MCSE ISA Server 2000 study guide, Part 13 (docx)


Chapter 10 FIREWALL CONFIGURATION (page 333): APPLY YOUR KNOWLEDGE

2. Information Systems Auditing has asked that a report be made for the next month that includes information on all packets that touch the firewall. What step(s) do you need to take?
A. Nothing; ISA Server is already recording information on every packet that touches it.
B. Configure the IP packet filter property Log packets from "allow." The ISA Server normally doesn't log these packets, but using this option makes it do so.
C. Make the Registry key entry listed in the help under logging packets.
D. Be sure disk capacity supports the increased log size necessary to record these events.

3. You want to configure FTP, download only, access for some SecureNAT clients. (Select the best two.)
A. Create packet filters that allow outbound access to ports 21 and 20.
B. Only allow access to known sites which restrict access to download.
C. Enable the FTP application filter.
D. Create a protocol rule that allows the FTP client read only protocol for SecureNAT clients (by client address set).

4. Carrie has configured the firewall client on her system in preparation for doing some testing of the ISA Server. She does not set her browser to retrieve requests from the ISA Server. She has an account in the domain to which the ISA Server computer belongs. She writes rules that deny access to certain sites. However, when she attempts to visit these sites, she finds she can. What is happening? (Select the best two.)
A. She must be logged on using the wrong user account.
B. The ISA Server does allow unauthenticated access.
C. Because the HTTP filter is redirecting the firewall client, but not passing authentication information, the net effect is that there is no way to check which user is making the request.
D. This is a known bug in HTTP access using the firewall client.

5. John has run the Security Configuration Wizard and now many clients that could access resources through the ISA Server cannot. What should he do?
A. Reinstall; the wizard is irreversible.
B. Examine the changes made by using the Security Configuration and Analysis (SCA) console. He can analyze the current configuration against the default server configuration and possibly determine what has been modified that would affect this change.
C. Check the LM authentication method in Security Options. The Limited Services option of the wizard changes this to use NTLM only. By default, Windows 95/98 clients use LM for network authentication.
D. Install the AD Client for Windows 9x.

6. To make the authentication process more secure, which authentication method(s) should be avoided?
A. Digest
B. Certificates
C. Integrated
D. Basic

14 mcse CH10 6/5/01 12:08 PM Page 333

Part III CONFIGURING, MANAGING, AND TROUBLESHOOTING POLICIES AND RULES

Answers to Review Questions

1. Packet filters statically open ports. Other methods open the ports dynamically, only when the request is made. It is always preferable to have ports open only when needed. See the section "Configuring New Packet Filters."
2. Use standard hardening efforts to secure the OS. Apply service packs and security hot-fixes. Use NTFS. Use strong passwords. Use the Security Configuration Wizard to help harden the system. See the section "The ISA Server Security Configuration Wizard."
3. The firewall is only as strong as the system on which it is built. Compromise the underlying OS and you can forget the firewall. See the section "The ISA Server Security Configuration Wizard."
4. This is common practice for firewalls. You do not want anything to pass the boundary unless you have specifically allowed it to do so. See the section "Configuring Packet Filter Rules."
5. The ISA Server needs to know the status of the network on which it operates. See the section "Examining Default Packet Filters."
6. The DHCP client filter allows the ISA Server to accept an assigned IP address from an ISP for its external network interface. See the section "Examining Default Packet Filters."
7. Basic, Digest, Integrated, Certificates. See the section "Authentication Rules."

Answers to Exam Questions

1. C. Streaming video may include fragmented packets. A and B may also be a problem, or they might not be; we have no way of telling, and we do have another good reason. D is incorrect. This is not a reason to not use this feature. See the section "Configuring/Enabling IP Packet Filter Properties."
2. B, D. To capture all packets you must "allow" allowed packets to be logged. You need extra disk space to do this. A and C are incorrect. ISA Server is not recording "allows." There is no Registry key listed in help. See the section "Configuring/Enabling IP Packet Filter Properties."
3. C, D. A and B do not restrict FTP users to download only. You cannot rely on sites to prevent this. See the section "FTP Access Filter."
4. B, C. A could be true, but it is the incorrect answer because if she is using her real account the same thing will happen. D is incorrect. See the section "HTTP Redirector Filter."
5. B, C, D. He may need to examine the changes made; the SCA will help him do so. It is also reasonable to expect that because Windows 9x clients use LM, this parameter change is the problem. If LM is the issue, adding the LM client will allow him to configure these clients to use NTLM. A is incorrect. Never reinstall as a first choice when problems occur. See the section "The Security Configuration Wizard."
6. D. Basic authentication is not encrypted. See the section "Authentication Rules."

Suggested Readings and Resources

1. Comer, Douglas. Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture. Prentice Hall; ISBN: 0130183806.
2. Lee, Thomas, and Davies, Joseph. Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference. 2000, Microsoft Press; ISBN: 0735605564.

CHAPTER 11: Manage ISA Server in the Enterprise

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Configuring, Managing, and Troubleshooting Policies and Rules section and the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Manage ISA Server arrays in an enterprise.
- Create an array of proxy servers
- Assign an enterprise policy to an array

A major advantage of ISA Server Enterprise edition is the ability to centrally manage multiple ISA Server computers by placing them in an array or arrays and setting enterprise and array level policies. Each array can have a different policy and, thus, a tiered policy can be created to effectively manage both centralized and decentralized IT environments.

Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

Once servers are combined in arrays, they can be configured for efficiency, scalability, and fault tolerance. Cache Array Routing Protocol (CARP) can create one logical cache out of multiple ISA Server computers in an array, and Network Load Balancing can maximize throughput and provide added fault tolerance.

15 mcse CH11 6/5/01 12:09 PM Page 337
OUTLINE

Introduction 339
Managing and Configuring Arrays 339
  Understanding Hierarchical and Distributed Arrays 340
  Understanding Enterprise Policy Scope 340
    Using Array Policy Only 341
    Using This Enterprise Policy 342
  Managing ISA Server Arrays 342
    Creating Arrays 343
    Creating and Assigning Enterprise Policies 345
    Configuring Policies 346
    Backing Up Array and Enterprise Configurations 347
    Promoting a Standalone Server 348
Configuring for Scalability 350
  Configuring Cache Array Routing Protocol (CARP) 350
    Understanding CARP 351
    Enabling CARP—Array Properties 351
    Configuring Server Listeners and Load Factors 352
  Configuring Network Load Balancing 352
Chapter Summary 355
Apply Your Knowledge 356
  Exercises 356
  Review Questions 356
  Exam Questions 357
  Answers to Review Questions 359
  Answers to Exam Questions 359

STUDY STRATEGIES

- Haul out the test boxes, dump the standalone ISA Servers, and install at least two systems in an array.
- Concentrate your efforts on determining how policies are defined, created, and assigned to an array.
- Examine Network Load Balancing in Windows 2000 Help as well as other documentation. If you are comfortable with this software-based clustering feature on its own, you will be better equipped to understand how it can mesh with ISA Server.

INTRODUCTION

Ever since man has been able to afford two computers, he has looked for ways to make them work as one. There have been many attempts and successes at harnessing the combined power of multiple systems, but many of the most useful, efficient, and least expensive strategies have been software-based algorithms that distribute the workload between systems. These efficient algorithms that seek to scale systems and multiply processing power also, in many cases, provide fault tolerance for distributed systems. Because the systems are inextricably linked, when one system fails, the other is available. This is achieved for ISA Server by arranging servers in distributed and hierarchical arrays and by utilizing the twin scalability solutions: Cache Array Routing Protocol (CARP) and Network Load Balancing (NLB). To understand and use these algorithms, it is essential to understand the basic policy structure of the Enterprise edition of ISA Server.

MANAGING AND CONFIGURING ARRAYS

The basic management element of the Standard edition ISA Server is the server. Policies are developed and used at the server level. There is no way to write one policy and have it impact multiple servers. In the Enterprise edition, multiple tiers of ISA Servers can be arranged and managed comprehensively. The following structures are possible:

- Enterprise level policies are assigned to arrays of ISA Servers.
- Multiple enterprise policies and multiple arrays can coexist.
- Enterprise level policies determine the ability of array policies to modify enterprise policy at the array level.
- Array level modifications can only further tighten security, not reduce it.

Just as the basic level of management and control in the Standard edition is the server, the basic level of control in the Enterprise edition is the array. This is why any study of enterprise policy is ultimately a study of arrays. This study involves:

- Understanding Hierarchical and Distributed Arrays
- Understanding Enterprise Policy Scope
- Managing ISA Server Arrays

Understanding Hierarchical and Distributed Arrays

For ISA Server two array-based solutions exist: hierarchical and distributed. These array types are distinct. Do not get them confused.
Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers instead of directly to the requested source. Chains of distributed arrays are also possible. Hierarchical arrays were discussed in Chapter 5, "Outbound Internet Access."

Distributed arrays are collections of Enterprise edition ISA Servers and are managed by assigning enterprise and array policies. They can only be created using the Enterprise edition of ISA Server. They offer multiple advantages, including centralized management, fault tolerance, and improved processing efficiency.

Understanding Enterprise Policy Scope

Policies are created at the enterprise level but assigned to individual arrays. The true meaning of any policy exists in its focus of control, or scope. To manage and control distributed arrays of ISA Servers:

- Define enterprise policies
- Assign enterprise policies to arrays
- Write rules and apply filters at the enterprise policy level
- If allowed, write rules and apply filters at the array level

EXAM TIP: Connect To... It is possible to manage multiple Standard edition ISA Servers from one location. In the ISA Server Management console, right-click the Internet Security and Acceleration Server icon and select Connect To, then select the server to manage. You are, however, really only managing one server at a time. You cannot write a policy that controls multiple servers automatically.

Because multiple enterprise policies can exist, and because the enterprise policy assigned to an array determines what options are available at the array level, it is important to understand the types of enterprise policies that can be developed and the scope of their power.
Three basic policy scopes exist:

- Combined Array and Enterprise Policy. Management is potentially split between enterprise and array level policies.
- Array Policy Only. The "enterprise policy" gives control to the managers of array level policy.
- Enterprise Policy Only. All policies are set at the enterprise level.

The type of policy applied at the array level is first determined during ISA Enterprise Initialization (see Figure 11.1). This policy is applied to the array created during the installation of the first ISA Server in the forest. Because multiple enterprise policies can be created, as well as multiple arrays, the initial policy does not control the final management of policy. After installation, you can create new policies and assign them to arrays as required. By applying a variety of enterprise policies, with and without options for management at the array level, a tiered policy can be developed in which enterprise administrators (those in the Enterprise Admins group) manage the overall policies for all ISA Server controlled access between internal and external networks, and array administrators (those in the Domain Admins group) restrict array level policies further where allowed.

Using Array Policy Only

If this enterprise policy is chosen, rules are not written at the enterprise level. All rules are written at the array level. This distributes control of ISA Servers to administrators closer to the area where the ISA Servers are located. This is suitable and desirable in an organization where IT is itself decentralized. No all-encompassing policy or management structure exists to centrally control all ISA Servers; instead, each array can be managed on its own. Management is similar to the management of a single ISA Server, except that policies created are applied to all ISA Servers in the array.

FIGURE 11.1 Initial enterprise policy.
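As an added illustration (not code from the book or from ISA Server), the following Python model captures the scope rules just described: under an enterprise-only policy the array adds nothing, under an array-only policy all rules live at the array, and under a combined policy an array rule can only tighten the enterprise decision, never widen it, while an enterprise setting such as forced packet filtering cannot be switched off by the array. The scope names, the rule matching, the deny-over-allow ordering and the sample policies "Corp", "West" and "NewYork" are assumptions made for the demonstration, not ISA Server's exact rule-processing order.

```python
# Added example: a simplified model of ISA Server 2000 enterprise/array policy
# scope. Not ISA code; rule matching and scope names are assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    protocol: str  # protocol name, or "*" for any
    dest: str      # destination set name, or "*" for any

    def matches(self, protocol, dest):
        return self.protocol in ("*", protocol) and self.dest in ("*", dest)

@dataclass
class EnterprisePolicy:
    name: str
    scope: str  # "enterprise_only", "array_only" or "combined"
    rules: list = field(default_factory=list)
    force_packet_filtering: bool = True

@dataclass
class ArrayPolicy:
    name: str
    rules: list = field(default_factory=list)
    packet_filtering: bool = True

def decide(rules, protocol, dest):
    """Deny beats allow; with no matching allow the default is deny (drop)."""
    hits = [r for r in rules if r.matches(protocol, dest)]
    if any(r.action == "deny" for r in hits):
        return False
    return any(r.action == "allow" for r in hits)

def validate_array(ent, arr):
    """Array settings that the assigned enterprise policy does not permit."""
    problems = []
    if ent.scope == "enterprise_only" and arr.rules:
        problems.append(f"{arr.name}: array rules not allowed under {ent.name}")
    if ent.force_packet_filtering and not arr.packet_filtering:
        problems.append(f"{arr.name}: packet filtering is forced by {ent.name}")
    return problems

def request_allowed(ent, arr, protocol, dest):
    """Effective decision: array rules may narrow the enterprise result, never widen it."""
    problems = validate_array(ent, arr)
    if problems:
        raise ValueError("; ".join(problems))
    if ent.scope == "array_only":  # all rules live at the array level
        return decide(arr.rules, protocol, dest)
    allowed = decide(ent.rules, protocol, dest)
    if ent.scope == "combined" and allowed:
        # An array deny tightens the result; an array allow cannot override an
        # enterprise deny or grant access the enterprise policy never allowed.
        allowed = not any(r.action == "deny" and r.matches(protocol, dest)
                          for r in arr.rules)
    return allowed

# Constructed sample data (hypothetical names, not from the book).
CORP = EnterprisePolicy("Corp", "combined",
                        [Rule("allow", "HTTP", "*"), Rule("deny", "*", "Gambling")])
WEST = ArrayPolicy("West", [Rule("deny", "HTTP", "Streaming")])  # tightens Corp
NEWYORK = ArrayPolicy("NewYork", [Rule("allow", "FTP", "*")])    # cannot widen Corp

if __name__ == "__main__":
    for arr in (WEST, NEWYORK):
        for proto, dest in (("HTTP", "News"), ("HTTP", "Streaming"),
                            ("FTP", "News"), ("HTTP", "Gambling")):
            verdict = "allow" if request_allowed(CORP, arr, proto, dest) else "deny"
            print(f"{arr.name:8} {proto:4} {dest:10} {verdict}")
```

Running the block prints one verdict per array and request; NewYork's FTP allow rule has no effect because the Corp policy never allowed FTP, which is the "never weaker than enterprise" property in action.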
NOTE: Restricting ISA Server Management. You might want to restrict ISA Server enterprise or array management to select administrators. To do so, create Active Directory groups and assign appropriate permissions on ISA Server objects. An outline of the process was described in Chapter 3, "Installing ISA Server."

Using This Enterprise Policy

An initial enterprise policy is created and assigned to the first ISA Server array. The first ISA Server array is created during the installation of the first ISA Server in the forest. The first enterprise policy is therefore created during the initialization of the Active Directory schema by the ISA Enterprise Initialization tool. During initialization, the following choices can be made:

- A name for the policy.
- Allow array-level access policy rules that restrict enterprise policy. Array policy rules can never be weaker than the enterprise policy rules.
- Allow publishing rules. Publishing rules are created at the array level.
- Force packet filtering on the array. This prevents an array level administrator from configuring IP routing without packet filters. By default, all packets are dropped at the external interface unless rules exist which allow other action.

Managing ISA Server Arrays

Manage ISA Server arrays in an enterprise.

All Enterprise edition ISA Servers installed in an ISA Server updated Active Directory have the choice of being installed into an array or acting as a standalone ISA Server. To participate in centralized management, and to benefit from the Active Directory environment, they should be installed in an array. Standalone ISA Servers can be promoted to array membership at a later time.
ISA Servers are managed then by:

- Creating arrays
- Creating and assigning enterprise policies to arrays
- Configuring policies
- Storing and backing up array and enterprise configurations
- Promoting standalone servers to array membership

[...] on the ISA Servers.

2. To ensure ISA Server recovery and the availability of potential intrusion detection information after a hard disk crash, you should follow this step:
A. Back up the enterprise configuration [...]

4. Are enterprise policies modified after creation? How?
5. John promoted ISA1, a standalone ISA Server, to membership in the Concerto ISA Server array. When he examines the configuration of ISA1 after [...]

[...] Standalone Server

ISA Enterprise edition servers that were installed as standalone servers can be promoted to array membership. The following conditions must be met:
- The standalone server must be Enterprise edition.
- The enterprise must be initialized.
[...]

CONFIGURING FOR SCALABILITY

Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

ISA Server distributed arrays enable centralized management of multiple ISA Servers, but they also allow Web caching to scale and offer the benefit of fault tolerance. This is done by using additional ISA Server and Windows 2000 algorithms: [...]

[...] the workload between multiple ISA Servers in an NLB cluster. The solution is purely software based. The clients do not know they are addressing a cluster, and the ISA Server software knows nothing about the cluster either. Each ISA Server computer has a unique [...]

[...] at the end of this chapter.

11.7 Planning NLB for ISA Server
1. Verify that ISA Servers in the cluster are installed in the same mode.
2. Assign a unique IP address to the cluster and assign a fully qualified domain name for this address.
3. The primary network address of each ISA Server computer's internal interface adapter uses this cluster address. All ISA Server computers have the same primary address in [...]

Creating Arrays

Create an array of proxy servers.

During each Enterprise edition ISA Server installation, there is an opportunity to install the ISA Server into an array (see Figure 11.2). You then have the opportunity to name the array [...]

[...] page.

FIGURE 11.18 Configuring the host page.

CHAPTER SUMMARY

Combining multiple ISA Servers in an array can have striking results. Not only can multiple ISA Servers be centrally managed, but their efficiency and fault tolerance can be improved [...]

[...] enterprise and array configuration and ISA logs.
3. John is examining the logs of the company Web server, and comparing statistics with those of a month ago. Two weeks ago the Web server was placed behind an ISA Server array and a publishing rule to route requests to the Web server was [...]

[...] and creation of an ISA Server array, five additional ISA Servers are added to the array. Six months later, the enterprise policy is creating too much work for the members of the Enterprise Admins group. Corporate policy does not require absolute centralized control over Internet access. What can be done to alleviate the problem?

FIGURE 11.19 Question 3
Location: San Francisco. Array West includes these servers: ISA5 - array only policy.
Location: New York. ISA6 - enterprise only policy. Array New York will include the following servers: ISA1 - firewall, ISA2 - caching, ISA3 - integrated.

A. Add new members to the Enterprise Admins group.
B. Change the enterprise policy so that Domain Admins can share some of the load.
C. Change the enterprise policy so that Server Administrators can share some of [...]

Posted: 22/01/2014, 00:20
