Chapter 2 Plan Before Acting: Preinstallation Activities
You need to know or arrange for name resolution for these servers, either by hosting your own DNS servers or by outsourcing name resolution to your ISP. If you will be managing your own DNS servers for Internet name resolution, be sure that you have taken the appropriate steps to establish those DNS servers' connectivity with the Internet.
Establishing a Connection

After you have configured the Windows 2000 server on which you will be installing ISA Server, test Internet connectivity. You may be able to ping your ISP's router from the server, or request that the ISP provide you with other tools or evidence of connectivity.
Verify Name Resolution
Verify DNS name resolution
Finally, use a browser to test name resolution to the Internet. From a browser on the Windows 2000 server, enter a Web site URL. If the home page loads, you are successfully reaching the Internet and DNS is providing name resolution.
Routing rules on the ISA Server will configure and secure routing between the external network and servers on the internal network. If the ISA Server IP address is registered in an external DNS server, you should test name resolution from the Internet to the ISA Server. Although the ISA Server is not yet installed and configured to forward requests to the internally published server, you can verify that the server URL resolves to the address of the ISA Server.
Computer spec'd, configured, and installed? Internet connectivity established and tested? Preparations for a smooth transfer locked and loaded? This chapter detailed the steps to do so. Head on to the next chapter to install ISA Server.
• License logging service
• Distributed file system service
• Distributed link tracking service
• SMTP service
Apply Your Knowledge

Exercise

As this chapter emphasized, there are several steps to take prior to installing ISA Server. You will want to follow the recommendations detailed in this chapter to set up Windows 2000 to serve as the ISA Server host. Don't forget to verify network and Internet connectivity. You might want to scan ahead to the exercises in Chapter 3 and prepare more than one server in order to be ready for those tasks.

Estimated Time: 60 minutes

1. Install Windows 2000 Server or Advanced Server and apply Service Pack 1 (or the current service pack).
2. Apply any recommended hotfixes.
3. Configure networking using the recommendations from this chapter.
4. Verify network connectivity.
5. Verify Internet name resolution.

Review Questions

1. Why should you disable unnecessary services?
2. What will the impact of disabling File Sharing on the external network card be?
3. Should RRAS be configured on the ISA Server computer?
4. You can select RAID for the ISA Server. How will you use them?
5. You want to provide an IPSec/L2TP VPN tunnel on the ISA Server. Management speculates that this will produce a bottleneck. What will you say?

Exam Questions

1. The following services should be enabled on the Windows 2000 server that will host the ISA Server. (The message screener option is required.) Choose two correct answers.
A. World Wide Web

2.
A. Install Windows 2000/SP1
B. Join the Windows 2000 server to a Windows 2000 domain
C. Test network connectivity
D. Configure the network cards via either DHCP or static IP addresses

3. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server.

Optional Desired Results:
The ISA Server will be part of a centrally managed array of ISA Servers.
The ISA Server will provide Web caching services.

Proposed Solution:
Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The external network card is configured with an Internet-addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the FAT file system. Recommended services are disabled or available and working as prescribed.

Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.
4. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.

Required Result:
The ISA Server computer will provide firewall and server hosting services.

Optional Desired Results:
The ISA Server will be part of a centrally managed array of ISA Servers.
The ISA Server will provide Web caching services.

Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

5. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.

Required Result:
The ISA Server computer will provide firewall and server hosting services.

Optional Desired Results:
The ISA Server will be part of a centrally managed array of ISA Servers.
The ISA Server will provide Web caching services.

Proposed Solution:
Hard drives are formatted with the NTFS file system. Recommended services are disabled or available and working as prescribed.

Evaluation of Proposed Solution:
Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

6. Figure 2.5 represents the disk arrangement on computer A. Which of the following hard disk arrangements would be preferable for an ISA Server computer?
A. Operating System on C, ISA on D, Logs on E
B. Operating System on C, ISA on F, Cache on

Figure 2.5 Disk drive selection. Disk 0 holds C:, D:, and E: (all NTFS); Disk 1 holds F: (NTFS); Disk 2 holds G: (NTFS).
Answers to Review Questions

1. Removing unnecessary services improves efficiency and reduces the possibility of successful attack. Every additional service has its own vulnerabilities. See the section, "Interoperation with and Requirements for Other Services."

2. Disabling File Sharing on an external network card will prevent external connection to the file system of the ISA Server. If an external client can connect directly to the ISA Server file system, there is a possibility that damage could be done to the server or the network it protects. See the section, "TCP/IP Network Card Configuration."

3. The RRAS service is compatible with ISA; in fact, ISA extends this service. However, the ISA Server services should be used to create virtual private networks and to provide remote connectivity and packet filtering features. Network address translation should be configured in ISA. The Internet Connection Sharing service should not be configured on the ISA Server. See the section, "Interoperation with and Requirements for Other Services."

4. Configure RAID level 1 (mirror) for the operating system partition to provide redundancy. Configure RAID level 5 (striping with parity) for the logs to provide increased read performance. See the section, "Hard Disk Requirements."

5. Special network cards are available which can offload the IPSec encryption to their onboard processors. Card manufacturers' test results show excellent throughput when these cards are used. IPSec/L2TP VPNs are more secure. See the section, "Additional Hardware Requirements for VPNs."

Answers to Exam Questions

1. B, C. SMTP is necessary prior to the installation of the message screener service. The firewall and Web proxy services are dependent on the Telephony service. A is incorrect. While you can install IIS on the ISA Server computer, it is not necessary. D is incorrect. This service is not necessary. See the sections, "Windows 2000 Installation and Configuration," and "Interoperation with and Requirements for Other Services."

2. A, C. Service Pack 1 is required. Network connectivity should be tested. B is wrong. Although you may want to join the Windows 2000 server to a Windows 2000 domain, it is not necessary unless you require Active Directory integration. D is wrong. You should not configure the network cards via DHCP. See the sections, "Windows 2000 Installation and Configuration" and "TCP/IP Network Card Configuration."

3. A. Although the server may require additional steps to make it a more secure firewall, there is nothing in the initial configuration that will prevent ISA Server from installing and being configured to provide firewall services. However, the two optional results cannot be met. First, because the ISA Server is not a member server in a Windows 2000 domain, centralized management of an array of ISA Servers cannot be accomplished. Second, because the file system is FAT, Web caching services cannot be configured. See the sections, "Making Hardware Choices," and "Windows 2000 Installation and Configuration."

4. B. Now that the computer is joined to a domain, Active Directory schema modification and the installation of ISA Server in an array can be accomplished. However, Web caching services cannot be provided until NTFS-formatted disk space is available. See the sections, "Making Hardware Choices," and "Windows 2000 Installation and Configuration."

5. C. Now all requirements are met. See the sections, "Making Hardware Choices," and "Windows 2000 Installation and Configuration."

6. C. Placing the operating system on a drive separate from the cache or logs provides a greater chance of recovery. No other configuration here does that. See the section, "Hard Disks."
Suggested Readings and Resources

1. Information on licensing and pricing at http://www.microsoft.com/isaserver/productinfo/pricing.htm
2. Deployment of ISA Server at Microsoft: Planning, Deploying and Lessons Learned at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm
3. Lee, Thomas. Microsoft Windows 2000 TCP/IP Protocols and Services Technical Services. Microsoft Press, 2000.
4. Liu, Cricket, et al. DNS and BIND. O'Reilly & Associates, Third Edition, 1998. ISBN 1565925122.
Chapter 3

Installing ISA Server

Objectives

This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Install ISA Server. Installation modes include integrated, firewall, and cache.

Construct and modify the Local Address Table (LAT).

Calculate the size of and configure the cache.

There are two versions of ISA Server:

Standard. This version can only be installed on a standalone or member server. It cannot be part of an array.

Enterprise. The Enterprise edition can be part of an array and take advantage of the Active Directory to share policies.

Each version can be installed in one of three modes:

Firewall. ISA Server will be a dedicated firewall.

Caching Server. ISA Server will be a caching server. Requests from the private network for access to public network services are filtered through ISA Server's rules and policies. Approved requests (unless they are SSL or HTTPS, or are otherwise configured) will be cached on the ISA Server. Subsequent approved requests for this material are served from the ISA Server; additional access to the Internet is not necessary. In caching mode, the ISA Server can also be configured to forward requests from the public network to Web servers on the private network. The requested pages can be cached on ISA Server and served to the public network.

Integrated. In integrated mode, ISA Server is both a firewall and a caching server.

In addition to the preinstallation determinations, you must understand how the ISA Server is to be used, and configure two major parameters during installation. These parameters are the LAT and the cache. When ISA Server is used as a caching server, the size of the cache will have important implications for performance and operation. In firewall mode, the LAT, or Local Address Table, defines for ISA Server which TCP/IP addresses are considered to be on its local or private network, and which subnets are considered to be on the public network. Improper LAT configuration can prevent access to the private network from the local network. More importantly, it can be a severe security liability, allowing penetration of the private network from the public network.

Troubleshoot problems that occur during setup.

No installation process is without possibility for failure. While the ISA Server installation process is relatively smooth and easy, there are areas where possible problems can occur. Many of the problems can be avoided if the installer is aware of the problem areas. Many of the installation failures can be corrected with the proper application of knowledge.

Outline

Installation Fails to Complete—You
Event ID 14111 The ISA Server Cache
Event ID 14176, 14164, 14172 The Disk Cache Failed to Initialize
Event ID 14010, 14063 The Firewall Service Did Not Start Due to
You Are Unable to Access Internet

Study Strategies

Recognize that there are two important parts to installing ISA Server:

• Placement of the server
• Choices made during installation

Install ISA multiple times. Before you decide that, in your case, this is not necessary, consider the possible choices that must be made during installation. You have to choose whether to install in Caching mode, Firewall mode, or both. You must make decisions about the Local Address Table and the cache. In addition, if this ISA Server is to participate in an array, you must select the appropriate hierarchical or lateral array.

During your installations, vary the options that you select. You will, of course, need multiple systems for this exercise. If you have limited practice systems, a good approach is to make your systems dual boots of Windows 2000 and install a different configuration of ISA Server on each boot, so that you can return to them to compare differences on future exercises. Be especially sure to make two of your installation exercises (one for caching and one for firewall) involve the Enterprise edition and install an array. If you leave these two servers installed at the finish of this chapter, you will be set to configure enterprise policies. The chapter review questions will test your knowledge of installation issues.

Understand which choices made during installation will impact the configuration choices you can make after installation, as well as determine whether the server will meet the needs it was purchased to meet.

Realize that a haphazard installation can leave the network more vulnerable to attack than before. (Additional risks can be added; the company thinks it is secure when it is not, and thus does not follow previous good security practices.)
Introduction

If you understand the design principles behind determining where to place the server, this will lead to the proper preconfiguration of the server. The previous chapter presented various alternatives for firewall and caching server placement and the network configuration process that follows that choice. This chapter concentrates on the actual ISA Server installation steps. Because there are two versions of ISA Server, and three modes, six possible scenarios exist. You should know how all of them work.

Although client issues are covered in another chapter, you should be aware that none of the six scenarios affects whether non-Microsoft clients can benefit from the introduction of an ISA Server. The ISA Server must be installed on a Windows 2000 Server, but clients of all operating system types can benefit from the firewall.

Installation Processes Common to Several Configurations

Install ISA Server. Installation modes include integrated, firewall, and cache.

• Construct and modify the local address table (LAT)
• Calculate the size of the cache and configure it
• Install ISA Server as a member of an array

Although there are many ways that ISA Server can be installed, each installation has processes in common with the others. Table 3.1 lists the common installation processes that all, or some, installations may require.
Table 3.1 Which Installation Requires What?

Row fragments recovered from the table: "cache"; "Update Active ... prior to installation: Enterprise, Enterprise, Enterprise"; "Configure an Enterprise ...: Enterprise, Enterprise, Enterprise".
Constructing and Modifying the Local Address Table (LAT)

ISA Server firewall uses the Local Address Table (LAT) to determine which addresses are in the internal or private network and which addresses are outside, in the public network. The LAT should contain all IP address ranges that exist in the private network. It might also contain the private IP address ranges assigned by the Internet Assigned Numbers Authority (IANA) and detailed in RFC 1918.

This information is important for these reasons:

• The firewall uses this list to determine which IP addresses are within its private network and which IP addresses are public, and thus how to interpret its access rules.
• The firewall client periodically downloads and always uses a copy of the LAT to determine which addresses to forward to the firewall, and which to request directly.
• SecureNAT clients do not have a copy of the LAT. Their requests are forwarded to the ISA Server, which makes external requests for them.

If you install ISA Server in either firewall mode or integrated mode, you must configure the LAT.

Note: IANA Private Address Ranges. The three private address ranges identified by IANA are specified in RFC 1918. (RFCs, or Requests for Comments, are collaborative documents that attempt to define rules and standards to be used on the Internet. For more information, or to look up RFC 1918, visit www.ietf.org.) The private address ranges listed in this RFC are never used on the public Internet. They are:

• 10.0.0.0 to 10.255.255.255 (a single Class A network)
• 172.16.0.0 to 172.31.255.255 (16 contiguous Class B networks)
• 192.168.0.0 to 192.168.255.255 (256 contiguous Class C networks)
Addresses are added to the LAT in several ways:

• ISA Server constructs the LAT based on the Windows 2000 routing table of the network card you identify during setup as being on the private network.
• Adding the private address ranges from RFC 1918.
• Manually adding the private address ranges from your network that are not present in the routing table.
LAT Problems
If the routing table is not constructed correctly, the LAT will be wrong. If the LAT is incorrect, requests for internal objects may be routed to the Internet and vice versa. This is annoying at the least, and can provide a security vulnerability.
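The list of LAT sources above and the LAT Problems paragraph describe the table as a set of address ranges assembled from the private NIC's routing table, the RFC 1918 ranges, and manual entries, and warn what happens when that set is wrong. The following Python script is an added example, not code from the book or from ISA Server itself: it models that assembly and the firewall client's "local or not" decision, then checks a finished LAT for the two failure modes the chapter names (an internal subnet the LAT misses, and public address space the LAT covers). The routing table in `SAMPLE_ROUTES`, the NIC addresses 192.168.1.1 and 203.0.113.10, and the `lat_problems` checker are constructed for this example.

```python
"""Added example: build a Local Address Table (LAT) the way the chapter
describes and check it for the misconfigurations the chapter warns about.
Not ISA Server code; the routing table and addresses below are constructed."""
from ipaddress import IPv4Address, IPv4Network

# The three RFC 1918 private ranges, stored as (first, last) pairs like LAT entries.
RFC1918_RANGES = [
    (IPv4Address("10.0.0.0"), IPv4Address("10.255.255.255")),      # one Class A
    (IPv4Address("172.16.0.0"), IPv4Address("172.31.255.255")),    # 16 Class Bs
    (IPv4Address("192.168.0.0"), IPv4Address("192.168.255.255")),  # 256 Class Cs
]

# Constructed Windows 2000 routing table, reduced to (destination, netmask, interface).
# Internal NIC: 192.168.1.1.  External NIC: 203.0.113.10 (a documentation address).
SAMPLE_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "203.0.113.10"),  # default route
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1"),     # loopback
    ("192.168.1.0",     "255.255.255.0",   "192.168.1.1"),   # internal LAN
    ("192.168.1.1",     "255.255.255.255", "127.0.0.1"),     # host route
    ("203.0.113.0",     "255.255.255.0",   "203.0.113.10"),  # external subnet
    ("224.0.0.0",       "224.0.0.0",       "192.168.1.1"),   # multicast
    ("255.255.255.255", "255.255.255.255", "192.168.1.1"),   # broadcast
]


def ranges_from_routing_table(routes, internal_nic):
    """Model of setup's 'add address ranges based on the routing table' option:
    keep the network routes that leave through the NIC chosen as internal."""
    ranges = []
    for dest, mask, iface in routes:
        if iface != internal_nic:
            continue
        net = IPv4Network((dest, mask), strict=False)
        # Default, host, multicast and broadcast routes are not local subnets.
        if net.prefixlen in (0, 32) or net.network_address.is_multicast:
            continue
        ranges.append((net.network_address, net.broadcast_address))
    return ranges


def build_lat(routes, internal_nic, add_rfc1918=True, manual=()):
    """Assemble the LAT from the three sources the chapter lists."""
    lat = ranges_from_routing_table(routes, internal_nic)
    if add_rfc1918:
        lat.extend(RFC1918_RANGES)
    for first, last in manual:  # private ranges absent from the routing table
        lat.append((IPv4Address(first), IPv4Address(last)))
    return lat


def is_local(lat, address):
    """The firewall client's decision: an address inside any LAT range is
    reached directly; anything else is sent through the ISA Server."""
    ip = IPv4Address(address)
    return any(first <= ip <= last for first, last in lat)


def lat_problems(lat, internal_networks, external_network):
    """Hypothetical checker for the chapter's two failure modes: an internal
    subnet the LAT does not cover (its traffic goes out to the Internet) and
    public address space the LAT does cover (outside hosts are treated as inside).
    Coverage is tested at each subnet's first and last address."""
    problems = []
    for cidr in internal_networks:
        net = IPv4Network(cidr)
        if not (is_local(lat, net.network_address) and is_local(lat, net.broadcast_address)):
            problems.append(f"internal network {net} is not fully covered by the LAT")
    ext = IPv4Network(external_network)
    for first, last in lat:
        if first <= ext.broadcast_address and last >= ext.network_address:
            problems.append(f"LAT range {first}-{last} overlaps external network {ext}")
    return problems


if __name__ == "__main__":
    good = build_lat(SAMPLE_ROUTES, internal_nic="192.168.1.1")
    print("good LAT problems:", lat_problems(good, ["192.168.1.0/24"], "203.0.113.0/24"))
    # The external NIC was picked as 'internal' during setup and RFC 1918 was left out.
    bad = build_lat(SAMPLE_ROUTES, internal_nic="203.0.113.10", add_rfc1918=False)
    for problem in lat_problems(bad, ["192.168.1.0/24"], "203.0.113.0/24"):
        print("bad LAT:", problem)
```

The second run shows what the chapter's warning looks like in practice: with the wrong NIC selected, the LAT contains only the external subnet, so internal requests would be sent to the Internet and hosts on the external subnet would be trusted as local.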
Configuring the LAT

To configure the LAT, perform the steps outlined in Step by Step 3.1.

Step by Step 3.1 Configuring the LAT

1. During installation, click the Configure the LAT button. After installation, right-click the Local Address Table object in the ISA Management console (Servers and Arrays\name\Network Configuration\Local Address Table).
2. To add IANA private address ranges, click the Add the Following Private Ranges check box.
3. To add addresses using the computer's routing table, click the Add Address Ranges Based on the Selected Computer's Windows 2000 Routing Table check box.
4. In Select Computer, click the desired computer.
5. Select the check boxes for the NIC whose address ranges are needed. Skip step 6.
6. To add entries, click New, and then click LAT Entry. Add from and to addresses to specify a range.
Configuring the Cache

If the ISA Server is to be used as a caching server (Caching or Integrated mode), adequate disk space must be reserved to hold data acquired by the server and held for use by internal clients. Space may also be needed if the ISA Server is to be used for reverse proxy (caching of internal Web pages for the use of external clients). Three considerations are important:

• Cache placement
• Cache size
• Allocation of memory to be used for caching

Although there are general suggestions from Microsoft on calculating cache size, the ISA Server documentation provides specific requirements, as listed in Table 3.2, for forward caching. This information will help you plan ISA Server arrays by recognizing the appropriate requirements for computer hardware, RAM, and cache size. The best information will be information collected by monitoring your current configuration over time and applying this information to tune your ISA Servers.

Table 3.2 Forward Caching Requirements

Computer configuration: Pentium II, 300 MHz computer (for each 2,000 users); Pentium III, 550 MHz computer (for each 2,000 users); Pentium III, 550 MHz computer for each 2,000 users.