Document: MCSE ISA Server 2000 - P18 (doc)


FAST FACTS
24 mcse Fast Facts 6/5/01 12:19 PM Page 483

CACHING MODE

Caching can be implemented in the following ways:

- Reverse caching
- Forward caching
- Scheduled caching
- Distributed caching
- Hierarchical caching or chaining

ISA SERVER EDITIONS

ISA Server is available in two editions. Significant differences exist between the editions (detailed in Table 7).

SUMMARY TABLE 7: DIFFERENCES BETWEEN ISA SERVER EDITIONS

| Feature | Enterprise Edition | Standard Edition |
|---|---|---|
| Distributed caching | Yes | No |
| Hierarchical caching | Yes | Yes |
| Array based policy | Yes | Yes |
| Enterprise policy | Yes | No |
| H.323 gatekeeper | Yes | Yes |
| Intrusion detection | Yes | Yes |
| Message screener | Yes | Yes |
| Web publishing | Yes | Yes |
| Server publishing | Yes | Yes |
| Active Directory integration | Yes | No |
| Firewall, Caching, or Integrated modes | Yes | Yes |
| Bandwidth control | Yes | Yes |
| Logging and reporting | Yes | Yes |
| Packet filtering | Yes | Yes |

If Active Directory integration is desired, two factors affect your planning and preinstallation activity:

- First, you must have Schema Admin and Enterprise Admin membership before you can use the ISA Server Active Directory Initialization utility.
- Second, you must wait until the schema modification replicates to all domain controllers. It is only necessary to apply the utility once in the enterprise, but it may take some time before changes are replicated throughout the forest.

POLICY

ISA Server policy is created by creating access rules. Rules are made up of policy elements. (Note that in order to allow access to the Internet, a protocol rule and a site and content rule must exist that match the client, site, and protocol.)

Default Rules

Some default rules exist:

- ICMP outbound. Allow all ICMP outbound from the ISA Server's default IP addresses on the external interface to all remote computers. (The ISA computer can send ICMP messages.)
- ICMP ping response (in). To the default IP address on the external interface from all remote computers. (The ISA Server can receive inbound ping responses.)
- ICMP source quench. From outside to the default IP addresses on the external interface. (The ISA Server receives instructions to slow its packet sending rate.)
- ICMP timeout (in). To the default IP address on the external interface from all remote computers. (The ISA Server can receive messages relating to timeouts, for example, of ping requests.)
- ICMP unreachable. To the default IP address on the external interface from all remote computers. (The ISA Server can receive notice of an unreachable address.)
- DHCP Client. Allows the external interface to act as a DHCP client. This rule is disabled by default.
- DNS filter. DNS lookup. (Requests for DNS lookup can pass.)

When multiple rules exist they are processed in the following manner:

1. First, protocol rules are examined to determine if the protocol being used is defined in one of the rules. If it is, and the protocol is allowed, not denied, processing continues.
2. Next, site and content rules are applied. Does a site and content rule exist which matches the request, and does no other site and content rule deny it? Processing continues.
3. Third, IP packet filters are checked to determine if a blocking filter exists. Is the communication protocol used blocked explicitly?
4. If all answers have been affirmative, ISA Server checks its routing rules or its firewall chaining setup to find out how the message should be sent.

Policy Elements

Rules include policy elements, which must be predefined. These elements are defined in Table 8.

SUMMARY TABLE 8: POLICY ELEMENTS

| Policy Element | Definition | Used By |
|---|---|---|
| Schedules | Identifies the hours of the day and the days of the week that the rule is in effect. | Protocol rules, site and content rules, bandwidth rules |
| Bandwidth Priorities | Identifies an inbound and outbound priority number from 1 to 200. The numbers establish a relative percentage of the available bandwidth that can be applied to the traffic identified by the rule. | Bandwidth rules |
| Destination Sets | Identifies the computers, and potentially the directories and files on those computers, which can or cannot be accessed. | Site and content rules, bandwidth rules, Web publishing rules, routing rules |
| Client Address Sets | A collection of one or more computers identified by IP address. | Protocol rules, site and content rules, bandwidth rules, server publishing rules, Web publishing rules |
| Protocol Definitions | Characteristics that define available protocols via port, protocol type, and direction. | Protocol rules, server publishing rules, bandwidth rules |
| Content Groups | Arranges content definitions by MIME type or extension. | Site and content rules, bandwidth rules |
| Dial-Up Entries | Specific dial-up information such as account information. | Routing rules, firewall chaining |

LOGS AND REPORTS

You will, over time, use gathered performance data and reports to:

- Understand server workload
- Understand the impact of workload on responses
- Track trends
- Follow results of changes
- Tune configuration

Logs

The following log files are created by ISA Server:

- IPPDyyyymmdd.log. Information on blocked (by default) and allowed (if configured) packets. To enable the logging of "allowed" packets, check the Log Packets from Allow Filters check box on the IP Packet Filters property page.
- FWSEXTDyyyymmdd.log. Information on packets handled by the firewall service.
- WEBEXTDyyyymmdd.log. Information handled by the Web proxy service.

Reports

In addition to the logs, ISA Server can be configured to produce a number of predefined reports. Reports include:

- Summary report. Illustrates traffic usage.
- Web usage reports. Top users, common responses, browsers.
- Application usage reports. Application usage by top users, incoming and outgoing traffic, client applications, and destinations.
- Traffic and utilization reports. Total Internet usage by application, protocol, direction.
- Security reports. Attempts to breach network security.

It is important to note that report summaries are generated every day at 12:30 A.M. This means that data in the reports is not compiled in real time; in fact, it is from at least the day before.

Cache Adjustments

What if your efforts to justify more powerful hardware or another server in the array fail? There are several areas of cache configuration that can aid performance. The cache configuration pages can be used to make some adjustments. For example, you can:

- Reduce the size of the maximum URL cached in memory
- Use scheduled downloads instead of active caching
- Do not cache objects larger than [size]
- Do not cache dynamic content

AUTHENTICATION

You may use various authentication modes as part of access rules. Pay particular attention to how your authentication requirements and the ISA client used may impact the function of these rules.

SUMMARY TABLE 9: AUTHENTICATION PROCESSES

| Method | Description | Who Can Use It? |
|---|---|---|
| Basic | Credentials sent in encoded text characters (easily read; no encryption). | Users with accounts on the ISA Server computer or a trusted domain of the ISA Server. |
| Digest | Credentials modified with values that identify user, computer, and domain are time stamped and then hashed to create a message digest (the result of this one-way encryption process; by one-way it is meant that the product cannot be decrypted). | Users with accounts in a trusted domain of the ISA Server. |
| Integrated | Integrated Windows authentication. Can use Kerberos if W2K domain user accounts are being used from a W2K domain member computer. Kerberos cannot be used in a pass-through scenario. | Windows user accounts. (The authentication protocol is dependent on the OS and client account membership involved.) |
| Pass-through | ISA Server can pass a client's authentication information to the destination server. | Outgoing and incoming Web requests. |
| Certificates | Certificate Authority issued certificates are used for authentication. | Clients. Servers. |

Authentication to external sources may also be an issue. One such problem can be solved by installing the Identd service. When a client operates behind a firewall it cannot respond to some types of requests for identification from Internet servers. The Identd simulation service, when installed on an ISA Server, can respond to the Internet server on behalf of the client.

Client authentication before a requested access is granted is required in the following circumstances:

- When rules are configured to require membership in specific groups, or the participation of specific users, the ISA Server requires client authentication so it can determine if access is allowed for that user.
- If the HTTP protocol is requested by Web proxy or firewall clients, ISA Server determines if the rule allows anonymous access. If this is so, and no other configuration blocks the access, then access is allowed. However, if no rule allows anonymous access to HTTP, the ISA Server requires authentication.
- If a firewall client requests access to some other protocol and rules have been configured that require membership in a group, or access is specific to certain users, then authentication is required.
- ISA Server has been configured to always require authentication.

Remote Access Authentication

Authentication choices are defined in Table 9.

Chained Authentication

When a client request is passed from one ISA Server to another, authentication information can also be transferred. However, in some cases the upstream server might not be able to determine the client that is requesting the object. This might be because the upstream server requires that the downstream server use an account in order to connect. In this case, it is this account information that is passed to the upstream server. Otherwise, the client's authentication information will be passed to the upstream server. If authentication information is not required for all clients, then it is possible that access rules that rely on user identification may not be processed in the manner that you require.

INTEROPERABILITY

Server interoperability with services that may already be employed in the network should be explored. Information on common network services and ISA Server is detailed here:

- Windows NT 4.0 domains. ISA can be installed on a standalone Windows 2000 server in a Windows NT 4.0 domain.
- ISA Server arrays in a Windows NT 4.0 domain. An ISA Server array requires a Windows 2000 domain. However, this domain can be joined in a trust relationship with a Windows NT 4.0 domain in order to provide services to Windows NT 4.0 clients.
- Routing and Remote Access. ISA Server provides remote connectivity and extends RRAS. ISA can use the dial-up entries configured for RRAS (RRAS can run on the ISA Server). You should allow ISA packet filtering to replace RRAS packet filtering and allow the ISA Server to provide remote connectivity for internal clients.
- IIS Server. IIS server is not required on an ISA Server, but it can run on one. However, you should configure Web publishing rules if you wish to allow public users to access the Web server. Set the IIS Server to listen on a port different from port 80, as ISA Server listens for inbound Web requests on that port.
- Internet Connection Sharing (ICS). ISA Server replaces the need to run Internet Connection Sharing.
- IPSec. ISA Server can be configured as an IPSec/L2TP VPN server.
- Terminal services. May be installed on the ISA Server for remote administration purposes.
- SNMP. May be installed if required to support interoperability with services that may already be employed in the network.
- Other applications and services. Running other applications on the ISA Server can be done by creating packet filters which allow their services access. However, if the ISA Server is acting as a firewall, you should avoid statically opening ports (that is, via creating packet filters). In most cases, it is not a good idea to enable additional applications on the ISA Server.

ENTERPRISE EDITION

Differences between the standard and enterprise editions often come down to the ability to configure enterprise and array level policies, and the ability to create arrays.

Array Types

Hierarchical arrays are chains of ISA Servers and can be established for Standard and Enterprise edition ISA Servers. It is a simple matter of configuring the server to forward requests to other ISA Servers, instead of directly to the requested source. Chains of distributed arrays are also possible.

Distributed arrays are collections of Enterprise edition ISA Servers and are managed by assigning Enterprise and Array policies. They can only be created using the Enterprise Edition of ISA Server. They offer multiple advantages including centralized management, fault tolerance, and improved processing efficiency.

Three basic policy scopes exist:

- Combined Array and Enterprise policy. Management is potentially split between enterprise and array level policies.
- Array Policy Only. The enterprise policy gives control to the managers of array level policy.
- Enterprise Policy Only. All policies are set at the enterprise level.

Promotion

If an enterprise license is obtained, or if an enterprise edition ISA Server was installed in standard mode, an ISA Server can be promoted to an array. Changes to policy will occur as defined in Table 11.

SUMMARY TABLE 11: ARRAY POLICY MODIFICATION DURING PROMOTION

| Enterprise Policy Setting | Change in Policy |
|---|---|
| Policy managed entirely by arrays | No changes |
| Policy managed entirely by Enterprise | Delete all array policies |
| Policy managed by enterprise and array | Delete all "allow" policies |
| Publishing Allowed? Yes | Publishing rules retained |
| Publishing Allowed? No | Publishing rules deleted |

Enterprise Policies

Policy settings in the enterprise depend on enterprise policy choices. Choices are listed in Table 10.

SUMMARY TABLE 10: CUSTOM POLICY SETTINGS

| Number | Choice | If This Is Selected | Can Be Combined With (You Can Also Select) |
|---|---|---|---|
| 1 | Use array policy only | The enterprise policy is not used. Each array has its own policy. | 4 and 5 |
| 2 | Use this enterprise policy | Select a created enterprise policy by name. | 3, 4, 5 |
| 3 | Allow array level access rules that restrict enterprise policy | The enterprise policy is applied to all arrays; however, array policies may contain and enforce more restrictive settings. | 2 |
| 4 | Allow publishing rules | Publishing rules can be created to allow access to internal Web servers from the public network. | 1 and 2 |
| 5 | Force packet filtering on this array | Packet filtering will be used to restrict entry. | 1 and 2 |

By default, no access is allowed until rules and policies are configured.

Understanding CARP

CARP is a routing algorithm that efficiently determines the best location for a retrieved object. When the object is requested again, the CARP algorithm can be used to locate it. The entire array of ISA caching servers is managed as a single logical array. No object is stored more than once. As servers are added to the array, CARP becomes more efficient. CARP is enabled in array properties. However, for CARP to work, listeners on each server must be configured to use an address for intra-array communications. You may also want to balance the "load factor" on servers within the array.

Network Load Balancing

To plan and implement network load balancing requires that you:

1. Verify that ISA Servers which will be in the cluster are installed in the same mode.
2. Assign a unique IP address to the cluster and assign a fully qualified domain name for this address.
3. The primary network address of each ISA Server computer's internal interface adapter will use this cluster address. All ISA Server computers will have the same primary address in the NLB configuration.
4. Assign a unique priority to each machine in the NLB cluster.
5. Set the dedicated IP address to the IP address of the ISA Server's internal network adapter. (This address can be used to individually address a single server.)
6. If a server has two internal network adapters, the one which receives the dedicated address should have the lower metric value (higher priority) than the adapter with the cluster address.
7. If a server has one internal network adapter, the dedicated address should be ordered first.
8. The default gateway for SecureNAT clients will be the cluster IP address. Thus, all SecureNAT requests are handled by Network Load Balancing.

CLIENTS

ISA Server listens for client requests on port 8080. (It listens for Web server requests on port 80.) If an IIS Server is present on the same machine and has not been configured to use different ports, there will be possible conflicts. In addition, Web Proxy clients will either need to do autodiscovery, or be configured to use port 8080. (Proxy Server 2.0 listened on port 80 for client requests.) This is also why, during installation, if an IIS is installed on the same machine, its WWW publishing service is stopped. After installation, the IIS should be removed or its listening port changed before the service is restarted. (An IIS on the ISA Server can be published via the Web publishing rules or by using IP packet filters.)

Client Types

Several client types exist. They are distinguished by the features illustrated in Table 12.

SUMMARY TABLE 12: DISTINGUISHING CLIENT TYPES

| Client Type | Client Configuration Requirements | Requirements Necessary To Access Internet Resources | Protocols That Can Be Used | Client OS Requirements | Required Mode |
|---|---|---|---|---|---|
| SecureNAT | Possible: client default gateway set to ISA Server internal interface | Requires ISA Server application filters; Internet requests are routed to ISA Server | Any | TCP/IP | Firewall, integrated |
| Web Proxy | Configure browser | | HTTP, HTTPS, FTP, Gopher | Most any Web application can be configured to use proxy | Caching, integrated, firewall |
| Firewall | Install client | Configuration file | Winsock applications | Win32 | Firewall, integrated |

Infrastructure Changes for Client Types

SecureNAT clients potentially entail few infrastructure changes. This does not mean the cost will be low, but that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be directly visited then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers will need to be configured to route Internet requests to the ISA Server. Your time and cost will depend on the number of routers that must be configured and the complexity of this configuration change.

If Web proxy or firewall clients need to be configured for automatic discovery, you might need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is the Web Proxy Automatic Discovery (WPAD) protocol.

MIGRATION FROM PROXY 2.0

Many installations of Proxy 2.0 will eventually be migrated to ISA Server. It is important to know what will happen to current settings when this is done. First, however, remember that the steps you take during migration are dictated by the variables in Table 13. Then, review the setting modifications explained in Table 14.

SUMMARY TABLE 13: MIGRATION PATH VARIABLES

| Variable | Steps to Take |
|---|---|
| Is the Proxy Server a member of an array? | Remove the Proxy Server from the array prior to the migration. |
| Is the Proxy Server on a standalone system? | No additional steps necessary. |
| Will you be installing the server into an array or not? | You must have appropriate permissions to install into the array. |
| What is your role in Windows 2000 administration? (Are you a Domain Admin or Enterprise Admin?) | Membership in the Enterprise Admin and Schema Admin group is necessary to modify the AD Schema. |
| Will the ISA Server system be a domain member? | Join the Windows 2000 system to the proper domain. |
| Does the Proxy 2.0 NT 4.0 computer meet the minimal and appropriate specification for Windows 2000? | If the Proxy 2.0 system does not meet the minimum requirements for Windows 2000, you will need to upgrade the hardware prior to continuing the migration. |

Changes necessary after migration are:

- Because ISA Server and Proxy Server listen on different ports for HTTP requests, downstream browsers will have to be reconfigured.
- All network configurations on the ISA Server should be checked for correctness.
- Web publishing under ISA Server doesn't require changes to the published server; however, the server may have had changes configured which now need to be removed.
- SOCKS rules from Proxy Server 2.0 are not migrated; ISA Server uses SOCKS application filters. You may need to configure or adjust these. ISA Server listens on port 1080 for SOCKS requests. This can be changed.
- ISA Server installs with only Windows integrated authentication. This will have the effect that previously supported requests from non-I.E. browsers will be rejected. You will need to configure basic authentication for Web requests.

SUMMARY TABLE 14: PREMIGRATION VARIABLE EFFECT ON PROXY CONFIGURATION MIGRATION

| Proxy Server 2.0 State | Install to Existing ISA Array | Install to New ISA Array | Install ISA Standalone Server |
|---|---|---|---|
| Proxy Server 2.0 standalone | ISA Enterprise configuration determines final configuration | ISA Enterprise configuration set during installation determines final configuration | Retains most Proxy Server 2.0 configuration |
| Proxy Server 2.0 array member | ISA Enterprise configuration determines final configuration | Can utilize array settings from Proxy Server 2.0 array | Because the Proxy Server was removed from the array before installation, most settings from the array. |

SSL Bridging

If a published Web server requires SSL access you may need to make some choices and configure SSL bridging. Your choices are defined in Table 16.

SUMMARY TABLE 16: SSL BRIDGING CHOICES

| Redirection Choice | Option | Description |
|---|---|---|
| Redirect HTTP requests as: | HTTP requests | No mystery here. |
| | SSL requests | Use this choice to secure HTTP communications between the ISA Server and the internal Web server. |
| Redirect SSL requests as: | HTTP requests | The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server would be unencrypted. |
| | SSL requests | While the SSL channel terminates at the ISA Server (the client conversation is secured between itself and the ISA Server), this option requires that a new SSL channel be established between the ISA Server and the Web server. |
| Require secure channel (SSL) | | No conversation takes place if SSL cannot be established. |
| Require 128-bit encryption | | The ISA Server must have the high-encryption pack for Windows 2000 installed to use this feature. |
| Use a certificate to authenticate to the SSL Web server | | If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used. |

PUBLISHING

Keeping Web and other externally accessed servers behind a firewall is a good thing. To make their contents available externally, use publishing. Web publishing configuration is listed in Table 15.

Web Publishing

SUMMARY TABLE 15: CONFIGURING WEB PUBLISHING

| Action | Instructions | Mandatory? |
|---|---|---|
| Configure Web site domain resolution | Assure that the public Web server address is registered in DNS with the address of the ISA Server that will perform the Web hosting. | Yes |
| Configure destination sets to identify the ISA Servers that will be configured for publishing. | The destination set includes the external IP address or names of ISA Servers that will route the request to the internal Web server. You can choose to use more general terms instead of explicitly identifying the firewall. | No |
| Configure a listener on the external interface of the firewall. | | Yes |
| Configure client access types to restrict access. | Client types include ranges of IP addresses, and specific user accounts. | No |
| Create a Web publishing rule. | | Yes |
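As an added illustration of the four-step rule processing order described under POLICY above (protocol rules, then site and content rules, then IP packet filters, then routing rules or firewall chaining), here is a small Python model written for this summary; it is not ISA Server's own code or API, and every class name, field, address, domain and sample rule in it is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of the four-step evaluation order (protocol rules, then
# site and content rules, then IP packet filters, then routing rules).
# Class names, fields and sample data are this example's own, not ISA's API.

@dataclass
class Schedule:                 # policy element: days of week (0=Mon) and hours
    days: frozenset
    hours: range
    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and when.hour in self.hours

@dataclass
class Rule:                     # a protocol rule or a site and content rule
    name: str
    action: str                 # "allow" or "deny"
    clients: tuple              # client address set, as CIDR strings
    match: frozenset            # protocol names or a destination set; "*" = any
    schedule: Optional[Schedule] = None

@dataclass
class PacketFilter:
    proto: str
    port: int
    mode: str                   # "block" or "allow"

@dataclass
class Request:
    client_ip: str
    protocol: str
    destination: str
    when: datetime

def _applies(rule: Rule, req: Request, key: str) -> bool:
    """A rule applies when its client set, match set and schedule all match."""
    if rule.schedule is not None and not rule.schedule.active(req.when):
        return False
    in_set = any(ip_address(req.client_ip) in ip_network(c) for c in rule.clients)
    return in_set and ("*" in rule.match or key in rule.match)

def _decide(rules, req: Request, key: str) -> str:
    """'allow' only if some rule allows and no rule denies; 'none' if no match."""
    hits = [r for r in rules if _applies(r, req, key)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "none"

def evaluate(req, protocol_rules, site_rules, packet_filters, protocol_defs, routing_rules):
    """Return (decision, reason) following the documented processing order."""
    # 1. Protocol rules: the protocol must be allowed by a rule and denied by none.
    if _decide(protocol_rules, req, req.protocol) != "allow":
        return "deny", "no allowing protocol rule (or an explicit deny)"
    # 2. Site and content rules: a matching rule must exist and none may deny.
    if _decide(site_rules, req, req.destination) != "allow":
        return "deny", "no allowing site and content rule (or an explicit deny)"
    # 3. IP packet filters: an explicit block on the protocol's port still wins.
    proto, port = protocol_defs[req.protocol]     # protocol definition element
    for f in packet_filters:
        if f.mode == "block" and f.proto == proto and f.port == port:
            return "deny", f"packet filter blocks {proto}/{port}"
    # 4. Routing rules (or firewall chaining) decide how the request is sent.
    for dest_set, route in routing_rules:
        if dest_set == "*" or req.destination in dest_set:
            return "allow", f"route via {route}"
    return "deny", "no routing rule"

# Constructed sample policy (addresses and site names are made up).
PROTOCOLS = {"HTTP": ("TCP", 80), "Telnet": ("TCP", 23)}
BUSINESS_HOURS = Schedule(frozenset(range(5)), range(8, 18))   # Mon-Fri 08:00-17:59
PROTOCOL_RULES = [
    Rule("Allow web", "allow", ("10.0.0.0/8",), frozenset({"HTTP"}), BUSINESS_HOURS),
    Rule("Allow telnet admins", "allow", ("10.0.5.0/24",), frozenset({"Telnet"})),
]
SITE_RULES = [
    Rule("Allow all sites", "allow", ("10.0.0.0/8",), frozenset({"*"})),
    Rule("Deny casino", "deny", ("10.0.0.0/8",), frozenset({"casino.example"})),
]
PACKET_FILTERS = [PacketFilter("TCP", 23, "block")]     # blocks Telnet despite rules
ROUTING_RULES = [(frozenset({"intranet.example"}), "direct"),
                 ("*", "upstream ISA Server (firewall chaining)")]

def check(client_ip: str, protocol: str, destination: str, hour: int = 10):
    """Evaluate one request made on a Tuesday (weekday 1) at the given hour."""
    req = Request(client_ip, protocol, destination, datetime(2001, 6, 5, hour, 0))
    return evaluate(req, PROTOCOL_RULES, SITE_RULES, PACKET_FILTERS, PROTOCOLS, ROUTING_RULES)
```

The Telnet case shows why step 3 matters: an allowing protocol rule and an allowing site rule both match, yet the explicit block filter on TCP/23 still denies the request.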

Date posted: 22/01/2014, 00:20
