96 CHAPTER 3 Exploring ISA Server 2006 Tools and Concepts Creating Remote Site Networks for Site-to-Site VPNs ISA Server 2006 also includes the capability to create encrypted tunnels between two disparate networks in an organization that are connected through the Internet. This allows for communication across the Internet to be scrambled so that it cannot be read by a third party. ISA provides this capability through its Remote Site VPN capabilities. The Remote Site VPN options, available on the Remote Sites tab in the Details pane of the VPN node, allow for the creation and configuration of Remote Site networks for site-to-site VPNs. These site-to-site VPN networks enable an organization to connect remote networks together, creating one complete, routable, and logical network, such as the one shown in Figure 3.29. When configuring a site-to-site VPN between two ISA Server 2006 systems, the option exists to secure the traffic by using the IP Security Protocol (IPSec), the Layer 2 Tunneling Protocol (L2TP) over IPSec, or the Point-to-Point Tunneling Protocol (PPTP), depending on the individual organizational security needs. These options are available when running the Create Site-to-Site Connection Wizard that is launched from the Create VPN Site-to- Site Connection link in the Task Pane. In addition to supporting a destination ISA Server 2006 system for site-to-site VPN, ISA Server also supports connecting to a third-party VPN gateway that supports the IPSec protocol. This greatly extends ISA’s reach because third-party firewall solutions that may already be in place are potential candidates for ISA site-to-site VPNs. Specific configuration information for site-to-site VPNs can be found in Chapter 10. Understanding VPN Quarantine The concept of the VPN quarantine network is fairly straightforward, although its imple- mentation is not necessarily so. Essentially, VPN quarantine refers to the capability to have ISA place a client that does not conform to specific criteria into a special quarantined VPN clients network. This network can then be limited to only a specific set of low-risk 63.240.93.138 10.1.1.1 10.1.2.1 12.155.166.151 VPN Tunnel Internet 10.1.2.0/24 10.1.1.0/24 San Francisco Minneapolis FIGURE 3.29 Understanding a site-to-site VPN. 97 3 Examining the Cache Node Settings activities. For example, it may be useful to validate that all clients have approved anti- virus software installed before full access to the network is granted. VPN quarantine is not on by default, and must be specifically set up and configured. Chapter 9 contains step-by-step procedures, but the configuration of VPN quarantine consists of two processes. The first process involves configuring VPN client computers with a special listener that reports to the ISA server if the client passes specified criteria that are necessary for full access. The second component, illustrated in Figure 3.30, involves checking the box in the Quarantined VPN Clients Properties dialog box. Unlike the other VPN settings, you can invoke this dialog box in the Networks node by double-clicking on the quarantined VPN clients network listed under the Networks tab of the Details pane. Examining the Cache Node Settings The Cache node in the ISA Server Console, shown in Figure 3.31, is where content caching can be enabled and configured on an ISA server. Although not enabled by default in the ISA Console, enabling caching can improve network performance and response time by saving copies of images, text, and other data that clients download from web and FTP sites on the Internet and making them available to the next client that requests infor- mation from that particular site. FIGURE 3.30 Enabling VPN quarantine. 98 CHAPTER 3 Exploring ISA Server 2006 Tools and Concepts This section contains a high-level description of the settings available in the ISA Server Console under the Cache node. Further information on deploying ISA Server for its content-caching capabilities can be found in Chapter 8. Enabling Caching It is not immediately evident how to enable caching, in that it is disabled by default when ISA is deployed. Caching is enabled when physical drive space is made available to the caching service. To perform this action, follow these steps: 1. Open the ISA Server 2006 Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management). 2. From the console tree, select the Cache node by clicking on it. 3. In the Task Pane, click the link entitled Define Cache Drives (Enable Caching). 4. In the Define Cache Drives dialog box, select the drive where the cache will be stored. 5. Enter the Maximum cache size in megabytes in the field provided, and click the Set button. 6. Click the OK button. 7. Click the Apply button that is displayed at the top of the Details pane. 8. When presented with the option to restart the services or not, as shown in Figure 3.32, select Save the Changes and Restart the Services and click OK. 9. Click OK when finished. FIGURE 3.31 Viewing the ISA Console Cache node. 99 3 Examining the Cache Node Settings FIGURE 3.32 Enabling caching. NOTE Unlike most other changes made in the ISA Console, configuring cache drives is one of the changes that requires a restart of the firewall service, as noted in the preced- ing procedure. Understanding Cache Rules Caching behavior by ISA is made granular and more configurable through the addition of specific caching rules. Each caching rule allows for specific types of content to be processed in different ways, depending on the needs of the administrator. By default, when caching is enabled, a default cache rule is put into place that caches objects based on default settings. Additional caching rules can be configured by clicking on the Create a Cache Rule link in the Tasks tab. Each rule created can contain the follow- ing customizations: . Source and destination networks . What types of items are retrieved and stored in the cache . HTTP caching settings, such as the Time to Live (TTL) of objects retrieved . File Transfer Protocol (FTP) caching settings . Secure Sockets Layer (SSL)–specific settings . Object size limitations Just as with firewall rules, caching rules are applied in order, from top to bottom, until a match is made. Through the creation of multiple caching rules, fine-grained control over the caching settings of the clients can be achieved. 100 CHAPTER 3 Exploring ISA Server 2006 Tools and Concepts Examining Content Download Jobs The final set of options available under the Cache node revolves around the capability of the ISA caching engine to automatically download content based on a defined schedule. This can be useful if specific websites need to be always up to date and quickly available to internal clients. Content download jobs can be enabled and configured via the Content Download Jobs tab in the Details pane of the Cache node. When configuring this setting up via the Schedule a Content Download Job link in the Tasks tab, two changes must be made to the configuration. These changes, shown in the dialog box in Figure 3.33, are to allow the Local Host to listen for web proxy requests via a rule, and enabling a special system policy rule. After these settings are automatically configured, specific content download jobs can be created. Content download jobs can be scheduled weekly, daily, hourly, or only once, as needed. They also can be configured to browse and download the content of only a single URL page on the Internet, or to follow a certain number of links “deep” from the page that is being accessed. CAUTION Care should be taken to not configure content download jobs to be too aggressive because they can consume exponential amounts of bandwidth, depending on the depth of the links that will be followed. For example, a simple page with five links on it, and five links on its subpages, would access only six total pages if the content download job were to be configured to scour pages one link deep. If the job were changed to two links deep, however, a total of 31 pages would need to be accessed. This could pose a serious drain on the Internet bandwidth available if not configured properly. Configuring Add-Ins One of the biggest advantages to ISA Server 2006 is its ability to have its base application- filtering engine easily extended with third-party add-in functionality. This makes ISA a strong candidate for software to provide advanced web filtering, anti-virus applications, intrusion detection filters, and additional VPN capabilities. FIGURE 3.33 Enabling content download jobs. 101 3 Configuring Add-Ins All the add-ins to ISA Server, including the default add-ins that are installed with ISA itself, can be viewed from within the Add-ins node of the console tree, as shown in Figure 3.34. This section takes a high-level look at the add-in options available in the Add-ins node of the ISA Console. Additional information on specific add-ins can be found in Part III of this book, “Securing Servers and Services with ISA Server 2006.” Exploring Application Filters Application filters in ISA were specifically created to examine the traffic being passed through the server and make sure that it is not simply a piggy-backed exploit or attack. Each application filter contains language specific to the protocol it is filtering, so it can identify and block traffic that does not comply with the proper use of the protocol. The following application filters are configured by default in ISA Server 2006: . DNS filter . FTP Access filter . H.323 filter . MMS filter . PNM filter . POP Intrusion Detection filter . PPTP filter FIGURE 3.34 Examining the Add-ins node of the ISA Console. 102 CHAPTER 3 Exploring ISA Server 2006 Tools and Concepts . RPC filter . RTSP filter . SMTP filter . SOCKS V4 filter . Web Proxy filter Examining Web Filters In addition to the default application filters available with ISA Server 2006, a series of web filters is also installed that extends the capability of ISA to scan incoming web (HTTP) packets. These web filters, shown in Figure 3.35, allow for advanced HTTP filtering capa- bilities, such as the capability to secure Outlook Web Access (OWA) traffic, or the capabil- ity to perform Link Translation. The web filters in ISA are accessible via the Web Filters tab in the Details pane of the Add- ins node. For more specific information on using web filters, refer to Chapter 14, “Securing Web (HTTP) and SharePoint Site Traffic.” FIGURE 3.35 Viewing web filters in the Add-ins node. 103 3 Exploring the ISA General Node Exploring the ISA General Node Any of the settings that were not explicitly defined in the other nodes of the ISA console were placed together in the General node. The General node, shown in Figure 3.36, contains several links to key functionality that are not found anywhere else, and is there- fore important to explore. Delegating ISA Administration The first link listed under the ISA General node is the Administration Delegation link. This link makes it possible to enable other administrators within an organization to monitor and/or administer the ISA Server Console. The delegation process is streamlined through the use of a wizard, which leads administrators through the entire process. To allow an individual or a group of users to administer the ISA Server system, perform the following steps: 1. Open the ISA Server Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management). 2. From the console tree, select the General tab by clicking on it. FIGURE 3.36 Exploring the General node in the ISA Console. 104 CHAPTER 3 Exploring ISA Server 2006 Tools and Concepts 3. In the Details pane, click the Assign Administrative Roles link. 4. In the Delegate Control dialog box, click the Add button to add a group or user. 5. In the Administration Delegation dialog box, enter the name of the group or user that will be added, similar to the example shown in Figure 3.37. Users or groups can be local accounts, or they can be domain accounts if the ISA server is joined to an Active Directory domain. Under the Role field in this dialog box, three types of administrators are available to choose from, each with its own varying level of permissions and abilities. The three types are as follows: . ISA Server Monitoring Auditor—Members of this role can view the ISA monitoring console and items such as the Dashboard but cannot configure any of the settings. . ISA Server Auditor—Members of this role can monitor ISA and are also capable of customizing monitoring components. All other ISA configuration components are listed as read-only for members of this role. . ISA Server Full Administrator—A Full Administrator can configure and change any ISA Server components. To complete the Admin role assignment, do the following: 1. Choose the role of the administrator to be added using the criteria already outlined. Click OK when finished. 2. Click the Add button and repeat the procedure for any additional groups or users that will be added. 3. After returning to the dialog box, as shown in Figure 3.38, review the addition(s) and click OK to finish. FIGURE 3.37 Delegating ISA administration. 105 3 Exploring the ISA General Node 4. Click the Apply button at the top of the Details pane. 5. Click OK at the confirmation dialog box. Configuring Firewall Chaining Firewall chaining is an additional option that can be configured via the General node. With firewall chaining, multiple ISA servers can be configured to forward client requests to upstream ISA servers. This enables them to be routed to “parent” ISA servers, for the purposes of directing the flow of traffic from one network to another. Firewall chaining settings can be set up by clicking the Configure Firewall Chaining link in the Details pane. Defining Firewall Client Parameters The full-featured Firewall client, available as an option for ISA implementations, allows for customized user-based policies and application-specific filtering using Winsock-compatible applications. Specific Firewall client settings are available in the General node of the ISA Server Console by clicking on the Define Firewall Client Settings link. These settings allow for options such as whether or not downlevel (ISA 2000) client connections will be allowed and what type of Winsock applications to support through the Firewall client, as shown in Figure 3.39. For additional information on using the Firewall client, see Chapter 11. FIGURE 3.38 Specifying groups to be added as ISA administrators. [...]... ISA environment is configured is akin to giving the war plans to an enemy army in advance of a battle Migrating from ISA Server 2000/2004 to ISA Server 2006 Part of an ISA design process involves examining existing ISA deployments and migrating those servers to ISA Server 2006 Fortunately, Microsoft provides for a robust and straightforward set of tools to migrate existing ISA 2000 servers to ISA Server. .. a full ISA Server 2006 deployment with multiple arrays of ISA Enterprise Edition servers running on robust multi-processor systems Migrating from ISA Server 2000/2004 to ISA Server 2006 117 can end up being quite expensive, most ISA deployments are actually quite low cost, particularly when they are compared to similar solutions A single-processor ISA Server 2006 Standard system running on server hardware,... an ISA Server 2006 Environment perspective, it is important to first understand the functional differences between ISA 2000, ISA 2004, and ISA Server 2006, so that the design can take them into account Exploring Differences Between ISA 2000 and ISA Server 2004 /2006 ISA 2000 was a very capable product that provided for a great deal of firewall and proxy capabilities Compared to the features of ISA Server. .. enhancements to server publishing for services such as OWA, websites, SharePoint, FTP sites, and other firewall rules have been included Migrating ISA 2000 to ISA Server 2006 There is no direct upgrade path for ISA 2000 systems to ISA 2006 The only supported method of upgrading an existing ISA 2000 server to ISA 2006 is by migrating the server s settings to ISA 2004, and then migrating from 2004 to 2006 This... this type of ISA 2000 migration to ISA Server 2004, perform the following steps: NOTE To upgrade the Standard version of ISA 2000, the Standard version CD for ISA Server 2006 must be used Likewise, to upgrade from the Enterprise version of ISA 2000, the ISA Server 2006 Enterprise CD must be used If the intent is to upgrade between different versions (that is, ISA 2000 Standard to ISA Server 2006 Enterprise),... to an ISA Server 2004 system FIGURE 4.2 Viewing the export XML file for ISA Server 2004 After the XML file has been physically made accessible from the new server, it can then be imported via the following process: 1 On the ISA Server 2004 system, open the ISA Console Migrating from ISA Server 2000/2004 to ISA Server 2006 121 2 Right-click the server name in the Scope pane and click on Import 3 When... rules and settings from 2004 to 2006 In addition, any SSL certificates that are installed on the old 2004 server must be transferred and installed on the 2006 server as well Migrating from ISA Server 2000/2004 to ISA Server 2006 1 23 To export the configuration from an ISA 2004 server, perform the following steps: 1 From the ISA Server 2004 Management Console, click on the server name in the scope pane... option for ISA Server 2004 is to run the ISA Server Migration tool to export out the settings of an ISA 2000 server to an XML file, which can then be imported on another newly installed ISA Server 2004 system running on Windows Server 20 03 This option allows for the creation of a brand-new ISA server from scratch, without any of the configuration or operating system problems of the ISA 2000 server To... Designing ISA Server 2006 for Organizations of Varying Sizes 129 The ISA design that CompanyABC deployed, illustrated in Figure 4.6, incorporates a single ISA Server 2006 Standard server as the edge firewall for the organization ISA Server Internet Wireless Access Network VPN Access VPN Access Internal Nework 4 Active Directory Server Exchange Mailbox Server Company Web Server FIGURE 4.6 Examining an ISA. .. Migrating from ISA 2004 to ISA 2006 The migration path between ISA Server 2004 and ISA Server 2006 is more straightforward than the one between ISA 2000 and ISA 2004, but there are still several key factors that need to be taken into account Just as with the ISA 2000–2004 upgrade, it is highly recommended to build a new server and then export and import the rules configuration from the old server, rather . Preparing for an ISA Server 2006 Design . Migrating from ISA Server 2000/2004 to ISA Server 2006 . Determining the Number and Placement of ISA Servers . Prototyping a Test ISA Server Deployment in ISA Server 2006: . DNS filter . FTP Access filter . H .32 3 filter . MMS filter . PNM filter . POP Intrusion Detection filter . PPTP filter FIGURE 3. 34 Examining the Add-ins node of the ISA. of users to administer the ISA Server system, perform the following steps: 1. Open the ISA Server Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management). 2. From