Module 3: Enabling Access to Internet
Overview
ISA Server 2004 as a Proxy Server
Configuring Multi-Networking on ISA Server
Configuring Access Rule Elements
Lesson: ISA Server 2004 as a Proxy Server
How ISA Server Enables Secure Access to Internet Resources
Why Use a Proxy Server?
How Does a Forward Web Proxy Server Work?
What Is a Reverse Web Proxy Server?
How to Configure ISA Server as a Proxy Server
DNS Configuration for Internet Access
How to Configure Web Chaining
How ISA Server Enables Secure Access to Internet Resources
[Diagram: ISA Server, Web Server, Proxy Server]
Is the …
User allowed access?
Computer allowed access?
Protocol allowed?
Why Use a Proxy Server?
Improved Internet access security:
User authentication
Filtering client requests
Content inspection
Logging user access
Hiding the internal network details
Improved Internet access performance
DNS Configuration for Internet Access
Configure ISA Server clients to use an internal DNS server if the DNS server can resolve Internet addresses
If no internal DNS server is available to resolve Internet addresses, configure the ISA Server clients to use an Internet DNS server
ISA Server includes a DNS cache that caches the results of all DNS lookups performed through ISA Server
ISA Server can proxy DNS requests for Web proxy and Firewall clients but not for SecureNAT clients
How to Configure Web Chaining
[Diagram: Head Office, Branch Office, Internet]
Practice: Configuring ISA Server as a Web Proxy Server
Configuring the proxy server settings on ISA Server
[Diagram: Internet, Den-ISA-01]
Lesson: Configuring Multi-Networking on ISA Server
How Does ISA Server 2004 Support Multiple Networks?
Default Networks Enabled in ISA Server
About Network Objects
How Does ISA Server 2004 Support Multiple Networks?
Support any Number of Networks
VPN Networks Represented as Networks
Dynamic Network Membership
Per Network Rules
Per Network Policies
Network Sets
[Diagram: Internet, LAN1, LAN2, VPN]
Default Networks Enabled in ISA Server
Default Network          Includes
Local Host               The ISA Server
Default External         All IP addresses not associated with another network
Internal                 All IP addresses specified as internal during installation
VPN Clients              All IP addresses for currently connected VPN clients
Quarantined VPN Clients  All IP addresses of connected VPN clients that have not cleared
About Network Objects
Network Object   Includes
Network          All computers connected to a single network interface
Network Set      One or more networks
Computer         A single computer identified by an IP address
Computer Set     All computers included in specified computer, subnet or address range objects
Address Range    All computers identified by continuous IP addresses
Subnet           All computers on a specified subnet
URL Set          All specified URLs
Domain Name Set  All specified domain names
How to Create and Modify Network Objects
Click Firewall Policy, Toolbox, then Network Objects
Click Networks, then Networks or Network Sets
What Are Network Rules?
NAT connection:
A NAT relationship is directional
Addresses from the source network are always translated when passing through ISA Server
Route connection:
A route relationship is bidirectional
If a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A
Practice: Managing Network Objects
Configuring a new network on ISA Server
Configuring a new network rule on ISA Server
Configuring a new computer network object on ISA Server
[Diagram: Internet, Den-ISA-01]
Lesson: Configuring Access Rule Elements
What Are Access Rule Elements?
How to Configure Protocol Elements
How to Configure User Elements
How to Configure Content Type Elements
How to Configure Schedule Elements
What Are Access Rule Elements?
Access Rule Element  Used to Configure
Protocols            The protocols that will be allowed or denied by an access rule
Users                The users that will be allowed or denied by an access rule
Content Types        The content type that will be allowed or denied by an access rule
Schedules            The time of day when Internet access will be allowed or denied by an access rule
How to Configure Content Type Elements
Define the MIME types and file extensions to include
How to Configure Schedule Elements
How to Configure Domain Name Sets and URL Sets
Practice: Configuring Firewall Rule Elements
Configuring a new user set
Configuring a new content type element
Configuring a new schedule element
Configuring a new URL set
[Diagram: Internet, Den-ISA-01]
Lesson: Configuring Access Rules for Internet Access
What Are Access Rules?
How Network Rules and Access Rules Are Applied
About Authentication and Internet Access
How to Configure Access Rules
How to Configure HTTP Policy
What Are Access Rules?
Access rules always define:
Allow, Deny
User
Destination Network, Destination IP, Destination Site
Protocol, IP Port/Type
Source network, Source IP
Schedule, Content Type
About Authentication and Internet Access
Authentication and ISA Server Clients
Authentication Methods
Basic authentication
Digest authentication
Integrated Windows authentication
Digital certificates authentication
RADIUS authentication
Practice: Managing Access Rules
Creating a DNS Lookup Rule
Creating a Managers Access Rule
Testing Internet Access
[Diagram: Internet, Den-ISA-01, Den-DC-01]
How to Troubleshoot Access to Internet Resources
Use ISA Server logging to determine which access rule is granting or denying access
To troubleshoot Internet access issues:
Check for DNS name resolution
Determine the extent of the problem
Review access rule objects and access rule configuration
Review access rule order
Check access rule authentication
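Why "review access rule order" matters, as an added example that is not part of the original module: ISA Server checks access rules in order and applies the first rule that matches, ending with a default rule that denies everything. This Python model is narrowed to four of the rule elements listed above; the "Block Web" rule, the "Managers" user set and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # element left unrestricted in a rule


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                        # "Allow" or "Deny"
    protocols: Optional[frozenset]     # e.g. {"HTTP", "DNS"}
    sources: Optional[frozenset]       # source networks
    destinations: Optional[frozenset]  # destination networks
    users: Optional[frozenset] = ANY   # user sets; ANY = all users

    def matches(self, req: dict) -> bool:
        checks = ((self.protocols, {req["protocol"]}),
                  (self.sources, {req["source"]}),
                  (self.destinations, {req["destination"]}),
                  (self.users, set(req["user_sets"])))
        # An element matches when unrestricted or when it shares a value with the request.
        return all(allowed is ANY or allowed & actual for allowed, actual in checks)


def evaluate(rules, req):
    """Return (action, rule name) of the first matching rule; deny if none matches."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "Deny", "Default rule"


fs = frozenset
dns = AccessRule("DNS Lookup Rule", "Allow", fs({"DNS"}), fs({"Internal"}), fs({"External"}))
managers = AccessRule("Managers Access Rule", "Allow", fs({"HTTP", "HTTPS"}),
                      fs({"Internal"}), fs({"External"}), fs({"Managers"}))
block_web = AccessRule("Block Web (hypothetical)", "Deny", fs({"HTTP", "HTTPS"}),
                       fs({"Internal"}), fs({"External"}))

# Constructed sample requests
manager_http = {"protocol": "HTTP", "source": "Internal", "destination": "External",
                "user_sets": ["Managers"]}
staff_http = dict(manager_http, user_sets=[])

GOOD_ORDER = [dns, managers, block_web]
BAD_ORDER = [dns, block_web, managers]   # broad deny shadows the Managers rule

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, evaluate(order, manager_http), evaluate(order, staff_http))
```

The returned rule name plays the role of the rule recorded in the ISA Server log: in the bad ordering it shows the broad deny rule, not the Managers rule, deciding the manager's request.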
Lab: Enabling Access to Internet Resources
Exercise 1: Configuring ISA Server Access Rule Elements