Contents Overview 1 Access Policy and Rules Overview 2 Creating Policy Elements 6 Configuring Access Policies and Rules 18 Configuring Bandwidth Rules 24 Using ISA Server Authentication 28 Lab A: Enabling Secure Internet Access 35 Review 52 Module 3: Enabling Secure Internet Access Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2001 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. Instructional Designer: Victoria Fodale (Azwrite LLC) Technical Lead: Joern Wettern (Independent Contractor) Program Manager: Robert Deupree Jr. Product Manager: Greg Bulette Lead Product Manager, Web Infrastructure Training Team: Paul Howard Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner Graphic Artist: Andrea Heuston (Artitudes Layout & Design) Editing Manager: Lynette Skinner Editor: Stephanie Edmundson Copy Editor: Kristin Elko (S&T Consulting) Production Manager: Miracle Davis Production Coordinator: Jenny Boe Production Tools Specialist: Julie Challenger Production Support: Lori Walker ( S&T Consulting) Test Manager: Peter Hendry Courseware Testing: Greg Stemp (S&T OnSite) Creative Director, Media/Sim Services: David Mahlmann CD Build Specialist: Julie Challenger Manufacturing Support: Laura King; Kathy Hershey Operations Coordinator: John Williams Lead Product Manager, Release Management: Bo Galford Group Manager, Business Operations: David Bramble Group Manager, Technical Services: Teresa Canady Group Product Manager, Content Development: Dean Murray General Manager: Robert Stewart Module 3: Enabling Secure Internet Access iii Instructor Notes This module provides students with the knowledge and skills to configure access policies for enabling secure Internet access for client computers. After completing this module, students will be able to:  Explain the use of access policies and rules to enable Internet access.  Create policy elements.  Configure access polices and rules.  Configure bandwidth rules.  Explain the use of authentication for outgoing Web requests. Materials and Preparation This section provides the materials and preparation tasks that you need to teach this module. Required Materials To teach this module, you need the Microsoft ® PowerPoint ® file 2159A_03.ppt. Preparation Tasks To prepare for this module, you should:  Read all of the materials for this module.  Complete the lab.  Study the review questions and prepare alternative answers to discuss.  Anticipate questions that students may ask. Write out the questions and provide the answers.  Read “Configuring Policy Elements,” “Configuring Access Policy,” and “Configuring Bandwidth“ in ISA Server Help. Presentation: 50 Minutes Lab: 60 Minutes iv Module 3: Enabling Secure Internet Access Module Strategy Use the following strategy to present this module:  Access Policies and Rules Overview Describe the components of access policies. Use the slide graphic to explain how Microsoft Internet Security and Acceleration (ISA) Server 2000 processes outgoing Web requests. Focus on protocol rules and site and content rules. Mention that Internet Protocol (IP) packet filters and routing rules are covered in later modules. Emphasize the importance of proper planning before creating the rules for access policies.  Creating Policy Elements Explain that before you can configure an access policy, you must create the associated policy elements that you will use when defining the rules. Describe each policy element.  Configuring Access Polices and Rules Explain that proper planning helps to ensure that you configure rules that are appropriate for your organization. Emphasize that ISA Server processes Web requests only if a protocol rule permits the use of the protocol and a site and content rule allows access to the site. Demonstrate the procedure that you use to create a protocol rule to show students how protocol rules use policy elements. Demonstrate the procedure that you use to create a site and content rule to show students how site and content rules use policy elements  Configuring Bandwidth Rules Explain that ISA Server uses bandwidth rules to determine how to process client requests when your network is congested. Mention that ISA Server only applies bandwidth rules when there is insufficient bandwidth to process all of the user requests. Demonstrate the procedure that you use to create a bandwidth rule to show students how bandwidth rules use policy elements.  Using ISA Server Authentication Explain that that way that you configure authentication for ISA Server depends on the type of client. Mention that requiring authentication for all Web Proxy clients enables you to configure access rules that are based on users and group membership. Mention that authentication also enables you to include information about user Web activity in ISA Server logs. Describe the types of authentication that are available for each type of client. Describe the types of authentication that ISA Server supports. Explain the use of listeners and the procedures that you use to configure authentication. Module 3: Enabling Secure Internet Access v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The labs in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000. Lab Setup The following list describes the setup requirements for the lab in this module. Setup Requirement 1 The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Perform a full installation of ISA Server manually. Setup Requirement 2 The lab in this module requires that the ISA Server administration tools be installed on all of the ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Install the ISA Server administration tools manually. Setup Requirement 3 The lab in this module requires that the Firewall Client be installed on all of the ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Install the Firewall Client manually. Important vi Module 3: Enabling Secure Internet Access Setup Requirement 4 The lab in this module requires that all of the ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure the default gateway manually. Setup Requirement 5 The lab in this module requires that Microsoft Internet Explorer be configured on all of the student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure Internet Explorer manually. Setup Requirement 6 The lab in this module requires that Internet Information Services (IIS) be configured on all of the ISA Server computers to use Transmission Control Protocol (TCP) port 8008 as the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure IIS manually. Lab Results Performing the lab in this module introduces the following configuration changes:  The following policy elements are created on the ISA Server computer for each student: • A schedule that is called x High Network Utilization (where x is the student’s assigned student number). • A destination set that is called x Contoso Sports Site (where x is the student’s assigned student number). • A client address set that is called x Accounting Department (where x is the student’s assigned student number). • A protocol definition that is called x LoB Application (where x is the student’s assigned student number). • A content group that is called x New Graphics Format (where x is the student’s assigned student number). • A bandwidth priority that is called x High Priority (where x is the student’s assigned student number). Module 3: Enabling Secure Internet Access vii  The following protocol rules are created on the ISA Server computer for each student: • A protocol rule that is called x Allow HTTP, HTTP-S, and FTP (where x is the student’s assigned student number). • A protocol rule that is called x Allow Access to LoB Application (where x is the student’s assigned student number).  The following site and content rules are created on the ISA Server computer for each student: • A site and content rule that is called x Deny Access to Sports Site (where x is the student’s assigned student number). • A site and content rule that is called x Deny Access to Pictures (where x is the student’s assigned student number).  A bandwidth rule that is called x High Priority for Microsoft Windows Media ™ (where x is the student’s assigned student number) is created on the ISA Server computer for each student:  ISA Server is configured for an effective bandwidth of 256 kilobits per second (Kbps).  Authentication for outgoing Web requests uses Basic and Integrated authentication. ISA Server asks unauthorized users for authentication. Module 3: Enabling Secure Internet Access 1 Overview  Access Policies and Rules Overview  Creating Policy Elements  Configuring Access Policies and Rules  Configuring Bandwidth Rules  Using ISA Server Authentication ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Microsoft ® Internet Security and Acceleration (ISA) Server provides policy- based access control that enables organizations to securely control outbound access. Network administrators can configure access policies to specify which content and sites are accessible, whether a particular protocol is available for outgoing Internet requests, and during which times access is allowed. In addition, network administrators can configure authentication to restrict access on a per-user basis or on a per-group basis. After completing this module, you will be able to:  Explain the use of access policies and rules to enable Internet access.  Create policy elements.  Configure access polices and rules.  Configure bandwidth rules.  Explain the use of authentication for outgoing Web requests. Topic Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn about configuring access policies to enable secure Internet access for client computers. 2 Module 3: Enabling Secure Internet Access    Access Policy and Rules Overview  Understanding Access Policy Components  Processing Outgoing Client Requests  Planning an Access Policy Strategy ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** One of the primary functions of ISA Server is connecting your internal network to the Internet while implementing your organization’s policies that define the type of Internet access that you allow. By creating an access policy and associated rules, you can allow or deny users access to specific protocols, Internet sites, and content. When ISA Server processes an outgoing request, it uses the access policy to determine if access should be allowed or denied. It is important to plan a strategy before creating an access policy to ensure that the rules that you create meet the needs of your organization. Topic Objective To list the topics related to access policies and rules. Lead-in One of the primary functions of ISA Server is connecting your internal network to the Internet while protecting your internal users from inappropriate or malicious content. [...].. .Module 3: Enabling Secure Internet Access 3 Understanding Access Policy Components Topic Objective To describe the components of an access policy Lead-in Access Policy Access Policy An access policy consists of several components Protocol Rule Protocol Rule Site and Content Site and Content Rule... rules, you use policy elements to define the rules Test rules Ensure that the rules allow the required access for your users, without providing more access than necessary Ensure that you test all of the rules before allowing users to gain access to the Internet 6 Module 3: Enabling Secure Internet Access Creating Policy Elements Topic Objective To identify the topics related to creating policy elements... use to create rules for your access policy Important Policy elements do not define any access policy by themselves Rather, you use policy elements as components of rules that control access Module 3: Enabling Secure Internet Access 7 Policy Element Overview Topic Objective To describe the policy elements that are available in ISA Server Lead-in Before you can configure an access policy, you must create... HTTP requests from all client types and to FTP requests from Web Proxy clients 18 Module 3: Enabling Secure Internet Access Configuring Access Policies and Rules Topic Objective To identify the topics related to configuring access policies and rules Planning Access Policies Lead-in Creating Protocol Rules ISA Server access policies and rules help an organization meet specific security and performance... content rules In addition, ISA Server uses bandwidth rules to determine which connections get priority Module 3: Enabling Secure Internet Access 19 Planning Access Policies Topic Objective To describe the process that is used to plan access policies Lead-in 1 Determine the policy structure 2 Access Policy Access Policy Protocol Rule Protocol Rule Gather organizational support Site and Content Rule Site... Finish Module 3: Enabling Secure Internet Access 17 Creating Content Groups Topic Objective To describe the procedure that you use to create content groups Lead-in In addition to limiting access to particular destinations, you can apply rules to specific content groups ISA Management Action View Name Tree Internet Security and Acceleration Server Servers and Arrays LONDON Monitoring Computer Access. .. rule named "Allow Rule" allows access to all content on all sites by default However, because ISA Server contains no protocol rules by default, no traffic is allowed to pass until you define at least one protocol rule Module 3: Enabling Secure Internet Access 5 Planning an Access Policy Strategy Topic Objective To identify the tasks that you must perform to plan an access policy strategy Determine... Dial-up entries Specify how the ISA Server computer will connect to the Internet The dial-up entry includes the name of the network dial-up connection that is configured for the remote access server and the user name and password for a user who has permissions to gain access to the dial-up connection 8 Module 3: Enabling Secure Internet Access Creating Schedules Topic Objective New schedule To describe... policy: • Allow all access with the exception of specific rules that deny access This policy is best suited for an organization that makes Internet access freely available and that has few reasons to restrict Internet access of any kind by employees • Deny all access except the type of access that you specifically allow This policy is best suited for an organization that uses the Internet for only a... do not conflict with each other 20 Module 3: Enabling Secure Internet Access Creating Protocol Rules Topic Objective To describe the key steps that you perform to create protocol rules Start Start Name the Rule Name the Rule Lead-in Specify the Rule Action Specify the Rule Action Protocol rules determine the protocols that clients can use to gain access to the Internet Select the Protocol(s) Select . ISA Server Authentication 28 Lab A: Enabling Secure Internet Access 35 Review 52 Module 3: Enabling Secure Internet Access Information in this document. Stewart Module 3: Enabling Secure Internet Access iii Instructor Notes This module provides students with the knowledge and skills to configure access policies