The Best Damn Firewall Book Period, part 8

Managing ISA Server • Chapter 24 897

You can view a report by double-clicking it in the right detail pane (see Figure 24.21). You will learn how to configure alerting, logging, and reporting later in this chapter, in the "Using Monitoring, Alerting, Logging, and Reporting Functions" section.

The next object in the console tree is the Computers folder, which contains an object for each computer that belongs to the array. By double-clicking a computer object in the right detail pane, you can display its Properties sheet, as shown in Figure 24.22.

NOTE: Although the ISA Management Console allows you to change the name of an array, it does not support changing the name of an ISA Server computer.

Figure 24.21 You Can View Reports by Double-Clicking the Report Name in the Right Detail Pane

Figure 24.22 Access the Properties Sheet for Each Array Member through the Computers Folder

www.syngress.com
252_BDFW_ch24.qxd 9/18/03 6:12 PM Page 897

In addition to general information such as the version number of ISA Server that is installed, the product ID, the date the ISA server was created, the installation directory path, and the domain controller, the Properties sheet has a tab labeled Array Membership. This tab shows the IP address used for intra-array communication and lets you specify the load factor for the server, which indicates its relative availability for caching in comparison to the other servers in the array. You can increase or decrease the share of cached content routed to a particular ISA server by raising or lowering the value in the load factor field. By default, this value is set to 100.

NOTE: The intra-array IP address is typically the same address used by downstream clients and ISA servers to communicate with the server. Microsoft recommends that you not change this value, because it has to be replicated to all the other servers in the array.
However, if you do need to change the address, you can do so by typing the new IP address into the box on the Array Membership tab. The address you use for intra-array communication must listen for requests on the same port as the address configured to listen for incoming Web requests; otherwise, CARP will not function for incoming Web requests. This means you should set the incoming Web request properties for the array so that the same listener configuration is used for all IP addresses.

Continuing down the console tree, you will find the Access Policy object, which has three subfolders:

■ Site and Content Rules
■ Protocol Rules
■ IP Packet Filters

If you have an array, you can create access policies at the enterprise level, the array level, or both. If the enterprise policy settings are configured to use enterprise policy only, you cannot add new rules at the array level. Conversely, if the settings are configured to use array policy only, no enterprise policy is applied to the array. If the enterprise administrator has configured the settings for combined enterprise and array policy, the array policy is added to the enterprise policy, with the enterprise policy taking precedence so that restrictions imposed by the enterprise policy always apply. You can impose additional restrictions with the array policy but, as discussed previously, you cannot set an array policy that is less restrictive than the enterprise policy. If you configure the settings to use enterprise policies only, you will not be able to use array policies without reinstalling ISA Server.
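The enterprise/array combination described above can be stated precisely: in combined mode a request has to pass both tiers, so an array-level allow can never loosen an enterprise-level deny, while an array-level deny does add a restriction. The following is an added example, not code from the book or from ISA Server; the rule format, the fnmatch-style site patterns, the "deny wins, then an explicit allow is required" evaluation within a tier and the sample policy are all assumptions made for illustration (the real product evaluates site and content rules, protocol rules and packet filters as separate objects).

```python
"""Added example (not from the book or from ISA Server): a small model of how
ISA Server 2000 combines enterprise-level and array-level access policy.
Rule format, pattern syntax and evaluation order are assumptions chosen to
illustrate the text, not the product's actual implementation."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    site: str      # fnmatch pattern over the destination host, e.g. "*.example"
    protocol: str  # "http", "ftp", ... or "*" for any protocol


@dataclass(frozen=True)
class Request:
    host: str
    protocol: str


def tier_allows(rules, req):
    """One tier (enterprise or array): a matching deny rule wins, otherwise an
    explicit allow is required. With no matching rule the tier denies, which
    mirrors ISA's default of denying what no rule permits."""
    matches = [r for r in rules
               if fnmatch(req.host, r.site) and r.protocol in ("*", req.protocol)]
    if any(r.action == "deny" for r in matches):
        return False
    return any(r.action == "allow" for r in matches)


def policy_allows(req, enterprise_rules, array_rules, mode):
    """mode is 'enterprise_only', 'array_only' or 'combined'.
    In combined mode the array policy can only add restrictions: the request
    must pass both tiers, so an array allow never overrides an enterprise deny."""
    if mode == "enterprise_only":
        return tier_allows(enterprise_rules, req)
    if mode == "array_only":
        return tier_allows(array_rules, req)
    if mode == "combined":
        return tier_allows(enterprise_rules, req) and tier_allows(array_rules, req)
    raise ValueError(f"unknown policy mode: {mode}")


# Constructed sample policy (hypothetical hosts). The enterprise admin denies
# a file-sharing site outright and allows HTTP and FTP elsewhere; the array
# admin adds an allow for that site (which cannot take effect) and denies FTP
# for this array (which does).
ENTERPRISE = [
    Rule("deny", "*.filesharing.example", "*"),
    Rule("allow", "*", "http"),
    Rule("allow", "*", "ftp"),
]
ARRAY = [
    Rule("allow", "*.filesharing.example", "http"),  # cannot loosen the enterprise deny
    Rule("allow", "*", "http"),
    Rule("deny", "*", "ftp"),                        # extra restriction: takes effect
]

if __name__ == "__main__":
    for req in (Request("www.filesharing.example", "http"),
                Request("ftp.vendor.example", "ftp"),
                Request("www.news.example", "http")):
        for mode in ("enterprise_only", "array_only", "combined"):
            print(f"{req.protocol}://{req.host} [{mode}] ->",
                  "allow" if policy_allows(req, ENTERPRISE, ARRAY, mode) else "deny")
```

Run it and compare the three modes for the file-sharing host: array-only would allow it, enterprise-only and combined deny it, which is exactly the "enterprise restrictions always apply" behaviour the text describes.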
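Stepping back to the Array Membership tab: the load factor only makes sense together with CARP, which hashes each URL to one array member so that a given page is cached once rather than on every server. The block below is an added example, not ISA Server's code and not the hash functions or load-factor arithmetic of the CARP draft; it substitutes a weighted rendezvous hash (SHA-256 based) that preserves the two properties the text relies on: each member's share of URLs is proportional to its load factor, and changing one member's factor or removing it only moves the URLs that hashed to that member. Member names isa1 to isa3 and the URL list are constructed for the example.

```python
"""Added example (not ISA Server's code): a weighted rendezvous-hash model of
how a CARP load factor steers cached URLs to array members. The real CARP
hash and load-factor formulas are not reproduced; this substitute keeps the
properties the text relies on (proportional share, minimal disruption)."""
import hashlib
import math
from collections import Counter


def _unit_hash(key: str) -> float:
    """Deterministic hash of key into the open interval (0, 1)."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return (int.from_bytes(digest[:8], "big") + 0.5) / 2 ** 64


def select_member(url: str, load_factors: dict) -> str:
    """Pick the array member that should cache url.
    load_factors maps member name -> load factor (ISA's default is 100).
    A member with factor 0 is never selected."""
    best, best_score = None, math.inf
    for member, factor in load_factors.items():
        if factor <= 0:
            continue
        # -ln(u) for uniform u is exponentially distributed with rate 1;
        # dividing by the factor gives rate 'factor', so the minimum lands on
        # each member with probability factor / sum(factors).
        score = -math.log(_unit_hash(f"{member}|{url}")) / factor
        if score < best_score:
            best, best_score = member, score
    return best


def distribution(urls, load_factors: dict) -> dict:
    """Fraction of urls routed to each member."""
    counts = Counter(select_member(u, load_factors) for u in urls)
    return {m: counts[m] / len(urls) for m in load_factors}


def moved_urls(urls, before: dict, after: dict):
    """URLs whose member changes between two load-factor configurations."""
    return [u for u in urls if select_member(u, before) != select_member(u, after)]


# Constructed sample: 3000 distinct URLs and a three-member array in which
# isa3 is given double the default load factor.
SAMPLE_URLS = [f"http://www.example.com/news/{i}.html" for i in range(3000)]
EQUAL = {"isa1": 100, "isa2": 100, "isa3": 100}
WEIGHTED = {"isa1": 100, "isa2": 100, "isa3": 200}

if __name__ == "__main__":
    print("equal factors:   ", distribution(SAMPLE_URLS, EQUAL))
    print("isa3 at 200:     ", distribution(SAMPLE_URLS, WEIGHTED))
    moved = moved_urls(SAMPLE_URLS, WEIGHTED, {"isa1": 100, "isa2": 100})
    print("URLs moved when isa3 is removed:", len(moved))
```

With isa3 at 200, it receives about half the URLs and the other two about a quarter each; removing isa3 moves only the URLs it owned, which is why a load factor change is cheap for the rest of the array but must be replicated consistently to every member (as the note about the intra-array address warns).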
The next object in the tree is the Publishing object, containing two folders:

■ Web Publishing Rules
■ Server Publishing Rules

You can create a new rule of either type by right-clicking the appropriate folder and selecting New from the context menu. This action invokes a wizard (see Figure 24.23), which walks you through the steps required to create the new rule.

The Bandwidth Rules object is the next element in the console tree. Bandwidth rules let you specify which connections have priority over other connections.

NOTE: Don't confuse bandwidth priority rules with bandwidth limitation. ISA Server bandwidth rules do not limit the amount of bandwidth a connection can use; they specify how the QoS packet-scheduling service should prioritize the use of multiple network connections.

As with the creation of other rules, a New Bandwidth Rule Wizard assists you in creating bandwidth rules.

Policy Elements come next in our journey down the left console pane. You will recognize most of these as the same policy elements available under the Enterprise object. However, there are two additional folders here: the Bandwidth Priorities element and the Dial-up Entries element.

Moving down the tree, we come to the Cache Configuration object. You will find two subfolders here:

■ Scheduled Content Download
■ Drives

The scheduled content service is w3prefetch, which lets you configure ISA to download content into the cache from specific URLs at specified times. This prefetching of regularly accessed pages speeds your users' access because the pages are already in the cache when users attempt to access them. For example, if users visit a particular news site daily, you could configure a scheduled download to occur every day so that the content in the cache is updated each day.
Figure 24.23 New Web Publishing or Server Publishing Rules Are Created with a Wizard

WARNING: You cannot schedule a content download job if the Web server on which the Web objects reside requires client authentication. The job will fail because the Web server cannot authenticate the ISA server.

You create scheduled content jobs by right-clicking the Scheduled Content Download folder and selecting New | Job, which invokes another wizard. After giving the job a name, you can set the date and time to start the download and specify whether to download the content just once, daily, or weekly on a specified day of the week. You can choose the URL from which the content should be downloaded and whether to download only content from the URL's domain, not from sites to which it is linked. You also have the option of caching dynamic content even when the HTTP cache-control headers indicate that it is not cacheable. Use that option with care: it overrides the origin server's own freshness decisions, so pages the server marked non-cacheable (because they change per request or per user) will be served from the ISA cache anyway. You can limit the depth of links to be cached as well; by default, there is no limit. You can also set a limit on the total number of objects to be cached, up to a maximum of 99,999.

When you have finished providing the information for the wizard, a summary of your selections is presented, as shown in Figure 24.24. The job is then displayed in the right detail pane along with the other scheduled jobs, as shown in Figure 24.25.

The Drives folder displays the NTFS logical drives on the ISA servers in the array, provides information on the total amount of disk space and the amount of free space on each drive, and allows you to set a limit on the cache size, in megabytes, for each drive. Right-click the drive in the right detail pane to access the Properties sheet shown in Figure 24.26.
Figure 24.24 The Scheduled Content Download Wizard Makes It Easy to Create a Job to Automatically Update the Cache of Specified URLs

Figure 24.25 Scheduled Content Download Jobs Appear in the Right Pane When the Folder Is Selected

Figure 24.26 Configure the Amount of Disk Space on Each NTFS Drive to Be Allocated to the ISA Cache

Continuing to move down the left console tree, you will see the Monitoring Configuration object, which holds folders for Alerts, Logs, and Report Jobs. Later in this chapter, in the "Using Monitoring, Alerting, Logging, and Reporting Functions" section, you will learn how to use each of these objects.

The next item in the tree is an object labeled Extensions. Extensions are filters that provide additional functionality for filtering applications and Web requests; accordingly, there are two types of filters: application filters and Web filters. Several filters of each type are installed with ISA Server, but additional filters can be developed by third parties for use with ISA Server.

The Network Configuration object is used to set up a local or remote ISA VPN server and to allow VPN client connections. These setups are done with a series of wizards that make it easy to configure ISA VPNs. There are three subfolders under Network Configuration:

■ Routing Used to create and configure routing rules (using the Routing Rule Wizard).
■ Local Address Table (LAT) Used to construct a local address table and to add entries to the existing LAT.
■ Local Domain Table (LDT) Used to add new entries to the LDT.

Routing rules determine where Web proxy client requests are sent and apply to both incoming and outgoing Web requests. The local address table keeps track of the internal IP address ranges in use on the LAN behind the ISA server.
ISA uses the LAT to control communication between internal computers and those on external networks; the LAT is automatically downloaded to firewall clients, whose copies are periodically updated. The local domain table lists all domain names in the internal network behind the ISA server and is used by firewall clients to differentiate between internal and external names. Clients use the LDT to determine whether to send a name resolution request to ISA Server, which resolves the name on their behalf for an external resource, or to perform name resolution themselves for a local resource.

NOTE: The LDT is not used by SecureNAT clients, which resolve both internal and external names via DNS and thus must have access to DNS servers.

As we move down the console tree, we next encounter the Client Configuration object. As shown in Figure 24.27, there are two configuration objects in the right detail pane: Web Browser and Firewall Client. By double-clicking the configuration object name, you can access its Properties sheet, allowing you to view or change settings.

The Web Browser Properties sheet allows you to choose whether to configure the Web browser during firewall client setup and whether to use automatic discovery and configuration. You can also choose to have the client bypass the proxy for local servers and/or directly access computers specified in the LDT, and you can specify the IP addresses, domain names, or computer names of specific computers that you want the client to be able to access directly, without going through ISA. You can also configure a backup route, designating how clients should access the Internet if the ISA server is unavailable.

Figure 24.27 The Two Client Configuration Objects: Web Browser and Firewall Client

NOTE: Like most firewalls, ISA Server is the gatekeeper for network traffic. You need to define what is trusted and what is not trusted to pass through the ISA server.
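The LAT, the LDT and the browser's direct-access list described above all feed one decision on the client: is this destination internal (resolve it locally and connect directly) or external (hand it, name unresolved, to the ISA server)? The block below is an added example, not the ISA firewall client's code; the matching rules (CIDR ranges for the LAT, exact names or "*." wildcard entries for the LDT, case-insensitive comparison) and the sample tables are assumptions made for illustration, since the book states only what each table is used for. It also shows the failure mode that matters for security: an internal host name that is missing from the LDT is not recognised as local, so the client sends it to ISA, which resolves it as if it were external.

```python
"""Added example (not the ISA firewall client's code): how a client decides,
from the LAT, the LDT and the browser's direct-access list, whether a
destination is internal or should be sent to ISA. Matching rules and the
sample tables are assumptions for this illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientTables:
    lat: list = field(default_factory=list)            # internal address ranges (CIDR)
    ldt: list = field(default_factory=list)            # internal domain names
    direct_access: list = field(default_factory=list)  # browser bypass list
    securenat: bool = False                             # SecureNAT clients ignore the LDT

    def _in_lat(self, ip) -> bool:
        return any(ip in ipaddress.ip_network(r, strict=False) for r in self.lat)

    def _in_ldt(self, name: str) -> bool:
        """Assumed LDT semantics: an exact host name, or '*.domain' which
        matches any host under the domain as well as the domain itself."""
        for entry in (e.lower() for e in self.ldt):
            if entry.startswith("*.") and (name.endswith(entry[1:]) or name == entry[2:]):
                return True
            if name == entry:
                return True
        return False

    def route(self, destination: str) -> str:
        """Return 'direct' or 'via-isa' for a host name or an IP address."""
        d = destination.lower()
        if d in (x.lower() for x in self.direct_access):
            return "direct"
        try:
            ip = ipaddress.ip_address(d)
        except ValueError:
            ip = None
        if ip is not None:
            # For a SecureNAT client the same decision is really made by its
            # routing table; the LAT ranges stand in for that here.
            return "direct" if self._in_lat(ip) else "via-isa"
        # A name: only the LDT can tell an internal name from an external one.
        if not self.securenat and self._in_ldt(d):
            return "direct"   # client resolves the name itself
        return "via-isa"      # ISA resolves the name and proxies the request


# Constructed sample tables (hypothetical network).
SAMPLE = ClientTables(
    lat=["10.0.0.0/8", "192.168.1.0/24"],
    ldt=["*.corp.example", "intranet"],
    direct_access=["printserver"],
)
SECURENAT = ClientTables(lat=SAMPLE.lat, ldt=SAMPLE.ldt, securenat=True)

if __name__ == "__main__":
    for dest in ("10.1.2.3", "203.0.113.5", "mail.corp.example", "INTRANET",
                 "www.corp.example.com", "fileserver", "printserver"):
        print(f"{dest:24} firewall client: {SAMPLE.route(dest):8} "
              f"SecureNAT: {SECURENAT.route(dest)}")
```

Note what happens to "fileserver" (an internal host missing from the LDT) and to "www.corp.example.com" (an external name that merely resembles an internal one): the first is sent to ISA even though it is local, the second is correctly treated as external. Keeping the LDT complete and its wildcard entries tight is what prevents both leaks and mis-routing.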
The LAT and LDT are where that definition of "internal" lives: they tell ISA and its firewall clients which addresses and names are local, and access policy then governs what may pass between the two sides.

The Properties sheet for the firewall client is less complex. It allows you to specify whether the firewall client will connect to the ISA computer or array by name or by IP address (and enter the DNS name or IP address of the ISA server to be used), and you can enable or disable autodiscovery in the firewall client. The Application Settings tab is used to add client configuration information for specific applications, if necessary.

NOTE: The default firewall client configuration works for the majority of Winsock applications, but in some cases custom client configuration information needs to be stored in the Mspclnt.ini or Wspcfg.ini file.

The H.323 Gatekeepers Object

The last second-level object in the console tree is the H.323 Gatekeepers object. By right-clicking this object, you can add a gatekeeper computer (either on the local machine or on a remote computer identified by fully qualified domain name) and view and configure active terminals, active calls, and call routing (see Figure 24.28).

Figure 24.28 Add and Configure H.323 Gatekeepers Via the Last Second-Level Object in the Console Tree

The H.323 Gatekeeper is used to allow clients to use NetMeeting and other H.323-compliant applications through the ISA server. The clients register a well-known alias (typically an e-mail address) with the gatekeeper, which allows others to contact them. The gatekeeper provides directory services and call routing for registered clients. All inbound calls to a well-known alias via these programs require registration with the gatekeeper. Outbound calls require clients to be registered only if they are using translation services; other outbound calls can be made without using the gatekeeper.
Understanding the H.32X Series Standards

The H.323 ITU standard for audio, video, and data communication across IP networks that do not provide QoS is part of a series of standards that work together to enable videoconferencing across disparate networks. The series is known collectively as the H.32X standards. H.320 provides specifications for using ISDN, and H.324 addresses the Public Switched Telephone Network (PSTN), also referred to in the industry as POTS, or plain old telephone service.

H.323 applies to both voice-only and full audio/videoconferencing. An advantage of the H.323 standard is that it allows communication over existing IP-based networks without any modification to the network infrastructure. H.323 supports management of network bandwidth, allowing administrators to restrict the amount of bandwidth that can be used for conferencing or to specify a maximum number of H.323 connections active on the network at any one time. H.323's support for multicasting also decreases bandwidth requirements. Platform independence means that users can communicate with one another using a variety of hardware platforms and operating systems.

The H.323 standard designates four major elements: terminals, gateways, gatekeepers, and multipoint control units (MCUs). The terminal is the endpoint for real-time two-way communication with another terminal, a gateway, or an MCU. H.323 terminals must also support H.245, which negotiates channel usage and capabilities. Gateways provide translation functions between H.323 endpoints and other types of terminals. Gateways are optional components; if both endpoints are on the same LAN, they are not needed. Gatekeepers function as the central point for call control services to registered endpoints in their zones. Gatekeepers provide address translation from terminal or gateway aliases to IP addresses. Gatekeepers can also manage bandwidth and route H.323 calls.
A gatekeeper's zone refers to all the terminals, gateways, and MCUs that are managed by that gatekeeper. An MCU enables conferencing between multiple (three or more) endpoints, as opposed to simple one-to-one communication. The MCU is made up of two components: the multipoint controller (MC) and the multipoint processor (MP).

ISA Wizards

Following in the footsteps of Windows 2000, ISA Server provides a variety of wizards to assist you in setting up services, configuring features, and performing other common tasks. A wizard is a series of "friendly" dialog boxes that walk you through a process in a step-by-step fashion.

The Getting Started Wizard

The Getting Started Wizard is available when you start ISA Server after installing the ISA software. The wizard is designed to help you configure your initial array and enterprise policies. Its steps include:

■ Configuring enterprise policy settings and enterprise-level policy elements, protocol rules, and site and content rules (if you have installed an array rather than a stand-alone ISA server)
■ Creating array-level policy elements, protocol rules, and site and content rules
■ Setting the system security level
■ Configuring packet filtering
■ Configuring routing and chaining
■ Creating a cache policy

Rules Wizards

After ISA Server is installed, you can create and configure new rules (routing rules, protocol rules, site and content rules) using the Rules wizards, which are invoked when you right-click the rule type under Access Policy or Network Configuration and select New | Rule. One of the handiest aspects of the ISA wizards is the screen that appears after you finish entering the information requested by the wizard. This page summarizes the information you have entered, so you can double-check it for accuracy before you click Finish to actually complete the process (see Figure 24.29).
These rules wizards make it easy to create a new rule, but you can change the properties of the rule later through the rule's Properties sheet; double-click the rule in the right detail pane to open it.

Figure 24.29 The ISA Wizards Allow You to Check the Information Entered for Accuracy Before You Click Finish

VPN Wizards

ISA includes three wizards to help you perform tasks related to setting up VPN connections:

■ The Local ISA VPN Wizard Used to configure the ISA server that will receive inbound VPN connections (the VPN server) or to set up the local ISA server to initiate VPN connections.
■ The Remote ISA VPN Wizard Used to set up a remote ISA server to initiate or receive connections.
■ The Set Up Clients to ISA Server VPN Wizard Enables roaming clients to connect to a VPN server.

Performing Common Management Tasks

In this section, we look at some common management tasks. These include setting enterprise policies and special object permissions, as well as managing arrays. It is important that your firewall's security policies are implemented properly; in ISA Server, they are defined in the enterprise policy and the enterprise policy settings.

Configuring Object Permissions

ISA Server uses Windows 2000 discretionary access control lists (DACLs) to control access to objects and object properties. With Windows 2000, access is granted on a granular basis and can be granted to individual users or to groups (Microsoft's recommended approach). The ISA Server objects for which you configure permissions are:

■ Enterprise policy settings
■ Enterprise policies
■ Arrays
■ Alerts
■ Sessions
■ The gatekeeper

Default Permissions

Depending on the type of object, certain permissions are assigned by default. You can view or change the object permissions by right-clicking the object, selecting Properties, and selecting the Security tab, as shown in Figure 24.30.
The example in Figure 24.30 shows the permission settings for the Array object. By default, the Administrator, Domain Admins, Enterprise Admins, and System accounts have full control, and the Authenticated Users group has read access. Read access is enough to browse the array's rules and policy elements, so consider whether every authenticated user needs it. You can change the permissions or add other groups or individual user accounts in the same way you configure any NTFS permissions in Windows 2000.

[...]

... of the Properties sheet, shown in Figure 24.42. You also need to configure the Schedule tab, as shown in the next section, if you want the report to be generated on a recurring basis.

Figure 24.42 Configure the Reporting Interval by Selecting the Period Tab on the Properties Sheet

The report period configuration determines the period each report covers. The Daily option generates a report that covers the ...

... Viewing Alerts That Occurred on the ISA Server or Array

You will see, displayed in the detail pane, the server on which each event occurred, the alert type, the date and time of first occurrence, and a description of the event. Remember that this is where you view the alerts; they are configured using the Alerts object under the Monitoring Configuration object, further down in the tree.

Creating and Configuring ...

... Provide the Appropriate Credentials to Run a Report Job on a Report Computer or Array

To provide credentials for running the report job, enter the user account name (or browse for it in the directory by clicking the Browse button), the domain name to which the user account belongs, and the password on the Credentials tab of the Properties box shown in Figure 24.45.

NOTE: The user account must have the proper ...
... Appears in the Right Detail Pane

The following information about each report job will be displayed:

■ The name of the job
■ The scheduled start date and time
■ The next run time (if it is a recurring job)
■ The ready status
■ The result of the last attempt to run the job

NOTE: When you select a start time other than "Immediately" ...

... HTM, you access the report from the applicable report type folder; to save as XLS, you access the report from the Reports folder. Either way, you will be asked to select a location in which to save the file and to enter a filename (the default filename is the name of the report displayed in the right detail pane).

NOTE: In order to save the report in XLS format, you must have Excel installed on the ISA server ...

... available in the ISA Server Help files (in the Help Index, search for Alerts, Alert event messages (list)).

Monitoring Sessions

You can view the sessions that are active by selecting the Sessions object in the left console pane of the ISA MMC; information about current sessions will appear in the right detail pane, as shown in Figure 24.38. The Sessions display can be refreshed, or the refresh rate set, in the ...

... can access the Options configuration sheet by clicking the Options button. This allows you to specify the following:

■ Log file location The default location is the ISALogs folder in the ISA Server installation folder, but you can type in the path or browse to another folder in which you want to save the log file.
■ Compress log files Compression is enabled by default.
■ Limit the number of log files The default ...
Reports

The reports themselves are accessed via the Reports folder under the Monitoring object near the top of the left console tree, as shown in Figure 24.47.

Figure 24.47 The Reports That Have Been Generated Are Accessed from the Reports Folder

Note that all reports appear in the right detail pane when you select the Reports folder. You also see five categories of predefined reports sorted into the following ...

... account name and password. Otherwise, you must run the program in the context of the system account. If you elect to stop or start selected ISA Server services, you will be prompted to select the services that should be stopped or started. You can choose from one or more of the following: the firewall service, the scheduled content download, or the Web proxy service.

Refreshing the Display

The Alerts display is ...

... session via the ISA Management Console. First, you must ensure that the Advanced option is checked in the View menu (by default, it is not). To disconnect a session, right-click the session in the detail pane, and then from the context menu select Abort Session. This action disconnects the selected session, with no warning or notification to the client.

Posted: 13/08/2014, 15:21
