Configuring Virtual Private Networking for Remote Clients

How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).

Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).

2- VPN access network By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.

3- VPN protocol By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.

4- Network rules Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.

5- Firewall-access rules By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewallaccess rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.

6- Remote-access policy When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.

Configuring ISA Server as a Firewall

Lesson 1: Introduction to ISA Server as a Firewall

Firewalls are deployed to limit network traffic from one network to another. To distinguish between network traffic that should be allowed and network traffic that should be blocked, firewalls use packet filters, stateful filters, application filters, and intrusion detection. This lesson describes this core functionality provided by firewalls and how this functionality is implemented in ISA Server 2004.

What Is Packet Filtering?
A firewall’s primary role is to prevent network traffic from entering an internal network unless the traffic is explicitly permitted. One way that a firewall ensures this is through packet filtering. Packet filters control access to the network at the network layer by inspecting and allowing or denying the Internet Protocol (IP) packets. When the firewall inspects an IP packet, it examines only information in the network and transport layer headers.

A packet-filtering firewall can evaluate IP packets using the following criteria:
1- Destination address The destination address may be the actual IP address of the destination computer in the case of a routed relationship between the two networks being connected by ISA Server. The destination may also be the external interface of ISA Server in the case of a network address translation (NAT) network relationship.
2- Source address This is the IP address of the computer that originally transmitted the packet.
3- IP protocol and protocol number You can configure packet filters for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and any other protocol. Each protocol is assigned a number. For example, TCP is protocol 6, and the Generic Routing Encapsulation (GRE) protocol for Point-to-Point Tunneling Protocol (PPTP) connections is protocol 47.
4- Direction This is the direction of the packet through the firewall. In most cases, the direction can be defined by inbound, outbound, or both. For some protocols, such as File Transfer Protocol (FTP) or UDP, the directional choices may be Receive Only, Send Only, or Both.
5- Port numbers A TCP or UDP packet filter defines a local and remote port. The local and remote ports can be defined by a fixed port number or a dynamic port number.

Advantages and Disadvantages of Packet Filtering
Packet filtering has advantages and disadvantages. Among its advantages are the following:
1- Packet filtering must inspect only the network and transport layer headers, so packet filtering is very fast.
2- Packet filtering can be used to block a particular IP address or to allow a particular IP address. If you detect an application-level attack from an IP address, you can block that IP address at the packet-filter level. Or, if you need to enable access to your network and you know that all access attempts will be coming from a particular address, you can enable access only for that source address.
3- Packet filtering can be used for ingress and egress filtering. Ingress filtering blocks all access on the external interface of the firewall to packets that have a source IP address that is logically on the internal network. For example, if your internal network includes the 192.168.20.0 network, an ingress filter will block a packet arriving at the external interface that claims to be coming from 192.168.20.1. An egress filter prevents packets from leaving your network that have a source IP address that is not on the internal network.

Disadvantages of packet filtering are the following:
1- Packet filters cannot prevent IP address spoofing or source-routing attacks. An attacker can substitute the IP address of a trusted host as the source IP address and the packet filter will not block the packet. Or the attacker can include routing information in the packet that includes incorrect routing information for return packets so that the packets are not returned to the actual host, but to the attacker’s computer.
2- Packet filters cannot prevent IP-fragment attacks. An IP-fragment attack splits a single IP packet into multiple fragments. Most packet-filtering firewalls check only the first fragment and assume that the other fragments of the same packet are acceptable. The additional fragments may contain malicious content.
3- Packet filters are not application-aware. You may be blocking the default Telnet port (Port 23) on your firewall, but allowing access to the Hypertext Transfer Protocol (HTTP) port (Port 80). If an attacker can configure a Telnet server to run on Port 80 on your network, the packets would be passed to the server.

Configuring ISA Server as a Proxy Server

How to Configure Web and Firewall Chaining
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services. These servers can be chained in a hierarchical manner so that one ISA Server computer routes Internet requests to another ISA Server computer, rather than routing the request directly to the Internet. ISA Server also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer.

Why Use Web Chaining?
Web chaining is useful if your organization has multiple branch office locations, but all Internet requests are routed through one location at the head office. In this scenario, you can install ISA Server in each office and then configure ISA Server at the branch offices to route all Internet requests to the server running ISA Server at the head office.

You can also configure Web chaining so that not all Web requests are sent to the upstream server. For example, you can configure rules for conditionally routing Internet requests, depending on the destination Web server. This is useful if the head office and the branch offices are in different countries. If one of the branch offices has a direct Internet connection and many of the Web sites used by users in that branch office are in the same country as the branch office, you may choose to have the branch office ISA Server computer route all requests for specific domain names directly to the Internet. You can still have the branch office server route all other requests to the headoffice
ISA server.

One of the benefits of using Web chaining is the accumulated caching on ISA Server. If all the servers running ISA Server in the branch offices are configured to forward their requests to the head-office ISA Server, the head-office ISA Server will develop a large cache that contains many requested items. The combination of caching at the local branch office and at head office increases the chances that the Internet content can be delivered to the client with the least use of network bandwidth.

Configuring Web Chaining Rules
To configure Web chaining rules, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node, select Networks, and then click the Web Chaining tab.
2. To create a new Web chaining rule, on the Tasks tab, click Create New Web Chaining Rule.
3. On the Welcome To The New Web Chaining Rule Wizard page, in the Web Chaining Rule Name box, type a name for the Web chaining rule. Click Next.
4. On the Web Chaining Rule Destination page, click Add to specify the destinations that will be affected by this rule.
5. In the Add Network Entities dialog box, select the destinations that this rule will apply to. For example, if the rule should apply to all Internet requests, expand Networks, then click External. Click Close.
6. On the Web Chaining Rule Destination page, click Next.
7. On the Request Action page, select how the request should be processed. You have three options:
. Retrieve Requests Directly From The Specified Destination—In this case, the Web request is routed directly to the Internet.
. Redirect Requests To A Specified Upstream Server—In this case, the Web request is routed to the server that you specify.
. Redirect Requests To—In this case, the request is routed to the specified Web site.
To configure Web chaining, select Redirect Requests To A Specified Upstream Server and then click Next.
8. On the Primary Routing page, shown in Figure 5-8, in the Server box, type the name of the server to which this server will send the requests. You can also specify the port numbers for HTTP and SSL and configure an account that will be used to authenticate at the upstream ISA Server. Click Next.
9. On the Backup Action page configure what ISA Server should do if the upstream ISA Server is unavailable. You have three choices:
. Ignore Requests—In this case, ISA Server will not respond to client requests.
. Retrieve Requests Directly From The Specified Destination—In this case, ISA Server will route the request to the Internet.
. Route Requests To An Upstream Server—In this case, you can specify an alternative upstream server.
Select the option you require and then click Next.
10. On the Completing The New Web Chaining Rule Wizard page, review the configuration and then click Finish.
11. After creating the Web Chaining rule, you can configure how the ISA Server computer will bridge HTTP and HTTPS requests when using the Web chaining rule. To configure bridging, click the Web chaining rule and then, on the Tasks tab, click Define SSL Bridging For Selected Rule. On this page, you can configure how to redirect HTTP and SSL requests when sending the requests to the upstream server.

Enabling Secure Access to Internet Resources

Guidelines for Designing an Internet Usage Policy :

One of the first steps that an organization must take, as it prepares to grant access to Internet resources, is to define an Internet usage policy. An Internet usage policy defines what actions users are allowed to perform while they are connected to the Internet. The Internet usage policy becomes the basis for configuring the ISA Server settings to provide secure access to the Internet.
Internet usage policies should do the following:
1- Describe the need for an Internet usage policy. At first, users may resist the policy because they may interpret the policy as arbitrarily and without any business reason limiting what they can do. The policy should define exactly why the policy is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that
work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases the resistance to the policy.
2- Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
3- Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have the means of resolving these issues. The easiest way to ensure this resolution is to provide users with the contacts they can use to get their
answers quickly.
4- Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.

How ISA Server Enables Secure Access to Internet Resources
Now that you have developed the Internet usage policy, you are ready to implement that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
1- Implementing ISA Server as a firewall ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
2- Implementing ISA Server as a proxy server When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
3- Using ISA Server to implement the organization’s Internet usage policy ISA Server can be used to implement many Internet-use restrictions.

Installing and Configuring the Firewall Client

How to Install Firewall Client :
When you install ISA Server, you have the option of installing the Firewall Client Share on the ISA Server computer. When you choose this option, the Firewall Client installation files are copied to the server in the C:\Program Files\Microsoft ISA Server\Clients folder. The folder is then shared with a share name of Mspclnt. Moreover, the system policy rule that enables access to the shared folder is enabled. To install the Firewall Client manually, users can connect to the share and run the setup program.
To install the Firewall Client software from a shared folder, use the following procedure:

1. Connect to the shared folder that contains the Firewall Client installation files. If you use the shared folder on the ISA Server computer, the default share name is ISA_Server_name/MSPClnt.
2. Right-click MS_FPC.msi and click Install. Alternatively, you can double-click Setup.exe.
3. On the Welcome To The Install Wizard For The Microsoft Firewall Client page, click Next.
4. On the Destination Folder page, review the default installation folder location.Click Change if you want to change the installation folder. Click Next to continue.
5. On the ISA Server Computer Select screen, you can select how the Firewall Client will locate the ISA Server. To configure the server name or IP Address manually, select Connect To This ISA Server and type the ISA Server name or the IP address. To enable Automatic Discovery of the ISA Server computer, select Automatically Detect The Appropriate ISA Server Computer. Click Next.
6. On the Ready to Install the Program page, click Install.
7. When the installation wizard finishes, click Finish.

After the installation is complete, the Firewall Client application is enabled. The Microsoft Firewall Client Management icon is added to the system tray. To modify the Firewall Client configuration on the client, right-click the icon and click Configure. On the General tab ,you can enable or disable the Firewall Client and configure it to detect the ISA Server computer automatically or configure the ISA
Server computer manually. On the Web Browser tab, you can enable or disable automatic configuration of the Web browser.

How to Automate Firewall Client Installation :
If you deploy the Firewall Client to a large number of clients, you may choose to automate the Firewall Client installation. You have several options for automating the installation of the Firewall Client. You can perform an unattended installation, use Group Policy in Active Directory, or Microsoft Systems Management Server (SMS) to automate the installation.

Performing an Unattended Installation of the Firewall Client
One option for automating the deployment of the Firewall Client is to perform an unattended installation. To perform an unattended installation, you must ensure that the Firewall Client installation files are accessible from the client computer and then run the setup program from a command prompt with the appropriate parameters.
To complete an unattended installation of Firewall Client when running the setup program from the command prompt, use the following syntax:
Path\Setup.exe /v" [SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={10}] [REFRESH_WEB_PROXY={10}] /qn"

Using Active Directory Group Policy to Distribute the Firewall Client
You can also use the Software Installation option in Active Directory Group Policy to automate the installation of the Firewall Client. To distribute the Firewall Client using this option, perform the following procedure:
1. Copy the Firewall Client installation files to a network share. You can use the Firewall Installation share on the ISA Server computer or on a file server. If you are installing the Firewall Client on a large number of client computers, use a separate file server.
2. Determine whether you wish to distribute the client software to users or computers. If you distribute the software to users, you can choose whether the software will be installed the next time the user logs on or whether the user can initiate the installation from Add/Remove Programs. If you distribute the software to computers, the software will be installed the next time the computer restarts.
3. Create a new software distribution package. Configure the software distribution package to use the installation files on the shared folder. You can also configure the distribution options for the software package.
4. When users log on or the client computers reboot, the Firewall Client is installed. The Firewall Client will then automatically discover the ISA Server computer and download the configuration information.

Installing and Managing ISA Server Clients

Lesson 1: Choosing an ISA Server Client :

ISA Server Client Options :

An ISA Server client is a client computer that connects to resources on another network by going through the ISA Server computer. In most cases, ISA Server clients are used to provide access to the Internet for users on the Internal network. The type of client you use on your network depends primarily on your security requirements and on whether you want to deploy Firewall Client software to each client computer on your network.

ISA Server supports three types of clients:
1- Firewall clients Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

2- SecureNAT clients SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the
default gateway on the client computers must be configured.

3- Web Proxy clients Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy–compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA
Server computer.

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext Transfer Protocol Secure (HTTPS) are sent to the Web Proxy listener on ISA Server.

What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application must be installed on each client computer.

Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers. Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this case, the socket includes the IP address of the destination computer, the protocol used (TCP), and the port number on which the server is listening (Port 80). All applications
use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.

The Firewall Client application changes how a client computer connects to resources on the Internet using Winsock applications. After you install the Firewall Client, when the client computer initiates a Winsock application, the Firewall Client intercepts the application calls. The Firewall Client checks the destination computer name or IP address and determines whether to route the request to the ISA Server computer or to a server on the local network. If the destination computer is not local, the request is sent to the Firewall service on the ISA server computer. The Firewall service accepts
the request and authenticates the user. The Firewall service also checks whether any filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server responds to the ISA Server computer, which then replies to the client computer.

Securing and Maintaining ISA Server 2004

Lesson 1: Securing ISA Server 2004

Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.

How to Harden the Server :

ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.

How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server.By default, network interfaces in both Windows 2000 Server and Windows Server 2003are configured to facilitate connecting other computers on the network to the server.On an ISA Server computer, ensure that clients can connect to the network interfacesonly to access specific resources. Although both the interface connected to the Internetand the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.

Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:

1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client,needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.

Securing the Internal Network Interface
In addition to securing the external interface,you should secure the internal interface on the computer running ISA Server.However, in many cases, you may require more functionality on the internal interface,so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to access the Firewall Client software.If the client installation files are stored on another computer, you can disableFile and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if you want to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or Net-BIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name resolution enabled on the internal network interface so that the ISA Server computer’s IP address is registered in DNS. If you do nothave automatic updates enabled on the DNS zone, disable this option and manuallyconfigure the host record in DNS.

MCP 70-350 : Introduction to ISA Server 2004

How ISA Server Works as a Branch Office Firewall :

A third deployment scenario for ISA Server is as a branch office firewall. In this scenario, ISA Server can be used to secure the branch office network from external threats as well as connect the branch office networks to the main office using site-to-site VPN connections.

For organizations with multiple locations, ISA Server can function as a branch office firewall in conjunction with additional ISA Servers at other locations. If a branch office has a direct connection to the Internet, ISA Server may operate as an Internet-edge firewall for the branch, securing the branch office network and also publishing server resources to the Internet. If the branch office has only a dedicated WAN connection to the other offices, ISA Server can be used to publish servers in the branch office such as Microsoft SharePoint Portal Server or a local Exchange Server.

One of the benefits of using ISA Server as a branch office firewall is that it can operate as a VPN gateway that connects the branch office network to the main office network using a site-to-site VPN connection. Site-to-site VPN provides a cost-effective and secure method of connecting offices. In this scenario, the following occurs:
1- ISA Server can be used to create a VPN from a branch office to other office locations. The VPN gateway at other sites can be either additional computers running ISA Server or third-party VPN gateways. ISA Server supports the use of three tunneling protocols for creating the VPN: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
2- ISA Server can perform stateful inspection and application-layer filtering of the VPN traffic between the organization’s locations. This can be used to limit the remote networks that can access the local network and to ensure that only approved network traffic can access it.

How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server :

In a small or medium organization, a single ISA Server computer may provide all Internet access functionality. The ISA Server computer is used to create a secure boundary around the internal network, and to provide Web proxy and caching services for internal users.

Small or medium-size organizations often have significantly different Internet access requirements than larger organizations. Small organizations may have dial-up or other slow connections to the Internet. Almost all organizations provide at least some level of Internet access to employees, but these offices may need to limit access because of the slow connections. Small organizations frequently do not require any services published to the Internet because their ISP may be hosting both their organization’s Web site and their e-mail servers. Other organizations may have much more complex requirements, including requirements for SMTP, FTP, and HTTP server publishing as well as VPN access. Another unique situation faced by many small or medium-size organizations is that a single network administrator performs all network administration tasks. This means that the administrator is usually not a firewall or Internet security expert. ISA Server is flexible enough to meet almost any small or medium organization's requirements:

1- Configuring caching on ISA Server computers means that Web pages are cached on the ISA Server hard disk. This can reduce the use of slow Internet connections or reduce the cost of a connection where cost is based on bandwidth usage.
2- ISA Server supports the option of using dial-up connections to access the Internet or other networks. You can configure ISA Server to dial the connection automatically when a request is made for access to Internet resources.
3- Installation of ISA Server is secure out of the box. By default, ISA Server 2004 will not accept any connections from the Internet after installation. This means that if the organization does not require any resources to be accessible from the Internet, the administrator does not need to configure ISA Server to block all incoming traffic. All the administrator has to do in this scenario is configure the server to enable Internet access for internal users and the configuration is complete.
4- ISA Server provides network templates and server publishing wizards that can be used to configure most required settings. Configuring ISA Server to provide access to Internet resources can be as simple as applying a network template and using the wizard to configure the security settings. ISA Server provides several server publishing wizards that make it easy to securely publish internal servers to the Internet.

How ISA Server Works as a Proxy- and Caching-Only Server :

A final deployment scenario for ISA Server 2004 is as a proxy server and caching server only. In this scenario, ISA Server is not used to provide a secure boundary between the Internet and the internal network, but only to provide Web proxy and caching services.

In most cases, computers running ISA Server are deployed with multiple network adapters to take advantage of ISA Server’s ability to connect and filter traffic between multiple networks. However, if ISA Server is deployed as a Web proxy- and cachingonly server, it can be deployed with a single network adapter. When ISA Server is installed on a computer with a single adapter, it recognizes only one network—the internal network.

If an organization already has a firewall solution in place, it can still take advantage of the proxy and caching functionality of ISA Server. To deploy ISA Server as a proxy and caching server, you only need to configure it to allow users to access resources on the Internet. You would then configure the Web browsers on all client computers to use the computer running ISA Server as a Web proxy server.
When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:

1- Firewall and SecureNAT clients
2- Virtual private networking
3- IP packet filtering
4- Multi-network firewall policy
5- Server publishing
6- Application-level filtering
These restrictions mean that ISA Server provides very few security benefits for the network.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization’s network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened
to protect against operating system–level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.

4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.

Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet- edge firewall, ISA Server can provide valuable additional functionality as the backend firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization’s Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA pub-lishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.

11 Deploying, Configuring, and Managing SSL Certificates

Renewing SSL Certificates :
Like any other public key certificate, each SSL certificate has a lifetime. At some point in the future, the certificate will expire. You should plan to renew the certificate three to six months prior to the expiration to ensure that there is no period during which the certificate is invalid.

The specific process you use for renewing the certificate will vary. If you are using a certificate issued by a public CA, the CA will provide a renewal process. If you are using a certificate issued by Certificate Services, you can renew the certificate by using Web enrollment, the Certificates snap-in, or the Web Server Certificate Wizard.

Configuring Firewalls :
Applications use a unique port number for SSL-protected communications. As a result,you must change your firewall configuration to allow the encrypted traffic.

There are two approaches to allowing SSL traffic through a firewall. The first approach is to open the firewall to allow all traffic with a designated port. The typical ports that various applications use for SSL are listed in Table 11.2. Although this will allow SSL sessions to be established through the firewall, the firewall will not be able to analyze the contents of the SSL-encrypted packets. As a result, the firewall will be able to use only the origin and destination of the packet to determine whether to let packets through.