ISA Server 2000
Everything You Need to Deploy ISA Server in the Enterprise
• Step-by-Step Instructions for Planning and Designing Your
ISA Installation and Deployment
• Hundreds of Authentication Methods, Firewall Features, and
Security Alerts Explained
• Bonus: ISA Server/Exchange 2000 DVD Mailed to You
Dr. Thomas W. Shinder
Debra Littlejohn Shinder
Martin Grasdal
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
solutions@syngress.com
ISA SERVER 2000:
BUILDING FIREWALLS FOR WINDOWS 2000
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement®,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Configuring ISA Server 2000: Building Firewalls for Windows 2000
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-29-6
Technical edit by: Martin Grasdal Copy edit by: Darlene Bordwell
Co-Publisher: Richard Kristof Index by: Jennifer Coker
Project Editor: Maribeth Corona-Evans Page Layout and Art by: Shannon Tozier
Distributed by Publishers Group West
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.
Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
A lot of blood, sweat, and tears (not to mention gallons and gallons of caffeine) went into the making of this book. Our goal was to create the definitive guide to Microsoft’s ISA Server, a reference that can be consulted by network professionals as they roll out ISA on their production networks, a supplement to the formal study guides used by MCP/MCSE candidates in preparation for Exam 70-227, and an “interpreter” for those who find the sometimes overly technical jargon in the Microsoft documentation difficult to understand. It also serves as a record of our ongoing saga of discovery, frustration, confusion, and triumph as we worked with the product and struggled to master its intricacies.
There are many who contributed to the cause, without whose help the book could not have been written. We especially want to recognize and thank the following:
Martin Grasdal, of Brainbuzz.com, our technical editor. Although we moaned and groaned and cursed his name each time we received our chapters back with his many suggestions for wonderful improvements that would take days of work and add dozens of pages, the book would not be half as good (and perhaps not half as long) without his much-appreciated input.
Stephen Chetcuti, of isaserver.org, who provided encouragement, enthusiasm, and a forum in which we were able to promote both the product and this book, and get to know other ISA Server enthusiasts from all over the world.
Joern Wettern, of Wettern Network Solutions and Technical Lead in developing the Microsoft Official Curriculum for Course 2159A, Deploying and Managing Microsoft ISA Server 2000, who provided invaluable help and served as the “official word” on those perplexing questions that did not seem to have an answer.
Sean McCormick, of Brainbuzz.com, technical consultant/writer/Chief Executive Flunkie (CEF) and friend, who provided emotional and psychological support through the dark days (and nights!) when it seemed we might still be working on this book at the turn of the next century.
We also must thank literally dozens of participants in the Microsoft public ISA Server newsgroup and the discussion mailing list and message boards sponsored by isaserver.org. In particular, our gratitude goes to: Rob Macleod, Nathan Mercer, Jason Rigsbee, Trevor Miller, Slav Pidgorny (MVP), Ellis M. George, Jake Phuoc Trong Ha, Terry Poperszky, Vic S. Shahid, Tim Laird, Nathan Obert, Thomas Lee, John Munyan, Wes Noonan, Allistah, Eric Watkins, Rick Hardy, Tone Jarvis, Dean Wheeler, Stefan Heck, Charles Ferreira, Phillip Lyle, Sandro Gauci, Jim Wiggins, Regan Murphy, Nick Galea, Ronald Beekelaar, Russell Mangel, Hugo Caye, and Jeff Tabian. Our apologies for anyone we may have inadvertently left out.
All of the above were instrumental in the development of this book, but any errors or omissions lie solely on the heads of the authors. We have tried hard to make this manuscript as mistake-free as possible, but human nature being what it is, perfection is hard to achieve.
We want to send a very special message of thanks to Maribeth Corona-Evans, our editor. Her patience and understanding in the face of our weeping and wailing and gnashing of teeth has earned her a permanent place in our hearts.
And finally, to Andrew Williams, our publisher, whose e-mail queries regarding when the final chapters were going to be finished demonstrated the utmost in tact and diplomacy—even if undeserved on our part.
Dr. Thomas W. Shinder
Debra Littlejohn Shinder
Contributors
Thomas Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. He has consulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Tom is a Windows 2000 editor for Brainbuzz.com and a Windows 2000 columnist for Swynk.com.
Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on systems engineering. Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms. Tom has contributed to several Syngress titles, including Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4) and Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and is the co-author of Troubleshooting Windows 2000 TCP/IP (1-928994-11-3).
Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an independent technology trainer, author, and consultant who works in conjunction with her husband, Dr. Thomas Shinder, in the Dallas-Ft. Worth area. She has been an instructor in the Dallas County Community College District since 1992 and is the Webmaster for the cities of Seagoville and Sunnyvale, Texas.
Deb is a featured Windows 2000 columnist for Brainbuzz.com and a regular contributor to TechRepublic’s TechProGuild. She and Tom have authored numerous online courses for DigitalThink (www.digitalthink.com) and have given presentations at technical conferences on Microsoft certification and Windows NT and 2000 topics. Deb is also the Series Editor for the Syngress/Osborne McGraw-Hill Windows 2000 MCSE study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task Force, and local professional organizations.
Deb and Tom met online and married in 1994. They opened a networking consulting business and developed the curriculum for the MCSE training program at Eastfield College before becoming full-time technology writers. Deb is the co-author of Syngress’s Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3) and has contributed to Managing Windows 2000 Network Services (ISBN: 1-928994-06-7) and Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4). She is the proud mother of two children. Daughter Kristen is stationed in Sardinia, Italy with the U.S. Navy and son Kristoffer will enter college this fall on a chess scholarship.
This book is dedicated to:
Our families, who believed in us and helped us to believe in ourselves: both Moms, Rich and D, and Kris and Kniki.
The friends and colleagues, many of whom we’ve never “met,” with whom we work and talk and laugh and cry across the miles through the wonder of technology that allows us to build a meeting place in cyberspace.
We also dedicate this book to each other. It is a product of the partnership that is our marriage, our livelihood, and—we hope—our legacy.
DLS & TWS
Technical Editor
Martin Grasdal (MCSE+I, MCT, CNE, CNI, CTT, A+), Director of Cramsession Content at Brainbuzz.com, has worked in the computer industry for over eight years. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a broad range of products, including NetWare, Lotus Notes, Windows NT and 2000, Exchange Server, IIS, and Proxy Server. Martin also works actively as a consultant. His recent consulting experience includes contract work for Microsoft as a Technical Contributor to the MCP Program on projects related to server technologies. Martin lives in Edmonton, Alberta, Canada, with his wife Cathy and their two sons.
Contents
Introduction
Chapter 1 Introduction to
Why “Security and Acceleration” Server? 3
The History of ISA: Microsoft Proxy Server 9
In the Beginning: Proxy Server,
ISA Server Installation Modes 18
Understand how ISA Server fits into .Net
Just as Proxy Server was considered a member of the Microsoft BackOffice Family, ISA Server also belongs to a new Microsoft "family," the members of which are designed to work with Windows 2000 in an enterprise environment. This group of enterprise servers is now called the Microsoft.Net family, or simply ".Net" (pronounced dot-net) servers.
The Microsoft.Net Family of Enterprise Servers 19
The Role of ISA Server in
An Overview of ISA Server Architecture 22
ISA Server Authentication 38
Firewall Features Overview 44
Integrated Intrusion Detection 49
Internet Connection-Sharing Features 52
Unified Management Features 52
Extensible Platform Features 55
Who This Book Is For and What It Covers 56
Summary 60
Introduction 70
Reliability 71
Scalability 72
Designing Enterprise Solutions 83
General Enterprise Design Principles 84
Enterprise Core Services and Protocols 84
The Enterprise Networking Model 85
ISA Server Design Considerations 91
Understanding Multiserver Management 104
Backing Up the Array Configuration Information 105
Planning Policy Elements 108
Understanding ISA Server Licensing 110
Summary 113
Chapter 3 Security Concepts
Introduction 122
Defining Basic Security Concepts 123
Removing Intrusion Opportunities 126
Addressing Security Objectives 129
Controlling Physical Access 130
Physical Access Factors 130
Physical Security Summary 139
Preventing Accidental Compromise
Preventing Intentional Internal
Hiring and Human Resource Policies 142
Detecting Internal Breaches 142
Preventing Intentional Internal Breaches 145
Preventing Unauthorized External
External Intruders with Internal Access 146
Other Protocol Exploits 165
System and Software Exploits 165
Trojans, Viruses, and Worms 166
Categorizing Security Solutions 168
Hardware Security Solutions 168
Hardware-Based Firewalls 168
Other Hardware Security Devices 168
Software Security Solutions 169
Windows 2000 Security Features 169
Designing a Comprehensive Security Plan 170
Assessing the Type of Business 172
Assessing the Type of Data 172
Assessing the Network Connections 173
Assessing Management Philosophy 173
Understanding Security Ratings 174
Designating Responsibility for Network Security 176
Responsibility for Developing the Security Plan and Policies 176
See how to incorporate ISA Server in your security plan
ISA Server’s firewall function prevents unauthorized packets from entering your internal network. ISA also provides monitoring of intrusion attempts as well as allowing you to set alerts to notify you when intrusions occur. This chapter also covers system hardening, Secure Sockets Layer, SSL tunneling, and SSL bridging.
Issues 182
Incorporating ISA Server into Your
ISA Server Intrusion Detection 182
Implementing a System-Hardening
System-Hardening Goals and Guidelines 185
Using the Security Configuration Wizard 186
Using SSL Tunneling and Bridging 187
Summary 192
Chapter 4 ISA Server Deployment
Introduction 202
ISA Deployment: Planning and Designing Issues 202
Assessing Network and Hardware
Network Interface Configuration 210
Active Directory Implementation 216
Mission-Critical Considerations 217
Hard Disk Fault Tolerance 217
Mirrored Volumes (Mirror Sets) 218
RAID 5 Volumes (Stripe Sets
Network Fault Tolerance 223
Bastion Host Configuration 227
Planning the Appropriate Installation Mode 228
Installing in Firewall Mode 229
Installing in Integrated Mode 230
Planning for a Standalone or an
Planning ISA Client Configuration 233
Assessing the Best Solution for Your Network 236
Internet Connectivity and DNS
Introduction 250
Installing ISA Server on a Windows 2000 Server 250
Putting Together Your Flight Plan 250
Installation Files and Permissions 251
CD Key and Product License 251
Active Directory Considerations 252
Disk Location for ISA Server Files 253
Internal Network IDs and the Local
ISA Server Features Installation 254
Installing ISA Server: A Walkthrough 255
Upgrading a Standalone Server to an Array Member: A Walkthrough 267
Performing the Enterprise Initialization 268
Backing Up a Configuration and
Promoting a Standalone Server to
Changes Made After ISA Server Installation 278
Migrating from Microsoft Proxy Server 2.0 278
What Gets Migrated and What Doesn’t 278
Functional Differences Between Proxy Server 2.0 and ISA Server 281
Learn the ISA Server Vocabulary 285
Upgrading Proxy 2.0 on the
Introduction 300
Understanding Integrated Administration 300
The ISA Management Console 301
Adding ISA Management to a
■ The Web cache is stored as a single file.
■ There is no SOCKS service.
■ The firewall client doesn’t support 16-bit
Adding and Removing Computers 335
Promoting a Standalone ISA Server 336
Using Monitoring, Alerting, Logging, and
Creating, Configuring, and Monitoring Alerts 338
Creating and Configuring Alerts 338
Viewing Generated Reports 356
Configuring Sort Order for
Configuring the Location for Saving
Understanding Remote Administration 365
Installing the ISA Management Console 365
Managing a Remote Standalone Computer 365
Remotely Managing an Array or Enterprise 366
Using Terminal Services for Remote
Everything you need to manage ISA Server
ISA Management can be added to a custom MMC.
Chapter 7 ISA Architecture
Introduction 378
Understanding ISA Server Architecture 379
How the Firewall Service Works 382
The Network Address Translation
The Scheduled Content Download Service 385
ISA Server Services Interactions 386
Configuration Changes and ISA Server
Installing and Configuring ISA Server Clients 390
SecureNAT Clients on Simple Networks 391
SecureNAT Clients on “Not-Simple” Networks 392
Limitations of the SecureNAT Client 394
Manually Configuring the
Configuring the SecureNAT
Advantages of Using the Firewall Client 398
Disadvantages of Using the Firewall Client 399
Hundreds of security alerts, undocumented hints, and ISA Server mysteries make sure you don’t miss a thing
SECURITY ALERT!
SecureNAT clients must be configured with the address of a DNS server that can resolve Internet names. You can use a DNS server located on the Internet (such as your ISP’s DNS server), or you can configure an internal DNS server to use a forwarder on the Internet. Unlike the RRAS NAT Service, the ISA server does not perform DNS Proxy Services for the SecureNAT clients.
Command-Line Parameters for a
Automatic Installation 408
Configuring the Firewall Client 411
Automating the Configuration
Firewall Service Client
Why You Should Configure the
DNS Considerations for the
Configuring the Web Proxy Client 430
Autodiscovery and Client Configuration 433
Summary 435
Chapter 8 Configuring ISA Server
Introduction 444
Configuring the Server for Outbound Access 444
Configuring Listeners for Outbound
Routing to a Linux Squid Server 461
Answers all your questions about configuring outbound access
Q: I want to prevent users from gaining access to .MP3 files from the Napster site. Is there an easy way to do this?
A: Yes. Configure a site and content rule that prevents downloading of .MP3 files. If you are interested in blocking only .MP3 files, you can create a new content group in the Policy Elements node and then use this content group to create the site and content rule to limit the download of MP3s.
Building the Routing Table 473
Configuring the Local Domain Table 475
Creating Secure Outbound Access Policy 477
Creating and Configuring Policy Elements 479
Creating a Site and Content Rule 509
Managing Site and Content Rules 513
Protocol Rules Depend on Protocol Definitions 516
Creating a Protocol Rule 517
Creating a Protocol Rule to Allow
Multiple Protocol Definitions:
Creating a Protocol Rule to Allow Access to Multiple Primary Port Connections 522
Managing Protocol Rules 522
Understanding and Configuring the Web
Cache Configuration Elements 539
Configuring HTTP Caching 539
Configuring FTP Caching 541
Configuring Active Caching 542
Configuring Advanced Caching Options 544
Scheduled Content Downloads 546
Summary 551
Chapter 9 Configuring ISA Server
Introduction 558
Configuring ISA Server Packet Filtering 558
How Packet Filtering Works 558
When Packet Filtering Is Disabled 559
Static versus Dynamic Packet Filtering 559
When to Manually Create Packet Filters 560
Supporting Applications on the ISA Server 571
Publishing Services on Perimeter Networks
Routing between Public and Private Networks 575
Packet Filtering/Routing Scenarios 576
Packet Filtering Enabled with IP
Enabling Intrusion Detection 580
Application Filters That Affect Inbound Access 581
DNS Intrusion Detection Filter 581
Configuring the H.323 Filter 582
POP Intrusion Detection Filter 583
Configuring the SMTP Message Screener 587
Designing Perimeter Networks 595
Limitations of Perimeter Networks 595
Perimeter Network Configurations 596
Back-to-Back ISA Server Perimeter Networks 596
Tri-homed ISA Server Perimeter Networks 599
Publishing Services on a Perimeter Network 600
Publishing FTP Servers on a Perimeter Network 602
Enabling Communication between Perimeter Hosts and the Internal Network 603
Bastion Host Considerations 604
Configuring the Windows 2000
Summary 607
Chapter 10 Publishing Services
Publishing Services on a Perimeter Network 614
Bridging Secure Connections as SSL Requests 650
Publishing a Secure Web Site via
Server Publishing Rules 653
Limitations of Server Publishing Rules 654
You Can Publish a Service Only Once 654
You Cannot Redirect Ports 655
You Cannot Bind a Particular External Address to an Internal IP Address 655
Server Publishing Bypasses
SecureNAT Does Not Work for All Published Servers 656
You Cannot Use Destination Sets in Server Publishing Rules 656
Preparing for Server Publishing 656
ISA Client Configuration 657
Server Publishing Walkthrough—Basic Server Publishing 658
Secure Mail Server Publishing 662
You must configure a packet filter for the TZO client software to work correctly. Remember that all applications on the ISA server that require external network access require static packet filters. The packet filter settings are:
Filter type: Custom
IP protocol: TCP
Direction: Outbound
Local port: Dynamic
Remote port: Fixed Port
Remote port number: 21331
Configuring ISA Server to Support
Publishing a Terminal Server 667
Terminal Server on the ISA Server 668
Terminal Server on the Internal Network and on the ISA Server 669
Terminal Services Security Considerations 671
Publishing a Web Server Using Server Publishing 672
The H.323 Gatekeeper Service 674
Gatekeeper-to-Gatekeeper Calling 677
NetMeeting Clients on the Internet 680
Configuring the Gatekeeper 682
Configuring VPN Client Access 693
Gateway-to-Gateway VPN Configuration 695
Configuring the Local VPN 695
Configuring the Remote VPN 700
Testing the Configuration 702
Summary 704
Chapter 11 Optimizing, Customizing,
Introduction 714
Optimizing ISA Server Performance 714
Establishing a Baseline and Monitoring Performance 716
Defining Threshold Values 717
Using the Performance Monitor Tools 717
Addressing Common Performance Issues 742
Addressing Network Bandwidth Issues 742
Addressing Load-Balancing Issues 746
Cache Configuration Issues 748
Editing the Windows 2000 Registry to Tune ISA Performance Settings 752
Using the ISA Server Software Developer’s Kit 755
Types of Add-on Programs 758
Overview of Available Add-on Programs 760
Integrating ISA Server with Other Services 760
Understanding Interoperability with
Standalone versus Array Member 761
The Active Directory Schema 761
ISA Server and Domain Controllers 762
Understanding Interoperability with Routing and Remote Access Services 762
Understanding Interoperability with Internet Information Server 764
Publishing IIS to the Internet 764
Understanding Interoperability with
How IPSec Is Configured in
Integrating an ISA Server into a
Enterprise Configurations 771
Backing Up and Restoring an Array Configuration 772
Master the Windows Messenger Service
A Network Message Is Sent to the Specified Account When the Alert Is Triggered
Backing Up and Restoring an Enterprise Configuration 773
Summary 775
Introduction 784
Understanding Basic Troubleshooting Principles 785
Troubleshooting Guidelines 786
The Five Steps of Troubleshooting 786
ISA Server Exhibits Odd Behavior When Windows 2000 NAT Is Installed 803
Internal Clients Are Unable to Access External Exchange Server 804
Initial Configuration Problems 804
Unable to Renew DHCP Lease 804
Failure of Services to Start After Completing Installation 805
Inability to Join Array 805
Inability to Save LAT Entry 806
ISA Server Control Service Does
Ability of Clients to Continue Using a Specific Protocol After Disabling of Rule 813
Inability of ISA Server to Dial Out to
Dial-up Connection Is Dropped 814
Inability of PPTP Clients to Connect
Troubleshooting ISA Client Problems 815
Client Performance Problems 815
Slow Client Connection: SecureNAT Clients 815
Slow Internal Connections: Firewall Clients 816
Client Connection Problems 816
Inability of Clients to Connect via Modem 817
Inability of SecureNAT Clients to Connect to the Internet 817
Inability of Clients to Connect to
Inability of SecureNAT Clients to Connect Using Computer Names 819
Inability of SecureNAT Clients to Connect to a Specific Port Due to
Introduction
Security is a significant concern for any organization. If the organization has to have a presence on or a connection to the Internet, it will also have special needs to protect itself from unwanted intrusion and attacks from malicious and hostile sources. The growth of the Internet has been accompanied by the growth in the numbers and sophistication of hackers and the tools available to them. As many organizations and home users who have a permanent connection to the Internet can attest, there is no shortage of people who want to scan ports or break into systems. The wide availability of inexpensive, high-bandwidth connections, such as cable modems and ADSL, has resulted in large increases in the number of people who are continuously connected to the Internet, thus increasing their risk for attack.
High-bandwidth connections have also made many forms of hacking a lot easier for more people. The wide availability of software designed to compromise the security of systems connected to the Internet is making the risks even greater. Malicious users do not now have to be particularly talented or knowledgeable to compromise systems that lack strong protection.
It is against this background that the market for firewall products has exploded. Five or ten years ago, there were relatively few players in the firewall market, and most of the products were expensive, some costing tens of thousands of dollars. Today, there are many firewall products on the market. In response to a real need, firewall products are widely used by almost every kind of user connected to the Internet, from home users to large corporations.
Internet Security and Acceleration Server (ISA Server) is Microsoft’s latest entry into the firewall market. Its opening debut was impressive: within less than 30 days of its release in late 2000, it had already achieved ICSA Labs Certification for firewalls. Anyone familiar with ISA Server’s predecessors, Proxy Server 1.0 and 2.0, will recognize that ISA Server represents a significant improvement and advance on those products.
—Martin Grasdal, MCSE+I, MCT, CNE, CNI, CTT, A+ Director, Cramsession Content, BrainBuzz.com
ISA Server shares most of the features and strengths of Proxy Server, but it also builds on them. The result is a scalable, enterprise-ready product that will be widely adopted by many corporations. Although easy to install, ISA Server is also a complex product that requires skill and knowledge to implement properly. It is also a very serious product that plays a critical role in your network infrastructure. ISA Server is not the kind of product you set up on your production network to play with or take lightly. Nor is it the kind of product that is necessarily easy to use or implement; it is certainly not the kind of product that is going to give you everything you want simply by virtue of having it installed and connected to your network.
One of the primary goals of Configuring ISA Server 2000: Building Firewalls for Windows 2000 is to give readers information that will assist them in deploying and configuring ISA with the security and performance needs of their networks in mind.
Microsoft released Proxy Server 1.0 in November 1996. I first became familiar with Proxy Server 1.0 in the late Fall of that year when I attended one of the first T-Preps (Trainer Preparation courses) on the product to qualify me to teach the official Microsoft course for it. There was a great deal of excitement in that classroom about the product. Here was a product that had some of the desirable characteristics of a firewall, such as circuit layer and application layer security, combined with the notable advantages of content caching.
At the time, the Winsock Proxy client seemed almost revolutionary. It worked extremely well in providing transparent access to Internet resources other than Web pages. And, the fact that you could, with some effort, configure Proxy Server 1.0 to act as an IPX to IP gateway seemed to make it a great solution for providing a comfortable level of security, if that was your primary concern.
However, it soon became apparent that the product had some way to go in order to win acceptance as a solution for securing networks. Although Proxy Server 1.0 did provide security at the circuit and application layer, it did not provide packet filtering, alerts, or the ability to provide detailed logs. Thus, it could not be considered a firewall product, even though it did provide a fair degree of protection on the perimeter of the network.
What Proxy Server 1.0 did provide that made it attractive to corporate users was its ability to provide content caching and to control access to Internet sites. With content caching, Proxy Server 1.0 was able to create savings on the use of bandwidth while making the apparent speed of Web access faster.
In 1996, good bandwidth to the Internet was relatively expensive. As a result, content caching became very attractive to many companies interested in keeping costs down. But, even in this area, Proxy Server 1.0 fell short for larger corporations.
Proxy Server 2.0 also provided real-time alerts so that administrators could be notified when attempts to penetrate the network were made. SOCKS support was added so that non-Microsoft clients, such as Unix workstations that could not use the Winsock Proxy client, would not be limited to using CERN-compliant Web browsers for Internet access. Proxy Server 2.0 also introduced the ability to publish internal Web servers and to do server proxying. With this functionality, it was now possible to make most services running on your internal network available to users on the Internet.

Like its predecessor, Proxy Server 2.0 provided content caching. Here, Microsoft also made a number of significant improvements. Content caching was now scalable across multiple servers using either distributed or hierarchical caching. With distributed caching, administrators could create a content cache that was distributed in an array of multiple servers without duplicating any content among the caching servers. Caching arrays provided both fault tolerance and load balancing.

With hierarchical caching, administrators could connect proxy servers in a chain for content caching. Hierarchical caching was ideal for companies that had branch offices. If content could not be found in the cache of the local branch office Proxy Server, the request for content could be subsequently routed to the Proxy Server at the main office. Another significant improvement was the addition of active caching, which allowed the Proxy Server to automatically refresh commonly requested objects in the cache during periods when the server was relatively idle. This provided even better caching performance.

In spite of these improvements, Proxy Server 2.0 was not without its critics or its shortcomings. For one thing, server hosting was complicated and somewhat unreliable. To allow your internal Exchange Server, for example, to receive mail from the Internet, you had to install the Winsock Proxy client on the Exchange Server and then configure a WSPCFG.INI file with the proper settings that would “bind” a listening port for SMTP traffic on the external interface of the Proxy Server.
Introduction xxxv
This created a configuration in which the Proxy Server would listen for SMTP requests on behalf of the internal Exchange server. It also required that a control channel be constantly maintained between the Exchange and the Proxy server. If the channel were lost for any reason, you would not be able to receive SMTP mail. In order to regain SMTP functionality after losing the control channel, the only solutions were to reinitialize services or reboot the computers. Although this kind of situation did not happen very often, it happened often enough to cause me to have some serious reservations about using Proxy Server 2.0 in large-scale deployments that required 7x24 SMTP functionality.

But, perhaps the most significant perceived shortcoming of Proxy Server 2.0 was its lack of ICSA Labs Certification for firewalls. Because Proxy Server 2.0 did not have ICSA Labs Certification, many people inferred that it could not, as a consequence, be considered a firewall or that it did not provide a high degree of protection. These inferences were perhaps unwarranted and unfair.

What prevented Proxy Server 2.0 from achieving the ICSA Labs Certification may have had little to do with the amount of security that it did or did not provide. Rather, the inability to achieve ICSA certification may have had more to do with the fact that proprietary client software, such as the Winsock Proxy client, was required to provide inbound and outbound traffic for some of the required services. The ICSA certification criteria are strict and explicit in this regard: no special or proprietary client software is allowed to provide inbound and outbound access for the required protocols, which include DNS, SMTP, HTTP(S), TELNET, and FTP.

The lack of ICSA Labs Certification no doubt hurt sales of Proxy Server 2.0. Many companies had policies in place that prevented them from even considering a firewall product unless it had ICSA certification. If you were to review newsgroup posts leading up to the release of ISA, you would find that one of the most common questions about ISA Server was whether it had ICSA certification.

ISA Server achieved the ICSA Labs Certification in January of 2001. The speed at which Microsoft was able to achieve ICSA certification was unusually fast. As a result of the ICSA certification and the fact that ISA Server is able to provide the same degree of security that people have come to expect from products that have had ICSA certification, ISA Server is likely to be adopted on a much wider scale than Proxy Server 2.0.

It should be noted, however, that in order to configure ISA Server to conform to the ICSA 3.0a criteria for firewall testing, you will have to do things like disable the Web Proxy service. You will find information in this book that will help you in
One of the key differences is that ISA Server now comes in two editions, Standard and Enterprise. The Standard edition is a good, economical choice for smaller companies that have no need for caching arrays consisting of multiple servers, nor the need to control enterprise-wide array policies through Active Directory. Larger companies may wish to purchase the more expensive Enterprise edition in order to take advantage of the centralized policy administration that integration with Active Directory makes possible.

Another significant change and improvement is that ISA Server supports SecureNAT (Network Address Translation). This means that it is no longer necessary to install the Winsock Proxy client in order to use protocols other than HTTP(S) and FTP through the ISA Server. The result is that you no longer need to configure SOCKS to provide Internet access for your Macintosh and Unix clients.

You will find, as a consequence, that SOCKS support is significantly scaled back in ISA Server. Even though you no longer need to install the Firewall client in order to provide access to Internet resources, you may nonetheless want to install it in order to control outbound access by user and group name.

This book provides you with lots of information on the advantages and disadvantages of configuring your internal computers as SecureNAT or Firewall clients, and when it is appropriate to configure clients as either one or the other.

Providing access to internal Web servers and other services has also changed a great deal from Proxy Server 2.0. There are special wizards for publishing Web and Mail servers. Server Publishing is now accomplished through SecureNAT. Server Publishing no longer requires that you install the Winsock Proxy client on an internal server and configure a WSPCFG.INI file to bind the appropriate ports to the external interface of the ISA Server. However, ISA Server still supports this method of Server Publishing for backward compatibility and to provide a means for publishing applications that use secondary connections and for which you would otherwise require an application filter.
www.syngress.com
You will find that ISA Server comes with a number of application filters to handle inbound and outbound access for a number of protocols. It includes an application filter for handling FTP traffic. It also includes application filters for SMTP, HTTP redirection, DNS intrusion detection, Streaming Media, and H.323, among others.

ISA Server provides an H.323 Gatekeeper and Gateway to provide registration and calling services for H.323 compliant clients, such as Netmeeting. With the H.323 Gatekeeper and Gateway, Netmeeting clients can use full audio and video to communicate with one another on the internal network and on the Internet. Calls from the Internet can also be placed to internal Netmeeting clients that are registered with the Gatekeeper.

Understanding and configuring these components will challenge a number of administrators. This book provides some clear explanations and demonstrations of working configurations of the H.323 components. In fact, we found the H.323 functionality of ISA Server helpful in facilitating our own communication during the writing of this book.

Like Proxy Server 2.0, ISA Server supports VPNs. However, unlike its predecessor, ISA Server now makes it possible for internal clients to connect to VPN servers on the Internet. This will come as a welcome improvement to many. Another important improvement is the introduction of wizards to help step you through the creation of VPN configuration. If you want to create a demand-dial VPN connection with a remote ISA Server, for example, you will find that the VPN wizards do a superb job of making the setup straightforward. The ISA Server wizards are, in fact, a big improvement in comparison to the Routing and Remote Access wizards.

You will find that this book contains a good balance of explanations and practical walk-throughs that will step you through various configurations of ISA Server. Although many of the wizards, in particular the VPN wizards, greatly help to simplify the administration and configuration of ISA Server, wizards are not always helpful for providing the conceptual background to what you are doing.

Wizards make it easy for you to accomplish the steps in a process that will result in a complete and successful configuration. But, often, people perform the steps as part of a sequence of individual steps, each of which appears in isolation and not as part of a contextual whole. It is helpful to know why you are performing a particular step and to place that step properly into the larger context of the goal. We hope that you find the many walk-throughs in this book do just that: provide explanations that will help to deepen your understanding of the product and that will make it easier for you to see your actions in the context of a wider whole.
In writing this book, the authors were always aware that both inexperienced and experienced administrators alike would read it. So, you will find that this book contains a good deal of background exposition on important topics, such as security. Chapter Three, for example, is entirely devoted to explaining important and relevant security concepts. Here you will learn what “Spoofing” is and what comprises a “Smurf” attack. Plus, the authors, one of whom has experience in law enforcement, discuss at length some of the security precautions you should take that go beyond the mere configuration of your ISA Server.

Protecting yourself against Social Engineering is important and should not be ignored, as the people at VeriSign discovered when they inadvertently gave Microsoft’s digital certificates to an imposter. You will also find that the book provides some very good background information on concepts that are germane to firewall design and management. For example, the authors provide a thorough explanation of the Department of Defense TCP/IP and the OSI models in the context of firewalls. These explanations serve to help clarify some of the terms connected with firewalls, such as “circuit filtering” and “application filtering.”

Installing and implementing ISA Server on your network is no trivial matter and should be undertaken only after careful and thoughtful consideration. Consequently, you will also find plenty of information in this book to help you deploy ISA Server so that your network will benefit from both the security and the performance improvements it provides. Because ISA Server is appropriate for both small and large networks, the book also provides information for planning to install ISA Server as a standalone server and as an Enterprise Array that requires either centralized or distributed administration.

The book’s length is a reflection of the complexity of the product and the amount of detail we felt it necessary to provide. You will find that Configuring ISA Server 2000: Building Firewalls for Windows 2000 is systematically organized and that it provides a thorough and detailed exploration of the product.

The first chapter begins by providing information on the features of ISA Server and then discusses its scalability as an enterprise product. This chapter also provides detailed information on Active Directory concepts. In the second chapter, we provide a detailed discussion of security concepts. This is followed by a chapter on planning for ISA Server, in which you will find information on both hardware and infrastructure considerations.

We recognize that you need to plan for a secure configuration for the Windows 2000 Server on which you will install ISA Server, so we provide detailed information