ISA Server 2000 Configuring 1 YEAR UPGRADE BUYER PROTECTION PLAN Building Firewalls for Windows 2000 Everything You Need to Deploy ISA Server in the Enterprise • Step-by-Step Instructions for Planning and Designing Your ISA Installation and Deployment • Hundreds of Authentication Methods, Firewall Features,and Security Alerts Explained • Bonus:ISA Server/Exchange 2000 DVD Mailed to You Dr. Thomas W. Shinder Debra Littlejohn Shinder Martin Grasdal Technical Editor 132_ISA_FC 4/13/01 4:29 PM Page 1 With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the max- imum value from your investment. We’re listening. www.syngress.com/solutions solutions@syngress.com 132_ISA_FM 4/2/01 4:29 PM Page i 132_ISA_FM 4/2/01 4:29 PM Page ii CONFIGURING ISA SERVER 2000: BUILDING FIREWALLS FOR WINDOWS 2000 132_ISA_FM 4/2/01 4:29 PM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci- dental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc.“Career Advancement Through Skill Enhancement®,”“Ask the Author™,”“Ask the Author UPDATE™,”“Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 NANFA94U53 002 MA3AEJDRF9 003 MKEA9UU2Q4 004 KT95QJFD95 005 ZPERJ7AT54 006 EK3ATZLCPE 007 5J6EMVCDAP 008 45SEJT9HSB 009 LDMA349F2G 010 XCFT678KM3 PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Configuring ISA Server 2000: Building Firewalls for Windows 2000 Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or dis- tributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-29-6 Technical edit by: Martin Grasdal Copy edit by: Darlene Bordwell Co-Publisher: Richard Kristof Index by: Jennifer Coker Project Editor: Maribeth Corona-Evans Page Layout and Art by: Shannon Tozier Distributed by Publishers Group West 132_ISA_FM 4/2/01 4:29 PM Page iv v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler,Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope. Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help. David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help. v 132_ISA_FM 4/2/01 4:29 PM Page v 132_ISA_FM 4/2/01 4:29 PM Page vi vii From Deb and Tom Shinder, Authors As always, writing a book is a complex undertaking that involves many people in addition to the authors.This book was, in many ways, a special challenge.We were working with a brand new product, with new features, quirks, and—dare we say—a few bugs that had to be stepped on along the way. A lot of blood, sweat, and tears (not to mention gallons and gallons of caffeine) went into the making of this book. Our goal was to create the definitive guide to Microsoft’s ISA Server, a reference that can be consulted by network professionals as they roll out ISA on their production networks, a supplement to the formal study guides used by MCP/MCSE candidates in preparation for Exam 70-227, and an “interpreter” for those who find the sometimes overly technical jargon in the Microsoft documentation difficult to understand. It also serves as a record of our ongoing saga of discovery, frustration, confusion, and triumph as we worked with the product and struggled to master its intricacies. There are many who contributed to the cause, without whose help the book could not have been written.We especially want to recognize and thank the following: Martin Grasdal, of Brainbuzz.com, our technical editor. Although we moaned and groaned and cursed his name each time we received our chapters back with his many suggestions for wonderful improvements that would take days of work and add dozens of pages, the book would not be half as good (and perhaps not half as long) without his much-appreciated input. Stephen Chetcuti, of isaserver.org, who provided encouragement, enthusiasm, and a forum in which we were able to promote both the product and this book, and get to know other ISA Server enthusiasts from all over the world. Joern Wettern, of Wettern Network Solutions and Technical Lead in developing the Microsoft Official Curriculum for Course 2159A, Deploying and Managing Microsoft ISA Server 2000, who provided invaluable help and served as the “official word” on those perplexing questions that did not seem to have an answer. 132_ISA_FM 4/2/01 4:29 PM Page vii viii Sean McCormick, of Brainbuzz.com, technical consultant/writer/Chief Executive Flunkie (CEF) and friend, who provided emotional and psychological sup- port through the dark days (and nights!) when it seemed we might still be working on this book at the turn of the next century. We also must thank literally dozens of participants in the Microsoft public ISA Server newsgroup and the discussion mailing list and message boards sponsored by isaserver.org. In particular, our gratitude goes to: Rob Macleod, Nathan Mercer, Jason Rigsbee,Trevor Miller, Slav Pidgorny (MVP), Ellis M. George, Jake Phuoc Trong Ha, Terry Poperszky,Vic S. Shahid,Tim Laird, Nathan Obert,Thomas Lee, John Munyan, Wes Noonan, Allistah, Eric Watkins, Rick Hardy,Tone Jarvis, Dean Wheeler, Stefan Heck, Charles Ferreira, Phillip Lyle, Sandro Gauci, Jim Wiggins, Regan Murphy, Nick Galea, Ronald Beekelaar, Russell Mangel, Hugo Caye, and Jeff Tabian. Our apologies for anyone we may have inadvertently left out. All of the above were instrumental in the development of this book, but any errors or omissions lie solely on the heads of the authors.We have tried hard to make this manuscript as mistake-free as possible, but human nature being what it is, perfec- tion is hard to achieve. We want to send a very special message of thanks to Maribeth Corona-Evans, our editor. Her patience and understanding in the face of our weeping and wailing and gnashing of teeth has earned her a permanent place in our hearts. And finally, to Andrew Williams, our publisher, whose e-mail queries regarding when the final chapters were going to be finished demonstrated the utmost in tact and diplomacy—even if undeserved on our part. Dr.Thomas W. Shinder Debra Littlejohn Shinder 132_ISA_FM 4/2/01 4:29 PM Page viii ix Contributors Thomas Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft.Worth metroplex. He has con- sulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based com- munications strategies.Tom is a Windows 2000 editor for Brainbuzz.com and a Windows 2000 columnist for Swynk.com. Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ulti- mately melded with his interest in internetworking and led him to focus on systems engineering.Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms.Tom has contributed to several Syngress titles, including Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4) and Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and is the co-author of Troubleshooting Windows 2000 TCP/IP (1-928994-11-3). Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an independent technology trainer, author, and consultant who works in conjunction with her husband, Dr.Thomas Shinder, in the Dallas-Ft.Worth area. She has been an instructor in the Dallas County Community College District since 1992 and is the Webmaster for the cities of Seagoville and Sunnyvale,Texas. Deb is a featured Windows 2000 columnist for Brainbuzz.com and a regular contributor to TechRepublic’s TechProGuild. She and Tom have authored numerous online courses for DigitalThink (www.digitalthink .com) and have given presentations at technical conferences on Microsoft certification and Windows NT and 2000 topics. Deb is also the Series Editor for the Syngress/Osborne McGraw-Hill Windows 20000 MCSE study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task Force, and local professional organizations. 132_ISA_FM 4/2/01 4:29 PM Page ix [...]... Microsoft ISA Server What Is ISA Server? Why “Security and Acceleration” Server? Internet Security Internet Acceleration The History of ISA: Microsoft Proxy Server In the Beginning: Proxy Server, Version 1.0 Getting Better All the Time: Proxy Server, Version 2.0 A New Name for New and Improved Functionality: Proxy Server 3.0 (ISA Server) ISA Server Options ISA Standard Edition ISA Enterprise Edition ISA Server. .. Proxy Server 2.0 and ISA Server Learn the ISA Server Vocabulary Upgrading Proxy 2.0 on the Windows 2000 Platform Upgrading a Proxy 2.0 Installation on Windows NT 4.0 A Planned Upgrade from Windows NT 4.0 Server to Windows 2000 Summary Solutions Fast Track Frequently Asked Questions Chapter 6 Managing ISA Server Introduction Understanding Integrated Administration The ISA Management Console Adding ISA. .. 18 xiii 132 _ISA_ ToC 4/2/01 xiv 5:02 PM Page xiv Contents Find complete coverage of ISA Server in the Enterprise including hierarchical caching Web Proxy Clients Branch Office Headquarters The Microsoft.Net Family of Enterprise Servers The Role of ISA Server in the Network Environment An Overview of ISA Server Architecture Layered Filtering ISA Client Types ISA Server Authentication ISA Server Features... Proxy Client DNS Considerations for the Web Proxy Client Configuring the Web Proxy Client Autodiscovery and Client Configuration Summary Solutions Fast Track Frequently Asked Questions Chapter 8 Configuring ISA Server for Outbound Access Introduction Configuring the Server for Outbound Access Configuring Listeners for Outbound Web Requests Server Performance Network Configuration Settings Firewall Chaining:... Stream Splitting Understanding and Configuring the Web Proxy Cache Cache Configuration Elements Configuring HTTP Caching Configuring FTP Caching Configuring Active Caching Configuring Advanced Caching Options Scheduled Content Downloads Summary Solutions Fast Track Frequently Asked Questions Chapter 9 Configuring ISA Server for Inbound Access Introduction Configuring ISA Server Packet Filtering How Packet... Schema ISA Server and Domain Controllers Understanding Interoperability with Routing and Remote Access Services RRAS Components RRAS and ISA Server Understanding Interoperability with Internet Information Server IIS Functionality Publishing IIS to the Internet Understanding Interoperability with IPSecurity How IPSec Works How IPSec Is Configured in Windows 2000 IPSec and ISA Server Integrating an ISA Server. .. Definitions ISA Client Configuration Client Address Sets Server Publishing Walkthrough—Basic Server Publishing Secure Mail Server Publishing 615 616 618 620 621 627 630 631 632 637 639 642 643 650 653 653 654 654 655 655 655 656 656 656 657 657 657 658 662 132 _ISA_ ToC 4/2/01 5:02 PM Page xxvii Contents Configuring ISA Server to Support Outlook Web Access Publishing a Terminal Server Terminal Server on the ISA. .. the Local Address Table ISA Server Features Installation Performing the Installation Installing ISA Server: A Walkthrough Upgrading a Standalone Server to an Array Member: A Walkthrough Performing the Enterprise Initialization Backing Up a Configuration and Promoting a Standalone Server to an Array Member Changes Made After ISA Server Installation Migrating from Microsoft Proxy Server 2.0 What Gets Migrated... Server and Windows 2000 Diagnostic Tools ISA Server Troubleshooting Resources Troubleshooting ISA Server Installation and Configuration Problems Hardware and Software Compatibility Problems ISA Server Doesn’t Meet Minimum System Requirements ISA Server Exhibits Odd Behavior When Windows 2000 NAT Is Installed Internal Clients Are Unable to Access External Exchange Server Initial Configuration Problems... corporations Internet Security and Acceleration Server (ISA Server) is Microsoft’s latest entry into the firewall market Its opening debut was impressive: within less than 30 days of its release in late 2000, it had already achieved ICSA Labs Certification for firewalls For anyone familiar with ISA Server s predecessors, Proxy Server 1.0 and 2.0, they will recognize that ISA Server represents a significant improvement . listening. www.syngress.com/solutions solutions@syngress.com 132 _ISA_ FM 4/2/01 4:29 PM Page i 132 _ISA_ FM 4/2/01 4:29 PM Page ii CONFIGURING ISA SERVER 2000: BUILDING FIREWALLS FOR WINDOWS 2000 132 _ISA_ FM 4/2/01. ISA Server 2000 Configuring 1 YEAR UPGRADE BUYER PROTECTION PLAN Building Firewalls for Windows 2000 Everything You Need to Deploy ISA Server in