DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 30
Size: 1.02 MB
Contents
Chapter 1 INTRODUCTION: WHAT IS ISA SERVER? 33

Bandwidth Rules
Bandwidth rules can set priorities for requests according to protocol definitions, destination sets, schedule, client address set, content group, and required priority.

Protocol Rules
Protocol rules identify which protocols clients can use to access the Internet. These rules are processed at the application level. Protocol definitions are preconfigured, but can also be added. Additional protocols are made available by installing application filters.

Site and Content Rules
Site and content rules define which sites, and what types of content, can be accessed. They are further distinguished by definitions of destination sets, schedules, and users.

Application Filters
Application filters extend the firewall client access capabilities and restrictions. They can perform additional tasks such as authentication or virus checking. Third-party application filters can be added. The following application filters (extensions) are installed with ISA Server:
• File Transfer Protocol (FTP) access filter. Dynamically opens ports, and performs address translation for SecureNAT clients.
• H.323 protocol filter. Uses H.323 protocol definitions (added when the H.323 gatekeeper is installed) to allow incoming and outgoing H.323 calls, audio, video, and application sharing.
• HyperText Transfer Protocol (HTTP) redirector filter. Forwards HTTP requests from SecureNAT and firewall clients to the Web Proxy service.
• Intrusion detection filters. DNS and POP intrusion detection filters.
• Remote Procedure Call (RPC) filter. Enables publishing of RPC servers.
02 mcse CH01 6/5/01 11:54 AM Page 33 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
34 Part I INSTALLATION AND UPGRADE
• SOCKS filter. Forwards requests from SOCKS applications to the firewall service.
• Simple Mail Transfer Protocol (SMTP) filter. Accepts and inspects SMTP traffic arriving on port 25.
• Streaming media filter. Allows client access and server publishing of Microsoft Windows Media (MMS), Progressive Networks protocol (PNM or RealPlayer), and Real Time Streaming Protocol (RTSP or RealPlayer G2 and QuickTime 4).

How Rules and Filters Combine to Implement Policy
Protocol rules, site and content rules, and application filters determine whether a given request is allowed or denied. The following list describes the interaction of protocol rules and site and content rules. Figure 1.14 presents the information in a flowchart.
1. A client requests an object using a specific protocol.
2. If a protocol rule specifically denies the use of the protocol, the request is denied.
3. If a protocol rule and a site and content rule allow access to the object, the request is allowed.
4. If no protocol rule exists for the protocol, the request is denied.
5. If a site and content rule exists that specifically denies the request, the request is denied.
6. If a site and content rule denies an HTTP request, the request can be redirected to another location.
7. If no site and content rule exists matching the request, the request is denied.

FIGURE 1.14 Finding the backup and restore utilities. [Flowchart: a client request using protocol A passes through the decision nodes "Does a protocol rule deny protocol A?", "Does a protocol rule allow protocol A?", "Does a site and content rule deny protocol A?", "Is this a request for HTTP?" (if so, it can be redirected to another location and the process begins again), and "Does a site and content rule allow protocol A?"; each YES/NO branch ends in Request Denied or Request Allowed.]

Tiered Policies: Both Enterprise and Array Level
Policies can be configured at both the Enterprise (Enterprise edition) and Array level. When the Enterprise edition is installed and integrated with the Active Directory, Enterprise policy configuration determines the effectiveness of Array policy. Where allowed, array level policies can further restrict Enterprise policies. Thus, a tiered policy can be implemented. Figure 1.15 presents a logical view of just such a tiered policy. In the Middle Earth Enterprise Policy, access to all Web sites is allowed. In the Baggins array, site access is restricted by site and content rules. In the Wizards array, rules are used heavily to determine who can use which protocol to access what content at what time of day.

WARNING: Watch What You Delete! An application filter may add protocol definitions. If it is later disabled, these definitions are disabled, thus any requests that use these definitions will be denied. For example, if the streaming media application filter is disabled, Windows Media and Real Networks protocols are blocked.

FIGURE 1.15 Tiered policy: a logical view of the Middle Earth Enterprise. [Diagram: Middle Earth Enterprise Policy - Access to all Allowed; Baggins Array: Site and Content Rules Restrict Access; Wizard Array: Protocol Rules; Site and Content Rules.]

Bandwidth Control
Bandwidth rules set priorities for all communications that pass through the ISA Server. Bandwidth priorities (see Figure 1.16) define the priority for outbound/inbound communications by setting a number from 1 to 200 (where 200 allows the maximum bandwidth). Bandwidth rules are applied depending on matches between a combination of users, groups, destinations, protocols, schedules, and content groups. If a communication fits the rule, the bandwidth priority assigned to the rule is assigned to the communication.
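The seven-step evaluation order above, the Enterprise/Array tiering, and the bandwidth-priority assignment can be read as one request pipeline. The following Python model is an added illustration for this chapter, not ISA Server code and not something the book supplies: the Rule and Request types, the user, host and array names (borrowed from the Figure 1.15 example), and the DEFAULT_PRIORITY value are constructed assumptions, and the model leaves out application filters, which in the real product also take part in the decision. The seven steps collapse into a precedence order: an explicit protocol deny wins, an allow needs a matching protocol rule and a matching site and content rule, and an HTTP request denied by a site and content rule may be redirected instead.

```python
"""Model of ISA Server 2000 request evaluation: the seven-step protocol-rule /
site-and-content-rule order, Enterprise/Array tiering, and bandwidth-rule
priority.  Added illustration, not ISA Server code; every rule, user, host
and the DEFAULT_PRIORITY value below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Request:
    protocol: str     # protocol definition name, e.g. "HTTP", "FTP"
    destination: str  # host the client asked for
    user: str
    hour: int         # hour of day (0-23), matched against schedules

@dataclass
class Rule:
    """One rule of any of the three kinds; None means 'matches anything'."""
    name: str
    action: str = "allow"                    # "allow" or "deny"
    protocols: Optional[Set[str]] = None     # protocol definitions
    destinations: Optional[Set[str]] = None  # destination set
    users: Optional[Set[str]] = None
    hours: Optional[range] = None            # schedule
    redirect_to: Optional[str] = None        # HTTP deny may redirect here
    priority: int = 0                        # bandwidth rules only, 1-200

def matches(rule: Rule, req: Request) -> bool:
    return ((rule.protocols is None or req.protocol in rule.protocols)
            and (rule.destinations is None or req.destination in rule.destinations)
            and (rule.users is None or req.user in rule.users)
            and (rule.hours is None or req.hour in rule.hours))

def evaluate(req, proto_rules, sc_rules) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is 'allowed', 'denied' or 'redirected'."""
    # Step 2: a protocol rule that specifically denies the protocol wins.
    for r in proto_rules:
        if r.action == "deny" and matches(r, req):
            return "denied", f"protocol rule '{r.name}'"
    # Step 4: no protocol rule allows this protocol.
    if not any(r.action == "allow" and matches(r, req) for r in proto_rules):
        return "denied", f"no protocol rule allows {req.protocol}"
    # Steps 5 and 6: a site and content rule that denies; HTTP may be redirected.
    for r in sc_rules:
        if r.action == "deny" and matches(r, req):
            if req.protocol == "HTTP" and r.redirect_to:
                return "redirected", r.redirect_to
            return "denied", f"site and content rule '{r.name}'"
    # Step 3: protocol allowed and a site and content rule allows the object.
    for r in sc_rules:
        if r.action == "allow" and matches(r, req):
            return "allowed", f"site and content rule '{r.name}'"
    # Step 7: no site and content rule matched.
    return "denied", f"no site and content rule matches {req.destination}"

def evaluate_tiered(req, enterprise, array, array_may_restrict=True):
    """Enterprise policy first; the array policy can only narrow an Enterprise
    allow, and only when the Enterprise policy permits array restriction."""
    outcome = evaluate(req, *enterprise)
    if outcome[0] != "allowed" or not array_may_restrict:
        return outcome
    return evaluate(req, *array)

DEFAULT_PRIORITY = 100  # constructed: the default bandwidth rule's priority

def bandwidth_priority(req, bw_rules) -> int:
    """First matching bandwidth rule wins (1-200, 200 = most bandwidth);
    otherwise the default bandwidth rule applies."""
    for r in bw_rules:
        if matches(r, req):
            return r.priority
    return DEFAULT_PRIORITY

# Constructed policy in the shape of Figure 1.15.
ENTERPRISE = ([Rule("all web", protocols={"HTTP", "HTTPS", "FTP"})],
              [Rule("any site")])
BAGGINS = ([Rule("web", protocols={"HTTP", "HTTPS", "FTP"})],
           [Rule("no games", "deny", destinations={"games.example"},
                 redirect_to="http://intranet.example/policy"),
            Rule("rest")])
WIZARDS = ([Rule("ftp staff", protocols={"FTP"}, users={"gandalf"}),
            Rule("web", protocols={"HTTP", "HTTPS"})],
           [Rule("office hours", hours=range(8, 18))])
BANDWIDTH = [Rule("video low", protocols={"RTSP", "MMS"}, priority=20),
             Rule("staff high", users={"gandalf"}, priority=180)]

if __name__ == "__main__":
    for req, array in [(Request("HTTP", "games.example", "bilbo", 10), BAGGINS),
                       (Request("FTP", "files.example", "frodo", 10), WIZARDS),
                       (Request("HTTP", "news.example", "gandalf", 22), WIZARDS)]:
        print(req.user, req.protocol, req.destination, "->",
              evaluate_tiered(req, ENTERPRISE, array),
              "priority", bandwidth_priority(req, BANDWIDTH))
```

Running the module shows the three cases the chapter describes: the Baggins array redirects an HTTP request for a denied site, the Wizards array denies FTP to a user its protocol rules do not cover even though the Enterprise policy allows FTP, and a request outside the Wizards schedule falls through to step 7 and is denied. Passing array_may_restrict=False models an Enterprise policy that does not let arrays tighten it, so only the Enterprise decision counts.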
All requests are evaluated and bandwidth apportioned accordingly. (If no bandwidth rule fits, the default bandwidth rule applies.)

Logging and Reporting
Logging can be configured to store data in a file (W3C extended log file format, or ISA Server file format), Access, or SQL Server database. New logs are created daily, weekly, monthly, or yearly as configured. Logging can be configured separately for
• Packet filters
• Firewall service
• Caching service
The fields that are logged depend on the service that is being logged and the selection from a list of log fields displayed in the service property pages. Figure 1.17 shows the default fields selected for the Packet filter log. Besides the logs, ISA Server can be configured to produce a number of predefined reports. Reports include:
• Summary report. Illustrates traffic usage.
• Web usage reports. Top users, common responses, and browsers.
• Application usage reports. Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
• Traffic and utilization reports. Total Internet usage by application, protocol, and direction.
• Security reports. Attempts to breach network security.

FIGURE 1.16 A bandwidth rule can be applied to specific users, groups, destinations, protocols, bandwidth priorities, schedules, and content groups.
FIGURE 1.17 Default log fields for packet filters.

By now you should have a fair picture of the services and features offered by ISA Server. At this point, it is easy to be overwhelmed with the dizzying array of features and configuration options. However, it is not necessary to have every potential usage and arrangement figured out. If you complete the exercises and questions throughout this book you will have ample time and exposure to solidify your understanding. What is appropriate now is that you are aware of ISA's many facets and can therefore consider them as you approach the next chapters on preinstallation configuration, installation, and migration.

CHAPTER SUMMARY

KEY TERMS
• Internal network
• External network
• Private network
• Public network
• Web Proxy service
• Firewall service
• Web Proxy clients
• SecureNAT clients
• Firewall clients
• Firewall mode
• Caching mode
• Integrated mode
• Winsock applications
• SOCKS applications
• Local Address Table (LAT)
• Packet filtering
• Circuit-level filtering
• System hardening
• Virtual Private Networking
• Intrusion detection
• All ports scan attack
• IP half scan attack
• Land attack
• UDP bomb attack
• Enumerated port scan attack
• Windows out-of-band attack
• Ping of death attack
• Web caching server
• Reverse caching
• Forward caching
• Hierarchical caching
• Chaining
• Distributed caching
• Cache Array Routing Protocol (CARP)
• H.323 gatekeeper
• Tiered policy
• Enterprise policy
• Array policy
• Secure Sockets Layer (SSL)

APPLY YOUR KNOWLEDGE

Review Questions
1. The firewall service, firewall client and application filters work together to handle requests for connections with non-HTTP applications over the Internet. There is no firewall client software for Unix and Macintosh systems, yet they need to use SOCKS applications. How can SOCKS connections be handled through ISA Server?
2. The XYZ company does not want to add additional client software to their systems, yet they would like the benefits of Web caching on their network. Can ISA Server perform this function?
3. Chalmers Expediation Corp. would like to increase availability, efficiency, and protection for their Web site. How can this be accomplished with ISA Server?
4. How can ISA Server be tuned to assure that updated information from commonly used Web pages is readily available from the cache?

Exam Questions
1. Access to the Internet is provided to a large number of people in your company. IT is centralized and all caching servers are required to be located in the same location at your single geographical site. Which type of caching is best for you?
A. Scheduled caching
B. Reverse caching
C. Chaining
D. Forward caching
E. Distributed caching
2. In your large company, users are arranged in convenient workgroups. The company mandate requires that resources be as close to user communities as is possible. What type of caching will be best for you?
A. Scheduled caching
B. Reverse caching
C. Chaining
D. Forward caching
E. Distributed caching
3. The following servers would be good candidates for ISA Server Hosting Services.
A. A public Web server
B. An intranet server only used by employees at the office
C. An intranet server available to all employees
D. Exchange Server
4. In a highly distributed environment where departments manage their own IT resources, some departments require stricter control of inbound and outbound access to network resources. The best solution in this case is
A. An Enterprise policy that does not allow Array policies to further restrict it.
B. An Enterprise policy that does allow Array policies to further restrict it.
C. An Array policy that does not allow Enterprise policies to further restrict it.
D. An Array policy that does allow Enterprise policies to further restrict it.
5. You need to provide server publishing. In what mode should you install ISA Server?
A. Caching
B. Firewall
C. Integrated
D. Mixed
6. Policies can be written that restrict access to Web resources by
A. Protocol
B. User group
C. Bandwidth request
D. Client IP address
E. Time of day

Answers to Review Questions
1. SOCKS connections are filtered via a SOCKS filter. The filter forwards requests to the ISA firewall service. No additional client software is needed. See the sections "ISA Server Clients" and "ISA Server Is a Multilayered Enterprise Firewall."
2. Client software does not have to be installed to support the caching of HTTP, FTP, and HTTPS resources. Clients must "point" their browser to the ISA Server. These clients are called Web Proxy Clients. See the section "ISA Server Clients."
3. Installing ISA Server in integrated mode and configuring it for reverse caching, Web server publishing, and firewall protection. See the sections "ISA Server Is a Multilayered Enterprise Firewall" and "Reverse Caching."
4. Use scheduled caching. See the section "Scheduled Caching."

Answers to Exam Questions
1. D, E, A. Distributed caching places a number of ISA Servers in an array and Web requests are cached in a distributed fashion amongst the servers. Forward caching caches Web requests. B is for caching Web pages from a published internal Web server. C allows caching of resources at multiple geographical or workgroup locations. See the section "ISA Server as a High-Performance Web Caching Server."
2. C, D, A. Chaining allows the location of multiple arrays of ISA Servers in a workgroup setting. Each array can forward its request to another in the hierarchy and eventually requests reach the perimeter array. Each ISA Server in the chain will store the content in its cache. See the section "ISA Server as a High-Performance Web Caching Server."
3. A, C, D. Public Web sites are perfect candidates. They can be protected and yet external guests can access their resource. Mail servers and intranet servers that need to be available to traveling employees or those that telecommute will also work well as hosted services. B is incorrect; you should not unnecessarily expose any server to the Internet. See the section "ISA Server Hosting Services."
4. B. Array policies can restrict Enterprise policies if the Enterprise policy is written to allow this. C and D are incorrect. Enterprise policies restrict array policies, but this is not done with the array policies' special consent. A is also incorrect.
5. B, C. Firewall mode provides server publishing capabilities. Integrated mode would also provide this. (Web publishing is available in either firewall or caching mode.) A is incorrect. Caching mode alone will not provide server publishing. D is incorrect; there is no such thing. See the section "Firewall, Caching or Integrated Modes."
6. A, B, D, E. Protocol, user group, IP address, and time of day (schedule) can all be used to restrict access. C is incorrect. Users cannot "request" an amount of bandwidth. See the section "Policy-Based Access Rules." See the section "ISA Server Provides Integrated, Centralized Management and Control."

Suggested Readings and Resources
1. "Features Overview," a white paper at http://www.microsoft.com/isaserver/productinfo/features.htm.
2. "Microsoft's New Firewall: Just Where Do You Think You're Going Today?" a GIGA Information Group document by Steve Hunt available at http://www.microsoft.com/isaserver/productinfo/ISAGiga.pdf.

[...]
FIGURE 2.3 Hierarchical caching. [Diagram: the Internet connected to a chain of ISA Servers.]
FIGURE 2.4 Combination hierarchical and distributed caching. [Diagram: the Internet connected to a hierarchy of ISA Server arrays.]

[...] segment, and do so before installing ISA Server software. If you will be publishing internal Web servers or other servers, verify connectivity between these servers and the ISA Server computer prior to installing ISA Server. These servers should also have static IP addresses.

Verify Internet Connectivity
Verify Internet connectivity before installing ISA Server. ISA Server does not create a connection to [...]

[...] integrate ISA Server in an Active Directory domain to benefit from its use. ISA Server can be installed as a standalone server without AD integration. Domain membership of the Windows 2000 server on which ISA Server will reside is not necessary if ISA Server will be installed as a standalone server. However, if the Windows 2000 server is a domain member, this will not prevent the installation of ISA Server in [...]

• Routing and Remote Access. ISA Server provides remote connectivity and extends RRAS. ISA can use the dial-up entries configured for RRAS (RRAS can run on the ISA Server). You should allow ISA packet filtering to replace RRAS packet filtering and allow the ISA Server to provide remote connectivity for internal clients.
• IIS Server. IIS server is not required on an ISA Server. It can run on one. However, [...]

[...] public users to access the Web server. Set the IIS Server to listen on a port different than port 80, as ISA Server listens for inbound Web requests on that port.
• Internet Connection Sharing (ICS). ISA Server replaces the need to run Internet Connection Sharing.
• IPSec. ISA Server can be configured as an IPSec/L2TP VPN server.
• Terminal services may be installed on the ISA Server for remote administration [...]

[...] Options."

NOTE: Identd. When a client operates behind a firewall it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.

ISA Server Mode and Array Considerations
What will be the role of the ISA Server? Will it act as a firewall, Web caching server, publishing [...]

[...] not a good idea to enable additional applications on the ISA Server. According to a Microsoft publication, "Deployment of ISA Server at Microsoft: Planning, Deploying and Lessons Learned," available at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm, the following services should be disabled on the ISA Server because they are not necessary. Disabling unnecessary services is a good security practice [...]

[...] publishing server, H.323 Gateway, or a combination of these features? When you consider the role of the ISA Server, go beyond the three basic role choices of firewall, caching, and integrated and explore features that each will allow. Will several ISA Servers be installed into an array? Into multiple arrays? Are ISA Server or Microsoft Proxy Server 2.0 systems or arrays already in place? Will Proxy Server [...]

[...] Hardware Checksum
• SMTP service. In order to install the ISA Server Message Screener option, you need to install the Windows 2000 SMTP service.
• IIS. Generally, you should not install IIS on the Windows computer on which you will be installing ISA Server. IIS is not required for ISA Server.
• Domain membership/server role. It is recommended that ISA Server not be installed on a Windows 2000 domain controller [...]

[...] objectives for the "Installing ISA Server" section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam. Preconfigure network interfaces. Verify Internet connectivity before installing ISA Server. Verify DNS name resolution. If the ISA Server installation is to succeed, preinstallation issues must be resolved. If this server is to control access [...]