
MCSE ISA Server 2000 Materials - P15 (pptx)


DOCUMENT INFORMATION

Title: Planning and Deploying Clients
Field: Information Technology
Type: Chapter
Year of publication: 2001
Pages: 30


Chapter 13: PLANNING AND DEPLOYING CLIENTS

• Do you want to improve efficiency of the ISA Server computer for caching? Web proxy clients will directly use the Web proxy service. SecureNAT clients and Firewall clients use the firewall service and their HTTP requests are forwarded to the Web proxy service.

• Do you have client operating systems and types other than Windows? Other clients such as Macintosh, Unix, and Linux can utilize SecureNAT and Web proxy client types.

• Would you like to cache FTP requests? Use Web proxy clients. FTP requests made through the Web proxy application can be cached.

Evaluating Network Infrastructure Changes

Installing ISA Server(s) to provide Internet access control and/or Web caching capability can result in numerous network infrastructure changes. The cost and complexity of deploying and maintaining these changes is dependent on the type of clients to be used as well as the nature of your infrastructure.

The SecureNAT client potentially entails few infrastructure changes. This does not mean the cost will be low, rather that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be directly visited, then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers must be configured to route Internet requests to the ISA Server. Your time and cost is dependent on the number of routers that must be configured and the complexity of this configuration change.

If Web proxy or Firewall clients need to be configured for automatic discovery, then you may need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server.

The protocol used in the Win Proxy Automatic Discover (WPAD)


Part IV: DEPLOYING, CONFIGURING, AND TROUBLESHOOTING THE CLIENT COMPUTER

The process of deploying ISA Server can be reduced in complexity, cost, and time by carefully evaluating client requirements. The twin issues of maintenance and access troubleshooting can be more easily enabled if a thorough knowledge and understanding of clients is available to planners and implementers. It’s not just the configuration and installation steps that are important. This chapter provided insight into the knowledge base and planning decisions that are required while deferring the step-by-step implementation instructions to the next chapter.


APPLY YOUR KNOWLEDGE

TABLE 13.3
SAMPLE ANSWER TABLE

Requirement                             Client Type
Authentication                          Web proxy, Firewall
Web protocols                           Web proxy, Firewall, SecureNAT
Application filters                     Firewall, SecureNAT
Caching of HTTP requests                Web proxy, Firewall, SecureNAT
Caching of FTP requests                 Web proxy
Requires the least configuration        SecureNAT
Fine-tuned Winsock application usage    Firewall

3. Which clients use the Web proxy service? Which ones use it most efficiently?

4. Discuss two items that can increase the complexity and cost of deploying the various ISA Server clients.

Exam Questions

1. In a migration from Proxy Server 2.0 to ISA Server, an inventory of client status must be made. Of the clients listed here, which will not need changes to access the Internet through ISA Server?

A. Winsock Proxy clients

Exercises

13.1 Planning Client Deployment

Before clients can be deployed, you must determine which clients should be deployed. A good understanding can save many hours and make maintenance and access troubleshooting much less demanding.

Estimated Time: 10 minutes

1. Use Table 13.2 to list the client requirements, as you understand them, of your network.

2. In the second column of the table, list the client type that is required to fulfill this need.

3. Compare your results with the sample table that follows this exercise.

TABLE 13.2
CLIENT REQUIREMENTS

Requirement                             Client Type


2. Which of the following ISA Server clients can be used to provide Internet access for Macintosh and Unix clients?

A. Firewall client

B. Web proxy client

C. SecureNAT client

D. Winsock Proxy Client

3. Various protocols and types of Web objects can be cached. Which of the following items can be cached?

A. HTTP and FTP requests from Firewall clients

B. HTTP and FTP requests from Web proxy clients

C. HTTP and FTP requests from SecureNAT clients

D. HTTP requests from SecureNAT clients

4. You are debating using the Firewall client or the SecureNAT client. Two advantages of one over the other are

A. The Firewall client can inform the Firewall service of the ports it needs to use. SecureNAT clients' need for ports must be statically configured.

B. The Firewall client will always pass user credentials, thus user group membership can be successfully used for access control.

C. The SecureNAT client can inform the Firewall service of the ports it needs to use. Firewall clients' need for ports must be statically configured.

D. The SecureNAT client will always pass user credentials, thus user group membership can be successfully used for access control.

5. Which clients can be used in which modes?

A. SecureNAT clients are not supported in Caching mode.

B. Web proxy clients are not supported in Firewall mode.

C. Firewall clients are not supported in Integrated mode.

D. SecureNAT clients are not supported in Firewall mode.

Answers to Review Questions

1. 16-bit Winsock applications are only supported for Windows NT 4.0 clients and Windows 2000 clients. See the section, “Firewall Client.”

2. All clients can be used in this scenario; however, the SecureNAT client is the simplest to configure. See the section, “Using Multiple Clients on a Single Computer.”

3. All clients use the Web proxy service. SecureNAT and Firewall client Web requests are forwarded to the Web proxy service. The Web proxy client uses the Web proxy service in the most efficient manner. See the section, “SecureNAT Client.”

4. Two items that can increase the complexity of a deployment are authentication and autodiscovery. Authentication might be required to fulfill access rules written to depend on group membership. This requires a more complex deployment. If Web proxy clients are used, then authentication must be required of all clients—this prevents participation by non-Windows clients. Autodiscovery can save configuration time, but can be difficult to get right. Changes to DNS and DHCP configuration may need to be made. See the section, “Considering Cost and Complexity.”

Answers to Exam Questions

1. A, B, C. D is incorrect. Proxy 2.0 uses port 80 to listen for Web requests. ISA Server uses port 8080. See the section, “Migrating Proxy 2.0 Clients.”

2. B, C. A and D are incorrect; the firewall and Winsock Proxy clients must be installed and there is no version for non-Windows operating systems. See, “Introducing ISA Server Client Types.”

3. B, D. A is incorrect; only HTTP requests from Firewall and SecureNAT clients are cached. See, “Using Multiple Clients on the Same Computer.”

4. A, B. C and D are incorrect. See, “Using Multiple Clients on the Same Computer.”

5. A, B. Firewall clients are supported in integrated mode and SecureNAT clients are supported in Firewall mode. See, “Introducing ISA Server


CHAPTER 14

Installing and Configuring Client Options

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Deploying, Configuring, and Troubleshooting the Client Computer section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Configure and troubleshoot the client computer for secure network address translation (SecureNAT)

What simple technique is used to implement the SecureNAT client? What do you have to do to create SecureNAT clients? Simple as it may seem, people have trouble with this one.

Install the firewall Client software

Considerations include the cost and complexity of deployment

Troubleshoot autodetection

Using the firewall client brings many benefits to the user or ISA Server services. Installation is uncomplicated, but issues do arise. The client information must first be configured correctly on the server, or communications will not occur. While the easiest path may appear to be to configure auto detection, there are several steps involved. How will you troubleshoot client issues? By knowing what’s supposed to happen.

Configure the client computer’s Web browser to use ISA Server as an HTTP proxy

Web proxy clients are simply client computers whose browser has been configured to point to the ISA Server. Instead of accessing the Internet directly, they send their requests to ISA Server.


Configuring ISA Server Client Settings

Installing and Configuring Clients

Installing and Configuring Firewall Clients

Using Multiple Clients on Single Computers

Troubleshooting Client Trouble Spots

Consider the impact of having to configure and/or install hundreds of ISA Server clients. How would you do it?

Separate out for yourself which clients are necessary where, and when you would use multiple clients.

Consider the multiple ISA Server client computers. What impact does adding the firewall client to the Web proxy have?


Chapter 14: INSTALLING AND CONFIGURING CLIENT OPTIONS

Now that you know which clients you will use where and have planned your client rollout, you need to take the steps to do so in the most efficient way. The following sections will support your efforts:

• Configuring ISA Server and the Network to Support Clients

• Installing and Configuring Clients

• Troubleshooting Client Trouble Spots

To support ISA Server clients, it might be necessary to

• Configure ISA Server Properties

• Configure ISA Server Client Settings

Modifying Routing

Modifications to routing will depend on the status of the current network routing configuration. The end result should be to route Internet requests through the ISA Server. This can be accomplished


In a larger environment consisting of multiple subnetworks, a client’s default gateway will be the router interface on its subnetwork. The routers then will need to be modified, if necessary, to forward Internet requests to the ISA Server.

Adding DHCP and/or DNS Settings

If the ISA Server clients will be configured to use automatic discovery to find the ISA Server, and all clients are not in the same subnetwork as the ISA Server, the DHCP and/or DNS Server will need to be modified to allow the ISA Server clients to find the ISA Server. This is done by adding a Web Proxy Autodiscovery Protocol (WPAD) entry to these servers. DHCP can provide autodiscovery information for Windows 2000, Windows ME, and Windows 98 client computers. DNS can provide autodiscovery information for Windows NT 4.0, Windows 2000, Windows ME, and Windows 98. For instructions see Step by Step 14.1 (DHCP) and Step by Step 14.2 (DNS).

STEP BY STEP

14.1 WPAD Entries in DHCP

1. Click Start, Programs, Administrative Tools, DHCP.

2. Right-click the DHCP server and select Set Predefined Options.

3. Click Add.

4. In the name box, type WPAD.

5. Type 252 for code.

6. In data type, select String. Click OK.

7. Enter http://computername:autodiscoveryport#/Wpad.dat (see Figure 14.1). Click OK.

8. Right-click Server Options and select Configure Options.

9. On the General Page, scroll down until you find 252 WPAD and check the box. Click OK.

FIGURE 14.1
Configuring DHCP for automatic discovery.


STEP BY STEP

14.2 WPAD Entries in DNS

1. Click Start, Programs, Administrative Tools, DNS.

2. Right-click the forward look-up zone and select New Alias.

3. In the name box, type WPAD.

4. In Fully Qualified Name for Target Host, enter the FQDN of the ISA Server (see Figure 14.2).

5. Click OK.

Configuring ISA Server Properties

If ISA Server Properties are properly configured and clients are configured for automatic discovery, clients in the same subnet as the ISA Server can receive a response to their broadcast request for the address of the proxy server. To configure ISA Server to respond, you must publish automatic discovery.

STEP BY STEP

14.3 Publishing Automatic Discovery

1. Right-click Internet Security and Acceleration Server, Servers and Arrays\name, and select Properties.

2. Click the Auto Discovery tab.

3. Check the Publish Automatic Discovery Information box.

4. Enter the port number to use in the Use This Port for Automatic Discovery Requests. Click OK.

5. At the Warning box, select Save the Changes and Restart the Services. Click OK.

Which Port Should Be Used? The autodiscovery port used will be either the Outgoing Web request port, or some other port designated as the automatic discovery port. When DNS is used to publish WPAD, you must use port 80 for automatic discovery.

FIGURE 14.2
Configuring DNS for automatic discovery.
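When troubleshooting autodetection, the entries from Step by Step 14.1 to 14.3 can be checked against each other. The following is an added example, not code from the book or from ISA Server: `audit_wpad` and the host names are hypothetical, and matching the path and host name case-insensitively is an assumption.

```python
from urllib.parse import urlsplit


def _same_host(name, isa_fqdn):
    """True if name is the ISA Server FQDN or its short computer name."""
    name = (name or "").rstrip(".").lower()
    fqdn = isa_fqdn.rstrip(".").lower()
    return name in (fqdn, fqdn.split(".")[0])


def audit_wpad(isa_fqdn, autodiscovery_port, dhcp_option_252=None,
               dns_alias_target=None):
    """Compare the WPAD entries with the port published on the ISA Server.

    Returns a list of findings; an empty list means the entries agree.
    """
    findings = []
    if dhcp_option_252 is not None:
        # Expected form: http://computername:autodiscoveryport/Wpad.dat
        parts = urlsplit(dhcp_option_252.strip())
        if parts.scheme.lower() != "http":
            findings.append("DHCP 252: URL does not start with http://")
        if not _same_host(parts.hostname, isa_fqdn):
            # Clients will fetch proxy settings from whatever host is named.
            findings.append("DHCP 252: host %r is not the ISA Server"
                            % parts.hostname)
        if parts.path.lower() != "/wpad.dat":
            findings.append("DHCP 252: path %r is not /Wpad.dat" % parts.path)
        try:
            port = parts.port if parts.port is not None else 80
            if port != autodiscovery_port:
                findings.append("DHCP 252: URL port %d differs from published "
                                "port %d" % (port, autodiscovery_port))
        except ValueError:
            findings.append("DHCP 252: port is not a valid number")
    if dns_alias_target is not None:
        if not _same_host(dns_alias_target, isa_fqdn):
            findings.append("DNS: WPAD alias points to %r, not the ISA Server"
                            % dns_alias_target)
        if autodiscovery_port != 80:
            # The chapter's rule: DNS-published WPAD must use port 80.
            findings.append("DNS: WPAD in DNS requires port 80, server "
                            "publishes on %d" % autodiscovery_port)
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real network.
    for finding in audit_wpad("isa1.example.internal", 8080,
                              dhcp_option_252="http://isa1:8080/Wpad.dat",
                              dns_alias_target="isa1.example.internal"):
        print(finding)
```
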


Configuring ISA Server Client Settings

Before installing firewall client software, client configuration settings should be made on the ISA Server. Two types of settings can be made: properties that will be modified on the firewall client’s Web browser, and properties that will be made for the firewall client. These settings become part of the client configuration file that is downloaded to the client when the client computer starts and every six hours that the system remains online. The firewall client application can also be used to request a download of the file, and to change the ISA Server used for downloads.

The file created can be edited directly, but this should only be done on the ISA Server. The client copy of the file should never be edited, as it will be periodically overwritten. Property pages in the Client Configuration node of the ISA Server management console offer the more common areas that may need to be changed.

Web browser properties include

• The ability to specifically identify the ISA Server computer by DNS name and listening port. If selected, the client Web browser will be hard coded with this information (see Figure 14.3).

• Automatic configuration settings. Web browsers can be set to automatically discover settings or to use an automatic configuration script.

FIGURE 14.3
Hard code or automatic discovery?

FIGURE 14.4
Local servers and domains.

FIGURE 14.5
Alternative route.


Configuration of the firewall client properties allows:

• The choice of hard coding ISA Server name or IP address or enabling automatic discovery (see Figure 14.6)

• Application settings: specific, application by application settings including ports and the capability to add additional applications (see Figure 14.7)

Client Configuration Scripts. The default configuration URL for client configuration scripts is http://computername/array.dll?Get.Routing.Script. The script is automatically generated and includes ISA Server access (if an array exists, a list of ISA Servers is included) and backup route options for Web proxy clients.

Using the script option for Web browser configuration allows you to update Web browser settings without reconfiguring each Web browser. Both IE 3.02 and later and Netscape 2.0 and later can use this feature. You can specify a custom client configuration script.

• Configuring the SecureNAT client

• Configuring Web proxy clients

• Installing and configuring firewall clients

• Using multiple clients on a single computer

Configuring the SecureNAT Client

Configure and troubleshoot the client computer for secure network address translation (SecureNAT)

To configure a client as a SecureNAT client you must configure the client so that all requests for Internet access are routed to the internal network interface of the ISA Server. How this is done depends on whether the client is on the same logical network as the ISA Server, or on some other internal subnetwork. To configure the SecureNAT client:

• If the client is on the same logical network as the ISA Server internal network, use the ISA Server internal interface IP address as the client’s default gateway.

• If the client is on a different internal network, the client’s default gateway should be the address of a router that has been configured to forward all requests for Internet addresses to the ISA Server.
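The two rules above can be checked over a client inventory before rollout. This is an added example, not part of the original chapter: the function names, host names and addresses are constructed for illustration, and the check cannot see router configuration, so clients on other subnets are flagged for a manual router check.

```python
import ipaddress


def check_securenat_client(client_cidr, default_gateway, isa_internal_ip):
    """Classify one client's default gateway against the two SecureNAT rules."""
    iface = ipaddress.ip_interface(client_cidr)       # e.g. "10.0.1.20/24"
    gateway = ipaddress.ip_address(default_gateway)
    isa = ipaddress.ip_address(isa_internal_ip)

    # A gateway outside the client's own subnet is unreachable, whichever
    # rule applies. Pointing a remote client straight at the ISA Server
    # address is the usual way this happens.
    if gateway not in iface.network:
        return "error: gateway is outside the client's own subnet"

    # Rule 1: same logical network as the ISA Server internal interface.
    if isa in iface.network:
        if gateway == isa:
            return "ok: gateway is the ISA Server internal interface"
        return "fix: same subnet as ISA Server, gateway should be %s" % isa

    # Rule 2: different internal network, gateway must be a router that
    # forwards Internet requests to the ISA Server (verify on the router).
    return "check router: %s must forward Internet requests to %s" % (gateway, isa)


def audit_inventory(inventory, isa_internal_ip):
    """Map each client name to its verdict. inventory: name -> (cidr, gateway)."""
    return {name: check_securenat_client(cidr, gw, isa_internal_ip)
            for name, (cidr, gw) in inventory.items()}


# Constructed sample inventory; the ISA Server internal interface is 10.0.1.1.
SAMPLE_INVENTORY = {
    "ws01": ("10.0.1.20/24", "10.0.1.1"),     # same subnet, points at ISA
    "ws02": ("10.0.1.21/24", "10.0.1.254"),   # same subnet, points elsewhere
    "ws03": ("10.0.2.30/24", "10.0.2.1"),     # other subnet, local router
    "ws04": ("10.0.2.31/24", "10.0.1.1"),     # other subnet, off-link gateway
}

if __name__ == "__main__":
    for name, verdict in audit_inventory(SAMPLE_INVENTORY, "10.0.1.1").items():
        print(name, verdict)
```
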

Date posted: 22/01/2014, 00:20