Microsoft ISA Server 2006 UNLEASHED, part 4 (docx)

CHAPTER 5 Deploying ISA Server 2006 as a Firewall

Examining Advanced ISA Firewall Concepts

- Logging—The Logging group contains the Remote NetBIOS Logging and Remote SQL Logging configuration groups, which enable the ISA server to send its logs to other servers, such as an internal SQL database.
- Remote Monitoring—The Remote Monitoring group contains the Remote Performance Monitoring, Microsoft Operations Manager, and SMTP configuration groups, which enable monitoring services such as MOM to access the ISA server and SMTP emails to be sent from ISA.
- Various—The Various group contains the Scheduled Download Jobs and the Allowed Sites configuration groups. Of particular note is the Allowed Sites configuration group, which defines the System Policy Allowed Sites, as shown in Figure 5.14. Unless specific websites are added into this list, the ISA server cannot access them.

FIGURE 5.14 Viewing the System Policy Allowed Sites list.

Troubleshooting why an ISA server cannot perform certain functionality should always include a visit to the System Policy Editor. The built-in system policy rules allow for the configuration of multiple deployment scenarios with ISA Server 2006.

Summary

ISA Server 2006 fills many roles at many organizations. In certain environments, it provides dedicated web-proxy capabilities. In other locations, it serves as a dedicated OWA reverse-proxy server. All these deployment scenarios utilize specific pieces of ISA functionality, but the full range of ISA functionality can only be had when it is deployed as a dedicated Application-layer firewall.

The capability of ISA firewalls to provide for robust and secure stateful inspection of all traffic passing through them gives them an added edge over traditional packet-filtering firewalls. In addition, the capability to provide for advanced logging, server publishing, and VPN functionality positions ISA squarely in many environments for the long term.

Best Practices
- Deploy an ISA-secured perimeter network to isolate Internet-facing services from the rest of the internal network.
- Get acquainted with the System Policy Editor, and understand what default system policy rules are in place on the ISA server.
- Use the Network Template wizard for the initial configuration of a new ISA server, but manually create networks and network rules for any changes that are made after the server goes into production.
- Create access rules on the firewall only when there is a specific business need to do so. If there is not, leave the traffic denied.
- Create networks in ISA to correspond with each network card that is connected to a logical grouping of subnets connected by network routers. Do not create individual networks for multiple subnets to which ISA is not directly connected.

CHAPTER 6 Deploying ISA Server Arrays with ISA Server 2006 Enterprise Edition

IN THIS CHAPTER:
- Understanding ISA Server 2006 Enterprise Edition
- Deploying the Configuration Storage Server (CSS)
- Setting Up Enterprise Networks and Policies
- Creating and Configuring Arrays
- Installing and Configuring ISA Enterprise Servers
- Configuring Network Load Balancing and Cache Array Routing Protocol (CARP) Support
- Summary
- Best Practices

ISA Server 2006 is a remarkably adaptable, scalable system that provides for a variety of deployment scenarios for organizations of many sizes. The Standard version of ISA Server 2006, for example, can be deployed as an edge firewall, reverse-proxy server, content-caching box, VPN server, or a combination of these roles. These capabilities satisfy the needs of many small to mid-sized organizations, but for those mid-sized to large organizations wanting to take advantage of those same features, Microsoft offers the Enterprise version of the software.
The Enterprise version of ISA Server 2006 enables organizations to scale their ISA implementations outward, providing for redundancy through Network Load Balancing (NLB) and making it possible to create standardized security configurations. With the Enterprise Edition, all the capabilities of the Standard Edition are extended and made more manageable, enabling ISA to scale to deployments of multiple sizes.

This chapter focuses on deployment scenarios involving the Enterprise version of ISA Server 2006. Differences between the Standard and Enterprise versions are discussed, and best-practice design considerations for the Enterprise version are outlined. In addition, a step-by-step process for configuring a load-balanced ISA Server 2006 Enterprise environment is outlined.

NOTE
The focus of this chapter is directly on those features of the Enterprise Edition that are different from the Standard, and that require different design and configuration. All other chapters in this book apply to the Standard Edition. The functionality in those chapters is the same as with the Enterprise Edition. Consequently, if additional information on specific topics is desired, such as VPN support with the Enterprise Edition, the VPN chapters of this book should be referenced.

Understanding ISA Server 2006 Enterprise Edition

Unlike most Microsoft products, the Standard and Enterprise versions of the previous release, ISA Server 2004, were released separately, approximately half a year apart. This caused some confusion over what the Enterprise Edition was, and what distinguished it from the Standard version and from the previous Standard and Enterprise versions of ISA 2000. With ISA Server 2006, the two editions were released together, but there was still considerable confusion between the two different products.
To more fully understand the Enterprise version, it is important first to note the differences between Standard and Enterprise.

Exploring the Differences Between the Standard and Enterprise Versions of ISA Server 2006

The Enterprise version of ISA Server 2006 contains all the features and functionality of the Standard version, in addition to the following features:

- Network Load Balancing (NLB) Support—Only the Enterprise version of ISA Server 2006 supports Network Load Balancing (NLB) clusters, allowing for automatic failover and load balancing of services across array members.
- Cache Array Routing Protocol (CARP) Support—The Enterprise version supports the Cache Array Routing Protocol (CARP) to properly balance web proxy requests across an array.
- Configuration Storage Server (CSS)—One of the biggest differences between Standard and Enterprise is that the Enterprise Edition uses a Configuration Storage Server (CSS) to store ISA rules and configuration. A CSS is an Active Directory in Application Mode (ADAM) implementation (essentially a “light” version of an Active Directory forest) and can be installed on non–ISA servers. This also allows for centralized management of ISA servers.
- Enterprise and Array Policy Support—As opposed to the Standard version, which allows only a single set of rules to be applied, ISA Enterprise allows a combination of global Enterprise policy rules and individual array rules that are used in combination with one another.

Designing an ISA Server 2006 Enterprise Edition Environment

The Enterprise version of ISA Server 2006 is designed differently from the Standard version. For instance, the CSS component itself changes the entire design equation. The concept of arrays also makes the ISA Enterprise version unique. It is therefore important to understand what design factors must be taken into account when dealing with the EE.
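The chapter only names CARP, so the following added Python example (written for this page, not code from the book, from Microsoft, or from ISA's own implementation) shows the routing idea CARP is built on, generally called rendezvous or highest-random-weight hashing: every array member is scored against each URL and the highest score wins, so each member can decide locally which peer owns a request, and removing a member reassigns only that member's share of URLs. It goes beyond the text's one-line mention by demonstrating that failover property. The member names, the URL list and the SHA-256 scoring function are constructed for the example; the CARP specification defines its own 32-bit hash and load-factor arithmetic, which is not reproduced here.

```python
import hashlib
from typing import Dict, Sequence, Set


def score(member: str, url: str) -> int:
    """Score one (member, url) pair. Any well-distributed hash gives the routing
    property shown here; CARP's own hash and load factors are not reproduced."""
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def carp_route(url: str, members: Sequence[str]) -> str:
    """Return the array member that should serve `url`: the highest score wins,
    so every member computes the same answer without any coordination."""
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: score(m, url))


def distribute(urls: Sequence[str], members: Sequence[str]) -> Dict[str, Set[str]]:
    """Map each member to the set of URLs it would own."""
    owned: Dict[str, Set[str]] = {m: set() for m in members}
    for url in urls:
        owned[carp_route(url, members)].add(url)
    return owned


def moved_urls(urls: Sequence[str], before: Sequence[str], after: Sequence[str]) -> Set[str]:
    """URLs whose owner changes when the member list goes from `before` to `after`."""
    return {u for u in urls if carp_route(u, before) != carp_route(u, after)}


# Constructed sample data: a three-member array and a batch of cacheable URLs.
MEMBERS = ["ISA-EDGE1", "ISA-EDGE2", "ISA-EDGE3"]
URLS = [f"http://www.example.com/page{i}.html" for i in range(200)]


def failover_impact(removed: str = "ISA-EDGE3") -> Dict[str, object]:
    """Compare the assignment with and without `removed`. With rendezvous hashing
    the only URLs that move are the ones the removed member owned; every other
    URL keeps its cached copy on the same surviving member."""
    survivors = [m for m in MEMBERS if m != removed]
    before = distribute(URLS, MEMBERS)
    moved = moved_urls(URLS, MEMBERS, survivors)
    return {
        "owned_by_removed": len(before[removed]),
        "moved": len(moved),
        "moved_is_exactly_removed_share": moved == before[removed],
    }


if __name__ == "__main__":
    print(failover_impact())
```

The point to take from the run is the last field: when a member leaves the array, the surviving members keep exactly the URLs they already owned, which is why a CARP array does not see a cache-wide reshuffle on failover the way a simple modulo-by-member-count scheme would.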
The first design decision that must be made with the Enterprise Edition is where to store the CSS. The CSS is a critical server in an ISA topology, and can be installed on any Windows 2000/2003 server in an environment. In certain cases, it is installed on the actual ISA server itself, and in other cases, it is installed on a dedicated machine or on a domain controller. In smaller environments, the CSS would be installed directly on the ISA server. In larger and more secure environments, however, the CSS would be installed on systems within the network, such as in the ISA environment displayed in Figure 6.1. Because the Configuration Storage Server is essentially an LDAP-compliant, scaled-down version of an Active Directory forest, it can easily be replicated to multiple areas in an organization. It is ideal to configure at least one replica of the CSS server to maintain redundancy of ISA management.

NOTE
Although the ISA servers get their configuration information from a CSS server, they do not shut down or fail if the CSS is down. Instead, they continue to process rules based on the last configuration given to them from the CSS server.

The example illustrated in this chapter uses a single CSS server installed on an internal domain controller, as shown in Figure 6.2. In addition, step-by-step deployment guides to setting up two ISA Server 2006 Enterprise servers running as edge firewalls in a network load balanced array of ISA servers are outlined. Although ISA Server Enterprise allows for a myriad of deployment models, this deployment scenario illustrates one of the more common ISA deployment scenarios, which is one that takes full advantage of ISA functionality. Other common deployment models, such as ISA deployment in a workgroup and unihomed ISA reverse-proxy systems, are similar in many ways, with slight variations to implementation.
Deploying the Configuration Storage Server (CSS)

The Configuration Storage Server (CSS) is the central repository for all of ISA’s rules and configuration information, and is therefore an extremely important piece of the ISA Enterprise environment. The ISA Standard version does not have a CSS equivalent because the rules and configuration of the Standard version are all stored locally. It is important to understand how to deploy and work within the CSS model before deploying and administering ISA Server 2006 Enterprise Edition.

FIGURE 6.1 Examining a complex ISA Enterprise deployment. (The figure shows a three-site deployment, New York, Paris, and Tokyo, with an AD domain controller acting as CSS server and further AD domain controllers holding CSS replicas, an Edge-Array, an NY-Email-Array, a Paris-Email-Array and a Tokyo-Email-Array, Exchange mailbox servers, an SMTP mail filter, a front-end OWA server, a New York DMZ network, per-site internal and email networks with clients, and remote clients on the Internet.)

FIGURE 6.2 Conceptualizing the CSS deployment model illustrated in this chapter. (The figure shows an Edge-Array of two ISA servers between the Internet and the internal network: external addresses 64.155.166.150 and 64.155.166.149 sharing VIP 64.155.166.151; internal addresses 10.10.10.101 and 10.10.10.102 sharing VIP 10.10.10.1; an NLB network with addresses 172.16.1.101 and 172.16.1.102; and an AD domain controller/CSS server at IP 10.10.10.20, subnet mask 255.255.255.0, gateway 10.10.10.1.)

Determining CSS Placement

As previously mentioned, there are several deployment scenarios for the CSS, starting with simpler, smaller deployments and moving up to larger deployments. These scenarios are as follows:

- CSS installed on the ISA server itself
- CSS installed on a separate server or servers running other services, such as a domain controller
- CSS on a dedicated server
- Multiple CSS servers on multiple types of servers

With CSS, the important thing to remember is that it should be secured and made highly redundant. In addition, there should be a local CSS replica relatively close to the ISA arrays themselves. The ISA servers need to constantly communicate with the CSS server to check for changes in policy.

Installing CSS

As soon as the decision has been made about where to install the CSS server, the install process can begin. The following procedure describes the installation of CSS onto a separate server—in this case, a domain controller:

1. Insert the ISA Server 2006 media in the server’s CD drive and wait for the setup dialog box to automatically appear. If it does not appear, double-click on the ISAAutorun.exe file in the root of the media directory.
2. Click on Install ISA Server 2006.
3. At the welcome screen, click Next to continue.
4. Select I Accept the Terms in the License Agreement and click Next.
5. Enter a User Name, Organization Name, and the Product Serial Number and click Next.
6. From the Setup Scenarios dialog box, shown in Figure 6.3, select Install Configuration Storage Server and click Next.
7. In the Component Selection dialog box, where ISA Server Management and Configuration Storage Server are selected for installation, leave the selections at the default and click Next.
8. From the Enterprise Installation Options, shown in Figure 6.4, select Create a New ISA Server Enterprise and click Next.
9. At the warning dialog box about creating a new CSS, click Next.

FIGURE 6.3 Installing the Configuration Storage Server.

FIGURE 6.4 Creating a new ISA Server Enterprise.

10. If the CSS is being installed on a domain controller, the dialog box shown in Figure 6.5 prompts for the credentials that the CSS service will run under.
Enter the username and password of a domain admin account and click Next to continue.
11. Click the Install button to begin installing files.
12. After installation, click Finish.
13. Following installation, review the Protect the ISA Server Computer recommendations provided. This web file provides best-practice information on securing ISA components.

FIGURE 6.5 Configuring the login account for the CSS service.

Setting Up Additional CSS Replicas

After the initial Enterprise has been created, it’s possible to generate additional replicas of the Enterprise itself by re-running the setup and choosing to create a replica instead of a new Enterprise.

Setting Up Enterprise Networks and Policies

With a CSS Enterprise in place, the groundwork can be laid for the eventual introduction of the ISA servers. The key is to preconfigure information that will be global for all ISA servers and arrays within an organization. The ISA admin console, a default installation option on a CSS server, is used in this capacity, and can be run even before official ISA servers are installed. The console, shown in Figure 6.6, is slightly different from the Standard Edition console. Several Enterprise options have been added.

Although it is possible to wait to configure the options in the console until the servers are installed, it is often preferable to preconfigure them.

Delegating Administration of ISA

The first step that should be performed after the CSS Enterprise has been established is the delegation of administration to individual users or, preferably, groups of users. To delegate administration to a group, for example, perform the following steps:

1. On the server where CSS was installed, start the ISA Server 2006 Enterprise Admin Console (Start, All Programs, Microsoft ISA Server, ISA Server Management).
2. From the console tree, click on the Enterprise node.
3. In the Tasks tab of the Tasks pane, click on the link Assign Administrative Roles.
4. Click the Add button.
5. Enter the DOMAIN\Groupname into the Group or User field (or use the Browse button) and select a role that matches the group chosen, as illustrated in Figure 6.7.
6. Click the Add button to add groups as necessary.
7. Click OK to close the dialog box.
8. Click Apply and then click OK to save the changes.

FIGURE 6.6 Exploring the ISA Enterprise admin console.

[...]

Adding the ISA Server(s) to the Managed ISA Server Computer Set

Before any ISA servers can be added to an array, they must be defined on the CSS server, in a group known as the “Managed ISA Server Computers” computer set. This predefined computer set exists to further secure the ISA environment by ensuring that only the proper servers are installed into the ISA Enterprise.

Installing and Configuring ISA Enterprise [...]

[...] but it is highly recommended to install it on Windows Server 2003 only. This version is the most secure and integrates better with ISA Server 2006. ISA Server 2006 operates if it is installed onto servers that are domain members, and it also functions on servers that are not domain members (workgroup members). Workgroup member ISA servers require server certificates to be installed between CSS members, [...]

[...] the server and wait for the autorun screen to be displayed (or double-click on the ISAAutorun.exe file).
2. Click the Install ISA Server 2006 link.
3. Click the Next button.
4. At the license agreement dialog box, click I Accept the Terms in the License Agreement and click Next.

FIGURE 6.19 Finalizing the addition of the servers [...]
[...] and the other ISA deployment models are outlined, and best-practice configuration information on deploying ISA in this manner is provided, including such common tasks as securing OWA, SharePoint sites, and web servers.

IN THIS CHAPTER:
- ISA Server 2006 as a Security Appliance
- Deploying Unihomed ISA Server 2006 Security Appliances
- Configuring Existing Firewalls to Utilize ISA Server 2006 Reverse Proxy [...]

[...] and received through the same ISA server the entire time. If bi-directional affinity is not enabled, then traffic sent through one ISA server might be routed through the NLB cluster to the wrong server, which causes sporadic serious issues.

Enabling NLB for ISA Networks

To enable NLB on an ISA member server, perform the following procedure on each server:

1. From the ISA Server Admin Console, navigate [...]

[...] policy rule.

Creating and Configuring Arrays

ISA 2000 Enterprise Edition introduced the concept of an array, and ISA Server 2006 Enterprise improved upon it. Essentially, an array is a grouping of ISA servers that have the same NIC configuration and are connected to the same networks. They are meant to act as redundant load-balanced [...]

[...] factors have positioned ISA as one of the more attractive options for securing these particular services.

FIGURE 7.1 Understanding how reverse-proxy servers work. (The figure shows HTTP traffic from the Internet passing a packet-filter firewall, a DMZ network, and an ISA server on its way to an internal network containing an Active Directory server, a web server, a SharePoint server, and an Exchange mailbox server.)

One of the [...]

[...] the unihomed server doesn’t apply, and can be set to All Networks (ISA sees everything that is not local as a single network). With this understanding in mind, more specific information on setting up web server publishing rules can be found in Chapter 14, “Securing Web (HTTP) Traffic.”

Deploying Unihomed ISA Server 2006 Security Appliances

Setup and configuration of unihomed ISA Server 2006 servers is [...]

[...] the server requests. To perform the initial setup and configuration steps for a unihomed ISA Server 2006 system, follow the configuration steps outlined in Chapter 2, “Installing ISA Server 2006.”

Applying the Single Network Adapter Network Template to a Unihomed ISA Server

After installation, it is ideal to configure the server with one of the preexisting network templates that are available on the ISA [...]

[...] more expensive, and a small handful are less expensive than ISA Server 2006. For many organizations, however, the reverse-proxy capabilities of ISA Server have earned it a place as a dedicated security device deployed in the DMZs of their firewalls.

Deploying a Unihomed ISA Server as a Security Appliance

It is important to note that ISA Server 2006 does an extremely good job at providing reverse-proxy [...]
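The bi-directional affinity excerpt above ("traffic sent through one ISA server might be routed through the NLB cluster to the wrong server") is easier to see with a model, so here is an added Python example, written for this page and not code from the book or from ISA's NLB integration. It models the two Edge-Array members of Figure 6.2, an NLB instance on each side of the array that selects a member by hashing a packet address, and a per-member connection-state table of the kind a stateful firewall keeps. Without bi-directional affinity, the reply from the Internet is hashed on the external server's address and can land on the member that never saw the outbound connection, so stateful inspection drops it; with affinity, the external side is keyed on the same internal client address, and every reply reaches the member that holds the state. The modulus-of-address hash, the pairing of hostnames with the figure's addresses, and the client and server addresses are constructed stand-ins, not NLB's real hashing.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Flow = Tuple[str, str]  # (internal client address, external server address)


@dataclass
class ArrayMember:
    name: str
    internal_ip: str
    external_ip: str
    # Connection state this member has seen; a stateful firewall only forwards
    # a reply for a flow it already has state for.
    state: Set[Flow] = field(default_factory=set)


# Dedicated addresses from Figure 6.2 (VIPs 10.10.10.1 / 64.155.166.151 are shared).
# Which hostname holds which dedicated address is an assumption for the model.
MEMBERS: List[ArrayMember] = [
    ArrayMember("ISA-EDGE1", "10.10.10.101", "64.155.166.150"),
    ArrayMember("ISA-EDGE2", "10.10.10.102", "64.155.166.149"),
]


def nlb_pick(key_address: str, members: List[ArrayMember]) -> ArrayMember:
    """Stand-in for NLB's hashing: derive a member from one address. Real NLB
    uses its own hash; only the "same key -> same member" property matters here."""
    return members[int(ipaddress.ip_address(key_address)) % len(members)]


class EdgeArray:
    def __init__(self, members: List[ArrayMember], bidirectional_affinity: bool):
        self.members = members
        self.bda = bidirectional_affinity

    def outbound(self, client: str, server: str) -> ArrayMember:
        """Client packet arrives on the internal VIP; the internal-side NLB hashes
        on the packet's source (the client) and the chosen member records state."""
        member = nlb_pick(client, self.members)
        member.state.add((client, server))
        return member

    def reply(self, server: str, client: str) -> Tuple[ArrayMember, bool]:
        """Server reply arrives on the external VIP. Without affinity the external
        NLB hashes on the packet's source (the server); with affinity the choice is
        keyed on the internal client, so both directions land on the same member."""
        key = client if self.bda else server
        member = nlb_pick(key, self.members)
        accepted = (client, server) in member.state
        return member, accepted


def dropped_replies(flows: List[Flow], bidirectional_affinity: bool) -> int:
    """Send each flow out and back; count replies that reach a member holding no
    state for them, which a stateful firewall drops."""
    array = EdgeArray(
        [ArrayMember(m.name, m.internal_ip, m.external_ip) for m in MEMBERS],
        bidirectional_affinity,
    )
    dropped = 0
    for client, server in flows:
        array.outbound(client, server)
        _, accepted = array.reply(server, client)
        if not accepted:
            dropped += 1
    return dropped


# Constructed flows: internal clients talking to servers in documentation ranges.
FLOWS: List[Flow] = [
    ("10.10.10.50", "198.51.100.7"),
    ("10.10.10.51", "203.0.113.10"),
    ("10.10.10.50", "203.0.113.10"),
    ("10.10.10.51", "198.51.100.7"),
]

if __name__ == "__main__":
    print("without bi-directional affinity, replies dropped:", dropped_replies(FLOWS, False))
    print("with bi-directional affinity, replies dropped:", dropped_replies(FLOWS, True))
```

With this hash, half of the constructed flows get their reply steered to the member without state when affinity is off and none when it is on; the exact fraction depends on the hash and the addresses, which is why the book describes the symptom as sporadic rather than total.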

Posted: 09/08/2014, 09:21
