MCSE ISA Server 2000 study material, Part 7 (docx)

Part II: Configuring and Troubleshooting ISA Server Services
Chapter 5: Outbound Internet Access (pages 153-162)

[...] path for the tickets directory on the computer PUFF in the peachweaver.com domain is puff.peachweaver.com/tickets/*. Click OK.

9. Click OK.

FIGURE 5.8 Configuring destination address sets.

Configuring Site and Content Rules

Each site and content rule requires the configuration of multiple elements. Some elements, such as the action (allowed or denied), are configured directly on the property pages of the rule. Others, such as destination sets, are developed and stored as policy elements for use with more than one type of rule. Configuring a site and content rule therefore consists of determining each element and either filling in the blanks or selecting the preconfigured policy elements. You should create the policy elements before starting the Rule wizard. Step by Step 5.6 details the process.

STEP BY STEP 5.6 Configuring Site and Content Rules

1. Navigate to the Site and Content Rules folder at ISA Server Console Root\Servers and Arrays\name\Access Policy\Site and Content Rules. Right-click the folder and select New Rule.
2. On the Welcome page of the New Site and Content Rule Wizard, enter a name for the rule and click Next.
3. On the Rule Action page, select the response to client requests (see Figure 5.9). The choices are Allow and Deny. Denied requests can be redirected to another site.
4. On the Rule Configuration page, select what the rule applies to: destinations, schedules, clients, or a custom combination (see Figure 5.10).
5. Depending on the answer in Step 4, the next screen or screens allow the selection of specific policy elements.

FIGURE 5.9 Defining the rule action.

08 mcse CH05 6/5/01 12:00 PM Page 153
6. If the choice is destination sets, the choices are (see Figure 5.11):
   • All destinations
   • All internal destinations
   • All external destinations
   • Specified destination set (you must have created the set before configuring the rule)
   • All destinations except selected set
7. If the choice is Schedule, the Schedule page allows the selection of a schedule.
8. If the choice is Clients, the Client Type page allows the selection of specific computers (a client address set), specific users and groups, or the default of "Any Request".
9. If the choice is Custom, any of these elements may be defined, as well as others:
   • Destination
   • Schedule
   • Client address sets
   • Content groups (Applications, Documents, Audio, and so on; see Figure 5.12)
10. Enter the choice and click Next.
11. On the Finish page, click OK.

After configuring a site and content rule, examine its Property pages to ensure that it is set up properly. Changes to the rule can be made from this interface.

FIGURE 5.10 Rule configuration.
FIGURE 5.11 Destination choices.
FIGURE 5.12 Content groups.

Configuring Protocol Rules

Protocol rules are defined to allow or deny access via specific protocols. This is useful because it lets you control the type of access to the Internet. You might want to allow Web access and thus configure a rule that enables HTTP, and you might want to allow only this type of access. If you have configured only this one protocol rule, by default no other access can occur. Thus, once a policy is established as to which protocols may be used, the process is clear: you configure protocol rules that allow the approved protocols. The absence of a rule for other protocols prevents their use; however, you may also explicitly deny a protocol by writing a deny rule.
When multiple protocol rules are present, the following conventions apply:

• The absence of a protocol rule prevents that protocol from being used. Therefore, the use of a protocol can be denied either explicitly or implicitly.
• Rules can be defined to apply to all IP traffic, to specific protocol definitions, or to all IP traffic except the protocols defined.
• In caching mode, the only protocol rules allowed are those that restrict HTTP, HTTPS, Gopher, and FTP.
• In firewall and integrated modes, protocol rules can be applied to all IP protocols.
• Protocol definitions are provided for well-known protocols, but rules can be configured for any IP protocol.

Figure 5.13 illustrates multiple protocol rules. If you examine the rules, you will see that they allow HTTP, HTTPS, and FTP access to the Internet while explicitly denying telnet. In this example, a separate rule is written for each protocol. A single rule can instead be written that encompasses all the allowed protocols by selecting Selected Protocols on the Protocols page of the wizard and then marking the protocols that you want to allow (see Figure 5.14). To configure protocol rules, follow Step by Step 5.7.

FIGURE 5.13 Understanding protocol rules.

STEP BY STEP 5.7 Configuring Protocol Rules

1. In the ISA console, navigate to the Protocol Rules container.
2. Right-click Protocol Rules and select New.
3. In the New Protocol Rule Wizard, enter a name for the new protocol rule and click Next.
4. On the Rule Action page, select Allow or Deny and click Next.
5. On the Protocols page, select the type of traffic (All IP traffic, Selected Protocols, or All IP Traffic Except Selected).
6. If Selected Protocols is selected, a Protocols box appears. Select the protocols to block or allow (see Figure 5.15).
7. Select the schedule for the rule.
(The rule will be enforced during the hours indicated in the schedule.) Click Next.
8. Select the Client Type. Client types are client address sets, specific users and groups, or all requests (see Figure 5.16). Note that users can be specified as Windows 2000 users and groups (see Figure 5.17).
9. Click Next. On the wizard's Finish screen, click Finish.

See Step by Step 5.8 to modify existing rules.

STEP BY STEP 5.8 Modifying Protocol Rules

1. Select the Protocol Rules folder.
2. On the View menu, make sure the Advanced item is checked. If it is not, click it to select it. (Protocol rules cannot be modified in Taskpad view.)
3. In the Details pane, right-click the protocol rule to modify and choose Properties.
4. Select the tab for the item you want to modify.
5. Make the necessary change (see Table 5.6).

FIGURE 5.14 Using one rule for multiple protocols.
FIGURE 5.15 Selecting protocols.
FIGURE 5.16 Choosing client types.

TABLE 5.6 Modify Protocol Rules

Property Tab | Item to Modify
General      | Name, description, enable, or disable
Action       | Allow or deny
Protocol     | Select protocols
Schedule     | Select a new schedule or create one for this protocol rule (see Figure 5.18). If a schedule is defined, you can make it active or inactive. This feature allows you to temporarily test a new schedule or remove it without losing the definition.
Applies to   | Select who this rule applies to: all requests, specific client address sets, or Windows 2000 users and groups.

FIGURE 5.17 Applying protocol rules via Windows groups.
FIGURE 5.18 Creating a new schedule for a protocol rule.
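The two rule types above combine into a single access decision, and the chapter's point that a missing rule is itself a denial is easy to get wrong in practice. The following Python model is an added example written for this page; it is not code from the book or from ISA Server. It encodes the rule elements the chapter describes (allow or deny action, protocol definitions, destination sets with host/path wildcards such as puff.peachweaver.com/tickets/*, schedules, client address sets, and Windows users and groups) and evaluates requests against a constructed policy modelled on Figure 5.13. The evaluation order is an assumption that the chapter does not spell out: deny rules are checked first, a request must be allowed by both a protocol rule and a site and content rule, and a rule scoped to users or groups forces authentication of an anonymous request before it can be applied. Rule names, address ranges and sample requests are invented for the example.

```python
"""Model of how ISA Server 2000 decides an outbound request from the protocol
rules and site and content rules described in this chapter.
Added example, not code from the book or from ISA Server. The evaluation order
is an ASSUMPTION (see lead-in): deny rules are checked first, and a request
needs BOTH an allowing protocol rule AND an allowing site and content rule;
otherwise it is implicitly denied. All names, sets and requests are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    allow: bool                         # action: True = allow, False = deny
    kind: str                           # "protocol" or "site" (site and content rule)
    protocols: Optional[set] = None     # None = all IP traffic (protocol rules only)
    destinations: Optional[list] = None # None = all destinations; else "host/path*" patterns
    schedule: Optional[range] = None    # hours of the day the rule is enforced; None = always
    client_sets: Optional[list] = None  # None = any address; else CIDR client address sets
    groups: Optional[set] = None        # None = "Any Request"; else required Windows groups


@dataclass
class Request:
    protocol: str
    host: str
    path: str = "/"
    client_ip: str = "10.0.0.5"
    hour: int = 10
    user_groups: Optional[set] = None   # None = anonymous (not yet authenticated)


def matches_destination(rule: Rule, req: Request) -> bool:
    """Destination set match on the host alone or on host/path, case-insensitive."""
    if rule.destinations is None:
        return True
    host, target = req.host.lower(), (req.host + req.path).lower()
    return any(fnmatchcase(target, p.lower()) or fnmatchcase(host, p.lower())
               for p in rule.destinations)


def rule_applies(rule: Rule, req: Request) -> str:
    """'match', 'no', or 'auth' (rule is user-scoped but the request is anonymous)."""
    if rule.kind == "protocol" and rule.protocols is not None and req.protocol not in rule.protocols:
        return "no"
    if rule.kind == "site" and not matches_destination(rule, req):
        return "no"
    if rule.schedule is not None and req.hour not in rule.schedule:
        return "no"
    if rule.client_sets is not None and not any(
            ip_address(req.client_ip) in ip_network(n) for n in rule.client_sets):
        return "no"
    if rule.groups is not None:
        if req.user_groups is None:
            return "auth"               # ISA must authenticate the client before deciding
        if not rule.groups & req.user_groups:
            return "no"
    return "match"


def evaluate(rules, req: Request):
    """Return (decision, reason); decision is 'allow', 'deny' or 'authenticate'."""
    deny_needs_auth = False
    for r in rules:                     # deny rules win, whatever their order in the list
        if not r.allow:
            state = rule_applies(r, req)
            if state == "match":
                return "deny", f"denied by rule '{r.name}'"
            deny_needs_auth |= state == "auth"
    allowed, allow_needs_auth = {}, set()
    for r in rules:
        if r.allow:
            state = rule_applies(r, req)
            if state == "match":
                allowed.setdefault(r.kind, r.name)
            elif state == "auth":
                allow_needs_auth.add(r.kind)
    missing = [k for k in ("protocol", "site") if k not in allowed]
    if not missing and deny_needs_auth:
        return "authenticate", "a user-scoped deny rule may apply; client must authenticate"
    if not missing:
        return "allow", f"protocol rule '{allowed['protocol']}', site rule '{allowed['site']}'"
    if any(k in allow_needs_auth for k in missing):
        return "authenticate", "only a user-scoped rule could allow this; client must authenticate"
    return "deny", f"no {' and '.join(missing)} rule allows this request (implicit deny)"


# Constructed policy in the spirit of Figure 5.13: Web protocols allowed, telnet
# explicitly denied, everything else implicitly denied except for one admin group.
POLICY = [
    Rule("Allow Web", True, "protocol", protocols={"HTTP", "HTTPS", "FTP"}),
    Rule("Deny telnet", False, "protocol", protocols={"Telnet"}),
    Rule("Admins any protocol", True, "protocol", groups={"ISA Admins"}),
    Rule("Allow all destinations", True, "site", schedule=range(8, 18)),
    Rule("Block tickets from LAN", False, "site",
         destinations=["puff.peachweaver.com/tickets/*"], client_sets=["10.0.0.0/8"]),
]
```

Running evaluate on a telnet request returns a deny from the explicit rule even for a member of the admin group, since deny rules win. An SMTP request from an anonymous client returns "authenticate" because the only rule that could allow it is group-scoped; the same request from a user outside that group falls through to the implicit deny, which is the "absence of a rule" behaviour the text describes. A Web request outside the schedule is denied for lack of a site and content rule even though a protocol rule allows it.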
Authentication and Rules

Client authentication before a requested access is granted is required in the following circumstances:

• When rules are configured to require membership in specific groups, or to apply to specific users, ISA Server requires client authentication so that it can determine whether access is allowed for that user.
• If the HTTP protocol is requested by Web Proxy or Firewall clients, ISA Server determines whether the rule allows anonymous access. If it does, and no other configuration blocks the access, access is allowed.
• However, if no rule allows anonymous access to HTTP, ISA Server requires authentication.
• If a Firewall client requests access to some other protocol and rules have been configured that require membership in a group, or access is specific to certain users, authentication is required.
• When ISA Server has been configured to always require authentication (see Figure 5.19).

Additionally, if a Firewall client requests HTTP access, the request is passed through the HTTP redirector (if it is enabled and configured) to the Web Proxy service. The client's authentication information is not passed to the Web Proxy service, so if ISA Server is not configured to allow anonymous access, the attempt will fail.

FIGURE 5.19 Require authentication for all users.

Custom HTML Error Messages

If a client attempts Web access and an error message is returned, where is the message coming from? If the client is going through the ISA Server, the error messages are returned by the ISA Server. A set of error message HTML files is stored in the \ErrorHtmls folder on the ISA Server. You can develop custom error messages by modifying the HTML pages provided for that purpose.
Custom error messages can be created for both incoming and outgoing requests. Messages for outgoing requests (from internal clients) are stored in files named error#.htm. Messages for incoming requests are named error#R.htm.

Default Error Messages

Default error messages are available for 26 common errors, including the following:

• 10060. Specified Web server cannot be contacted.
• 11001. Specified host could not be found.
• 11002. The DNS name server for the specified host could not be contacted.
• 11004. Host not found.

Configuring Custom Messages

Custom messages are created from the default HTML files provided in the \ErrorHtmls folder. You might want to include company information or graphics, or create a friendlier or more specific error message. To create a custom message, follow Step by Step 5.9. Figure 5.20 displays the section of the default file that must be modified.

STEP BY STEP 5.9 Creating a Custom Error Message

1. Open the default file in \Program Files\Microsoft ISA Server\ErrorHtmls (default.htm for internal client errors and defaultR.htm for external client errors).
2. Replace [ERRORNUM] with the error code.
3. Replace [ERRORTEXT] with the message you want to display.
4. Replace [SERVERNAME] with the name of the server that will return the HTML page.
5. Replace [VIAHEADER] with the Via header string that the ISA Server computer receives for that error message.
6. Add any inline graphics by using fully qualified URLs to .gif or .jpg files in the error messages. (You must store these files in a separate, shared directory on the ISA Server.)
7. Save the file as error#.htm or error#R.htm in the \ErrorHtmls folder.
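Step by Step 5.9 is a hand edit repeated once per error number and once more for the incoming (R) variant. The script below is an added example, not code from the book or shipped with ISA Server: it performs those substitutions for the four default error numbers listed above and names the output files by the error#.htm / error#R.htm convention. The template embedded in it is a constructed stand-in for default.htm carrying the same four placeholders; the server name, Via string and image URL are invented, and on a real ISA Server you would read the template from, and write the results into, \Program Files\Microsoft ISA Server\ErrorHtmls. Placeholder values are HTML-escaped before insertion so that a server name or Via string containing < or & cannot turn into markup in the returned page, and the script refuses a template that is missing any of the placeholders rather than silently producing a half-filled page.

```python
"""Generate the custom error pages described in Step by Step 5.9.

Added example, not code from the book or shipped with ISA Server. It assumes a
template carrying the four placeholders the chapter names ([ERRORNUM],
[ERRORTEXT], [SERVERNAME], [VIAHEADER]); a constructed stand-in for default.htm
is embedded so the script runs offline. Server name, Via string and image URL
are invented.
"""
import tempfile
from html import escape
from pathlib import Path

PLACEHOLDERS = ("[ERRORNUM]", "[ERRORTEXT]", "[SERVERNAME]", "[VIAHEADER]")

# Constructed stand-in for \ErrorHtmls\default.htm; the real file has the same placeholders.
TEMPLATE = """<html><head><title>Error [ERRORNUM]</title></head>
<body><h1>[ERRORNUM]: [ERRORTEXT]</h1>
<p>Returned by [SERVERNAME]</p>
<p>Via: [VIAHEADER]</p>
<img src="http://isa1.peachweaver.com/errorimages/logo.gif" alt="logo">
</body></html>
"""

# The default error numbers the chapter lists, with their stock message text.
DEFAULT_TEXT = {
    10060: "Specified Web server cannot be contacted.",
    11001: "Specified host could not be found.",
    11002: "The DNS name server for the specified host could not be contacted.",
    11004: "Host not found.",
}


def error_filename(errnum: int, incoming: bool) -> str:
    """error#.htm for outgoing (internal client) requests, error#R.htm for incoming ones."""
    return f"error{errnum}{'R' if incoming else ''}.htm"


def render(template: str, errnum: int, text: str, servername: str, via: str) -> str:
    """Fill the placeholders. Every value is HTML-escaped so that text containing
    '<', '>' or '&' (a Via string, for instance) is shown literally, not parsed as markup."""
    missing = [p for p in PLACEHOLDERS if p not in template]
    if missing:
        raise ValueError(f"template lacks placeholders: {missing}")
    values = {
        "[ERRORNUM]": str(int(errnum)),
        "[ERRORTEXT]": escape(text),
        "[SERVERNAME]": escape(servername),
        "[VIAHEADER]": escape(via),
    }
    for placeholder, value in values.items():
        template = template.replace(placeholder, value)
    return template


def write_error_pages(out_dir, servername: str, via: str, incoming: bool = False,
                      template: str = TEMPLATE, texts=DEFAULT_TEXT):
    """Write one error#.htm (or error#R.htm) per entry of texts; return the names written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for errnum, text in texts.items():
        name = error_filename(errnum, incoming)
        (out_dir / name).write_text(render(template, errnum, text, servername, via),
                                    encoding="utf-8")
        names.append(name)
    return sorted(names)


def demo(incoming: bool = False):
    """Write the four pages into a throwaway folder and return the file names."""
    return write_error_pages(tempfile.mkdtemp(prefix="errorhtmls_"), "ISA1", "1.1 ISA1", incoming)
```

Calling write_error_pages twice, once with incoming=False and once with incoming=True, produces both the internal-client and the external-client set from the same template and message table.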
FIGURE 5.20 Modifying the default.htm file.

CONFIGURING A SINGLE SYSTEM VERSUS AN ARRAY

ISA Server is available in Standard and Enterprise editions. The Standard edition is designed to be used as a standalone single-server system: policies cannot be centrally configured for multiple ISA Servers, and caching arrays cannot be configured. An Enterprise edition ISA Server can also be installed as a standalone server.

All access control methods described previously in this chapter are available to configure access through both the Standard and Enterprise editions of ISA Server. The difference is that on the Enterprise edition you configure enterprise and array policies, while on the Standard edition you configure policies for the single server. Techniques for configuring enterprise-wide and array-wide policies for access control and other processes are addressed more specifically in Part III, "Configuring, Managing, and Troubleshooting Policies and Rules."

CONFIGURING CACHING

Caching can only be configured for ISA Servers in caching or integrated mode. The size of the cache is first set during installation but may be modified afterward. The basics of configuring hierarchical and distributed caching are found here; for more detailed information, see Chapter 11, "Manage ISA Server in the Enterprise."

Three types of forward caching are possible:

• Standalone cache
• Hierarchical caching
• Distributed caching: the array (CARP)

Standalone Cache

The Standard Edition of ISA Server allows configuration of a cache. The server can never be part of an array, but it can provide caching services.

Configuring Hierarchical Access

Hierarchical, or chained, caching is achieved by configuring an ISA Server to send requests from clients to another ISA Server instead of directly to the Internet.
ISA Servers can be chained as individual servers or as arrays.

Each server in the chain between the requesting client and the Internet stores a copy of the retrieved object in its cache. The closest ISA Server that has the object in its cache fills the next request for the object.

In addition, you can configure Web Proxy routing rules to conditionally route requests. For example, you might want a local ISA Server to make requests of geographically close Web servers directly, while forwarding requests for information on distant Web servers to ISA Servers at a location closer to them. This way, for example, an ISA Server in New York chained to one in San Francisco would not forward a request for a partner's Web site located in New Jersey to the San Francisco ISA Server. Instead, the New York ISA Server could fulfill the New Jersey request by directly accessing the Internet. Figure 5.21 illustrates this: a request for newjerseysbbq.com is retrieved directly from the nearby site, while a request for seattlesbestjellybeans.com is forwarded to the ISA Server in San Francisco for retrieval. To place an ISA Server in a hierarchical chain and to learn to use Web Proxy routing rules, see the "Configuring Network Settings" section that follows.

FIGURE 5.21 Finding the backup and restore utilities. [Diagram labels: "I want NewJerseyBBQ.com", "I want www.seattlesbestjellybeans.com", Client in NY, New York ISA Server, San Francisco ISA Server, NewJerseyBBQ.com, Seattlesbestjellybeans.com]

[...]
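The chaining behaviour and the routing-rule exception described above can be shown end to end with a small simulation. The code below is an added example, not code from the book or from ISA Server: it builds the New York to San Francisco chain from Figure 5.21, gives the New York server a routing rule whose destination set (the host patterns newjerseybbq.com and *.newjerseybbq.com, constructed for the example) is retrieved directly, and records which server answers each request. Host names, URLs and the origin fetch counter are invented; the cache semantics are the ones the text states: every server on the path keeps a copy, and the closest one that holds the object serves the next request.

```python
"""Simulate hierarchical (chained) caching with a Web Proxy routing rule, as
described in this section: a New York ISA Server chained to a San Francisco
ISA Server, with requests for a nearby partner site sent directly to the Internet.

Added example, not code from the book or from ISA Server. Host names, the
destination set used by the routing rule, and the fetch counters are constructed.
"""
from fnmatch import fnmatchcase


class Origin:
    """Stands in for the Internet; counts how often each URL is fetched from the origin."""

    def __init__(self):
        self.fetches = {}

    def fetch(self, url: str) -> str:
        self.fetches[url] = self.fetches.get(url, 0) + 1
        return f"<object {url}>"


class IsaServer:
    def __init__(self, name, internet, upstream=None, direct_sets=()):
        self.name = name
        self.internet = internet
        self.upstream = upstream                 # next ISA Server in the chain, or None
        self.direct_sets = list(direct_sets)     # routing rule: host patterns retrieved directly
        self.cache = {}

    def routes_direct(self, url: str) -> bool:
        """Routing rule: does the destination host fall in the 'retrieve directly' set?"""
        host = url.split("/", 1)[0].lower()
        return any(fnmatchcase(host, pattern.lower()) for pattern in self.direct_sets)

    def get(self, url: str, trace: list) -> str:
        if url in self.cache:
            trace.append(f"{self.name}: cache hit")
            return self.cache[url]
        if self.upstream is None or self.routes_direct(url):
            trace.append(f"{self.name}: direct to Internet")
            obj = self.internet.fetch(url)
        else:
            trace.append(f"{self.name}: forward to {self.upstream.name}")
            obj = self.upstream.get(url, trace)
        self.cache[url] = obj                    # every server on the path keeps a copy
        return obj


def build_chain():
    """New York chained to San Francisco; NewJerseyBBQ.com bypasses the chain."""
    internet = Origin()
    sf = IsaServer("San Francisco", internet)
    ny = IsaServer("New York", internet, upstream=sf,
                   direct_sets=["newjerseybbq.com", "*.newjerseybbq.com"])
    return internet, ny, sf


def request(server: IsaServer, url: str) -> list:
    """Issue one client request through `server` and return the path the request took."""
    trace = []
    server.get(url, trace)
    return trace


if __name__ == "__main__":
    internet, ny, sf = build_chain()
    for url in ("www.seattlesbestjellybeans.com/", "www.seattlesbestjellybeans.com/",
                "www.newjerseybbq.com/menu.htm"):
        print(url, "->", " | ".join(request(ny, url)))
    print("origin fetches:", internet.fetches)
```

The trace returned by request shows the first Seattle request travelling New York, San Francisco, Internet; a repeat is a New York cache hit; after New York drops the object, San Francisco still answers from its own copy without touching the origin; and the New Jersey request never reaches San Francisco at all.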
Fragments from later pages of the same excerpt (each truncated in the source, in the order the source gives them)

[...] Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam: Configure ISA Server Hosting Roles; Configure ISA Server for Web publishing; Configure ISA Server for server proxy; Configure ISA Server for server publishing. To best protect Web servers, mail servers, and other servers that must be reachable from the Internet, put them behind a firewall. The paradox [...]

[...] Each location has its own ISA Server installed in caching mode. B. Each location has its own ISA Server installed in caching mode. Each ISA Server is chained to another ISA Server in another location, with the only direct Internet access being done in Kirksville, MO. C. Each location has its own ISA Server installed in caching mode. Each ISA Server is placed in an array with the ISA Server in Kirksville, MO [...]

[...] (Apply Your Knowledge, page 178) D. Each location has an array of ISA Servers, which is then hierarchically chained to another ISA Server array. E. A hierarchical chain of ISA Servers is used, but local Web sites are accessed via the local ISA Server and requests for these [...]

[...] Web server. See the section "Creating Policy Elements." [...]

[...] (Apply Your Knowledge, page 180) Suggested Readings and Resources: 1. ISA Server Installation and Deployment Guide at http://www.microsoft.com/isaserver/techinfo/ISAdeploy.htm [...]

[...] (Chapter 6 outline) Certificates and Authentication Methods; Redirecting HTTP and SSL Requests; Configuring ISA Server for Server Proxy (193); DNS and Mail Proxy; The Mail Server Security Wizard; Content Filtering; Configuring ISA Server for Server Publishing; Creating Server Publishing Rules; Publishing Servers on a Perimeter Network. Focus your attention on providing Internet-based access to a Web [...]

[...] Review Questions. 1. Dave has successfully set up several Standard edition ISA Servers at other company locations. In New York, he sets up an Enterprise edition ISA Server. To test it, he creates a protocol rule that allows the usage of all protocols outbound. He points a Windows 98 IE 5.0 browser to use the ISA Server as a proxy, using the ISA Server's IP address and port 8080. He cannot browse the Internet. Why? [...]

[...] services on the ISA Server is one good way. [...]

Chapter 6: ISA Server Hosting Roles (09 mcse CH06 6/5/01 12:02 PM Page 182). Outline and Study Strategies: Introduction (183); Configuring ISA Server for Web Publishing (184); Configuring Destination Sets; Configuring Listeners; Creating Web Publishing Rules; Enabling CARP; Configuring Server Certificates [...]

[...] To fix the situation, you have some choices. You can individually set each browser to look to the ISA Server at port 8080, or you can enable automatic discovery on the ISA Server and set or reset the client systems to discover the ISA Server. Figure 5.31 shows the ISA Server property page location for enabling automatic discovery. Client configuration is discussed in Chapter 14, "Installing [...]

[...] bandwidth, indications as to internal or external location for addresses, and specific routing topologies to be used by the ISA Server. Bandwidth rules are configured in the Bandwidth Rules node underneath the server or array node of the ISA Server console. The Network Configuration folder of the ISA Server console potentially contains three distinct configuration areas. The existence of these nodes is dependent on [...]

[...] FIGURE 5.28 Cache content. [...] Configuring ISA Server Chains (page 168). Each routing rule can be configured to route requests to another ISA Server. Chaining can therefore be controlled, and requests for local Web sites can be left for direct access. [...]

Posted: 24/12/2013, 19:15
