Configuring ISA Server, part 10 (ppsx)

drive letter and mount it to an NTFS folder.

Editing the Windows 2000 Registry to Tune ISA Performance Settings

Several settings can be used to fine-tune performance that cannot be configured via the ISA interface. Changing these settings requires that you edit the Windows 2000 Registry.

SECURITY ALERT! It is always imperative that you exercise caution when making any changes to the Registry. Incorrectly editing the Registry can create serious problems or even render your system unbootable. It is wise to back up valuable data prior to modifying the Registry.

To make these changes, you can use either of two Registry editing tools provided with Windows 2000: Regedit or Regedt32. You can start either one by typing its name at the Run prompt. The Registry keys that you can edit to tune the performance of your ISA Server are located in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services path, shown in Figure 11.19.

Figure 11.19 The Registry Keys Used to Tune ISA Performance Are Found Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

The following keys can be configured for ISA performance optimization:

· \W3Proxy\Parameters\OutstandAccept The value set for this key controls the number of accepted pending connections before new connection requests are rejected. A high value minimizes the number of rejected connection requests.
· \Tcpip\Parameters\MaxUserPort The value set in this key controls the number of TCP/IP ports that can be allocated by a client making a connection request. Setting the value to 0000ffff in hexadecimal (65,535 in decimal) sets the range for client port numbers to the maximum.

The following keys can be added (Edit | New | Key in the Registry Editor menu) and configured for optimum performance:

· \W3PCache\Parameters\TZPersistIntervalThreshold This key can be used to set a maximum time interval in minutes that will be lost when cache is recovered after the W3Proxy service is stopped unexpectedly.
· \W3Cache\Parameters\RecoveryMruSizeThreshold You can use this key to set a time interval in minutes in which the content cached will be recovered first from the time the W3Proxy service is stopped unexpectedly.
· \W3Proxy\Parameters\MaxClientSession You can use this key to control the size of the pool for the client session object. A client session object will be freed and its memory returned to system memory management only if the pool has a number of objects that exceeds this value. Freeing objects is time consuming, so you can cause objects to be freed less frequently by setting this key to a high value.
· \Tcpip\Parameters\TcpTimedWaitDelay This value sets a time interval in seconds that will pass before a socket is reused for a new connection.

NOTE In most cases, after you make a change to Registry settings, you must restart the computer in order for the changes to be applied.

For general information on the TCP/IP Registry keys and what they do, see the Microsoft white paper entitled MS Windows 2000 TCP/IP Implementation Details on the Microsoft Web site at www.microsoft.com/technet/win2000/win2ksrv/technote/tcpipimp.asp. There are also a number of Web sites that provide information on how to tweak Registry settings to provide for higher performance with cable modems and DSL connections. Some vendors provide optimization software that can be used to change these settings using a friendly interface. For example, Accelerate 2000 (www.webroot.com) helps you optimize MTU and other TCP/IP settings for maximum connection speed.

Customizing ISA Server

ISA Server’s functionality can be enhanced in several ways. Microsoft provides the ISA Server Software Developer’s Kit (SDK), which allows developers to extend ISA by creating components that are built on or that work with ISA Server. Several third-party software vendors have already developed add-on products that add flexibility to the ISA product.
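Before turning to the SDK, the Registry tuning keys listed above lend themselves to a small audit: the following added example (not from the book and not Microsoft's code) parses a Regedit export, converts the REG_DWORD values to decimal, and reports which of the six tuning values are set. The export contents and the sample values are constructed for the example; the 30 to 300 second range applied to TcpTimedWaitDelay is the range Microsoft documents for that value.

```python
"""Audit a Regedit (.reg) export for the ISA Server performance tuning values."""
import re

SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# (subkey under ...\Services, value name, unit) for the six tuning values discussed above
TUNING_VALUES = [
    (r"W3Proxy\Parameters", "OutstandAccept", "pending connections"),
    (r"Tcpip\Parameters", "MaxUserPort", "highest client port"),
    (r"W3PCache\Parameters", "TZPersistIntervalThreshold", "minutes"),
    (r"W3Cache\Parameters", "RecoveryMruSizeThreshold", "minutes"),
    (r"W3Proxy\Parameters", "MaxClientSession", "session objects"),
    (r"Tcpip\Parameters", "TcpTimedWaitDelay", "seconds"),
]
# Range Microsoft documents for TcpTimedWaitDelay, in seconds
TIMED_WAIT_RANGE = (30, 300)

_KEY_RE = re.compile(r"^\[(.+)\]$")                               # [HKEY_...\Path]
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')   # "Name"=dword:hex


def parse_reg(text):
    """Return {(key_path, value_name): int} for every REG_DWORD in a .reg export.
    Keys and value names are lower-cased because the Registry is case-insensitive;
    values of other types are ignored, since every tuning value here is a DWORD."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            values[(current, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def audit(values):
    """List each tuning value with its decimal meaning, or note that it is absent
    (the built-in default applies); warn when TcpTimedWaitDelay is out of range."""
    findings = []
    for subkey, name, unit in TUNING_VALUES:
        path = (SERVICES + "\\" + subkey).lower()
        val = values.get((path, name.lower()))
        if val is None:
            findings.append(f"{subkey}\\{name}: not set (default applies)")
            continue
        findings.append(f"{subkey}\\{name} = {val} {unit} (0x{val:08x})")
        if name == "TcpTimedWaitDelay" and not TIMED_WAIT_RANGE[0] <= val <= TIMED_WAIT_RANGE[1]:
            findings.append(f"WARNING: TcpTimedWaitDelay {val} s is outside {TIMED_WAIT_RANGE}")
    return findings


# Constructed export for this example; the values are illustrative, not recommendations
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000ffff
"TcpTimedWaitDelay"=dword:00000010

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3Proxy\Parameters]
"OutstandAccept"=dword:00000400
"MaxClientSession"=dword:00000100
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against a real export taken with Regedit (File | Export) on the ISA computer to see the current values before and after a tuning change.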
In this section, we take a look at the SDK and a few of the available third-party add-ons.

Using the ISA Server Software Developer’s Kit

The ISA Server SDK is a comprehensive collection of development tools and sample scripts that can be used to build new, custom features that enhance ISA’s firewall, caching, and management functionality. The SDK comes with the ISA Server software. It includes full API documentation as well as useful sample extensions such as management tools, application and Web filters, and user interface extensions.

Administration Scripts

Administration scripts can simplify and automate administrative tasks. Developers can create custom administration scripts, or administrators can use the sample scripts included with the SDK.

Sample Administration Scripts

Sample administration scripts provided with the ISA SDK include:

· Add_Dod A VBScript sample that demonstrates how to add a new Dialup Entry and set the Dialup Entry Credentials.
· AdditionalKey A VBScript script that demonstrates how to change an additional key.
· AddLATEntry A VBScript script that demonstrates how to add an IP range to a LAT.
· AddScheduledContentDownload A VBScript that receives an array name, a URL, and a job name and adds a scheduled content download job.
· ApplicationFilterList A script that prompts the user to enter an array, then lists the application filters of the selected array.
· CacheSettings A script that prompts the user to enter the name of an array, then displays the cache settings of that array.
· ConstructLAT A script that demonstrates how to construct the LAT of an array based on its NICs.
· DisableScheduledContentDownloads A VBScript that disables all prefetcher jobs on Monday and Wednesday on a given array.
· Enterprise_Destination A VBScript that adds a new destination set to the Enterprise, sets the array policy to use Array and Enterprise Policies, and configures the new rule to use the Enterprise destination. (Can be run only by an enterprise administrator.)
· FetchUrl A VBScript script that causes the Web proxy to fetch an object and store it in the Web proxy’s cache. The cached object can be stored under a different name than the source object.
· ListServers A script that lists all the servers in a given array through the name property of the FPCArray object.
· FindScheduledContentDownload A VBScript that receives an array name and a URL and checks to see if any job includes that URL.
· SetCache A VBScript sample that configures cache settings.
· SetUpstreamRouting A VBScript script that demonstrates how to set up upstream routing to another server using the RoutingRules collection and the RouteEntity object.
· ShowAllProtocolRules A script that lists all the protocol rules of an array by looping through the PrxProtocolRules collection.
· ShowAllRoutingRules A VBScript script that lists all the routing rules of an array by looping through the RoutingRules collection. The script also lists whether each routing rule is enabled or disabled and the action that the rule follows.
· StaticFilter A VBScript script that demonstrates how to add a static packet filter that allows NTP communication from the ISA server to the Internet.

Running Administration Scripts

You can run the sample scripts simply by double-clicking the script name in the sdk\samples\admin\Scripts directory, located on the ISA Server CD. You can also run a script by typing its full path at the Run prompt. Some scripts might prompt you to enter information before performing their tasks. For example, when you run the CacheSettings script, you will be asked to enter an array name (or you can leave the field blank and click OK to specify the first array listed in the ISA Server management console), as shown in Figure 11.20.

Figure 11.20 The CacheSettings Script Prompts You to Specify an Array Name

When you enter the information or click OK, the script will run and display its results, as shown in Figure 11.21.

Figure 11.21 The Script Runs and Displays the Results

NOTE Some of the sample admin scripts are provided in both Visual Basic Script (VBS) and JavaScript (JS) versions; others are provided only in VBS.

Sample Filters

In addition to the sample scripts, Microsoft has provided in the SDK a number of sample filters to demonstrate how to create firewall, Web, and application filters. A readme.txt file is supplied with each sample filter, an example of which is shown in Figure 11.22.

Figure 11.22 Each Sample Filter Includes a Readme File That Provides More Information

The readme.txt file provides additional information about the filter and the purpose of each file included in the sample. The following are descriptions of included sample filters:

· Connector A console application that emulates an application protocol with a primary connection for control and secondary connections for data. The secondary connections can be inbound or outbound and can use either UDP or TCP.
· ConnectorFilter Enables a complex protocol that requires secondary connections on random ports and makes it possible for the Connector sample to work through Microsoft Proxy for PNAT clients and WinSock clients.
· DbgDump Registers for notifications on all possible events and installs data filters on all connections, then outputs information about the events to the debugger.
· ExeBlock Demonstrates the use of data filters and hooking into the proxy thread pool.
· ServerSplit Demonstrates the use of connection emulation for inbound connections.
· SMTPFltr Captures and analyzes data sent by external clients using the SMTP protocol. The proxy attaches a new instance of the data filter to every inbound port 25 TCP session. The filter can be configured to look for a particular string in the SMTP message.
· SOCKS 4/4a Demonstrates the use of SOCKS protocol version 4/4A.
· SOCKS 5 Demonstrates the use of the SOCKS 5 protocol.

Using Third-Party Add-ons

Even before Microsoft released the final version of ISA Server, several third-party vendors had begun to develop solutions to customize and enhance ISA’s features and functionality. In many cases, Microsoft has partnered with these companies to provide complementary products for ISA. Third-party add-ons include tools to add security features such as virus scanning, additional intrusion detection filters, integrated access control solutions, more comprehensive reporting and monitoring tools, and enhancements to simplify administrative tasks.

Types of Add-on Programs

The available add-on tools can generally be categorized as follows:

· Administration and management tools
· Reporting tools
· Monitoring tools
· Content security tools
· Access control tools
· Intrusion detection tools
· Network protocol tools

In many cases, a vendor provides one tool that incorporates two or more of these functions. Most tools provide a user-friendly graphical interface. For example, GFI LANguard, shown in Figure 11.23, creates a custom console that includes the ISA Management snap-in along with the LANguard configuration tools. It links into ISA Server as an ISAPI extension so that alerting and reporting functions of ISA are integrated.

Figure 11.23 GFI LANguard Is a Third-Party Add-on That Creates a Custom Console, Which Includes the ISA Management Snap-in

Some of the features of LANguard include virus protection (scanning of HTTP and FTP files) with automatic virus signature updates, monitoring of Internet usage (including notification to administrators when users access undesirable sites or blocking users from accessing those sites) based on keywords in the URL or Web page. Word macros can be automatically removed from communications, and potentially dangerous file types (executables, Word documents, and the like) can be “quarantined.” LANguard can even verify that a file is of the type that its extension indicates (for example, it can verify that a file with the .AVI extension is in fact a video file). LANguard offers very granular control; the program retrieves a list of users and groups from your network and allows you to specify particular users when you create a rule.

Overview of Available Add-on Programs

Other add-on programs provide functionalities similar to those of LANguard. Some of the add-ons that are available or will soon be available include:

· btPatrol from Burst Technology A real-time monitoring tool. More information is available at www.burstek.com/isaserver.
· LANguard from GFI Content filtering and antivirus protection. More information is available at www.gfi.com/isaserver.
· WebTrends firewall suite Analyzes ISA Server activity and generates custom reports. More information is available at www.webtrends.com/isaserver.
· SmartFilter for ISA from Secure Computing Allows you to control Internet access in a manner tailored to your network’s needs. More information is available at www.securecomputing.com/isaserver.
· AppManager for ISA Server from NetIQ Monitors ISA modules and services. More information is available at www.netiq.com/isaserver.
· SuperScout for ISA Server from SurfControl Enhances management of Internet access in the corporate environment. More information is available at www.surfcontrol.com/isaserver/.
· RealSecure from ISS Enhances the ISA intrusion detection filters. More information is available at www.iss.net/isaserver.

Additional information about third-party add-ons is available on the Microsoft Website at www.microsoft.com/isaserver/thirdparty/offerings.htm and at www.isaserver.org.
Integrating ISA Server with Other Services

ISA Server software does not operate in a vacuum; it must interoperate with other services and applications on the computer and on your network. In this section, we take a look at some common interoperability and integration issues. Specifically, we examine how ISA works in conjunction with:

· Windows 2000 Active Directory Services
· Windows 2000 Routing and Remote Access Services (RRAS)
· Internet Information Server (IIS)
· The IP Security protocol (IPSec)
· Windows NT 4.0 domains

It is also important to be aware of those services with which ISA Server cannot peacefully coexist. For example, you cannot use Internet Connection Sharing or the Windows 2000 Network Address Translation (NAT) functions to provide Internet connectivity on a computer that is running ISA Server. ISA replaces ICS/NAT, providing translation services along with security and caching.

Understanding Interoperability with Active Directory

The Windows 2000 Active Directory is a hierarchical database that is stored on Windows 2000 domain controllers. It holds information about objects on the network (users, groups, computers, printers, files, and other network resources). The Active Directory controls logon authentication, serving the same function as the Security Accounts Management (SAM) database in Windows NT. Active Directory Services provides for easy accessibility to network resources by authorized users.

Standalone vs. Array Member

The way in which ISA Server interacts with the Windows 2000 Active Directory is dependent on how ISA is installed: as a standalone server or as a member of an array. When ISA is installed as a standalone system, its configuration information is saved to the Registry on the local machine. However, if you install ISA as an array member (or promote a standalone server to array membership status), the ISA configuration information is then stored in Active Directory. This means that information will be replicated to all domain controllers in the domain. This system obviously provides a measure of fault tolerance that a standalone server does not have.

The Active Directory Schema

Active Directory is governed by a set of rules called the schema, which define object classes and attributes (these are called metadata because they describe “data about data”). The content of the schema is controlled by a single domain controller that holds the role of schema master. When Windows 2000 Active Directory is installed, the schema contains a basic set of metadata. However, the schema can be extended; members of the schema administrators group can define new classes or new attributes for existing classes. The schema is also extended by some programs, which need new object classes and/or attributes in order to function.

NOTE Programmers use the Active Directory Service Interfaces (ADSI), available in the Windows 2000 Software Developer’s Kit, to write programs that extend the schema.

When the first member of an ISA Server array is to be installed, you must first initialize the enterprise, as discussed in Chapter 5. This automatically makes the necessary extensions to the Active Directory schema.

ISA Server and Domain Controllers

Although the ISA configuration is stored on the Windows 2000 domain controllers, you do not have to install ISA Server on a DC. It is actually preferable that the ISA computer not be a domain controller, for a couple of reasons:

· Performance of the ISA server will be improved if the computer is not a domain controller, because DC tasks require significant resources.
· Security of the domain controller is improved if you place the DC(s) behind the ISA server on the local network, thus allowing the ISA server to protect the DC(s) from unauthorized access.

Because Active Directory is required in order to install ISA Server as an array member, ISA servers cannot be array members in a Windows NT 4.0 domain.
Understanding Interoperability with Routing and Remote Access Services

Windows 2000 Routing and Remote Access Services (RRAS) provide a collection of services that allow a Windows 2000 server to function as a full-fledged software router, forwarding IP packets from one subnet or network to another, or as a dial-up server, and to create and control dial-up networking policies and virtual private networking connections across WAN links.

RRAS Components

The RRAS console allows you to configure a number of components, including:

· Enabling IP Routing to allow the server to function as a router on the local network and as a demand-dial router
· Configuring the server to assign IP addresses via DHCP or a static address pool
· Enabling the remote access server service
· Enabling support for multilink PPP, Bandwidth Allocation Protocol (BAP), Link Control Protocol (LCP) extensions, and/or software compression
· Selecting an authentication method for remote access clients and demand-dial routers, using Windows authentication or RADIUS
· Selecting one or more authentication protocols (EAP, MS-CHAPv1 or v2, CHAP, SPAP, PAP) and allowing remote access without authentication
· Configuring remote access logging properties
· Creating demand-dial routing interfaces
· Viewing remote access client connections
· Configuring ports (modem, PPTP/L2TP, parallel routing)
· Adding and configuring routing protocols (IGMP, NAT, RIP, OSPF)
· Configuring a DHCP relay agent
· Creating remote access policies
· Configuring static routes and viewing the Windows 2000 routing table

RRAS and ISA Server

RRAS can be enabled on an ISA Server computer. The ISA server can also function as a remote access server or VPN server. However, there is one RRAS feature that is not compatible with the ISA Server software. You cannot use the NAT protocol on a server that is running ISA Server. The reason for this is that ISA Server provides its own translation service, which is more sophisticated and robust than the Windows 2000 NAT.

NOTE Although the ISA address translation service provides sophisticated NAT functionality, some tasks that ISA’s S-NAT cannot do, such as port mapping, can be done using Windows 2000’s NAT.

If NAT is installed on a server on which you want to install ISA, you should delete it. The same is true of Internet Connection Sharing (ICS), a “light” form of NAT that is also included with Windows 2000 Server and is configured on a connection via the Network and Dialup Connections properties.

Understanding Interoperability with Internet Information Server

Microsoft Proxy Server required the presence of IIS in order to function. However, ISA does not require that IIS be installed on the ISA server, although you can install IIS on your ISA computer if you desire.

IIS Functionality

Windows 2000 Server includes IIS 5.0, and it is installed by default when you install the operating system. However, you can elect not to install it in a custom installation, or you can remove it later using the Add/Remove Programs applet in the Control Panel.

NOTE IIS 5.0 will not be installed by default if you upgraded to Windows 2000 from Windows NT 4.0 and IIS 4.0 was not installed on the NT system.

IIS is Microsoft’s Web server software, which also includes NNTP, FTP, and SMTP functionality. IIS 5.0 supports Active Server Pages (ASP); Windows Media Services (WMS), which is installed separately as a Windows component from Add/Remove Programs; distributed authoring and versioning; and other advanced features. IIS can be used to make documents and Web objects available over the Internet or on an intranet.

Publishing IIS to the Internet

If you do choose to install IIS on the ISA computer, there are two ways you can publish IIS to the Internet:

· Using Web publishing rules
· Using packet filters

Let’s briefly look at each of these methods.

Using Web Publishing Rules

The first way to publish the Web server that runs on the ISA Server computer is by configuring Web publishing rules.
Chapter 10, “Publishing Servers to the Internet,” discusses in detail how Web publishing rules work. Note that you need to configure IIS not to use the ports that are used by ISA Server for outgoing and incoming Web requests (ports 8080 and 80, respectively, by default). You can also configure IIS to listen on a different IP address.

NOTE When using Web publishing rules, you must associate the Web server with an internal IP address and change the port it uses to a different port number.

Using Packet Filters

You can allow IIS to continue using TCP port 80 to listen for Web requests if you configure an IP packet filter to map incoming requests on that port to IIS. In this case, you should ensure that ISA’s autodiscovery is not set to listen on port 80. If you use this method, you should not create Web publishing rules to publish the Web server. Note that this is not the preferred method of publishing, because it cannot take advantage of dynamic packet filtering.

NOTE When you install ISA Server, the World Wide Web Publishing Service (w3svc) will be stopped. After you finish the installation, you should first change the port on which IIS will listen, and then restart the w3svc.

Understanding Interoperability with IP Security

The IP Security Protocol (IPSec) support is a new feature in Windows 2000 that was not included in Windows NT 4.0. IPSec is an Internet standard, developed by the Internet Engineering Task Force (IETF).

NOTE IPSec specifications are defined in Request for Comments (RFC) 2401.

IPSec provides security for data as it travels across a TCP/IP network. Although there are other methods of encrypting data, IPSec enjoys a distinct advantage: It operates at the Network layer (Layer 3) of the OSI model. This means that, unlike Application layer encryption protocols, IPSec does not require the network applications to be IPSec aware. IPSec uses cryptographic security services to provide for confidentiality and integrity of transmitted data and authentication of the identity of the sender.

How IPSec Works

To secure and authenticate transmissions, IPSec uses two protocols:

· Authentication Header (AH) AH signs the entire data packet, providing authentication and integrity but not confidentiality, because it doesn’t encrypt the data. AH can be used alone when it is not necessary that the message be [...]
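Both ways of publishing IIS from the ISA computer (see the IIS section above) come down to the same port bookkeeping: IIS must not bind the ports ISA's Web listeners hold, and each method adds one requirement of its own. The following added example (not from the book and not ISA's own code) models the listeners and reports what each method requires; the addresses, port 8081, and the assumption that autodiscovery is published on port 80 are constructed for the example.

```python
"""Detect listener conflicts between IIS and ISA Server on the same computer."""
from dataclasses import dataclass

WILDCARD = "0.0.0.0"          # a socket bound to every interface
INTERNAL_IP = "10.0.0.1"      # constructed internal address of the ISA computer


@dataclass(frozen=True)
class Listener:
    owner: str   # "ISA outgoing", "ISA incoming", "ISA autodiscovery" or "IIS"
    ip: str      # a specific address, or WILDCARD
    port: int


def collides(a, b):
    """Two TCP listeners collide when they share a port and either one binds all
    interfaces or both bind the same address (the second bind on the port fails)."""
    return a.port == b.port and (a.ip == b.ip or WILDCARD in (a.ip, b.ip))


def find_collisions(isa, iis):
    """Return (ISA listener owner, IIS ip, IIS port) for every colliding pair."""
    return [(i.owner, w.ip, w.port) for w in iis for i in isa if collides(i, w)]


def check_publishing(method, isa, iis, internal_ip=INTERNAL_IP):
    """Return the problems with publishing IIS by 'web-publishing' rules or by a
    'packet-filter' mapping, following the requirements given in the text."""
    problems = [f"IIS {ip}:{port} collides with the {owner} listener"
                for owner, ip, port in find_collisions(isa, iis)]
    if method == "web-publishing":
        # Web publishing rules: IIS on an internal address and off port 80
        for w in iis:
            if w.ip != internal_ip:
                problems.append(f"IIS must bind the internal address {internal_ip}, not {w.ip}")
            if w.port == 80:
                problems.append("IIS must move off port 80 when published by Web publishing rules")
    elif method == "packet-filter":
        # Packet filter mapping: IIS keeps port 80, so autodiscovery must not use it
        for i in isa:
            if i.owner == "ISA autodiscovery" and i.port == 80:
                problems.append("ISA autodiscovery must not listen on port 80 while IIS keeps it")
    else:
        raise ValueError(f"unknown publishing method {method!r}")
    return problems


# ISA's default listeners as the text gives them (8080 outgoing, 80 incoming);
# publishing autodiscovery on port 80 is an assumption made for this example
DEFAULT_ISA = [
    Listener("ISA outgoing", WILDCARD, 8080),
    Listener("ISA incoming", WILDCARD, 80),
    Listener("ISA autodiscovery", INTERNAL_IP, 80),
]
DEFAULT_IIS = [Listener("IIS", WILDCARD, 80)]       # IIS 5.0 as installed: all addresses, port 80

# Corrected layouts for each method (port 8081 is an arbitrary constructed choice)
WEB_PUBLISHING_IIS = [Listener("IIS", INTERNAL_IP, 8081)]
PACKET_FILTER_ISA = [                               # incoming Web listener left disabled,
    Listener("ISA outgoing", WILDCARD, 8080),       # autodiscovery moved off port 80
    Listener("ISA autodiscovery", INTERNAL_IP, 8080),
]

if __name__ == "__main__":
    for label, args in [
        ("default IIS, Web publishing", ("web-publishing", DEFAULT_ISA, DEFAULT_IIS)),
        ("fixed IIS, Web publishing", ("web-publishing", DEFAULT_ISA, WEB_PUBLISHING_IIS)),
        ("default IIS, packet filter", ("packet-filter", PACKET_FILTER_ISA, DEFAULT_IIS)),
    ]:
        print(label, "->", check_publishing(*args) or "OK")
```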

Posted: 14/08/2014, 04:21
