Contents

Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
Lab A: Configuring ISA Server for the Enterprise
Review

Module 9: Configuring ISA Server for an Enterprise

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes

This module provides students with the knowledge and skills to install and configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 in an enterprise environment.

After completing this module, students will be able to:

- Describe the use of ISA Server in an enterprise environment.
- Install ISA Server in an enterprise environment.
- Use enterprise and array policies.
- Scale ISA Server.
- Manage network connections.
- Extend and automate ISA Server functionality.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_09.ppt.

Preparation Tasks

To prepare for this module, you should:

- Read all of the materials for this module.
- Complete the lab.
- Study the review questions and prepare alternative answers to discuss.
- Anticipate questions that students may ask. Write out the questions and provide the answers.
- Read “Firewall client application settings,” “Using Network Load Balancing,” “Configuring Automatic Discovery,” “The Enterprise, Arrays, and Stand-Alone Servers,” and “Cache Array and Routing Protocol” in ISA Server Help.
- Read the section “Network Load Balancing” in the Microsoft Windows® 2000 Server Resource Kit.
- Read the white papers entitled “Network Load Balancing Technical Overview” and “Cache Array Routing Protocol and Microsoft Proxy Server 2.0” under Additional Reading on the Trainer Materials compact disc.
- Read Module 2, “Installing and Maintaining ISA Server,” and Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Read Module 4, "Designing a Schema Policy," in Course 1561B, Designing a Microsoft Windows 2000 Directory Services Infrastructure.
- Read Module 12, "Managing Operations Masters," in Course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.

Presentation: 75 Minutes
Lab: 30 Minutes

Module Strategy

Use the following strategy to present this module:

Introducing ISA Server Enterprise Edition

Explain that you can install ISA Server Enterprise Edition as a stand-alone server or as an array member. Emphasize that if you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access.

Installing ISA Server in the Enterprise

Ensure that students understand the impact that modifying the schema has on the entire Active Directory™ directory service forest and that changes to the schema are irreversible. Explain that when you promote a stand-alone server, ISA Server may delete policy rules and publishing rules to ensure that array policies are not more permissive than an applicable enterprise policy.

Using Enterprise Policies and Array Policies

Emphasize that when you apply an enterprise policy to an array, ISA Server deletes all of the previously defined array-level site and content rules and protocol rules that allow access.

Managing Network Connections

Use the slide example to explain the use of routing rules for conditionally routing requests. Explain that firewall chaining enables requests from Firewall clients and SecureNAT clients to be routed to upstream servers. Use the animated slide to explain automatic discovery. Explain that using automatic discovery helps you to minimize the time spent troubleshooting connection problems on the client computers. Emphasize that to use the Dynamic Host Configuration Protocol (DHCP) protocol for automatic discovery, you must ensure that there is a DHCP server with a valid scope for each network segment that has ISA Server clients.
Emphasize that to use Domain Name System (DNS) for automatic discovery, you must ensure that there is a Web Proxy AutoDiscovery Protocol (WPAD) entry for each DNS domain that has ISA Server clients.

Scaling ISA Server

Explain that to use Cache Array Routing Protocol (CARP) and to use Network Load Balancing efficiently, you must use ISA Server Enterprise Edition. Explain that by using hash-based routing instead of queries to determine the location of cached information, CARP becomes faster and more efficient as more member servers are added to the array. For more information about CARP, tell students to see the white paper “Cache Array Routing Protocol and Microsoft Proxy Server 2.0” under Additional Reading on the Student Materials compact disc. Mention that Network Load Balancing is available with Microsoft Windows 2000 Advanced Server only.

Extending and Automating ISA Server Functionality

Mention that you can gain benefits from using the extensibility and automation features of ISA Server whether you use the Standard Edition or the Enterprise Edition.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Lab Setup

The following list describes the setup requirements for the lab in this module.

Setup Requirement 1

The lab in this module requires that ISA Server be installed on all ISA Server computers.
To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Perform a full installation of ISA Server manually.

Setup Requirement 2

The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Install the ISA Server administration tools manually.

Setup Requirement 3

The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Install the Firewall Client manually.

Setup Requirement 4

The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s Internet Protocol (IP) address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Configure the default gateway manually.

Setup Requirement 5

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server.
To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Configure Internet Explorer manually.

Setup Requirement 6

The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Configure IIS manually.

Setup Requirement 7

The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Create the rule manually.

Setup Requirement 8

The lab in this module requires that packet filtering be enabled on the ISA Server computer. To prepare student computers to meet this requirement, perform one of the following actions:

- Complete Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
- Enable packet filtering manually.

Lab Results

Performing the lab in this module introduces the following configuration changes:

- DHCP on the second computer in each student computer pair has DHCP option 252 enabled.
- DNS for the student computer zones has a WPAD entry added.
- The Active Directory schema update for ISA Server is installed.
- The stand-alone ISA Server computer is promoted to an array.
- An enterprise policy is created.

Overview

- Introducing ISA Server Enterprise Edition
- Installing ISA Server in the Enterprise
- Using Enterprise Policies and Array Policies
- Managing Network Connections
- Scaling ISA Server
- Extending and Automating ISA Server Functionality

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Topic Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn about configuring ISA Server in an enterprise environment.

Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides many features to support an enterprise-wide deployment. Some of these features are available in only the Enterprise Edition of ISA Server. The security, caching, management, performance, and extensibility capabilities of ISA Server are the same in both the Standard Edition and the Enterprise Edition. The Standard Edition, however, is limited to a stand-alone server, a local policy only, and computers with up to four processors. For large-scale deployments, server array support, multi-level policy, and computers with more than four processors, you must use the ISA Server Enterprise Edition.

After completing this module, you will be able to:

- Describe the use of ISA Server in an enterprise environment.
- Install ISA Server in an enterprise environment.
- Use enterprise and array policies.
- Scale ISA Server.
- Manage network connections.
- Extend and automate ISA Server functionality.

Introducing ISA Server Enterprise Edition

- Benefits of ISA Server Enterprise Edition
- Using ISA Server Enterprise Edition

There are many benefits for an organization to deploy ISA Server Enterprise Edition in an enterprise environment.
When you deploy ISA Server Enterprise Edition, you must select an installation configuration and a policy configuration.

Topic Objective: To introduce ISA Server Enterprise Edition.

Lead-in: There are many benefits for an organization to deploy ISA Server Enterprise Edition in an enterprise environment.

[...]

Benefits of ISA Server Enterprise Edition

Topic Objective: To describe the benefits of ISA Server Enterprise Edition.

Lead-in: ISA Server Enterprise Edition offers several benefits to organizations that want fast, secure, and manageable Internet connectivity in an enterprise environment.

Scalability

Scales ISA Server functionality... Datacenter Server, which supports up to 32 processors.

Network Load Balancing

ISA Server Enterprise Edition efficiently uses Network Load Balancing, which is available in Windows 2000 Advanced Server and Windows 2000 Datacenter Server, to provide fault tolerance, high availability, efficiency, and performance through the clustering of multiple ISA Server...

... click Set as Default Policy

Changing Default Settings for the Enterprise Policy

After initializing ISA Server for the enterprise, you can change the default policies that ISA Server applies when you create a new array.

To change the default policies:

1. In ISA Management, in the console tree, right-click Enterprise, and then click Set Defaults.
2. ...

... administrator from configuring ISA Server in an insecure manner.

To force packet filtering for an array:

1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties.
2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Force packet filtering...
defined for the array

Promoting a Stand-Alone Server

To promote a stand-alone server:

1. In ISA Management, in the console tree, right-click the server, and then click Promote.
2. Click Yes to verify that you want the ISA Server to become an array member.
3. If you are not a member of the Enterprise Admins group, click Yes to confirm that the default enterprise...

... centralize management for multiple arrays in your enterprise.

Selecting a Policy Configuration

Key Points: If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you enforce enterprise policies, an array policy can never allow any type of access that an enterprise...

... Internet Security and Acceleration Server Setup dialog box, click Yes to install ISA Server on an array member.

3. In the Microsoft ISA Server Setup dialog box, click the array that you want to add the computer to, click OK, and then configure the cache settings as you would for a stand-alone server.

Creating and Deleting Arrays in ISA Management

Topic...

When you apply enterprise policies, array policies can create additional restrictions over the enterprise policies. However, an array policy can never allow any type of access that an enterprise policy does not first allow.

Installing ISA Server in the Enterprise

Topic Objective: To present the topics related to installing ISA Server in the enterprise...
information

Installing ISA Server Schema in Active Directory

Topic Objective: To describe the procedure that you use to install ISA Server schema in Active Directory.

Lead-in: Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory.

ISA Enterprise Initialization

Specify how to apply the enterprise...

Important: You can use ISA Server Standard Edition or ISA Server Enterprise Edition to manage network connections for ISA Server. However, customizing network connections yields the most benefits in an enterprise-wide installation.

Routing Overview

Topic Objective: To describe the process of routing in an ISA Server enterprise environment.

Lead-in: Array ...