MCSE ISA Server 2000 Document - P2 pdf


MCSE TRAINING GUIDE (70-227): ISA SERVER

INTRODUCTION

  • Key terms. A list of key terms appears at the end of most chapters.
  • Notes. These appear in the margin and contain various kinds of useful information, such as tips on technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
  • Warnings. When using sophisticated information technology, there is always the potential for mistakes or even catastrophes that can occur because of improper application of the technology. Warnings appear in the margin to alert you to these potential problems.
  • In the field. These more extensive discussions cover material that might not be directly relevant to the exam but that is useful as reference material or in everyday practice. These tips might also provide useful background or contextual information necessary for understanding the larger topic under consideration.
  • Exercises. Found at the end of the chapters in the “Apply Your Knowledge” section, exercises are performance-based opportunities for you to learn and assess your knowledge. Solutions to the exercises, when applicable, are provided later in a separate section titled “Answers to Exercises.”

- Extensive practice test options. This book provides numerous opportunities for you to assess your knowledge and to practice for the exam. The practice options include the following:
  • Review Questions. These open-ended questions appear in the “Apply Your Knowledge” section at the end of each chapter. They allow you to quickly assess your comprehension of what you just read in each chapter. Answers to the questions are provided later in a separate section titled “Answers to Review Questions.”
  • Exam Questions. These questions also appear in the “Apply Your Knowledge” section. Use them to help you determine what you know and what you need to review or study further. Answers and explanations for exam questions are provided in a separate section titled “Answers to Exam Questions.”
  • Practice Exam. A practice exam is included in the “Final Review” section. The “Final Review” section and the practice exam are discussed later in this list.
  • ExamGear. The special Training Guide version of the ExamGear software included on the CD-ROM provides further opportunities for you to assess how well you understand the material in this book.

- Final Review. This part provides you with three valuable tools for preparing for the exam:
  • Fast Facts. This condensed version of the information contained in this book will prove extremely useful for a last-minute review.
  • Study and Exam Prep Tips. Read this section early on to help you develop study strategies. This section also provides you with valuable exam-day tips and information on exam/question formats, such as adaptive tests and case study-based questions.
  • Practice Exam. A practice exam is included in this section. Questions are written in styles similar to those used on the actual exam. Use this to assess your understanding of the material in this book.

This book contains several other features, including a section titled “Suggested Readings and Resources” at the end of each chapter that directs you toward further information that could aid you in your exam preparation or your actual work. Valuable appendixes are also included, as well as a glossary (Appendix D), an overview of the Microsoft certification process (Appendix E), and a description of what is on the CD-ROM (Appendix F).

For more information about the exam or the certification process, contact Microsoft:

Microsoft Education: 1-800-636-7544
Internet: ftp://ftp.microsoft.com/Services/MSEdCert
World Wide Web: http://www.microsoft.com/train_cert
CompuServe Forum: GO MSEDCERT

WHAT THE INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT INTERNET SECURITY AND ACCELERATION (ISA) SERVER EXAM (70-227) COVERS

- Installing ISA Server
- Configuring and Troubleshooting ISA Server Services
- Configuring, Managing, and Troubleshooting Policies and Rules
- Deploying, Configuring, and Troubleshooting the Client Computer
- Monitoring, Managing, and Analyzing ISA Server Use

Before taking the exam, you should be proficient in the job skills represented by the following units, objectives, and subobjectives.

Installing ISA Server

Preconfigure network interfaces.
- Verify Internet connectivity before installing ISA Server.
- Verify DNS name resolution.
Install ISA Server.
- Construct and modify the local address table (LAT).
- Calculate the size of and configure the cache.
- Install an ISA Server computer as a member of an array.
Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server.
- Back up the Proxy 2.0 Server configuration.
Troubleshoot problems that occur during setup.

Configuring and Troubleshooting ISA Server Services

Configure and troubleshoot outbound Internet access.
Configure ISA Server hosting roles.
- Configure ISA Server for Web publishing.
- Configure ISA Server for server proxy.
- Configure ISA Server for server publishing.
Configure H.323 Gatekeeper for audio and video conferencing.
- Configure gatekeeper rules. Rules include telephone, email, and Internet Protocol.
- Configure gatekeeper destinations by using the Add Destination Wizard.
Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.
- Set up and verify routing rules for static IP routes in Routing and Remote Access.
Configure Virtual Private Network (VPN) access.
- Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard.
- Configure the ISA Server computer for VPN pass-through.
- Configure multiple ISA Servers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

Configuring, Managing, and Troubleshooting Policies and Rules

Configure and secure the firewall in accordance with corporate policies.
- Configure the packet filter rules for different levels of security, including system hardening.
- Create and configure access control and bandwidth policies.
- Create and configure site and content rules to restrict Internet access.
- Create and configure protocol rules to restrict Internet access.
- Create and configure routing rules to restrict Internet access.
- Create and configure bandwidth rules to control bandwidth usage.
Troubleshoot access problems.
- Troubleshoot user-based access problems.
- Troubleshoot packet-based access problems.
Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups.
Manage ISA Server arrays in an enterprise.
- Create an array of proxy servers.
- Assign an enterprise policy to an array.

Deploying, Configuring, and Troubleshooting the Client Computer

Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.
Configure and troubleshoot the client computer for secure network address translation (SecureNAT).
Install the Firewall client software. Considerations include the cost and complexity of deployment.
- Troubleshoot autodetection.
Configure the client computer’s Web browser to use ISA Server as an HTTP proxy.

Monitoring, Managing, and Analyzing ISA Server Use

Monitor security and network usage by using logging and alerting.
- Configure intrusion detection.
- Configure an alert to send an email message to an administrator.
- Automate alert configuration.
- Monitor alert status.
- Troubleshoot problems with security and network usage.
- Detect connections by using Netstat.
- Test the status of external ports by using Telnet or Network Monitor.
Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.
Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis.
- Analyze the performance of the ISA Server computer by using Performance Monitor.
- Analyze the performance of the ISA Server computer by using reporting and logging.
- Control the total RAM used by ISA Server for caching.

HARDWARE AND SOFTWARE YOU’LL NEED

As a self-paced study guide, MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server is meant to help you understand concepts that must be refined through hands-on experience. To make the most of your studies, you must have as much background on and experience with all versions of Windows 2000 (Professional, Server, and Advanced Server) as possible, and with running ISA Server in standalone and array-based scenarios. The best way to do this is to combine studying with work on ISA Server installations. This section gives you a description of the minimum computer requirements that you need to enjoy a solid practice environment.

- At least two Windows 2000 Servers and at least two client machines. More server computers and more clients allow you a richer set of study systems with which to deploy typical scenarios.
- All computers running Windows 2000 should be, or their components should be, on the Microsoft Hardware Compatibility List.
- Pentium II (or better) processor.
- 2GB (or larger) hard disk.
- VGA (or Super VGA) video adapter and monitor.
- Mouse or equivalent pointing device.
- CD-ROM drive.
- All clients should have a Network Interface Card (NIC).
- Ideally, both servers should have two Network Interface Cards, and one should have a modem.
- Alternatively, the modem on one server can serve as the second interface, but both servers should have two networking interfaces.
- Presence on a test network. This can be created using multiple small hubs. Exercises for VPN are best experienced with the creation of three physical subnets within the test network. It is not advisable to perform ISA Server exercises on a production network.
- Internet access is not required, but can be advantageous in many exercises. Otherwise you can simulate access to Web sites by placing a test Web server on the external side of the ISA Server in the test network.
- 128MB of RAM on each server (256MB recommended).
- Windows 2000 SP 1 or latest service pack.
- Hotfix rollup for ISA Server is required prior to the release of SP 2.

It is fairly easy to obtain access to the necessary computer hardware and software in a corporate business environment. It can be difficult, however, to allocate computers to a test network and to allocate enough time within the busy work day to complete a self-study program. Most of your study time will occur after normal working hours, away from the everyday interruptions and pressures of your regular job.

ADVICE ON TAKING THE EXAM

More extensive tips are found in the “Final Review” section titled “Study and Exam Prep Tips,” but keep this advice in mind as you study:

- Read all the material. Microsoft has been known to include material not expressly specified in the objectives. This book has included additional information not reflected in the objectives in an effort to give you the best possible preparation for the examination—and for the real-world experiences to come.
- Do the Step by Step tutorials and complete the Exercises in each chapter. They help you gain experience using the specified methodology or approach. All Microsoft exams are task- and experience-based and require you to have experience actually performing the tasks on which you will be tested.
- Use the questions to assess your knowledge. Don’t just read the chapter content; use the questions to find out what you know and what you don’t. You also need the experience of analyzing case studies. If you are struggling at all, study some more, review, and then assess your knowledge again.
- Review the exam objectives. Develop your own questions and examples for each topic listed. If you can develop and answer several questions for each topic, you should not find it difficult to pass the exam.

Remember, the primary object is not to pass the exam—it is to understand the material. After you understand the material, passing the exam should be simple. Knowledge is a pyramid; to build upward, you need a solid foundation. This book and the Microsoft Certified Professional programs are designed to ensure that you have that solid foundation.

Good luck!

NEW RIDERS PUBLISHING

The staff of New Riders Publishing is committed to bringing you the very best in computer reference material. Each New Riders book is the result of months of work by authors and staff who research and refine the information contained within its covers.

As part of this commitment to you, the NRP reader, New Riders invites your input. Please let us know if you enjoy this book, if you have trouble with the information or examples presented, or if you have a suggestion for the next edition.
Please note, however, that New Riders staff cannot serve as a technical resource during your preparation for the Microsoft certification exams or for questions about software- or hardware-related problems. Please refer instead to the documentation that accompanies the Microsoft products or to the applications’ Help systems.

If you have a question or comment about any New Riders book, there are several ways to contact New Riders Publishing. We respond to as many readers as we can. Your name, address, or phone number will never become part of a mailing list or be used for any purpose other than to help us continue to bring you the best books possible. You can write to us at the following address:

New Riders Publishing
Attn: Al Valvano
201 W. 103rd Street
Indianapolis, IN 46290

If you prefer, you can fax New Riders Publishing at 317-581-4663.

You also can send email to New Riders at the following Internet address: nrfeedback@newriders.com

NRP is an imprint of Pearson Education. To obtain a catalog or information, contact us at nrmedia@newriders.com. To purchase a New Riders book, call 1-800-428-5331.

Thank you for selecting MCSE Training Guide: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server.

CHAPTER 1

Introduction: What Is ISA Server?

OBJECTIVES

This chapter does not fulfill a specific Microsoft-specified objective for the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam; however, it does lay a solid foundation on which to approach the objectives and other chapters in this book.

OUTLINE

Introduction
Architecture Overview
ISA Server Clients
Web Proxy Clients
Firewall Clients
SecureNAT Clients
ISA Server Is a Multilayered Enterprise Firewall
Packet Filtering
Circuit-Level Filtering
Application-Level Filtering
Stateful Inspection
Built-In Intrusion Detection
System Hardening Templates
Virtual Private Networking
ISA Server Is a High-Performance Web Caching Server
Reverse Caching
Forward Caching
Scheduled Caching
Distributed Caching
Hierarchical Caching or Chaining
ISA Server Hosting Services
ISA Server Provides Integrated, Centralized Management and Control
Enterprise or Standard Editions
Firewall, Caching, or Integrated Modes
Policy-Based Rules
Bandwidth Rules
Protocol Rules
Site and Content Rules
Application Filters
How Rules and Filters Combine to Implement Policy
Tiered Policies: Both Enterprise and Array Level
Bandwidth Control
Logging and Reporting
Chapter Summary
Apply Your Knowledge
Review Questions
Exam Questions
Answers to Review Questions
Answers to Exam Questions

STUDY STRATEGIES

- Use this section as an introduction to ISA Server concepts, vocabulary, and features.
- As you review the material, focus on where you might use an ISA Server.
- If you have knowledge of how Proxy Server 2.0 works, see if you can identify key differences in the two products. You should realize that ISA Server is not Proxy 3.0.
- If you have knowledge of competing firewalls and caching servers, identify advantages and disadvantages of these systems versus ISA Server.
INTRODUCTION

This chapter, while it does not speak directly to a particular exam objective, helps you identify exactly what ISA Server is by presenting a broad overview of its features and capabilities.

Microsoft Internet Security and Acceleration Server is an engaging combination of a firewall and caching server. It can be used to protect the enterprise from external access while allowing internal users access to the Internet. It can be used to improve Web access performance by caching downloaded Web information.

These modes—firewall and caching—can be implemented separately or integrated. Either way, a rich collection of features awaits the curious administrator or engineer. But even more exciting, the Enterprise edition can provide centralized administration and enterprise policy implementation. No longer must a panoply of firewalls be uniquely configured one at a time and laboriously checked for the maintenance of correct settings. Enterprisewide imperatives can be configured once, and their implementation and maintenance ensured on all servers.

It is important, before you delve into the study of this product, to briefly explore the range and extent of features available, and to explore the concepts that will form the basis of your understanding. This chapter will fulfill these goals. In short it covers:

- Architecture overview
- ISA Server clients
- ISA Server as a multilayered Enterprise firewall
- ISA Server as a high-performance Web-caching server
- ISA hosting services
- ISA Server provides integrated, centralized management and control
- ISA Server versions

Part I INSTALLATION AND UPGRADE

ARCHITECTURE OVERVIEW

Despite being multifaceted, all ISA Server services have a common goal: Protecting an internal, private network from an external network while allowing efficient access of the external network from the internal one. In English: Web surfing allowed and network penetration prevented.

The architecture that enables this is composed of four parts:

- Core services. The Web Proxy service for outbound access and the Firewall service for inbound protection and the management of protocol-specific filters.
- Clients and servers on the private network that desire access to the public network such as
  • Web proxy clients
  • SecureNAT clients
  • Firewall clients
  • Web servers, and other servers such as mail servers and databases
- Clients and servers on the private network that want no access, either inbound or outbound with the public network.
- The rest of the world represented by the Internet in most examples.

Figure 1.1 illustrates this overview. This is the world as we would like to see it, with the firewall protecting the internal network. Figure 1.2 is more representative, indicating that the ISA Server can only afford protection for and from those communications that must pass through it.

[...]

... the workgroup ISA Servers have access to the Internet, they refer their requests to the perimeter ISA Server.

[Figure 1.11: Workgroup ISA Server chaining]

ISA SERVER HOSTING...

... scheduled download of content.

Distributed Caching

ISA Servers are automatically installed in arrays, or collections of ISA Servers. Arrays can be composed of a single ISA Server or of multiple ISA Servers. Multiservers in a single array use the Cache...
... address of the ISA Server on the Peachweaver.com network in Grain Valley, MO.
9. The request is sent to the ISA Server.
10. The ISA Server finds the Web page in its cache and returns this to Bill. The internal server is not contacted at all.

... ISA Server on his network.
3. The ISA Server routes the request to the array in Grain Valley.
4. An ISA Server in Grain Valley makes a request on the Internet.
5. DNS resolves the request and the Microsoft home page is retrieved and returned to the ISA Server in Grain Valley.
6. The ISA Server in Grain Valley places the content in its cache.
7. The ISA Server in Grain Valley forwards the content to the ISA Server...

System Hardening Templates

An ISA Server Security Configuration Wizard can be used to apply system security settings to all servers in an array. Three security levels exist:

- Secure. For ISA Servers combined with other servers such as IIS, SMTP, or database servers...

... the URL to the IP address of the ISA Server on the Peachweaver.com network in Grain Valley, MO.
3. The request is sent to the ISA Server.
4. The ISA Server forwards the request to the actual Web server within the Peachweaver.com network (Web hosting settings on the ISA Server are established to forward port 80 requests to this server).
5. The home page is returned to the ISA Server and placed in its cache...
... filtering Yes Yes

Firewall, Caching, or Integrated Modes

Either version of ISA Server can be installed in one of three modes:

- Firewall. ISA Server is installed as a firewall.
- Caching. ISA Server is installed as a caching server.
- Integrated. ISA Server is both a firewall and a caching server.

Table 1.2 lists the features of ISA Server and identifies which features are available with each mode.

TABLE 1.2...

... ISA Server array in Grain Valley has a direct connection to the Internet. The ISA Server in Independence routes its requests to the ISA Server array in Grain Valley. Stu enters the URL for Microsoft in his browser.
2. Stu’s request is forwarded to the ISA...

... caching allows objects such as Web pages requested from internal servers by external clients to be stored on the ISA Server. The internal server is “published” or advertised to the public network through an option on the ISA Server. All requests for Web pages from the server come to the ISA Server and are forwarded to the internal Web server. Reverse caching is illustrated in Figure 1.4 and by the listing...

... for The New York Times in her browser.
2. Her request is forwarded to the ISA Server on her network.
3. The ISA Server issues a request for The New York Times home page.
4. DNS resolves the request and The New York Times home page is retrieved and returned to the ISA Server.
5. The ISA Server places the content in its cache.
6. The ISA Server forwards the content to Mary.
7. John also wants to read The New York

Date posted: 24/12/2013, 19:15
