391 Publishing and Customizing Web Server Publishing Rules FIGURE 14.8 Examining the Traffic tab on an ISA web publishing rule. . Maximum ULR Length . Maximum Query Length . Verify Normalization . Block High Bit Characters . Block Responses Containing Windows Executable Content Customizing Allowed Methods In addition to these options, the filter definitions also enable specific HTTP methods (such as GET and POST) to be allowed in the particular rule. If specific HTTP methods are restricted, a web server can be made even more secure because many of the exploits take advantage of little-used HTTP methods to gain control of a system. To restrict by a specific HTTP method, perform the following steps while in the Methods tab: 1. Under Specify the Action Taken for HTTP Methods, use the drop-down box to specify to Allow Only Specific Methods. 2. Click the Add button. 392 CHAPTER 14 Securing Web (HTTP) Traffic 3. Enter a name for the HTTP method that will be allowed. For example, enter GET (the method is case-sensitive) and click OK. 4. From the dialog box shown in Figure 14.9, click OK to save the changes. Customizing Extensions The Extensions tab of the Filtering Rules setting allows only specific types of message attachments to be displayed, such as .mpg files, .exe files, or any other ones defined in this rule. It also allows for the reverse, where all attachments except for specific defined ones are. To accomplish this, choose the option Block Specified Extensions (Allow All Others). For additional security, the box on this page can be checked to block ambiguous or ill- defined extensions, which can pose a security risk to an ISA server. Blocking Headers Specific HTTP headers can be blocked on the Headers tab of the filter- ing options. This allows for HTTP Request headers or Response headers to be blocked, which can be useful in denying certain types of HTTP headers, such as User-Agent or Server, which define what type of HTTP traffic is being used. Restricting Signatures The Signature Restriction tab is one of the most important. It is “ground zero” for filtering of HTTP traffic to scan for specific exploits and viruses, such FIGURE 14.9 Customizing HTTP methods. 393 Publishing and Customizing Web Server Publishing Rules as the signature that is defined to block the Kazaa file-sharing application, shown in Figure 14.10. This dialog box is where the majority of the custom filters can be created and applied. Because so many applications and exploits use the HTTP port to tunnel their traffic, it is extremely useful to configure these settings to block malware, scumware, and any other applications that are not approved by the organization. This allows for blocking of signa- tures from such applications as Instant Messaging, Gnutella, Kazaa, Morpheus, and many more. For a list of signatures that can be blocked, see the following Microsoft URL: http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx NOTE Although this link applies to ISA Server 2004, the content still applies to ISA Server 2006 as well. Understanding Listener Tab Configuration Options The Listener tab of the web publishing tool, shown in Figure 14.11, allows for the customization and creation of various web listeners. A listener is an ISA construct that “listens” for requests made to a specific IP port combination. As soon as the listener FIGURE 14.10 Blocking Kazaa HTTP traffic by signature. 394 CHAPTER 14 Securing Web (HTTP) Traffic receives the traffic, it then processes that traffic back into ISA. Listeners are required for web server publishing rules, and are what enable the ISA server to act as a web server to the requesting client. The existing listener that was created in the Publishing Rule Wizard can be directly modi- fied if the rule is selected from the drop-down box and the Properties button is clicked. This allows for various settings to be applied, such as the following: . Rule name and description . Which IP address(es) the listener will listen to . Whether SSL or HTTP or both are enabled and whether traffic is redirected from HTTP to HTTPS automatically . What type(s) of authentication methods are available, such as basic, integrated, and forms-based authentication . Whether RADIUS servers are needed . Number of connections allowed and connection timeout . RSA SecureID settings as necessary FIGURE 14.11 Viewing the Listener tab settings. 395 Publishing and Customizing Web Server Publishing Rules NOTE The most important thing to remember about listeners in ISA Server 2006 is that you can have only a single listener on each IP:Port combination. In cases where additional IP addresses are not a problem, this is a relatively small issue. Viewing Public Name Options The Public Name tab on the web server publishing rule, shown in Figure 14.12, enables an administrator to dictate that the traffic to the ISA server travels with a specific public name. For example, it could be stipulated that access to a website such as www.compa- nyabc.com is granted only to requests made to that website, rather than requests to an internal server such as \\server20. If a user tries to access that site from an IP address, that request fails because the web publishing rule is allowing only traffic sent to the www. companyabc.com website in this case. When testing a rule, administrators often test via the external IP address, and are frus- trated in their efforts as ISA will block that traffic. To enable this type of scenario, the IP address must be added to the Public Name options. FIGURE 14.12 Viewing Public Name options. 396 CHAPTER 14 Securing Web (HTTP) Traffic Paths Tab Options In the Paths tab, shown in Figure 14.13, specific external paths can be mapped to different locations on a web server. For example, it may be helpful to send requests to http://www. companyabc.com to http://www.companyabc.com/public automatically. The Paths tab offers this type of functionality. To add a path to accomplish what this model illustrates, for example, do the following: 1. On the Paths tab of the web publishing rule, click the Add button. 2. Under Path Mapping, enter /public/*. 3. Under External Path, select The Following Folder and enter /*. 4. Click OK, Apply, and OK to save the changes. Exploring Authentication Delegation Options The Authentication Delegations tab of an ISA web publishing rule, shown in Figure 14.14, displays options for how the ISA server will authenticate to the web server. For anony- mous HTTP rules, it can be turned off, as shown in the diagram. For rules that require authentication, authentication can be enabled. Exploring the Application Settings Tab The Applications Settings tab, shown in Figure 14.15, allows for a custom forms-based authentication page to be enabled for the published site. The default FBA page may not be desired for the specific rule, and organizations may want their own logo displayed or additional information to be gathered in the form. This tab allows for a connection to that custom page to be made. FIGURE 14.13 Viewing the Paths tab. 397 Publishing and Customizing Web Server Publishing Rules FIGURE 14.14 Exploring authentication delegation options. FIGURE 14.15 Exploring application settings options. 398 CHAPTER 14 Securing Web (HTTP) Traffic Exploring the Bridging Tab The Bridging tab of an ISA web publishing rule, shown in Figure 14.16, gives an adminis- trator the flexibility to send HTTP and/or SSL traffic to different ports on a web server. This concept can help to support those environments that have nonstandard ports set up for their web environments. For example, an organization may have set up multiple web servers on an internal web server that has a single IP address. Rather than assign multiple IP addresses to that server, the administrators chose to set up different ports for each virtual server and each website. So, internally, users would have to point to http://site1.companyabc.com:8020 and http:/ /site2.companyabc.com:8030, and so on. The Bridging option in ISA Server 2006 enables end users to not have to enter in strange port combinations to access websites, and instead relies on the Bridging tab of the rule to direct port 80 traffic to the appropriate ports, such as port 8020 or any other defined port. Understanding the Users Tab The Users tab, shown in Figure 14.17, is typically set to All Authenticated Users for a default rule. For most inbound web publishing rules, this is the option that must be chosen for it to work properly. If using pre-authenticated VPN users or Firewall client users, however, distinctions can be made between users by groups. FIGURE 14.16 Exploring bridging concepts. 399 Publishing and Customizing Web Server Publishing Rules Outlining Schedule Tab Options The Schedule tab of a web publishing rule, shown in Figure 14.18, does not require much explanation. Using this tab, an organization can decide at exactly what times the rule will be in effect. FIGURE 14.17 Exploring Users tab options. FIGURE 14.18 Viewing the Schedule tab for the web publishing rule. 400 CHAPTER 14 Securing Web (HTTP) Traffic Configuring SSL-to-SSL Bridging for Secured Websites As previously mentioned, ISA Server 2006 allows for end-to-end SSL encryption to take place between client and ISA and ISA and Exchange and back. This ensures the integrity of the transaction, and keeps the data secure and encrypted across the entire path. To set up a scenario like this, however, a Public Key Infrastructure (PKI) must either be in place locally, or a third-party company such as Verisign or Thawte can be used to create the certificate’s infrastructure. FIGURE 14.19 Viewing the Link Translation tab for the web publishing rule. Exploring the Link Translation Tab The Link Translation tab, shown in Figure 14.19, allows for a great deal of flexibility in searching for unique bits of contents and replacing those bits of content with something else. More information on this is included in the section of this chapter titled “Securing Access to SharePoint Sites with ISA 2006.” [...]... with ISA Server Outlining Default Server Publishing Rules in ISA Server The list of protocols available by default with server publishing rules is extensive and includes the following: DNS Server Exchange RPC Server FTP Server HTTPS Server IKE Server IMAP4 Server IMAPS Server IPSec ESP Server IPSec NAT-T Server L2TP Server Microsoft SQL Server MMS Server NNTP Server NNTPS Server PNM Server. .. Server Kiev FIGURE 15.3 Using ISA Server to secure Exchange server network segments Publishing RPC Services with ISA Server 2006 ISA Server 2006 utilizes a concept of a server publishing rule to protect specific services such as RPC A server publishing rule enables a specific service on a single server to be published to the clients on a separate network For example, an Exchange server in a protected Exchange... connect to HTTP port of 63.240.93.1 38 3 4 5 6 ISA Server forwards the client’s credentials to the SharePoint server Internet 8 Internal Net 6 5 Client sees forms-based auth web page served up by ISA server, assumes it is the SharePoint server, and enters username and password 403 8 ISA server then allows the authentication HTTP traffic from the client to the SharePoint server, establishing a connection... configurations, as shown in Figure 15.2, ISA Server RPC filtering can greatly limit the risk of RPC-based attacks Publishing RPC Services with ISA Server 2006 417 Server Network ISA Firewall RPC infection outbreak stopped at ISA Server Client Network 1 Infected workstation attempts to spread RPC exploit to workstations and servers on all networks FIGURE 15.2 Using ISA Server to secure network segments If... which describe how to use ISA to filter the SSL traffic destined for the SharePoint server Use the procedures outlined earlier in this chapter to install and configure an SSL certificate on the SharePoint server Securing Access to SharePoint Sites with ISA 2006 405 NOTE ISA Server 2006 also supports SSL encryption that is not end to end, but rather terminates on the ISA server ISA can then make a connection... the difference between the ISA server and the SharePoint server itself Securing Access to SharePoint Sites with ISA 2006 1 Client on Internet attempts to connect via web browser to mail.companyabc.com 1 2 DNS Server on Internet informs client that mail.companyabc.com is the IP address 63.240.93.1 38 4 ISA Server responds to HTTP request on external interface of 63.240.93.1 38 and serves up forms-based... to the ISA Server For ISA to be able to decrypt the SSL traffic bound for the SharePoint server, ISA needs to have a copy of this SSL certificate The certificate is used by ISA to decode the SSL packets, inspect them, and then re-encrypt them and send them on to the SharePoint server itself For this certificate to be installed on the ISA server, it must first be exported from the SharePoint server, ... (HTTP, HTTPS) traffic, ISA Server can use server publishing rules, including RPC rules, only if the traffic sent between client and server flows through ISA Server This requires ISA Server to have multiple network interfaces, and for the client traffic to be routed through it, either because ISA is the default gateway or because the routing traffic is configured to flow through ISA Through these types... exploits and attacks 7 7 The SharePoint Server validates the credentials and sends the affirmative response back to the ISA server FIGURE 14.21 Explaining SharePoint site publishing with ISA Server 2006 ISA Server is also one of the few products that has the capability to secure web traffic with SSL encryption from end to end It does this by using the SharePoint server s own certificate to re-encrypt... Network 2 4 18 CHAPTER 15 Securing RPC Traffic Colorado Springs Exchange CAS (OWA) Clients Colorado Springs Email Network ISA Colorado Springs Internal Network Exchange Mailbox Server Exchange Mailbox Server Kiev Internal Network Clients Bogota Internal Network Clients Bogota Email Network Kiev Email Network ISA ISA Exchange CAS (OWA) Server Exchange Mailbox Server Bogota Exchange Mailbox Server Kiev . following Microsoft URL: http://www .microsoft. com/technet /isa/ 2004/plan/commonapplicationsignatures.mspx NOTE Although this link applies to ISA Server 2004, the content still applies to ISA Server 2006. SharePoint Server validates the credentials and sends the affirmative response back to the ISA server. 6. ISA Server forwards the client’s credentials to the SharePoint server. 4. ISA Server responds. Access to SharePoint Sites with ISA 2006 NOTE ISA Server 2006 also supports SSL encryption that is not end to end, but rather termi- nates on the ISA server. ISA can then make a connection to