected for the ISA Server installation cannot access Web sites on the Internet, what makes you feel that it will be able to after installation?
The ISA Server has multiple Windows 2000 requirements and suggested setup guidelines. This is the time to make sure you are familiar with them.
Approach preinstallation guidelines with an eye to creating your own checklist. Include network, client, and server preparation steps.
Think about the differences that a large installation would create. In a large enterprise, much more planning will go into such a major network connectivity change. Do you understand why?
Chapter 2 PLAN BEFORE ACTING: PREINSTALLATION ACTIVITIES 47
There is a lot more to installing any software product than just the installation. The wise administrator plans thoroughly so the actual installation process goes smoothly. Then, like a pilot before take-off, she performs a preflight check. Assured that all the necessary steps have been taken, she will find installation to be effortless, results, in most cases, excellent, and any troubleshooting made easier by firm knowledge of the system and network. Finally, post-installation configuration and client setup will be swifter if planning has been precise.
This chapter documents the network and system requirements to be met before installing ISA Server. Client concerns are discussed, but a full discussion on client configuration and/or the configuration of auto-discovery is found in Chapter 13, "Planning and Deploying Clients."
ISA Server can be used in multiple ways. Prior to installation you should have determined the role(s) it will play, and mapped a strategy for its installation and implementation. Your planning should encompass not just the installation of the product, but also consider:
• Network size
• User needs
• Installation options
• ISA Server mode and array considerations
• Active Directory integration needs
• Interoperation with, and requirements for, other services
• Hardware choices
• Changes that must take place for clients