CACHING MODE

Caching can be implemented in the following ways:
• Reverse caching
• Forward caching
• Scheduled caching
• Distributed caching
• Hierarchical caching or chaining

ISA SERVER EDITIONS

ISA Server is available in two editions. Significant differences exist between the editions (detailed in Table 7).

SUMMARY TABLE 7
ISA SERVER EDITIONS

Feature | Standard Edition | Enterprise Edition
Integrated modes | Yes | Yes
Bandwidth control | Yes | Yes
Logging and reporting | Yes | Yes
Packet filtering | Yes | Yes
If Active Directory integration is desired, two factors affect your planning and preinstallation activity:
• First, you must have Schema Admin and Enterprise Admin membership before you can use the ISA Server Active Directory Initialization utility.
• Second, you must wait until the schema modification replicates to all domain controllers. It is only necessary to apply the utility once in the enterprise, but it may take some time before the changes are replicated throughout the forest.

POLICY

ISA Server policy is created by creating access rules. Rules are made up of policy elements (Table 8). Note that in order to allow access to the Internet, a protocol rule and a site and content rule must both exist that match the client, site, and protocol.

SUMMARY TABLE 8
POLICY ELEMENTS

Policy Element | Description | Used By
Schedules | Identifies the hours of the day and the days of the week that the rule is in effect | Protocol rules, site and content rules, bandwidth rules
Bandwidth Priorities | Identifies an inbound and an outbound priority number from 1 to 200. The numbers establish a relative percentage of the available bandwidth that can be applied to the traffic identified by the rule | Bandwidth rules
Destination Sets | Identifies the computers, and potentially the directories and files on those computers, which can or cannot be accessed | Site and content rules, bandwidth rules, Web publishing rules, routing rules
Client Address Sets | A collection of one or more computers identified by IP address | Protocol rules, site and content rules, bandwidth rules, server publishing rules, Web publishing rules
Protocol Definitions | Characteristics that define available protocols via port, protocol type, and direction | Protocol rules, server publishing rules, bandwidth rules
Content Groups | Arranges content definitions by MIME type or extension | Site and content rules, bandwidth rules
Dial-Up Entries | Specific dial-up information such as account information | Routing rules, firewall chaining

Default Rules

Some default rules exist:
• ICMP outbound: Allow all ICMP outbound from the ISA Server's default IP addresses on the external interface to all remote computers. (The ISA computer can send ICMP messages.)
• ICMP ping response (in): To the default IP address on the external interface from all remote computers. (The ISA Server can receive inbound ping responses.)
• ICMP source quench: From outside to the default IP addresses on the external interface. (The ISA Server receives instructions to slow its packet sending rate.)
• ICMP timeout (in): To the default IP address on the external interface from all remote computers. (The ISA Server can receive messages relating to timeouts, for example, of ping requests.)
• ICMP unreachable: To the default IP address on the external interface from all remote computers. (The ISA Server can receive notice of an unreachable address.)
• DHCP Client: Allows the external interface to act as a DHCP client. This rule is disabled by default.
• DNS filter: DNS lookup. (Requests for DNS lookup can pass.)

When multiple rules exist they are processed in the following manner:
1. First, protocol rules are examined to determine if the protocol being used is defined in one of the rules. If it is, and the protocol is allowed and not denied, processing continues.
2. Next, site and content rules are applied. Does a site and content rule exist which matches the request, and does no other site and content rule deny it? If so, processing continues.
3. Third, IP packet filters are checked to determine if a blocking filter exists. Is the communication protocol used blocked explicitly?
4. If all answers have been affirmative, ISA Server checks its routing rules or its firewall chaining setup to find out how the message should be sent.

A deny at any of the first three stages ends processing; a request is forwarded only when every stage permits it.
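The four-stage evaluation above can be modelled in code. The following is an added example written for this page, not ISA Server's own code or configuration format: it evaluates a request against protocol rules, site and content rules and packet filters in the order listed, lets any matching deny stop processing, and reports the stage at which a request was refused. It models only client address sets, protocol names, destination hosts and transport ports; schedules, content groups and bandwidth priorities are left out. The rule names, sample networks and hosts are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class ProtocolRule:
    name: str
    action: str                           # "allow" or "deny"
    protocols: Set[str]                   # protocol definition names
    clients: Optional[List[str]] = None   # client address set (CIDR); None = any client

@dataclass
class SiteContentRule:
    name: str
    action: str
    destinations: Set[str]                # destination set; "*" matches every host
    clients: Optional[List[str]] = None

@dataclass
class PacketFilter:
    name: str
    mode: str                             # "allow" or "block"
    transport: str                        # "tcp" or "udp"
    port: int

@dataclass
class Request:
    client_ip: str
    protocol_name: str                    # e.g. "HTTP", as a protocol definition names it
    transport: str
    dest_host: str
    dest_port: int

def _client_matches(clients: Optional[List[str]], client_ip: str) -> bool:
    if clients is None:
        return True
    ip = ip_address(client_ip)
    return any(ip in ip_network(cidr) for cidr in clients)

def _dest_matches(destinations: Set[str], host: str) -> bool:
    return "*" in destinations or host.lower() in {d.lower() for d in destinations}

def evaluate(req: Request, protocol_rules: List[ProtocolRule],
             site_rules: List[SiteContentRule],
             packet_filters: List[PacketFilter]) -> Tuple[str, str]:
    """Stages 1-4 from the text; the first deny ends processing."""
    # Stage 1: protocol rules. A matching deny wins; without a matching allow, refuse.
    hits = [r for r in protocol_rules
            if req.protocol_name in r.protocols and _client_matches(r.clients, req.client_ip)]
    for r in hits:
        if r.action == "deny":
            return "deny", f"protocol rule '{r.name}' denies {req.protocol_name}"
    if not any(r.action == "allow" for r in hits):
        return "deny", f"no protocol rule allows {req.protocol_name}"
    # Stage 2: site and content rules, same deny-overrides-allow logic.
    hits = [r for r in site_rules
            if _dest_matches(r.destinations, req.dest_host) and _client_matches(r.clients, req.client_ip)]
    for r in hits:
        if r.action == "deny":
            return "deny", f"site and content rule '{r.name}' denies {req.dest_host}"
    if not any(r.action == "allow" for r in hits):
        return "deny", f"no site and content rule allows {req.dest_host}"
    # Stage 3: IP packet filters. An explicit block for this transport/port refuses the request.
    for f in packet_filters:
        if f.mode == "block" and f.transport == req.transport and f.port == req.dest_port:
            return "deny", f"packet filter '{f.name}' blocks {req.transport}/{req.dest_port}"
    # Stage 4: nothing denied; routing rules or firewall chaining decide how to send it.
    return "allow", "all stages passed; handed to routing rules / firewall chaining"

# Constructed sample policy (hypothetical names, networks and hosts).
PROTOCOL_RULES = [
    ProtocolRule("Allow Web", "allow", {"HTTP", "HTTPS"}),
    ProtocolRule("Allow FTP", "allow", {"FTP"}),
    ProtocolRule("Allow SMTP", "allow", {"SMTP"}),
    ProtocolRule("No FTP from lab", "deny", {"FTP"}, ["10.20.0.0/16"]),
]
SITE_RULES = [
    SiteContentRule("Allow all sites", "allow", {"*"}),
    SiteContentRule("Block betting site", "deny", {"bets.example"}),
]
PACKET_FILTERS = [PacketFilter("Block outbound SMTP", "block", "tcp", 25)]

def demo() -> Dict[str, Tuple[str, str]]:
    cases = {
        "web": Request("10.10.1.5", "HTTP", "tcp", "www.example.com", 80),
        "office_ftp": Request("10.10.1.5", "FTP", "tcp", "ftp.example.com", 21),
        "lab_ftp": Request("10.20.3.7", "FTP", "tcp", "ftp.example.com", 21),
        "blocked_site": Request("10.10.1.5", "HTTP", "tcp", "bets.example", 80),
        "smtp": Request("10.10.1.5", "SMTP", "tcp", "mail.example.com", 25),
        "gopher": Request("10.10.1.5", "GOPHER", "tcp", "gopher.example.com", 70),
    }
    return {name: evaluate(req, PROTOCOL_RULES, SITE_RULES, PACKET_FILTERS)
            for name, req in cases.items()}

if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:13s} {decision:5s} {why}")
```

The ordering matters: the lab FTP request is refused at stage 1 by the narrower deny even though a broader allow also matches, the betting host is refused at stage 2 although HTTP is allowed, and SMTP passes both rule stages only to be dropped by the packet filter at stage 3.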
LOGS AND REPORTS

You will, over time, use gathered performance data and reports to:
• Understand server workload
• Understand the impact of workload on responses
• Track trends
• Follow the results of changes
• Tune configuration

Logs

The following log files are created by ISA Server:
• IPPDyyyymmdd.log: Information on blocked (by default) and allowed (if configured) packets. To enable the logging of "allowed" packets, check the Log Packets from Allow Filters check box on the IP Packet Filters property page. Note that with the default setting the log records only refused traffic, so it gives no record of the connections that were permitted.

Reports

• Summary reports: Illustrate traffic usage.
• Web usage reports: Top users, common responses, browsers.
• Application usage reports: Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
• Traffic and utilization reports: Total Internet usage by application, protocol, and direction.
• Security reports: Attempts to breach network security.

It is important to note that report summaries are generated every day at 12:30 A.M. This means that data in the reports are not compiled in real time; in fact, they are from at least the day before.

Cache Adjustments

What if your efforts to justify more powerful hardware or another server in the array fail? What then? There are several areas of cache configuration that can aid performance. The cache configuration pages can be used to make some adjustments. For example, you can:
• Reduce the size of the maximum URL cached in memory
• Use scheduled downloads instead of active caching
• Do not cache objects larger than
• Do not cache dynamic content
You may use various authentication modes as part of access rules. Pay particular attention to how your authentication requirements and the ISA client used may impact the function of these rules.

SUMMARY TABLE 9
AUTHENTICATION PROCESSES

Method | Description | Applies To
Basic | Credentials are sent as encoded text characters (Base64, which is trivially decoded; there is no encryption), so this method should only be accepted over an SSL-protected connection | Users with accounts on the ISA Server computer or in a trusted domain of the ISA Server
Digest | Credentials are modified with values that identify the user, computer, and domain, are time stamped, and are then hashed to create a message digest. Hashing is one-way: the digest cannot be reversed to recover the credentials | Users with accounts in a trusted domain of the ISA Server
Integrated | Integrated Windows authentication. Can use Kerberos if W2K domain user accounts are being used from a W2K domain member computer; Kerberos cannot be used in a pass-through scenario. (The authentication protocol depends on the OS and the client account membership involved.) | Windows user accounts
Pass-through | ISA Server can pass a client's authentication information to the destination server | Outgoing and incoming Web requests
Certificates | Certificate Authority issued certificates are used for authentication | Clients, servers
Authentication to external sources may also be an issue. One such problem can be solved by installing the Identd service. When a client operates behind a firewall it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.

Client authentication before a requested access is granted is required in the following circumstances:
• When rules are configured to require membership in specific groups, or the participation of specific users, the ISA Server requires client authentication so it can determine if access is allowed for that user.
• If the HTTP protocol is requested by Web proxy or firewall clients, ISA Server determines if the rule allows anonymous access. If so, and no other configuration blocks the access, then access is allowed. However, if no rule allows anonymous access to HTTP, the ISA Server requires authentication.
• If a firewall client requests access to some other protocol and rules have been configured that require membership in a group, or access is specific to certain users, then authentication is required.
• ISA Server has been configured to always require authentication.

Remote Access Authentication

Authentication choices are defined in Table 9.
Chained Authentication

When a client request is passed from one ISA Server to another, authentication information can also be transferred. However, in some cases the upstream server might not be able to determine the client that is requesting the object. This might be because the upstream server requires that the downstream server use an account in order to connect. In this case, it is this account information that is passed to the upstream server. Otherwise, the client's authentication information will be passed to the upstream server. If authentication information is not required for all clients, then it is possible that access rules that rely on user authentication may not be processed in the manner that you require.
Server interoperability with services that may already be employed in the network should be explored. Information on common network services and ISA Server is detailed here:
• Windows NT 4.0 domains: ISA can be installed on a standalone Windows 2000 server in a Windows NT 4.0 domain.
• ISA Server arrays in a Windows NT 4.0 domain: An ISA Server array requires a Windows 2000 domain. However, this domain can be joined in a trust relationship with a Windows NT 4.0 domain in order to provide services to Windows NT 4.0 clients.
• Routing and Remote Access: ISA Server provides remote connectivity and extends RRAS. ISA can use the dial-up entries configured for RRAS (RRAS can run on the ISA Server). You should allow ISA packet filtering to replace RRAS packet filtering and allow the ISA Server to provide remote connectivity for internal clients.
• IIS Server: IIS is not required on an ISA Server, but it can run on one. However, you should configure Web publishing rules if you wish to allow public users to access the Web server. Set the IIS Server to listen on a port different than port 80, as ISA Server listens for inbound Web requests on that port.
• Internet Connection Sharing (ICS): ISA Server replaces the need to run Internet Connection Sharing.
• IPSec: ISA Server can be configured as an IPSec/L2TP VPN server.
• Terminal Services: May be installed on the ISA Server for remote administration purposes.
• SNMP: May be installed if required to support network management.
• Other applications and services: Running other applications on the ISA Server can be done by creating packet filters which allow their services access. However, if the ISA Server is acting as a firewall, you should avoid statically opening ports (that is, via creating packet filters). In most cases, it is not a good idea to enable additional applications on the ISA Server.

Differences between the Standard and Enterprise editions often come down to the ability to configure enterprise and array level policies, and the ability to create arrays.

Array Types
Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers, instead of directly to the requested source. Chains of distributed arrays are also possible.

Distributed arrays are collections of Enterprise edition ISA Servers and are managed by assigning Enterprise and Array policies. They can only be created using the Enterprise Edition of ISA Server. They offer multiple advantages including centralized management, fault tolerance, and improved processing efficiency.

Three basic policy scopes exist:
• Combined Array and Enterprise policy: Management is potentially split between enterprise and array level policies.
• Array Policy Only: The enterprise policy gives control to the managers of array level policy.
• Enterprise Policy Only: All policies are set at the enterprise level.

Promotion

If an enterprise license is obtained, or if an Enterprise edition ISA Server was installed in standard mode, an ISA Server can be promoted to an array. Changes to policy will occur as defined in Table 11.

Enterprise policy rules that restrict apply to all arrays; however, array policies may contain and enforce more restrictive settings. The enterprise policy settings that govern what arrays may do include:

Setting | Description
Allow publishing rules | Publishing rules can be created to allow access to internal Web servers from the public network
Force packet filtering on this array | Packet filtering will be used to restrict entry. By default, no access is allowed until rules and policies are configured
SUMMARY TABLE 11
ARRAY POLICY MODIFICATION DURING PROMOTION

Enterprise Policy Setting | Change in Policy
Policy managed entirely by arrays | No changes
Policy managed entirely by enterprise | Delete all array policies
Policy managed by enterprise and array | Delete all "allow" policies
Publishing allowed? Yes | Publishing rules retained
Publishing allowed? No | Publishing rules deleted

CARP is enabled in array properties. However, for CARP to work, listeners on each server must be configured to use an address for intra-array communications. You may also want to balance the "load factor" on servers within the array.

Network Load Balancing

To plan and implement Network Load Balancing requires that you:
1. Verify that the ISA Servers which will be in the cluster are installed in the same mode.
2. Assign a unique IP address to the cluster and assign a fully qualified domain name for this address.
3. The primary network address of each ISA Server computer's internal interface adapter will use this cluster address. All ISA Server computers will have the same primary address in the NLB configuration.
4. Assign a unique priority to each machine in the NLB cluster.
5. Set the dedicated IP address to the IP address of the ISA Server's internal network adapter. (This address can be used to individually address a single server.)
6. If a server has two internal network adapters, the one which receives the dedicated address should have a lower metric value (higher priority) than the adapter with the cluster address.
7. If a server has one internal network adapter, the dedicated address should be ordered first.
8. The default gateway for SecureNAT clients will be the cluster IP address. Thus, all SecureNAT requests are handled by Network Load Balancing.

CLIENTS

ISA Server listens for client requests on port 8080. (It listens for Web server requests on port 80.) If an IIS Server is present on the same machine and has not been configured to use different ports, there will be possible conflicts. In addition, Web Proxy clients will either need to do autodiscovery or be configured to use port 8080. (Proxy Server 2.0 listened on port 80 for client requests.) This is also why, during installation, if IIS is installed on the same machine, its WWW Publishing Service is stopped. After installation, IIS should be removed or its listening port changed before the service is restarted. (An IIS on the ISA Server can be published via Web publishing rules or by using IP packet filters.) The client types are distinguished in Table 12.

SUMMARY TABLE 12
DISTINGUISHING CLIENT TYPES

Client Type | Client Configuration Requirements | Protocols that Can Be Used | Client OS Requirements | ISA Server Mode
SecureNAT | Possible for any client; no software is installed, but the client must route Internet traffic to the ISA Server, and protocols needing secondary connections require an ISA Server application filter | Any TCP/IP | Any TCP/IP | Firewall, integrated
Web Proxy | Configure the browser to use the proxy | HTTP, HTTPS, FTP, Gopher | Most any; Web applications can be configured to use the proxy | Caching, integrated, firewall
Firewall | Install the client; configuration file | Winsock applications | Win32 | Firewall, integrated

If each SecureNAT client must be directly visited, then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers will need to be configured to route Internet requests to the ISA Server. Your time and cost will depend on the number of routers that must be configured and the complexity of this configuration change.

If Web proxy or firewall clients need to be configured for automatic discovery, you might need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is the Web Proxy Auto-Discovery (WPAD) protocol.

Many installations of Proxy Server 2.0 will eventually be migrated to ISA Server. It is important to know what will happen to current settings when this is done. First, however, remember that the steps you take during migration are dictated by the variables in Table 13. Then, review the setting modifications explained in Table 14.

SUMMARY TABLE 13
MIGRATION PATH VARIABLES

Variable | Migration Step
Is the Proxy Server a member of an array? | Remove the Proxy Server from the array prior to the migration
Is the Proxy Server on a | No additional steps necessary
(… a Domain Admin or Schema/Enterprise Admin?) |
Will the ISA Server system be a domain member? | Join the Windows 2000 system to the proper domain
Does the Proxy 2.0 NT 4.0 computer meet the minimal and appropriate specification for Windows 2000? | If the Proxy 2.0 system does not meet the minimum requirements for Windows 2000, you will need to upgrade the hardware prior to continuing the migration

Changes necessary after migration are:
• Because ISA Server and Proxy Server listen on different ports for HTTP requests, downstream browsers will have to be reconfigured.
• All network configurations on the ISA Server should be checked for correctness.
• Web publishing under ISA Server doesn't require changes to the published server; however, the server may have had changes configured which now need to be removed.
• SOCKS rules from Proxy Server 2.0 are not migrated; ISA Server uses SOCKS application filters. You may need to configure or adjust these. ISA Server listens on port 1080 for SOCKS requests. This can be changed.
• ISA Server installs with only Windows integrated authentication. This will have the effect that previously supported requests from non-Internet Explorer browsers will be rejected. You will need to configure basic authentication for Web requests.

SUMMARY TABLE 14
PREMIGRATION VARIABLE EFFECT ON PROXY CONFIGURATION MIGRATION

Premigration Variable | Install to Existing ISA Array | Install to New ISA Array | Install ISA Standalone Server
Proxy Server 2.0 standalone | ISA Enterprise configuration determines final configuration | ISA Enterprise configuration set during installation determines final configuration | Retains most Proxy Server 2.0 settings
Proxy Server 2.0 array member | ISA Enterprise configuration determines final configuration | Can utilize array settings from the Proxy Server 2.0 array | Because the Proxy Server was removed from the array before installation, retains most settings from the array
Web Publishing

Keeping Web and other externally accessed servers behind a firewall is a good thing. To make their contents available externally, use publishing. Web publishing configuration is listed in Table 15.

SUMMARY TABLE 15
CONFIGURING WEB PUBLISHING

Step | Description | Required?
Configure Web site domain resolution | Assure that the public Web server address is registered in DNS with the address of the ISA Server that will perform the Web hosting | Yes
Configure destination sets to identify the ISA Servers that will be configured for publishing | The destination set includes the external IP address or names of the ISA Servers that will route the request to the internal Web server. You can choose to use more general terms instead of explicitly identifying the firewall listener on the external interface of the firewall | No
Configure client types to restrict access | Client types include ranges of IP addresses, and specific user accounts | No
Configure the Web publishing rule | |

SSL Bridging

If a published Web server requires SSL access, you may need to make some choices and configure SSL bridging. Your choices are defined in Table 16.

SUMMARY TABLE 16
SSL BRIDGING CHOICES

Redirection Choice | Description
Redirect HTTP requests as HTTP requests | No mystery here.
Redirect HTTP requests as SSL requests | Use this choice to secure HTTP communications between the ISA Server and the internal Web server.
Redirect SSL requests as HTTP requests | The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server would be unencrypted.
Redirect SSL requests as SSL requests | While the SSL channel still terminates at the ISA Server (the client's conversation is secured between itself and the ISA Server), this option requires that a new SSL channel be established between the ISA Server and the Web server.
Require secure channel (SSL) | No conversation takes place if SSL cannot be established.
Require 128-bit encryption | The ISA Server must have the high-encryption pack for Windows 2000 installed to use this feature.
Use a certificate to authenticate to the SSL Web server | If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used.
Publishing Servers on a Perimeter Network

Packet filters must be configured to publish servers which exist on a perimeter network.

H.323

The H.323 Gatekeeper Service is installed as a separate component of ISA Server. Once installed and configured, it provides H.323 Gatekeeper services for registered clients.

The registration database holds the aliases and their matching IP addresses and allows the H.323 Gatekeeper to translate between the two. Connections to those addresses registered in the database are controlled and managed by the gatekeeper using rules defined for the service.

You do not need to use the H.323 Gatekeeper or the registration database to access H.323 services through the ISA Server. However, clients must be registered in the registration database for two types of H.323 communication:
• First, to receive inbound calls through the gatekeeper service to a well-known alias. (A well-known alias can be an email address.)
• Second, if translation services are needed to place outgoing calls. Translation services provide the capability to reference H.323 services that may not have a registered DNS address, for example, a personal email address, a Plain Old Telephone System (POTS) device phone number, and so on.

H.323 RAS alias addressing supported by the H.323 Gatekeeper is of three types from two versions of the protocol (Table 17). Aliases consist of a type and a name.
• Endpoint Q.931 (IP address plus port) addresses
• H.323 RAS addresses for the endpoint
• List of aliases

Several ports are used by this service. They are listed in Table 18.

SUMMARY TABLE 18
H.323 GATEKEEPER PORTS

Port | Use
389 (TCP) | Internet Locator Server
522 (TCP) | User Location Service
1503 (TCP) | T.120

For H.323 proxies outside your organization to locate the ISA Server which hosts the H.323 Gatekeeper service, you must configure a DNS service location resource record. The port number required is 1720.
VPNS

ISA Server can be configured to be a client endpoint in a client-to-server VPN. Two ISA Servers can create a gateway-to-gateway VPN tunnel. Wizards assist the process.

Client to Server VPN Wizard

In the client connection VPN, the packet filters listed in Table 20 are created.

If the ISA Server will not be the VPN endpoint, or if internal clients need to connect to external VPN endpoints, you must create packet filters which allow these protocols to pass through the ISA Server. You might also want to create specific site and content rules and protocol rules to restrict their use.

Gateway to Gateway VPN

Two wizards simplify this setup. Before proceeding to the remote computer to install the remote gateway, examine the changes made on the local ISA Server. Changes are made to the ISA Server system in three areas:
• Computer Management\Users and Groups\Users: Note that a new user has been added with the name of the interface created by the wizard. This new user is configured with "Allow dial-up access" and "Password never expires." The User Must Change Password at Next Logon check box has been cleared. The wizard assigns a strong password to this account and transfers that information to the VPN file. Because that file carries the account's password, move it to the remote gateway over a protected channel and delete the copies afterwards.
• Routing and Remote Access: A demand-dial interface is created and named with the interface name. Inspect the demand-dial interface properties to verify that the remote computer's IP address is correctly configured. Check the options and see that no callback has been configured. Security is configured behind the Advanced button. Note that the check box mandating data encryption is checked.
• ISA Server Management Console: Packet filters for PPTP and/or IPSec have been created. Examine each packet filter to see that the appropriate local computer address (the external IP address of the local ISA Server) and the remote computer address (the external IP address of the remote ISA Server) have been entered.

Routing rules also specify how cached content is used before a request is routed:

Option | Effect
A valid version of the requested object; if none exists, retrieve the request using the specified request action | Only unexpired cached content is returned; otherwise the request is routed.
Any version of the requested object; if none exists, retrieve the request using the specified request action | Even expired content is returned before requests are routed.
Any version of the requested object; never route the request | You get the object if it is there, otherwise tough luck.
No content is ever cached | Nothing is cached.
3-HOMED ISA SERVER

The 3-homed firewall presents a special challenge. For it, only the interface directly connected to the internal network should be included in the LAT. The address of the card connected to the perimeter network should never appear in the LAT. So, both the external interface and the perimeter interface are not in the LAT.

In a 3-homed configuration, both the Internet interface and the perimeter network are considered to be external networks. The Web proxy service can route requests from the internal network to the Internet, but to route Internet requests to the perimeter network requires IP routing. You will create packet filters to allow routing for desired traffic to each server in the perimeter network.

TESTING TOOLS

Although it is not the best tool for detecting open TCP/IP ports on all systems, the netstat command provides a simple way to use the system console to catalog them. Issuing netstat -na from a command prompt lists all client-to-server connections and listening ports. Other netstat parameters can be used to obtain statistics or to see information on a per-protocol (TCP, UDP, ICMP, IP) basis.

A simple way to test ports on a remote system is by using the telnet command. (It's also a good way to test your alerts.) The telnet command, when a port number is appended, attempts to start a session with a service. If the service is listening, it answers, and now that an attacker has identified an open port he can then attempt a service-specific attack on your system. To test a port, you type the telnet command followed by a host
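The telnet test above gives one answer per port, by hand. The following is an added example written for this page rather than taken from it: a small TCP probe in Python that performs the same check with a timeout, so that "filtered" (no answer at all, as when a packet filter silently drops the connection attempt) is distinguished from "closed" (the host actively refuses), and that captures any banner a listening service volunteers, which is what an attacker learns from the same test. It probes a listener that the example itself starts on 127.0.0.1, so it runs offline; the host, ports and banner text are constructed for the example.

```python
import socket
import threading
from typing import Dict, Optional, Tuple

def probe_port(host: str, port: int, timeout: float = 2.0) -> Tuple[str, Optional[str]]:
    """Return (state, banner). state is 'open', 'closed', 'filtered' or 'unreachable'.
    A refused connection means a host answered and nothing listens there; a timeout
    means nothing answered at all, which is what a silently dropping filter looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered", None
        except ConnectionRefusedError:
            return "closed", None
        except OSError as exc:              # e.g. network or host unreachable
            return "unreachable", str(exc)
        # Connected: read whatever the service volunteers, as telnet would display it.
        try:
            banner = s.recv(256).decode("ascii", errors="replace").strip() or None
        except socket.timeout:
            banner = None
        return "open", banner

def _serve_one(srv: socket.socket, banner: bytes) -> None:
    """Accept a single connection, send a greeting, and close (a stand-in service)."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(banner)
    srv.close()

def demo(timeout: float = 2.0) -> Dict[str, Tuple[str, Optional[str]]]:
    # Constructed local listener with an SMTP-style greeting, standing in for a published service.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    threading.Thread(target=_serve_one, args=(srv, b"220 example-smtp ready\r\n"),
                     daemon=True).start()
    # Reserve and release a port so we have one we know is closed.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    return {
        "open": probe_port("127.0.0.1", open_port, timeout),
        "closed": probe_port("127.0.0.1", closed_port, timeout),
    }

if __name__ == "__main__":
    for label, (state, banner) in demo().items():
        print(f"{label:6s} {state:11s} {banner or ''}")
```

To see the "filtered" result, point probe_port at an address behind a packet filter that drops the connection attempt; the call returns after the timeout instead of hanging the way an interactive telnet session would. The banner is the detail worth noting: a service that announces itself on connect hands an attacker its identity before any authentication takes place.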
SUMMARY TABLE 20
VPN CLIENT CONNECTION PACKET FILTERS

Filter | Protocol and Port | Local Address | Remote Address
Allow L2TP protocol IKE packets | UDP (protocol number 17); port 500; both directions | Default IP address on external interface | All remote computers
Allow L2TP protocol packets | UDP (protocol number 17); port 1701; both directions | Default IP address on external interface | All remote computers
Allow PPTP protocol packets (client) | Predefined filter: PPTP call; protocol 47 | Default IP address on external interface | All remote computers
Allow PPTP protocol packets | Predefined filter: PPTP receive | Default IP address on external interface | All remote computers
Study and Exam Prep Tips

These study and exam prep tips provide you with some general guidelines to help prepare for the exams. The information is organized into two sections. The first section addresses your pre-exam preparation activities and covers general study tips. Following this are some tips and hints for the actual test-taking situation.

Before tackling those areas, however, think a little bit about how you learn.

To better understand the nature of preparation for the exams, it is important to understand learning as a process. You probably are aware of how you best learn new material. You may find that outlining works best for you, or you may need to "see" things as a visual learner. Whatever your learning style, test preparation takes place over time. Obviously, you cannot start studying for these exams the night before you take them; it is very important to understand that learning is a developmental process. And as part of that process, you need to focus on what you know and what you have yet to learn.

Learning takes place when we match new information to old. You have some previous experience with computers, and now you are preparing for these certification exams. Using this book, software, and supplementary materials will not just add incrementally to what you know; as you study, you will actually change the organization of your knowledge as you integrate this new information into your existing knowledge base. This will lead you to a more comprehensive understanding of the tasks and concepts outlined in the objectives and of computing in general. Again, this happens as a repetitive process rather than a singular event. Keep this model of learning in mind as you prepare for the exam, and you will make better decisions concerning what to study and how much more studying you need to do.