Configuring ISA Server as a Proxy Server

How to Configure Web and Firewall Chaining
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services. These servers can be chained in a hierarchical manner so that one ISA Server computer routes Internet requests to another ISA Server computer, rather than routing the request directly to the Internet. ISA Server also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer.

Why Use Web Chaining?
Web chaining is useful if your organization has multiple branch office locations, but all Internet requests are routed through one location at the head office. In this scenario, you can install ISA Server in each office and then configure ISA Server at the branch offices to route all Internet requests to the server running ISA Server at the head office.

You can also configure Web chaining so that not all Web requests are sent to the upstream server. For example, you can configure rules for conditionally routing Internet requests, depending on the destination Web server. This is useful if the head office and the branch offices are in different countries. If one of the branch offices has a direct Internet connection and many of the Web sites used by users in that branch office are in the same country as the branch office, you may choose to have the branch office ISA Server computer route all requests for specific domain names directly to the Internet. You can still have the branch office server route all other requests to the head-office ISA Server.

One of the benefits of using Web chaining is the accumulated caching on ISA Server. If all the servers running ISA Server in the branch offices are configured to forward their requests to the head-office ISA Server, the head-office ISA Server will develop a large cache that contains many requested items. The combination of caching at the local branch office and at head office increases the chances that the Internet content can be delivered to the client with the least use of network bandwidth.

Configuring Web Chaining Rules
To configure Web chaining rules, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node, select Networks, and then click the Web Chaining tab.
2. To create a new Web chaining rule, on the Tasks tab, click Create New Web Chaining Rule.
3. On the Welcome To The New Web Chaining Rule Wizard page, in the Web Chaining Rule Name box, type a name for the Web chaining rule. Click Next.
4. On the Web Chaining Rule Destination page, click Add to specify the destinations that will be affected by this rule.
5. In the Add Network Entities dialog box, select the destinations that this rule will apply to. For example, if the rule should apply to all Internet requests, expand Networks, then click External. Click Close.
6. On the Web Chaining Rule Destination page, click Next.
7. On the Request Action page, select how the request should be processed. You have three options:
- Retrieve Requests Directly From The Specified Destination: In this case, the Web request is routed directly to the Internet.
- Redirect Requests To A Specified Upstream Server: In this case, the Web request is routed to the server that you specify.
- Redirect Requests To: In this case, the request is routed to the specified Web site.
To configure Web chaining, select Redirect Requests To A Specified Upstream Server and then click Next.
8. On the Primary Routing page, shown in Figure 5-8, in the Server box, type the name of the server to which this server will send the requests. You can also specify the port numbers for HTTP and SSL and configure an account that will be used to authenticate at the upstream ISA Server. Click Next.
9. On the Backup Action page, configure what ISA Server should do if the upstream ISA Server is unavailable. You have three choices:
- Ignore Requests: In this case, ISA Server will not respond to client requests.
- Retrieve Requests Directly From The Specified Destination: In this case, ISA Server will route the request to the Internet.
- Route Requests To An Upstream Server: In this case, you can specify an alternative upstream server.
Select the option you require and then click Next.
10. On the Completing The New Web Chaining Rule Wizard page, review the configuration and then click Finish.
11. After creating the Web Chaining rule, you can configure how the ISA Server computer will bridge HTTP and HTTPS requests when using the Web chaining rule. To configure bridging, click the Web chaining rule and then, on the Tasks tab, click Define SSL Bridging For Selected Rule. On this page, you can configure how to redirect HTTP and SSL requests when sending the requests to the upstream server.
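
The routing choices made in steps 4 through 9 can be modelled in a few lines to see what a branch-office server does when the head-office server is unreachable. This is an added example, not ISA Server code: the rule names, host names and the server name hq-isa are constructed, the first-matching-rule order is an assumption, and the Redirect Requests To option is left out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical labels for the wizard choices described in the procedure above.
DIRECT, UPSTREAM, IGNORE = "direct", "upstream", "ignore"
INTERNET = "internet"


@dataclass
class ChainingRule:
    name: str
    destinations: Tuple[str, ...]          # domain suffixes; "*" matches any host
    action: str                            # Request Action: DIRECT or UPSTREAM
    upstream: Optional[str] = None         # Primary Routing server
    backup: str = IGNORE                   # Backup Action: IGNORE, DIRECT or UPSTREAM
    backup_upstream: Optional[str] = None  # alternative upstream server


def matches(rule, host):
    """True if host equals, or is a subdomain of, one of the rule's destinations."""
    host = host.lower().rstrip(".")
    return any(d == "*" or host == d or host.endswith("." + d)
               for d in rule.destinations)


def route(rules, host, reachable):
    """Return (rule name, next hop) for a request to host.

    reachable is the set of upstream servers that currently answer.
    The next hop is INTERNET, an upstream server name, or None when the
    request is not answered (the Ignore Requests backup action).
    """
    for rule in rules:  # assumption: rules are evaluated in order, first match wins
        if not matches(rule, host):
            continue
        if rule.action == DIRECT:
            return rule.name, INTERNET
        if rule.upstream in reachable:
            return rule.name, rule.upstream
        # Primary upstream is unavailable: apply the Backup Action.
        if rule.backup == DIRECT:
            return rule.name, INTERNET  # traffic skips the head-office server
        if rule.backup == UPSTREAM and rule.backup_upstream in reachable:
            return rule.name, rule.backup_upstream
        return rule.name, None
    return None, None


def branch_rules(backup):
    """Constructed branch-office rule set: in-country sites direct, the rest via head office."""
    return [
        ChainingRule("In-country sites", ("local.example",), DIRECT),
        ChainingRule("Everything else", ("*",), UPSTREAM,
                     upstream="hq-isa", backup=backup),
    ]


if __name__ == "__main__":
    for backup in (IGNORE, DIRECT):
        for up in ({"hq-isa"}, set()):
            print(backup, sorted(up), route(branch_rules(backup), "www.example.com", up))
```

With the Retrieve Requests Directly backup action, an outage of the upstream server sends branch traffic straight to the Internet, so any filtering or logging applied only at the head office no longer sees it.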

Configuring ISA Server as a Proxy Server

How Does a Reverse Web Proxy Server Work?
A reverse Web proxy server operates in much the same way as a forward Web proxy server. However, instead of making Internet resources accessible to internal clients, reverse proxy makes internal resources accessible to external clients.

The following steps outline how a reverse Web proxy server works:
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a DNS lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the object is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.

How to Configure ISA Server as a Proxy Server:
You can deploy ISA Server 2004 as a Web proxy and a Winsock proxy server. In fact, as soon as you enable access to Internet resources for internal clients, ISA Server begins to operate as a Web proxy server. However, there are also several Web proxy server settings that you can modify on ISA Server.
To configure these settings, perform the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and select Networks.
2. Click the network whose Web access properties you want to configure. If you are configuring access to the Internet for internal clients, select the Internal network. Click Edit Selected Network.
3. Click the Web Proxy tab to configure the Web Proxy settings for ISA Server. The interface is shown in Figure 5-3. First, ensure that Enable Web Proxy Clients is selected. This is selected by default.

On the Web Proxy tab, you can choose to enable or disable HTTP connections on the specified port number. You can also enable or disable Secure Sockets Layer (SSL) connections. If you select this option, ISA Server will listen for HTTPS connections on the port specified. If you enable SSL, you must also configure a certificate that will be used for SSL authentication and encryption. Web browsers cannot use this setting for Internet access, but it can be used for Web chaining scenarios.
4. To configure the Advanced Settings, click Advanced. The interface is shown in Figure 5-4. On this tab, you can configure the number of connections, which will limit the number of users that can connect to the ISA Server at one time. You can also specify a connection timeout value, which sets a timeout limit for idle connections.

5. To configure ISA Server as a Winsock proxy server, you must configure the Internal network properties so that Firewall clients are supported. To configure this, click the Firewall Client tab on the Internal network properties and ensure that Enable Firewall Client Support For This Network is selected.

Lesson 2: Configuring ISA Server as a Proxy Server

What Is a Proxy Server?
A proxy server is a server that is situated between a client application, such as a Web browser or a Winsock application, and a server to which the client connects. All client requests are sent to the proxy server. The proxy server creates a new request and sends the request to the specified server. The server response is sent back to the proxy server, which then replies to the client application. A proxy server can provide enhanced security and performance for Internet connections.

The most important reason for using a proxy server is to make the user’s connection to the Internet more secure. Proxy servers make the Internet connection more secure in the following ways:
1- User authentication. When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource, based on the authenticated user.
2- Filtering client requests. The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site the user requests.
3- Content inspection. Proxy servers can inspect all traffic to and from the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions.
4- Logging user access. Because all traffic flows through the proxy server, the server can log whatever the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization’s Internet usage policies.
5- Hiding the internal network details. Because all requests for Internet resources come from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information, such as computer name or IP address, is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet.

Another benefit of using a proxy server is to improve Internet access performance. The Web proxy server improves performance by caching requested Internet pages on the Web proxy server’s hard disk. When another user requests the same information, the proxy server provides the page from the cache rather than retrieving it from the Internet.

How Proxy Servers Work
Proxy servers can be used to secure both inbound and outbound Internet access. When a proxy server is used to secure outbound Internet access, it is configured as a forwarding proxy server. When a proxy server is used to secure inbound Internet access, it is configured as a reverse proxy server.

How Does a Forward Proxy Server Work?
Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on the Internet. The proxy server may be running at the connection point between the Internet and the internal network. In this case, the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a firewall may be deployed between the Internet and the proxy server, but all client computers will still be configured to use the proxy server.

The following steps outline how a forward Web Proxy server works for a Web application:
1. A client application, such as a Web browser, makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. If caching is enabled, the proxy server also checks if the requested object exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache or if the page is out of date, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the content in its cache and the object is then returned to the client application that made the original request.

Enabling Secure Access to Internet Resources

Guidelines for Designing an Internet Usage Policy:

One of the first steps that an organization must take, as it prepares to grant access to Internet resources, is to define an Internet usage policy. An Internet usage policy defines what actions users are allowed to perform while they are connected to the Internet. The Internet usage policy becomes the basis for configuring the ISA Server settings to provide secure access to the Internet.
Internet usage policies should do the following:
1- Describe the need for an Internet usage policy. At first, users may resist the policy because they may see it as limiting what they can do arbitrarily and without any business reason. The policy should define exactly why the policy is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases the resistance to the policy.
2- Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
3- Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have the means of resolving these issues. The easiest way to ensure this resolution is to provide users with the contacts they can use to get their answers quickly.
4- Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.

How ISA Server Enables Secure Access to Internet Resources
Now that you have developed the Internet usage policy, you are ready to implement that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
1- Implementing ISA Server as a firewall. ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
2- Implementing ISA Server as a proxy server. When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
3- Using ISA Server to implement the organization’s Internet usage policy. ISA Server can be used to implement many Internet-use restrictions.

Enabling Secure Internet Access with ISA Server 2004

Lesson 1: Enabling Secure Access to Internet Resources

What Is Secure Access to Internet Resources?
Almost all organizations provide some level of Internet access for their users. The use of the Internet as a source of information and e-mail as a communication tool means that most organizations cannot afford to be without access to the Internet. At the same time, ensuring that the connection to the Internet is secure is critical.

So what is secure access to the Internet? At a minimum, providing secure Internet access for users in an organization means the following:
1- Users can access the resources that they need. To do their jobs, users in many organizations must be able to use a Web browser or other application to access Internet resources.
2- The connection to the Internet is secure. Users must be reasonably sure that they will not be attacked through the Internet connection. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the computer, such as the computer name, user logon name, and shared folders, as well as details about the network configuration for the client computer, such as the client Internet Protocol (IP) address, should be hidden.
3- The data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal information such as credit card information to the Internet or they might send private or confidential organizational information such as client data to the Internet. This data must be secured when it leaves the organization. If the data cannot be protected, you must prevent users from sending the information to the Internet.
4- Users cannot download malicious programs from the Internet. One of the ways attackers gain access to your network is by getting users to download malicious content. You must prevent users from inadvertently or deliberately causing damage to the network by downloading viruses or Trojan horse applications to their client computers.

Secure access to the Internet also means that the user’s actions comply with the organization’s security or Internet usage policy. This means the following:
1- Only users who have permission to access the Internet can access the Internet.
2- These users can use only approved protocols and applications to access Internet resources.
3- These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
4- These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.

Installing and Managing ISA Server Clients

Advanced Firewall Client Configuration
In addition to the Firewall Client settings that you can configure on the ISA Server computer for distribution to all clients, there are also advanced settings that you can configure on the client computer running the Firewall Client. As much as possible, use the ISA Server settings to configure the Firewall Client settings, but in some cases, you may need a unique configuration for one or more clients.
Configuring Local Addresses
One of the advanced options that you can configure is the local address table. By default, Firewall Client considers all addresses on its local network, as well as the addresses specified in the local routing table on the Firewall client computer, as local. Each time a Winsock application on that client attempts to establish a connection to an IP address, the Firewall Client uses this information plus the Internal network information on ISA Server to determine whether the IP address is on the local network. If the server IP address is local, the Firewall Client will connect to the server directly; if the address is not local, the Firewall Client will go through the ISA Server computer to access the server.

You can modify this client behavior by creating a client computer–specific file that defines local addresses for that client. Using a text editor, you can create a custom client local address table (LAT) file named Locallat.txt and place it in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder on the Firewall client computer. You can add additional IP address ranges to the file so that the client will recognize these addresses as part of the local network. If this file exists, the client uses its own routing table, the server-specific settings, and the Locallat.txt file to determine the IP addresses that are part of the local network.

When you create the Locallat.txt file, enter IP address pairs in the file. Each address pair defines either a range of IP addresses or a single IP address. The following example shows a Locallat.txt file that has two entries. The first entry is an IP address range and the second entry is a single IP address. Note that the second entry on each line is an IP address and not a subnet mask.
10.51.0.0 10.51.255.255
10.52.144.103 10.52.144.103
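
Because every address listed in Locallat.txt is contacted directly rather than through the ISA Server computer, the file is worth checking before it is deployed. The following added example (not part of the original text or of the Firewall Client) parses the address pairs and flags a subnet mask in the second field, reversed pairs, and ranges that reach outside the RFC 1918 private blocks; the first two sample lines are the page's own, the remaining three are constructed.

```python
import ipaddress

# RFC 1918 private blocks. A "local" range outside these would be reached
# directly instead of through the ISA Server computer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def looks_like_mask(addr):
    """True if addr is a contiguous-ones netmask such as 255.255.0.0."""
    value = int(addr)
    inverted = ~value & 0xFFFFFFFF
    return value != 0 and (inverted & (inverted + 1)) == 0


def audit_locallat(text):
    """Audit the contents of a Locallat.txt file.

    Returns (ranges, findings):
      ranges   -- (first, last) IPv4Address pairs that parsed as valid ranges
      findings -- (line number, message) for every entry that needs review
    """
    ranges, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) != 2:
            findings.append((lineno, "expected an address pair"))
            continue
        try:
            first, last = (ipaddress.IPv4Address(f) for f in fields)
        except ValueError:
            findings.append((lineno, "not a valid IPv4 address"))
            continue
        if looks_like_mask(last):
            findings.append((lineno, "second field is a subnet mask, not an end address"))
            continue
        if last < first:
            findings.append((lineno, "end address precedes start address"))
            continue
        ranges.append((first, last))
        nets = ipaddress.summarize_address_range(first, last)
        if not all(any(n.subnet_of(p) for p in RFC1918) for n in nets):
            findings.append((lineno, "range includes non-private addresses that would bypass ISA Server"))
    return ranges, findings


# Lines 1-2 are the example from the text; lines 3-5 are constructed test cases.
SAMPLE = """\
10.51.0.0 10.51.255.255
10.52.144.103 10.52.144.103
10.53.0.0 255.255.0.0
192.168.10.50 192.168.10.10
203.0.113.0 203.0.113.255
"""

if __name__ == "__main__":
    ok, issues = audit_locallat(SAMPLE)
    print(len(ok), "usable ranges")
    for lineno, message in issues:
        print("line", lineno, "-", message)
```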

Advanced Firewall Client Settings
For most Winsock applications, the default Firewall Client configuration that is downloaded from the ISA Server computer works with no further modification needed. However, in some cases, you will need to add specific client configuration information. For example, if one Firewall client computer requires an application setting that is different from all other clients, you will need to configure the application settings on that particular computer. The configuration is done by making changes to Firewall Client .ini files.

The Firewall Client configuration information is stored in a set of files, which are installed on the Firewall client computer. The following files are used to configure the local Firewall client settings:

1- Common.ini: Specifies the common configuration for all applications
2- Management.ini: Specifies Firewall Client Management configuration settings
3- Application.ini: Specifies application-specific configuration settings

The Common.ini file and the Management.ini file are created for all users logged on to the computer and can also be created manually for each specific user on the computer. By default, the Application.ini file is not created, so you must create it manually. The per-user settings override the general configuration settings. These files are created in different locations, depending on the operating system. For example, on Windows XP computers, the files may be located in one of two places:
1- \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder
2- \Documents and Settings\user_name\Local Settings\Application Data\Microsoft\Firewall Client 2004 folder

The ServerName value is used to configure the ISA Server computer from which the Firewall Client should download its configuration. The Disable option specifies whether the Firewall Client is disabled, with a value of 1 indicating that it is disabled. And the Autodetection value specifies whether the Firewall Client is configured to detect ISA Servers automatically.

By default, the Management.ini file contains only a setting that specifies whether the Firewall Client is enabled to modify the Web Proxy settings on the client. The Application.ini file specifies configuration settings for specific applications and is also the file that is most often modified. For example, you may have several users on your network running a Winsock application, but only a subset of those users should be able to use that application to access Internet resources. One way to enable this is to configure the Application.ini files on the client computers used by the users that should use the application to gain access to Internet resources.

Using Systems Management Server 2003:
Organizations that have deployed SMS 2003 can use the software distribution feature of SMS to distribute the ISA Firewall Client. Software distribution in SMS 2003 provides the ability to deploy Microsoft Windows Installer (.msi) or Package Definition Format (.pdf, .sms) files to any computer that is assigned to the SMS environment. To deploy the ISA Firewall Client using SMS, perform the following procedure:
1. Create a collection that includes any computer that is to receive the ISA Firewall Client software. A collection is a logical group of resources such as computers or users that are gathered together to be managed within SMS. You can set specific requirements such as IP address, hardware configuration, or add clients directly by name to group all resources that are to have the ISA Firewall Client installed.
2. Create an SMS package by importing the ISA Firewall Client Windows Installer file (MS_FWC.msi). The Windows Installer file automatically creates attended and unattended installation program options that can be deployed on a per-system or per-user basis. Programs are also created to uninstall the client if the need arises. The per-system programs are configured to install the client with administrative rights regardless of whether the user is logged on. The per-user programs install the client using the credentials of the logged-on user.
3. Create an SMS advertisement, which specifies the target collection and program to install. To control deployment, you can schedule a time for the program to be advertised to collection members.

How to Configure ISA Server for Firewall Clients:

When you first install the Firewall Client on a client computer, it will connect to the ISA Server computer configured during the installation to complete the Firewall Client configuration. After installation, each time a computer running the Firewall Client restarts, the Firewall Client checks for any new client configuration settings on the server. This means that you can modify the Firewall Client by configuring the settings using ISA Server Management. The settings are then applied to the client when the client connects, or updated every six hours on the client computer if the client computer remains connected.

Firewall Client Configuration Options
Almost all Firewall Client settings can be modified using ISA Server Management.

How to Configure Firewall Client Settings
The Firewall Client settings are configured in two different locations within ISA Server Management. To configure which versions of the Firewall Client are supported and to configure the application settings, use the following procedure:
1. Open ISA Server Management, expand the Configuration folder, and click General.
2. Click Define Firewall Client Settings.
3. On the Connection tab, configure whether or not earlier versions of the Firewall Client software are supported. Because older Firewall clients do not support encryption, supporting them requires that you enable the Allow Non-Encrypted Firewall Client Connections option.
4. On the Application Settings tab, configure the settings for applications that run on Firewall Clients. To configure a specific application, click the application name and then click Edit.

The application settings are used to configure how the Firewall Client will respond when specific Winsock applications are started on the client computer. Some applications require specific port number assignments. For example, the RealPlayer application from RealNetworks requires that the Firewall client use Port 7070 when connecting to RealServer streaming media servers. The streaming media server will respond on any port between 6970 and 7170. The application settings for the RealPlayer application (the application name in the interface is Realplay) configure the LocalBindTcpPorts key with a value of 7070 and the RemoteBindUdpPorts key with a value of 6970-7170. Other applications are disabled in the application settings. For example, the Exchng32 application, the Mapisp32 application, and the Outlook application are all disabled by default, which means that the Firewall Client cannot establish the RPC and MAPI connections required for Microsoft Outlook e-mail clients through the ISA Server computer.

Installing and Configuring the Firewall Client

How to Install Firewall Client:
When you install ISA Server, you have the option of installing the Firewall Client Share on the ISA Server computer. When you choose this option, the Firewall Client installation files are copied to the server in the C:\Program Files\Microsoft ISA Server\Clients folder. The folder is then shared with a share name of Mspclnt. Moreover, the system policy rule that enables access to the shared folder is enabled. To install the Firewall Client manually, users can connect to the share and run the setup program.
To install the Firewall Client software from a shared folder, use the following procedure:

1. Connect to the shared folder that contains the Firewall Client installation files. If you use the shared folder on the ISA Server computer, the default share name is ISA_Server_name/MSPClnt.
2. Right-click MS_FWC.msi and click Install. Alternatively, you can double-click Setup.exe.
3. On the Welcome To The Install Wizard For The Microsoft Firewall Client page, click Next.
4. On the Destination Folder page, review the default installation folder location. Click Change if you want to change the installation folder. Click Next to continue.
5. On the ISA Server Computer Select screen, you can select how the Firewall Client will locate the ISA Server. To configure the server name or IP Address manually, select Connect To This ISA Server and type the ISA Server name or the IP address. To enable Automatic Discovery of the ISA Server computer, select Automatically Detect The Appropriate ISA Server Computer. Click Next.
6. On the Ready to Install the Program page, click Install.
7. When the installation wizard finishes, click Finish.

After the installation is complete, the Firewall Client application is enabled. The Microsoft Firewall Client Management icon is added to the system tray. To modify the Firewall Client configuration on the client, right-click the icon and click Configure. On the General tab, you can enable or disable the Firewall Client and configure it to detect the ISA Server computer automatically or configure the ISA Server computer manually. On the Web Browser tab, you can enable or disable automatic configuration of the Web browser.

How to Automate Firewall Client Installation:
If you deploy the Firewall Client to a large number of clients, you may choose to automate the Firewall Client installation. You have several options for automating the installation of the Firewall Client. You can perform an unattended installation, use Group Policy in Active Directory, or use Microsoft Systems Management Server (SMS) to automate the installation.

Performing an Unattended Installation of the Firewall Client
One option for automating the deployment of the Firewall Client is to perform an unattended installation. To perform an unattended installation, you must ensure that the Firewall Client installation files are accessible from the client computer and then run the setup program from a command prompt with the appropriate parameters.
To complete an unattended installation of Firewall Client when running the setup program from the command prompt, use the following syntax:
Path\Setup.exe /v" [SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}] /qn"

Using Active Directory Group Policy to Distribute the Firewall Client
You can also use the Software Installation option in Active Directory Group Policy to automate the installation of the Firewall Client. To distribute the Firewall Client using this option, perform the following procedure:
1. Copy the Firewall Client installation files to a network share. You can use the Firewall Installation share on the ISA Server computer or on a file server. If you are installing the Firewall Client on a large number of client computers, use a separate file server.
2. Determine whether you wish to distribute the client software to users or computers. If you distribute the software to users, you can choose whether the software will be installed the next time the user logs on or whether the user can initiate the installation from Add/Remove Programs. If you distribute the software to computers, the software will be installed the next time the computer restarts.
3. Create a new software distribution package. Configure the software distribution package to use the installation files on the shared folder. You can also configure the distribution options for the software package.
4. When users log on or the client computers reboot, the Firewall Client is installed. The Firewall Client will then automatically discover the ISA Server computer and download the configuration information.

Installing and Managing ISA Server Clients

What Is a Web Proxy Client?
A Web Proxy client is a client computer that has an HTTP 1.1–compliant Web browser application and is configured to use the ISA Server computer as a Web Proxy server. Virtually all current Web browsers comply with this HTTP standard, so any client computer can be configured as a Web Proxy client, including computers which are SecureNAT or Firewall clients.

When a Web Proxy client tries to access resources on the Internet, the requests are directed to the Firewall service on the ISA Server computer. If the access rule is configured to require authentication, the ISA Server computer requests authentication from the Web Proxy client. The Firewall service then determines whether the user is allowed to access the Internet and checks the access rules to determine whether the request is allowed. For example, you can configure access rules to block access to specified sites, or to block requests with certain keywords in the client request. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.

One of the advantages of using Web Proxy clients is that most client computers already run compatible Web browsers, so Web Proxy clients require no special software to be installed. However, you must configure the Web browser to use the ISA Server computer as a proxy server. In most cases, this is a simple configuration. If you install Firewall Client software, you can use it to configure the Web browser to use the ISA Server computer as a proxy server. After you have completed the initial configuration of the Web Proxy client, you can also automate the configuration of the Web Proxy client using the ISA Server Management Console.
Using Web Proxy clients provides several advantages:
■ As mentioned earlier, almost all client computers already run compatible Web browsers, which means you do not need to install any software on the client computers. All you need to do is configure the software, and this can be automated.
■ Web Proxy clients support authentication, so you can restrict access to Internet resources based on users and groups.
■ Client computers can be running any operating system that supports compatible Web browsers.
■ All client requests and responses are passed through the Web Proxy filter on ISA Server. This means that you can use application layer filtering to filter all traffic from the Web Proxy clients to the Internet, and from the Internet to the Web Proxy clients.

Guidelines for Choosing an ISA Server Client
ISA Server clients are used to provide access to Internet resources. This means that one of the choices that you must make as you deploy ISA Server 2004 is which ISA Server client you will deploy.

Installing and Managing ISA Server Clients

What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.

When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.

Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.

2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.

3- SecureNAT can use the Web Proxy service for Web access filtering and caching. The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.

SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups. SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be authenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.

2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.

Installing and Managing ISA Server Clients

Lesson 1: Choosing an ISA Server Client :

ISA Server Client Options :

An ISA Server client is a client computer that connects to resources on another network by going through the ISA Server computer. In most cases, ISA Server clients are used to provide access to the Internet for users on the Internal network. The type of client you use on your network depends primarily on your security requirements and on whether you want to deploy Firewall Client software to each client computer on your network.

ISA Server supports three types of clients:
1- Firewall clients Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

2- SecureNAT clients SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the default gateway on the client computers must be configured.

3- Web Proxy clients Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy–compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA Server computer.

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext Transfer Protocol Secure (HTTPS) requests are sent to the Web Proxy listener on ISA Server.

What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application must be installed on each client computer.

Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers. Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this case, the socket includes the IP address of the destination computer, the protocol used (TCP), and the port number on which the server is listening (Port 80). All applications use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.

The Firewall Client application changes how a client computer connects to resources on the Internet using Winsock applications. After you install the Firewall Client, when the client computer initiates a Winsock application, the Firewall Client intercepts the application calls. The Firewall Client checks the destination computer name or IP address and determines whether to route the request to the ISA Server computer or to a server on the local network. If the destination computer is not local, the request is sent to the Firewall service on the ISA Server computer. The Firewall service accepts the request and authenticates the user. The Firewall service also checks whether any filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server responds to the ISA Server computer, which then replies to the client computer.

Maintaining ISA Server 2004

How to Implement Remote Administration :

In most organizations, you will not perform ISA Server administration directly from the ISA Server computer console. The ISA Server computer should be located in a physically secure server room and you should administer the server from your client computer. If your organization has multiple locations with ISA Servers installed in each location, you may need to manage all the servers from your desktop. Remote administration enables you to administer ISA Server in all these cases.

You have two options for remotely administering ISA Server. You can use a Terminal Services or Remote Desktop connection to administer the server, or you can install the ISA Server Management Console on another computer and use it to manage the ISA Server computer.

If you have installed ISA Server on a server running Windows 2000, you can use Terminal Services to manage the ISA Server computer. If ISA Server is installed on a computer running Windows Server 2003, you can use Remote Desktop in the same way. When you use Terminal Services or Remote Desktop to administer the ISA Server computer, you can view the desktop of the ISA Server computer as if you were in front of the monitor attached to the ISA Server computer. The advantage of using Terminal Services or Remote Desktop to administer ISA Server is that you can manage virtually all the settings on the server, not just ISA Server.

To enable remote administration of ISA Server on computers running Windows Server 2003, you must be a member of the Administrators group or Remote Desktop Users group on the ISA Server computer, or be granted permission to use Remote Desktop to connect to the server. To enable remote administration of ISA Server running on a Windows 2000 computer, you must install Terminal Services on the server in either Application or Remote Administration mode. Then the user properties must be configured to allow remote connections using Terminal Services.

To run ISA Server Management, you need the following:
1- A personal computer with a 300-megahertz (MHz) or higher, Pentium II–compatible CPU
2- Windows Server 2003, Windows 2000 Server or Windows 2000 Professional, or Windows XP
3- 256 megabytes (MB) of memory
4- 19 MB of available hard-disk space.

When you install ISA Server, the default system policy allows remote administration from all members of a computer set named Remote Management Computers. This computer set is used to assign remote access permissions in both the MMC system policy configuration group and the Terminal Services configuration group. By default, no computers are in this group, so no computers can connect to the ISA Server computer for remote management. To enable remote management on the ISA Server computer, you must configure remote administration by editing the appropriate MMC or Terminal Server configuration group in the System Policy editor.

Key Terms
administrative role Used to assign permissions on ISA Server. Each administrative role has a predefined set of permissions that allow the user to perform specific tasks on the ISA Server computer.

firewall access rule A configuration object on ISA Server that defines what types of network traffic will be allowed on the ISA Server computer. By default, all network traffic is blocked unless a firewall access rule allows the specific traffic.

Remote Management Computers A computer set that is used to provide remote management access to ISA Server. This computer set should include all the IP addresses of the computers that are used to perform remote administration on the ISA Server computer.

system policy A set of firewall access rules that controls how the ISA Server computer communicates with computers on the attached networks.
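
The Remote Management Computers set described above can be checked against the list of administrator workstations before it is entered in the System Policy editor. The following is an added example, not part of the original text or of ISA Server: the entry formats (single address, "first-last" range, CIDR subnet), the sample addresses, and the max_hosts threshold are assumptions made for this illustration.

```python
import ipaddress


def expand_entry(entry):
    """Turn one computer-set entry into a list of ip_network objects.

    Accepted forms (this example's own notation):
      '10.0.0.5'              single computer
      '10.0.0.10-10.0.0.12'   address range
      '10.0.1.0/24'           subnet
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"range is reversed: {entry!r}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=True)]


def audit_computer_set(entries, admin_hosts, max_hosts=16):
    """Compare a computer set with the hosts that really perform administration.

    Returns a dict with:
      blocked_admins   - admin hosts the set does not cover (they cannot connect)
      excess_addresses - addresses allowed by the set that are not admin hosts
      broad_entries    - entries covering more than max_hosts addresses
    """
    per_entry = [(e, expand_entry(e)) for e in entries]
    # Merge overlapping entries so that no address is counted twice.
    merged = list(ipaddress.collapse_addresses(
        net for _, nets in per_entry for net in nets))
    admins = {ipaddress.ip_address(a) for a in admin_hosts}
    covered = {a for a in admins if any(a in net for net in merged)}
    return {
        "blocked_admins": sorted(str(a) for a in admins - covered),
        "excess_addresses": sum(n.num_addresses for n in merged) - len(covered),
        "broad_entries": [e for e, nets in per_entry
                          if sum(n.num_addresses for n in nets) > max_hosts],
    }


# Constructed sample data: a proposed computer set and the real admin workstations.
SAMPLE_SET = ["10.0.0.5", "10.0.0.10-10.0.0.12", "10.0.1.0/24"]
SAMPLE_ADMINS = ["10.0.0.5", "10.0.0.11", "10.0.2.7"]

if __name__ == "__main__":
    print("default (empty) set:", audit_computer_set([], SAMPLE_ADMINS))
    print("proposed set:       ", audit_computer_set(SAMPLE_SET, SAMPLE_ADMINS))
```

An empty set reports every administrator workstation as blocked, which matches the default behavior described above; a non-zero excess_addresses value means the set grants remote management access to more addresses than the workstations that need it.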

Maintaining ISA Server 2004

Importing the ISA Server Configuration :
When you import a previously exported file, all properties and settings defined in the file are imported, overwriting the current configuration on the ISA Server computer. However, if you export only a specific component, such as a specific firewall rule, the file import overwrites only that particular rule.

To import the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
3. On the Tasks tab, click the import task. The exact name for the task will vary, depending on the type of object that you selected.
4. Select the exported .xml file and click Import.
5. Click Apply to apply the changes and click OK when the changes have been applied.

How to Back Up and Restore the ISA Server Configuration :

ISA Server 2004 also includes backup and restore features that enable you to save and restore the ISA Server configuration information. The backup procedure also stores the configuration information in an .xml file.

The primary use of the backup and restore option in ISA Server is for disaster recovery. You should regularly back up the configuration on the ISA Server computer so that you can restore the computer with the same settings in case of a computer failure. The backup functionality saves the appropriate information to ensure that an identical configuration can be restored.


Backing up an ISA Server configuration backs up all configuration options on the server. This includes firewall policy rules, rule elements, alert configuration, cache configuration, system policy and VPN configuration. One of the differences between backing up the server configuration and exporting the configuration is that you can only back up the entire ISA Server configuration, not individual components or groups of components.

The restore process reconstructs the configuration information that was backed up. By restoring a backup, you can rebuild the ISA Server configuration or restore it after a configuration error.

To back up and restore the ISA Server configuration, complete the following procedure:

1. Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
2. On the Tasks tab, click Backup This ISA Server Configuration.
3. Enter a file name for the backup file and click Backup.
4. You must provide a password for the ISA Server backup.
5. To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
6. Click Apply to apply the changes and click OK when the changes have been applied.

Maintaining ISA Server 2004

How to Export and Import the ISA Server Configuration :

Among the new features in ISA Server 2004 is the option to export and import the ISA Server configuration. With this option, you can save and restore the ISA Server configuration information. When you use the ISA Server export feature, the configuration parameters are exported and stored in an .xml file. The import and export features are useful in several scenarios:

1- Cloning a server You can export a configuration from one ISA Server computer and then import the settings on another computer, thereby easily duplicating a server configuration. For example, after configuring an ISA Server computer at one branch office, you can export the configuration to an .xml file. Then you can import the file on a computer running ISA Server at another branch office. The two ISA Server computers will have a duplicate configuration.

2- Saving a partial configuration You can export and import any part of the ISA Server configuration. For example, you can export a single rule, an entire policy, or an entire configuration. This is helpful when you want to copy all the firewall policy rules, but not the monitoring configuration, from one ISA Server to another. This is also useful when you want to modify a specific rule. You can export that rule and have the exported configuration available in case you need to roll back the rule modification.

3- Sending a configuration for troubleshooting You can export your configuration information to a file and send it to support professionals for analysis and troubleshooting.

4- Rolling back a configuration change As a best practice, before modifying any ISA Server settings you should export the specific component that you are modifying. If your modification is not successful, you can easily restore the previous configuration by importing the policy file.

Exporting the ISA Server Configuration
You can export the entire ISA Server configuration, or just parts of it, depending on your specific needs. You can export the following objects:
1- The entire ISA Server configuration
2- All the connectivity verifiers, or one selected connectivity verifier
3- All the networks, or one selected network
4- All the network sets, or one selected network set
5- All the network rules, or one selected network rule
6- All the Web chaining rules, or one selected Web chaining rule
7- Cache configuration
8- All the content-download jobs, or one or more selected content-download jobs
9- The entire firewall policy, or one selected rule.

When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can choose to export user permission settings and confidential information such as user passwords. Confidential information included in the exported file is encrypted.

To export the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to export. Remember that if you select a container object (such as the Firewall Policy), all the objects in the container will be exported.
3. On the Tasks tab, click the Export task. The exact name for the task will vary depending on the type of object that you select.
4. Enter a file name for the exported .xml file and click Export.

How to Secure the ISA Server Configuration

After securing the computer running ISA Server, the next step is to ensure that your ISA Server configuration is as secure as possible. After installation, ISA Server, Standard Edition, starts with a default configuration that provides a high level of security. As an ISA Server administrator, you must understand what the default configuration is and how you may need to modify it to provide additional security or functionality.

The ISA Server Default Configuration
After a standard installation, ISA Server starts with a default configuration. This configuration provides a high level of security because it does not allow access to any Internet or internal resources through the ISA Server computer. However, the default configuration also includes several other settings.
The default configuration of a newly installed ISA Server means that traffic can occur between the ISA Server computer and other networks. For example, Lightweight Directory Access Protocol (LDAP) traffic is permitted from the ISA Server computer to the internal network. This enables the ISA Server computer to operate as a member of an Active Directory domain. However, by default, no traffic is permitted through the ISA Server computer from one network to another.

Configuring System Policies
When ISA Server 2004 is installed, a default system policy is configured on the server. This system policy includes a variety of access rules that provide an initial configuration for ISA Server 2004. Depending on your organization’s requirements, you may need to modify the system policy configuration, either by disabling some of the rules or enabling and modifying the rules.

System policy rules are used to define what traffic is allowed between the ISA Server computer and the connected networks. All the system policies define access between the Local Network, which is the ISA Server computer itself, and the connected networks rather than defining access between networks.

System Policy Settings A default system policy is applied when you install ISA Server 2004. This policy enables the functionality needed to manage the ISA Server computer and provide network connectivity.

Modifying System Policy After installing ISA Server, you should analyze the default system policy configuration and modify the policy to meet your organization’s requirements. The default system policy enables more options than are required for most organizations. If your organization does not require a specific type of functionality enabled by a system policy rule, then disable the rule. For example, the default system policy enables both RADIUS and Active Directory authentication, and most organizations will use one or the other. If you are using only one type of authentication, then disable the rule pertaining to the other.

Modify the default system policy settings to match your organization’s requirements. First, identify the functionality that you require on the ISA Server computer. Then review the system policy settings and disable all the system policy rules that you do not require. For example, if no users will ever access ISA Server using Remote Desktop, then disable the Terminal Server system policy that enables Remote Desktop connections.

How to Configure ISA Server Administrative Roles
Another component to securing the ISA Server computer is to configure the ISA Server administrative permissions. As a general rule, user accounts should always be configured with the minimum privileges necessary to perform a specific task. You can use role-based administration to organize your ISA Server administrators into separate, defined roles, each with its own set of privileges and corresponding tasks. The roles assigned in ISA Server are based on Windows users and groups. If the ISA Server computer is a member of a domain, these users and groups can be either local accounts or domain accounts. If the ISA Server computer is not a member of a domain, you must assign local users and groups to the roles.

ISA Server includes three administrative roles that are defined in advance:
1- ISA Server Basic Monitoring Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.
2- ISA Server Extended Monitoring Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert-definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.
3- ISA Server Full Administrator Users and groups assigned this role can perform any ISA Server task, including rule configuration, application of network templates, and monitoring.

Securing and Maintaining ISA Server 2004

ISA Server and Security Templates
Security templates are the ideal means to configure the security settings on an ISA Server computer. By applying these templates, you can ensure a consistently high level of security on the ISA Server computer. To apply the security templates to the ISA Server computer, perform the following steps:

1. Using the Security Templates MMC snap-in, analyze the security templates included with the Windows Server 2003 Security Guide and determine which template most closely meets your organization’s requirements. Modify those parts of the template that do not match your requirements.
2. Apply the security templates to your ISA Server computer or computers. If your ISA Server computers are members of an Active Directory domain, create an OU that contains only the ISA Server computers and then create a Group Policy Object (GPO) to apply the security template to the servers. If your ISA Server computer is not a member of the domain, use the Security Analysis and Configuration tool to apply the security policy to the ISA Server computer.

Applying Security Updates :

Another critical component in keeping the computer running ISA Server secure is to ensure that all security updates and patches are applied. Security updates are product updates that eliminate known security vulnerabilities. To keep ISA Server secure, you must ensure that the security updates for both ISA Server and the operating system are current by installing the latest fixes. If the operating system is vulnerable, ISA Server is also vulnerable. When a security update becomes available, quickly evaluate your system to determine if the update is relevant to your current situation.

Monitor and install security patches for multiple components for the computer running ISA Server. These include the latest updates for the operating system, for ISA Server, and for other components installed by ISA Server, including Microsoft SQL Server 2000 Desktop Engine (MSDE) and Office Web Components 2002 (OWC).

Securing and Maintaining ISA Server 2004

Managing System Services on the ISA Server Computer :

A second step in securing the computer running ISA Server is to disable all services on the computer that are not required. Several core services are required for ISA Server to run properly, and additional services can be enabled depending on the functionality required. All other services should be disabled.

To manage system services on the computer running ISA Server, follow this procedure:
1. Open the Services console from the Administrative Tools folder.
2. Right-click the service that you are configuring and click Properties.
3. On the service Properties page, on the General tab, select the Startup type. You can also start, stop, pause, or resume the service.


Using Security Templates to Manage Services :
You can manage the system services manually on the computer running ISA Server 2004. However, if you have multiple computers running ISA Server, you should automate the process of managing the services. One option for managing the system services is to use security templates. Security templates are preconfigured sets of security settings that can be applied to users and computers. Security templates can be used to configure the following:

1- Audit Policy settings These settings specify the security events that are recorded in the Event Log. You can monitor security-related activity such as who accesses or attempts to access an object, when a user logs on or logs off a computer, or when changes are made to an Audit Policy setting.
2- User Rights Assignment These settings specify which users or groups have logon rights or privileges on the member servers in the domain.
3- Security Options These settings are used to enable or disable security settings for servers, such as digital signing of data, administrator and guest account names, driver installation behavior, and logon prompts.
4- Event Log settings These settings specify the size of each event log and actions to take when each event log becomes full.
5- System services These settings specify the startup behavior and permissions for each service on the server.

Implementing Security Templates
If your computer is a member of an Active Directory directory service domain, you can apply security templates using Group Policy at a domain or organizational unit (OU) level. If your computer is not a member of a domain, you can use the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in or the Secedit command-line tool.
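
To check that the System services settings in a security template are actually in effect on a server, the template's [Service General Setting] section can be compared with an inventory of the server's services. The following is an added example, not code from the original text or from Microsoft: the template content, the choice of services, and the inventory are constructed sample data, and the inventory format (name, start mode, state) is this example's own.

```python
import csv

# Startup codes used in the [Service General Setting] section of a template.
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample template (not taken from the Windows Server 2003 Security Guide).
# Which services to keep or disable here is hypothetical, chosen for illustration.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
; service name, startup code, security descriptor (left empty in this sample)
"fwsrv",2,""
"isactrl",2,""
"Spooler",4,""
"TlntSvr",4,""
Messenger,4,""
[Event Audit]
AuditLogonEvents = 3
'''

# Constructed inventory: (service name, configured start mode, current state).
SAMPLE_INVENTORY = [
    ("fwsrv", "Automatic", "Running"),
    ("isactrl", "Automatic", "Running"),
    ("Spooler", "Automatic", "Running"),    # template requires Disabled
    ("TlntSvr", "Disabled", "Stopped"),
    ("Messenger", "Disabled", "Running"),   # disabled, but not yet stopped
    ("W3SVC", "Automatic", "Running"),      # not listed in the template
]


def parse_service_settings(text):
    """Return {service name in lower case: start mode} from the template text."""
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                         # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "service general setting"
            continue
        if not in_section:
            continue
        # Fields may or may not be quoted; csv handles both forms.
        fields = next(csv.reader([line], skipinitialspace=True))
        if len(fields) < 2 or not fields[1].strip().isdigit():
            raise ValueError(f"malformed service line: {line!r}")
        code = int(fields[1])
        if code not in STARTUP:
            raise ValueError(f"unknown startup code {code} in: {line!r}")
        settings[fields[0].strip().lower()] = STARTUP[code]
    return settings


def audit_services(template_text, inventory):
    """Return sorted (service, finding) tuples where the server deviates."""
    wanted = parse_service_settings(template_text)
    findings = []
    for name, start_mode, state in inventory:
        required = wanted.get(name.lower())
        if required is None:
            # Services the template does not manage are reported unless disabled.
            if start_mode != "Disabled":
                findings.append(
                    (name, f"not covered by template, start mode {start_mode}"))
        elif start_mode != required:
            findings.append(
                (name, f"start mode {start_mode}, template requires {required}"))
        elif required == "Disabled" and state == "Running":
            findings.append((name, "disabled in template but still running"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit_services(SAMPLE_TEMPLATE, SAMPLE_INVENTORY):
        print(f"{service}: {finding}")
```

A service reported as not covered by the template is a candidate for review: either it is required and should be listed with its intended start mode, or it should be disabled.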

Microsoft has released the Windows Server 2003 Security Guide, which includes several templates that you can use to secure servers on your network. The templates are grouped into three categories:
1- Enterprise Client templates are designed for most networking environments that contain only Windows 2000 or later computers.
2- Legacy Client templates are designed for networking environments that contain older computers.
3- High Security templates are designed to be deployed only in networks that require very high security.

Securing and Maintaining ISA Server 2004

Lesson 1: Securing ISA Server 2004

Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.

How to Harden the Server :

ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.

How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server. By default, network interfaces in both Windows 2000 Server and Windows Server 2003 are configured to facilitate connecting other computers on the network to the server. On an ISA Server computer, ensure that clients can connect to the network interfaces only to access specific resources. Although both the interface connected to the Internet and the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.

Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:

1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client, needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.
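
One way to verify steps 2 to 4 of this checklist on a running server, as an added example that is not part of the original text. It assumes Windows PowerShell (Get-WmiObject) is available on the ISA Server computer; the function name and the placeholder address 203.0.113.10 are assumptions, and the two bindings from step 1 are not checked here.

```powershell
# Added example: audit the external adapter against steps 2-4 above.
# Assumption: the external interface is identified by its IP address.
# 203.0.113.10 is a documentation-range placeholder, not a value from this page.
param(
    [string]$ExternalIp = '203.0.113.10'
)

function Get-ExternalInterfaceFindings {
    param($Adapter)   # one Win32_NetworkAdapterConfiguration instance

    # Step 2. TcpipNetbiosOptions: 0 = take the setting from DHCP,
    # 1 = enabled, 2 = disabled. Only 2 satisfies the checklist.
    if ($Adapter.TcpipNetbiosOptions -ne 2) {
        "NetBIOS over TCP/IP is not disabled (TcpipNetbiosOptions = $($Adapter.TcpipNetbiosOptions))"
    }

    # Step 3. LMHOSTS lookup is one switch for the whole computer, so WMI
    # reports the same value on every adapter.
    if ($Adapter.WINSEnableLMHostsLookup) {
        'LMHOSTS lookup is enabled (computer-wide setting)'
    }

    # Step 4. Two check boxes on the DNS tab control dynamic registration.
    if ($Adapter.FullDNSRegistrationEnabled) {
        "'Register this connection''s addresses in DNS' is enabled"
    }
    if ($Adapter.DomainDNSRegistrationEnabled) {
        "'Use this connection''s DNS suffix in DNS registration' is enabled"
    }
}

# Select the IP-enabled adapter that carries the external address.
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $ExternalIp })

if ($adapters.Count -ne 1) {
    Write-Error "Expected exactly one IP-enabled adapter with address $ExternalIp, found $($adapters.Count)."
    exit 2
}

$adapter  = $adapters[0]
$findings = @(Get-ExternalInterfaceFindings $adapter)

Write-Host "Adapter: $($adapter.Description) [$ExternalIp]"
if ($findings.Count -eq 0) {
    Write-Host 'PASS: NetBIOS over TCP/IP, LMHOSTS lookup and DNS registration are all disabled.'
    exit 0
}
$findings | ForEach-Object { Write-Host "FAIL: $_" }
exit 1
```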

Securing the Internal Network Interface
In addition to securing the external interface, you should secure the internal interface on the computer running ISA Server. However, in many cases, you may require more functionality on the internal interface, so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to access the Firewall Client software. If the client installation files are stored on another computer, you can disable File and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if you want to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or NetBIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name resolution enabled on the internal network interface so that the ISA Server computer’s IP address is registered in DNS. If you do not have automatic updates enabled on the DNS zone, disable this option and manually configure the host record in DNS.

MCP 70-350 : Installing ISA Server 2004

Dynamic Host Configuration Protocol Requirements :

DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management. Even on relatively small networks of 250 or fewer computers, you will benefit from reduced administrative effort by configuring a DHCP server on your network. The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient. For example, if you need to reconfigure the default gateway for all your client computers to point to the new ISA Server computer or to a new DNS server for Internet name resolution, you can just change the scope setting on the DHCP server and all the clients will be reconfigured automatically.

DHCP is also used to support VPN remote access connections to ISA Server. By default, ISA Server will use DHCP to assign IP addresses to all VPN clients. When you enable remote VPN client access on ISA Server, it will obtain a set of IP addresses from the DHCP server and assign the IP address to the VPN clients. By default, ISA Server 2004 will also assign DNS or WINS server addresses based on the DHCP scope information.

MCP 70-350 : Installing ISA Server 2004

Network Infrastructure Requirements :

For your ISA Server implementation to succeed, you must ensure that the network infrastructure supports the ISA Server implementation. To support your ISA Server infrastructure, the following networking services must be installed and configured on your network:
- DNS
- Domain controllers
- DHCP
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.

Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses. If you publish internal servers to the Internet, users on the Internet must be able to resolve the DNS names for the published servers to an IP address. To enable both of these scenarios, a DNS infrastructure must be in place to provide name-resolution services.

To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names. At a high level, you have two options for enabling name resolution for Internet resources: You can use an internal DNS server that can resolve both internal and Internet DNS addresses, or you can use an external DNS server to resolve IP addresses on the Internet.

To Use an Internal DNS Server
Many organizations have deployed DNS servers on their internal networks. If you have deployed Active Directory in Microsoft Windows 2000 Server or in Windows Server 2003, DNS is required for domain replication and user authentication, so all client computers running Windows 2000 or later must be able to resolve the DNS names for domain controllers. In this environment, the internal DNS server is configured with DNS zones for your Active Directory domains.

To allow internal users to access Internet resources, the internal DNS servers must also be configured to resolve Internet DNS names. One way to enable this is to configure the DNS servers to forward all requests for Internet name resolution to DNS servers on the Internet. When you configure a DNS server to use a forwarder, it sends to the forwarder requests for domains for which it is not authoritative.

To Use an External DNS Server
Some organizations have not deployed internal DNS servers or have not configured the internal DNS servers to resolve Internet DNS addresses. In this situation, all Internet name resolution must be performed by DNS servers on the Internet. You have two options to enable this. If you use Web Proxy clients and Firewall clients, ISA Server can function as a DNS proxy server to resolve Internet DNS requests on the client’s behalf.

Domain Controller Requirements :
If you want to restrict access to Internet resources based on user accounts, or if you want to require authentication before users can access published servers, ISA Server must be able to access a directory of user accounts to determine whether the user should have access. ISA Server provides several options for authenticating the users, including Remote Authentication Dial-In User Service (RADIUS), RSA SecurID, or the local user account database on the computer running ISA Server. However, the easiest option to implement for most organizations is to use a domain directory service to authenticate the users. Most organizations already have a domain infrastructure that includes all the user accounts; in such cases, ISA Server can use this directory service to authenticate user accounts.

You can use Windows 2000, Windows Server 2003, or Windows NT 4 domains to perform this service. To use the domain for authentication, the server running ISA Server must be a member of the domain. In addition, ISA Server must be able to communicate with the domain controllers on the internal network. If you use Active Directory in Windows Server 2003 or Windows 2000, you must configure the internal network interface on the ISA Server computer with the IP address of a DNS server that can resolve the IP addresses for the local domain controllers.

MCP 70-350 : Installing ISA Server 2004

Lesson 1: Planning an ISA Server Deployment

The ISA Server Deployment Planning Process :

Most organizations install ISA Server to address security requirements. ISA Server is a firewall that is likely to be among the critical components to ensuring that your organization’s network is secure. In addition, the ISA Server computer is likely to be the primary connection point for all internal network traffic to access the Internet. This means that when you design your ISA Server deployment, you must consider a wide variety of security and functional requirements. The following is an overview of the process of planning an ISA Server deployment.

1. Understand the current network infrastructure. The first step in planning an ISA Server deployment is to understand the current networking environment. When you start planning, collect network diagrams that provide details on the network infrastructure. These diagrams should include the Internet Protocol (IP) networks, router configurations, and client and server networking configuration.
Collect information on the current configuration of network services. For example, all internal clients must be able to resolve Domain Name System (DNS) names on the Internet to connect to Internet resources. You need to understand how clients do this now. Also collect information about other network services such as Dynamic Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS) if you have Microsoft Windows NT or Microsoft Windows 2000 clients.
Collect information about the current domain structure. ISA Server can be integrated with Active Directory directory service to enable authentication.

2. Review company security policies. Every organization should have security policies. These policies usually include general security requirements such as Internet or e-mail usage policies. The policies can also be very specific and define what protocols are not allowed through the firewall, what Web sites users can access, and what types of information can be sent from the internal network to the Internet. For example, most organizations have policies defining what types of customer information can be sent in an e-mail.

3. Plan the required network infrastructure. For your ISA Server installation to meet the company requirements, you must plan for some specific network infrastructure components. For example, if the ISA Server computer is an Internet-edge firewall and is the only access point to the Internet, you must ensure that all client computers can connect to the ISA Server computer. If you have a single network, this solution can be as simple as configuring the default gateway on each client computer to use the internal network interface on the server running ISA Server. If you have multiple locations within your organization, or if you deploy multiple ISA Servers, this solution can be more complex.

Your ISA Server implementation may also depend on additional network infrastructure components such as DNS, DHCP, and Certificate Services. These components must be taken into account when planning an ISA Server installation.

4. Plan for branch office installations. If your organization has more than one location, you must also plan for how the branch office networks will be integrated with the main office. In some cases, you may have existing wide area network (WAN) connections between the offices with routing already in place. In other cases, you may plan to replace the WAN link with a site-to-site virtual private network (VPN) or plan to deploy an ISA Server in each branch office.

5. Plan for availability and fault tolerance. Each organization will have different requirements regarding availability and fault tolerance. In some organizations (for example, organizations that are publishing e-commerce sites that are doing several million dollars of business per day), a few minutes of downtime or even slow response times can cost large amounts of money. Other organizations may be using ISA Server just to provide Internet access for internal users. In this case, downtime may not be as critical. ISA Server can be configured to enable fault tolerance, so you must understand your organization’s requirements to get the right level of availability.

6. Plan for access to the Internet. Most companies that deploy ISA Server use it as a proxy server for users to access the Internet. Some organizations enable full access to the Internet so that all users can use all protocols to access any Internet resource. Other organizations limit access based on protocols or applications, and users or groups, and they also limit users’ access to Web sites.
Once you have gathered your organization’s requirements for granting Internet access, you can plan the ISA Server access rule configuration to meet the organization’s Internet access and caching requirements.

7. Plan the ISA Server client implementation and deployment. An essential part of deploying an ISA Server infrastructure is to plan for ISA Server client configuration and deployment. ISA Server supports three clients: SecureNAT clients, Web Proxy clients, and Firewall clients. The use of each client has advantages and disadvantages. As part of your ISA Server deployment, you must know why you use each client and how to configure each client.

8. Plan for server publishing. Most organizations also publish some internal resources to the Internet. Because this allows network traffic from the Internet to your internal network, it is essential that the connection between the internal servers is as secure as possible.

9. Plan for VPN deployment. ISA Server can operate as a VPN remote access server for external clients and as a VPN gateway for site-to-site VPNs. If you plan to deploy ISA Server in either configuration, include this in your planning. An extra level of planning is required if you choose to implement VPN network quarantine. With VPN network quarantine, you can restrict access to the internal network until the VPN clients pass a security configuration check. To perform the security configuration check, you must run a script or application on the client computer. The script can check for virtually any setting on the computer. In your planning, therefore, you must decide which security settings you will check on the client computer. This can be complicated. For example, you may decide that all clients that connect to your network must have an antivirus application installed, and that the virus detection files must be up to date. However, if you allow users to use any antivirus software, the script must check for all acceptable antivirus applications. The script that checks the security configuration on the client computer can become very complicated, so you must plan to have very competent scripting help available.

MCP 70-350 : Introduction to ISA Server 2004

How ISA Server Works as a Branch Office Firewall :

A third deployment scenario for ISA Server is as a branch office firewall. In this scenario, ISA Server can be used to secure the branch office network from external threats as well as connect the branch office networks to the main office using site-to-site VPN connections.

For organizations with multiple locations, ISA Server can function as a branch office firewall in conjunction with additional ISA Servers at other locations. If a branch office has a direct connection to the Internet, ISA Server may operate as an Internet-edge firewall for the branch, securing the branch office network and also publishing server resources to the Internet. If the branch office has only a dedicated WAN connection to the other offices, ISA Server can be used to publish servers in the branch office such as Microsoft SharePoint Portal Server or a local Exchange Server.

One of the benefits of using ISA Server as a branch office firewall is that it can operate as a VPN gateway that connects the branch office network to the main office network using a site-to-site VPN connection. Site-to-site VPN provides a cost-effective and secure method of connecting offices. In this scenario, the following occurs:
1- ISA Server can be used to create a VPN from a branch office to other office locations. The VPN gateway at other sites can be either additional computers running ISA Server or third-party VPN gateways. ISA Server supports the use of three tunneling protocols for creating the VPN: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
2- ISA Server can perform stateful inspection and application-layer filtering of the VPN traffic between the organization’s locations. This can be used to limit the remote networks that can access the local network and to ensure that only approved network traffic can access it.

How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server :

In a small or medium organization, a single ISA Server computer may provide all Internet access functionality. The ISA Server computer is used to create a secure boundary around the internal network, and to provide Web proxy and caching services for internal users.

Small or medium-size organizations often have significantly different Internet access requirements than larger organizations. Small organizations may have dial-up or other slow connections to the Internet. Almost all organizations provide at least some level of Internet access to employees, but these offices may need to limit access because of the slow connections. Small organizations frequently do not require any services published to the Internet because their ISP may be hosting both their organization’s Web site and their e-mail servers. Other organizations may have much more complex requirements, including requirements for SMTP, FTP, and HTTP server publishing as well as VPN access. Another unique situation faced by many small or medium-size organizations is that a single network administrator performs all network administration tasks. This means that the administrator is usually not a firewall or Internet security expert. ISA Server is flexible enough to meet almost any small or medium organization's requirements:

1- Configuring caching on ISA Server computers means that Web pages are cached on the ISA Server hard disk. This can reduce the use of slow Internet connections or reduce the cost of a connection where cost is based on bandwidth usage.
2- ISA Server supports the option of using dial-up connections to access the Internet or other networks. You can configure ISA Server to dial the connection automatically when a request is made for access to Internet resources.
3- Installation of ISA Server is secure out of the box. By default, ISA Server 2004 will not accept any connections from the Internet after installation. This means that if the organization does not require any resources to be accessible from the Internet, the administrator does not need to configure ISA Server to block all incoming traffic. All the administrator has to do in this scenario is configure the server to enable Internet access for internal users and the configuration is complete.
4- ISA Server provides network templates and server publishing wizards that can be used to configure most required settings. Configuring ISA Server to provide access to Internet resources can be as simple as applying a network template and using the wizard to configure the security settings. ISA Server provides several server publishing wizards that make it easy to securely publish internal servers to the Internet.

How ISA Server Works as a Proxy- and Caching-Only Server :

A final deployment scenario for ISA Server 2004 is as a proxy server and caching server only. In this scenario, ISA Server is not used to provide a secure boundary between the Internet and the internal network, but only to provide Web proxy and caching services.

In most cases, computers running ISA Server are deployed with multiple network adapters to take advantage of ISA Server’s ability to connect and filter traffic between multiple networks. However, if ISA Server is deployed as a Web proxy- and caching-only server, it can be deployed with a single network adapter. When ISA Server is installed on a computer with a single adapter, it recognizes only one network: the internal network.

If an organization already has a firewall solution in place, it can still take advantage of the proxy and caching functionality of ISA Server. To deploy ISA Server as a proxy and caching server, you only need to configure it to allow users to access resources on the Internet. You would then configure the Web browsers on all client computers to use the computer running ISA Server as a Web proxy server.
When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:

1- Firewall and SecureNAT clients
2- Virtual private networking
3- IP packet filtering
4- Multi-network firewall policy
5- Server publishing
6- Application-level filtering
These restrictions mean that ISA Server provides very few security benefits for the network.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization’s network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system–level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet-edge firewall, ISA Server can provide valuable additional functionality as the back-end firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization’s Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.
