ISA Server 2000 MCSE Roberta Bragg Exam 70-227 TRAINING GUIDE 00a mcse FrontMatter 6/5/01 3:26 PM Page i Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. ii MCSE T RAINING G UIDE (70-227) ISA S ERVER 2000 MCSE T RAINING G UIDE (70-227): I NSTALLING ,C ONFIGURING , AND A DMINISTERING M ICROSOFT  I NTERNET S ECURITY AND A CCELERATION S ERVER 2000, E NTERPRISE E DITION Copyright  2002 by New Riders Publishing First Printing: July 2002 All rights reserved. No part of this book may be reproduced or trans- mitted in any form or by any means, electronic or mechanical, includ- ing photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. International Standard Book Number: 0-7357-1092-9 Library of Congress Catalog Card Number: 00110877 05 04 03 02 01 7 6 5 4 3 2 1 Interpretation of the printing code: The rightmost double-digit num- ber is the year of the book’s printing; the rightmost single-digit num- ber is the number of the book’s printing. For example, the printing code 01-1 shows that the first printing of the book occurred in 2001. Composed in Garamond and MCPdigital by New Riders Publishing Printed in the United States of America Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Warning and Disclaimer This book is designed to provide information about the ISA Server exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as-is basis. The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or pro- grams that may accompany it. PUBLISHER David Dwyer ASSOCIATE PUBLISHER Al Valvano EXECUTIVE EDITOR Stephanie Wall MANAGING EDITOR Gina Brown PRODUCT MARKETING MANAGER Stephanie Layton PUBLICITY MANAGER Susan Nixon ACQUISITIONS EDITORS Jeff Riley Deborah Hittel-Shoaf DEVELOPMENT EDITOR Christopher Morris MEDIA DEVELOPER Jay Payne TECHNICAL REVIEWERS Emmett Dulaney Richard D. Coile PROJECT EDITOR Linda Seifert INDEXER Brad Herriman MANUFACTURING COORDINATOR Jim Conway BOOK DESIGNER Louisa Klucznik COVER DESIGNER Aren Howell PROOFREADER Sheri Replin COMPOSITION Gina Rexrode 00a mcse FrontMatter 6/5/01 3:49 PM Page ii Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. iii Contents at a Glance 1 Introduction: What Is ISA Server? 9 Part I Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities 45 3 Installing ISA Server 71 4 Upgrading Microsoft Proxy 2.0 109 Part II Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access 133 6 ISA Server Hosting Roles 181 7 H.323 Gatekeeper 205 8 Dial-Up Connections and RRAS 235 9 ISA Virtual Private Networks 265 Part III Configuring, Managing, and Troubleshooting Policies and Rules 10 Firewall Configuration 309 11 Manage ISA Server in the Enterprise 337 12 Access Control in the Enterprise 361 Part IV Deploying, Configuring, and Troubleshooting the Client Computer 13 Planning and Deploying Clients 383 14 Installing and Configuring Client Options 399 00a mcse FrontMatter 6/5/01 3:26 PM Page iii Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. iv MCSE T RAINING G UIDE (70-227) ISA S ERVER 2000 Part V Monitoring, Analyzing, and Optimizing ISA Server 15 Monitoring Network Security and Usage 421 16 Performance Analysis and Optimization 449 Part VI Final Review Fast Facts 477 Study and Exam Prep Tips 497 Practice Exam 503 Part VII Appendixes A Microsoft Proxy Server 2.0 Configuration Backup 531 B ISA Setup Log 539 C ISA Upgrade Log 599 D Glossary 611 E Overview of the Certification Process 619 F What’s on the CD-ROM 625 G Using the ExamGear, Training Guide Edition Software 627 Index 653 00a mcse FrontMatter 6/5/01 3:26 PM Page iv Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. v Table of Contents Introduction 1 Notes on This Book’s Organization 1 How This Book Helps You 2 What the Installing, Configuring, and Administrating Microsoft Internet Security and Acceleration (ISA) Server Exam (70-227) Covers 4 Installing ISA Server 4 Configuring and Troubleshooting ISA Server Services 4 Configuring, Managing, and Troubleshooting Policies and Rules 5 Deploying, Configuring, and Troubleshooting the Client Computer 5 Monitoring, Managing, and Analyzing ISA Server Use 5 Hardware and Software You’ll Need 6 Advice on Taking the Exam 7 New Riders Publishing 7 1 Introduction: What Is ISA Server? 9 Introduction 11 Architecture Overview 12 ISA Server Clients 15 Web Proxy Clients 15 Firewall Clients 15 SecureNAT Clients 15 ISA Server Is a Multilayered Enterprise Firewall 16 Packet Filtering 17 Circuit-Level Filtering 17 Application-Level Filtering 17 Stateful Inspection 18 Built-In Intrusion Detection 18 System Hardening Templates 19 Virtual Private Networking 19 ISA Server Is a High-Performance Web Caching Server 19 Reverse Caching 20 Forward Caching 21 Scheduled Caching 22 00a mcse FrontMatter 6/5/01 3:26 PM Page v Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. vi MCSE T RAINING G UIDE (70-227) ISA S ERVER 2000 Distributed Caching 23 Hierarchical Caching or Chaining 24 ISA Server Hosting Services 27 ISA Server Provides Integrated, Centralized Management and Control 28 Enterprise or Standard Editions 29 Firewall, Caching, or Integrated Modes 30 Policy-Based Rules 31 Tiered Policies: Both Enterprise and Array Level 35 Bandwidth Control 36 Logging and Reporting 37 Review Questions 39 Exam Questions 39 Answers to Review Questions 40 Answers to Exam Questions 40 Part I: Installation and Upgrade 2 Plan Before Acting: Preinstallation Activities 45 Introduction 47 Network Design and Planning 47 Network Size 48 User Needs 48 Installation Options 48 ISA Server Mode and Array Considerations 49 Active Directory Integration Needs 50 Interoperation with and Requirements for Other Services 51 Making Hardware Choices 53 Client Considerations 56 Windows 2000 Installation and Configuration 57 Preinstallation Network Configuration 58 Server Placement 58 Verify Network Connectivity 58 Verify Internet Connectivity 62 Verify Name Resolution 63 Exercises 65 Review Questions 65 Exam Questions 65 Answers to Review Questions 67 Answers to Exam Questions 68 00a mcse FrontMatter 6/5/01 3:26 PM Page vi Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. vii 3 Installing ISA Server 71 Introduction 74 Installation Processes Common to Several Configurations 74 Constructing and Modifying the Local Address Table (LAT) 75 Configuring the Cache 77 ISA Server Installation 79 Installation Defaults 80 Standard Edition Generic Instructions 81 Enterprise Edition 83 Installing the ISA Server Schema in the Active Directory 83 Install ISA Server Enterprise Edition 85 Unattended Setup 91 Installing Additional ISA Servers in an Array 93 Troubleshooting the Installation 95 Failed Installation 95 Was Installation Successful? 97 Uninstalling ISA Server 99 Exercises 101 Review Questions 103 Exam Questions 104 Answers to Review Questions 107 Answers to Exam Questions 108 4 Upgrading Microsoft Proxy 2.0 109 Introduction 111 Reasons for Upgrading 111 The Migration Process 112 Back Up the Proxy Server Configuration 114 Stop and Disable Proxy Server Services 115 Upgrade to Windows 2000 and Install ISA Server 116 Review the Setup Logs 117 Array Migration 118 Proxy Configuration Migration Results 120 Predetermined Migration Effects 120 Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration 121 Post Migration Necessities 122 Migrating the Mindset 123 00a mcse FrontMatter 6/5/01 3:26 PM Page vii Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. viii MCSE T RAINING G UIDE (70-227) ISA S ERVER 2000 Exercises 126 Review Questions 126 Exam Questions 126 Answers to Review Questions 128 Answers to Exam Questions 129 Part II: Configuring and Troubleshooting ISA Server Services 5 Outbound Internet Access 133 Introduction 136 Post Installation Default Settings 136 ISA Server Object Permissions 137 Service Permissions 141 Local Access Table (LAT) 142 Policy Settings 142 Packet Filtering 143 Routing 144 Caching 145 Publishing 145 Alerts 146 Configuring Access Rules and Tools 146 Understanding and Configuring Outgoing Web Request Properties 147 How Are Rules Evaluated? 149 Creating Policy Elements 149 Configuring Site and Content Rules 153 Configuring Protocol Rules 154 Authentication and Rules 158 Custom HTML Error Messages 158 Configuring a Single System Versus an Array 160 Configuring Caching 161 Standalone Cache 161 Configuring Hierarchical Access 161 Configuring CARP 163 Configuring Network Settings 163 Bandwidth Rules 164 LAT and Local Domain Tables 166 Configuring Routing Rules 167 Configuring ISA Server Chains 168 00a mcse FrontMatter 6/5/01 3:26 PM Page viii Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. ix Troubleshooting Client Access Problems 169 A Protocol Rule Exists for a Protocol Definition, but Clients Cannot Use It 169 Clients Can’t Use a Specific Protocol 170 Clients Cannot Browse External Web Sites 170 Clients Receive a 502 Error Every Time They Attempt to Browse the Web 171 Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled 171 All Other Errors Including Intermittent Issues 172 Exercises 174 Answers to Exercises 175 Review Questions 175 Exam Questions 177 Answers to Review Questions 179 Answers to Exam Questions 179 6 ISA Server Hosting Roles 181 Introduction 183 Configuring ISA Server for Web Publishing 184 Configuring Destination Sets 186 Configuring Listeners 186 Creating Web Publishing Rules 187 Enabling CARP 188 Configuring Server Certificates and Authentication Methods 189 Redirecting HTTP and SSL Requests 190 Configuring ISA Server for Server Proxy 193 DNS and Mail Proxy 194 The Mail Server Security Wizard 194 Content Filtering 195 Configuring ISA Server for Server Publishing 197 Creating Server Publishing Rules 197 Publishing Servers on a Perimeter Network 199 Exercises 201 Review Questions 201 Exam Questions 201 Answers to Review Questions 203 Answers to Exam Questions 203 00a mcse FrontMatter 6/5/01 3:26 PM Page ix Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. x MCSE T RAINING G UIDE (70-227) ISA S ERVER 2000 7 H.323 Gatekeeper 205 Introduction 208 What Is an H.323 Gatekeeper? 208 What Is the H.323 Protocol? 209 Where Does T-120 Fit In? 210 What’s the Difference Between a Gatekeeper and a Gateway? 211 How Does the Gatekeeper Work? 211 H.323 Gatekeeper Limitations and Other Considerations 216 How to Add an H.323 Gatekeeper to ISA 217 Enabling and Configuring H.323 Protocol Access 218 Configuring DNS 220 Adding the H.323 Gatekeepers 221 Enabling Fast Kernel Mode and Data Pumping 222 Gatekeeper Administration 222 Configuring Gatekeeper Call Routing Rules 223 Configuring Destinations 224 Configuring Phone Number Rules 224 Configuring Email Address Rules 225 Configure IP Address Rules 226 H.323 Gatekeeper Scenarios 227 Exercises 231 Review Questions 231 Exam Questions 232 Answers to Review Questions 233 Answers to Exam Questions 233 8 Dial-Up Connections and RRAS 235 Introduction 238 Dial-on-Demand Connections 238 Configure Network and Dial-Up Connections 239 Create a Dial-Up Entry 240 Create a Dial-Up Routing Rule 240 Enable Dial-Up Entry in Firewall Chaining Configuration 242 Managing and Limiting ISA Dial-Up Connections 243 Troubleshooting ISA Server Dial-Up Connections 243 Routing and Remote Access Service Versus ISA Server 245 Routing 246 Connecting Remote Clients 246 Static Routes 247 00a mcse FrontMatter 6/5/01 3:26 PM Page x Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... conduct these tasks in order to pass the exam A The Windows 2000 server is not a domain member server B The Windows 2000 server is not a member of the original array server s domain C You have used the Standard edition ISA Server CD-ROM D The Windows 2000 server is not a member of the same site as the server which is the first member of the ISA server array Exam Questions: These questions reflect the kinds... material Control the total RAM used by ISA Server for caching If the ISA Server computer is only used as a caching server then it will use RAM as primary cache storage for more efficient service However, if the ISA Server computer is used for other services, then this characteristic, is not beneficial You can, however, throttle down the amount of RAM used by ISA Server for caching; to do so follow Step-by-Step... filtered through ISA server s rules and policies Approved requests (unless they are SSL or HTTPS or otherwise configured will be cached on the ISA Server Subsequent approved requests for this material are served from the ISA Server Additional access to the Internet is not necessary In caching mode, the ISA server can also be configured to forward requests from the public network to Web servers on the private... understanding Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 00b mcse walk through 6/5/01 3:50 PM Page xxviii Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 01 mcse Intro 6/5/01 11:53 AM Page 1 Introduction MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server is designed for advanced... objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam: Install ISA Server Installation modes include integrated, firewall, and cache Construct and modify the Local Address Table (LAT) Calculate the size of and configure the cache There are two versions of ISA Server: Objective Explanations:... Proxy Server 2.0 Configuration Backup 531 B ISA Setup Log 539 C ISA Upgrade Log 599 D Glossary 611 E Overview of the Certification Process 619 F What’s on the CD-ROM 625 G Using the ExamGear, Training Guide Edition Software 627 Index Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 00a mcse FrontMatter 6/5/01 3:26 PM Page xviii Please purchase PDF Split-Merge on www.verypdf.com... “Install ISA Server Enterprise Edition.” 3 Enterprise edition See the section, “Install ISA Server Enterprise Edition.” 4 Modify the Active Directory Schema This must be done to provide the objects and attributes necessary Active Directory is necessary to provide centralized management of multiple ISA Servers No Active Directory, no arrays, no centralized management See the section, “Installing the ISA Server. .. Firewall Chaining Configuration Using ISA Management Console from a Remote Computer 25 8 Using Terminal Services to Manage ISA Server 26 Managing and Limiting ISA Dial-Up Connections 9 Chapter Summary Exercises Troubleshooting ISA Server Dial-Up Connections 27 27 Review Questions 10 29 Exam Questions 31 Answers to Review Questions Routing and Remote Access Service Versus ISA Server Chapter Outline: Learning... Networking using ISA Server as endpoints When you have finished this section, you have toured most of the operations available to standalone ISA Servers Part III, “Configuring, Managing, and Troubleshooting Policies and Rules” continues the discussion of controlling access by defining packet filters, and then describes operations that involve the Enterprise edition of ISA Server Enterprise edition ISA Servers can... Directory for increased security and management possibilities Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 01 mcse Intro 2 6/5/01 11:53 AM Page 2 MCSE TRAINING GUIDE (70-227): ISA SERVER While simple Web-proxy configuration allows internal clients outbound access to the Internet dependent on the ISA Server policies, additional client options exist SecureNAT, Web proxy, and . ISA Server 2000 MCSE Roberta Bragg Exam 70-227 TRAINING GUIDE 00a mcse FrontMatter 6/5/01 3:26 PM Page i Please purchase PDF Split-Merge on www.verypdf.com. 68 00a mcse FrontMatter 6/5/01 3:26 PM Page vi Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. vii 3 Installing ISA Server