Posted on: 2/26/2011
Microsoft ISA Server, Part I – introduction, installation, configuration, Web caching and Internet access

What happened before ISA Server?

The history of ISA Server goes back to a product named Proxy Server 1.0. At the time, the fast and secure Internet access market saw one more player: the Microsoft Corporation. Proxy Server 1.0, however, was merely a means for the effective conduct of initial market research. The market responded favourably to this product being integrated within the existing Windows NT 4.0 enterprise networking systems. The first edition of MS Proxy Server had many limitations. It supported only a few basic Internet protocols and its security tool functions were rather obsolete. Microsoft's second try, Proxy Server 2.0, was a natural evolution with many useful and expected functions. One great application of this tool is its use of the Windows NT account databases, which considerably simplified user management within the enterprise. Many more protocols are supported, and caching services, packet filtering capability and considerably enhanced security performance have also been incorporated. Although it was an improved version, Proxy Server 2.0 still suffered from a limited range of functions compared to third-party products. This was surely not Microsoft's last word. In the time of the Windows NT 4.0 successors, i.e. Windows 2000 and the newest Microsoft Windows operating system, Windows XP, new possibilities have emerged for implementing the technologies they incorporate.

New concepts created by ISA Server

ISA Server carries new terms that need to be understood before attempting product deployment on the network.

· Array – a group of ISA computers that are located close together, for example in a department, office or region. There are two types of arrays:
  Domain Arrays – use Active Directory. A domain array can encompass computers located within a single domain.
  Independent Arrays – store information not in Active Directory but in a local configuration database. This array type is mainly used in NT 4.0 based networks.
· Rule – with rules, the system administrator can set up a series of protocols to govern sites, contents, protocols and IP packet filters.
· Array policy – a set of rules that define the array policy. Such a policy can be applied to any specific (and single) array.
· Enterprise policy – enterprise-level policies contain similar rules to those established in array policies, but they are applied to multiple arrays. With ISA Server, array policies can be used to modify enterprise policies, making them more restrictive. However, it is not possible for an array policy to ease restrictions imposed by the enterprise policy.

ISA Server Components

ISA Server supports many more functions than its predecessor. The following options are available with this new product:

Firewall – the Firewall client is an extension to the ISA Server that features an enhanced set of functions allowing it to compete with other similar products available on the IT market. With the Firewall client, Active Directory can be supported from Windows 2000 (or the SAM databases from NT). These are used to provide specific security functions at user or group level. This feature is not supported by the majority of third-party products, which use either separate user databases or IP addressing. Firewall functions are enhanced to support so-called stateful packet inspection, i.e. a solution for improved security where data packets passing through the firewall are intercepted and analyzed at either a protocol or connectivity level.

Policy-based administration – ISA Server lets administrators manage using predefined policy rules. Policies can include a set of consistent rules regarding users, groups of users, protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise.
For businesses that use networks with Active Directory enhancements, multi-tiered enterprise policies match their need for a comprehensive IT system that facilitates management of the entire enterprise and its infrastructure.

Virtual Private Network Support – ISA Server provides an easy solution to create VPN-based networks. The wizards supplied with ISA Server help to configure VPN tunneling and may activate the RRAS service if not already initialized.

Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically open firewall ports for authorized Internet users on a session-by-session basis. This considerably simplifies the administrator's duties in situations where applications frequently change the ports over which they communicate with each other.

IDS (Intrusion Detection System) – Microsoft has equipped ISA Server with an Intrusion Detection System. This module was purchased from Internet Security Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box support for preventing several types of attacks including WinNuke, Ping of Death, Land, UDP bombs, POP Buffer Overflow and Scan Attack. Once an attack has been detected and identified, ISA may decide either to disable the attack or notify administrators about the event.

Web Cache – ISA Server provides fast Web caching performance. Administrators can automatically refresh frequently requested www pages on a reverse and scheduled caching basis.

Reports – the major point of contrast between ISA and its predecessor, Proxy Server 2.0, is that ISA features numerous report generating possibilities. By scheduling report generation connected, for example, with the users' actions or security related events, managing ISA Server based networks is a simple task.

Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0).
The DNS SRV record must be registered in order to have the gatekeeper enabled.

Client Deployment – with the SecureNAT (Network Address Translation) feature, ISA Server delivers to clients and servers transparent and secure access to the Internet with no need to configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security and Acceleration Server fills a gap in the range of this type of products available from the Redmond colossus and is trying to jump aggressively into the mass market sector associated with Web security and fast Web access. The new potential implemented in ISA Server is expected to allow Microsoft to compete effectively in this business area. It should be noted that Microsoft's engineers carefully integrate all products together to bring the Company's vision of a .NET platform to businesses.

Software and hardware requirements

The minimum hardware requirements recommended by Microsoft for this product are: 300 MHz or higher Pentium II compatible CPU, 256 MB of RAM, 2 GB hard-disk space on an NTFS formatted partition, 200 MB of available hard-disk space for installation. ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or greater. Problems with insufficient server capacity may occur with this type of configuration. Thus, for various ISA Server usage scenarios, the hardware should be adequately strengthened. If ISA Server is to be used as a firewall, one will need to consider how powerful the CPU should be in terms of throughput requirements.

Throughput requirements | Recommended CPU
Less than 25 Mbyte/s | Pentium II 300 MHz – 500 MHz
From 25 Mbyte/s to 50 Mbyte/s | Pentium III 550 MHz or better
More than 50 Mbyte/s | Pentium III 550 MHz or better for each 50 Mb

Table 1 CPU capacity requirements vs. throughput

Obviously these values can only be used as a reference when planning the ISA Server's hardware to meet the expected load. This may vary as a function of the usage scenario (such as the type of transmitted data). In case ISA Server is to be deployed as a Forward Cache, in addition to adequate CPU capacity consider also the requirements for RAM and the free disk space available for caching purposes.

Number of users | Recommended processor | Minimal RAM capacity (Mb) | Recommended disk space allocated for caching
Up to 250 | Pentium II 300 MHz | 256 | 4 GB
250 – 2000 | Pentium III 550 MHz | 256 | 10 GB
More than 2000 | Pentium III 550 MHz for every 2,000 users | 256 for every 2,000 users | 10 GB for every 2,000 users

Table 2 – Capacity planning for forward caching server applications

If you want to use ISA Server in Integrated Mode (see Installation), these values will be further augmented. Therefore, the performance of any computer intended to operate as an ISA server will be completely utilised.

Installing ISA Server

A Windows 2000 Server with a full implementation of Active Directory is the minimum on which it is possible to install Microsoft ISA Server. Before installing ISA Server, one must configure Active Directory (adding required classes and selecting object properties).

Fig. 1 ISA Server setup screen with selected AD schema modification option

Before the system attempts to update the schema you will be warned that this action is not reversible.

Fig. 2 Active Directory's modification-related warning

When modifying the schema, it is necessary to determine what the intended extent of modifications to the existing policies integrated in AD would be. In case of problems with the modification of Active Directory, one should consult the Ldif.log file.

Fig. 3 Modifying Active Directory

Once the Active Directory has been updated, you can attempt to install ISA Server.
In the first step, you will be requested to supply the information about the installation mode (Typical, Full, Custom).

Fig. 4 ISA Server installation options

After this step, the set-up wizard checks whether Active Directory has already been installed or not and if any settings have been modified. Next, you will be prompted to determine if the server should be part of a domain or be used as a standalone unit. In the next step, select the mode of operation from the following three options:

· Firewall – with this option, ISA Server will function as a very powerful firewall,
· Web Cache – will establish the ISA Server as a cache server and give access to 'Net resources',
· Integrated Mode – when in integrated mode, all ISA Server implemented and initialized features will be available.

Fig. 5 Selecting the functional mode

Once the required mode has been selected, the next dialog box stops the Internet Information Services (if any are already installed) and prompts you to either uninstall IIS or re-configure it not to listen on ports 80 and 8080, which are required for ISA Server. Despite possible joint operation, Microsoft recommends relocating the IIS Server to another machine. In the next step, you will be prompted to specify the cache size for the Web Cache service.

Fig. 6 Configuring the cache size for WWW caching

If it is a multiple-disk server, one may benefit by distributing caches onto a few disks. This would accelerate the process of accessing cacheable information. Having configured appropriate cache sizes for WWW Web services, one may attempt to configure the LAT (Local Address Table).

Fig. 7 LAT setup utility

LAT (Local Address Table) – these are tables that define all internal IP address ranges. If one selects this Table (Fig. 7), either the private IP address ranges as defined in RFC 1918 (10.X.X.X, 172.16.X.X, 192.168.X.X) or the external Windows 2000 routing tables will be used.

Fig. 8 A default LAT

Once this step is successful, you will get a screen with the end of LAT configuration. Remember to ensure that all network cards are connected to the Internet while installing ISA Server. Should any network card be inactive, LAT tables will probably not be created.

Fig. 9 Completing the LAT setup procedures

After completing the setup procedures, you can attempt to replicate the content of all files to the ISA Server directory. After installation, the ISA Server Administration utility will start.

Fig. 10 Microsoft ISA Server Administrator utility and Getting Started Wizard

To manage this utility, use the Microsoft Management Console (MMC) feature. The left pane contains all options that are necessary for setup, whilst the right pane provides the settings available for such options.

Getting Started Wizard

Because ISA Server is completely different from Proxy Server 2.0, Microsoft recommends that even experienced administrators become acquainted with the Wizard that will help in the initial steps of product configuration and customization. The Getting Started Wizard works with a set of options that will aid users through the process of customizing the product and will also clarify the effects of specific modifications when introduced to the ISA Server. The Wizard is split into two sections (see Fig. 10): Configuring policies, Configuring arrays. After you have finished the initial configuration of ISA Server with help from the Getting Started Wizard, you can fully adapt the product to the working environment by finally re-adjusting certain settings.

Creating protocol rules

Administering an ISA Server means creation of suitable arrays, rules and policies. Arrays and policies have already been explained, so let us examine the term "rules".
ISA Server uses two types of rules:

Site and content rule – determines if and when content from specific Internet destinations can be accessed by users,
Protocol rule – determines which packets may or may not access the ISA server.

Apart from the above rules, the following rules can also be defined for ISA server:

Bandwidth (Capacity) rule – this will prioritise different types of services using ISA server. This allows administrators to determine which specific www traffic or business-related traffic will be allocated the available bandwidth.
Web publishing rules – to "publish" incoming HTTP, HTTPS, FTP requests and map them as services on the ISA Server.
Server publishing – with this feature, clients from the public Internet are directed to the ISA Server instead of to the web server. Moreover, the ISA Server may act as the proxy for inbound and outbound traffic between the public Internet clients and the internal web server.

Web Cache functions

ISA Server features high-performance Web Cache functions. With the Cache Configuration tab the user is guided through Web service configuring. In addition to a variety of settings, the possibility exists to set up the size of the cache memory per hard disk and configure the schedule of caching tasks (TTL utility).

Fig. 11 Configuring caching services

When ISA Server is set up as a Web caching server, two situations are possible:

Forward Web Caching Server – this is the most popular use of the Web caching server. Its function is as follows:

Fig. 12 Forward Web Caching Server

1. User No. 1 (Client 1) forwards a request to the Web server for an object;
2. The ISA Server approves the request and checks if the object already exists in the local cache. If the content does not already exist in the cache, the ISA Server contacts the Web server to fetch the requested object (on behalf of the user);
3. The Web server returns the object in question to the ISA Server;
4. ISA Server returns the Web object to the original client No. 1, and saves this object to cache it locally;
5. User No. 2 forwards the request for the same Web object;
6. ISA Server will send the object cached locally to user No. 2.

Reverse Web Caching Server – Reverse Proxy by an ISA Server offers security for one or more Web servers located on the internal network. This ensures secure Web publishing, which is of particular concern if sensitive data is to be sent from the servers.

Fig. 13 Reverse Web Caching Server

In addition to the security offered by both forward and reverse caching, ISA Server can be configured to give administrators the possibility to manage various Web caching solutions such as:

Scheduled Content Download – ISA Server can be configured to provide tools for downloading/refreshing web pages at appropriate intervals. In this way, the most popular web objects may be refreshed at night instead of during the day without risking overloaded connections.
Active caching – when active caching is used, ISA Server itself will evaluate and rank the cache and refresh it as necessary. This is a particularly useful option in situations where employees must use specific URL sites to fetch necessary information several times during the day, from sites that are frequently updated, and especially if it is risky to fetch non-updated versions.
On Demand – the most popular configuration of a caching server: upon an initial request for on-demand content, the server acquires the requested Web files and stores them locally in its cache.

Secure Internet Access through ISA Server

Secure Internet Access is one of the fundamental features provided by ISA Server. It is increasingly necessary to improve security tools and check users that access the network from outside, especially in a situation where the Global Web is vulnerable to outside interference from viruses, trojan horses or hacker attacks. One may also wish to improve security to monitor network users and protect the network from potential Internet threats.
To face this challenge and provide solutions for a broad landscape of users, Microsoft has implemented three types of clients in ISA Server:

Firewall clients – all computers that have Firewall Client software installed and active,
SecureNAT clients – all computers that do not have Firewall Client software installed,
Web Proxy clients – all Web browser clients that are configured to use ISA Server.

Feature | SecureNAT Client | Firewall Client | Web Proxy Client
Installation required? | No, but some network configuration changes required | Yes | No, requires Web browser configuration
Operating System support | Any OS that supports TCP/IP | Only Windows platforms | All platforms
Protocol support | Requires application filters for multi-connection protocols | All Winsock applications | HTTP, SHTTP, FTP, Gopher
User-level authentication | No | Yes | Yes
Server applications | No installation or configuration required | Requires configuration file | N/A

Table 3 Comparison of ISA Server Clients

Both Firewall and SecureNAT clients include the Web Proxy client service, since all Web client requests are passed to the Web Proxy. All other requests sent by either Firewall or SecureNAT clients are redirected to other modules within ISA server. Before selecting the client type to be used in a specific enterprise, it is necessary to recognize what particular applications and protocols are to be used in the network. A proper evaluation will help to have trouble-free use of Web services without continuous changes to the configuration. Choosing reliable clients is also the foundation for all network security, since a more liberal access policy to Internet facilities may threaten not only e-privacy but also e-access. It is enough to realise that a few users who are downloading MP3 or AVI files from the Net and have a few Internet sessions open will be sufficient to occupy an enterprise connection at nearly 100 percent utilisation.
Network need | Recommended client type | Reason
To avoid deploying client software or configuring client machines. | SecureNAT | SecureNAT clients do not require any software or specific configuration on client computers.
To use ISA Server only for forward Web caching. | SecureNAT | If one uses ISA Server as a Web caching server, one will not have to deploy any special software.
One wants to create user-based access rules to control non-Web Internet access. | Firewall Client | If one uses Firewall clients, one may configure access rules for non-Web sessions. However, these rules will be effective only if one configures ISA Server to require authentication information with each session.
The network supports many roaming users and computers. | Firewall Client | SecureNAT clients do not support automatic discovery of ISA server. When one configures automatic discovery, roaming users or computers cannot connect to the Internet server as appropriate.
The clients need access (outside of Web browsers) to protocols with secondary connections to the Internet via FTP. | Firewall Client | SecureNAT clients do not support protocols with secondary connections.
To support dial-in-demand for non-Web sessions from the clients. | Firewall Client | Though SecureNAT supports dial-out, only Firewall clients support dial-in-demand for non-Web sessions.

Table 4 Choosing an ISA Server Client Type

Table 4 represents the choices that may be useful to benefit from a proper selection of clients accessing the network in a specific enterprise. For a more detailed specification of the particular types of clients see the files attached to the program.
Extras

Because many extras are included with ISA Server, additional information may be required; it can be found on the Internet at the following sites:
http://www.microsoft.com/isaserver/
http://www.isaserver.org/
http://www.faq.net.pl/
Newsgroups: ms-news.pl.isa-server, microsoft.public.isa
Microsoft Press Publishing: MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000

Microsoft ISA Server, Part II – Firewall Functions, Publishing Policy Rules

ISA Server Security Configuration

It is recommended to define the server security level before beginning the ISA Server security configuration. To configure the appropriate security level, right-click the server icon in the window Servers and Arrays -> Server name -> Computers and select "Secure…" to start the wizard. After the wizard starts, a warning message will appear saying that any changes made to the settings cannot be undone.

Fig. 1 ISA Server Configuration Wizard warning

There are three levels of security available using the wizard, so in the next step, configure the security level that is appropriate for your ISA Server. When selecting security options, consider primarily the service to be provided by your server, for instance, whether it is intended to perform firewall-only services or also domain controller or file server roles. Depending on the choice, the corresponding access level will then be granted to the server.

Fig. 2 Choosing ISA Server security level

To configure the chosen security level, run one of the template files below (see Table 1), which are available for this purpose.

Table 1 ISA Server Security scenarios

Security Level | Security Template | Domain Controller Security Template
Secure | Basicsv.inf | Basicdc.inf
Limited Services | Securews.inf | Securedc.inf
Dedicated | Hisecws.inf | Hisecdc.inf

All these templates are available in the directory %SystemRoot%\security\Templates\. If necessary the security scenarios can be modified.
Knowledgeable administrators may try to create their own security schemes to meet the requirements established in the company's IT Security Policies and provide maximum control over access to the server and to the files it contains and manages. Once these procedures are completed, the Active Directory schema will be updated and you will be prompted to restart the computer.

Policy-based Access Control

As with most firewalls, ISA Server provides the administrator with the possibility to configure detailed usage policies. These rules apply to both outgoing traffic (e.g. local users) and incoming traffic (e.g. external users, teleworkers or potential hackers). Each packet that passes through ISA Server can be recorded, producing a log with details of Internet connection usage, attack attempts etc. Prior to configuring the access policy rules, one should define the access policy elements to be used. These are available at the tab Servers and Arrays -> Server Name -> Policy Elements. These elements include:

Schedules – these determine when the rule is in effect. They allow configuration of a very flexible security policy. For example, a group of users can be restricted to specific Web pages during working hours and have full Internet access at all other times.
Bandwidth priorities – to prioritize ISA Server-based network connections. There is a default bandwidth rule: all connections have the same priority.
Destination sets – such a set may contain an IP address, an IP range, a computer name and a specific path on the destination server, and may give access, for example, to the following destination only: www.faq.net.pl/binaries. You can use an asterisk (*) to specify the group of all computers in a domain. E.g., if there is a need to create a group encompassing all computers from the domain bsi.net.pl, produce the destination set containing "*.bsi.net.pl".
Destination sets can be further used when configuring the following access policy elements: Site and Content Rules, Bandwidth Rules, Web Publishing Rules and Routing Rules.
Client Address Sets – the client sets containing IP address ranges. These can also be used when configuring the following access policy elements: Site and Content Rules, Bandwidth Rules, Web Publishing Rules, Server Publishing Rules and Routing Rules.
Protocol Definitions – these include a list of preconfigured protocol definitions available on ISA Server that are further used to create Protocol Rules and Server Publishing Rules. In addition to the predefined protocols, customisable protocols can be created and used. In order to create a customised protocol, one must specify the following information: the number (between 1 and 65535) of the port that will be used for communication, the protocol type (TCP or UDP), and the direction of the traffic (Inbound or Outbound). There is also an option called "secondary connections", which is the range of port numbers, protocol, and direction used for additional connections or packets that follow the initial connection.
Content Groups – include groups of file types subdivided into eleven categories: Applications, Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro Documents, Text, Video, and VRML.
Dial-Up Entries – these specify the connectivity between the ISA Server computer and the Internet (or other Dial-Up servers) for dial-up connections. In order to configure this feature properly, specify the name of the Windows 2000 connection and then the login and the password of the authorized user.
Once these policy elements have been defined, one can attempt to configure the access rules that are provided in the "Access Policy" tab and include the following three elements:

Site and Content Rules – which control access to specific destination servers and certain contents, objects and locations,
Protocol Rules – define which protocols clients can use to access the Internet,
IP Packet Filters – rules that govern packet filtering.

Fig. 3 When configuring Access Rules one will go through the Policy Elements and Access Policy tabs

Site and Content Rules

With these rules, the network administrator determines access to contents outside the firewall. They include information about if and when a client/user, or a client set, can access certain destination sets. One can allow or deny access to the Internet by creating site and content rules as appropriate. ISA Server by default disables the use of any protocol. The illustration below is an example configuration of rules that allow the internal network users to access the URL www.securitynet.pl during office hours (09.00-17.00). Prior to attempting to configure access rules, one must create the following three access policy elements: Client Address Sets, Destination Sets, Schedules. All three elements are to be created using a wizard that appears after opening the "Policy Elements" menu. Right-click "Site and Content Rules" and select "New" to start the New Site and Content Wizard, allowing easy creation of a new filter.

The New Site and Content Wizard

1. Rule Action screen. One can select either of two possible server actions in relation to an event: Allow – permits access to the external sites; Deny – clients using that definition will be denied access to the external sites. For HTTP contents there is the possibility to redirect requests to another server, specifying also the reasons one cannot access the site. In this example, Allow will be selected.
2. How to apply the rule.
   There are four options to select from: Allow access based on destination, Allow access only on certain times, Allow some clients access to all external sites, Custom – allows for a detailed definition of all three parameters contained in a single access rule. In this example, Custom will be selected.
3. Destination Sets screen. There are the following options to select from: All destinations, All internal destinations, All external destinations, Specified destination sets (from the drop-down box select the destination set created in the policy elements), All destinations except selected sets. From the drop-down box select the destination set corresponding to the address www.securitynet.pl.
4. Schedule screen – to define the times when the user will have access to the specified external sites. At this point, select the option from the drop-down box, as appropriate (same as "Destination Sets").

Fig. 4 Scheduling access times

5. Client type screen. There are the following options to select from: Any request; Specific computers (client address sets) – one must specify the IP addresses of the computers the rule you create will apply to; Specific users and groups – one must specify users from a group of users (through Active Directory) to whom the rule you create will apply.
6. Determining the content types to which the rule applies. In ISA Server, these are subdivided into eleven groups: Application, Application Data Files, Audio, Compressed Files, Documents, HTML Documents, Images, Macro Documents, Text, Video, VRML. The contents of the individual groups can be viewed at Policy Elements -> Content Groups. Right-click the tab and select "New" to start the wizard and customize the "Content" group. Specify the set of documents accessible by the external users.

Fig. 5 On the Content Groups screen one can specify the types to which the rule created will apply.

Protocol Rules

Protocol rules define the types of Internet connections that clients are allowed to make.
One must adhere strictly to the configuration principles when defining rules of communication with external networks. When a client requests communication with a specific object in the external network, ISA Server checks whether a rule allowing communication based on this specific protocol has been created or not. If such a rule does not exist, or permission to access the particular protocol is denied, the request will be rejected. Otherwise, the server will check if the administrator has permitted the user to access this specific site (in the Site and Content Rules). Since the protocol rules and the content rules work hand in hand, the user will be allowed to access the site only if both "agree". When creating rules, be aware that the sequence in which they appear is irrelevant; however, the rules that deny protocols are processed before the rules that allow access. More specifically, if you configure two conflicting rules, one that allows access and the other that denies access for the SMTP protocol, all SMTP traffic will be disabled. Note also that selecting "All protocols" means that only the protocols defined in the Protocol Definitions will be selected. In other words, if any non-standard protocols are used in the network, they must be added to the protocol definitions. Otherwise, even with "All Protocols" a non-standard protocol will be denied.

Creating Rules

Continuing the previous example, if one wants to allow the users to enter the site www.securitynet.pl, then the HTTP protocol must be enabled. Following that step, proceed as follows:

1. Start the "Protocol Rules" wizard,
2. Select whether the specific users are to be allowed (Allow) or denied (Deny) use of the protocol,
3. Select the protocol.

Fig. 6 Configuring the protocol to which the rule applies

4. On the Schedule screen, select the times for accessing the protocol, for example from 09.00 a.m. to 05.00 p.m.
5. Similarly to Site and Content Rules, select the users or groups of computers that are to access the protocol.
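The evaluation order described above (protocol rules first, then site and content rules, Deny processed before Allow regardless of order, schedules, and the "All protocols" caveat), modelled as an added example that is not part of the original article and not ISA Server's own code; the protocol definitions, rules, hostnames and client addresses in it are constructed sample data:

```python
"""ISA Server outbound access-policy evaluation modelled in Python (an added
example, not ISA Server code).  It encodes the behaviour described above: a
protocol rule AND a site and content rule must both allow a request, Deny beats
Allow whatever the order, rules apply only inside their schedule, nothing is
allowed by default, and "All protocols" covers only defined protocols."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Set, Tuple

# Constructed protocol definitions: name -> (port, transport).
PROTOCOL_DEFINITIONS = {"HTTP": (80, "TCP"), "HTTPS": (443, "TCP"), "SMTP": (25, "TCP")}


@dataclass(frozen=True)
class Schedule:
    """Daily window on a 24-hour clock; start inclusive, end exclusive."""
    name: str
    start_hour: int
    end_hour: int

    def active(self, when: datetime) -> bool:
        return self.start_hour <= when.hour < self.end_hour


ALWAYS = Schedule("Always", 0, 24)
OFFICE_HOURS = Schedule("Office hours", 9, 17)  # the 09.00-17.00 window used above


@dataclass(frozen=True)
class Rule:
    """Protocol rule (kind="protocol") or site and content rule (kind="site").
    targets: protocol names, or destination-set patterns such as "*.bsi.net.pl";
    None means "All protocols"/"All destinations".  clients: None = "Any request"."""
    name: str
    action: str                      # "Allow" or "Deny"
    targets: Optional[Set[str]]
    clients: Optional[Set[str]] = None
    schedule: Schedule = ALWAYS
    kind: str = "protocol"

    def matches(self, client_ip: str, target: str, when: datetime) -> bool:
        if not self.schedule.active(when):
            return False
        if self.clients is not None and client_ip not in self.clients:
            return False
        if self.kind == "protocol":
            if self.targets is None:  # "All protocols" = only defined protocols
                return target in PROTOCOL_DEFINITIONS
            return target in self.targets
        if self.targets is None:
            return True
        return any(fnmatchcase(target.lower(), p.lower()) for p in self.targets)


def decide(rules: Sequence[Rule], client_ip: str, target: str, when: datetime) -> str:
    """Deny rules are processed before Allow rules regardless of list order; no match = Deny."""
    matching = [r for r in rules if r.matches(client_ip, target, when)]
    if any(r.action == "Deny" for r in matching):
        return "Deny"
    return "Allow" if any(r.action == "Allow" for r in matching) else "Deny"


def evaluate_request(protocol_rules: Sequence[Rule], site_rules: Sequence[Rule],
                     client_ip: str, protocol: str, host: str, when: datetime) -> Tuple[str, str]:
    """Protocol rules are checked first, then site and content rules; both must agree."""
    if decide(protocol_rules, client_ip, protocol, when) != "Allow":
        return "Deny", "protocol rules deny " + protocol
    if decide(site_rules, client_ip, host, when) != "Allow":
        return "Deny", "site and content rules deny " + host
    return "Allow", "protocol rule and site and content rule agree"


def sample_policy() -> Tuple[list, list]:
    """Constructed policy: the office-hours example above, a conflicting SMTP pair,
    and a hypothetical admin workstation 10.0.0.5 granted "All protocols"."""
    protocol_rules = [
        Rule("HTTP in office hours", "Allow", {"HTTP"}, schedule=OFFICE_HOURS),
        Rule("Allow SMTP", "Allow", {"SMTP"}),
        Rule("Deny SMTP", "Deny", {"SMTP"}),  # conflicts with the rule above: Deny wins
        Rule("All protocols for admin PC", "Allow", None, clients={"10.0.0.5"}),
    ]
    site_rules = [
        Rule("securitynet.pl in office hours", "Allow", {"www.securitynet.pl"},
             schedule=OFFICE_HOURS, kind="site"),
        Rule("Any destination for admin PC", "Allow", None, clients={"10.0.0.5"}, kind="site"),
    ]
    return protocol_rules, site_rules


def at(hour: int, minute: int = 0) -> datetime:
    return datetime(2001, 6, 18, hour, minute)  # arbitrary constructed date


def check(client_ip: str, protocol: str, host: str, when: datetime) -> Tuple[str, str]:
    protocol_rules, site_rules = sample_policy()
    return evaluate_request(protocol_rules, site_rules, client_ip, protocol, host, when)


if __name__ == "__main__":
    for ip, proto, host, when in [
        ("10.0.0.20", "HTTP", "www.securitynet.pl", at(10, 30)),  # Allow
        ("10.0.0.20", "HTTP", "www.securitynet.pl", at(18, 0)),   # Deny: outside schedule
        ("10.0.0.20", "SMTP", "mail.example.com", at(10, 0)),     # Deny: Deny beats Allow
        ("10.0.0.5", "HTTPS", "intranet.bsi.net.pl", at(3, 0)),   # Allow: "All protocols"
        ("10.0.0.5", "GOPHER", "gopher.example.com", at(3, 0)),   # Deny: undefined protocol
    ]:
        print(ip, proto, host, when.strftime("%H:%M"), "->", check(ip, proto, host, when))
```

The GOPHER case shows why an undefined protocol must first be added to the Protocol Definitions: the admin rule's "All protocols" does not reach it.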
Once the above rules are properly configured, the users will be allowed to access the site www.securitynet.pl.

IP Packet Filters

The last group of filters available to the Microsoft ISA Server administrator are packet filters. IP packet filters, combined with IP packet routing, allow the creation of a secure perimeter network (also known as a DMZ, DeMilitarized Zone). As with the previous two types of rules, a wizard is available to help with the configuration.

1. When creating an IP packet filter, one must first set the action for packets matching the filter at the firewall:
- Allow packet transmission,
- Block packet transmission.
2. In the “Filter Type” dialog box, select either a predefined filter suitable for a few basic communication purposes or click “Custom”.
3. In the “Filter Settings” box, set the following parameters:
- IP Protocol: i. Custom Protocol (one must specify a protocol number), ii. Any (encompasses all protocols), iii. ICMP, iv. TCP, v. UDP.
- Direction: i. Both, ii. Inbound, iii. Outbound.
- Local Port: i. All Ports, ii. Fixed Port, iii. Dynamic Ports.
- Remote Port: i. All Ports, ii. Fixed Port, iii. Dynamic Ports.
4. Specify the IP address of the computer to which the rule will apply. One may select from the following options:
- Default IP addresses for each external interface on the ISA Server computer,
- This ISA server’s external IP,
- This computer (on the perimeter network, i.e. the DMZ).
5. In the final step, one must define the remote computer or range of remote computers to which the rule being created will apply.

Publishing Policy Rules

Nowadays, having a registered web site and email facility is becoming a standard for all types of businesses throughout the world. Many organisations decide to outsource networking services from ISPs, assuming that such services are always secure and always available. However, such a solution may be somewhat inconvenient for the users.
If, for example, one needs a new email account, a specific request for this service must be made and sent to the ISP. For this reason, there is a tendency among network managers in many companies to relocate servers to their corporate networks, but few are aware of how threatening such a decision may be. A server, whether a Web server, email server or any other service, is only as secure under a publishing policy as the system administrator is capable of defining the ports over which a specific service is to be passed. With ISA Server, publishing policy rules consist of two categories of rules that allow information to be securely published to the external Internet: Web Publishing Rules, for publishing Web servers only, and Server Publishing Rules, for publishing other servers. In line with Microsoft’s tendency for newly introduced products, the configuration procedure is simplified by providing suitable wizards. There are three built-in configuration wizards.

Web Publishing Rule wizard

1. In order to create a Web publishing rule, right-click Servers & Arrays -> Server Name -> Publishing -> Web Publishing Rules and from the context menu select New -> Rule.
2. In the next step, select the destination set to which the rule being created will apply. If this is a corporate network Web server, select the computer in the internal network to make it available to the hosts.
3. Next, one must configure the hosts whose requests are to be governed by the rule being created. For instance, in the case of a Web server where the organisation’s web site is published, select “Any request”. If it is an Intranet service that will be accessed by remote users, one may define the range of IP addresses to which the rule will apply, or select users that, after authentication, will be allowed to access the Web server.
4. In the final step, one must define what happens when a request matches the parameters mentioned above.
For example, one may define that such a request is ignored, or decide to which server located behind the ISA Server computer such a request is redirected. Once this rule is created, any incoming HTTP requests sent to the ISA Server address will be redirected to the corporate Web server. This enhances security because Internet users are not allowed to access the Web server directly. ISA Server will cache all requests.

Fig. 7 The Web Publishing Rules Wizard

The Secure Mail Server Wizard

1. In order to configure a secure internal email server, on the “Servers & Arrays -> Server Name -> Publishing -> Server Publishing Rules” tab, right-click “Secure Mail Server”.
2. In the next step, define the communication protocols (SMTP incoming, SMTP outgoing, Exchange/Outlook, IMAP, POP, NNTP) and the certificate for authenticating to the SSL server (no encryption or SSL encrypted).
3. Next, specify the internal IP address (from those IP addresses that belong to the ISA Server) used to redirect requests to the internal server.
4. In the final step, one must specify the IP address of the internal server (located behind the ISA Server computer) that will handle the requests defined in step 2 above.

Fig. 8 The Secure Server Publishing Rules Wizard

Naturally, it is not necessary to place all these services on a single ISA Server, although the Internet is only aware of one IP address through the connection.

The New Server Publishing Rules Wizard

1. Using the server publishing service, an internal server can be made accessible to external clients. To start the configuration, on the “Servers & Arrays -> Server Name -> Publishing -> Server Publishing Rules” tab, right-click and select “New -> Rule”.
2. Specify two IP addresses: one for the server in the internal network (the IP address of the internal server), and one for the IP address of the ISA Server that will be visible to the external Internet clients for whom the service being created will be available.
3. In the final step, one must define the protocol that will be followed by the external Internet clients when accessing the internal server located behind the firewall. From the drop-down box, you can select any filter that is predefined in the “Protocol Rules” tab and is marked “Inbound” in the “Direction” tab.