Module 7: Configuring Access to Internal Resources Contents Overview Introduction to Publishing Configuring Web Publishing 10 Configuring Server Publishing 20 Adding an H.323 Gatekeeper 27 Lab A: Configuring Access to Internal Resources 32 Review 45 Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  2001 Microsoft Corporation All rights reserved Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries Other product and company names mentioned herein may be the trademarks of their respective owners Instructional Designer: Victoria Fodale (Azwrite LLC) Technical Lead: Joern Wettern (Independent Contractor) Program Manager: Robert Deupree Jr Product Manager: Greg Bulette Lead Product Manager, Web Infrastructure Training Team: Paul Howard Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner Graphic Artist: Andrea Heuston (Artitudes Layout & Design) Editing Manager: Lynette Skinner Editor: Stephanie Edmundson Copy Editor: Kristin Elko (S&T Consulting) Production Manager: Miracle Davis Production Coordinator: Jenny Boe Production Tools Specialist: Julie Challenger Production Support: Lori Walker ( S&T Consulting) Test Manager: Peter Hendry Courseware Testing: Greg Stemp (S&T OnSite) Creative Director, Media/Sim Services: David Mahlmann CD Build Specialist: Julie Challenger Manufacturing Support: Laura King; Kathy Hershey Operations Coordinator: John Williams Lead Product Manager, Release Management: Bo Galford Group Manager, Business Operations: David Bramble Group Manager, Technical Services: Teresa Canady Group Product Manager, Content Development: Dean Murray General Manager: Robert Stewart Module 7: Configuring Access to Internal Resources iii Instructor Notes Presentation: 60 Minutes This module provides students with the knowledge and skills to configure access to selected internal resources Lab: 60 Minutes After completing this module, students will be able to: Explain the concepts associated with server publishing Configure Web publishing Configure server publishing Add an H.323 Gatekeeper Materials and Preparation This section provides the materials and preparation tasks that you need to teach this module Required Materials To teach this module, you need the Microsoft® PowerPoint® file 2159A_07.ppt Preparation Tasks To prepare for this module, you should: Read all of the materials for this module Complete the lab Study the review questions and prepare alternative answers to discuss Anticipate questions that students may ask Write out the questions and provide the answers Read “Checklist: Publishing,” “How To Configure Publishing,” “Controlling Incoming Requests,” “Configuring Publishing,” “Using H.323 Gatekeeper,” “Web publishing scenarios,” “Exchange Server publishing Scenarios,” and “H.323 Gatekeeper deployment scenarios” in ISA Server Help Read Module 2, “Installing and Maintaining ISA Server,” Module 3, “Enabling Secure Internet Access,” Module 4, “Configuring Caching,” and Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Read Module 14, “Designing a PKI for Business Partners,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network Read Module 5, “Configuring Network Security by Using Public Key Infrastructure,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure Read the \support\docs\smtpfilter.htm file, the \support\docs\smtpfilter.htm file, and the \readme.htm file on the ISA Server compact disc iv Module 7: Configuring Access to Internal Resources Module Strategy Use the following strategy to present this module: Introduction to Publishing Explain that for Web server publishing to work properly, external clients must be able to resolve the name of a published server to the Internet Protocol (IP) address of an external network adapter on the Microsoft Internet Security and Acceleration (ISA) Server 2000 computer Explain that a back-to-back perimeter network configuration allows you to control the traffic that enters the perimeter network separately from the traffic that enters the internal network Use the slide graphic to describe the steps that you use to publish servers on a perimeter network Explain that Web publishing rules allow you to specify which port the ISA Server computer uses to connect to the Web server Configuring Web Publishing Explain that unlike the destination sets that you configure for access policies, destination sets for publishing rules specify computers in your internal network to which external clients connect, such as the name or the IP address of your ISA Server computer Explain the use of listeners and the procedure that you use to configure listeners for incoming requests Mention that the authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires Describe the use of Secure Sockets Layer (SSL) bridging and the associated procedures Configuring Server Publishing Explain that you can configure server publishing rules to allow client connections by using any protocol that you have configured as an incoming protocol definition Run the Mail Server Security Wizard to demonstrate the procedure that you use to publish a mail server Explain the content filtering option Describe the flow of a message during the content filtering process Mention that more information about configuring the Simple Mail Transfer Protocol (SMTP) filter is available in the \support\docs\smtpfilter.htm file on the ISA Server compact disc Adding an H.323 Gatekeeper Use the animated slide to explain how the H.323 Gatekeeper service works Explain that you can use an H.323 Gatekeeper to establish incoming connections with both SecureNAT clients and Firewall clients, but you not have to create a gatekeeper to enable outgoing connections Module 7: Configuring Access to Internal Resources v Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware Important The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Lab Setup The following list describes the setup requirements for the lab in this module Setup Requirement The lab in this module requires that ISA Server be installed on all ISA Server computers To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Perform a full installation of ISA Server manually Setup Requirement The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Install the ISA Server administration tools manually Setup Requirement The lab in this module requires that the Firewall Client be installed on all ISA Server client computers To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Install the Firewall Client manually vi Module 7: Configuring Access to Internal Resources Setup Requirement The lab in this module requires that all of the ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Configure the default gateway manually Setup Requirement The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Configure Internet Explorer manually Setup Requirement The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Configure IIS manually Setup Requirement The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol To prepare student computers to meet this requirement, perform one of the following actions: Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000 Create the rule manually Module 7: Configuring Access to Internal Resources vii Lab Results Performing the lab in this module introduces the following configuration changes: ISA Server is configured with a listener for outgoing Web requests Web publishing rules for internal Web servers are created The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server The ISA Server client computer is published as an SMTP and Internet Message Access Protocol (IMAP) server Module 7: Configuring Access to Internal Resources Overview Topic Objective To provide an overview of the module topics and objectives Lead-in In this module, you will learn about configuring access to internal resources for remote clients
Introduction to Publishing
Configuring Web Publishing
Configuring Server Publishing
Adding an H.323 Gatekeeper *****************************ILLEGAL FOR NON-TRAINER USE****************************** Microsoft® Internet Security and Acceleration (ISA) Server 2000 enables you to publish services to the Internet without compromising the security of your internal network You can use ISA Server to publish internal servers to make Web content and e-mail services available to external clients You publish servers by configuring server publishing rules to redirect requests from external clients to a server on your internal network By publishing servers and routing requests from Internet clients to an ISA Server computer, you provide an increased layer of security for your internal servers You can also use ISA Server to route incoming multimedia conferencing sessions by adding an H.323 Gatekeeper After completing this module, you will be able to: Explain the concepts associated with server publishing Configure Web publishing Configure server publishing Add an H.323 Gatekeeper Module 7: Configuring Access to Internal Resources
Introduction to Publishing Topic Objective To identify the topics related to publishing servers Lead-in Publishing servers enables you to provide access to selected resources in a secure manner
Publishing Overview
Publishing Servers on a Perimeter Network
Guidelines for Using Publishing and Routing
Publishing Rules Overview *****************************ILLEGAL FOR NON-TRAINER USE****************************** Publishing servers enables you to provide access to selected resources in a secure manner To publish a server, you must create a publishing policy Publishing policies define rules for controlling how ISA Server processes incoming requests You can create publishing policies for Web servers, mail servers, and other types of servers ... Module 7: Configuring Access to Internal Resources
Configuring Web Publishing Topic Objective To identify the topics related to configuring Web publishing Lead-in ISA Server can make internal. .. SMTP and Internet Message Access Protocol (IMAP) server Module 7: Configuring Access to Internal Resources Overview Topic Objective To provide an overview of the module topics and objectives Lead-in... of servers Module 7: Configuring Access to Internal Resources Publishing Overview Topic Objective To describe the use of published servers on an internal network Internal Internal Network Network