
MCSE ISA Server 2000 course material, Part 8 (doc)


DOCUMENT INFORMATION

Basic information

Title: ISA Server Hosting Roles
Field: Information Technology
Type: Chapter
Year published: 2001
Format:
Pages: 30
Size: 1.04 MB


Contents



INTRODUCTION

I can remember when Web servers were not placed behind the corporate firewall. The rationale was that to do so would compromise the security of the internal network. Companies risked site attacks and possible downtime rather than create potential chinks in their firewall armor. The Internet was a simpler beast then, and few were fielding Business to Business (B2B) or Business to Consumer (B2C) sites.

Things have changed. Now, no Web master worth her salt would dream of leaving her baby bare and exposed. The challenge then becomes, how do I protect the Web site, or other exposed servers, allow access to it, and yet not allow hackers entrance into my internal network? There are four potential answers:

• First, a Web server sits on the internal network behind the firewall. The firewall is configured to "host" the Web site, or act as the decontamination chamber, so to speak, for all communications between the Web server and the rest of the world.

• Second, a separate arrangement, where the Web server sits behind a firewall but is not connected to anyone's private network. The hosting methodology explained in this chapter will be as useful in this scenario as it is in the first.

• Third, while the Web server sits on the internal network behind the firewall, instead of hosting, appropriate ports are opened on the firewall to allow traffic to flow to the Web site.

• Finally, a separate perimeter or demilitarized zone (DMZ) is created to act as the network for all Internet accessible hosts. A three-pronged approach (the firewall has three NIC cards) or a separate, internal firewall is used to protect the internal network. This approach, and the one mentioned previously, are covered in more detail in Chapter 10, "Firewall Configuration."

The best approach, in many cases, will be to host the server using ISA Hosting services. To learn how to do so, see the following sections of this chapter:

• Configuring ISA Server for Web Publishing

• Configuring ISA Server for Server Proxy

• Configuring ISA Server for Server Publishing

CONFIGURING ISA SERVER FOR WEB PUBLISHING

Configure ISA Server for Web publishing

Most security experts would agree: To protect a public Web server, place it behind the firewall, and allow access in the most secure manner to prevent unauthorized and malicious access. ISA Server offers two ways to do this: Either configure packet filters and protocol rules, which allow access to the Web server by permitting Web protocols through the firewall and directing them to the Web server, or configure Web publishing rules on the firewall. To configure packet filters and protocol rules to allow access to an internal Web server, see Chapter 10. However, to follow a more secure process, configure Web publishing rules.

To allow access to the internal server via Web publishing, perform the actions listed in Table 6.1.


TABLE 6.1
CONFIGURE WEB PUBLISHING

Action: Configure Web site domain resolution
Description: Assure that the public Web server address is registered in DNS with the address of the ISA server that will perform the Web hosting.
Required: Yes

Action: Configure destination sets to identify the ISA Servers that will be configured for publishing
Description: The destination set includes the external IP address or names of ISA Servers that will route the request to the internal Web server. Figure 6.1 illustrates this configuration. You can choose to use more general terms instead of explicitly identifying the firewall.
Required: No

Action: Configure a listener on the external interface
Description: See Step by Step 6.1.
Required: Yes

Configure a listener See Step by Step 6.1 Yes

on the external interface

FIGURE 6.1
Identifying the destination set.
(Diagram: a client asks DNS "Where is www.peachweaver.com?" and receives the ISA Server's external address, 208.43.67.12; the destination set is 208.43.67.12, and the internal Web server sits at 192.168.2.10.)


Configuring Destination Sets

When the Web publishing rule is created, you use the defined destination sets, client address sets, and rule actions to set its parameters, conditions, and actions. Destination sets indicate that a request for Web services received at these IP addresses meets that condition in the rule. Client address sets are composed of the addresses of clients who may be allowed to make requests for Web objects. Rule actions define what happens if these conditions are met. Possibilities include:

• The request is discarded (configure to explicitly prevent all access to internal Web servers, or more likely to explicitly deny access to people(s) identified in client address sets).

• The request is redirected to an internal server.

• The requested object is retrieved from the server cache.

Configuring Listeners

Listeners are the specifications that allow ISA Server to link ports on a particular external interface with the internal Web server. The "listener" identifies which network interface (IP address) is the active location identified as the source for Web access to the external world.

STEP BY STEP

6.1 Configuring a Listener for the Web Site

1. Open the Property page for the ISA Server by right-clicking on the Server in the Management console and selecting Properties.

2. Select the Incoming Web Requests tab (see Figure 6.2).

3. If desired, click the radio button Configure Listeners Individually per IP Address.

FIGURE 6.2
Identifying the Web listener.


6. Choose the external IP address to listen on from the IP Address drop-down box.

7. Enter a friendly name for a display name.

8. Configure to use server certificates (optional).

9. Configure Authentication (optional).

10. Click OK.

11. Review your choices and click OK.

12. Select whether to save changes and restart the service, or save changes but not start the service (see Figure 6.3). Changes will not take place until the service is restarted.

13. Click OK.

Creating Web Publishing Rules

After the elements (listeners, destinations, and Web servers) are present, a Web publishing rule can be created to specify what action will be taken if a request is made. The rule identifies the clients that can access the site, the destination for the request (the IP address of the external interface where the "listener" sits), and the clients that might use it.

STEP BY STEP

6.2 Configuring Web Publishing Rules

1. Navigate in the ISA Management console to Servers and Arrays\name\Publishing\Web Publishing Rules.

2. Note that the default Web publishing rule discards all requests.

3. Right-click on the Web Publishing Rules folder and select New Rule.

FIGURE 6.3
Saving changes.


4. Enter a name for the rule and click Next.

5. Select a preconfigured destination set or leave the default All Destinations in place. Click Next.

6. Specify the client type. Client type can be used to selectively allow Web site access by business partners, telecommuters, or traveling employees. The choices are:

  • Any request

  • Specific computers (client address sets)

  • Specific users and groups
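The way a Web publishing rule combines its destination set, its client type (any request, a client address set, or specific users) and its action can be modelled in a few lines. The following is an added example written for this page, not code from the book or from ISA Server; evaluating rules in listed order with the first match winning is an assumption of the example, and every address and name in it is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example (not from the book or ISA Server). Models a Web publishing rule in
# the chapter's terms: destination set, client type, and rule action. Evaluating
# rules in listed order, first match wins, is an assumption of this example.

@dataclass
class WebPublishingRule:
    name: str
    action: str                                  # "discard", "redirect" or "cache"
    destinations: Set[str] = field(default_factory=set)        # empty = All Destinations
    client_type: str = "any"                     # "any", "computers" or "users"
    client_addresses: List[str] = field(default_factory=list)  # client address set (CIDR)
    users: Set[str] = field(default_factory=set)               # specific users and groups
    internal_server: Optional[str] = None        # target for "redirect"

# The default rule discards all requests (Step by Step 6.2, step 2).
DEFAULT_RULE = WebPublishingRule("Default rule", "discard")

def rule_matches(rule: WebPublishingRule, destination: str,
                 client_ip: str, user: Optional[str]) -> bool:
    """True when the request's destination and client satisfy the rule's conditions."""
    if rule.destinations and destination not in rule.destinations:
        return False
    if rule.client_type == "computers":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(net, strict=False)
                   for net in rule.client_addresses)
    if rule.client_type == "users":
        # Needs an identity established by listener authentication (Step 6.1, step 9).
        return user is not None and user in rule.users
    return True  # "Any request"

def evaluate(rules: List[WebPublishingRule], destination: str,
             client_ip: str, user: Optional[str] = None) -> WebPublishingRule:
    """Return the first rule whose conditions match, else the default discard rule."""
    for rule in rules:
        if rule_matches(rule, destination, client_ip, user):
            return rule
    return DEFAULT_RULE

# Constructed rule set: the listener's external address is 208.43.67.12 (Figure 6.1).
# An explicit discard for one client range is listed before the permissive rules.
RULES = [
    WebPublishingRule("Block abusive range", "discard",
                      destinations={"208.43.67.12"},
                      client_type="computers", client_addresses=["198.51.100.0/24"]),
    WebPublishingRule("Partner extranet", "redirect",
                      destinations={"208.43.67.12"},
                      client_type="users", users={"partner-rw"},
                      internal_server="192.168.2.10"),
    WebPublishingRule("Public site", "redirect",
                      destinations={"208.43.67.12"},
                      internal_server="192.168.2.10"),
]
```

A request to an address outside every destination set falls through to the default rule and is discarded, which is the behaviour step 2 above relies on.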

of frequent requests and removes the strain from busy Web servers. You saw this feature for a single server when configuring the cache retrieval configuration step of the routing rule for the Web publishing steps in Step by Step 6.2. In arrays, you want CARP configured to act the same way. To enable incoming CARP, open the Property pages for the array and on the Incoming Web Requests page, check the box labeled Resolve Requests Within Array Before Routing. Members of the array can be configured to have different loads so that requests can be spread more heavily on servers with more disk resources, for example. For more information on configuring CARP see Chapter 11, "Manage ISA Server in the Enterprise."

FIGURE 6.4
Selecting a rule action.


Configuring Server Certificates and Authentication Methods

To secure access to internal Web servers, authentication methods can be configured. Authentication methods include:

• Requiring server authentication via server certificates

• Basic authentication

• Digest authentication

• Windows Integrated Authentication

The last three types of authentication are client authentication and were defined in Chapter 5, "Outbound Internet Access."

Authentication of outbound access can restrict, control, and make auditable employee access to the Internet. Authentication of inbound access establishes credentials for users who want to access internal resources. These users might be employees who are traveling or who work from home, business partners who require access to internal servers, and customers who must establish identity before accessing specific data on internal Web sites.

Server authentication, on the other hand, can be used by the ISA Server to identify itself as the internal Web server. Clients seeking secure access to internal Web sites will request server authentication via Secure Sockets Layer (SSL) certificates. To prove its identity, the ISA Server must be able to fulfill this request. To configure the ISA Server to use certificates for Web requests, follow Step by Step 6.3.

STEP BY STEP

6.3 Configuring Server Certificates

1. In the ISA Server Management console, right-click the array or server and click Properties.

2. Select the Incoming Web Requests tab.

3. Select the listener that requires a certificate.

4. Click Edit to display the listener properties.

NOTE: Certificates. Certificates are encrypted digital identification. They provide the capability to perform secure communications between two computers. SSL certificates are used primarily by Web servers to prove their identity to clients. Because the ISA Server often sits between the Web server and the client, it must be able to perform server authentication using SSL and participate in a secured (encrypted) communication with the requesting client.


5. In the "Add/Edit Listeners" dialog box, check Use a Server Certificate to Authenticate to Web Clients.

6. Click Select.

7. Select the server certificate to use. (Server certificates must be previously installed on the server in the server certificate store. For instructions on how to do so, please ask the party from whom the certificate is received. In many cases, it may be a simple button click after the certificate is received. In others, it requires using the Certificates snap-in.)

to the client communication once it's received. This is done by configuring a Routing Rule. Routing rules determine where incoming and outgoing requests are redirected. Step by Step 6.4 explains how to configure a rule to redirect HTTP and/or SSL requests.



STEP BY STEP

6.4 Redirecting Incoming Web Requests

1. Navigate to Internet Security and Acceleration Server\Servers and Arrays\name\Network Configuration\Routing.

2. Create a new rule or modify an existing rule.

3. If creating a new rule, use the New Routing Rule Wizard\Request Action page to indicate the internal server, HTTP, and SSL port to direct the request to (see Figure 6.5). Edited rules display these choices on the Action page.

4. If creating a new rule, use the New Routing Rule Wizard\Cache Retrieval Configuration page to select the conditions under which requests will be routed to the Web server (see Figure 6.6). Edited rules display these choices on the Cache tab.

5. If creating a new rule, use the New Routing Rule\Cache Content Configuration page to indicate the conditions under which caching will occur. Edited rules display these choices on the Cache tab.

6. Click Finish.

7. Double-click the rule to open its property pages.

8. Select the Bridging tab (see Figure 6.7).

9. By default, both Redirect HTTP Requests as HTTP Requests and Redirect SSL Requests as SSL Requests are selected. Additional choices can be made. Table 6.2 explains the ramifications.

10. Click OK to close the Properties page.


TABLE 6.2
SSL BRIDGING CHOICES

Redirection Choice: Redirect HTTP requests as HTTP requests
Description: No mystery here.

Redirection Choice: Redirect HTTP requests as SSL request
Description: Use this choice to secure HTTP communications between the ISA Server and the internal Web server (see Figure 6.8).

Redirection Choice: Redirect SSL requests as HTTP request
Description: The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server would be unencrypted (see Figure 6.9).

Redirection Choice: Redirect SSL requests as SSL request
Description: While the SSL channel terminates at the ISA Server (the client conversation is secured between itself and the ISA Server), this option requires a new SSL channel be established between the ISA Server and the Web server (see Figure 6.10).

Redirection Choice: Require secure channel (SSL)
Description: No conversation will take place if SSL cannot be established.

Redirection Choice: Requires 128-bit encryption
Description: The ISA Server must have the high encryption pack for Windows 2000 installed in order to use this feature.

Redirection Choice: Use a certificate to authenticate to the SSL Web Server
Description: If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used.
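The ramifications in Table 6.2 come down to two questions for each incoming request: is it accepted at all, and is the second hop from the ISA Server to the Web server encrypted? The following is an added example for this page, not code from the book or from ISA Server; the dataclass fields, the cipher-strength parameter and the internal addresses are assumptions chosen to mirror the bridging choices and the target chosen in Step by Step 6.4.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the book or ISA Server). Applies the bridging choices of
# Table 6.2 to one incoming request and reports where ISA connects and whether the
# hop to the Web server is encrypted. Field names and the 128-bit check are assumptions.

@dataclass
class InternalWebServer:             # the target chosen in Step by Step 6.4, step 3
    host: str
    http_port: int = 80
    ssl_port: int = 443
    requires_client_cert: bool = False   # server insists that ISA present a certificate

@dataclass
class BridgingPolicy:                # the check boxes on the Bridging tab (Figure 6.7)
    http_requests_as: str = "http"   # "Redirect HTTP requests as": http | ssl
    ssl_requests_as: str = "ssl"     # "Redirect SSL requests as": http | ssl
    require_ssl: bool = False        # "Require secure channel (SSL)"
    require_128bit: bool = False     # "Requires 128-bit encryption"
    isa_certificate: Optional[str] = None  # "Use a certificate to authenticate to the SSL Web Server"

@dataclass
class Decision:
    accepted: bool
    reason: str
    target: Optional[Tuple[str, int, str]] = None  # (host, port, scheme) ISA connects to
    server_hop_encrypted: bool = False

def bridge(policy: BridgingPolicy, server: InternalWebServer,
           scheme: str, cipher_bits: int = 0) -> Decision:
    """scheme is 'http' or 'ssl' as received on the listener; cipher_bits is the
    negotiated SSL key length (0 for plain HTTP)."""
    if scheme == "http":
        if policy.require_ssl:
            return Decision(False, "secure channel (SSL) required; no conversation takes place")
        out = policy.http_requests_as
    elif scheme == "ssl":
        if policy.require_128bit and cipher_bits < 128:
            return Decision(False, "128-bit encryption required")
        out = policy.ssl_requests_as
    else:
        return Decision(False, "unknown scheme")
    if out == "ssl":
        # A second SSL channel is opened from ISA to the Web server (Figure 6.10).
        if server.requires_client_cert and policy.isa_certificate is None:
            return Decision(False, "Web server wants a certificate from ISA; none selected")
        return Decision(True, f"{scheme} redirected as SSL",
                        (server.host, server.ssl_port, "ssl"), True)
    # The SSL channel (if any) ends at ISA; the inside hop is cleartext (Figure 6.9).
    return Decision(True, f"{scheme} redirected as HTTP",
                    (server.host, server.http_port, "http"), False)

if __name__ == "__main__":
    web = InternalWebServer("192.168.2.10")  # constructed address, as in Figure 6.1
    print(bridge(BridgingPolicy(), web, "ssl", 128))
    print(bridge(BridgingPolicy(ssl_requests_as="http"), web, "ssl", 128))
    print(bridge(BridgingPolicy(require_ssl=True), web, "http"))
```

The second call shows the case worth auditing on a real deployment: the client sees SSL, but with "Redirect SSL requests as HTTP request" the traffic crosses the internal network in cleartext.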

FIGURE 6.7
Specifying bridging requirements.


CONFIGURING ISA SERVER FOR SERVER PROXY

Configure ISA Server for server proxy

ISA Server can act as a mail server proxy if configured to "publish" the mail server. The mail server can reside on the proxy server, although this is not recommended. Mail clients that use the following protocols can be accommodated:

• Post Office Protocol 3 (POP3)

• Internet Message Access Protocol 4 (IMAP4)

• Messaging Application Programming Interface (MAPI)

• Network News Transfer Protocol (NNTP)

FIGURE 6.10
Redirect SSL as SSL.
(Diagram: the Internet client reaches the ISA Server over SSL, and the ISA Server opens a second SSL channel to the Web Server; labeled "Redirect SSL Requests as SSL".)


It is easiest to complete this configuration by using the Mail Server Security Wizard.

DNS and Mail Proxy

So that clients can resolve the mail server name to the ISA Server computer, a DNS entry for the mail server should be made that points to the ISA Server. MAPI clients, HTTP clients, POP3, and IMAP4 clients can then resolve the address of the ISA Server.

The Mail Server Security Wizard

The Mail Server Security Wizard enables you to easily configure the ISA Server to proxy requests for e-mail server access. As a result, it creates server publishing rules and protocol rules. These rules, which can be identified by the "Mail Wizard Rule" preface, can be found in the Publishing\Server Publishing Rules folder.

To configure mail proxy, see Step by Step 6.5.

STEP BY STEP

6.5 Configuring Mail Proxies

1. Right-click on Publishing\Server Publishing Rules and select Secure Mail Server. Click Next.

2. On the Mail Server Security Wizard\Mail Services Selection page, check the protocols to publish and indicate if default and/or SSL authentication is required (see Figure 6.11). Click Next.

3. On the Mail Server Security Wizard\ISA Server's External IP Address page, enter the ISA Server's IP address and click Next.

4. On the Mail Server Security Wizard\Internal Mail Server page, enter the IP address of the mail server or select On the Local Host if the mail server is located on the ISA server. Click Next.

5. Review the configuration, and then click Finish.

What's Special About Mail Servers That Reside on the ISA Server? If the mail server resides on the ISA Server computer, packet filters, not protocol rules, are configured.


Content Filtering

An SMTP filter, when properly configured, allows content filtering. To filter all incoming mail, you must install the SMTP filter, enable and configure it, then select this feature when running the Mail Server Security Wizard.

The SMTP filter intercepts SMTP traffic on port 25 and determines, based on your configuration, whether the traffic should be passed on, generate an alert, and so on. The filter provides filtering by recipient; it compares the recipient to a list of users whose communications will be rejected. In addition, the SMTP filter can check for buffer overrun attacks.

If the message screener is installed, the SMTP filter can also filter messages by looking for configured keywords, size, name, or type of content. To install the message screener component, you must install SMTP services on the ISA Server computer. You can do so by using Control Panel\Add Remove Programs. The SMTP service running on the ISA Server acts as a virtual server. It can be used to filter content received on port 25 on the external interface of the ISA Server, and then relay the mail to the internally published SMTP mail server. To set up the message screener requires four steps:

• Installing the SMTP service on the ISA Server. Use Add Remove Programs.

• Installing the message screener component. Use the ISA Server installation program.

• Publish an internal SMTP mail server to the ISA Server. See the section, "Configuring the Mail Server Security Wizard" earlier in this chapter.

• Configure the SMTP service and the SMTP filter. See Step by Step 6.6.

FIGURE 6.11
Choosing supported protocols.

NOTE: SMTP Buffer Overrun Attacks. These are created by issuing an SMTP command with a parameter that exceeds the size of the value that is normally entered for that parameter. If the programmer of the code does not code in checks to handle this type of problem, the application can crash and potentially leave the system vulnerable to damage or other types of compromise. The SMTP filter attempts to deal with this problem by checking the size of parameter values before the command is actually run.
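The two SMTP filter checks described above, rejection by recipient and the parameter-size check performed before a command is acted on, can be seen working over a handful of constructed command lines. This is an added example for this page, not code from the book or from ISA Server; the size limits, the reject lists and the sample session are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not from the book or ISA Server). Models two SMTP filter checks the
# chapter describes: rejecting mail by recipient (users and domains, Step by Step 6.6
# step 6) and refusing over-long command parameters before the command is acted on
# (the buffer overrun check). Limits and the reject lists are constructed.

# Largest parameter each command may carry; checked before the command would run.
PARAM_LIMITS: Dict[str, int] = {
    "HELO": 255, "EHLO": 255, "MAIL": 320, "RCPT": 320, "VRFY": 255, "EXPN": 255,
}
REJECT_USERS = {"spammer@example.org"}      # constructed reject list
REJECT_DOMAINS = {"badmail.example"}

_RCPT = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+)>?", re.IGNORECASE)

def split_command(line: str) -> Tuple[str, str]:
    """Split an SMTP command line into its verb and raw parameter text."""
    verb, _, param = line.rstrip("\r\n").partition(" ")
    return verb.upper(), param.strip()

def overrun_reason(verb: str, param: str) -> Optional[str]:
    """Flag a parameter longer than the size normally entered for that command."""
    limit = PARAM_LIMITS.get(verb)
    if limit is not None and len(param) > limit:
        return f"{verb} parameter is {len(param)} bytes, limit {limit}"
    return None

def recipient_reason(line: str) -> Optional[str]:
    """Reject RCPT TO for listed users or domains; other commands pass through."""
    m = _RCPT.match(line)
    if not m:
        return None
    addr = m.group(1).lower()
    if addr in REJECT_USERS:
        return f"recipient {addr} is on the reject list"
    domain = addr.rsplit("@", 1)[-1]
    if domain in REJECT_DOMAINS:
        return f"recipient domain {domain} is on the reject list"
    return None

def filter_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verb, verdict) pairs; verdict is 'pass' or the reason an alert fires.
    The size check runs first, so an oversized RCPT is never parsed as an address."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        verb, param = split_command(line)
        reason = overrun_reason(verb, param) or recipient_reason(line)
        results.append((verb, reason or "pass"))
    return results

# Constructed session: a clean recipient, a listed user, a listed domain, and a
# HELO whose parameter is far larger than any real host name.
SAMPLE = [
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<Spammer@Example.org>",
    "RCPT TO:<carol@badmail.example>",
    "HELO " + "A" * 600,
    "DATA",
]
```

Running `filter_session(SAMPLE)` marks the fourth, fifth and sixth lines with a reason and passes the rest.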


STEP BY STEP

6.6 Configuring the SMTP Service and Filter

1. Run the ISA Mail Server Security Wizard and specify the use of Incoming SMTP mail and Outgoing SMTP mail.

2. When running the ISA Mail Server Security Wizard, select Apply Content Filtering.

3. On the ISA Server, use the IIS console, open the IIS Default SMTP virtual server properties page, and:

  • On the Access tab, click Relay and select All Except the List Below (see Figure 6.12). This prevents mail spammers from using the virtual SMTP service as a relay.

  • On the Delivery tab, click Advanced, and enter the real name of the mail server in the Smart Host box (see Figure 6.13). This configures the real mail server as the smart host that receives the relayed mail.

4. Install the ISA Server Message Screener.

5. If the ISA Server computer is a standalone installation on a standalone Windows 2000 Server, or the Message Screener is installed on a computer that is not a member of the same AD forest as the ISA computer, you must:

  • Run the SMTPCred.exe utility from the ISA Server installation CD-ROM\i386 folder and enter the name of the ISA Server, the time for information retrieval, and valid user credentials for the ISA Server.

  • Configure Distributed Component Object Modeling (DCOM) on the ISA server computer to allow the Message Screener to access the ISA Server. Information on configuring DCOM can be found on the ISA Server installation disk.

6. Configure the SMTP filter with the list of users and domains to reject (see Figure 6.14).


7. Configure the SMTP filter to check for attachments (see Figure 6.15) and keywords; size, name or type of content to hold, delete, or forward to the administrator.

CONFIGURING ISA SERVER FOR SERVER PUBLISHING

Configure ISA Server for server publishing

Besides publishing internal mail servers and Web servers, ISA Server can redirect requests for specific services to internal servers. You configure publishing rules to do so. Although packet filters could also be used to provide access to internal server services from the public network, publishing rules are considered to be more secure because their application filters can be more specific. However, sometimes IP packet filters must be used, for example, when you are publishing servers that are on a perimeter or DMZ network, or when publishing services that exist on the ISA Server.

Creating Server Publishing Rules

Running the publishing wizard creates server publishing rules. Your options are described in Step by Step 6.7.

STEP BY STEP

6.7 Configuring Server Publishing Rules

1. Right-click Publishing\Server Publishing Rules and select New Rule.

2. Enter a name for the rule and click Next.

3. On the New Server Publishing Rule Wizard\Address Mapping page, enter the IP address of the internal server and the IP address of the ISA server and click Next (see Figure 6.16).

Posted: 24/12/2013, 19:15
