Windows Server 2003 interview and certification questions
By admin | December 7, 2003
1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini
timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.
2. What do you do if earlier application doesn’t run on Windows Server 2003?When an application that ran on an earlier legacy version of Windows cannot be
loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup
program and selecting Properties –> Compatibility –> selecting the previously supported operating system.
3. If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade
from ME and 98 to Windows Server 2003.
4. How do you get to Internet Firewall settings? Start –> Control Panel –> Network and Internet Connections –> Network Connections.
5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B
moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search
panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT+ M
undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.
6. What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to
authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers,
documents, and devices. Each object has certain attributes and its own security access control list (ACL).
7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory
replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
8. How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site
immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and
modifications to the Local Security Authority (LSA).
9. What’s new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation
Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs
debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records.
The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with
the Active Directory Installation Wizard.
10. When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand
names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
11. How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a
server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in
another forest; and (4) user principal name (UPN) credentials.
12. What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager
(optional, available from adminpak)
13. What types of classes exist in Windows Server 2003 Active Directory?
Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created.
Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary
classes. Think of abstract classes as frameworks for the defining objects.
Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined
alternative by applying a combination of attributes with a single include action.
88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract,
and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.
14. How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active
Directory.
15. What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one
GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
16. How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security
identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which
determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user
attempts to access.
17. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you
delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
18. What do you do with secure sign-ons in an organization with many roaming users? Credential Management feature of Windows Server 2003 provides a
consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a
secure store of user credentials that includes passwords and X.509 certificates.
19. Anything special you should do when adding a user that has a Mac? "Save password as encrypted clear text" must be selected on User Properties Account Tab
Options, since the Macs only store their passwords that way.
20. What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback.
21. Where are the documents and settings for the roaming profile stored? All the documents and environmental settings for the roaming user are stored locally on
the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a
new system the logon process may take some time, depending on how large his profile folder is.
22. Where are the settings for all the users stored on a given machine? \Document and Settings\All Users
23. What languages can you use for log-on scripts? JavaScipt, VBScript, DOS batch files (.com, .bat, or even .exe)
Technical Interview Questions – Networking
What is an IP address?
A unique string of numbers separated by periods that identifies each computer attached to the Internet
What is a subnet mask?
A subnetwork, or subnet, is a logically visible, distinctly addressed part of a single Internet Protocol network.RFC 950, Internet Standard Subnetting Procedure, J.
Mogul, J. also called netmask
What is ARP?
What is ARP Cache Poisoning?
ARP stands for Address Resolution Protocol.
Every computer in a LAN has 2 identifiers: IP and MAC address. IP is either entered by the user or dynamically allocated by a server. But the MAC
address is unique for any Ethernet card. For example, if you have 2 ethernet cards, one for wired and the other for WiFi, you have 2 MAC addresses on
your machine. The MAC address is a hardware code for your ethernet card.
The communications between computers is done on the IP level. Means that if you want to send a file to a computer, you need to know the other
computer IP.
Now, ARP is the protocol that matches every IP with a certain MAC address in ARP table that is saved on your switch in your LAN.
ARP cache poisoning is changing this ARP table on the switch.
For Normal case, when a machine tries to connect to another machine. The first machine goes to the ARP table with the other machine IP, the ARP
table provide the MAC address for the other machine and the communication starts.
But if someone plays with the table, the first machine goes with the IP and the ARP table will provide a faulty MAC address to a 3rd machine who wants
to intrude through your communication.
This Kind of attach is known as "Man in the Middle".
What is the ANDing process?
What is the ANDing process?
When a source host attempts to communicate with a destination host, the source host uses its subnet mask to determine whether the destination host is on the local
network or a remote network. This is known as theANDing process.
The AND function has the following properties:
1. If the two compared values are both 1, the result is 1.
2. If one of the values is 0 and the other is 1, the result is 0.
3. If both of the compared values are 0, the result is 0.
What is a default gateway? What happens if I don't have one?
A Default gateway is a node (a router) on a TCP/IP Network that serves as an access point to another network.a default geteway is used by a host when the
ip's packet destination address belongs to someplace outside the local subnet,
Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
If we are using public ip address, we can browse the internet. If it is having an intranet address a gateway is needed as a router or firewall to
communicate with internet.
***********************************************
Without default gateway you cannot browse internet. It doesnt matter if you are on public or private network. Default Gateway is
required to route your IP packets from your network to the other networks
What is a subnet?
What is APIPA?
Automatic Private IP Addressing
is a feature used in Windows operating systems. It comes into action only when DHCP (Dynamic Host Configuration Protocol) servers are available. When the
DHCP client first comes on, it will try to establish a connection with the DHCP server in order to get an IP address. It is when this server is (or at a later point
becomes) unavailable, that APIPA will kick in.
What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)
A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be submitted by anyone. Eventually, if it gains
enough interest, it may evolve into an Internet Standard Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to
an original RFC are assigned a new RFC number.
What is RFC 1918?
What is CIDR?
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing
more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly
increased. CIDR is now the routing system used by virtually all gateway hosts on the Internet's backbone network. The Internet's regulating authorities now
expect every Internet service provider (ISP) to use it for routing.
You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will
you use?
If you need to divide it up into the maximum number of subnets containing at least 500 hosts each, you should use a /23 subnet mask. This will provide you
with 128 networks of 510 hosts each. If you used a /24 mask, you would be limited to 254 hosts. Similarly, a /22 mask would be wasteful, allowing you 1022
hosts.
You need to view at network traffic. What will you use? Name a few tools
winshark or tcp dump
You can use Network Monitor. http://support.microsoft.com/kb/148942 You can also use Etheral
How do I know the path that a packet takes to the destination?
What does the ping 192.168.0.1 -l 1000 -n 100 command do?
What is DHCP? What are the benefits and drawbacks of using it?
Benefits:
1. DHCP minimizes configuration errors caused by manual IP address configurationDHCP minimizes configuration errors caused by manual IP address
configuration
2. Reduced network administration.
Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and
therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
Benefits:
1. DHCP minimizes configuration errors caused by manual IP address configurationDHCP minimizes configuration errors caused by manual IP address
configuration
2. Reduced network administration.
Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and
therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
Describe the steps taken by the client and DHCP server in order to obtain an IP address.
This process of assigning the IP addresses by the DHCP server also known as DORA (Discover Offer Request and Acknowledgement).
1. Client makes a UDP Broadcast to the server about the DHCP discovery.
2. DHCP offers to the client.
3. In response to the offer Client requests the server.
4. Server responds all the Ip Add/mask/gty/dns/wins info along with the acknowledgement packet.
What is the DHCPNACK and when do I get one? Name 2 scenarios.
What ports are used by DHCP and the DHCP clients?
Requests are on UDP reversed port 68
&
Server replies on UDP reversed port 67
Describe the process of installing a DHCP server in an AD infrastructure.
What is DHCPINFORM?
Describe the integration between DHCP and DNS.
What options in DHCP do you regularly use for an MS network?
What are User Classes and Vendor Classes in DHCP?
How do I configure a client machine to use a specific User Class?
What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?
DNS zones – describe the differences between the 4 types.
DNS record types – describe the most important ones.
Describe the process of working with an external domain name
Describe the importance of DNS to AD.
Describe a few methods of finding an MX record for a remote domain on the Internet.
What does "Disable Recursion" in DNS mean?
What could cause the Forwarders and Root Hints to be grayed out?
What is a "Single Label domain name" and what sort of issues can it cause?
What is the "in-addr.arpa" zone used for?
What are the requirements from DNS to support AD?
How do you manually create SRV records in DNS?
Name 3 benefits of using AD-integrated zones.
What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
What are the benefits and scenarios of using Stub zones?
What are the benefits and scenarios of using Conditional Forwarding?
What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
How do I work with the Host name cache on a client computer?
How do I clear the DNS cache on the DNS server?
What is the 224.0.1.24 address used for?
What is WINS and when do we use it?
Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
Describe the differences between WINS push and pull replications.
What is the difference between tombstoning a WINS record and simply deleting it?
Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
Describe the role of the routing table on a host and on a router.
What are routing protocols? Why do we need them? Name a few.
What are router interfaces? What types can they be?
In Windows 2003 routing, what are the interface filters?
What is NAT?
What is the real difference between NAT and PAT?
How do you configure NAT on Windows 2003?
How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
What is IAS? In what scenarios do we use it?
What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
What is the "RAS and IAS" group in AD?
What are Conditions and Profile in RRAS Policies?
What types or authentication can a Windows 2003 based RRAS work with?
How does SSL work?
How does IPSec work?
How do I deploy IPSec for a large number of computers?
What types of authentication can IPSec use?
What is PFS (Perfect Forward Secrecy) in IPSec?
How do I monitor IPSec?
Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
What can you do with NETSH?
How do I look at the open ports on my machine?
The next article in this series will cover Active Directory questions!
Windows Server 2003 Active Directory and Security questions
By admin | December 7, 2003
1. What’s the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native
mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It’s group policy inheritance model, where the policies are applied toLocal machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exist, it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take
priority.
9. You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame–> User Configuration–>
Windows Settings–> Remote Installation Services–> Choice Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software
Installer, rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it
uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group Policy in Windows Server 2003 determines a users right to
modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is
removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those
who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS
provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.
24. Explan the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which
he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he
can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive?Permissive, if at least one group has Allow permission for the file/folder, user
will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive?Restrictive, if at least one group has Deny permission for the file/folder, user
will be denied access, regardless of other group permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory
tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-
tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple
connections to the same data residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access
Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain
controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS,
changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp is attached to the initial client request, encrypted with
the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash
Algorithm 1 (SHA-1), produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate
request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any
account that’s part of the Administrators group.
40. If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically
the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for password and then compare the hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.
1. What are the ways to configure DNS & Zones?
2. What are the types of backup? Explain each?
3. What are Levels of RAID 0, 1, 5? Which one is better & why?
4. What are FMSO Roles? List them.
5. Describe the lease process of the DHCP server.
6. Disaster Recovery Plan?
7. What is scope & super scope?
8. Differences between Win 2000 Server & Advanced Server?
9. Logical Diagram of Active Directory? What is the difference between child domain & additional domain server?
10. FTP, NNTP, SMTP, KERBEROS, DNS, DHCP, POP3 port numbers?
11. What is Kerberos? Which version is currently used by Windows? How does Kerberos work?
1. GAL, Routing Group, Stm files, Eseutil & ininteg - what are they used for?
2. What is MIME & MAPI?
3. List the services of Exchange Server 2000?
4. How would you recover Exchange server when the log file is corrupted
1. Group Policies - how to apply and order in which they apply.
2. Global catalog servers - how many is a specific two plus site implementation
3. Describe different zones and a scenario in which you would use them
4. What is the system state?
5. What is a Global Catalog server?
6. What is an OU?
7. What Ms tools (standard) are used to troubleshoot AD issues?
What tools from the Support kit and resource kit can aid troubleshooting?
What the standard mistakes made when setting up Ms products?
8. What do you have to do to secure a Exchange server from being a relay?
9. When a full backup runs what does it do to the log files?
10. What the basic steps to recovering a Lost Exchange/DC server?
11. How do you build redudancy in to DNS?
12. How can you secure AD DNS?
ISA Server (Internet Security and Acceleration Server)
Even after all these years that the ISA Firewall has been out in the wild, I’m surprised to hear from people who have never heard of it, or more
surprisingly, aren’t sure what the ISA Firewall is all about. I suppose I shouldn’t be that surprised – just because I work with the ISA Firewall
everyday doesn’t mean that anyone else should necessarily know anything about it. I’m sure that Office Communications Server MVPs would be
shocked by my lack of knowledge on their product
But even people who have heard of the ISA Firewall aren’t completely sure what it’s all about. If you go to thewww.microsoft.com/isaserver site you
won’t find a good description of what the ISA Firewall is, and even if you look around here at www.isaserver.org, you’ll find plenty of articles on how
to make the ISA Firewall work, but there’s really nothing here that provides a good Q & A about the ISA Firewall that would allow someone new to it
to have a good idea of what it’s all about.
To help solve this problem, I’ve put together a table of questions and answers that help clarify what the ISA Firewall is, what it isn’t, and most
importantly, what the ISA Firewall can do to help secure your organization.
Frequently Asked Questions
Question Answer
Is ISA 2006 primarily a firewall, a ISA 2006 can be configured as an integrated firewall and Web proxy and caching solution,
Web proxy and caching server, or a or can be deployed as a locked-down firewall only.
remote access VPN server and site to
site VPN gateway? Organizations require a robust firewall solution. The ISA 2006 firewall secures networks
with ISA Server 2006 stateful packet inspection, application layer inspection, and intrusion
detection and prevention.
Unlike ISA Server 2000, ISA Server 2006 does not include a caching-only mode. However,
like ISA 2004 the new ISA firewall can be configured in single-NIC Web proxy and caching
mode. However, the firewall components are not eliminated and the stateful packet and
application layer inspection features are used to create robust protection for the ISA firewall
device itself.
ISA 2006 can also be configured as a remote access VPN server allowing users to connect to
the ISA firewall to access corporate resources and granular control can be enforced on what
remote access VPN users can access through the VPN link. The site to site VPN feature
allows the ISA firewall to connect to other VPN gateways (either ISA firewall based VPN
gateways or third party VPN gateways) to connect entire networks to one another.
ISA Server 2006 is always a sophisticated, hardened and secure firewall, regardless of the
deployment options you choose.
Does implementing the Web proxy No. The cache is a sophisticated memory and disk based storage engine that allows
and caching function compromise the improved network access performance by storing frequently retrieved objects.
security of ISA 2006 as a firewall?
The Web proxy and cache features are integrated into the firewall engine and provides
Hypertext Transfer Protocol (HTTP) connectivity, application layer inspection capabilities
and security-related tasks such as content screening, Uniform Resource Locator (URL)
blocking and HTTP protocol inspection.
Can I migrate from Proxy Server 2.0 There is no upgrade path from Proxy 2.0 and ISA Server 2000 to ISA Server 2006.
or ISA Server 2000 to ISA Server
2006? There is a supported upgrade path from ISA 2004 to ISA Server 2006.
More information on upgrading from ISA 2004
Must I buy Windows Server 2003 to You can install ISA Server 2006 only Windows Server 2003. Minimum system
run ISA Server 2006, or will it run on requirements are: 300MHz or better processor, 256MB of RAM, 20MB of disk space (for
Windows 2000? Do I have to buy a the OS; this does not include disk space for caching); one network adapter for each network
super powerful computer to run it on? connected to the ISA server, including the default Internal Network.
You must have one partition formatted in NTFS. However, some ISA firewall functions,
such as application layer inspection, are processor or memory intensive, so you’ll want more
than the minimum supported configuration. ISA server 2006 will run very well on any
modestly configured current PC (1GHz processor or above, 512MB of RAM).
Does the ISA Firewall computer have To act as a network firewall, the ISA Firewall needs at least two NICs (multi-homed
to have multiple network interface machine).
cards?
ISA 2006 can be installed on a single-homed machine (one NIC) to act as a Web proxy and
caching only server. The single-homed ISA 2006 can be placed on the internal network or a
perimeter network and proxy requests for both internal and external network clients.
This is a popular configuration for publishing Outlook Web Access, Exchange ActiveSync,
and SharePoint Portal Server sites for organizations that already have a well-established
firewall infrastructure in place.
Is Active Directory required to run No. If you do have Active Directory deployed on your network, the ISA 2006 firewall can
ISA 2006? leverage users and groups contained in the Active Directory to provide granular inbound and
outbound access control in a way that no other firewall on the market can provide. However,
you do not have to have an Active Directory or NT domain to benefit from an ISA Server
2006 firewall.
ISA Server 2006 does not need to be a domain member computer to benefit from the Active
Directory user database. ISA 2006 introduces LDAP authentication, so that a non-domain
member ISA firewall can benefit from user/group authentication for incoming connections.
Does ISA Server 2006 support reverse Yes. Reverse caching means placing a cache in front of a Web server or e-commerce
caching? application. This is called reverse because the decision to cache or distribute content from
the servers or to offload processing is implemented by the administrators of the Web servers,
rather than by the clients.
ISA 2006 supports reverse caching, allowing Web managers to cache and distribute content,
therefore improving user response time.
Does ISA 2006 support stateful packet Yes. Stateful packet inspection allows the ISA firewall to perform all the network layer
inspection? protection provided by traditional “hardware” firewalls. Stateful packet inspection is able to
determine the validity of packets based on the information contained with the IP and
transport later headers.
I already have a non-Microsoft ISA 2006 works well with all firewalls and I would never suggest that a “rip and replace”
firewall at the Internet edge. Can I still approach is best.
use ISA 2006 in conjunction with it?
How would the multiple firewalls be The ISA 2006 firewall can be placed on the Internet edge in front of your current firewall
deployed? What are the advantages of installation, it can be placed at the corporate LAN, or it can be placed between your current
doing this? Internet edge and LAN firewalls.
In addition, the ISA 2006 firewall can be placed at branch offices. The branch office can
connect to the main office VPN gateway using an ISA 2006 site to site link. This link can be
created with virtually any site to site VPN gateway using ISA 2006’s support for IPSec
tunnel mode.
In addition, in the branch office scenario, the ISA firewall can leverage it’s support for BITS
caching and QoS to significantly improve performance over the site to site VPN link.
What protocols does ISA Server 2006 ISA Server 2006 can evaluate and control virtually all protocols. These include
support? Transmission Control Protocol (TCP), User Datagram Protocol (UDP), ICMP and IP-based
(such as GRE and ESP).
The firewall is pre-loaded with an extensive list of predefined protocols (e.g., HTTP, SMTP,
POP3, GRE) and allows administrators to easily add to this list. Complex protocols
requiring secondary connections require either the firewall client software or an application
filter.
ISA 2006 includes many built-in application filters for the most popular protocols, enabling
additional functionality such as allowing highly secure access to Exchange RPC services,
filtering HTTP connections, or SMTP content inspection to attacks against mail servers.
Does ISA 2006 inspect encrypted ISA 2006 inspects encrypted content at several levels. ISA 2006 can help you set up a
content? secure, encrypted VPN channel to remote networks. The channel then can transport any data
in a secure manner and all content moving over remote access and site to site VPN
connections are exposed to the ISA firewall stateful packet and application layer inspection
engines.
ISA 2006 can enforce the use of encrypted Web access (i.e., SSL) on incoming Web
requests and can serve as an end point of an encrypted SSL session. This enables the ISA
firewall to provide secure, encrypted SSL sessions from end to end and perform both stateful
packet and application layer inspection on the session contents.
Internal network clients can establish an end to end secure SSL tunnel to an Internet Web
server and the ISA firewall can provide application layer inspection on the outbound SSL
connections using an add-in named ClearTunnel fromCollective Software
Can ISA 2006 use the Network Load Yes, ISA 2006 takes advantage of Network Load Balancing (NLB) in Windows Server 2003
Balancing (NLB) services? for increased scalability, performance and availability.
ISA 2006 Enterprise Edition integrates with the Windows NLB service to provide
bidirectional affinity for all Networks. Integrated NLB is also Firewall service and NIC
aware so that if one of the members of the enterprise array is dysfunctional, the
dysfunctional server is removed from the NLB array until it become functional again.
Does ISA 2006 work with streaming ISA 2006 includes application filters that manage complex media streaming connections. It
media? specifically supports Microsoft Windows Media–based streaming, RealAudio and Apple
QuickTime.
Can I place a VPN server behind the Yes. You can publish non-TCP/UDP protocols using ISA 2006. You can publish a PPTP or
ISA Server 2006 firewall? NAT-T compliant L2TP/IPSec VPN server located behind the ISA Server 2006 firewall. In
fact, you can make the ISA Server 2006 firewall a VPN server itself and publish a VPN
server located behind the ISA Server 2006 firewall. You can also place third party IPSec
tunnel mode servers behind the ISA firewall, as long as they are RFC NAT-T compliant.
How does using ISA 2006’s caching The Web Proxy and caching features of ISA 2006 offers a cache of Web objects that fulfills
functionality improve network client requests from the cache. If the request cannot be fulfilled from the cache, a new
performance? request is initiated on behalf of the client. When the Internet Web server responds to the ISA
Firewall, the ISA Server caches the response to the original client request. Then the client
receives a response. Fast RAM caching allows the ISA Firewall to keep most frequently
accessed items in memory. This optimizes response time by retrieving items from memory
rather than from disk. ISA 2006 gives you an optimized disk cache store that minimizes disk
access for both read and writes operations. These techniques optimize response time and
your overall system performance.
Table 1: Frequently Asked Questions about ISA 2006
Summary
In this article we went back to basics to help our brethren better understand the ISA Firewall and its features and capabilities. If you ever run into someone who doesn’t know about the ISA Firewall,
send them over to this article and hopefully they’ll have their questions answered. If there are most questions, just click on the discussion board link in this article and I’ll be alerted to the question
and will answer it as soon as possible. Thanks! –Tom.
Bit - a single binary unit, 1 or 0
Byte - a group of eight bits
IP Address - an Internet Protocol Address. Usually seen as an IP version 4 address, a series of 4 bytes, usually shown in decimal and separated by a full stop (.).
According to the OSI Model of networking, this is a Layer 3 address.
MAC Address - a Machine Access Control Address. A 6 byte address, usually expressed in hexadecimal and separated by a colon (:). The first three bytes are specific
to a manufacturer, and the last three specific to a device produced by that manufacturer. According to the OSI Model, this is a Layer 2 address
Packet - a collection of bits sent from one computer to another
Frame - a packet which is completely assembled for transfer (containing all the necessary headers)
Header - a set of bits containing information about a specific property of the packet
Datagram - a packet sent via an unreliable protocol (such as UDP)
ICMP - Internet Control Message Protocol, the standard Ping protocol
Default Gateway - an IP designation for allowing a computer off its own network
OSI Model - The Open Systems Intercommunication Model of Networking is well described by sas01 in another thread