Thông tin tài liệu
ISA Server
2000
Configuring
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Building Firewalls
for Windows 2000
Everything You Need to Deploy ISA Server in the Enterprise
• Step-by-Step Instructions for Planning and Designing Your
ISA Installation and Deployment
• Hundreds of Authentication Methods, Firewall Features,and
Security Alerts Explained
• Bonus:ISA Server/Exchange 2000 DVD Mailed to You
Dr. Thomas W. Shinder
Debra Littlejohn Shinder
Martin Grasdal
Technical Editor
132_ISA_FC 4/13/01 4:29 PM Page 1
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based ser-
vice that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful infor-
mation focusing on our book topics and related technologies. The site
offers the following features:
■
One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.
■
“Ask the Author”™ customer query forms that enable you to post
questions to our authors and editors.
■
Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.
■
Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the max-
imum value from your investment. We’re listening.
www.syngress.com/solutions
solutions@syngress.com
132_ISA_FM 4/2/01 4:29 PM Page i
132_ISA_FM 4/2/01 4:29 PM Page ii
CONFIGURING
ISA SERVER 2000:
BUILDING FIREWALLS FOR WINDOWS 2000
132_ISA_FM 4/2/01 4:29 PM Page iii
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from
the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold
AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci-
dental or consequential damages arising out from the Work or its contents. Because some states do not allow
the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not
apply to you.
You should always use reasonable case, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc.“Career Advancement Through
Skill Enhancement®,”“Ask the Author™,”“Ask the Author UPDATE™,”“Mission Critical™,” and “Hack
Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 NANFA94U53
002 MA3AEJDRF9
003 MKEA9UU2Q4
004 KT95QJFD95
005 ZPERJ7AT54
006 EK3ATZLCPE
007 5J6EMVCDAP
008 45SEJT9HSB
009 LDMA349F2G
010 XCFT678KM3
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Configuring ISA Server 2000: Building Firewalls for Windows 2000
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or dis-
tributed in any form or by any means, or stored in a database or retrieval system, without the prior written
permission of the publisher, with the exception that the program listings may be entered, stored, and executed
in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-29-6
Technical edit by: Martin Grasdal Copy edit by: Darlene Bordwell
Co-Publisher: Richard Kristof Index by: Jennifer Coker
Project Editor: Maribeth Corona-Evans Page Layout and Art by: Shannon Tozier
Distributed by Publishers Group West
132_ISA_FM 4/2/01 4:29 PM Page iv
v
Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous
access to the IT industry’s best courses, instructors and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight
into the challenges of designing, deploying and supporting world-class enterprise
networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill
Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their
incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler,Victoria Fuller, Jonathan
Bunkell, and Klaus Beran of Harcourt International for making certain that our
vision remains worldwide in scope.
Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all
their help.
David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with
which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress
program.
Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
v
132_ISA_FM 4/2/01 4:29 PM Page v
132_ISA_FM 4/2/01 4:29 PM Page vi
vii
From Deb and Tom Shinder,
Authors
As always, writing a book is a complex undertaking that involves many people in
addition to the authors.This book was, in many ways, a special challenge.We were
working with a brand new product, with new features, quirks, and—dare we say—a
few bugs that had to be stepped on along the way.
A lot of blood, sweat, and tears (not to mention gallons and gallons of caffeine)
went into the making of this book. Our goal was to create the definitive guide to
Microsoft’s ISA Server, a reference that can be consulted by network professionals as
they roll out ISA on their production networks, a supplement to the formal study
guides used by MCP/MCSE candidates in preparation for Exam 70-227, and an
“interpreter” for those who find the sometimes overly technical jargon in the
Microsoft documentation difficult to understand. It also serves as a record of our
ongoing saga of discovery, frustration, confusion, and triumph as we worked with the
product and struggled to master its intricacies.
There are many who contributed to the cause, without whose help the book could
not have been written.We especially want to recognize and thank the following:
Martin Grasdal, of Brainbuzz.com, our technical editor. Although we moaned and
groaned and cursed his name each time we received our chapters back with his many
suggestions for wonderful improvements that would take days of work and add
dozens of pages, the book would not be half as good (and perhaps not half as long)
without his much-appreciated input.
Stephen Chetcuti, of isaserver.org, who provided encouragement, enthusiasm, and
a forum in which we were able to promote both the product and this book, and get
to know other ISA Server enthusiasts from all over the world.
Joern Wettern, of Wettern Network Solutions and Technical Lead in developing
the Microsoft Official Curriculum for Course 2159A, Deploying and Managing
Microsoft ISA Server 2000, who provided invaluable help and served as the “official
word” on those perplexing questions that did not seem to have an answer.
132_ISA_FM 4/2/01 4:29 PM Page vii
viii
Sean McCormick, of Brainbuzz.com, technical consultant/writer/Chief
Executive Flunkie (CEF) and friend, who provided emotional and psychological sup-
port through the dark days (and nights!) when it seemed we might still be working
on this book at the turn of the next century.
We also must thank literally dozens of participants in the Microsoft public ISA
Server newsgroup and the discussion mailing list and message boards sponsored by
isaserver.org. In particular, our gratitude goes to: Rob Macleod, Nathan Mercer, Jason
Rigsbee,Trevor Miller, Slav Pidgorny (MVP), Ellis M. George, Jake Phuoc Trong Ha,
Terry Poperszky,Vic S. Shahid,Tim Laird, Nathan Obert,Thomas Lee, John Munyan,
Wes Noonan, Allistah, Eric Watkins, Rick Hardy,Tone Jarvis, Dean Wheeler, Stefan
Heck, Charles Ferreira, Phillip Lyle, Sandro Gauci, Jim Wiggins, Regan Murphy,
Nick Galea, Ronald Beekelaar, Russell Mangel, Hugo Caye, and Jeff Tabian. Our
apologies for anyone we may have inadvertently left out.
All of the above were instrumental in the development of this book, but any
errors or omissions lie solely on the heads of the authors.We have tried hard to make
this manuscript as mistake-free as possible, but human nature being what it is, perfec-
tion is hard to achieve.
We want to send a very special message of thanks to Maribeth Corona-Evans,
our editor. Her patience and understanding in the face of our weeping and wailing
and gnashing of teeth has earned her a permanent place in our hearts.
And finally, to Andrew Williams, our publisher, whose e-mail queries regarding
when the final chapters were going to be finished demonstrated the utmost in tact
and diplomacy—even if undeserved on our part.
Dr.Thomas W. Shinder
Debra Littlejohn Shinder
132_ISA_FM 4/2/01 4:29 PM Page viii
ix
Contributors
Thomas Shinder, M.D. (MCSE, MCP+I, MCT) is a technology
trainer and consultant in the Dallas-Ft.Worth metroplex. He has con-
sulted with major firms, including Xerox, Lucent Technologies, and FINA
Oil, assisting in the development and implementation of IP-based com-
munications strategies.Tom is a Windows 2000 editor for Brainbuzz.com
and a Windows 2000 columnist for Swynk.com.
Tom attended medical school at the University of Illinois in Chicago
and trained in neurology at the Oregon Health Sciences Center in
Portland, Oregon. His fascination with interneuronal communication ulti-
mately melded with his interest in internetworking and led him to focus
on systems engineering.Tom and his wife, Debra Littlejohn Shinder,
design elegant and cost-efficient solutions for small- and medium-sized
businesses based on Windows NT/2000 platforms.Tom has contributed
to several Syngress titles, including Configuring Windows 2000 Server
Security (ISBN: 1-928994-02-4) and Managing Windows 2000 Network
Services (ISBN: 1-928994-06-7), and is the co-author of Troubleshooting
Windows 2000 TCP/IP (1-928994-11-3).
Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an independent
technology trainer, author, and consultant who works in conjunction with
her husband, Dr.Thomas Shinder, in the Dallas-Ft.Worth area. She has
been an instructor in the Dallas County Community College District
since 1992 and is the Webmaster for the cities of Seagoville and
Sunnyvale,Texas.
Deb is a featured Windows 2000 columnist for Brainbuzz.com and a
regular contributor to TechRepublic’s TechProGuild. She and Tom have
authored numerous online courses for DigitalThink (www.digitalthink
.com) and have given presentations at technical conferences on Microsoft
certification and Windows NT and 2000 topics. Deb is also the Series
Editor for the Syngress/Osborne McGraw-Hill Windows 20000 MCSE
study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task
Force, and local professional organizations.
132_ISA_FM 4/2/01 4:29 PM Page ix
[...]... Microsoft ISA Server What Is ISA Server? Why “Security and Acceleration” Server? Internet Security Internet Acceleration The History of ISA: Microsoft Proxy Server In the Beginning: Proxy Server, Version 1.0 Getting Better All the Time: Proxy Server, Version 2.0 A New Name for New and Improved Functionality: Proxy Server 3.0 (ISA Server) ISA Server Options ISA Standard Edition ISA Enterprise Edition ISA Server. .. Proxy Server 2.0 and ISA Server Learn the ISA Server Vocabulary Upgrading Proxy 2.0 on the Windows 2000 Platform Upgrading a Proxy 2.0 Installation on Windows NT 4.0 A Planned Upgrade from Windows NT 4.0 Server to Windows 2000 Summary Solutions Fast Track Frequently Asked Questions Chapter 6 Managing ISA Server Introduction Understanding Integrated Administration The ISA Management Console Adding ISA. .. 18 xiii 132 _ISA_ ToC 4/2/01 xiv 5:02 PM Page xiv Contents Find complete coverage of ISA Server in the Enterprise including hierarchical caching Web Proxy Clients Branch Office Headquarters The Microsoft.Net Family of Enterprise Servers The Role of ISA Server in the Network Environment An Overview of ISA Server Architecture Layered Filtering ISA Client Types ISA Server Authentication ISA Server Features... Proxy Client DNS Considerations for the Web Proxy Client Configuring the Web Proxy Client Autodiscovery and Client Configuration Summary Solutions Fast Track Frequently Asked Questions Chapter 8 Configuring ISA Server for Outbound Access Introduction Configuring the Server for Outbound Access Configuring Listeners for Outbound Web Requests Server Performance Network Configuration Settings Firewall Chaining:... Stream Splitting Understanding and Configuring the Web Proxy Cache Cache Configuration Elements Configuring HTTP Caching Configuring FTP Caching Configuring Active Caching Configuring Advanced Caching Options Scheduled Content Downloads Summary Solutions Fast Track Frequently Asked Questions Chapter 9 Configuring ISA Server for Inbound Access Introduction Configuring ISA Server Packet Filtering How Packet... Schema ISA Server and Domain Controllers Understanding Interoperability with Routing and Remote Access Services RRAS Components RRAS and ISA Server Understanding Interoperability with Internet Information Server IIS Functionality Publishing IIS to the Internet Understanding Interoperability with IPSecurity How IPSec Works How IPSec Is Configured in Windows 2000 IPSec and ISA Server Integrating an ISA Server. .. Definitions ISA Client Configuration Client Address Sets Server Publishing Walkthrough—Basic Server Publishing Secure Mail Server Publishing 615 616 618 620 621 627 630 631 632 637 639 642 643 650 653 653 654 654 655 655 655 656 656 656 657 657 657 658 662 132 _ISA_ ToC 4/2/01 5:02 PM Page xxvii Contents Configuring ISA Server to Support Outlook Web Access Publishing a Terminal Server Terminal Server on the ISA. .. the Local Address Table ISA Server Features Installation Performing the Installation Installing ISA Server: A Walkthrough Upgrading a Standalone Server to an Array Member: A Walkthrough Performing the Enterprise Initialization Backing Up a Configuration and Promoting a Standalone Server to an Array Member Changes Made After ISA Server Installation Migrating from Microsoft Proxy Server 2.0 What Gets Migrated... Server and Windows 2000 Diagnostic Tools ISA Server Troubleshooting Resources Troubleshooting ISA Server Installation and Configuration Problems Hardware and Software Compatibility Problems ISA Server Doesn’t Meet Minimum System Requirements ISA Server Exhibits Odd Behavior When Windows 2000 NAT Is Installed Internal Clients Are Unable to Access External Exchange Server Initial Configuration Problems... corporations Internet Security and Acceleration Server (ISA Server) is Microsoft’s latest entry into the firewall market Its opening debut was impressive: within less than 30 days of its release in late 2000, it had already achieved ICSA Labs Certification for firewalls For anyone familiar with ISA Server s predecessors, Proxy Server 1.0 and 2.0, they will recognize that ISA Server represents a significant improvement . listening.
www.syngress.com/solutions
solutions@syngress.com
132 _ISA_ FM 4/2/01 4:29 PM Page i
132 _ISA_ FM 4/2/01 4:29 PM Page ii
CONFIGURING
ISA SERVER 2000:
BUILDING FIREWALLS FOR WINDOWS 2000
132 _ISA_ FM 4/2/01. ISA Server
2000
Configuring
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Building Firewalls
for Windows 2000
Everything You Need to Deploy ISA Server in
Ngày đăng: 24/01/2014, 10:20
Xem thêm: Tài liệu Configuring ISA Server 2000 Building Firewalls for Windows 2000 docx, Tài liệu Configuring ISA Server 2000 Building Firewalls for Windows 2000 docx