
Guidelines for Troubleshooting VPN Client Connections

Enabling VPN connectivity requires a complex interplay between several server components such as the ISA Server configuration and the RRAS configuration. In addition, you have several configuration options such as authentication methods and tunneling protocols. All these components and options must be configured correctly to allow users to connect to the ISA Server computer using a VPN.

Use the following guidelines when troubleshooting VPN client connections:
1- The most common problems with VPN connections are user authentication problems. Start by checking the user configuration. Does the user have permission to dial in? Is the user part of a group that has permission to use VPN on the ISA Server computer? Is the user account locked out? Is the user using the correct password?

2- If the user account is not the problem, then check the authentication method configuration. If the user is connecting over PPTP, ensure that the client and server share an authentication method. By default, ISA Server enables only MS-CHAP v2 authentication, so older Windows clients such as Windows 98 or Windows NT may not support the authentication method. The best solution in this case is to install the appropriate security patches on the clients so they support MS-CHAP v2 authentication.

3- If the users are connecting to an L2TP/IPSec connection, ensure that the client has the correct certificate installed or is configured to use the appropriate pre-shared key.

4- L2TP/IPSec clients may also fail to authenticate if ISA Server is configured to block IP fragments. In this scenario, users get an error message indicating that the security negotiation timed out. IPSec uses the Internet Key Exchange (IKE) protocol for mutual computer authentication and for the exchange of session keys in an L2TP VPN connection. The IKE negotiation data does not fit within a single packet of MTU size, so the IKE negotiation packet is fragmented into smaller packets. When ISA Server is configured to filter fragmented packets, it drops these IKE fragments and the VPN connection cannot be completed. To enable client connections, configure ISA Server not to block IP fragments.

5- If the users can connect to the VPN remote-access server and authenticate, but cannot get access to any network resources, check the name resolution for the VPN clients. The VPN clients must be configured with a DNS server (and possibly a WINS server) address to resolve server names on the internal network.

6- If the DNS configuration is accurate, check the configuration of the access rules defined on the ISA Server computer. Remember that the VPN Clients network is used by ISA Server like any other network, so you must configure access rules in order to enable network traffic to flow between networks.
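Guideline 4 is the least obvious one, so here is an added example (not from the original text or from ISA Server) that first sizes an IKE datagram against the link MTU and then scans firewall-log records for dropped fragments addressed to UDP port 500. The log layout, addresses and payload sizes are constructed for the illustration and are not the real ISA Server log format.

```python
"""Why blocking IP fragments breaks L2TP/IPSec (guideline 4).
Added illustration, not ISA Server code. Part 1 sizes an IKE (UDP/500)
datagram against the link MTU; part 2 scans constructed firewall-log records
for dropped fragments addressed to UDP/500, which is the server-side trace of
the client's "security negotiation timed out" error."""
import csv
import io
from collections import Counter

IP_HEADER = 20       # IPv4 header without options
UDP_HEADER = 8
ISAKMP_HEADER = 28   # fixed ISAKMP header
PAYLOAD_HEADER = 4   # generic ISAKMP payload header
IKE_PORT = 500


def ike_message_size(payload_sizes):
    """Bytes of an IKE message carrying payloads with the given body sizes."""
    return ISAKMP_HEADER + sum(PAYLOAD_HEADER + size for size in payload_sizes)


def ip_fragment_count(udp_payload_len, mtu=1500):
    """How many IPv4 packets a UDP datagram needs on a link with this MTU.
    Every fragment except the last carries a multiple of 8 payload bytes."""
    ip_payload = UDP_HEADER + udp_payload_len
    if IP_HEADER + ip_payload <= mtu:
        return 1
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    return -(-ip_payload // per_fragment)   # ceiling division


# Constructed main-mode messages: a pre-shared-key exchange (ID + hash payloads)
# versus a certificate exchange (ID + two certificates of a chain + signature).
PSK_MESSAGE = ike_message_size([12, 16])
CERT_MESSAGE = ike_message_size([12, 1100, 900, 128])

# Part 2: constructed firewall-log records (not the real ISA Server log layout).
# fields: action, protocol, src_ip, dst_ip, dst_port, fragment (0/1), rule
SAMPLE_LOG = """\
action,protocol,src_ip,dst_ip,dst_port,fragment,rule
allow,UDP,203.0.113.10,198.51.100.1,500,0,System Policy
deny,UDP,203.0.113.10,198.51.100.1,500,1,IP fragments blocked
deny,UDP,203.0.113.10,198.51.100.1,500,1,IP fragments blocked
allow,UDP,203.0.113.22,198.51.100.1,500,0,System Policy
allow,ESP,203.0.113.22,198.51.100.1,0,0,System Policy
deny,TCP,203.0.113.40,198.51.100.1,445,0,Default rule
"""


def dropped_ike_fragments(log_text):
    """Count dropped IKE fragments per client address."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["action"] == "deny" and row["protocol"] == "UDP"
                and int(row["dst_port"]) == IKE_PORT and row["fragment"] == "1"):
            hits[row["src_ip"]] += 1
    return dict(hits)


def diagnose(log_text):
    """Map the log evidence onto guideline 4."""
    hits = dropped_ike_fragments(log_text)
    if not hits:
        return "no dropped IKE fragments; check certificates or the pre-shared key first"
    clients = ", ".join(sorted(hits))
    return (f"IKE fragments from {clients} are being dropped: ISA Server is blocking "
            "IP fragments, so IKE cannot complete and L2TP/IPSec clients report "
            "that the security negotiation timed out")
```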

Configuring ISA Server as a Proxy Server

How Does a Reverse Web Proxy Server Work?
A reverse Web proxy server operates in much the same way as a forward Web proxy server. However, instead of making Internet resources accessible to internal clients, reverse proxy makes internal resources accessible to external clients.

The following steps outline how a reverse Web proxy server works:
1. A user on the Internet makes a request for an object located on a Web server that is on an internal network protected by a reverse proxy server. The client computer performs a DNS lookup using the fully qualified domain name (FQDN) of the hosting server. The DNS name will resolve to the IP address of the external network interface on the proxy server.
2. The client application sends the request for the object to the external address of the proxy server.
3. The proxy server checks the request to confirm that the URL is valid and to ensure that there is a policy in place that allows access to the requested content.
4. The proxy server also checks whether the requested object already exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the object is not in the cache, the proxy server sends the request to the appropriate server on the internal network.
5. The Web server response is sent back to the proxy server.
6. The object is returned to the client application that made the original request.

How to Configure ISA Server as a Proxy Server :
You can deploy ISA Server 2004 as a Web proxy and a Winsock proxy server. In fact, as soon as you enable access to Internet resources for internal clients, ISA Server begins to operate as a Web proxy server. However, there are also several Web proxy server settings that you can modify on ISA Server.
You can configure several Web proxy settings on ISA Server. To do so, perform the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and select Networks.
2. Click the network whose Web access properties you want to configure. If you are configuring access to the Internet for internal clients, select the Internal network. Click Edit Selected Network.
3. Click the Web Proxy tab to configure the Web Proxy settings for ISA Server. The interface is shown in Figure 5-3. First, ensure that Enable Web Proxy Clients is selected. This is selected by default.

On the Web Proxy tab, you can choose to enable or disable HTTP connections on the specified port number. You can also enable or disable Secure Sockets Layer (SSL) connections. If you select this option, ISA Server will listen for HTTPS connections on the port specified. If you enable SSL, you must also configure a certificate that will be used for SSL authentication and encryption. Web browsers cannot use this setting for Internet access, but it can be used for Web chaining scenarios.
4. To configure the Advanced Settings, click Advanced. The interface is shown in Figure 5-4. On this tab, you can configure the number of connections, which will limit the number of users that can connect to the ISA Server at one time. You can also specify a connection timeout value, which sets a timeout limit for idle connections.

5. To configure ISA Server as a Winsock proxy server, you must configure the Internal network properties so that Firewall clients are supported. To configure this, click the Firewall Client tab on the Internal network properties and ensure that Enable Firewall Client Support For This Network is selected.

Lesson 2: Configuring ISA Server as a Proxy Server

What Is a Proxy Server?
A proxy server is a server that is situated between a client application, such as a Web browser or a Winsock application, and a server to which the client connects. All client requests are sent to the proxy server. The proxy server creates a new request and sends the request to the specified server. The server response is sent back to the proxy server, which then replies to the client application. A proxy server can provide enhanced security and performance for Internet connections.

The most important reason for using a proxy server is to make the user’s connection to the Internet more secure. Proxy servers make the Internet connection more secure in the following ways:
1- User authentication When a user requests a connection to an Internet resource, the proxy server can require that the user authenticate, either by forcing the user to enter a user name and password or by using the cached credentials stored on the client computer. The proxy server can then grant or deny access to the Internet resource, based on the authenticated user.
2- Filtering client requests The proxy server can use multiple criteria to filter client requests. In addition to filtering the request based on the user making the request, the proxy server can filter requests based on the IP address, the protocol or application that is being used to access the Internet, the time of day, and the Web site the user requests.
3- Content inspection Proxy servers can inspect all traffic to and from the Internet connection and determine if there is any traffic that should be denied. This may include examining the traffic content for inappropriate words, scanning for viruses, or scanning for file extensions.
4- Logging user access Because all traffic flows through the proxy server, the server can log whatever the user does. For HTTP requests, this can include logging every URL visited by each user. The proxy server can be configured to provide detailed reports of user activity that can be used to ensure compliance with the organization’s Internet usage policies.
5- Hiding the internal network details Because all requests for Internet resources come from the proxy server rather than from the internal client computer, the details of the internal network are hidden from the Internet. In almost all cases, no client computer information, such as computer name or IP address, is sent to the Internet resource. In some cases, such as when creating a Remote Desktop Protocol connection to a server on the Internet, the client computer name is transmitted on the Internet.

Another benefit of using a proxy server is to improve Internet access performance. The Web proxy server improves performance by caching requested Internet pages on the Web proxy server’s hard disk. When another user requests the same information, the proxy server provides the page from the cache rather than retrieving it from the Internet.

How Proxy Servers Work
Proxy servers can be used to secure both inbound and outbound Internet access. When a proxy server is used to secure outbound Internet access, it is configured as a forwarding proxy server. When a proxy server is used to secure inbound Internet access, it is configured as a reverse proxy server.

How Does a Forward Proxy Server Work?
Forward proxy servers are usually located between a Web or Winsock application running on a client computer on the internal network and an application server located on the Internet. The proxy server may be running at the connection point between the Internet and the internal network. In this case, the client computers may have no physical connection to the Internet other than through the proxy server. In other cases, a firewall may be deployed between the Internet and the proxy server, but all client computers will still be configured to use the proxy server.

The following steps outline how a forward Web Proxy server works for a Web application:
1. A client application, such as a Web browser, makes a request for an object located on a Web server. The client application checks its Web proxy configuration to determine whether the request destination is on the local network or on an external network.
2. If the requested Web server is not on the local network, the request is sent to the proxy server.
3. The proxy server checks the request to confirm that there is no policy in place that blocks access to the requested content.
4. If caching is enabled, the proxy server also checks if the requested object exists in its local cache. If the object is stored in the local cache and it is current, the proxy server sends the object to the client from the cache. If the page is not in the cache or if the page is out of date, the proxy server sends the request to the appropriate server on the Internet.
5. The Web server response is sent back to the proxy server. The proxy server filters the response based on the filtering rules configured on the server.
6. If the content is not blocked and it is cacheable, ISA Server saves a copy of the content in its cache and the object is then returned to the client application that made the original request.
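The two step lists above (reverse proxy and forward proxy) share the same skeleton: policy check, cache lookup, fetch, response filtering, cache store. The following added example (not code from the original text or from ISA Server) models that flow for both modes; the policy, cache, clock and "origin" are toy objects and every host name and URL is constructed.

```python
"""Forward and reverse Web proxy request flow from the two step lists above.
Added illustration, not ISA Server code: policy, cache and origin are toy objects
and all hosts and URLs are constructed. One handler serves both modes; in reverse
mode the public host name is mapped to the internal server (reverse step 3)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes
    fetched_at: float = 0.0


def freshness_lifetime(headers):
    """Seconds the object may be served from cache, from its Cache-Control header."""
    cc = headers.get("Cache-Control", "")
    if "no-store" in cc or "no-cache" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    return int(m.group(1)) if m else 0


class WebProxy:
    def __init__(self, mode, origin, clock, deny_patterns=(), published=None,
                 response_filter=None):
        self.mode = mode                    # "forward" (outbound) or "reverse" (inbound)
        self.origin = origin                # callable(url) -> Response; stands in for the network
        self.clock = clock                  # callable() -> seconds; injectable for tests
        self.deny = [re.compile(p) for p in deny_patterns]
        self.published = published or {}   # reverse mode: public FQDN -> internal server
        self.response_filter = response_filter  # callable(Response) -> True means block
        self.cache = {}

    def _upstream_url(self, url):
        """Forward: the Internet URL as given. Reverse: rewritten to the internal server."""
        if self.mode == "forward":
            return url
        parts = urlsplit(url)
        internal = self.published.get(parts.hostname)
        if internal is None:
            return None                     # not a published site: the URL is not valid here
        return urlunsplit((parts.scheme, internal, parts.path, parts.query, ""))

    def handle(self, url):
        # Step 3: policy check before anything is fetched.
        upstream = self._upstream_url(url)
        if upstream is None or any(p.search(url) for p in self.deny):
            return Response(403, {}, b"blocked by policy")
        # Step 4: serve from cache when the object is present and still current.
        cached = self.cache.get(url)
        if cached and self.clock() - cached.fetched_at < freshness_lifetime(cached.headers):
            return cached
        # Steps 4-5: otherwise fetch from the origin (Internet or internal Web server).
        resp = self.origin(upstream)
        resp.fetched_at = self.clock()
        if self.response_filter and self.response_filter(resp):   # forward step 5
            return Response(403, {}, b"response blocked by content filter")
        # Step 6: keep a copy of cacheable content and return the object.
        if resp.status == 200 and freshness_lifetime(resp.headers) > 0:
            self.cache[url] = resp
        return resp


def demo():
    """Run both modes over constructed traffic and return the observations."""
    clock, fetched = [1000.0], []

    def origin(url):                 # stands in for the Internet / the internal Web server
        fetched.append(url)
        if url.endswith("/logo.png"):
            return Response(200, {"Cache-Control": "max-age=60"}, b"PNG")
        if url.endswith("/tool.exe"):
            return Response(200, {"Content-Type": "application/x-msdownload"}, b"MZ")
        return Response(200, {"Cache-Control": "no-store"}, b"<html>dynamic</html>")

    def block_exe(resp):
        return resp.headers.get("Content-Type") == "application/x-msdownload"

    fwd = WebProxy("forward", origin, lambda: clock[0], response_filter=block_exe,
                   deny_patterns=[r"^https?://[^/]*\.gambling\.example/"])
    logo = "http://www.example.com/logo.png"
    out = {"blocked_site": fwd.handle("http://www.gambling.example/").status,
           "first": fwd.handle(logo).status, "second": fwd.handle(logo).status}
    out["fetches_while_fresh"] = fetched.count(logo)
    clock[0] += 61                   # max-age=60 has expired: the next request must refetch
    fwd.handle(logo)
    out["fetches_after_expiry"] = fetched.count(logo)
    out["exe"] = fwd.handle("http://www.example.com/tool.exe").status
    rev = WebProxy("reverse", origin, lambda: clock[0],
                   published={"www.example.com": "10.0.0.5"})
    out["published"] = rev.handle("http://www.example.com/index.html").status
    out["rewritten"] = fetched[-1]   # what the internal server actually received
    out["unpublished"] = rev.handle("http://intranet.example.com/").status
    return out
```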

Enabling Secure Internet Access with ISA Server 2004

Lesson 1: Enabling Secure Access to Internet Resources

What Is Secure Access to Internet Resources?
Almost all organizations provide some level of Internet access for their users. The use of the Internet as a source of information and e-mail as a communication tool means that most organizations cannot afford to be without access to the Internet. At the same time, ensuring that the connection to the Internet is secure is critical.

So what is secure access to the Internet? At a minimum, providing secure Internet access for users in an organization means the following:
1- Users can access the resources that they need. To do their jobs, users in many organizations must be able to use a Web browser or other application to access Internet resources.
2- The connection to the Internet is secure. Users must be reasonably sure that they will not be attacked through the Internet connection. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the computer, such as the computer name, user logon name, and shared folders, as well as details about the network configuration for the client computer, such as the client Internet Protocol (IP) address, should be hidden.
3- The data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal information such as credit card information to the Internet or they might send private or confidential organizational information such as client data to the Internet. This data must be secured when it leaves the organization. If the data cannot be protected, you must prevent users from sending the information to the Internet.
4- Users cannot download malicious programs from the Internet. One of the ways attackers gain access to your network is by getting users to download malicious content. You must prevent users from inadvertently or deliberately causing damage to the network by downloading viruses or Trojan horse applications to their client computers.

Secure access to the Internet also means that the user’s actions comply with the organization’s security or Internet usage policy. This means the following:
1- Only users who have permission to access the Internet can access the Internet.
2- These users can use only approved protocols and applications to access Internet resources.
3- These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
4- These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.

Installing and Managing ISA Server Clients

What Is a SecureNAT Client?
Client computers that do not have Firewall Client software are secure network address translation, or SecureNAT, clients. SecureNAT clients do not require any software installation or configuration, but the clients must be able to route requests for Internet resources through the ISA Server computer. To enable this, you must configure the default gateway on the SecureNAT clients and configure network routing, so that all traffic destined to the Internet is sent through the ISA Server computer.

When a SecureNAT client connects to the ISA Server computer, the request is directed first to the NAT driver, which substitutes the external IP address of the ISA Server computer for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine whether access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.

Because SecureNAT clients require no software deployment and configuration, SecureNAT clients are the easiest to deploy. SecureNAT clients have other advantages:
1- SecureNAT clients also provide almost as much functionality as Firewall clients. For example, because SecureNAT client requests are passed through the Firewall Service, almost all options for filtering Internet requests apply to SecureNAT clients. If you block access to a specific Web site, or enable access for a specific protocol such as DNS, these rules will also be applied to SecureNAT clients.

2- Requests from SecureNAT clients can be passed to application filters, which can modify the requests to enable handling of complex protocols. For example, the FTP application filter in ISA Server manages the secondary connections for SecureNAT clients as well as for Firewall clients.

3- SecureNAT clients can use the Web Proxy service for Web access filtering and caching. The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

4- Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) can be configured as a SecureNAT client.

SecureNAT clients have two primary limitations:
1- You cannot control access to Internet resources based on users and groups. SecureNAT clients cannot pass authentication credentials to the ISA Server computer, so users cannot be authenticated. This means that if you configure access rules that require authentication, SecureNAT clients cannot access the resources enabled by the rule.

2- SecureNAT clients may not be able to use all protocols. Some protocols and applications require secondary connections. For example, when you use FTP, by default, the client initiates a primary connection to the server and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not include the appropriate application filter for a protocol or an application, SecureNAT clients cannot use this protocol or application.
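The first limitation above, together with the filtering criteria listed in the proxy-server section (user or group, IP address, protocol, time of day, destination site), can be shown with a small rule evaluator. This is an added example, not ISA Server code: the rule model, the policy, the addresses and the timestamps are constructed, and the client type decides whether credentials exist at all.

```python
"""ISA-style access-rule evaluation for the three client types.
Added illustration, not ISA Server code. Rules carry the criteria the proxy
section lists (user or group, source address, protocol, time of day, destination
site); the client type decides whether credentials exist at all: SecureNAT clients
cannot pass any, so a rule that requires authentication can never match them."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Request:
    client_type: str            # "securenat", "firewall" or "webproxy"
    src_ip: str
    protocol: str               # "HTTP", "HTTPS", "FTP", "DNS", ...
    dest_host: str
    when: datetime
    user: Optional[str] = None  # only Firewall and Web Proxy clients can supply one
    groups: tuple = ()


@dataclass
class AccessRule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset        # e.g. frozenset({"HTTP", "HTTPS"}); "*" matches all
    sources: tuple              # CIDR strings describing the source network
    destinations: tuple         # domain suffixes; "*" means any destination
    users: str = "all"          # "all", "authenticated", or a group name
    hours: tuple = (0, 24)      # schedule: local hour window [start, end)
    weekdays_only: bool = False


def source_matches(rule, req):
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.sources)


def destination_matches(rule, req):
    host = req.dest_host.lower()
    return any(d == "*" or host == d or host.endswith("." + d) for d in rule.destinations)


def schedule_matches(rule, req):
    start, end = rule.hours
    if rule.weekdays_only and req.when.weekday() >= 5:
        return False
    return start <= req.when.hour < end


def user_matches(rule, req):
    if rule.users == "all":
        return True
    # SecureNAT clients never send credentials, so nothing beyond "all users" can match.
    if req.client_type == "securenat" or req.user is None:
        return False
    return rule.users == "authenticated" or rule.users in req.groups


def evaluate(rules, req):
    """First matching rule wins; no match falls through to ISA's default deny."""
    for rule in rules:
        if (("*" in rule.protocols or req.protocol in rule.protocols)
                and source_matches(rule, req) and destination_matches(rule, req)
                and schedule_matches(rule, req) and user_matches(rule, req)):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed policy: DNS for everyone, Web only for an authenticated group during
# work hours, and an explicit deny for a banned site placed first so it always wins.
POLICY = [
    AccessRule("Block gambling", "deny", frozenset({"*"}), ("10.0.0.0/8",),
               ("gambling.example",)),
    AccessRule("Allow DNS", "allow", frozenset({"DNS"}), ("10.0.0.0/8",), ("*",)),
    AccessRule("Allow Web for Internet Users", "allow", frozenset({"HTTP", "HTTPS"}),
               ("10.0.0.0/8",), ("*",), users="Internet Users", hours=(8, 18),
               weekdays_only=True),
]


def demo():
    """Evaluate constructed requests from each client type against POLICY."""
    monday_10 = datetime(2024, 1, 8, 10, 0)     # constructed timestamps (a Monday)
    monday_20 = datetime(2024, 1, 8, 20, 0)
    member = dict(user="alice", groups=("Internet Users",))
    cases = {
        "securenat_web": Request("securenat", "10.1.1.20", "HTTP", "www.example.com", monday_10),
        "securenat_dns": Request("securenat", "10.1.1.20", "DNS", "ns.isp.example", monday_10),
        "firewall_web": Request("firewall", "10.1.1.21", "HTTP", "www.example.com", monday_10, **member),
        "webproxy_wrong_group": Request("webproxy", "10.1.1.22", "HTTP", "www.example.com",
                                        monday_10, user="bob", groups=("Guests",)),
        "firewall_after_hours": Request("firewall", "10.1.1.21", "HTTP", "www.example.com",
                                        monday_20, **member),
        "firewall_banned": Request("firewall", "10.1.1.21", "HTTP", "www.gambling.example",
                                   monday_10, **member),
    }
    return {name: evaluate(POLICY, req) for name, req in cases.items()}
```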

Installing and Managing ISA Server Clients

Lesson 1: Choosing an ISA Server Client :

ISA Server Client Options :

An ISA Server client is a client computer that connects to resources on another network by going through the ISA Server computer. In most cases, ISA Server clients are used to provide access to the Internet for users on the Internal network. The type of client you use on your network depends primarily on your security requirements and on whether you want to deploy Firewall Client software to each client computer on your network.

ISA Server supports three types of clients:
1- Firewall clients Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

2- SecureNAT clients SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the default gateway on the client computers must be configured.

3- Web Proxy clients Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy–compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA Server computer.

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext Transfer Protocol Secure (HTTPS) are sent to the Web Proxy listener on ISA Server.

What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application must be installed on each client computer.

Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers. Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this case, the socket includes the IP address of the destination computer, the protocol used (TCP), and the port number on which the server is listening (Port 80). All applications use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.

The Firewall Client application changes how a client computer connects to resources on the Internet using Winsock applications. After you install the Firewall Client, when the client computer initiates a Winsock application, the Firewall Client intercepts the application calls. The Firewall Client checks the destination computer name or IP address and determines whether to route the request to the ISA Server computer or to a server on the local network. If the destination computer is not local, the request is sent to the Firewall service on the ISA Server computer. The Firewall service accepts the request and authenticates the user. The Firewall service also checks whether any filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server responds to the ISA Server computer, which then replies to the client computer.

Maintaining ISA Server 2004

How to Implement Remote Administration :

In most organizations, you will not perform ISA Server administration directly from the ISA Server computer console. The ISA Server computer should be located in a physically secure server room and you should administer the server from your client computer. If your organization has multiple locations with ISA Servers installed in each location, you may need to manage all the servers from your desktop. Remote administration enables you to administer ISA Server in all these cases.

You have two options for remotely administrating ISA Server. You can use a Terminal Services or Remote Desktop connection to administer the server, or you can install the ISA Server Management Console on another computer and use it to manage the ISA Server computer.

If you have installed ISA Server on a server running Windows 2000, you can use Terminal Services to manage the ISA Server computer. If ISA Server is installed on a computer running Windows Server 2003, you can use Remote Desktop in the same way. When you use Terminal Services or Remote Desktop to administer the ISA Server computer, you can view the desktop of the ISA Server computer as if you were in front of the monitor attached to the ISA Server computer. The advantage of using Terminal Services or Remote Desktop to administer ISA Server is that you can manage virtually all the settings on the server, not just ISA Server.

To enable remote administration of ISA Server on computers running Windows Server 2003, you must be a member of the Administrators group or Remote Desktop Users group on the ISA Server computer, or be granted permission to use Remote Desktop to connect to the server. To enable remote administration of ISA Server running on a Windows 2000 computer, you must install Terminal Services on the server in either Application or Remote Administration mode. Then the user properties must be configured to allow remote connections using Terminal Services.

To run ISA Server Management, you need the following:
1- A personal computer with a 300-megahertz (MHz) or higher, Pentium II–compatible CPU
2- Windows Server 2003, Windows 2000 Server or Windows 2000 Professional, or Windows XP
3- 256 megabytes (MB) of memory
4- 19 MB of available hard-disk space.

When you install ISA Server, the default system policy allows remote administration from all members of a computer set named Remote Management Computers. This computer set is used to assign remote access permissions in both the MMC system policy configuration group and the Terminal Services configuration group. By default, no computers are in this group, so no computers can connect to the ISA Server computer for remote management. To enable remote management on the ISA Server computer, you must configure remote administration by editing the appropriate MMC or Terminal Server configuration group in the System Policy editor.

Key Terms
administrative role Used to assign permissions on ISA Server. Each administrative role has a predefined set of permissions that allow the user to perform specific tasks on the ISA Server computer.

firewall access rule A configuration object on ISA Server that defines what types of network traffic will be allowed on the ISA Server computer. By default, all network traffic is blocked unless a firewall access rule allows the specific traffic.

Remote Management Computers A computer set that is used to provide remote management access to ISA Server. This computer set should include all the IP addresses of the computers that are used to perform remote administration on the ISA Server computer.

system policy A set of firewall access rules that controls how the ISA Server computer communicates with computers on the attached networks.

Maintaining ISA Server 2004

Importing the ISA Server Configuration :
When you import a previously exported file, all properties and settings defined in the file are imported, overwriting the current configuration on the ISA Server computer. However, if you export only a specific component, such as a specific firewall rule, the file import overwrites only that particular rule.

To import the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
3. On the Tasks tab, click the import task. The exact name for the task will vary, depending on the type of object that you selected.
4. Select the exported .xml file and click Import.
5. Click Apply to apply the changes and click OK when the changes have been applied.

How to Back Up and Restore the ISA Server Configuration :

ISA Server 2004 also includes backup and restore features that enable you to save and restore the ISA Server configuration information. The backup procedure also stores the configuration information in an .xml file.

The primary use of the backup and restore option in ISA Server is for disaster recovery. You should regularly back up the configuration on the ISA Server computer so that you can restore the computer with the same settings in case of a computer failure. The backup functionality saves the appropriate information to ensure that an identical configuration can be restored.


Backing up an ISA Server configuration backs up all configuration options on the server. This includes firewall policy rules, rule elements, alert configuration, cache configuration, system policy and VPN configuration. One of the differences between backing up the server configuration and exporting the configuration is that you can only back up the entire ISA Server configuration, not individual components or groups of components.

The restore process reconstructs the configuration information that was backed up. By restoring a backup, you can rebuild the ISA Server configuration or restore it after a configuration error.

To back up and restore the ISA Server configuration, complete the following procedure:

1. Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
2. On the Tasks tab, click Backup This ISA Server Configuration.
3. Enter a file name for the backup file and click Backup.
4. You must provide a password for the ISA Server backup.
5. To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
6. Click Apply to apply the changes and click OK when the changes have been applied.

Maintaining ISA Server 2004

How to Export and Import the ISA Server Configuration :

Among the new features in ISA Server 2004 is the option to export and import the ISA Server configuration. With this option, you can save and restore the ISA Server configuration information. When you use the ISA Server export feature, the configuration parameters are exported and stored in an .xml file. The import and export features are useful in several scenarios:

1- Cloning a server You can export a configuration from one ISA Server computer and then import the settings on another computer, thereby easily duplicating a server configuration. For example, after configuring an ISA Server computer at one branch office, you can export the configuration to an .xml file. Then you can import the file on a computer running ISA Server at another branch office. The two ISA Server computers will have a duplicate configuration.

2- Saving a partial configuration You can export and import any part of the ISA Server configuration. For example, you can export a single rule, an entire policy, or an entire configuration. This is helpful when you want to copy all the firewall policy rules, but not the monitoring configuration, from one ISA Server to another. This is also useful when you want to modify a specific rule. You can export that rule and have the exported configuration available in case you need to roll back the rule modification.

3- Sending a configuration for troubleshooting You can export your configuration information to a file and send it to support professionals for analysis and troubleshooting.

4- Rolling back a configuration change As a best practice, before modifying any ISA Server settings you should export the specific component that you are modifying. If your modification is not successful, you can easily restore the previous configuration by importing the policy file.

Exporting the ISA Server Configuration
You can export the entire ISA Server configuration, or just parts of it, depending on your specific needs. You can export the following objects:
1- The entire ISA Server configuration
2- All the connectivity verifiers, or one selected connectivity verifier
3- All the networks, or one selected network
4- All the network sets, or one selected network set
5- All the network rules, or one selected network rule
6- All the Web chaining rules, or one selected Web chaining rule
7- Cache configuration
8- All the content-download jobs, or one or more selected content-download jobs
9- The entire firewall policy, or one selected rule.

When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can choose to export user permission settings and confidential information such as user passwords. Confidential information included in the exported file is encrypted.

To export the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to export. Remember that if you select a container object (such as the Firewall Policy), all the objects in the container are exported.
3. On the Tasks tab, click the Export task. The exact name for the task will vary depending on the type of object that you select.
4. Enter a file name for the exported .xml file and click Export.

How to Secure the ISA Server Configuration

After securing the computer running ISA Server, the next step is to ensure that your ISA Server configuration is as secure as possible. After installation, ISA Server, Standard Edition, starts with a default configuration that provides a high level of security. As an ISA Server administrator, you must understand what the default configuration is and how you may need to modify it to provide additional security or functionality.

The ISA Server Default Configuration
After a standard installation, ISA Server starts with a default configuration. This configuration provides a high level of security because it does not allow any traffic to pass through the ISA Server computer from one network to another, so neither Internet nor internal resources are reachable through it. However, the default configuration does permit some traffic between the ISA Server computer itself and the networks connected to it. For example, Lightweight Directory Access Protocol (LDAP) traffic is permitted from the ISA Server computer to the internal network, which enables the ISA Server computer to operate as a member of an Active Directory domain. These exceptions are defined by the system policy, described next.

Configuring System Policies
When ISA Server 2004 is installed, a default system policy is configured on the server. This system policy includes a variety of access rules that provide an initial configuration for ISA Server 2004. Depending on your organization's requirements, you may need to modify the system policy configuration, either by disabling some of the rules or by enabling and modifying others.

System policy rules define what traffic is allowed between the ISA Server computer and the networks connected to it. All system policy rules define access between the Local Host network, which represents the ISA Server computer itself, and the connected networks; they never define access between two connected networks, which is the job of the firewall policy.

System Policy Settings A default system policy is applied when you install ISA Server 2004. This policy enables the functionality needed to manage the ISA Server computer and provide network connectivity.

Modifying System Policy After installing ISA Server, you should analyze the default system policy configuration and modify the policy to meet your organization's requirements. The default system policy enables more options than most organizations require. If your organization does not need a specific type of functionality enabled by a system policy rule, disable the rule. For example, the default system policy enables both RADIUS and Active Directory authentication, and most organizations will use one or the other. If you are using only one type of authentication, disable the rule pertaining to the other.

Modify the default system policy settings to match your organization's requirements. First, identify the functionality that you require on the ISA Server computer. Then review the system policy settings and disable all the system policy rules that you do not require. For example, if no users will ever access ISA Server using Remote Desktop, disable the Terminal Server system policy rule that enables Remote Desktop connections.

How to Configure ISA Server Administrative Roles
Another component of securing the ISA Server computer is configuring the ISA Server administrative permissions. As a general rule, user accounts should always be configured with the minimum privileges necessary to perform a specific task. You can use role-based administration to organize your ISA Server administrators into separate, defined roles, each with its own set of privileges and corresponding tasks. The roles assigned in ISA Server are based on Windows users and groups. If the ISA Server computer is a member of a domain, these users and groups can be either local accounts or domain accounts. If the ISA Server computer is not a member of a domain, you must assign local users and groups to the roles.

ISA Server includes three administrative roles that are defined in advance:
1- ISA Server Basic Monitoring Users and groups assigned this role can monitor the ISA Server computer and network activity, but cannot configure specific monitoring functionality.
2- ISA Server Extended Monitoring Users and groups assigned this role can perform all monitoring tasks, including log configuration, alert-definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring role.
3- ISA Server Full Administrator Users and groups assigned this role can perform any ISA Server task, including rule configuration, application of network templates, and monitoring.

Securing and Maintaining ISA Server 2004

ISA Server and Security Templates
Security templates are the ideal means to configure the security settings on an ISA Server computer. By applying these templates, you can ensure a consistently high level of security on the ISA Server computer. To apply the security templates to the ISA Server computer, perform the following steps:

1. Using the Security Templates MMC snap-in, analyze the security templates included with the Windows Server 2003 Security Guide and determine which template most closely meets your organization’s requirements. Modify those parts of the template that do not match your requirements.
2. Apply the security templates to your ISA Server computer or computers. If your ISA Server computers are members of an Active Directory domain, create an OU that contains only the ISA Server computers and then create a Group Policy Object (GPO) to apply the security template to the servers. If your ISA Server computer is not a member of a domain, use the Security Configuration and Analysis tool to apply the security template to the ISA Server computer.

Applying Security Updates :

Another critical component in keeping the computer running ISA Server secure is to ensure that all security updates and patches are applied. Security updates are product updates that eliminate known security vulnerabilities. To keep ISA Server secure, you must ensure that the security updates for both ISA Server and the operating system are current by installing the latest fixes. If the operating system is vulnerable, ISA Server is also vulnerable. When a security update becomes available, quickly evaluate your system to determine if the update is relevant to your current situation.

Monitor and install security patches for multiple components for the computer running ISA Server. These include the latest updates for the operating system, for ISA Server, and for other components installed by ISA Server, including Microsoft SQL Server 2000 Desktop Engine (MSDE) and Office Web Components 2002 (OWC).

Securing and Maintaining ISA Server 2004

Managing System Services on the ISA Server Computer :

A second step in securing the computer running ISA Server is to disable all services on the computer that are not required. Several core services are required for ISA Server to run properly, and additional services can be enabled depending on the functionality required. All other services should be disabled.

To manage system services on the computer running ISA Server, follow this procedure:
1. Open the Services console from the Administrative Tools folder.
2. Right-click the service that you are configuring and click Properties.
3. On the service Properties page, on the General tab, select the Startup type. You can also start, stop, pause, or resume the service.


Using Security Templates to Manage Services :
You can manage the system services manually on the computer running ISA Server 2004. However, if you have multiple computers running ISA Server, you should automate the process of managing the services. One option for managing the system services is to use security templates. Security templates are preconfigured sets of security settings that can be applied to users and computers. Security templates can be used to configure the following:

1- Audit Policy settings These settings specify the security events that are recorded in the Event Log. You can monitor security-related activity such as who accesses or attempts to access an object, when a user logs on or logs off a computer, or when changes are made to an Audit Policy setting.
2- User Rights Assignment These settings specify which users or groups have logon rights or privileges on the member servers in the domain.
3- Security Options These settings are used to enable or disable security settings for servers, such as digital signing of data, administrator and guest account names, driver installation behavior, and logon prompts.
4- Event Log settings These settings specify the size of each event log and actions to take when each event log becomes full.
5- System services These settings specify the startup behavior and permissions for each service on the server.

Implementing Security Templates
If your computer is a member of an Active Directory directory service domain, you can apply security templates using Group Policy at a domain or organizational unit (OU) level. If your computer is not a member of a domain, you can use the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in or the Secedit command-line tool.
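The following PowerShell script is an added example, not part of the course notes, showing the Secedit path described above together with the two template areas that matter most on an ISA Server computer, system services and audit policy: it writes a small template, analyzes the server against it, applies it, and then verifies the service startup mode through WMI (the same data the Services console displays). The service names it disables (Messenger, Alerter, TlntSvr), the file locations and the audit choices are assumptions for illustration; run it in an elevated PowerShell session on a stand-alone ISA Server computer.

```powershell
# Added example (not from the course notes): build a small security template that
# disables services an ISA Server computer does not need and enables auditing, then
# analyze and apply it with secedit.exe, the command-line tool named for servers that
# are not domain members. Assumptions: elevated PowerShell on the ISA Server computer;
# Messenger, Alerter and TlntSvr are hypothetical "not required" services; the SDDL is
# the usual template service ACL (Administrators full control, SYSTEM change, Interactive read).
$work     = Join-Path $env:TEMP 'isa-hardening'
$template = Join-Path $work 'isa-services.inf'
$db       = Join-Path $work 'isa-services.sdb'
$log      = Join-Path $work 'secedit.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$sddl    = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
$disable = 'Messenger', 'Alerter', 'TlntSvr'

# Template format: [Event Audit] values are 0 none, 1 success, 2 failure, 3 both;
# [Service General Setting] lines are "Name",StartupType,SDDL with 2 Automatic,
# 3 Manual, 4 Disabled.
$serviceLines = $disable | ForEach-Object { '"{0}",4,"{1}"' -f $_, $sddl }
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
[Service General Setting]
$($serviceLines -join "`r`n")
"@
Set-Content -Path $template -Value $inf -Encoding Unicode

# 1. Analyze only: compare the server's current state with the template; nothing is
#    changed, and the differences are written to $log for review.
secedit.exe /analyze /db $db /cfg $template /overwrite /log $log /quiet

# 2. Configure: apply just the areas this template contains (services and the local
#    security policy, which includes audit policy).
secedit.exe /configure /db $db /cfg $template /areas SERVICES SECURITYPOLICY /log $log /quiet

# 3. Verify through WMI. A service set to Disabled keeps running until it is stopped
#    or the server reboots, so stop any running instance as well.
foreach ($name in $disable) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { "{0,-10} not installed" -f $name; continue }
    if ($svc.State -eq 'Running') { $svc.StopService() | Out-Null; $svc.Get() }
    "{0,-10} StartMode={1,-8} State={2}" -f $svc.Name, $svc.StartMode, $svc.State
}
```

Run the analyze step on its own first and read the log before applying anything: a template that disables a service the Firewall service depends on will take ISA Server down on the next reboot, and the log is where that shows up.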

Microsoft has released the Windows Server 2003 Security Guide, which includes several templates that you can use to secure servers on your network. The templates are grouped into three categories:
1- Enterprise Client templates are designed for most networking environments that contain only Windows 2000 or later computers.
2- Legacy Client templates are designed for networking environments that contain older computers.
3- High Security templates are designed to be deployed only in networks that require very high security.

Securing and Maintaining ISA Server 2004

Lesson 1: Securing ISA Server 2004

Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.

How to Harden the Server :

ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.

How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server. By default, network interfaces in both Windows 2000 Server and Windows Server 2003 are configured to facilitate connecting other computers on the network to the server. On an ISA Server computer, ensure that clients can connect to the network interfaces only to access specific resources. Although both the interface connected to the Internet and the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.

Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:

1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required only if the computer needs to be configured as a Windows Internet Naming Service (WINS) client, needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets on the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.

Securing the Internal Network Interface
In addition to securing the external interface, you should secure the internal interface on the computer running ISA Server. However, in many cases you will require more functionality on the internal interface, so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to install the Firewall Client software from the share on the ISA Server computer. If the client installation files are stored on another computer, you can disable File and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if the ISA Server computer needs to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or NetBIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name registration enabled on the internal network interface so that the ISA Server computer's internal IP address is registered in DNS. If you do not have dynamic updates enabled on the DNS zone, disable this option and manually configure the host record in DNS.
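As an added example that is not part of the course notes, the following PowerShell functions audit and apply items 2 to 4 of the lists above (NetBIOS over TCP/IP, LMHOSTS lookup and dynamic DNS registration) through the Win32_NetworkAdapterConfiguration WMI class, with one parameter distinguishing the Internet-facing interface from the internal one. The connection names 'External' and 'Internal' are assumed; item 1 (the File and Printer Sharing and Client for Microsoft Networks bindings) is not exposed by this WMI class and is still done in the adapter's Properties dialog.

```powershell
# Added example (not from the course notes): audit and harden one adapter's TCP/IP
# settings via WMI. Assumptions: elevated PowerShell on the ISA Server computer;
# adapter connection names 'External' and 'Internal' are hypothetical. Written for
# PowerShell 2.0 so it also runs on Windows Server 2003.

function Get-AdapterConfig {
    param([string]$ConnectionName)
    # Win32_NetworkAdapter carries the friendly connection name; its Index joins it
    # to the matching Win32_NetworkAdapterConfiguration instance.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $nic) { throw "No adapter named '$ConnectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
}

function Show-InterfaceExposure {
    param([string]$ConnectionName)
    $cfg = Get-AdapterConfig $ConnectionName
    # TcpipNetbiosOptions: 0 = take the setting from DHCP (NetBIOS usually on), 1 = on, 2 = off
    $netbios = (@{0='Default (from DHCP)'; 1='Enabled'; 2='Disabled'})[[int]$cfg.TcpipNetbiosOptions]
    New-Object PSObject -Property @{
        Adapter          = $ConnectionName
        IPAddress        = ($cfg.IPAddress -join ',')
        NetBiosOverTcpip = $netbios
        LmhostsLookup    = $cfg.WINSEnableLMHostsLookup
        DnsRegistration  = $cfg.FullDNSRegistrationEnabled
    }
}

function Set-InterfaceHardening {
    param(
        [string]$ConnectionName,
        [bool]$InternetFacing,
        [switch]$KeepNetBios      # internal interface only: legacy NetBIOS clients must reach the server
    )
    $cfg = Get-AdapterConfig $ConnectionName

    # Item 2: NetBIOS over TCP/IP off (2 = disable). ReturnValue 0 = done, 1 = reboot required.
    if ($InternetFacing -or -not $KeepNetBios) {
        $r = $cfg.SetTcpipNetbios(2)
        if (@(0,1) -notcontains $r.ReturnValue) { throw "SetTcpipNetbios returned $($r.ReturnValue)" }
    }

    # Item 4: the Internet-facing interface must not register in any DNS zone; the
    # internal interface keeps registration (or gets a manual host record instead).
    $register = -not $InternetFacing
    $r = $cfg.SetDynamicDNSRegistration($register, $register)
    if (@(0,1) -notcontains $r.ReturnValue) { throw "SetDynamicDNSRegistration returned $($r.ReturnValue)" }

    # Item 3: LMHOSTS lookup is a system-wide setting, so it is a static method of the
    # class and, as the text warns, turning it off affects every interface.
    if ($InternetFacing) {
        $cls = [wmiclass]'Win32_NetworkAdapterConfiguration'
        $r = $cls.EnableWINS($false, $false, $null, $null)   # no DNS-for-WINS, no LMHOSTS, defaults for file and scope
        if (@(0,1) -notcontains $r.ReturnValue) { throw "EnableWINS returned $($r.ReturnValue)" }
    }

    Show-InterfaceExposure $ConnectionName
}

# Usage: record the state first, then harden both interfaces (names are assumptions).
Show-InterfaceExposure 'External'
Show-InterfaceExposure 'Internal'
Set-InterfaceHardening -ConnectionName 'External' -InternetFacing $true
Set-InterfaceHardening -ConnectionName 'Internal' -InternetFacing $false
```

A ReturnValue of 1 from any of the three methods means the change is pending a reboot, so re-run Show-InterfaceExposure after restarting before trusting the result.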

MCP 70-350 : Installing ISA Server 2004

Dynamic Host Configuration Protocol Requirements :

DHCP is not required to support an ISA Server infrastructure, but it is highly recommended to simplify network management. Even on relatively small networks of 250 or fewer computers, you will benefit from reduced administrative effort by configuring a DHCP server on your network. The advantage of using DHCP is that it can provide the IP configuration for all the client computers on your network automatically. This can make your ISA Server deployment much more efficient. For example, if you need to reconfigure the default gateway for all your client computers to point to the new ISA Server computer or to a new DNS server for Internet name resolution, you can just change the scope setting on the DHCP server and all the clients will be reconfigured automatically.

DHCP is also used to support VPN remote access connections to ISA Server. By default, ISA Server uses DHCP to assign IP addresses to VPN clients: when you enable remote VPN client access, ISA Server obtains a block of IP addresses from the DHCP server and assigns them to VPN clients as they connect. By default, ISA Server 2004 also assigns DNS and WINS server addresses to VPN clients based on the DHCP scope information.

MCP 70-350 : Installing ISA Server 2004

Lesson 1: Planning an ISA Server Deployment

The ISA Server Deployment Planning Process :

Most organizations install ISA Server to address security requirements. ISA Server is a firewall that is likely to be among the critical components to ensuring that your organization’s network is secure. In addition, the ISA Server computer is likely to be the primary connection point for all internal network traffic to access the Internet. This means that when you design your ISA Server deployment, you must consider a wide variety of security and functional requirements. The following is an overview of the process of planning an ISA Server deployment.

1. Understand the current network infrastructure. The first step in planning an ISA Server deployment is to understand the current networking environment. When you start planning, collect network diagrams that provide details on the network infrastructure. These diagrams should include the Internet Protocol (IP) networks, router configurations, and client and server networking configuration.
Collect information on the current configuration of network services. For example, all internal clients must be able to resolve Domain Name System (DNS) names on the Internet to connect to Internet resources. You need to understand how clients do this now. Also collect information about other network services such as Dynamic Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS) if you have Microsoft Windows NT or Microsoft Windows 2000 clients.
Collect information about the current domain structure. ISA Server can be integrated with Active Directory directory service to enable authentication.

2. Review company security policies. Every organization should have security policies. These policies usually include general security requirements such as Internet or e-mail usage policies. The policies can also be very specific and define what protocols are not allowed through the firewall, what Web sites users can access, and what types of information can be sent from the internal network to the Internet. For example, most organizations have policies defining what types of customer information can be sent in an e-mail.

3. Plan the required network infrastructure. For your ISA Server installation to meet the company requirements, you must plan for some specific network infrastructure components. For example, if the ISA Server computer is an Internet-edge firewall and is the only access point to the Internet, you must ensure that all client computers can connect to the ISA Server computer. If you have a single network, this solution can be as simple as configuring the default gateway on each client computer to use the internal network interface on the server running ISA Server. If you have multiple locations within your organization, or if you deploy multiple ISA Servers, this solution can be more complex.

Your ISA Server implementation may also depend on additional network infrastructure components such as DNS, DHCP, and Certificate Services. These components must be taken into account when planning an ISA Server installation.

4. Plan for branch office installations. If your organization has more than one location, you must also plan for how the branch office networks will be integrated with the main office. In some cases, you may have existing wide area network (WAN) connections between the offices with routing already in place. In other cases, you may plan to replace the WAN link with a site-to-site virtual private network (VPN) or plan to deploy an ISA Server in each branch office.

5. Plan for availability and fault tolerance. Each organization will have different requirements regarding availability and fault tolerance. In some organizations (for example, organizations that are publishing e-commerce sites that are doing several million dollars of business per day), a few minutes of downtime or even slow response times can cost large amounts of money. Other organizations may be using ISA Server just to provide Internet access for internal users. In this case, downtime may not be as critical. ISA Server can be configured to enable fault tolerance, so you must understand your organization’s requirements to get the right level of availability.

6. Plan for access to the Internet. Most companies that deploy ISA Server use it as a proxy server for users to access the Internet. Some organizations enable full access to the Internet so that all users can use all protocols to access any Internet resource. Other organizations limit access based on protocols or applications, and users or groups, and they also limit users’ access to Web sites.
Once you have gathered your organization’s requirements for granting Internet access, you can plan the ISA Server access rule configuration to meet the organization’s Internet access and caching requirements.

7. Plan the ISA Server client implementation and deployment. An essential part of deploying an ISA Server infrastructure is to plan for ISA Server client configuration and deployment. ISA Server supports three clients: SecureNAT clients, Web Proxy clients, and Firewall clients. The use of each client has advantages and disadvantages. As part of your ISA Server deployment, you must know why you use each client and how to configure each client.

8. Plan for server publishing. Most organizations also publish some internal resources to the Internet. Because this allows network traffic from the Internet to reach your internal network, it is essential that the path between Internet clients and the published internal servers is as secure as possible.

9. Plan for VPN deployment. ISA Server can operate as a VPN remote access server for external clients and as a VPN gateway for site-to-site VPNs. If you plan to deploy ISA Server in either configuration, include this in your planning. An extra level of planning is required if you choose to implement VPN network quarantine. With VPN network quarantine, you can restrict access to the internal network until the VPN clients pass a security configuration check. To perform the security configuration check, you must run a script or application on the client computer. The script can check for virtually any setting on the computer. In your planning, therefore, you must decide which security settings you will check on the client computer. This can be complicated. For example, you may decide that all clients that connect to your network must have an antivirus application installed, and that the virus detection files must be up to date. However, if you allow users to use any antivirus software, the script must check for all acceptable antivirus applications. The script that checks the security configuration on the client computer can become very complicated, so you must plan to have very competent scripting help available.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization's network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system–level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet-edge firewall, ISA Server can provide valuable additional functionality as the back-end firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization's Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 1: Overview of ISA Server Functionality

ISA Server 2004 is a valuable component in an overall plan to secure an organization's network. Because ISA Server is deployed at the connecting point between an internal network and the Internet, ISA Server's role is critical. Almost all organizations provide some level of access to the Internet for their users. ISA Server can be used to enforce security policies dealing with the types of access users should have to the Internet. At the same time, many organizations also allow remote users some type of access to internal servers. For example, almost all organizations allow e-mail servers on the Internet to connect to internal e-mail servers to deliver Internet e-mail. Many companies also host internal Web sites, or want employees to be able to access internal resources from the Internet. ISA Server 2004 can be used to ensure that access to these internal resources is secure.

How ISA Server Works—An Overview
ISA Server is designed to secure the perimeter of an organization's network. In most cases, this perimeter is between the organization's internal local area network (LAN) and a public network such as the Internet.
The internal network, or protected network, is usually located on an organization's premises and is under the control of the organization's IT staff. The internal network is considered to be relatively secure; that is, normally only authorized users have physical access to the internal network. Also, the IT staff have a great deal of control over the types of traffic that are allowed on the internal network.

An organization has no control over who is accessing the Internet or over the security of network traffic on the Internet. Anyone in the world with an Internet connection can locate and access any other Internet connection using almost any application or protocol. Also, network packets sent via the Internet are not secure because they can be captured and inspected by anyone running a packet sniffer on a network segment that the traffic crosses. A packet sniffer is an application that captures and displays the network traffic on the segment it is attached to; to capture a given conversation, it only needs to be attached somewhere on the path the packets take, for example on a link between two routers.

How ISA Server Works as a Firewall
A firewall is a device that is located between one segment of a network and another, and allows only authorized traffic to pass between the segments. The firewall is configured with traffic filtering rules that define the types of network traffic that will be allowed to pass through. A firewall may be positioned and configured to protect an organization from the Internet, or it may be positioned internally to protect specific sections of an organization’s corporate network.

In most cases, firewalls are deployed at the network perimeter. The primary purpose of a firewall in this configuration is to ensure that no traffic from a publicly accessible network like the Internet can enter an organization’s internal network unless it has been explicitly permitted. For example, the organization may have an internal Web server that needs to be accessible to Internet users. The firewall can be configured to allow Internet traffic to access only that Web server.

ISA Server 2004 provides firewall functionality. By default, when you deploy ISA Server, it will block all traffic between networks that are attached to the server, including internal networks, perimeter networks (also known as demilitarized zones, or DMZs), and the Internet. ISA Server 2004 uses three types of filtering rules to block or allow network traffic: packet filtering, stateful filtering, and application-layer filtering.

Packet Filtering
Packet filtering works by examining the header information of each network packet that arrives at the firewall. When the packet arrives at the ISA Server network interface, ISA Server reads the packet headers and checks information such as the protocol, the source and destination addresses, and the source and destination ports. ISA Server compares this information against its firewall rules, which define which packets are allowed. If the protocol, addresses and ports match a rule that allows the traffic, the packet passes through the firewall to the destination network. If they are not explicitly allowed, the packet is dropped and not forwarded through the firewall.

Stateful Filtering
Stateful filtering uses a more thorough examination of the network packet to make decisions on whether to forward it or not. When ISA Server uses stateful inspection, it examines the Internet Protocol (IP) and the Transmission Control Protocol (TCP) headers to determine the state of a packet within the context of previous packets that have passed through ISA Server, or within the context of a TCP session. For example, a user on the internal network may send a request to a Web server on the Internet. The Web server sends a reply to that request. When the reply packet arrives at the firewall, the firewall inspects the TCP session information that is part of the packet. The firewall determines that the packet is part of a currently active session that was initiated by the internal user, so the packet is forwarded to the user's computer. If a user from outside the network attempts to connect to a computer inside the organization's network, the firewall determines that the packet is not part of a currently active session and the packet is dropped.

Application-Layer Filtering
ISA Server also uses application-layer filtering to determine whether a packet is allowed or not. Application-layer filtering examines the actual content of a packet to determine if the packet can be forwarded through the firewall. An application filter opens the entire packet and examines the actual data in it before making a forwarding decision. For example, a user on the Internet may request a page from the internal Web server using the Hypertext Transfer Protocol (HTTP) GET command. When the packet arrives at the firewall, the application filter inspects the packet and detects the GET command. The application filter checks its policy to determine if the GET command is allowed. In most cases, the GET command is allowed and the packet is forwarded to the internal Web server.
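The three layers above, in code. This is an added illustration, not ISA Server's implementation: a toy firewall in Python whose rule table, address ranges (192.0.2.10 as the published Web server, 10.0.0.0/8 as the internal network) and sample packets are all constructed for the example. It shows the order of the decisions: a packet is forwarded only if a static rule allows it to start a connection or it belongs to a connection the firewall has already recorded, and even then an HTTP request is dropped unless its method is permitted.

```python
# Added example (not from the course text): a toy firewall that applies the
# three filtering layers described above, in order, to constructed packets.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields and payload a firewall looks at (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False        # True for the first segment of a new TCP connection
    payload: bytes = b""     # application data, if any


# Packet-filter rules: (source network, destination network, destination port).
# Hypothetical policy: anyone may reach the published Web server 192.0.2.10 on
# port 80, and internal hosts (10.0.0.0/8) may open HTTP connections outbound.
PACKET_RULES = [
    ("0.0.0.0/0", "192.0.2.10/32", 80),
    ("10.0.0.0/8", "0.0.0.0/0", 80),
]

ALLOWED_HTTP_METHODS = {"GET", "HEAD"}


class Firewall:
    def __init__(self):
        # Stateful table: 4-tuples of connections that a rule allowed to start.
        self.sessions = set()

    def packet_filter(self, p):
        """Layer 1: header-only check of addresses and port against the static rules."""
        src, dst = ipaddress.ip_address(p.src_ip), ipaddress.ip_address(p.dst_ip)
        return any(
            src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) and p.dst_port == port
            for s, d, port in PACKET_RULES
        )

    def application_filter(self, p):
        """Layer 3: inspect HTTP requests sent to port 80; other traffic is passed untouched."""
        if p.dst_port != 80 or not p.payload:
            return True
        try:
            request_line = p.payload.split(b"\r\n", 1)[0].decode("ascii")
            method, _target, version = request_line.split(" ")
        except (UnicodeDecodeError, ValueError):
            return False  # not a well-formed HTTP request line: drop it
        return method in ALLOWED_HTTP_METHODS and version.startswith("HTTP/1.")

    def decide(self, p):
        """Return (forwarded, reason). Layer 2 (stateful) sits between the other two."""
        forward = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        established = forward in self.sessions or reverse in self.sessions
        if not established and not (p.syn and self.packet_filter(p)):
            return False, "no matching rule and not part of an established session"
        if not self.application_filter(p):
            return False, "application filter rejected the HTTP request"
        if not established:
            self.sessions.add(forward)   # remember the connection so replies can come back
        return True, "forwarded"


if __name__ == "__main__":
    fw = Firewall()
    for pkt in [
        Packet("203.0.113.5", 40000, "192.0.2.10", 80, syn=True),
        Packet("203.0.113.5", 40000, "192.0.2.10", 80, payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Packet("203.0.113.5", 40000, "192.0.2.10", 80, payload=b"DELETE / HTTP/1.1\r\n\r\n"),
        Packet("203.0.113.5", 40001, "10.0.0.7", 445, syn=True),
        Packet("10.0.0.7", 51000, "198.51.100.20", 80, syn=True),
        Packet("198.51.100.20", 80, "10.0.0.7", 51000, payload=b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet("198.51.100.20", 80, "10.0.0.7", 51001, payload=b"unsolicited"),
    ]:
        print(pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, fw.decide(pkt))
```

Note what each layer alone would get wrong: the packet filter has no rule for the Web server's replies, so without the session table the internal user's browsing would be one-way; the session table alone would let the DELETE through once the connection exists; only the application filter sees the method.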

70-299 : Module 12 : Securing Remote Access

Lesson 1: Remote Access Fundamentals

Windows Server 2003 provides two main types of remote access methods: dial-up and VPN. For each remote access type, there are several authentication and encryption protocols to choose from. You will have to choose the remote access type and security protocols based on the clients that will be connecting to your internal network and based on your existing infrastructure. This lesson will describe the two remote access methods and the various encryption and authentication protocols to allow you to make educated recommendations.

Remote Access Methods :

There are two primary methods for connecting remote users to a private network: dial-up networking and virtual private networking. Dial-up networking enables a remote access client to establish a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone lines, Integrated Services Digital Network (ISDN), or X.25. The most common use of dial-up networking is that of a dial-up networking client that dials the phone number of a modem attached to the remote access server. This establishes a circuit between the two devices.

Virtual private networking is the creation of an encrypted, authenticated point-to-point connection across a public network such as the Internet. A VPN client uses special network protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server.

VPN Protocols :

Windows Server 2003 supports two VPN protocols: PPTP and L2TP. In most circumstances, either protocol will work equally well. Both carry PPP and therefore support the same user authentication methods, and both provide privacy for the tunneled data, but they do so differently: PPTP encrypts with Microsoft Point-to-Point Encryption (MPPE), whereas L2TP relies on IPSec, which also authenticates the two computers (by certificate or pre-shared key) before the user is authenticated and adds per-packet integrity protection. They also differ in maturity and compatibility. PPTP is more mature, but it is not an Internet standard. L2TP is relatively new, but it might be supported by a wider variety of non-Microsoft clients because it is an Internet standard.

11 Deploying, Configuring, and Managing SSL Certificates

Lesson 2: Configuring SSL for IIS

The most common use of SSL is to authenticate Web servers and to encrypt communications between Web browsers and Web servers. SSL, when used to protect HTTP, is referred to as Hypertext Transfer Protocol Secure (HTTPS). HTTPS is used by virtually every e-commerce Web site on the Internet to protect private information about end users and to protect end users from submitting private information to a rogue server impersonating another server.

Internet Information Services (IIS) 6.0, included with Windows Server 2003, supports both server and client SSL certificates. Configuring these certificates is simple when you are managing a single Web site with a single server certificate. However, managing certificates can be complicated when a server has multiple certificates or when you are using client certificates for authentication.

Using SSL Certificates with a Web Site :
You can use SSL certificates to allow users to verify the identity of your Web site and to encrypt traffic sent between the client and the Web site. It is important to understand that an SSL certificate identifies a Web site, and not a Web server. A single Web server can host multiple Web sites. Alternatively, a single Web site can be hosted on multiple Web servers to provide redundancy and scalability.

For example, an Internet service provider (ISP) that hosts Web sites for 20 customers on a single Web server needs 20 SSL certificates to allow each site to use encryption (and, on IIS 6.0, a distinct IP address or port for each HTTPS site, because the server must select the certificate before it can read the encrypted request that names the site). Alternatively, if an ISP stores a copy of a Web site on 10 different servers to allow the Web site to remain online in the event of a hardware failure, the same certificate can be installed on all 10 servers.

SSL certificates use the fully qualified domain name (FQDN) to identify the Web site. When the client retrieves the site's SSL certificate, the client checks the FQDN it used to reach the Web site against the name listed in the certificate: historically the subject name, also known as the common name, and in current browsers the DNS names listed in the certificate's subject alternative name (SAN) extension, so a certificate should list every FQDN the site answers to there. Checking the name used to identify the site against the name listed in the certificate prevents a rogue Web site from intercepting traffic destined for a different site, provided the client refuses to continue when the names do not match.

The Web Server Certificate Wizard :
Using HTTPS on an IIS Web server requires the server to have a certificate installed and configured. The exact process you will use to configure the certificate varies depending on the source of the certificate; however, you will always use the Web Server Certificate Wizard to perform the configuration. To launch the Web Server Certificate Wizard:
1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand the computer name, and then expand Web Sites. Right-click the Web site for which you want to configure an SSL certificate, and then click Properties.
3. Click the Directory Security tab, and then click the Server Certificate button. The Web Server Certificate Wizard appears.

You can use the Web Server Certificate Wizard to request a new certificate, assign an existing certificate, renew a certificate, and delete a certificate, as described in the following sections.


Renewing SSL Certificates :
Like any other public key certificate, each SSL certificate has a lifetime. At some point in the future, the certificate will expire. You should plan to renew the certificate three to six months prior to the expiration to ensure that there is no period during which the certificate is invalid.

The specific process you use for renewing the certificate will vary. If you are using a certificate issued by a public CA, the CA will provide a renewal process. If you are using a certificate issued by Certificate Services, you can renew the certificate by using Web enrollment, the Certificates snap-in, or the Web Server Certificate Wizard.
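Added example, not from the course: the client-side name check described under "Using SSL Certificates with a Web Site" and the renewal-window check from the section above, written in Python over certificate dictionaries in the shape that ssl.getpeercert() returns. The sample certificates, their names and their dates are constructed; the 90-day renewal window is an assumption taken from the three-to-six-month guidance, and the wildcard rule (one leftmost label only) is the common browser behaviour, not something the course states.

```python
# Added example (not from the course text): the two checks a client and an
# administrator care about for a site certificate, run on constructed
# certificate dictionaries in the shape that ssl.getpeercert() returns.
import ssl
from datetime import datetime, timedelta, timezone


def _name_matches(pattern, hostname):
    """Match one certificate name against the site's FQDN (case-insensitive).

    A wildcard is honoured only as the whole leftmost label and matches exactly
    one label, so *.example.com covers shop.example.com but neither
    example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """dNSName entries of subjectAltName; the subject common name only when no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    """The check a browser performs before trusting the site's identity."""
    return any(_name_matches(name, hostname) for name in certificate_names(cert))


def utc_date(year, month, day):
    """Helper so callers can build an aware 'now' without importing datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def renewal_status(cert, now, renew_before=timedelta(days=90)):
    """'ok', 'renew' (inside the assumed 90-day renewal window) or 'expired'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now >= expires:
        return "expired"
    if expires - now <= renew_before:
        return "renew"
    return "ok"


def check_site_certificate(cert, hostname, now):
    """Combine both checks into the findings an operator would act on."""
    return {"name_ok": hostname_matches(cert, hostname), "renewal": renewal_status(cert, now)}


# Constructed sample certificates (not any real site's certificate).
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
LEGACY_CN_ONLY_CERT = {   # no SAN extension: only the common name identifies the site
    "subject": ((("commonName", "legacy.example.com"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jun 30 23:59:59 2025 GMT",
}

if __name__ == "__main__":
    today = utc_date(2025, 1, 15)
    for cert, host in [(SAN_CERT, "www.example.com"), (WILDCARD_CERT, "shop.example.com"),
                       (LEGACY_CN_ONLY_CERT, "legacy.example.com")]:
        print(host, check_site_certificate(cert, host, today))
```

Against a live server, the same dictionaries come from ssl.create_default_context() followed by getpeercert() on the wrapped socket; the name check is then already enforced by the context, and renewal_status is the part worth scheduling as a periodic job.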

Configuring Firewalls :
Applications use a unique port number for SSL-protected communications (for example, HTTPS uses TCP port 443 rather than the port 80 used for plain HTTP). As a result, you must change your firewall configuration to allow the encrypted traffic.

There are two approaches to allowing SSL traffic through a firewall. The first approach is to open the firewall to allow all traffic with a designated port. The typical ports that various applications use for SSL are listed in Table 11.2. Although this will allow SSL sessions to be established through the firewall, the firewall will not be able to analyze the contents of the SSL-encrypted packets. As a result, the firewall will be able to use only the origin and destination of the packet to determine whether to let packets through.
