Chapter 1 Introduction to Microsoft Internet Security and Acceleration Server 2000 1
About This Chapter 1
Before You Begin 2
Lesson 1 Overview of ISA Server 3
Editions Comparison 3
ISA Server Enterprise Edition 3
ISA Server Standard Edition 4
Key Differences 4
ISA Server Roles 4
Internet Firewall 5
Secure Server Publishing 5
Forward Web Caching Server 5
Reverse Web Caching Server 5
Integrated Firewall and Web Cache Server 5
Windows 2000 Integration 6
Extensibility 9
Scalability 9
ISA Server Architecture 10
Practice: ISA Server Overview Presentation 15
Lesson Summary 16
Lesson 2 Introduction to the ISA Server Firewall 17
Filtering Methods 17
IP Packet Filtering 17
Circuit-Level (Protocol) Filtering 18
Application Filtering 19
Bandwidth Rules 22
Integrated Virtual Private Networking 22
Integrated Intrusion Detection 24
Packet Filter Intrusions 24
Secure Publishing 25
Lesson Summary 27
Lesson 3 Overview of ISA Server Caching 28
High-Performance Web Cache 28
Forward Web Caching Server 28
Reverse Web Caching Server 30
Active Caching 31
Scheduled Content Download 31
CARP and Cache Server Scalability 32
Hierarchical Caching 33
Web Proxy Routing 34
Lesson Summary 35
Lesson 4 ISA Server's Management Features 37
Intuitive User Interface 37
Policy-Based Access Control 38
Integrated Administration 38
Tiered Policy 40
Array Policy 40
Enterprise Policy 41
Lesson Summary 41
Review 43
Chapter 2 Installing Microsoft Internet Security and Acceleration Server 2000 45
About This Chapter 45
Before You Begin 46
Capacity Planning 47
Lesson 1 Planning for an ISA Server Installation 47
Minimal Requirements 48
Remote Administration Requirements 48
Firewall Requirements 48
Forward Caching Requirements 49
Publishing and Reverse Caching Requirements 50
Array Considerations 50
Standalone Servers and Single-Server Arrays 51
Array Requirements 51
ISA Server Mode 52
Internet Connectivity Considerations 53
Publishing and Connectivity 54
ISA Server in the Network 54
Windows NT 4.0 Domain 54
ISA Server Configuration Data 54
Small Office Scenario 55
ISA Server Network Topology Scenarios 55
Remote Access Server 55
Internet Connection Server 55
Enterprise Scenario 56
Enterprise Network Configuration 56
Web Publishing Topologies 58
Co-Located Web Server 58
Web Server on Local Network 58
Co-Located Exchange Server 59
Exchange Server Publishing Topologies 59
Exchange Server on Local Network 60
Perimeter Network (DMZ) Scenarios 60
Back-to-Back Perimeter Network Configuration 61
Three-Homed Perimeter Network (DMZ) Configuration 62
Lesson Summary 63
Lesson 2 Performing an ISA Server Installation 64
Before You Install ISA Server 64
Setting Up the Network Adapter 64
Setting Up a Modem or ISDN Adapter 65
TCP/IP Settings 65
Windows 2000 Routing Table 66
Installing ISA Server 66
Initializing the Enterprise 67
Installation Procedure 68
Constructing the Local Address Table 70
Windows 2000 Routing Table 71
Default Settings 71
Troubleshooting ISA Server Installation 72
Practice: Installing ISA Server Enterprise Edition 73
Exercise 1: Initializing the Enterprise 73
Exercise 2: Installing ISA Server Software 74
Lesson Summary 77
Lesson 3 Migrating from Proxy Server 2.0 78
Migrating from Microsoft Proxy Server 2.0 78
Operating System Considerations 78
Proxy Server on Windows 2000 78
Proxy Server on Windows NT 4.0 79
Proxy Server 2.0 Array Considerations 80
Migrating to an Array 81
Migrating Proxy Server 2.0 Configuration 82
Proxy Chains 82
Web Proxy Client Requests 82
Publishing 82
Cache 82
SOCKS 82
Lesson Summary 83
Rules and Policies 83
Review 84
Chapter 3 Configuring Secure Internet Access 85
About This Chapter 85
Before You Begin 86
Lesson 1 Configuring Local Clients for Secure Internet Access 87
About ISA Server Clients 87
Assessing Client Requirements 88
Configuring SecureNAT Clients 90
Configuring SecureNAT Clients on a Simple Network 91
Configuring SecureNAT Clients on a Complex Network 91
Additional SecureNAT Configuration for Dial-up Networks 91
Resolving Names for SecureNAT Clients 92
Internet Access Only 92
Internal Network and Internet Access 92
Firewall Clients 92
Advanced Client Configuration 94
Firewall Client Application Settings 94
Sample Wspcfg.ini File 95
Web Proxy Service 97
Configuring Web Proxy Clients 98
Direct Access 99
Practice 1: Establishing Secure Internet Access for Web Proxy Clients 99
Exercise 1: Creating a Protocol Rule 100
Exercise 2: Configuring Internet Explorer to Use the Web Proxy Service 101
Practice 2: Installing Firewall Client 101
Lesson Summary 102
Exercise: Installing Firewall Client over the Local Network 102
Lesson 2 Configuring ISA Server Dial-up Connections 103
Configuring Dial-up Entries 103
Dial-on-Demand 105
Configuring Dial-on-Demand 106
Limiting ISA Server Dial-out to External Sites 107
Closing Dial-up Connections 108
Practice: Configuring a Dial-up Entry 108
Exercise 1: Testing Internet Connectivity 108
Exercise 2: Creating a New Dial-up Entry 109
Exercise 3: Configuring ISA Server to Route through the Dial-up Entry 110
Exercise 4: Restarting the Firewall Service 110
Exercise 5: Viewing SecureNAT Session Information 111
Lesson Summary 111
Lesson 3 Configuring Automatic Discovery of ISA Server 112
Automatic Discovery 112
Configuring WPAD and WSPAD on the DNS or DHCP Server 113
Verifying Automatic Discovery for Firewall Clients 115
Automatic Discovery for Firewall Clients 115
Automatic Discovery for Web Proxy Clients 116
Troubleshooting Automatic Discovery 116
Practice: Configuring Automatic Discovery 117
Exercise 1: Publishing Automatic Discovery 117
Exercise 2: Creating a WPAD Alias (CNAME) Record in DNS 118
Exercise 3: Enabling Automatic Discovery on a Firewall Client 118
Exercise 4: Testing Automatic Discovery 118
Lesson Summary 119
Lesson 4 Troubleshooting ISA Server Client Connectivity 120
Troubleshooting Client Connections 120
Troubleshooting Dial-up Entries 122
Restarting Services after Configuration Changes 123
Lesson Summary 126
Review 127
Chapter 4 Configuring Internet Security Using Access Policies 129
About This Chapter 129
Before You Begin 130
Lesson 1 Creating an Access Policy with ISA Server 131
Controlling Outgoing Requests 131
Configuring Access Policy 133
Rules and Authentication 134
SecureNAT Clients and Authentication 134
Firewall Clients and Authentication 135
Web Proxy Clients and Authentication 135
ISA Server System Security (System Hardening) 136
Getting Started Wizard 137
Lesson Summary 139
Lesson 2 Creating Customized Policy Elements 140
Policy Elements 140
Array-Level and Enterprise-Level Policy Elements 140
Configuring Schedules 141
Configuring Destination Sets 142
Client Address Sets 144
Configuring Protocol Definitions 145
Client Users and Groups 145
Direction 146
Configuring Content Groups 147
Practice: Creating Policy Elements 149
Exercise 1: Creating a Schedule 149
Exercise 2: Creating a Destination Set 150
Lesson Summary 151
Lesson 3 Configuring Protocol Rules 152
Protocol Rules 152
Protocol Rule Configuration Scenario 153
Protocol Availability 154
Application Filters and Protocol Availability 155
Processing Order 156
Array-Level and Enterprise-Level Protocol Rules 156
Web Protocols 156
Protocol Definitions that are Installed with ISA Server 157
Practice: Assigning Protocol Rules to User Accounts 160
Exercise 2: Requiring Authentication for Web Sessions 161
Exercise 1: Monitoring Sessions in ISA Management 161
Exercise 3: Assigning a Protocol Rule to a Windows 2000 User 162
Lesson Summary 164
Lesson 4 Configuring Site and Content Rules 165
Site and Content Rules 165
Processing Order 165
Allow and Deny Actions 166
Destination Sets and Path Processing 166
Array-Level and Enterprise-Level Site and Content Rules 167
Sample Site and Content Rule 168
Content Groups 168
Practice: Creating New Site and Content Rules 174
Exercise 1: Denying User1 Access to Audio and Video Content 175
Exercise 2: Testing the Configuration 176
Lesson Summary 177
Lesson 5 Configuring IP Packet Filters 178
When to Use IP Packet Filters 178
Creating IP Packet Filters 179
Configuring Packet Filter Options 183
IP Fragment Filtering 183
IP Options Filtering 184
Logging Packets 184
Practice: Running Internet Services on the ISA Server Computer 185
Exercise 1: Creating an IP Packet Filter for Incoming (POP3) Mail 185
Exercise 2: Creating an IP Packet Filter for Outgoing (SMTP) Mail 187
Exercise 3: Creating an IP Packet Filter for NNTP 188
Exercise 4: Creating an IP Packet Filter to Allow Outgoing Web Requests (DNS Queries) 189
Exercise 5: Creating an IP Packet Filter for Web Content (HTTP) 190
Lesson Summary 191
Lesson 6 Configuring ISA Server to Detect External Attacks and Intrusions 192
Intrusion Types and Alerts 192
Port Scan Attack 193
All Ports Scan Attack 193
Enumerated Port Scan Attack 193
Ping of Death Attack 194
Land Attack 194
IP Half Scan Attack 194
UDP Bomb Attack 195
Windows Out-of-Band Attack (WinNuke) 195
Configuring Intrusion Detection 195
Practice: Configuring Intrusion Detection on ISA Server 197
Exercise: Enabling Intrusion Detection 197
Lesson Summary 198
Review 199
Before You Begin 201
Chapter 5 Configuring Internet Acceleration through the ISA Server Cache 201
About This Chapter 201
Lesson 1 Creating a Basic Cache Policy with Routing Rules 202
How Caching Works 202
Processing Caching Rules 202
Cache Configuration Properties 203
Routing Rules 203
When to Cache Content 203
Applying Routing Rules to Particular Destinations 204
When to Retrieve Objects from the Cache 204
Default Routing Rule 208
Processing Flow for Caching 208
Rule Order 208
Cache Filtering 210
Additional Cache Policy 211
Practice: Caching Dynamic Content 211
Exercise: Creating a Routing Rule Caching Both Non-Dynamic and Dynamic Content 211
Lesson Summary 213
Cache Requirements and Recommendations 214
Lesson 2 Configuring Cache Properties in ISA Server 214
Configuring Cache Drives 214
Configuring Size and Location 215
Cache Content Files 216
Configuring How ISA Server Caches Objects 217
Configuring Which Content to Cache 217
Configuring Expiration Policy 218
Request Headers 218
Response Headers 218
RAM Caching 218
HTTP Object Caching 219
FTP Object Caching 220
Returning Expired Objects 221
Configuring Active Caching 223
Configuring Negative Caching 224
Practice 1: Enabling Active Caching 224
Exercise: Enabling Active Caching 224
Practice 2: Adjusting the Amount of RAM Used for Caching 225
Exercise: Adjusting the Percentage of Available Memory Used for Caching 225
Lesson Summary 225
Lesson 3 Scheduling Cache Content Downloads 226
Scheduled Cache Content Downloads 226
Updating Cache Content Automatically 226
Configuring Properties for Existing Download Jobs 227
Configuring the Schedule for Content Download Jobs 229
Downloading Dynamic Content 229
Practice: Creating a Scheduled Content Download Job 230
Exercise: Scheduling a Content Download for Microsoft Online Seminars 230
Lesson Summary 231
Review 232
Chapter 6 Secure Server Publishing 233
About This Chapter 233
Before You Begin 233
Publishing Policy Rules 234
Lesson 1 Publishing Servers Securely 234
Server Publishing Rules 235
How Server Publishing Works 235
Server Publishing Rule Actions 237
Sample Rule Action 237
Client Address Sets 238
Server Publishing Rules and IP Packet Filters 239
Publishing Servers on a Perimeter Network 239
Practice: Publishing an Internal Server 240
Server on the Same Computer as ISA Server 240
Exercise 1: Creating a Publishing Rule on Server1 241
Exercise 2: Verifying the FTP Server Connection 242
Lesson Summary 243
Lesson 2 Publishing Web Servers Securely 244
Web Publishing Rules 244
Destination Sets and Client Sets 244
Web Publishing Rule Actions 246
SSL and HTTP Bridging 247
Rule Order 248
Default Web Publishing Rule 248
Sample Web Publishing Rule 248
Publishing a Web Server on the Local Network 249
Publishing a Web Server Hosted on the ISA Server Computer 250
Using Packet Filters to Publish a Web Server on the ISA Server Computer 250
Practice: Publishing a Web Server on the ISA Server Computer 251
Exercise 1: Configuring Incoming Web Request Properties 251
Exercise 2: Creating a Destination Set for the Web Server 252
Exercise 4: Creating a Web Publishing Rule 253
Exercise 3: Preparing the Web Site 253
Exercise 5: Testing the Configuration 254
Lesson Summary 255
Lesson 3 Publishing Mail Servers 256
Mail Server Security Wizard 256
Mail Wizard Settings 257
Content Filtering 257
Exchange Server on the ISA Server Computer 258
Configuring Exchange Server on the Local Network 258
Practice: Publishing the SMTP Service 259
Exercise 1: Configuring the SMTP Service 259
Exercise 2: Creating a Mail Wizard Rule 260
Exercise 3: Configuring Outlook Express 261
Exercise 4: Testing the Configuration 262
Lesson Summary 263
Review 264
Before You Begin 265
About This Chapter 265
Chapter 7 Securing Enterprise Networks with ISA Server 265
Lesson 1 Applying Enterprise Policies 266
Enterprise Policies and Arrays 266
How Enterprise Policies are Applied 266
Creating an Enterprise Policy 267
Configuring the Policy Settings for an Enterprise 268
Backing Up and Restoring an Enterprise Configuration 271
Practice: Creating and Applying an Enterprise Policy 272
Exercise 1: Creating an Enterprise Policy 272
Exercise 2: Creating a New Array that Inherits the Default Enterprise Policy 274
Exercise 3: Testing the Configuration 275
Lesson Summary 277
Lesson 2 Configuring ISA Server Arrays 279
Creating ISA Server Arrays 279
Array Requirements 280
Arrays and Standalone Servers 280
Promoting Standalone Servers 281
Array Member Settings 283
Storing an Array Configuration 283
Controlling Array Membership 284
Backing Up and Restoring an Array Configuration 285
Backing Up the Configuration 285
Backing Up a Standalone Server Configuration 286
Restoring the Configuration 286
Using Arrays to Provide Fault Tolerance 287
Fault Tolerance for Firewall Clients 288
Fault Tolerance for SecureNAT Clients 288
Cache Array Routing Protocol 290
How CARP Works 290
Configuring CARP 291
Configuring the Load Factor 292
CARP and Scheduled Content Download 292
Lesson Summary 293
Integrating Virtual Private Networks with ISA Server 294
Lesson 3 Securing Virtual Private Networks with ISA Server 294
Configuring the Network for VPN Connectivity 295
Using the ISA Server VPN Configuration Wizards 296
Local ISA Server VPN Configuration Wizard 296
Remote ISA Server VPN Configuration Wizard 297
ISA Virtual Private Network Configuration Wizard 298
Reconfiguring the VPN 298
ISA Server and IPSec 299
Large Network Scenario with VPN and Routing 300
Large Network VPN Description 300
Meeting Network Requirements 301
ISA Server Array at the United States Headquarters 301
ISA Server Array at the Canada Branch Office 301
ISA Server Array at the United Kingdom Branch Office 301
Enterprise Policy at Headquarters 302
ISA Server Policy at the Canada Branch Office 303
Lesson Summary 304
ISA Server Policy at the United Kingdom Branch Office 304
Review 305
Chapter 8 Secure Videoconferencing with H.323 Gatekeeper 307
About This Chapter 307
Before You Begin 308
Lesson 1 Configuring Clients to Use H.323 Gatekeeper 309
H.323 Protocol 309
Intra-Enterprise Conference Call Scenario 310
H.323 Gatekeeper Usage Scenarios 310
H.323 Gatekeeper Snap-in 310
Overview of H.323 Gatekeeper 310
Inter-Enterprise Conference Call Scenario 311
PSTN Call Scenario 312
Registering Clients with H.323 Gatekeeper 313
Endpoint Attributes 314
Aliases 314
Client Address Translation 315
From within Your Company 316
At the Destination 316
Installing H.323 Gatekeeper 317
Practice: Configuring a Client to use H.323 Gatekeeper 318
Exercise 1: Adding a Gatekeeper 318
Exercise 2: Configuring NetMeeting to Use H.323 Gatekeeper 318
Exercise 3: Testing the Configuration 320
Lesson Summary 320
Lesson 2 Routing Conference Calls with H.323 Gatekeeper 322
Call Routing Rules 322
Phone Number Rules 323
Example of a Phone Number Rule 324
IP Address Rules 326
IP Address Rule Resolution Example 327
E-mail Address Rules 327
Rule Processing and Destinations 330
None 330
Registration Database 330
Gateway/Proxy 331
Internet Locator Service (ILS) 331
Local Network 332
Active Directory Directory Services 332
Gatekeeper 332
DNS 332
Multicast Gatekeeper 332
Applying Rules to Calls 333
Inbound Calls 333
Outbound Calls 334
Lesson Summary 335
Review 336
Chapter 9 Monitoring and Optimizing ISA Server Performance 337
About This Chapter 337
Before You Begin 338
Lesson 1 Configuring Alerts 339
Preconfigured Alerts 339
Alert Conditions 341
Event Location 342
Event Thresholds 342
Alert Action 343
ISA Server Events 345
Practice: Configuring an Alert to Send an E-mail Message 348
Exercise: Configuring the Intrusion Detected Alert to Send You an E-mail Message 348
Lesson Summary 349
Lesson 2 Logging ISA Server Activity 350
Managing ISA Server Logs 350
Logging to a File 352
W3C Format 353
Log File Names 354
ISA Format 354
Log File Options 355
Logging to a Database 356
Logging Packets 359
Firewall and Web Proxy Log Fields 360
Packet Filter Log Fields 370
Practice: Reading Web Logs 372
Exercise: Analyzing a Web Log 372
Lesson Summary 373
Configuring Reports 374
Lesson 3 Creating ISA Server Reports 374
Viewing Reports 375
Summary Reports 375
Web Usage Reports 376
Application Usage Reports 376
Security Reports 377
Configuring Report Jobs 377
Traffic Utilization Reports 377
Report Job Credentials 379
Configuring Report Log Summaries 380
Report Database 381
Practice: Creating and Viewing Reports 382
Exercise 1: Creating a Report Job 382
Exercise 2: Viewing Reports 384
Lesson Summary 385
Effective Bandwidth for Dial-up Connections 386
Lesson 4 Controlling Bandwidth 386
Determining Effective Bandwidth 386
Effective Bandwidth for Dedicated Network Connections 387
Configuring Bandwidth Priorities 389
Configuring Bandwidth Rules 391
Rule Order 393
Default Bandwidth Rule 394
Practice: Creating a Bandwidth Rule 394
Exercise 1: Creating a New Bandwidth Priority Policy Element 394
Exercise 2: Creating a New Bandwidth Rule 395
Lesson Summary 396
Lesson 5 Additional Tuning and Monitoring Tools 397
Tuning ISA Server Performance 397
Tuning Cache Performance 398
ISA Server Performance Objects and Counters 399
ISA Server Performance Monitor 400
Performance Objects and Counters Included in ISA Server 402
Lesson Summary 421
Review 422
Chapter 10 Troubleshooting ISA Server 423
About This Chapter 423
Before You Begin 423
Lesson 1 Troubleshooting Tools in ISA Server 424
Troubleshooting Tools 424
ISA Server Reports 424
Event Viewer 425
Netstat 426
Performance Monitor 426
Telnet 428
Network Monitor 429
The Routing Table 430
The Route Determination Process 431
Troubleshooting Routing Tables 431
Practice: Testing Port Status 432
Exercise: Testing ISA Server ports 432
Lesson Summary 435
Lesson 2 Troubleshooting Strategies in ISA Server 436
Troubleshooting User Access 436
Authentication 436
Troubleshooting Packet-Based Access Problems 438
VPN Network Considerations 439
Additional Troubleshooting Notes 440
Lesson Summary 444
Review 446
Appendix A Questions and Answers 449
Appendix B Deploying and Administering ISA Server in a Complex Network 479
About This Appendix 479
Before You Begin 479
Scenario Background 480
Questions 480
Appendix C Event Messages 489
Alert Event Messages 490
Bandwidth Event Messages 491
Cache Event Messages 492
Common Service Event Messages 495
Dial-up Connection Events 499
Firewall Service Event Messages 500
Winsock Error Code Messages 505
Intrusion Detection Event Messages 538
Log Event Messages 543
Control Service Event Messages 547
Packet Filter Event Messages 549
Server Event Messages 551
Web Proxy Service Event Messages 555
HTTP Messages 558
HTML Messages 561
Gopher Messages 562
FTP Messages 563
Internet Messages 563
Appendix D Glossary 567
Index 581