Microsoft ISA Server Step by step by doanhungit

Microsoft ISA Server, Part I – introduction, installation, configuration,
Web caching and Internet access
What happened before ISA Server?
The history of ISA Server goes back to a product named Proxy Server 1.0. With it, the
market for fast and secure Internet access gained one more player: the Microsoft
Corporation. Proxy Server 1.0, however, was little more than a means of initial market
research. The market responded favourably to a product that integrated with the existing
Windows NT 4.0 enterprise networks. The first edition of MS Proxy Server had many
limitations: it supported only a few basic Internet protocols, and its security functions
were rather dated.



Microsoft's second try, Proxy Server 2.0, was a natural evolution with many useful and
expected functions. One valuable feature was its use of the Windows NT account database
for authentication, which considerably simplified user management within the enterprise.
Many more protocols were supported, and caching services, packet filtering and
considerably improved security were incorporated. Although an improved version, Proxy
Server 2.0 still offered a limited range of functions compared to third-party products.



This was surely not Microsoft's last word. With the successors to Windows NT 4.0, Windows
2000 and Windows XP, new possibilities emerged for implementing the technologies they
incorporate.


New concepts created by ISA Server
ISA Server introduces new terms that need to be understood before attempting product
deployment on the network.

· Array – a group of ISA Server computers that are located close together, for example
within a department, office or region. There are two types of arrays:

Domain Arrays – store their configuration in Active Directory. A domain array can
encompass only computers located within a single domain.
Independent Arrays – store their configuration not in Active Directory but in a local
configuration database. This type is mainly used in networks with NT 4.0 domains.

· Rule – rules let the system administrator govern access to sites and content, the
protocols that may be used, and IP packet filtering.

· Array policy – a set of rules applied to one specific array.

· Enterprise policy – enterprise-level policies contain the same kinds of rules as array
policies but apply to multiple arrays.
With ISA Server, an array policy can only make the enterprise policy more restrictive;
it is not possible for an array policy to ease restrictions imposed by the enterprise
policy.


ISA Server Components
ISA Server supports many more functions than its predecessor. The following options
are available with this new product:

· Firewall – the Firewall service, together with its Firewall Client software, has an
enhanced set of functions that allows it to compete with similar products on the IT
market. Through the Firewall Client, ISA Server can use Active Directory accounts (or
the SAM database of an NT domain) to apply access rules at user or group level. Most
third-party products of the time did not support this and relied on separate user
databases or on IP addresses. The firewall also performs stateful packet inspection:
packets passing through it are tracked at the packet, protocol and connection level
rather than being judged one at a time.
· Policy-based administration – ISA Server is managed through predefined policy
rules. A policy is a consistent set of rules about users, groups of users, protocols
etc., and may apply to a single array or, enterprise-wide, to all arrays. For
businesses running Active Directory, multi-tiered enterprise policies make it possible
to manage the whole infrastructure centrally.
· Virtual Private Network support – ISA Server provides an easy way to set up VPN
connections. The wizards supplied with ISA Server configure VPN tunnelling and
activate the RRAS service if it is not already running.
· Dynamic IP filtering – depending on the security policy, firewall ports can be
opened dynamically for authorised users on a session-by-session basis. This greatly
simplifies the administrator's work with applications that negotiate their ports
dynamically.
· IDS (Intrusion Detection System) – Microsoft equipped ISA Server with an intrusion
detection module licensed from Internet Security Systems, the leading developer of
such solutions. Out of the box, ISA Server detects several types of attack, including
WinNuke, Ping of Death, Land, UDP bombs, POP buffer overflow and port scans. Once an
attack has been detected and identified, ISA Server can block it and/or notify the
administrators about the event.
· Web Cache – ISA Server provides fast Web caching. Administrators can have
frequently requested Web pages refreshed automatically, on a reverse-caching or
scheduled basis.
· Reports – the major difference between ISA Server and its predecessor, Proxy Server
2.0, is the number of reports ISA Server can generate. Scheduled reports on, for
example, users' activity or security-related events make an ISA Server-based network
easy to oversee.
· H.323 Gatekeeper – this component lets ISA Server manage IP telephony calls from
H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). A DNS SRV
record must be registered for clients to find the gatekeeper.
· Client deployment – with the SecureNAT (Secure Network Address Translation)
feature, ISA Server gives clients and servers transparent and secure access to the
Internet without any extra software on the client machines, and all of their traffic
can be logged on ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security and
Acceleration Server fills a gap in Microsoft's product range and is aimed squarely at the
mass market for Web security and fast Web access. The new capabilities implemented in ISA
Server are expected to allow Microsoft to compete effectively in this area.

It should be noted that Microsoft's engineers integrate all products with one another to
bring the company's vision of the .NET platform to businesses.


Software and hardware requirements
The minimum hardware recommended by Microsoft for this product is:

· 300 MHz or higher Pentium II-compatible CPU,
· 256 MB of RAM,
· 2 GB of hard-disk space on an NTFS-formatted partition,
· 200 MB of available hard-disk space for the installation.

ISA Server requires a computer running Windows 2000 with Service Pack 1 or later.

A server built to this minimum will quickly run out of capacity. For the different ISA
Server usage scenarios the hardware should therefore be sized appropriately.

If ISA Server is to be used as a firewall, the CPU must be chosen for the expected
throughput:

Throughput requirements        Recommended CPU
Less than 25 Mbit/s            Pentium II 300 MHz – 500 MHz
From 25 Mbit/s to 50 Mbit/s    Pentium III 550 MHz or better
More than 50 Mbit/s            Pentium III 550 MHz or better for each additional 50 Mbit/s
Table 1 CPU capacity requirements vs. throughput

These values can only serve as a reference when planning the ISA Server hardware for the
expected load; the real requirement depends on the usage scenario (for example on the
type of data being transmitted).

If ISA Server is to be deployed as a forward cache, consider, in addition to adequate CPU
capacity, the RAM and the free disk space available for caching:

Number of users   Recommended processor                 Minimal RAM (MB)       Recommended disk space for caching
Up to 250         Pentium II 300 MHz                    256                    4 GB
250 – 2,000       Pentium III 550 MHz                   256                    10 GB
More than 2,000   Pentium III 550 MHz per 2,000 users   256 per 2,000 users    10 GB per 2,000 users

Table 2 – Capacity planning for forward caching server applications

If ISA Server is to run in Integrated Mode (see Installation), the firewall and caching
requirements add up, so a computer intended to be an ISA server should be dedicated to
that role.

Installing ISA Server
ISA Server installs on Windows 2000 Server. If the server is to belong to a domain array
(Enterprise Edition), Active Directory must be prepared first: ISA Server setup extends
the schema with the required classes and attributes. A standalone server, or an
independent array, keeps its configuration locally and does not need this step.




    Fig. 1 ISA Server setup screen with selected AD schema modification option
Before the system attempts to update the schema you will be warned that this action is
not reversible.




               Fig. 2 Active Directory’s modification-related warning

When the schema is updated you are also asked how enterprise policy is to apply to
arrays (whether arrays use their own policy, the enterprise policy, or both). If the
Active Directory modification fails, consult the Ldif.log file.




                         Fig. 3 Modifying Active Directory

Once Active Directory has been updated, ISA Server itself can be installed. In the first
step you choose the installation type (Typical, Full, Custom).
                        Fig. 4 ISA Server installation options

After this step, the setup wizard checks whether the Active Directory schema has been
updated. Next, you decide whether the server joins an array in the domain or runs
standalone. In the following step, select the mode of operation from three options:

· Firewall – ISA Server functions as a firewall only,

· Web Cache – ISA Server functions as a caching Web proxy only, giving clients access to
Web resources,

· Integrated Mode – both the firewall and the caching features are available.
                         Fig. 5 selecting the functional mode

Once the mode has been selected, the next dialog box stops Internet Information Services
(if installed) and prompts you either to uninstall IIS or to reconfigure it so that it no
longer listens on ports 80 and 8080, which the ISA Server Web Proxy service needs (8080
for outbound requests, 80 for incoming Web requests). Although the two can coexist,
Microsoft recommends moving IIS to another machine; a Web server running on the firewall
itself is an unnecessary exposure.

In the next step you specify the cache size for the Web Cache service.




                Fig. 6 Configuring the cache size for WWW caching

On a server with several disks it pays to distribute the cache over them; this speeds up
access to cached content.
Having set the cache sizes, the next step is to configure the LAT (Local Address Table).




                               Fig. 7 LAT setup utility

LAT (Local Address Table) – the table that defines all internal IP address ranges. Setup
can populate it (Fig. 7) from the private address ranges defined in RFC 1918 (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16) and/or from the Windows 2000 routing table for the selected
network adapters. The LAT matters for security: ISA Server treats every address in it as
internal and trusted, so it must contain only internal ranges and must never include the
subnet of the external interface.




                                Fig. 8 A default LAT

Once this step is successful you reach the screen that completes the LAT configuration.
Make sure that all network cards are connected and active while installing ISA Server:
if a card is inactive, setup cannot read its routes and the LAT will probably not be
built correctly. Review the generated LAT before accepting it.
                    Fig. 9 Completing the LAT setup procedures
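The LAT check described above, as an added example that is not part of the original article: it builds a LAT the way setup does (RFC 1918 ranges plus the subnets of the adapters marked internal) and then verifies that no external adapter falls inside it. The INTERFACES dictionary is a constructed sample of what the Windows 2000 routing table might show for a two-adapter server, and the function names are ours, not ISA Server's.

```python
"""Added example, not from the original article: build a Local Address Table
the way setup does (RFC 1918 ranges plus the subnets of the internal adapters)
and check it before trusting it. ISA Server treats every address in the LAT as
internal, so an external subnet in the LAT turns Internet hosts into trusted
clients. INTERFACES is a constructed sample of what the Windows 2000 routing
table might show for a two-adapter server; the function names are ours."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one internal and one external adapter.
INTERFACES = {
    "Internal": {"address": "192.168.10.1", "mask": "255.255.255.0",   "external": False},
    "External": {"address": "203.0.113.7",  "mask": "255.255.255.248", "external": True},
}


def adapter_subnet(spec):
    """Subnet of an adapter from its address and mask, as the routing table shows it."""
    return ipaddress.ip_network(f'{spec["address"]}/{spec["mask"]}', strict=False)


def lat_from_interfaces(ifaces, include_rfc1918=True):
    """Mimic the setup dialog: the RFC 1918 ranges (if ticked) plus the
    subnets of the adapters the administrator marks as internal."""
    lat = list(RFC1918) if include_rfc1918 else []
    lat += [adapter_subnet(spec) for spec in ifaces.values() if not spec["external"]]
    return lat


def is_internal(addr, lat):
    """What ISA Server decides for a source address: inside the LAT or not."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lat)


def lat_problems(lat, ifaces):
    """Findings a practitioner wants before accepting the generated LAT.
    An empty list means no external adapter falls inside the LAT and every
    internal adapter is covered by it."""
    problems = []
    for name, spec in ifaces.items():
        inside = is_internal(spec["address"], lat)
        if spec["external"] and inside:
            problems.append(f'{name} ({spec["address"]}) is the external adapter '
                            f'but its address is inside the LAT')
        if not spec["external"] and not inside:
            problems.append(f'{name} ({spec["address"]}) is internal but not '
                            f'covered by the LAT')
    return problems


if __name__ == "__main__":
    good = lat_from_interfaces(INTERFACES)
    print("LAT:", [str(n) for n in good], "problems:", lat_problems(good, INTERFACES))
    # Simulate the mistake of ticking the external adapter in the LAT dialog.
    bad = good + [adapter_subnet(INTERFACES["External"])]
    print("problems:", lat_problems(bad, INTERFACES))
```

The second run shows the case that matters: once the external adapter's /29 is in the LAT, the check reports it, because every host on that subnet would otherwise be treated as an internal client.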

Setup then copies the program files to the ISA Server directory. After installation, the
ISA Management console starts.




   Fig. 10 Microsoft ISA Server Administrator utility and Getting Started Wizard

The console is a Microsoft Management Console (MMC) snap-in. The left pane lists all the
configuration objects; the right pane shows the settings available for the selected object.

Getting Started Wizard
Because ISA Server differs substantially from Proxy Server 2.0, Microsoft recommends that
even experienced administrators go through the Getting Started Wizard, which guides the
initial configuration and customisation of the product and explains the effect of each
change made to the ISA Server.

The Wizard is split into two sections (see Fig. 10):

· Configuring policies,
· Configuring arrays.

After the initial configuration with the Getting Started Wizard, the product can be fully
adapted to the working environment by adjusting individual settings.


Creating protocol rules
Administering an ISA Server means creating suitable arrays, rules and policies. Arrays and
policies have already been explained, so let us examine the term "rules".

ISA Server uses two types of access rules:

· Site and content rule – determines if and when content from specific Internet
destinations can be accessed, and by which users,
· Protocol rule – determines which protocols clients may use through the ISA server.

Apart from the above, the following rules can also be defined for ISA Server:

· Bandwidth rule – prioritises different types of traffic passing through the ISA server,
so that administrators can decide which Web or business traffic gets the available
bandwidth first.
· Web publishing rules – publish internal Web servers: incoming HTTP, HTTPS and FTP
requests received by ISA Server are mapped to the internal servers that host them.
· Server publishing rules – publish other internal servers: clients on the public Internet
connect to the ISA Server's external address instead of to the internal server, and ISA
Server relays the inbound and outbound traffic between them.

Web Cache functions
ISA Server features high-performance Web caching. The Cache Configuration node guides the
administrator through the settings: among other things, the cache size per hard disk and
the schedule of caching tasks; TTL settings determine how long cached objects are
considered fresh.
                        Fig. 11 Configuring caching services

When ISA Server is set up as a Web caching server, two situations are possible:

      Forward Web Caching Server – this is the most popular use of
       the Web caching server. Its function is as follows:




                        Fig. 12 Forward Web Caching Server

1. User No. 1 (Client 1) sends a request for a Web object;

2. ISA Server checks the request against the access policy and then looks in its local
cache. If the object is not in the cache, ISA Server contacts the Web server and fetches
the requested object on behalf of the user;

3. The Web server returns the object to ISA Server;

4. ISA Server returns the object to client No. 1 and stores a copy in its local cache;

5. User No. 2 requests the same Web object;

6. ISA Server serves the cached copy to user No. 2 without contacting the Web server.

· Reverse Web Caching Server – ISA Server acts as a reverse proxy in front of one or
more Web servers on the internal network: Internet clients talk only to ISA Server,
which fetches (and caches) content from the published servers. This is the basis of
secure Web publishing and matters particularly when sensitive data is served.




                        Fig. 13 Reverse Web Caching Server
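The forward-cache exchange above (steps 1 to 6), as an added example that is not part of the original article: a Web Proxy with a TTL-bounded object cache in front of an origin Web server. The origin, its two objects, the client names and the 60-second TTL are constructed for the example. Real ISA Server honours the full set of HTTP cache headers; this model only respects max-age and no-store/private, which is enough to show what gets cached and for how long.

```python
"""Added example, not from the original article: the forward-cache exchange
(steps 1-6) modelled as a Web Proxy with a TTL-bounded object cache in front
of an origin Web server. The origin, its objects, the clients and the 60 s TTL
are constructed; only max-age and no-store/private are honoured here."""
import time


class Origin:
    """Stand-in for the external Web server; counts how often it is contacted."""

    def __init__(self):
        self.hits = 0
        self.objects = {  # constructed sample content
            "http://www.faq.net.pl/index.html":
                ({"Cache-Control": "max-age=60"}, b"<html>welcome</html>"),
            "http://www.faq.net.pl/account":
                ({"Cache-Control": "no-store"}, b"<html>private</html>"),
        }

    def fetch(self, url):
        self.hits += 1
        headers, body = self.objects[url]
        return 200, headers, body


class ForwardCache:
    """Minimal forward Web cache: serve fresh copies locally, fetch the rest."""

    def __init__(self, origin, default_ttl=60, clock=time.monotonic):
        self.origin = origin
        self.default_ttl = default_ttl
        self.clock = clock              # injectable so expiry can be simulated
        self.store = {}                 # url -> (expires_at, headers, body)
        self.log = []                   # (client, url, HIT | MISS | BYPASS)

    @staticmethod
    def cacheable(status, headers):
        cc = headers.get("Cache-Control", "").lower()
        return status == 200 and "no-store" not in cc and "private" not in cc

    @staticmethod
    def ttl(headers, default):
        for token in headers.get("Cache-Control", "").lower().split(","):
            token = token.strip()
            if token.startswith("max-age="):
                try:
                    return int(token[len("max-age="):])
                except ValueError:
                    return default
        return default

    def get(self, client, url):
        now = self.clock()
        entry = self.store.get(url)
        if entry and entry[0] > now:                       # steps 5-6: fresh copy
            self.log.append((client, url, "HIT"))
            return entry[2]
        status, headers, body = self.origin.fetch(url)     # steps 2-3: go to origin
        if self.cacheable(status, headers):                # step 4: keep a copy
            self.store[url] = (now + self.ttl(headers, self.default_ttl), headers, body)
            self.log.append((client, url, "MISS"))
        else:                                              # never stored
            self.log.append((client, url, "BYPASS"))
        return body


def demo():
    """Replay the six steps with two clients, then let the object expire and
    request it again. Returns (log, number of origin fetches)."""
    clock = [0.0]
    origin = Origin()
    proxy = ForwardCache(origin, clock=lambda: clock[0])
    proxy.get("client1", "http://www.faq.net.pl/index.html")   # MISS: fetched from origin
    proxy.get("client2", "http://www.faq.net.pl/index.html")   # HIT: served from cache
    proxy.get("client2", "http://www.faq.net.pl/account")      # BYPASS: no-store
    clock[0] = 61.0                                             # past the 60 s TTL
    proxy.get("client1", "http://www.faq.net.pl/index.html")   # MISS again: refreshed
    return proxy.log, origin.hits


if __name__ == "__main__":
    for entry in demo()[0]:
        print(*entry)
```

The log shows the origin contacted three times for four requests: the second client is served from the cache, the no-store object is passed through without being kept, and the expired object is fetched afresh, which is exactly the behaviour the scheduled and active caching options below are tuned to control.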

In addition to forward and reverse caching, ISA Server lets administrators manage how the
cache is filled:

· Scheduled content download – ISA Server can download or refresh chosen Web pages at
set intervals, so that the most popular objects are refreshed at night rather than during
the day when the link is busy.
· Active caching – ISA Server itself tracks which cached objects are requested most often
and refreshes them before they expire. This is particularly useful where employees fetch
information from the same frequently updated sites several times a day and serving stale
content would be a problem.
· On demand – the most common configuration of a caching server: on the first request for
an object the server fetches it and stores it locally in its cache.

Secure Internet Access through ISA Server
Secure Internet access is one of the fundamental features of ISA Server. It is increasingly
necessary to control and monitor the users who access the Internet from the network, and
to protect the network from viruses, trojan horses and hacker attacks coming from outside.
To cover the broad range of users, Microsoft implemented three types of client in ISA
Server:

· Firewall clients – all computers that have the Firewall Client software installed and
active,
· SecureNAT clients – all computers that do not have the Firewall Client software
installed and simply route through ISA Server,
· Web Proxy clients – all Web browsers configured to use ISA Server as their proxy.

Feature                    SecureNAT Client                  Firewall Client            Web Proxy Client
Installation required?     No, but some network              Yes                        No, requires Web browser
                           configuration changes required                               configuration
Operating system support   Any OS that supports TCP/IP       Only Windows platforms     All platforms
Protocol support           Requires application filters      All Winsock applications   HTTP, HTTPS, FTP, Gopher
                           for multi-connection protocols
User-level authentication  No                                Yes                        Yes
Server applications        No installation or                Requires configuration     N/A
                           configuration required            file

Table 3 Comparison of ISA Server Clients

Firewall and SecureNAT clients also behave as Web Proxy clients in practice: their HTTP
requests are handed to the Web Proxy service, while all other requests are handled by the
Firewall service and its application filters.

Before choosing the client type for an enterprise, establish which applications and
protocols are used on the network. A proper evaluation allows trouble-free use of Web
services without continual configuration changes. The choice of client is also the
foundation of network security, since a liberal Internet access policy threatens not only
confidentiality but also availability: a few users downloading MP3 or AVI files with a few
sessions open each are enough to keep an enterprise link at nearly 100 percent utilisation.

Network need                             Recommended client type   Reason
To avoid deploying client software or    SecureNAT                 SecureNAT clients need no software or specific
configuring client computers                                       configuration on the client machines.
To use ISA Server only for forward Web   SecureNAT                 Used purely as a Web caching server, ISA Server
caching                                                            needs no special client software.
To create user-based access rules that   Firewall Client           Firewall clients allow access rules for non-Web
control non-Web Internet access                                    sessions; these rules take effect only if ISA
                                                                   Server is configured to require authentication
                                                                   with each session.
The network has many roaming users and   Firewall Client           SecureNAT clients do not support automatic
computers                                                          discovery of the ISA server; with automatic
                                                                   discovery configured, roaming Firewall clients
                                                                   find the right server wherever they connect.
Clients need access (outside Web         Firewall Client           SecureNAT clients do not support protocols with
browsers) to protocols with secondary                              secondary connections unless an application
connections, such as FTP                                           filter exists for them.
To support dial-on-demand for non-Web    Firewall Client           SecureNAT supports dial-out, but only Firewall
sessions from the clients                                          clients trigger dial-on-demand for non-Web
                                                                   sessions.

Table 4 Choosing an ISA Server Client Type

Table 4 summarises how to select the client type for a given enterprise. For a more
detailed description of each client type see the documentation supplied with the product.


Extras
Many extras are included with ISA Server; further information is available at the
following sites:

       http://www.microsoft.com/isaserver/
       http://www.isaserver.org/
       http://www.faq.net.pl/

Newsgroups:

       ms-news.pl.isa-server
       microsoft.public.isa

Microsoft Press Publishing:
MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000


Microsoft ISA Server, Part II – Firewall Functions, Publishing Policy Rules
ISA Server Security Configuration

Define the server's security level before starting the ISA Server security configuration.
To set it, right-click the server icon in the console tree under
Servers and Arrays -> Server name -> Computers and select "Secure..." to start the wizard.
The wizard opens with a warning that the changes it makes cannot be undone, so take a
backup of the server first.
                      Fig. 1 ISA Server Configuration Wizard warning

The wizard offers three security levels; in the next step choose the one appropriate for
your ISA Server. Base the choice primarily on the roles the server performs: whether it is
a dedicated firewall or also acts as a domain controller or file server. The chosen level
determines how tightly access to the server is restricted.




                          Fig. 2 Choosing ISA Server security level

Each security level corresponds to one of the security templates below, which the wizard
applies to the server.

Table 1 ISA Server Security scenarios

Security Level       Security Template    Domain Controller Security Template
Secure               Basicsv.inf          Basicdc.inf
Limited Services     Securews.inf         Securedc.inf
Dedicated            Hisecws.inf          Hisecdc.inf

All these templates are in the directory %SystemRoot%\security\Templates\. They can be
modified if necessary, and knowledgeable administrators may create their own templates to
meet the requirements of the company's IT security policy and gain maximum control over
access to the server and to the files it holds. Because applying a template is not
reversible, compare the server's current settings against the chosen template first (for
example with the Security Configuration and Analysis snap-in) and test the result on a
non-production server, particularly for "Dedicated" (Hisecws.inf), which restricts the
server considerably.
When the wizard finishes, the template has been applied to the server's local security
settings and you will be prompted to restart the computer.


Policy-based Access Control

As with most firewalls, ISA Server lets the administrator configure detailed usage
policies. The rules apply both to outgoing traffic (e.g. local users) and to incoming
traffic (e.g. external users, teleworkers or would-be attackers). Every packet that passes
through ISA Server can be logged, giving a record of Internet connection usage, attack
attempts, etc. Before configuring the access policy rules, define the policy elements the
rules will refer to. These are found under Servers and Arrays -> Server Name -> Policy
Elements.

The policy elements are:
· Schedules – determine when a rule is in effect and allow a very flexible security
policy. For example, a group of users can be restricted to specific Web pages during
working hours and have full Internet access at all other times.
· Bandwidth priorities – prioritise connections through ISA Server. The default bandwidth
rule gives all connections the same priority.
· Destination sets – a set may contain IP addresses, IP ranges, computer names, and a
specific path on the destination server, so access can be granted, for example, only to
www.faq.net.pl/binaries. A leading asterisk (*) matches all hosts in a domain: to cover
all computers in the domain bsi.net.pl, create a destination set containing
"*.bsi.net.pl". Destination sets are used when configuring Site and Content Rules,
Bandwidth Rules, Web Publishing Rules and Routing Rules.
· Client address sets – sets of client IP address ranges. They are used when configuring
Site and Content Rules, Bandwidth Rules, Web Publishing Rules, Server Publishing Rules
and Routing Rules.
· Protocol definitions – the list of protocols known to ISA Server, used to create
Protocol Rules and Server Publishing Rules. In addition to the predefined protocols,
custom protocols can be created. A custom protocol definition specifies the port number
(between 1 and 65535) of the primary connection, the protocol type (TCP or UDP) and the
direction of the traffic (Inbound or Outbound). It may also specify "secondary
connections": the port range, protocol type and direction of the additional connections
that follow the initial connection (as FTP data connections do).
· Content groups – groups of file types, divided into eleven categories: Applications,
Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro
Documents, Text, Video, and VRML.
· Dial-up entries – describe the dial-up connections between the ISA Server computer and
the Internet (or other dial-up servers). To configure one, specify the name of the
Windows 2000 connection and the login and password of the authorised user.

Once the policy elements have been defined, the access rules can be configured under the
"Access Policy" node, which contains three kinds of rule:
· Site and Content Rules – control access to specific destination servers and to certain
contents, objects and locations,
· Protocol Rules – define which protocols clients may use to access the Internet,
· IP Packet Filters – rules that govern packet filtering on the external interface.
Fig. 3 when configuring Access Rules one will go through Policy Elements and Access
                                    Policy tabs


Site and Content Rules

With these rules the network administrator determines access to content outside the
firewall. They state if and when a client, a user, or a client address set can access
given destination sets.

Site and content rules can allow or deny access. By default, ISA Server installs with no
protocol rules, so no client can use any protocol to reach the Internet until rules are
created.

The example below configures rules that allow internal network users to access the URL
www.securitynet.pl during office hours (09:00-17:00).
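The policy model described in this part (destination sets, client address sets, schedules, protocol rules and site and content rules), as an added example that is not part of the original article: a small evaluator that encodes the scenario above (internal users may reach www.securitynet.pl from 09:00 to 17:00) and applies the ISA Server 2000 ordering, in which deny rules are processed first and a request is allowed only when both a protocol rule and a site and content rule allow it. The rule names, the internal address range, the extra deny rule for *.bsi.net.pl and www.faq.net.pl/binaries, and the wildcard semantics (a leading "*." matches hosts below the domain but not the bare domain) are our assumptions for the example; "specific users and groups" rules are not modelled.

```python
"""Added example, not from the original article: evaluator for the access-policy
model (destination sets, client address sets, schedules, protocol rules, site
and content rules). Deny rules win; otherwise BOTH a protocol rule AND a site
and content rule must allow the request. Rule names, address ranges and the
wildcard semantics are our assumptions, not ISA Server's own code."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class DestinationSet:
    name: str
    entries: list   # (host pattern, path prefix or None), e.g. ("*.bsi.net.pl", None)

    def matches(self, host, path):
        host = host.lower()
        for pattern, prefix in self.entries:
            pattern = pattern.lower()
            if pattern.startswith("*."):
                host_ok = host.endswith(pattern[1:])      # ".bsi.net.pl" suffix only
            else:
                host_ok = host == pattern
            if host_ok and (prefix is None or path.startswith(prefix)):
                return True
        return False


@dataclass
class ClientAddressSet:
    name: str
    ranges: list    # (first address, last address), inclusive

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class Schedule:
    name: str
    days: set       # weekday numbers, Monday = 0
    start_hour: int
    end_hour: int   # exclusive

    def active(self, when):
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class Rule:
    name: str
    kind: str                            # "protocol" or "site"
    action: str                          # "allow" or "deny"
    protocols: set = None                # protocol rules; None = all protocols
    destinations: DestinationSet = None  # site rules; None = all destinations
    clients: ClientAddressSet = None     # None = any request
    schedule: Schedule = None            # None = always

    def applies(self, req, when):
        if self.clients and not self.clients.contains(req["client"]):
            return False
        if self.schedule and not self.schedule.active(when):
            return False
        if self.kind == "protocol":
            return self.protocols is None or req["protocol"] in self.protocols
        return self.destinations is None or self.destinations.matches(req["host"], req["path"])


def evaluate(rules, req, when):
    """Return ("allow" | "deny", reason). Deny rules are checked first; without a
    matching allow rule of each kind the request falls through to default deny."""
    matching = [r for r in rules if r.applies(req, when)]
    for r in matching:
        if r.action == "deny":
            return "deny", f"denied by {r.kind} rule '{r.name}'"
    proto = [r for r in matching if r.kind == "protocol"]
    site = [r for r in matching if r.kind == "site"]
    if proto and site:
        return "allow", f"protocol rule '{proto[0].name}' and site rule '{site[0].name}'"
    missing = "protocol rule" if not proto else "site and content rule"
    return "deny", f"no {missing} allows the request (default deny)"


# Policy elements and rules for the scenario (constructed values).
OFFICE_HOURS = Schedule("Work hours", days={0, 1, 2, 3, 4}, start_hour=9, end_hour=17)
INTERNAL = ClientAddressSet("Internal LAN", [("192.168.10.1", "192.168.10.254")])
SECURITYNET = DestinationSet("securitynet.pl", [("www.securitynet.pl", None)])
BSI_BINARIES = DestinationSet("bsi downloads", [("*.bsi.net.pl", None),
                                                ("www.faq.net.pl", "/binaries")])
POLICY = [
    Rule("Allow Web protocols", "protocol", "allow", protocols={"HTTP", "HTTPS"}, clients=INTERNAL),
    Rule("Block bsi downloads", "site", "deny", destinations=BSI_BINARIES),
    Rule("securitynet.pl in office hours", "site", "allow", destinations=SECURITYNET,
         clients=INTERNAL, schedule=OFFICE_HOURS),
]
WEEKDAY_10 = datetime(2024, 3, 12, 10, 0)   # a Tuesday, inside office hours


def check(client, protocol, host, path, when):
    req = {"client": client, "protocol": protocol, "host": host, "path": path}
    return evaluate(POLICY, req, when)


if __name__ == "__main__":
    print(check("192.168.10.20", "HTTP", "www.securitynet.pl", "/", WEEKDAY_10))
    print(check("192.168.10.20", "HTTP", "www.securitynet.pl", "/", WEEKDAY_10.replace(hour=18)))
    print(check("192.168.10.20", "FTP", "www.securitynet.pl", "/", WEEKDAY_10))
    print(check("192.168.10.20", "HTTP", "www.bsi.net.pl", "/", WEEKDAY_10))
```

Two points worth noticing when running it: the FTP request to an allowed site is still refused, because no protocol rule covers FTP, and the suffix match is anchored on the dot, so a host such as evilbsi.net.pl does not fall under *.bsi.net.pl.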

Before configuring the access rule, create the following three policy elements:
· Client Address Sets,
· Destination Sets,
· Schedules.

Each is created with a wizard reached from the "Policy Elements" node. Then right-click
"Site and Content Rules" and select "New" to start the New Site and Content Rule Wizard.


The New Site and Content Wizard

1. Rule Action screen. One can select either of two possible server actions in relation to an
event:
· Allow – permits access to the external sites,
· Deny – clients matching the rule will be denied access to the external sites. For HTTP
  content there is the possibility to redirect requests to another server, which can also
  state the reason why the site cannot be accessed.

In this example, Allow will be selected:
2. How to apply the rule. There are four options to select from:
· Allow access based on destination,
· Allow access only at certain times,
· Allow some clients access to all external sites,
· Custom – allows for a detailed definition of all three parameters (destination, schedule
  and client) in a single access rule.

In this example, Custom will be selected:
3. Destination Sets screen. The following options are available:
· All destinations,
· All internal destinations,
· All external destinations,
· Specified destination sets – from the drop-down box select the destination set created
  in the policy elements,
· All destinations except selected sets.

From the drop-down box select the destination set corresponding to the address
www.securitynet.pl.

4. Schedule screen – defines the times when the user will have access to the specified
external sites. At this point, select the schedule from the drop-down box, as appropriate (in the
same way as for “Destination Sets”).

Fig. 4 Scheduling access times

5. Client type screen. The following options are available:
· Any request,
· Specific computers (client address sets) – one must specify the IP addresses of the
  computers to which the rule being created will apply,
· Specific users and groups – one must specify the users or groups (through Active
  Directory) to which the rule being created will apply.

6. Determining the content groups to which the rule applies. In ISA Server, content is
subdivided into eleven groups:
· Application,
· Application Data Files,
· Audio,
· Compressed Files,
· Documents,
· HTML Documents,
· Images,
· Macro Documents,
· Text,
· Video,
· VRML.

The contents of the individual groups can be viewed at Policy Elements -> Content Groups.
Right-click the tab and select “New” to start the wizard and create a custom content group,
specifying the set of document types it covers.

Fig. 5 On the Content Groups screen one can specify the content types to which the rule created will apply


Protocol Rules

Protocol rules define the types of Internet connections that clients are allowed to make. One must
adhere strictly to the configuration principles when defining rules of communication with
external networks. When a client requests communication with a specific object in the external
network, ISA Server checks whether a rule allowing communication over this specific
protocol has been created. If no such rule exists, or access to the protocol is explicitly
denied, the request is rejected. Otherwise, the server checks whether the administrator has
permitted the user to access this specific site (in the Site and Content Rules). Since the protocol
rules and the site and content rules work hand in hand, the user is allowed to access the site
only if both “agree”.

When creating rules, be aware that the sequence in which they appear is irrelevant; however, the
rules that deny a protocol are processed before the rules that allow it. More specifically, if
you configure two conflicting rules, one that allows access and another that denies access
for the SMTP protocol, all SMTP traffic will be blocked.

Note also, that selecting “All protocols” means that only the protocols defined in the Protocol
Definitions will be selected. In other words, if any non-standard protocols are used in the
network, they must be added to the protocol definitions. Otherwise, even with “All Protocols” a
non-standard protocol will be denied.


Creating Rules

Continuing the previous example, if one wants to allow the users to access the site
www.securitynet.pl, the HTTP protocol must be enabled.

Following that step, proceed as follows:
1. Start the “Protocol Rules” wizard,
2. Select whether the rule will Allow or Deny use of the protocol,
3. Select the protocol.

Fig. 6 Configuring the protocol to which the rule applies

4. On the Schedule screen, select the times for accessing the protocol, for example from
   09.00 a.m. to 05.00 p.m.
5. Similarly to Site and Content Rules, select the users or groups of computers allowed to use the
   protocol.

Once the above filters are properly configured, the users will be allowed to access the site
www.securitynet.pl.
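To show how the protocol rules and the site and content rules from the two examples above interact (deny before allow, “All protocols” limited to Protocol Definitions, and both rule types having to agree), here is an added model of the decision logic in Python; it is example code written for this article, not ISA Server code, and the policy element names (securitynet, office_lan, office_hours) are constructed.

```python
# Added example, not ISA Server code: models the outbound access decision the
# text describes. Policy element names below are constructed for this example.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTOCOL_DEFINITIONS = {"HTTP", "HTTPS", "SMTP", "FTP"}     # Protocol Definitions
DESTINATION_SETS = {"securitynet": {"www.securitynet.pl"}}  # Destination Sets
CLIENT_ADDRESS_SETS = {"office_lan": "10.0.1.0/24"}         # Client Address Sets
SCHEDULES = {"office_hours": range(9, 17)}                  # 09.00-17.00

# A request as ISA sees it: source address, destination host, protocol, hour of day
Request = namedtuple("Request", "client_ip host protocol hour")

@dataclass
class Rule:
    action: str              # "allow" or "deny"
    protocols: object = None # set of protocol names, "ALL", or None (no protocol criterion)
    destinations: str = None # destination set name; None = all destinations
    schedule: str = None     # schedule name; None = always
    clients: str = None      # client address set name; None = any request

def rule_matches(rule, req):
    if rule.protocols == "ALL" and req.protocol not in PROTOCOL_DEFINITIONS:
        return False         # "All protocols" covers only the defined protocols
    if isinstance(rule.protocols, set) and req.protocol not in rule.protocols:
        return False
    if rule.destinations and req.host not in DESTINATION_SETS[rule.destinations]:
        return False
    if rule.schedule and req.hour not in SCHEDULES[rule.schedule]:
        return False
    if rule.clients and ip_address(req.client_ip) not in ip_network(CLIENT_ADDRESS_SETS[rule.clients]):
        return False
    return True

def evaluate(rules, req):
    """Order is irrelevant: any matching deny wins; no matching rule means deny (ISA default)."""
    matching = [r for r in rules if rule_matches(r, req)]
    if any(r.action == "deny" for r in matching):
        return "deny"
    return "allow" if matching else "deny"

def decide(protocol_rules, site_rules, req):
    """ISA checks the protocol rules first, then the site and content rules; both must allow."""
    if evaluate(protocol_rules, req) == "deny":
        return "rejected: protocol rule"
    if evaluate(site_rules, req) == "deny":
        return "rejected: site and content rule"
    return "allowed"
```

With an allow and a deny rule both defined for SMTP, `decide` rejects SMTP regardless of list order, and a request for a protocol missing from Protocol Definitions is rejected even by a rule selecting “All protocols”.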


IP Packet Filters

The last group of filters available to the Microsoft ISA Server administrator are Packet Filters. IP
packet filters combined with IP packet routing allow the creation of a secure perimeter network
(also known as a DMZ, DeMilitarized Zone). As with the previous two types of rules, a
wizard is available to help with the configuration.

1. When creating an IP packet filter, one must first set the action for packets matching the
   filter as they pass through the firewall:
   - Allow packet transmission,
   - Block packet transmission.
2. In the “Filter Type” dialog box select either a predefined filter suitable for a few basic
   communication purposes or click “Custom”.
3. In the “Filter Settings” box set the following parameters:
   - IP Protocol
     i. Custom Protocol – one must specify a protocol number,
     ii. Any (encompasses all protocols),
     iii. ICMP,
     iv. TCP,
     v. UDP.
   - Direction
     i. Both,
     ii. Inbound,
     iii. Outbound.
   - Local Port
     i. All Ports,
     ii. Fixed Port,
     iii. Dynamic Ports.
   - Remote Port
     i. All Ports,
     ii. Fixed Port,
     iii. Dynamic Ports.
4. Specify the local IP address to which the rule will apply. One may select from the
   following options:
   - Default IP addresses for each external interface on the ISA Server computer,
   - This ISA Server’s external IP,
   - This computer (on the perimeter network, i.e. the DMZ).
5. In the final step, one must define the remote computer or range of remote computers to
   which the rule being created will apply.

Publishing Policy Rules

Nowadays, having a registered web site and email facility is becoming a standard for all types of
businesses throughout the world. Many organisations decide to outsource networking services
from ISPs, assuming that such services are always secure and always available. However, such a
solution may be somewhat inconvenient for the users. If, for example, one needs a new email
account, a specific request has to be made and sent to the ISP for this service. For this reason
there is a tendency among network managers in many companies to relocate servers to their
corporate networks, but few are aware of how risky such a decision may be. A published server,
whether a Web server, email server or any other service, is only as secure as the system
administrator’s definition of the ports over which the specific service is passed. With ISA Server,
the publishing policy consists of two categories of rules that allow information to be securely
published to the external Internet:
· Web Publishing Rules – for publishing Web servers only,
· Server Publishing Rules – for publishing other servers.

In line with Microsoft’s tendency for newly introduced products, the configuration procedure is
simplified by providing suitable wizards. Three configuration wizards are built in:


Web Publishing Rule wizard.

1. In order to create a Web publishing rule, right-click Servers & Arrays -> Server Name ->
   Publishing -> Web Publishing Rules and from the context menu select New -> Rule.
2. In the next step, select the destination set to which the rule being created will apply.
   If this is a corporate network Web server, select the computer in the internal network
   that is to be made available to external hosts.
3. Next, one must configure the hosts whose requests are to be governed by the rule being
   created. For instance, in the case of a Web server where the organisation’s web site is
   published, select “Any request”. If it is an Intranet service that will be accessed by
   remote users, one may define the range of IP addresses to which the rule will apply, or
   select users who, after authentication, will be allowed to access the Web server.
4. In the final step, one must define what happens when a request matches the parameters
   mentioned above. For example, one may define that such a request is discarded, or decide
   to which server located behind the ISA Server computer such a request is redirected.
   Once this rule is created, any incoming HTTP requests sent to the ISA Server address will
   be redirected to the corporate Web server. This enhances security because Internet users
   are not allowed to access the Web server directly, and ISA Server will cache all requests.

Fig. 7 The Web Publishing Rules Wizard


The Secure Mail Server Wizard.

1. In order to publish an internal mail server securely, on the “Servers & Arrays ->
   Server Name -> Publishing -> Server Publishing Rules” tab, right-click and select “Secure
   Mail Server”.
2. In the next step, define the communication protocols (SMTP incoming, SMTP outgoing,
   Exchange/Outlook, IMAP, POP, NNTP) and whether each is published without encryption or
   SSL encrypted, together with the certificate used for the SSL server.
3. Next, specify the external IP address (from those IP addresses that belong to the ISA
   Server) on which requests are accepted for redirection to the internal server.
4. In the final step, one must specify the IP address of the internal server (located behind
   the ISA Server computer) that will handle the requests defined in step 2 above.

Fig. 8 The Secure Server Publishing Rules Wizard

Naturally, it is not necessary to place all these services on a single ISA Server, although the
Internet is only aware of one IP address through the connection.


The New Server Publishing Rules Wizard

1. The server publishing service allows an internal server to be made accessible to external
   clients. To start the configuration, on the “Servers & Arrays -> Server Name ->
   Publishing -> Server Publishing Rules” tab, right-click and select “New -> Rule”.
2. Specify two IP addresses: the IP address of the server in the internal network, and the
   IP address of the ISA Server that will be visible to the external Internet clients for whom
   the published service will be available.
3. In the final step, one must define the protocol that the external Internet clients will use
   when accessing the internal server located behind the firewall. From the drop-down box,
   you can select any protocol definition that is predefined in the “Protocol Rules” tab and
   is marked “Inbound” in the “Direction” field.
