Chapter 4 UPGRADING MICROSOFT PROXY 2.0 SERVER 123 á SOCKS rules from Proxy Server 2.0 are not migrated, ISA Server uses SOCKS application filters. You may need to con- figure, or adjust these. ISA Server listens on port 1080 for SOCKS requests. This can be changed. á ISA Server installs with only Windows integrated authentica- tion. This means that previously supported requests from non- IE/browsers are rejected. You need to configure basic authentication for Web requests. Information on how to do many of these post-installation configura- tion items is located in Chapter 5, “Outbound Internet Access,” and Chapter 6, “ISA Server Hosting Roles.” You will find that between the isasupgrade.log file and an examina- tion of the interface, you can quickly establish the status of migrated configurations. Many of these settings are even labeled as Proxy 2.0 related settings. Figures 4.9–4.13 show examples of migrated settings displayed in the ISA Server interface. M IGRATING THE M INDSET Proxy Server 2.0 and ISA Server use slightly different names for sim- ilar processes. Part of the migration process is that it is necessary for the administrators to get used to the new system. Two items need to be contended with: á Different names and locations for similar concepts á New features and configuration processes New features and their configuration processes can be learned by using this book and practicing with the interface on a test network. The hardest thing about migrating to a new system is learning how to do what you already know how to do. Like most major product evolutions, ISA Server requires you to learn a new vocabulary and interface to just do what Microsoft Proxy Server 2.0 allowed you to do with a less fancy toolset. ISA Server, however, also adds an incredible array of new features and a granularity of effect that was not possible with Microsoft Proxy Server 2.0. Of course you can’t expect the same dashboard on an F-111 fighter as you find on your SUV. With a little bit of help and a little bit of patience, you can FIGURE 4.11 Proxy DomainFilter. FIGURE 4.12 Proxy DenySitesSet. 06 mcse CH04 6/5/01 11:58 AM Page 123 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 124 Part I INSTALLATION AND UPGRADE learn to maneuver in either and the new interface will soon feel like home. Table 4.5 can assist with vocabulary translation. TABLE 4.5 P ROXY - TO -ISA-D ICTIONARY Proxy Server 2.0 ISA Server Comment/Where Domain filter Site and content Restrict domain-site access by clients/ rules For array policies: /Servers and Arrays/name/access policy/site and content Rules For enterprise policies: /enterprise/poli- cies/enterprise policy/site and content rules Publish HTTP Create Web /Servers and sites publishing rules Arrays/Name/Publishing/Web Publishing Rules Restrict protocols Create protocol rule For array policies: /servers and arrays/name/access policy/protocol rules For enterprise policies: /enterprise/poli- cies/enterprise policy/protocol rules Create packet Create IP Servers and arrays/name/access policies/IP filters packet filter Packet filters Create alerts Create an alert Servers and arrays/name/monitoring configuration/alerts Configure routing Configure Web Servers and arrays/name/network Proxy Service configuration/routing routing Configure LAT Configure LAT Servers and arrays/name/network configuration/Local Address Table Configure cache Configure cache Servers and arrays/name/cache configuration FIGURE 4.13 Proxy site rules. 06 mcse CH04 6/5/01 11:58 AM Page 124 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 4 UPGRADING MICROSOFT PROXY 2.0 SERVER 125 Understanding the migration process from Proxy Server 2.0 has been the goal of this chapter. Although the actual process is straight- forward, numerous variables can combine to alter the expected result. It is always wise to understand the possibilities and plan for the operation rather than subject users to longer periods of down- time. Specifically, the following items were addressed: á The migration process á What’s migrated and what’s not á Post-migration activities á Helping Proxy administrators adjust to ISA Server This completes Part I, “Installation and Upgrade.” Part II, “Configuring and Troubleshooting ISA Server Services” covers the implementation, configuration, and troubleshooting of the following: á Outing Web access á Hosting roles á The H.323 gatekeeper á Remote access á Virtual Private Network integration C HAPTER S UMMARY KEY TERMS • Stateful inspection • Migration • Upgrade • Domain filter 06 mcse CH04 6/5/01 11:58 AM Page 125 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 126 Part I INSTALLATION AND UPGRADE A PPLY Y OUR K NOWLEDGE Exercises 4.1 Migrate a Windows NT 4.0/Proxy Server 2.0 to ISA Server This exercise will help you understand the upgrade path from Proxy Server 2.0 to ISA Server. By complet- ing it, you will be better prepared to plan and complete a migration from Proxy Server 2.0 to ISA Server. By configuring the Proxy 2.0 Server with domain filters, packet filters, and other settings, you will be able to see the transfer of configuration information from Proxy 2.0 to ISA Server. Estimated Time: 30 minutes 1. Remove the Proxy Server from the Internet and backup its configuration. 2. Disable and stop the Proxy services. 3. Install Windows 2000, SP 1 (or relevant SP) and any hotfixes. 4. Install ISA Server. Note progress reports and error messages. Review Questions 1. You currently have five Microsoft Proxy Server 2.0 systems in an array and need to upgrade them to ISA Server. Can you migrate this array while still maintaining caching services for Internet Access? How? 2. The ABC Carpet Company has a single Proxy Server 2.0 system running on Windows NT 4.0. They would like to know the preliminary steps they can do to get ready for migration. They want to minimize downtime when the actual migration takes place. What would you suggest? 3. Windows 2000 and the Active Directory have been deployed. The Proxy 2.0 system has been upgraded to Windows 2000 and the Proxy 2.0 upgrade has been installed so that Proxy 2.0 is now running correctly on a Windows 2000 server in a workgroup. What steps should be taken to upgrade the Proxy 2.0 Server to ISA Server? 4. Proxy 2.0 has been successfully upgraded to ISA Server. Where would you look to determine which configuration settings migrated? 5. Why is it important to backup the Proxy 2.0 configuration prior to beginning the migration process? 6. Why do you need to be a member of the Enterprise Admins group in order to migrate an array of Proxy 2.0 Servers to ISA Servers? 7. In the appendixes of this book are backup files and log files created during the migration of a Microsoft Proxy Server 2.0 system to ISA Server. Examine the logs and determine at least one spe- cific setting that did not migrate. Exam Questions 1. Three reasons to carefully check the newly migrated ISA Server before placing it back into service are A. Packet filters do not migrate, you will need to re-create them. B. Domain filters will need to be re-created as site and content rules. 06 mcse CH04 6/5/01 11:58 AM Page 126 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 4 UPGRADING MICROSOFT PROXY 2.0 SERVER 127 A PPLY Y OUR K NOWLEDGE C. Network configuration might have changed during the upgrade to Windows 2000. D. SOCKs rules from Proxy Server 2.0 are not migrated. E. Some alerts that are part of Proxy Server 2.0 are not part of ISA Server. 2. Your policy is to require all users to authenticate before accessing the Internet. Prior to migrating to ISA Server from Proxy 2.0 users using Netscape Navigator on Unix systems, could access the Internet. After migration, they cannot. How should this problem be resolved? A. Upgrade the Unix users to Windows 98. B. Modify ISA Server authentication to include “basic authentication.” C. Install the firewall client on the Unix systems. D. Modify ISA Server authentication to include “Digest Authentication.” 3. John is migrating six Proxy Server 2.0 systems to ISA Server. All Proxy Servers are in an array. These servers will be the first ISA Servers installed on his network. John will be creating a new array. He has initialized the Active Directory Schema with the ISA elements. He removes the a Proxy Server 2.0 system from the Proxy Server array, upgrades the system to Windows 2000, and installs ISA Server into a new array. The process completes successfully. John checks the new ISA Server to find out how its settings compare to those he configured for the Proxy Server 2.0 array. He finds the following: A. None of the Proxy Server 2.0 array settings have migrated to the new ISA Server array. B. The Proxy Server array settings have migrated to the ISA Server array (with the usual excep- tions). C. Only packet filter configuration migrates to the new array. D. Only packet filters and domain filters migrate to the new array. 4. Sally is getting ready to migrate the standalone Proxy Server 2.0 to ISA Server. Her first step is to backup the Proxy Server configuration. To do so, she A. Uses msbackup to backup the entire Proxy Server 2.0 system. B. Uses RDISK to backup the Registry because the configuration settings are in the Windows NT 4.0 Registry . C. Uses her third-party back-up system to do a backup. D. Uses the Proxy 2.0 back-up program from the Web Proxy service properties page. 5. Select the answer that lists (in the correct order) the steps to be taken to migrate from Proxy Server 2.0 to ISA Server. A. Back up Proxy Server configuration, upgrade server to Windows 2000, apply Service Pack 1, stop Proxy services, install ISA Server. B. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, install ISA Server. C. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, apply Service Pack 1, install ISA Server. 06 mcse CH04 6/5/01 11:58 AM Page 127 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 128 Part I INSTALLATION AND UPGRADE A PPLY Y OUR K NOWLEDGE D. Stop Proxy services, Back up Proxy Server configuration, upgrade server to Windows 2000, install ISA Server, apply Service Pack 1. 6. Nancy migrates Proxy Server 2.0 to ISA Server. She examines the newly migrated ISA Server and it appears to her that none of the Proxy Server settings migrated. What two things might be the issue? A. Sometimes the settings just don’t migrate. No one knows why. It’s just a feature. B. When asked if she wanted to migrate existing policies and settings to an ISA policy, she clicked the No button. C. The ISA Server was migrated to an existing ISA Server array. The Enterprise policy selected for this array does not allow array set- tings to vary from those selected at the enter- prise level. D. Immediately after migration, before putting the server back online, you must select the Use Migrated Settings option from the ISA Server Properties/General page. Nancy hasn’t done this yet. 7. After migration to an ISA server in cache mode, no users can access the Internet (they could prior to migration). What needs to be done to correct this situation? (Select all correct answers.) A. Upgrade all users to I.E. 5.0. B. Install the ISA Server firewall client on all systems. C. If the ISA Server is configured to allow discovery, be sure clients are configured to discover. D. Change the port for the Proxy Server in the properties of the client browsers from port 80 to port 8080. Answers to Review Questions 1. To maintain caching services for Internet Access during the migration process, take one Proxy Server offline at a time and migrate it. Remove one Proxy Server from the array. Remove its access to/from the Internet. Back it up and pre- pare it for migration. Initialize the AD Schema for ISA Server. Upgrade the server to Windows 2000 sp1. Install this server as the first ISA Server in a new array. Verify settings and place the array on-line. Begin migrating clients to this new array. Continue to migrate Proxy Server’s one at a time to the new array, and switch clients as more server’s come on-line. See the section, “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.” 2. ABC can do three things to minimize migration downtime. • Determine if the hardware on the existing machine will support Windows 2000. If nec- essary, upgrade any hardware or move the Proxy server to a new hardware platform and stabilize it prior to upgrading to Windows 2000. This prevents server upgrade issues from meaning large downtimes during the migration process. • Carefully examine their configuration settings and the data on which settings will migrate. This way, they are better prepared to quickly examine and do any necessary configuration after migration. 06 mcse CH04 6/5/01 11:58 AM Page 128 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 4 UPGRADING MICROSOFT PROXY 2.0 SERVER 129 A PPLY Y OUR K NOWLEDGE • Configure current clients for auto discovery. After migration, configure the ISA Server to allow discovery. (These steps avoid the large amount of time right after migration that would be used to modify browser settings.) See the sections, “Post Migration Necessities” and “The Migration Process.” 3. Backup the Proxy configuration, stop Proxy ser- vices, install ISA Server. See the section, “The Migration Process.” 4. You can examine the ISA Server interface. You can also examine the isasetup.log file. See the sec- tion, “Examine the Setup Logs.” 5. You backup the Proxy 2.0 configuration for two reasons. One, if something happens and the migration fails, you can install Proxy 2.0 and restore the saved settings. Two, you can inspect the configuration backup to determine what Proxy 2.0 configuration settings were, this will aide you in determining if the settings that you need have migrated or additional work needs to be done. See the section, “Backup the Proxy Server Configuration.” 6. To migrate an array of Proxy 2.0 servers to an array of ISA Servers requires you to first modify the Active Directory Schema. You need to be a member of the Enterprise Admins group, and the Schema modification group to modify the Active Directory Schema. See the section, “Migrating an Array.” 7. Alert Disk Full, ICMP Ping Query packet filter. See the section, “Review the Setup Logs.” Answers to Exam Questions 1. C, D, E. To enable SOCKs applications to work through ISA Server you will use application fil- ters—the SOCKs rules, therefore, do not migrate. Alerts do migrate, but not all Proxy Server 2.0 alerts are configurable on ISA Server. A is incorrect, packet filters do migrate. You should check them for correctness, however, A states they do not migrate, so this is not the rea- son to check. B is incorrect, domain filters will be migrated to site and content rules on their own. See the sections, “Post Migration Necessities” and “Predetermined Migration Effects.” 2. B. Proxy Server 2.0 can be set to allow both Basic authentication (can be used by all Web browsers) and Windows Integrated authentication (can only be used by Windows clients). Authentication settings after migration are set to allow only Windows Integrated Authentication. To enable Unix systems to once again access the Internet, you must modify authentication settings to allow basic authentication. Although A would also work, it is not the best answer and is not practical in most environments. C is not correct because there is no Microsoft ISA Server firewall client product for Unix. D is not correct because Digest Authentication, while more secure is only useful for Windows 2000 domain members. See the section, “Post migration necessities.” 3. B. The array settings can be migrated to the new array from the old. Therefore A is incorrect. C and D are incorrect because more than packet filters and domain filters will migrate. See the sec- tion, “Predetermined Migration Effects.” 06 mcse CH04 6/5/01 11:58 AM Page 129 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 130 Part I INSTALLATION AND UPGRADE A PPLY Y OUR K NOWLEDGE 4. D. Proxy Server 2.0 provides its own configura- tion backup program that is accessible from the properties page of any of its services. A and C are incorrect as they will backup the entire server; this is not necessary and may also not end up with the proxy configuration information neces- sary for a restore. B will backup the registry, but you only need the Proxy configuration informa- tion. See the section, “Backup the Proxy Configuration.” 5. C. A is incorrect. Proxy Server services should be stopped before upgrading to Windows 2000. B is incorrect. SP1 for Windows 2000 is required for installation of ISA Server. D is incorrect. SP1 should be applied before installing ISA Server. See the section, “The Migration Process.” 6. B, C. The option to not migrate existing policies is available during migration. When migrating the Proxy Server to an ISA array, the Enterprise settings that are active in the array will affect the migration of settings from Proxy. A is incorrect; settings do migrate. D Settings either migrate, or they don’t—there is no post-installation switch. See the sections, “Upgrade to Windows 2000 and Install ISA Server” and “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.” 7. C, D. ISA Server listens on port 8080 for client Web requests. Proxy listens on port 80. Client browsers must be adjusted. While installing the firewall client is correct, it is not necessary. A is incorrect. Upgrading the browsers is not neces- sary and will not change the identified port. B is incorrect, the firewall client is used for accessing Winsock applications through the firewall and is not supported in caching mode. (The firewall client is not necessary for Web browsing.) See the section, “Post Migration Necessities.” 1. The following items from the ISA Server Help: • Checklist: Migrating from Microsoft Proxy Server 2.0, from the Help system of ISA Server • Migrating Microsoft Proxy Server 2.0 configuration • Microsoft Proxy Server 2.0 array considerations • Migration process • New ways to do familiar tasks 2. Run Microsoft Proxy Server 2.0 on Windows 2000—Microsoft white paper at http://www.microsoft.com/proxy/Support/win 2kwizard.asp ? 3. “Why Migrate from Microsoft Proxy Server” http://www.microsoft.com/isaserver/pro- ductinfo/whymigrate.htm 4. Knowledge Base Article “Q251143 Problems Installing Proxy Server 2.0 Update in Windows 2000”, http://support.microsoft.com/support/kb/ar ticles/Q251/1/43.ASP Suggested Readings and Resources 06 mcse CH04 6/5/01 11:58 AM Page 130 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. II C ONFIGURING AND T ROUBLESHOOTING ISA S ERVER S ERVICES 5 Outbound Internet Access 6 ISA Server Hosting Roles 7 H.323 Gatekeeper 8 Dial-Up Connections and RRAS 9 ISA Virtual Private Networks PART 07 mcse Pt 2 6/5/01 11:59 AM Page 131 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 07 mcse Pt 2 6/5/01 11:59 AM Page 132 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... folder is the correct location.) Location Alerts ISA console root\Servers and Arrays\name\Monitoring\Alerts Arrays ISA console root\Servers and Arrays\name Enterprise ISA console root\Enterprise Enterprise Policy ISA console root\Enterprise\Policies\Enterprise Policy Gatekeeper ISA console root\H.323 Gatekeepers\H.323 gatekeeper server Sessions ISA console root\Servers and Arrays\name\Monitoring\Sessions... suggests the name ISA array_name Array Servers.” 4 In the root domain, create a local group for those approved to access the ISA Server objects Microsoft suggests the name ISA Enterprise Readers.” 5 Give the groups created in Step 2, the ISA Servers in the domain, membership in ISA Enterprise Readers 6 Also make the Domain Admins group from each domain a member in this group 7 Open the ISA Management... ISA Server without enabling packet filtering Should you do this you have just established ISA Server as a router and all inbound Internet packets will be routed to your internal network 08 mcse CH05 144 6/5/01 Par t II 12:00 PM Page 144 CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES á ICMP ping response(in) To the default IP address on the external computer from all remote computers (The ISA Server. .. remove this watermark 08 mcse CH05 6/5/01 12:00 PM Page 139 Chapter 5 OUTBOUND INTERNET ACCESS STEP BY STEP 5.1 Limiting Read Permissions 1 Open the Active Directory Users and Computers console 2 In each domain, create a global group to contain all the ISA Servers in that domain Microsoft suggests the name ISA Domain Servers.” 3 In each domain, create a global group for each ISA Server array Each group... Services\W3Proxy\Parameters Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 141 08 mcse CH05 142 6/5/01 Par t II 12:00 PM Page 142 CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES Local Access Table (LAT) If ISA Server is installed in firewall or integrated mode, the LAT must be configured The LAT enables the ISA Server firewall service to identify which communications are from its internal or private... N I N G 08 mcse CH05 By default, several packet filters do exist on ISA Server; five of them are Internet Control Message Protocol (ICMP) rules Although ICMP messages are commonly used to communicate information on an ethernet network, they can be used in a planned attack Some messages, however, are necessary to enable ISA Server to determine Internet network conditions Note that the ISA Server can send...08 mcse CH05 6/5/01 12:00 PM Page 133 OBJECTIVES This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam: Configure and troubleshoot outbound Internet access Whether ISA Server has been installed... caching or integrated mode, you should also examine the default cache settings ISA Server Object Permissions Permissions can be assigned for multiple ISA Server objects including the server, arrays, alerts, H.323 gatekeeper, enterprise polices, and sessions To examine the default settings, right-click the object in the ISA management console and select the Security tab Table 5.1 lists the objects and... policy to the ISA Enterprise Readers group 11 If additional enterprise policies are present, assign read permission to arrays that use them by assigning read permission to the respective ISA array_name Array Servers group Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 139 08 mcse CH05 140 6/5/01 Par t II 12:00 PM Page 140 CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES... caching á Configure ISA network settings á Troubleshoot access issues POST-INSTALLATION DEFAULT SETTINGS If you followed the installation and verification exercises in the previous chapters, you found that the default settings on ISA Server do not allow any access to the Internet After testing the ISA Server installation, you should always remove the test settings and appropriately configure the server to provide . is migrating six Proxy Server 2.0 systems to ISA Server. All Proxy Servers are in an array. These servers will be the first ISA Servers installed on his. up Proxy Server configuration, upgrade server to Windows 2000, install ISA Server, apply Service Pack 1. 6. Nancy migrates Proxy Server 2.0 to ISA Server.