APPLY YOUR KNOWLEDGE
2. Information Systems Auditing has asked that a report be made for the next month that includes information on all packets that touch the firewall. What step(s) do you need to take?
A. Nothing; ISA Server is already recording information on every packet that touches it.
B. Configure the IP packet filter property Log packets from "Allow" filters. ISA Server normally does not log these packets, but this option makes it do so.
C. Make the Registry key entry listed in Help under logging packets.
D. Be sure disk capacity supports the increased log size necessary to record these events.
3. You want to configure FTP, download only, access for some SecureNAT clients. (Select the best two.)
A. Create packet filters that allow outbound access to ports 21 and 20.
B. Only allow access to known sites which restrict access to download.
C. Enable the FTP application filter.
D. Create a protocol rule that allows the FTP download-only (read-only) protocol for SecureNAT clients (by client address set).
4. Carrie has configured the firewall client on her system in preparation for doing some testing of the ISA Server. She does not configure her browser to send its requests to the ISA Server. She has an account in the domain to which the ISA Server computer belongs. She writes rules that deny access to certain sites. However, when she attempts to visit these sites, she finds she can. What is happening? (Select the best two.)
A. She must be logged on using the wrong user account.
B. The ISA Server does allow unauthenticated access.
C. Because the HTTP Redirector filter is redirecting the firewall client's requests to the Web Proxy service without passing authentication information, there is no way to check which user is making the request, so user-based deny rules cannot match her.
D. This is a known bug in HTTP access using the firewall client.
5. John has run the Security Configuration Wizard, and now many clients that could access resources through the ISA Server cannot. What should he do?
A. Reinstall; the wizard is irreversible.
B. Examine the changes made by using the Security Configuration and Analysis (SCA) console. He can analyze the current configuration against the default server configuration and possibly determine what has been modified that would cause this change.
C. Check the LAN Manager authentication level in Security Options. The Limited Services option of the wizard changes this to use NTLM only. By default, Windows 95/98 clients use LM for network authentication.
D. Install the AD Client for Windows 9x.
6. To make the authentication process more secure, which authentication method(s) should be avoided?
A. Digest
B. Certificates
C. Integrated
D. Basic
Answers to Review Questions
1. Packet filters statically open ports. Other methods open the ports dynamically, only when the request is made. It is always preferable to have ports open only when needed. See the section "Configuring New Packet Filters."
2. Use standard hardening efforts to secure the OS. Apply service packs and security hot-fixes. Use NTFS. Use strong passwords. Use the Security Configuration Wizard to help harden the system. See the section "The ISA Server Security Configuration Wizard."
3. The firewall is only as strong as the system on which it is built. Compromise the underlying OS and you can forget the firewall. See the section "The ISA Server Security Configuration Wizard."
4. This is common practice for firewalls. You do not want anything to pass the boundary unless you have specifically allowed it to do so. See the section "Configuring Packet Filter Rules."
5. The ISA Server needs to know the status of the network on which it operates. See the section "Examining Default Packet Filters."
6. The DHCP client filter allows the ISA Server to accept an assigned IP address from an ISP for its external network interface. See the section "Examining Default Packet Filters."
7. Basic, Digest, Integrated, Certificates. See the section "Authentication Rules."
Answers to Exam Questions
1. C. Streaming video may include fragmented packets. A and B may also be a problem, or they might not be; we have no way of telling, and we do have another good reason. D is incorrect; this is not a reason to avoid the feature. See the section "Configuring/Enabling IP Packet Filter Properties."
2. B, D. To capture all packets you must turn on logging of "allowed" packets, and you need extra disk space to hold the larger log. A and C are incorrect: ISA Server does not record "allows" by default, and there is no Registry key listed in Help. See the section "Configuring/Enabling IP Packet Filter Properties."
3. C, D. A and B do not restrict FTP users to download only. You cannot rely on sites to prevent this. See the section "FTP Access Filter."
4. B, C. A could be true, but it is the incorrect answer because if she is using her real account the same thing will happen. D is incorrect. See the section "HTTP Redirector Filter."
5. B, C, D. He may need to examine the changes made, and the SCA will help him do so. It is also reasonable to expect that, because Windows 9x clients use LM, this parameter change is the problem. If LM is the issue, installing the AD Client for Windows 9x will allow him to configure these clients to use NTLM. A is incorrect; never reinstall as a first choice when problems occur. See the section "The Security Configuration Wizard."
6. D. Basic authentication sends credentials without encryption (they are only Base64-encoded) unless the connection itself is protected by SSL. See the section "Authentication Rules."
Suggested Readings and Resources
1. Comer, Douglas. Internetworking with TCP/IP, Vol. I: Principles, Protocols, and Architecture. Prentice Hall; ISBN: 0130183806.
2. Lee, Thomas, and Joseph Davies. Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference. Microsoft Press, 2000; ISBN: 0735605564.
Objectives covered in this chapter for the Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Manage ISA Server arrays in an enterprise
• Create an array of proxy servers
• Assign an enterprise policy to an array
A major advantage of ISA Server Enterprise edition is the ability to centrally manage multiple ISA Server computers by placing them in an array or arrays and setting enterprise- and array-level policies. Each array can have a different policy and, thus, a tiered policy can be created to effectively manage both centralized and decentralized IT environments.
Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP)
Once servers are combined in arrays, they can be configured for efficiency, scalability, and fault tolerance. Cache Array Routing Protocol (CARP) can create one logical cache out of multiple ISA Server computers in an array, and Network Load Balancing can maximize throughput and provide added fault tolerance.
Introduction
Managing and Configuring Arrays
  Understanding Hierarchical and Distributed Arrays
Configuring for Scalability
  Configuring Cache Array Routing Protocol (CARP)
  Configuring Server Listeners and Load Factors
• Haul out the test boxes, dump the standalone ISA Servers, and install at least two systems in an array.
• Concentrate your efforts on determining how policies are defined, created, and assigned to an array.
• 2000 Help as well as other documentation. If you are comfortable with this software-based clustering feature on its own, you will be better equipped to understand how it can mesh with ISA Server.
Introduction
Ever since man has been able to afford two computers, he has looked for ways to make them work as one. There have been many attempts and successes at harnessing the combined power of multiple systems, but many of the most useful, efficient, and least expensive strategies have been software-based algorithms that distribute the workload between systems. These efficient algorithms that seek to scale systems and multiply processing power also, in many cases, provide fault tolerance for distributed systems. Because the systems are inextricably linked, when one system fails, the other is available. This is achieved for ISA Server by arranging servers in distributed and hierarchical arrays and by utilizing the twin scalability solutions: Cache Array Routing Protocol (CARP) and Network Load Balancing (NLB).
To understand and use these algorithms, it is essential to understand the basic policy structure of the Enterprise edition of ISA Server. The basic management element of the Standard edition ISA Server is the server. Policies are developed and used at the server level. There is no way to write one policy and have it impact multiple servers. In the Enterprise edition, multiple tiers of ISA Servers can be arranged and managed comprehensively. The following structures are possible:
• Enterprise-level policies are assigned to arrays of ISA Servers.
• Multiple enterprise policies and multiple arrays can coexist.
• Enterprise-level policies determine the ability of array policies to modify enterprise policy at the array level.
• Array-level modifications can only further tighten security, not reduce it.
Just as the basic level of management and control in the Standard edition is the server, the basic level of control in the Enterprise edition is the array. This is why any study of enterprise policy is ultimately a study of arrays. This study involves:
• Understanding Hierarchical and Distributed Arrays
• Understanding Enterprise Policy Scope
• Managing ISA Server Arrays
Understanding Hierarchical and Distributed Arrays
For ISA Server two array-based solutions exist: hierarchical and distributed. These array types are distinct; do not confuse them. Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers instead of directly to the requested source. Chains of distributed arrays are also possible. Hierarchical arrays were discussed in Chapter 5, "Outbound Internet Access."
Distributed arrays are collections of Enterprise edition ISA Servers and are managed by assigning enterprise and array policies. They can only be created using the Enterprise edition of ISA Server. They offer multiple advantages, including centralized management, fault tolerance, and improved processing efficiency.
Understanding Enterprise Policy Scope
Policies are created at the enterprise level but assigned to individual arrays. The true meaning of any policy lies in its focus of control, or scope. To manage and control distributed arrays of ISA Servers:
• Define enterprise policies.
• Assign enterprise policies to arrays.
• Write rules and apply filters at the enterprise policy level.
• If allowed, write rules and apply filters at the array level.
NOTE: Connect To… It is possible to manage multiple Standard edition ISA Servers from one location. In the ISA Server Management console, right-click the Internet Security and Acceleration Server icon and select Connect To, then select the server to manage. You are, however, really only managing one server at a time. You cannot write a policy that controls multiple servers automatically.
Because multiple enterprise policies can exist, and because the enterprise policy assigned to an array determines what options are available at the array level, it is important to understand the types of enterprise policies that can be developed and the scope of their power. Three basic policy scopes exist:
• Combined Array and Enterprise Policy. Management is potentially split between enterprise- and array-level policies.
• Array Policy Only. The "enterprise policy" gives control to the managers of array-level policy.
• Enterprise Policy Only. All policies are set at the enterprise level.
The type of policy applied at the array level is first determined during ISA Enterprise Initialization (see Figure 11.1). This policy is applied to the array created during the installation of the first ISA Server in the forest. Because multiple enterprise policies can be created, as well as multiple arrays, the initial policy does not control the final management of policy. After installation, you can create new policies and assign them to arrays as required.
By applying a variety of enterprise policies, with and without options for management at the array level, a tiered policy can be developed in which enterprise administrators (those in the Enterprise Admins group) manage the overall policies for all ISA Server-controlled access between internal and external networks, and array administrators (those in the Domain Admins group) restrict array-level policies further where allowed.
Using Array Policy Only
If this enterprise policy is chosen, rules are not written at the enterprise level. All rules are written at the array level. This distributes control of ISA Servers to administrators closer to the area where the ISA Servers are located. This is suitable and desirable in an organization where IT is itself decentralized. No all-encompassing policy or management structure exists to centrally control all ISA Servers; instead, each array can be managed on its own. Management is similar to the management of a single ISA Server, except that policies created are applied to all ISA Servers in the array.
FIGURE 11.1 Initial enterprise policy.
NOTE: Restricting ISA Server Management. You might want to restrict ISA Server enterprise or array management to select administrators. To do so, create Active Directory groups and assign appropriate permissions on ISA Server objects. An outline of the process was described in Chapter 3, "Installing ISA Server."
Using This Enterprise Policy
An initial enterprise policy is created and assigned to the first ISA Server array. The first ISA Server array is created during the installation of the first ISA Server in the forest. The first enterprise policy is therefore created during the initialization of the Active Directory schema by the ISA Enterprise Initialization tool.
During initialization, the following choices can be made:
• A name for the policy.
• Allow array-level access policy rules that restrict enterprise policy. Array policy rules can never be weaker than the enterprise policy rules.
• Allow publishing rules. Publishing rules are created at the array level.
• Force packet filtering on the array. This prevents an array-level administrator from configuring IP routing without packet filters. By default, all packets are dropped at the external interface unless rules exist which allow other action.
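The three policy scopes and the four initialization choices above amount to a small decision procedure, and the following Python model makes it concrete. This is an added example, not code from the book or from ISA Server itself: the rule names, destination sets and request shape are constructed, and the treatment of an array that has no rules of its own (the enterprise decision stands unchanged) is a modelling assumption. What it demonstrates is the property the chapter insists on: an array can narrow what the enterprise allows, but can never widen it, and an enterprise-only policy leaves the array nothing to write.

```python
"""Tiered ISA Server 2000 Enterprise-edition policy, modelled in Python.

Added example, not code from the book or from Microsoft. It encodes the rules
the chapter states: an enterprise policy is assigned to an array; the policy
has one of three scopes; array rules may only further tighten enterprise
policy; publishing rules and packet filtering can be controlled per array.
Rule names, destinations and the request shape are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    COMBINED = "combined"                # enterprise rules; array may restrict further
    ARRAY_ONLY = "array_only"            # all rules written at the array level
    ENTERPRISE_ONLY = "enterprise_only"  # no array-level access policy at all


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocols: frozenset      # e.g. {"HTTP", "HTTPS", "FTP"}
    destinations: frozenset   # destination set; "*" matches any host

    def matches(self, protocol, destination):
        return protocol in self.protocols and (
            "*" in self.destinations or destination in self.destinations)


@dataclass
class EnterprisePolicy:
    name: str
    scope: Scope
    allow_array_restrictions: bool = True  # "Allow array-level access policy rules"
    allow_publishing: bool = False         # "Allow publishing rules"
    force_packet_filtering: bool = True    # "Force packet filtering on the array"
    rules: list = field(default_factory=list)


@dataclass
class Array:
    name: str
    policy: EnterprisePolicy
    rules: list = field(default_factory=list)
    publishing_rules: list = field(default_factory=list)
    packet_filtering: bool = True


def validate_array(array):
    """Reject array-level settings that the assigned enterprise policy forbids."""
    pol = array.policy
    if pol.scope is Scope.ENTERPRISE_ONLY and array.rules:
        raise ValueError(f"{array.name}: enterprise-only policy permits no array rules")
    if pol.scope is Scope.COMBINED and not pol.allow_array_restrictions and array.rules:
        raise ValueError(f"{array.name}: array-level access rules are not allowed")
    if array.publishing_rules and not pol.allow_publishing:
        raise ValueError(f"{array.name}: publishing rules are not allowed")
    if pol.force_packet_filtering and not array.packet_filtering:
        raise ValueError(f"{array.name}: packet filtering is forced by enterprise policy")
    return True


def evaluate(rules, protocol, destination):
    """Default deny: a matching deny rule wins; otherwise a matching allow is needed."""
    matched = [r for r in rules if r.matches(protocol, destination)]
    if any(r.action == "deny" for r in matched):
        return False
    return any(r.action == "allow" for r in matched)


def is_allowed(array, protocol, destination):
    """Effective decision for a request handled by a member of `array`."""
    pol = array.policy
    if pol.scope is Scope.ARRAY_ONLY:
        return evaluate(array.rules, protocol, destination)
    if not evaluate(pol.rules, protocol, destination):
        return False  # the array level can never grant what the enterprise denies
    if pol.scope is Scope.ENTERPRISE_ONLY or not pol.allow_array_restrictions or not array.rules:
        return True   # modelling assumption: no array rules means no further restriction
    return evaluate(array.rules, protocol, destination)  # array rules only narrow the allow


# Constructed sample configuration (not from the book)
ANY = frozenset({"*"})
HQ_POLICY = EnterprisePolicy(
    "Corporate Internet Access", Scope.COMBINED,
    rules=[Rule("Web for all", "allow", frozenset({"HTTP", "HTTPS"}), ANY),
           Rule("No FTP", "deny", frozenset({"FTP"}), ANY)])
BRANCH = Array("Branch-Array", HQ_POLICY, rules=[
    Rule("Web, minus blocked sites", "allow", frozenset({"HTTP", "HTTPS"}), ANY),
    Rule("Block gambling", "deny", frozenset({"HTTP", "HTTPS"}), frozenset({"bets.example"})),
    Rule("Branch wants FTP", "allow", frozenset({"FTP"}), ANY),  # cannot widen: stays denied
])
LOCKED = Array("Locked-Array", EnterprisePolicy("Central only", Scope.ENTERPRISE_ONLY),
               rules=[Rule("rogue", "allow", frozenset({"FTP"}), ANY)])

if __name__ == "__main__":
    validate_array(BRANCH)
    for proto, host in [("HTTP", "www.example"), ("HTTP", "bets.example"), ("FTP", "ftp.example")]:
        print(proto, host, "->", "allow" if is_allowed(BRANCH, proto, host) else "deny")
    try:
        validate_array(LOCKED)
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the decisions for the constructed Branch-Array (web allowed, the blocked site denied, FTP denied despite the array's own FTP allow rule) and the rejection of Locked-Array, whose enterprise-only policy permits no array rules at all. The same two checks, validate the array configuration against the assigned policy and then require both levels to agree before allowing a request, are what an auditor of a tiered ISA deployment is effectively verifying.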
Managing ISA Server Arrays
Manage ISA Server arrays in an enterprise
All Enterprise edition ISA Servers installed in an Active Directory whose schema has been updated for ISA Server can be installed either into an array or as a standalone ISA Server. To participate in centralized management, and to benefit from the Active Directory environment, they should be installed in an array. Standalone ISA Servers can be promoted to array membership at a later time.
ISA Servers are then managed by:
• Creating arrays
• Creating and assigning enterprise policies to arrays
• Configuring policies
• Storing and backing up array and enterprise configurations
• Promoting standalone servers to array membership
Creating Arrays
Create an array of proxy servers
During each Enterprise edition ISA Server installation, there is an opportunity to install the ISA Server into an array (see Figure 11.2). You then have the opportunity to name the array (the default is the computer name) or choose an existing array (see Figure 11.3). If you decide to use a new array, you must select an enterprise policy to apply or configure a new one. Only enterprise administrators can use anything other than the default enterprise policy settings. All array members must be installed in the same mode.
After installation, new arrays can be created (see Step by Step 11.1) and ISA Enterprise edition servers can be moved between arrays.
STEP BY STEP 11.1 Creating a New Array
1. Right-click Internet Security and Acceleration Server\Servers and Arrays and select New Array.
2. Enter a name for the array and click Next.
3. Select the Windows 2000 site in which this server exists (see Figure 11.4).
4. Select the Windows 2000 domain for this server. Click Next.
5. Create a totally new array, or copy the configuration of an existing array (see Figure 11.5). Click Next.
6. If Copy is chosen, skip to the end of the Step by Step. There are no further choices to be made.
7. Select Enterprise Policy settings (see Figure 11.6). Click Next.
8. Specify array policy options at the enterprise level (see Figure 11.7). Click Next.
9. Specify array type (see Figure 11.8). Click Next.
10. Review choices and click Finish.
Creating and Assigning Enterprise Policies
Assign an enterprise policy to an array
Policies are assigned to arrays during array creation, or from the Arrays property page of the policy (see Figure 11.9).
NOTE: ISA Servers can only be part of arrays that match their installation mode.
To create new policies, follow Step by Step 11.2.
STEP BY STEP 11.2 Creating New Enterprise Policies
1. Right-click the Internet Security and Acceleration Server\Enterprise\Policies node (see Figure 11.10) and select New Policy.
2. Name the policy and click Next.
3. Click Finish.
4. Open the Properties page of the new policy.
5. On the Arrays page, select the arrays to which to assign this policy (refer to Figure 11.9).
The enterprise policy settings influence the following:
• Will the enterprise policy rule, or are only array policies allowed?
• If enterprise policies set the rules, will array policies be allowed to further restrict them?
• Are publishing rules allowed?
• Is packet filtering forced on the array?
FIGURE 11.9 Assigning an enterprise policy to an array.
FIGURE 11.10
After a policy has been assigned to an array, some items may be configured and rules must be written at the enterprise or (if allowed) array level. Chapter 12, "Access Control in the Enterprise," describes the process. Figure 11.11 illustrates the locations used to configure enterprise policy site and content rules and protocol rules, and array-level access policy.
Backing Up Array and Enterprise Configurations
Array and enterprise configuration information is stored in the Active Directory for array members. A backup utility is provided to back up enterprise and array information to files. This requires two separate procedures: an array backup does not include enterprise policy, and server-specific information such as cache content, activity logs, and reports is not backed up at all. To back up the enterprise configuration, right-click the enterprise object in the ISA Management console and select Back Up. Identify the file and path to save the configuration and click OK. Backing up arrays is outlined in Step by Step 11.3.
Array configuration information consists of:
• Access policy rules

• The first step in creating enterprise policy is accomplished during the initialization of the schema.
• This policy can be modified when arrays are created.
• New enterprise policies can be created.
• Policies are further defined by writing rules at the enterprise and array level.