
Guidelines for Troubleshooting VPN Client Connections

Enabling VPN connectivity requires a complex interplay between several server components such as the ISA Server configuration and the RRAS configuration. In addition, you have several configuration options such as authentication methods and tunneling protocols. All these components and options must be configured correctly to allow users to connect to the ISA Server computer using a VPN.

Use the following guidelines when troubleshooting VPN client connections:
1- The most common problems with VPN connections are user authentication problems. Start by checking the user configuration. Does the user have permission to dial in? Is the user part of a group that has permission to use VPN on the ISA Server computer? Is the user account locked out? Is the user using the correct password?

2- If the user account is not the problem, check the authentication method configuration. If the user is connecting over PPTP, ensure that the client and server share an authentication method. By default, ISA Server enables only MS-CHAP v2 authentication, so older Windows clients such as Windows 98 or Windows NT may not support it. The best solution in this case is to install the appropriate security patches on the clients so that they support MS-CHAP v2 authentication.

3- If the users are connecting to an L2TP/IPSec connection, ensure that the client has the correct certificate installed or is configured to use the appropriate pre-shared key.

4- L2TP/IPSec clients may also be unable to authenticate if ISA Server is configured to block IP fragments. In this scenario, users get an error message indicating that the security negotiation timed out. IPSec uses the Internet Key Exchange (IKE) protocol for mutual computer authentication and for the exchange of session keys in an L2TP VPN connection. The IKE negotiation information does not fit within a single packet of the path's maximum transmission unit (MTU), so the IKE negotiation packet is fragmented into smaller packets. When you filter fragmented packets in ISA Server, the IKE negotiation packets are dropped, and the VPN connection cannot be completed. To enable client connections, you must configure ISA Server not to block IP fragments.

5- If the users can connect to the VPN remote-access server and authenticate, but cannot get access to any network resources, check the name resolution for the VPN clients. The VPN clients must be configured with a DNS server (and possibly a WINS server) address to resolve server names on the internal network.

6- If the DNS configuration is accurate, check the configuration of the access rules defined on the ISA Server computer. Remember that the VPN Clients network is used by ISA Server like any other network, so you must configure access rules in order to enable network traffic to flow between networks.

Configuring Virtual Private Networking for Remote Clients

How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).

Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).

2- VPN access network By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.

3- VPN protocol By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.

4- Network rules Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.

5- Firewall-access rules By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewall-access rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.

6- Remote-access policy When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.

Configuring ISA Server as a Proxy Server

How Does a Reverse Web Proxy Server Work?
A reverse Web proxy server operates in much the same way as a forward Web proxy server. However, instead of making Internet resources accessible to internal clients, reverse proxy makes internal resources accessible to external clients.

The following steps outline how a reverse Web proxy server works:
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a DNS lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the object is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.
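The six steps above describe a request path that is easy to get wrong in practice: the proxy must reject malformed URLs, allow only what a publishing rule permits, and consult its cache before it ever opens a connection to the internal network. The following Python simulation is an added example, not code from the page or from ISA Server; the publishing rule, the internal server contents and the max-age values are constructed so it runs offline, and the DNS step (steps 1 and 2) is assumed to have already delivered the request to the proxy.

```python
import time
from urllib.parse import urlsplit

# Constructed publishing policy: which public host names are published, which
# internal server answers for each, and which path prefixes may be requested.
PUBLISHING_RULES = {
    "www.example.com": {"backend": "10.0.0.20", "allow_prefixes": ("/public/", "/images/")},
}

# Constructed stand-in for the internal web server: (server, path) -> (body, max-age seconds)
INTERNAL_SERVERS = {
    ("10.0.0.20", "/public/index.html"): ("<html>welcome</html>", 60),
    ("10.0.0.20", "/images/logo.png"): ("PNG-bytes", 3600),
}


class ReverseProxy:
    """Steps 3-6 of the reverse proxy flow: validate, check policy, check cache, forward."""

    def __init__(self, clock=time.time):
        self.cache = {}          # (host, path) -> (body, expires_at)
        self.clock = clock       # injectable so cache freshness can be tested deterministically

    def handle(self, url):
        """Return (status, body, source) where source is 'cache', 'backend' or 'proxy'."""
        parts = urlsplit(url)
        # Step 3a: reject anything that is not a well-formed absolute HTTP(S) URL
        if parts.scheme not in ("http", "https") or not parts.hostname or ".." in parts.path:
            return 400, "invalid URL", "proxy"
        # Step 3b: only published hosts and paths are allowed through to the internal network
        rule = PUBLISHING_RULES.get(parts.hostname)
        if rule is None or not parts.path.startswith(rule["allow_prefixes"]):
            return 403, "no publishing rule allows this request", "proxy"
        # Step 4: a current object is served from cache without touching the internal server
        key = (parts.hostname, parts.path)
        now = self.clock()
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            return 200, cached[0], "cache"
        # Steps 4-6: forward to the internal server, cache the answer, return it to the client
        entry = INTERNAL_SERVERS.get((rule["backend"], parts.path))
        if entry is None:
            return 404, "not found on internal server", "backend"
        body, max_age = entry
        self.cache[key] = (body, now + max_age)
        return 200, body, "backend"


if __name__ == "__main__":
    proxy = ReverseProxy()
    print(proxy.handle("http://www.example.com/public/index.html"))   # from backend
    print(proxy.handle("http://www.example.com/public/index.html"))   # from cache
    print(proxy.handle("http://www.example.com/admin/"))              # denied by policy
```

The policy check runs before the cache lookup on purpose: a cached object must never be served to a request that the publishing rule would not allow in the first place.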

How to Configure ISA Server as a Proxy Server
You can deploy ISA Server 2004 as a Web proxy and a Winsock proxy server. In fact, as soon as you enable access to Internet resources for internal clients, ISA Server begins to operate as a Web proxy server. However, there are also several Web proxy server settings that you can modify on ISA Server.
You can configure several Web proxy settings on ISA Server. To do so, perform the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and select Networks.
2. Click the network whose Web access properties you want to configure. If you are configuring access to the Internet for internal clients, select the Internal network. Click Edit Selected Network.
3. Click the Web Proxy tab to configure the Web Proxy settings for ISA Server. The interface is shown in Figure 5-3. First, ensure that Enable Web Proxy Clients is selected. This is selected by default.

On the Web Proxy tab, you can choose to enable or disable HTTP connections on the specified port number. You can also enable or disable Secure Sockets Layer (SSL) connections. If you select this option, ISA Server will listen for HTTPS connections on the port specified. If you enable SSL, you must also configure a certificate that will be used for SSL authentication and encryption. Web browsers cannot use this setting for Internet access, but it can be used for Web chaining scenarios.
4. To configure the Advanced Settings, click Advanced. The interface is shown in Figure 5-4. On this tab, you can configure the number of connections, which will limit the number of users that can connect to the ISA Server at one time. You can also specify a connection timeout value, which sets a timeout limit for idle connections.

5. To configure ISA Server as a Winsock proxy server, you must configure the Internal network properties so that Firewall clients are supported. To configure this, click the Firewall Client tab on the Internal network properties and ensure that Enable Firewall Client Support For This Network is selected.

Enabling Secure Access to Internet Resources

Guidelines for Designing an Internet Usage Policy

One of the first steps that an organization must take, as it prepares to grant access to Internet resources, is to define an Internet usage policy. An Internet usage policy defines what actions users are allowed to perform while they are connected to the Internet. The Internet usage policy becomes the basis for configuring the ISA Server settings to provide secure access to the Internet.
Internet usage policies should do the following:
1- Describe the need for an Internet usage policy. At first, users may resist the policy because they may see it as an arbitrary limit on what they can do, with no business reason behind it. The policy should define exactly why it is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases the resistance to it.
2- Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
3- Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have a means of resolving these issues. The easiest way to ensure this is to give users the contacts they can use to get their answers quickly.
4- Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.

How ISA Server Enables Secure Access to Internet Resources
Now that you have developed the Internet usage policy, you are ready to implement that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
1- Implementing ISA Server as a firewall ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
2- Implementing ISA Server as a proxy server When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
3- Using ISA Server to implement the organization’s Internet usage policy ISA Server can be used to implement many Internet-use restrictions.

Enabling Secure Internet Access with ISA Server 2004

Lesson 1: Enabling Secure Access to Internet Resources

What Is Secure Access to Internet Resources?
Almost all organizations provide some level of Internet access for their users. The use of the Internet as a source of information and e-mail as a communication tool means that most organizations cannot afford to be without access to the Internet. At the same time, ensuring that the connection to the Internet is secure is critical.

So what is secure access to the Internet? At a minimum, providing secure Internet access for users in an organization means the following:
1- Users can access the resources that they need. To do their jobs, users in many organizations must be able to use a Web browser or other application to access Internet resources.
2- The connection to the Internet is secure. Users must be reasonably sure that they will not be attacked through the Internet connection. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the computer, such as the computer name, user logon name, and shared folders, as well as details about the network configuration for the client computer, such as the client Internet Protocol (IP) address, should be hidden.
3- The data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal information such as credit card information to the Internet or they might send private or confidential organizational information such as client data to the Internet. This data must be secured when it leaves the organization. If the data cannot be protected, you must prevent users from sending the information to the Internet.
4- Users cannot download malicious programs from the Internet. One of the ways attackers gain access to your network is by getting users to download malicious content. You must prevent users from inadvertently or deliberately causing damage to the network by downloading viruses or Trojan horse applications to their client computers.

Secure access to the Internet also means that the user’s actions comply with the organization’s
security or Internet usage policy. This means the following:
1- Only users who have permission to access the Internet can access the Internet.
2- These users can use only approved protocols and applications to access Internet resources.
3- These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
4- These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.

Installing and Managing ISA Server Clients

What Is a Web Proxy Client?
A Web Proxy client is a client computer that has an HTTP 1.1–compliant Web browser application and is configured to use the ISA Server computer as a Web Proxy server. Virtually all current Web browsers comply with this HTTP standard, so any client computer can be configured as a Web Proxy client, including computers which are SecureNAT or Firewall clients.

When a Web Proxy client tries to access resources on the Internet, the requests are directed to the Firewall service on the ISA Server computer. If the access rule is configured to require authentication, the ISA Server computer requests authentication from the Web Proxy client. The Firewall service then determines whether the user is allowed to access the Internet and checks the access rules to determine whether the request is allowed. For example, you can configure access rules to block access to specified sites, or to block requests with certain keywords in the client request. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.

One of the advantages of using Web Proxy clients is that most client computers already run compatible Web browsers, so Web Proxy clients require no special software to be installed. However, you must configure the Web browser to use the ISA Server computer as a proxy server. In most cases, this is a simple configuration. If you install Firewall Client software, you can use it to configure the Web browser to use the ISA Server computer as a proxy server. After you have completed the initial configuration of the Web Proxy client, you can also automate the configuration of the Web Proxy client using the ISA Server Management Console.
Using Web Proxy clients provides several advantages:
■ As mentioned earlier, almost all client computers already run compatible Web browsers, which means you do not need to install any software on the client computers. All you need to do is configure the software, and this can be automated.
■ Web Proxy clients support authentication, so you can restrict access to Internet resources based on users and groups.
■ Client computers can be running any operating system that supports compatible Web browsers.
■ All client requests and responses are passed through the Web Proxy filter on ISA Server. This means that you can use application layer filtering to filter all traffic from the Web Proxy clients to the Internet, and from the Internet to the Web Proxy clients.

Guidelines for Choosing an ISA Server Client
ISA Server clients are used to provide access to Internet resources. This means that one of the choices that you must make as you deploy ISA Server 2004 is which ISA Server client you will deploy.

Installing and Managing ISA Server Clients

What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.

When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.
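The NAT driver step deserves a concrete illustration, because it is the mechanism that keeps internal addresses off the Internet: the client's source address and port are replaced by the ISA Server external address and a translated port, and only replies to an existing outbound flow are mapped back in. The Python model below is an added example, not ISA Server's driver; the external address 203.0.113.1, the starting port 60000 and the packets are constructed values.

```python
import itertools
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.1"   # constructed external address of the ISA Server computer


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDriver:
    """Rewrites the source of outbound client packets to ISA Server's external address
    and maps replies back; inbound packets that match no outbound flow are dropped."""

    def __init__(self, external_ip=EXTERNAL_IP, first_port=60000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (client_ip, client_port, dst_ip, dst_port) -> external port
        self.inbound = {}    # external port -> (client_ip, client_port, dst_ip, dst_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(flow)
        if ext_port is None:                 # new flow: allocate an external port
            ext_port = next(self._ports)
            self.outbound[flow] = ext_port
            self.inbound[ext_port] = flow
        # Only the external IP and port leave the network; the client address never does.
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Return the packet rewritten for the internal client, or None if it must be dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        flow = self.inbound.get(pkt.dst_port)
        if flow is None:
            return None                      # nothing on the inside asked for this
        client_ip, client_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None                      # reply from a host the client never contacted
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port)


if __name__ == "__main__":
    nat = NatDriver()
    out = nat.translate_outbound(Packet("10.0.0.5", 51000, "93.184.216.34", 80))
    print("on the wire:", out)
    print("reply to client:", nat.translate_inbound(Packet("93.184.216.34", 80, "203.0.113.1", 60000)))
    print("unsolicited:", nat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 60000)))
```

The mapping is keyed on the full four-tuple, so an inbound packet from a host the client never contacted is dropped even if it guesses a port that is in use. This is the translation step only; the Firewall service's rule check happens after it, as the text describes.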

Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.

2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.

3- SecureNAT clients can use the Web Proxy service for Web access filtering and caching. The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.

SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups. SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be authenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.

2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.
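Two passages above describe the same mechanism from different sides: the secure-access requirements (only permitted users, only approved protocols and destinations, only within other restrictions such as time of day) and the SecureNAT limitation that a request carrying no credentials can never satisfy a rule that requires authentication. The evaluator below is an added example that models ISA-style access rules in Python; it is not ISA Server's rule engine, and the rule names, groups, destinations and the clock helper are constructed. It generalizes the text slightly by showing ordered first-match evaluation with a built-in default deny.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

ALL_USERS = "All Users"                        # matches anonymous requests too
ALL_AUTHENTICATED = "All Authenticated Users"  # requires credentials of some kind


def sample_time(hour):
    """Constructed clock for the examples: a weekday at the given hour."""
    return datetime(2024, 1, 8, hour, 0)


@dataclass
class Request:
    protocol: str
    destination: str
    user: Optional[str] = None                 # None = no credentials, as a SecureNAT client
    groups: FrozenSet[str] = frozenset()
    source_network: str = "Internal"
    when: datetime = field(default_factory=datetime.now)


@dataclass
class AccessRule:
    name: str
    action: str                                # "allow" or "deny"
    protocols: FrozenSet[str]                  # "All Outbound Traffic" matches any protocol
    destinations: FrozenSet[str]               # "External" matches any destination
    users: FrozenSet[str]                      # ALL_USERS, ALL_AUTHENTICATED or group names
    sources: FrozenSet[str] = frozenset({"Internal"})
    hours: Optional[Tuple[int, int]] = None    # (start, end) hour window; None = always

    def matches(self, req: Request) -> bool:
        if req.source_network not in self.sources:
            return False
        if "All Outbound Traffic" not in self.protocols and req.protocol not in self.protocols:
            return False
        if "External" not in self.destinations and req.destination not in self.destinations:
            return False
        if self.hours and not (self.hours[0] <= req.when.hour < self.hours[1]):
            return False
        if ALL_USERS in self.users:
            return True
        if req.user is None:
            return False                       # rule needs credentials; anonymous clients cannot supply them
        return ALL_AUTHENTICATED in self.users or bool(self.users & req.groups)


def evaluate(rules, req: Request):
    """Rules are ordered; the first matching rule decides. No match means the default deny applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy: a deny rule first, then an authenticated allow rule with a time window,
# then an anonymous allow rule for DNS so SecureNAT clients can still resolve names.
POLICY = [
    AccessRule("Block Gambling Sites", "deny", frozenset({"All Outbound Traffic"}),
               frozenset({"casino.example"}), frozenset({ALL_USERS})),
    AccessRule("Staff Web Access", "allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"External"}), frozenset({"Staff"}), hours=(8, 18)),
    AccessRule("DNS for All Clients", "allow", frozenset({"DNS"}),
               frozenset({"External"}), frozenset({ALL_USERS})),
]


if __name__ == "__main__":
    staff = Request("HTTP", "www.example.com", user="alice", groups=frozenset({"Staff"}), when=sample_time(10))
    anon = Request("HTTP", "www.example.com", when=sample_time(10))
    print(evaluate(POLICY, staff))   # allowed by Staff Web Access
    print(evaluate(POLICY, anon))    # falls through to the default deny
```

Note that the anonymous HTTP request is not denied by an explicit rule; it simply matches nothing, because the only rule that would allow it requires a group membership that an unauthenticated request cannot prove. That is exactly the situation described for SecureNAT clients, and it is why a rule for anonymous clients (the DNS rule here) must say All Users explicitly.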

Installing and Managing ISA Server Clients

Lesson 1: Choosing an ISA Server Client

ISA Server Client Options

An ISA Server client is a client computer that connects to resources on another network by going through the ISA Server computer. In most cases, ISA Server clients are used to provide access to the Internet for users on the Internal network. The type of client you use on your network depends primarily on your security requirements and on whether you want to deploy Firewall Client software to each client computer on your network.

ISA Server supports three types of clients:
1- Firewall clients Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

2- SecureNAT clients SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the default gateway on the client computers must be configured.

3- Web Proxy clients Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy–compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA Server computer.

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext Transfer Protocol Secure (HTTPS) are sent to the Web Proxy listener on ISA Server.

What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application must be installed on each client computer.

Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers. Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this case, the socket includes the IP address of the destination computer, the protocol used (TCP), and the port number on which the server is listening (Port 80). All applications use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.

The Firewall Client application changes how a client computer connects to resources on the Internet using Winsock applications. After you install the Firewall Client, when the client computer initiates a Winsock application, the Firewall Client intercepts the application calls. The Firewall Client checks the destination computer name or IP address and determines whether to route the request to the ISA Server computer or to a server on the local network. If the destination computer is not local, the request is sent to the Firewall service on the ISA Server computer. The Firewall service accepts the request and authenticates the user. The Firewall service also checks whether any filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server responds to the ISA Server computer, which then replies to the client computer.
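The decision the Firewall Client makes at interception time, local destination or not, is the part worth seeing in code, because a wrong answer either sends internal traffic out through the proxy or lets a remote connection bypass the Firewall service entirely. The Python function below is an added example of that local-versus-remote check, not the Firewall Client's own implementation; the local address ranges, the local domain suffix and the ISA Server address 10.0.0.1 are constructed assumptions.

```python
import ipaddress

# Constructed local address table: IP ranges reachable without going through ISA Server
LOCAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Constructed local domain suffixes: names under these are treated as internal servers
LOCAL_DOMAINS = ("corp.example.test",)
ISA_SERVER = "10.0.0.1"   # constructed internal address of the ISA Server computer


def is_local_destination(destination: str) -> bool:
    """Decide whether a Winsock connect() target is on the local network."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literal: local if it is loopback or falls inside any local range
        return addr.is_loopback or any(addr in net for net in LOCAL_RANGES)
    name = destination.rstrip(".").lower()
    if name == "localhost" or "." not in name:
        return True   # single-label names belong to the local network
    # Suffix match must be on a label boundary so "corp.example.test.attacker.example" is not local
    return any(name == d or name.endswith("." + d) for d in LOCAL_DOMAINS)


def route(destination: str, port: int):
    """Return (via, next_hop, (destination, port)): 'direct' to the server, or 'isa' to the Firewall service."""
    if is_local_destination(destination):
        return ("direct", destination, (destination, port))
    # Remote destination: the request goes to the Firewall service on ISA Server, which
    # authenticates the user, checks the rules and opens its own socket to the destination.
    return ("isa", ISA_SERVER, (destination, port))


if __name__ == "__main__":
    for target, port in [("fileserver", 445), ("10.0.0.7", 80), ("www.example.com", 80), ("93.184.216.34", 443)]:
        print(target, port, "->", route(target, port))
```

The boundary check on the domain suffix is the detail to get right: a plain `endswith("corp.example.test")` would classify an attacker-chosen external name that merely ends in those characters as local, and the connection would then skip the Firewall service.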

Maintaining ISA Server 2004

How to Implement Remote Administration

In most organizations, you will not perform ISA Server administration directly from the ISA Server computer console. The ISA Server computer should be located in a physically secure server room and you should administer the server from your client computer. If your organization has multiple locations with ISA Servers installed in each location, you may need to manage all the servers from your desktop. Remote administration enables you to administer ISA Server in all these cases.

You have two options for remotely administrating ISA Server. You can use a Terminal Services or Remote Desktop connection to administer the server, or you can install the ISA Server Management Console on another computer and use it to manage the ISA Server computer.

If you have installed ISA Server on a server running Windows 2000, you can use Terminal Services to manage the ISA Server computer. If ISA Server is installed on a computer running Windows Server 2003, you can use Remote Desktop in the same way. When you use Terminal Services or Remote Desktop to administer the ISA Server computer, you can view the desktop of the ISA Server computer as if you were in front of the monitor attached to the ISA Server computer. The advantage of using Terminal Services or Remote Desktop to administer ISA Server is that you can manage virtually all the settings on the server, not just ISA Server.

To enable remote administration of ISA Server on computers running Windows Server 2003, you must be a member of the Administrators group or Remote Desktop Users group on the ISA Server computer, or be granted permission to use Remote Desktop to connect to the server. To enable remote administration of ISA Server running on a Windows 2000 computer, you must install Terminal Services on the server in either Application or Remote Administration mode. Then the user properties must be configured to allow remote connections using Terminal Services.

To run ISA Server Management, you need the following:
1- A personal computer with a 300-megahertz (MHz) or higher, Pentium II–compatible CPU
2- Windows Server 2003, Windows 2000 Server or Windows 2000 Professional, or Windows XP
3- 256 megabytes (MB) of memory
4- 19 MB of available hard-disk space.

When you install ISA Server, the default system policy allows remote administration from all members of a computer set named Remote Management Computers. This computer set is used to assign remote access permissions in both the MMC system policy configuration group and the Terminal Services configuration group. By default, no computers are in this group, so no computers can connect to the ISA Server computer for remote management. To enable remote management on the ISA Server computer, you must configure remote administration by editing the appropriate MMC or Terminal Server configuration group in the System Policy editor.

Key Terms
administrative role Used to assign permissions on ISA Server. Each administrative role has a predefined set of permissions that allow the user to perform specific tasks on the ISA Server computer.

firewall access rule A configuration object on ISA Server that defines what types of network traffic will be allowed on the ISA Server computer. By default, all network traffic is blocked unless a firewall access rule allows the specific traffic.

Remote Management Computers A computer set that is used to provide remote management access to ISA Server. This computer set should include all the IP addresses of the computers that are used to perform remote administration on the ISA Server computer.

system policy A set of firewall access rules that controls how the ISA Server computer communicates with computers on the attached networks.

Maintaining ISA Server 2004

Importing the ISA Server Configuration
When you import a previously exported file, all properties and settings defined in the file are imported, overwriting the current configuration on the ISA Server computer. However, if you export only a specific component, such as a specific firewall rule, the file import overwrites only that particular rule.

To import the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
3. On the Tasks tab, click the import task. The exact name of the task varies, depending on the type of object that you selected.
4. Select the exported .xml file and click Import.
5. Click Apply to apply the changes and click OK when the changes have been applied.

How to Back Up and Restore the ISA Server Configuration

ISA Server 2004 also includes backup and restore features that enable you to save and restore the ISA Server configuration information. The backup procedure also stores the configuration information in an .xml file.

The primary use of the backup and restore option in ISA Server is for disaster recovery. You should regularly back up the configuration on the ISA Server computer so that you can restore the computer with the same settings in case of a computer failure. The backup functionality saves the appropriate information to ensure that an identical configuration can be restored.


Backing up an ISA Server configuration backs up all configuration options on the server. This includes firewall policy rules, rule elements, alert configuration, cache configuration, system policy and VPN configuration. One of the differences between backing up the server configuration and exporting the configuration is that you can only back up the entire ISA Server configuration, not individual components or groups of components.

The restore process reconstructs the configuration information that was backed up. By restoring a backup, you can rebuild the ISA Server configuration or restore it after a configuration error.

To back up and restore the ISA Server configuration, complete the following procedure:

1. Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
2. On the Tasks tab, click Backup This ISA Server Configuration.
3. Enter a file name for the backup file and click Backup.
4. Provide a password for the backup file. The password protects the confidential information stored in the backup and is required when you restore it.
5. To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
6. Click Apply to apply the changes and click OK when the changes have been applied.

Maintaining ISA Server 2004

How to Export and Import the ISA Server Configuration :

Among the new features in ISA Server 2004 is the option to export and import the ISA Server configuration. With this option, you can save and restore the ISA Server configuration information. When you use the ISA Server export feature, the configuration parameters are exported and stored in an .xml file. The import and export features are useful in several scenarios:

1- Cloning a server You can export a configuration from one ISA Server computer and then import the settings on another computer, thereby easily duplicating a server configuration. For example, after configuring an ISA Server computer at one branch office, you can export the configuration to an .xml file. Then you can import the file on a computer running ISA Server at another branch office. The two ISA Server computers will have a duplicate configuration.

2- Saving a partial configuration You can export and import any part of the ISA Server configuration. For example, you can export a single rule, an entire policy, or an entire configuration. This is helpful when you want to copy all the firewall policy rules, but not the monitoring configuration, from one ISA Server to another. This is also useful when you want to modify a specific rule. You can export that rule and have the exported configuration available in case you need to roll back the rule modification.

3- Sending a configuration for troubleshooting You can export your configuration information to a file and send it to support professionals for analysis and troubleshooting.

4- Rolling back a configuration change As a best practice, before modifying any ISA Server settings you should export the specific component that you are modifying. If your modification is not successful, you can easily restore the previous configuration by importing the policy file.
Exporting the ISA Server Configuration
You can export the entire ISA Server configuration, or just parts of it, depending on your specific needs. You can export the following objects:
1- The entire ISA Server configuration
2- All the connectivity verifiers, or one selected connectivity verifier
3- All the networks, or one selected network
4- All the network sets, or one selected network set
5- All the network rules, or one selected network rule
6- All the Web chaining rules, or one selected Web chaining rule
7- Cache configuration
8- All the content-download jobs, or one or more selected content-download jobs
9- The entire firewall policy, or one selected rule.

When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can choose to export user permission settings and confidential information such as user passwords. Confidential information included in the exported file is encrypted.

To export the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to export. If you select a container object (such as the Firewall Policy), all the objects in the container are exported.
3. On the Tasks tab, click the Export task. The exact name for the task will vary depending on the type of object that you select.
4. Enter a file name for the exported .xml file and click Export.
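The rollback practice described under "Rolling back a configuration change" works best if you can see what actually differs between the file you exported before the change and a fresh export taken afterwards. The following script is an added example, not code from the original page or from ISA Server: it flattens two XML exports into path/value pairs, reports what was added, removed or changed, and lists any newly added rule whose action is Allow. The element and attribute names in the two embedded samples are constructed stand-ins, not the schema ISA Server writes; the comparison itself is generic and works on any two XML files.

```python
"""Diff two exported XML configuration files before applying a change or rolling one back."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed "before" and "after" exports. The element and attribute names are
# illustrative stand-ins; they are NOT the schema ISA Server writes to its .xml files.
BEFORE_XML = """<?xml version="1.0"?>
<FirewallPolicy>
  <Rule Name="Allow Web" Action="Allow" Enabled="true">
    <Protocols><Protocol>HTTP</Protocol><Protocol>HTTPS</Protocol></Protocols>
    <From><Network>Internal</Network></From>
    <To><Network>External</Network></To>
    <Users><Group>Domain Users</Group></Users>
  </Rule>
  <Rule Name="Default rule" Action="Deny" Enabled="true">
    <Protocols><Protocol>All Outbound Traffic</Protocol></Protocols>
    <From><Network>All Networks</Network></From>
    <To><Network>All Networks</Network></To>
  </Rule>
</FirewallPolicy>
"""

AFTER_XML = """<?xml version="1.0"?>
<FirewallPolicy>
  <Rule Name="Allow Web" Action="Allow" Enabled="true">
    <Protocols><Protocol>HTTP</Protocol><Protocol>HTTPS</Protocol><Protocol>FTP</Protocol></Protocols>
    <From><Network>Internal</Network></From>
    <To><Network>External</Network></To>
    <Users><Group>All Users</Group></Users>
  </Rule>
  <Rule Name="Allow RDP" Action="Allow" Enabled="true">
    <Protocols><Protocol>RDP (Terminal Services)</Protocol></Protocols>
    <From><Network>External</Network></From>
    <To><Network>Internal</Network></To>
  </Rule>
  <Rule Name="Default rule" Action="Deny" Enabled="true">
    <Protocols><Protocol>All Outbound Traffic</Protocol></Protocols>
    <From><Network>All Networks</Network></From>
    <To><Network>All Networks</Network></To>
  </Rule>
</FirewallPolicy>
"""


def flatten(xml_text: str) -> Dict[str, str]:
    """Map every attribute and text leaf to a path such as
    FirewallPolicy/Rule[Name=Allow Web]/Users[1]/Group[1]/text().
    Elements carrying a Name attribute are addressed by that name, so reordering
    rules does not show up as a change; other elements get a 1-based index
    among siblings with the same tag."""
    leaves: Dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        for attr, value in elem.attrib.items():
            leaves[f"{path}/@{attr}"] = value
        text = (elem.text or "").strip()
        if text:
            leaves[f"{path}/text()"] = text
        counters: Dict[str, int] = {}
        for child in elem:
            if child.get("Name") is not None:
                label = f"{child.tag}[Name={child.get('Name')}]"
            else:
                counters[child.tag] = counters.get(child.tag, 0) + 1
                label = f"{child.tag}[{counters[child.tag]}]"
            walk(child, f"{path}/{label}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return leaves


def diff_configs(before_xml: str, after_xml: str) -> Dict[str, dict]:
    """Return the leaves that were added, removed, or changed between two exports."""
    before, after = flatten(before_xml), flatten(after_xml)
    return {
        "added": {k: after[k] for k in sorted(after.keys() - before.keys())},
        "removed": {k: before[k] for k in sorted(before.keys() - after.keys())},
        "changed": {k: (before[k], after[k]) for k in sorted(before.keys() & after.keys())
                    if before[k] != after[k]},
    }


def new_allow_rules(diff: Dict[str, dict]) -> List[str]:
    """Names of rules present only in the 'after' file whose action is Allow:
    the additions that most deserve a second look before the change is applied."""
    names = []
    for path, value in diff["added"].items():
        if path.endswith("/@Action") and value == "Allow" and "[Name=" in path:
            names.append(path.rsplit("[Name=", 1)[1].split("]", 1)[0])
    return names


if __name__ == "__main__":
    d = diff_configs(BEFORE_XML, AFTER_XML)
    for kind in ("added", "removed", "changed"):
        for path, value in d[kind].items():
            print(f"{kind:8} {path} = {value}")
    print("new allow rules:", new_allow_rules(d))
```

Run it against the file you exported before the change and one exported afterwards; the output for the constructed samples shows the user set on "Allow Web" widened from Domain Users to All Users, FTP added to that rule, and a brand-new Allow rule from External to Internal, which is exactly the kind of change to confirm was intended before clicking Apply. Unnamed elements are matched by position, so reordering protocols inside one rule is reported as a change; treat those entries as noise.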

How to Secure the ISA Server Configuration

After securing the computer running ISA Server, the next step is to ensure that your ISA Server configuration is as secure as possible. After installation, ISA Server, Standard Edition, starts with a default configuration that provides a high level of security. As an ISA Server administrator, you must understand what the default configuration is and how you may need to modify it to provide additional security or functionality.

The ISA Server Default Configuration
After a standard installation, ISA Server starts with a default configuration. This configuration provides a high level of security because it does not allow access to any Internet or internal resources through the ISA Server computer. However, the default configuration also includes several other settings.
In the default configuration, some traffic is still allowed between the ISA Server computer itself and the attached networks. For example, Lightweight Directory Access Protocol (LDAP) traffic is permitted from the ISA Server computer to the internal network, which enables the ISA Server computer to operate as a member of an Active Directory domain. However, by default, no traffic is permitted through the ISA Server computer from one network to another.

Configuring System Policies
When ISA Server 2004 is installed, a default system policy is configured on the server. This system policy includes a variety of access rules that provide an initial configuration for ISA Server 2004. Depending on your organization's requirements, you may need to modify the system policy configuration, either by disabling some of the rules or by enabling and modifying others.

System policy rules define what traffic is allowed between the ISA Server computer and the connected networks. Every system policy rule describes access between the Local Host network, which is the ISA Server computer itself, and the connected networks; system policy never defines access between two other networks.

System Policy Settings A default system policy is applied when you install ISA Server 2004. This policy enables the functionality needed to manage the ISA Server computer and provide network connectivity.

Modifying System Policy After installing ISA Server, you should analyze the default system policy configuration and modify the policy to meet your organization's requirements. The default system policy enables more options than most organizations require. If your organization does not need a specific type of functionality enabled by a system policy rule, disable the rule. For example, the default system policy enables both RADIUS and Active Directory authentication, and most organizations use one or the other. If you are using only one type of authentication, disable the rule pertaining to the other.

Modify the default system policy settings to match your organization's requirements. First, identify the functionality that you require on the ISA Server computer. Then review the system policy settings and disable all the system policy rules that you do not require. For example, if no users will ever access ISA Server using Remote Desktop, disable the Terminal Server system policy rule that enables Remote Desktop connections.

How to Configure ISA Server Administrative Roles
Another component of securing the ISA Server computer is configuring the ISA Server administrative permissions. As a general rule, user accounts should always be configured with the minimum privileges necessary to perform a specific task. You can use role-based administration to organize your ISA Server administrators into separate, defined roles, each with its own set of privileges and corresponding tasks. The roles assigned in ISA Server are based on Windows users and groups. If the ISA Server computer is a member of a domain, these users and groups can be either local accounts or domain accounts. If the ISA Server computer is not a member of a domain, you must assign local users and groups to the roles.

ISA Server includes three administrative roles that are defined in advance:
1- ISA Server Basic Monitoring Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.
2- ISA Server Extended Monitoring Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert-definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.
3- ISA Server Full Administrator Users and groups assigned this role can perform any ISA Server task, including rule configuration, application of network templates, and monitoring.

Securing and Maintaining ISA Server 2004

ISA Server and Security Templates
Security templates are the ideal means to configure the security settings on an ISA Server computer. By applying these templates, you can ensure a consistently high level of security on the ISA Server computer. To apply the security templates to the ISA Server computer, perform the following steps:

1. Using the Security Templates MMC snap-in, analyze the security templates included with the Windows Server 2003 Security Guide and determine which template most closely meets your organization’s requirements. Modify those parts of the template that do not match your requirements.
2. Apply the security templates to your ISA Server computer or computers. If your ISA Server computers are members of an Active Directory domain, create an OU that contains only the ISA Server computers and then create a Group Policy Object (GPO) to apply the security template to the servers. If your ISA Server computer is not a member of the domain, use the Security Configuration and Analysis MMC snap-in to apply the security template to the ISA Server computer.

Applying Security Updates :

Another critical component in keeping the computer running ISA Server secure is to ensure that all security updates and patches are applied. Security updates are product updates that eliminate known security vulnerabilities. To keep ISA Server secure, you must ensure that the security updates for both ISA Server and the operating system are current by installing the latest fixes. If the operating system is vulnerable, ISA Server is also vulnerable. When a security update becomes available, quickly evaluate your system to determine if the update is relevant to your current situation.

Monitor and install security patches for every component on the computer running ISA Server. These include the latest updates for the operating system, for ISA Server, and for other components installed by ISA Server, including Microsoft SQL Server 2000 Desktop Engine (MSDE) and Office Web Components 2002 (OWC).

Securing and Maintaining ISA Server 2004

Lesson 1: Securing ISA Server 2004

Securing the computer running ISA Server is vital to ensuring your organization's security. To secure the ISA Server computer, secure the computer itself, the operating system running on it, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but allows some traffic between the ISA Server computer itself and those networks. As an ISA Server administrator, you will need to adjust the default configuration to your organization's requirements. The final step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.

How to Harden the Server :

ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.

How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server. By default, network interfaces in both Windows 2000 Server and Windows Server 2003 are configured to make it easy for other computers on the network to connect to the server. On an ISA Server computer, ensure that clients can connect to the network interfaces only to access specific resources. Although both the interface connected to the Internet and the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.

Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:

1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required only if the computer needs to be configured as a Windows Internet Naming Service (WINS) client, needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should neither send NetBIOS packets to nor accept them from the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.

Securing the Internal Network Interface
In addition to securing the external interface, you should secure the internal interface on the computer running ISA Server. However, in many cases you will require more functionality on the internal interface, so make sure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to download the Firewall Client software from the ISA Server computer. If the client installation files are stored on another computer, you can disable File and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if the ISA Server computer needs to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or NetBIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS registration enabled on the internal network interface so that the ISA Server computer's internal IP address is registered in DNS. If the DNS zone does not accept dynamic updates, disable this option and manually configure the host record in DNS.
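A quick way to check two of the settings above across all interfaces is to parse the output of ipconfig /all, which reports the NetBIOS over TCP/IP state and any WINS servers per adapter. The script below is an added example, not code from the original page or from Microsoft: it parses a constructed sample of that output (the field labels are assumed to be the ones Windows prints; the values are made up for a two-interface server) and flags the findings a hardening review would raise for the Internet-facing adapter.

```python
"""Audit the NetBIOS and WINS settings that 'ipconfig /all' reveals for each interface."""
import re
from typing import Dict, List

# Constructed sample of 'ipconfig /all' output from a two-interface ISA Server computer.
# Exact layout varies between Windows versions; the parser relies only on the
# "Label . . . : value" shape of the lines and on the field labels shown here.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : ISA01
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT #2
   Physical Address. . . . . . . . . : 00-15-5D-01-02-04
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.0.113.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10
   Primary WINS Server . . . . . . . : 10.0.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   DNS Servers . . . . . . . . . . . : 10.0.0.10
   Primary WINS Server . . . . . . . : 10.0.0.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Adapter headers are unindented and end with a colon; field lines are indented
# and use dot leaders between the label and the colon.
ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field label: value}}. Fields printed before the
    first adapter header (host name, node type) are stored under '(global)'."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = "(global)"
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = re.sub(r"^.*? adapter ", "", header.group(1))
            adapters.setdefault(current, {})
            continue
        field = FIELD_RE.match(line)
        if field:
            adapters.setdefault(current, {})[field.group(1)] = field.group(2).strip()
    return adapters


def audit_external_interface(adapters: Dict[str, Dict[str, str]], external_name: str) -> List[str]:
    """Flag settings on the Internet-facing interface that the hardening steps say to turn off."""
    ext = adapters[external_name]
    findings: List[str] = []
    if ext.get("NetBIOS over Tcpip", "").lower() == "enabled":
        findings.append(f"{external_name}: NetBIOS over TCP/IP is enabled; "
                        "disable it on the Internet-facing interface")
    for label in ("Primary WINS Server", "Secondary WINS Server"):
        if ext.get(label):
            findings.append(f"{external_name}: {label} is set to {ext[label]}; "
                            "the external interface should not be a WINS client")
    return findings


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for finding in audit_external_interface(parsed, "External") or ["External: no findings"]:
        print(finding)
```

On a real server, feed it the saved output of ipconfig /all and the name of the external connection. Note what this check cannot see: the bindings for File and Printer Sharing and Client for Microsoft Networks, the LMHOSTS lookup option, and the DNS registration setting are not printed by ipconfig and still have to be verified in the adapter's properties.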

MCP 70-350 : Installing ISA Server 2004

Dynamic Host Configuration Protocol Requirements :

DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management. Even on relatively small networks of 250 or fewer computers, you will benefit from reduced administrative effort by configuring a DHCP server on your network. The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient. For example, if you need to reconfigure the default gateway for all your client computers to point to the new ISA Server computer or to a new DNS server for Internet name resolution, you can just change the scope setting on the DHCP server and all the clients will be reconfigured automatically.

DHCP is also used to support VPN remote access connections to ISA Server. By default, ISA Server will use DHCP to assign IP addresses to all VPN clients. When you enable remote VPN client access on ISA Server, it will obtain a set of IP addresses from the DHCP server and assign the IP address to the VPN clients. By default, ISA Server 2004 will also assign DNS or WINS server addresses based on the DHCP scope information.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization's network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system-level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet- edge firewall, ISA Server can provide valuable additional functionality as the backend firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization's Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 1: Overview of ISA Server Functionality

ISA Server 2004 is a valuable component in an overall plan to secure an organization's network. Because ISA Server is deployed at the connecting point between an internal network and the Internet, ISA Server's role is critical. Almost all organizations provide some level of access to the Internet for their users. ISA Server can be used to enforce security policies dealing with the types of access users should have to the Internet. At the same time, many organizations also allow remote users some type of access to internal servers. For example, almost all organizations allow e-mail servers on the Internet to connect to internal e-mail servers to send Internet e-mail. Many companies also host internal Web sites, or want employees to be able to access internal resources from the Internet. ISA Server 2004 can be used to ensure that access to these internal resources is secure.

How ISA Server Works—An Overview
ISA Server is designed to secure the perimeter of an organization’s network. In most cases, this perimeter is between the organization’s internal local area network (LAN) and a public network such as the Internet.
The internal network, or protected network, is usually located on an organization's premises and is under the control of the organization's IT staff. The internal network is considered to be relatively secure; that is, normally only authorized users have physical access to the internal network. Also, the IT staff have a great deal of control over the types of traffic that are allowed on the internal network.

An organization has no control over who is accessing the Internet or over the security of network traffic on the Internet. Anyone in the world with an Internet connection can locate and access any other Internet connection using almost any application or protocol. Also, network packets sent via the Internet are not secure because they can be captured and inspected by anyone running a packet sniffer on an Internet network segment. A packet sniffer is an application that captures and displays the network traffic on a network segment. To capture a given conversation, the sniffer only needs to be attached to a segment that the traffic traverses, for example a link between two routers on the path the packets take across the Internet, and anyone who controls such a segment can read every packet that is not encrypted.

How ISA Server Works as a Firewall
A firewall is a device that is located between one segment of a network and another, and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be allowed to pass through. A firewall may be positioned and configured to protect an organization from the Internet, or it may be positioned internally to protect specific sections of an organization’s corporate network.

In most cases, firewalls are deployed at the network perimeter. The primary purpose of a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization’s internal network unless it has been explicitly permitted. For example, the organization may have an internal Web server that needs to be accessible to Internet users. The firewall can be configured to allow Internet traffic to access only that Web server.

ISA Server 2004 provides firewall functionality. By default, when you deploy ISA Server, it will block all traffic between networks that are attached to the server, including internal networks, perimeter networks (also known as demilitarized zones, or DMZs), and the Internet. ISA Server 2004 uses three types of filtering rules to block or allow network traffic: packet filtering, stateful filtering, and application-layer filtering.

Packet Filtering
Packet filtering works by examining the header information for each network packet that arrives at the firewall. When the packet arrives at the ISA Server network interface, ISA Server opens the packet header and checks information such as the source and destination addresses and the source and destination ports. ISA Server compares this information against its firewall rules that define which packets are allowed. If the source and destination addresses are allowed, and if the source and destination ports are allowed, the packet passes through the firewall to the destination network. If the addresses and the ports are not explicitly allowed, the packet is dropped and not forwarded through the firewall.

Stateful Filtering
Stateful filtering uses a more thorough examination of the network packet to make decisions on whether to forward it or not. When ISA Server uses stateful inspection, it examines the Internet Protocol (IP) and the Transmission Control Protocol (TCP) headers to determine the state of a packet within the context of previous packets that have passed through ISA Server, or within the context of a TCP session. For example, a user on the internal network may send a request to a Web server on the Internet. The Web server sends a reply to that request. When the reply packet arrives at the firewall, the firewall inspects the TCP session information that is part of the packet. The firewall determines that the packet is part of a currently active session that was initiated by the internal user, so the packet is forwarded to the user's computer. If a user from outside the network attempts to connect to a computer inside the organization's network, the firewall determines that the packet is not part of a currently active session and the packet is dropped.

Application-Layer Filtering
ISA Server also uses application-layer filtering to determine whether a packet is allowed or not. Application-layer filtering examines the actual content of a packet to determine if the packet can be forwarded through the firewall. An application filter opens the entire packet and examines the actual data in it before making a forwarding decision. For example, a user on the Internet may request a page from the internal Web server using an HTTP GET request. When the packet arrives at the firewall, the application filter inspects the packet and detects the GET method. The application filter checks its policy to determine if the GET method is allowed. In most cases, GET is allowed and the packet is forwarded to the internal Web server.
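The three decisions described above (packet filter, stateful check, application filter) are easiest to see side by side in a small model. The following is an added example written for this page, not ISA Server's engine or any Microsoft code: a toy firewall with a first-match rule list and default deny, a session table that lets replies to allowed outbound connections back in, and an application filter attached to port 80 that accepts only a well-formed request line using GET, HEAD or POST. The network layout (10.0.0.0/8 as the Internal network, everything else External), the rules, and the packets fed through it are all constructed for the demonstration.

```python
"""Toy firewall showing packet filtering, stateful filtering, and application-layer
filtering as three successive decisions. Constructed example, not ISA Server's engine."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed network layout: the Internal network is 10.0.0.0/8; anything else is External.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def network_of(ip: str) -> str:
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL_NET else "External"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """Access rule in the style of the text: action, source network, destination network, port."""
    name: str
    action: str               # "Allow" or "Deny"
    from_net: str             # "Internal", "External", or "All"
    to_net: str
    dst_port: Optional[int]   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.from_net in (network_of(pkt.src_ip), "All")
                and self.to_net in (network_of(pkt.dst_ip), "All")
                and self.dst_port in (None, pkt.dst_port))


def http_request_filter(payload: bytes) -> bool:
    """Application filter for port 80: accept only a well-formed request line with a permitted method."""
    allowed_methods = {b"GET", b"HEAD", b"POST"}
    try:
        request_line = payload.split(b"\r\n", 1)[0]
        method, _target, version = request_line.split(b" ")
    except ValueError:
        return False  # not shaped like an HTTP request line at all
    return method in allowed_methods and version in (b"HTTP/1.0", b"HTTP/1.1")


class Firewall:
    def __init__(self, rules: List[Rule], app_filters: Dict[int, Callable[[bytes], bool]]):
        self.rules = rules              # first matching rule wins; no match means deny
        self.app_filters = app_filters  # destination port -> payload inspector
        self.sessions: Set[Tuple[str, int, str, int]] = set()  # flows allowed as new connections

    def process(self, pkt: Packet) -> Tuple[str, str]:
        # 1. Stateful check: a reply to a session already allowed is forwarded without a rule lookup.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "forward", "established session"
        # 2. Packet filter: compare addresses and ports against the rule list (default deny).
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None or rule.action != "Allow":
            return "drop", ("no allow rule" if rule is None else f"rule '{rule.name}'")
        # 3. Application filter: open the payload for protocols that have a filter attached.
        app_filter = self.app_filters.get(pkt.dst_port)
        if app_filter is not None and pkt.payload and not app_filter(pkt.payload):
            return "drop", f"application filter on port {pkt.dst_port}"
        self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "forward", f"rule '{rule.name}'"


def build_firewall() -> Firewall:
    rules = [
        Rule("Allow Web", "Allow", "Internal", "External", 80),
        Rule("Default rule", "Deny", "All", "All", None),
    ]
    return Firewall(rules, {80: http_request_filter})


if __name__ == "__main__":
    fw = build_firewall()
    for pkt in [
        Packet("10.0.0.7", 51000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        Packet("203.0.113.10", 80, "10.0.0.7", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("203.0.113.10", 40000, "10.0.0.7", 80),
        Packet("10.0.0.7", 51001, "203.0.113.10", 80, b"TRACE / HTTP/1.1\r\n\r\n"),
        Packet("10.0.0.7", 51002, "203.0.113.10", 23),
    ]:
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}", fw.process(pkt))
```

Walking the five packets through in order shows each stage doing its job: the internal GET is forwarded by the "Allow Web" rule and recorded as a session; the server's reply has no rule of its own and is forwarded only because the session table knows it; the unsolicited connection from the Internet to an internal host on port 80 hits the default deny; the TRACE request matches "Allow Web" on addresses and ports but is dropped by the application filter, so no session is created for it; and the telnet attempt never matches an allow rule at all.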
